I currently have a server running ODSEE 184.108.40.206 and I cannot run a "useradd -S ldap" on a Solaris 11.1 client. I get the following error:
LDAP configuration problem.
ldap passwd database update failed for username.
UX: useradd: ERROR: Cannot update system - login cannot be created.
We were previously using ldif's to add users, but have been wanting to switch to the useradd commands for simplicity. I am not too familiar with ODSEE, but can provide any information needed for the server setup. Any ideas?
it could be a problem with the user binding to the Directory Server that hasn't privileges enough... or it could be a password policy related issue (i.e. password doesn't meet the minimum requirements like length, complexity, etc..)
What do you see in the Directory Server instance log files when you try to 'useradd' ?
I haven't gotten to the far enough to assign a password. I can't even create the user. After doing some searching I ran a ldapclient mod to set enableShadowUpdate=TRUE and add properties for adminDN, and adminPassword on the client. When I run the useradd command now I get "ldap: operation failed" instead of "LDAP configuration problem," but the same errors about passwd database update failed. I was tailing the messages file while running the useradd and noticed the following errors:
ldap_cachemgr : [ID 293258 daemon.error] libsldap: Status: 32 Mesg: openConnection simple bin failed - No such object
ldap_cachemgr [2743:] [ID 293258 daemon.warning] libsldap: Status: 1 Mesg: Internal write State machine exit (state = 3, rc =1).
passmgmt : [ID 783142 user.error] ldap passwd database update failed for username
Does this mean I'm having issues with the "admin" binding to the ldapserver? In the access.log I see "Connection closed by unbind client"
err=32 on a bind operation, simply means that the object you're using/would like to authenticate with, doesn't exist.
You would probably check the credentials being used to bind to the LDAP. [maybe the LDAP 'admin' user that you are using is *not really* the Directory Manager (the nsslapd-rootdn in the dse.ldif file), or what you're using hasn't privileges enough]
I'm not sure what was wrong with my admin user, but I rebuilt the server and the admin user is binding. The problem I'm having now is that we apply a password policy and I cannot successfully run a useradd because ldap errors out with err=19 "invalid password syntax: no uppercase character." I'm assuming this is for the user that I am trying to add and not the admin user. The admin user contains an uppercase character. I'm looking into this issue now. Thanks for getting me headed in the right direction.
Well, you can check that in the access log.
I would expect you now have a successful 'BIND' operation performed by the admin user (err=0), maybe followed by a failing 'MOD' operation (err=19), when trying to set a password which doesn't comply with the password policy.
I get an error for the ADD. The useradd command in Solaris 11.1 doesn't give the option to assign a password while adding the user. I'm basically trying to add a user without a password and LDAP is rejecting the addition from what I can see.
# useradd -S ldap -u uid -g gid -d homedir -e date -f 365 username
Command fails with the error i mentioned above. I'm not sure if I can modify my an ACI to allow user entries without passwords and then update the user's password with the "passwd -r ldap username" command. Any information would be appreciated.
Ok, so you have ACIs in place that prevent this operation.
Although it may depend your specific configurations (PAM and/or other auth mechanisms), having users without the password attribute, doesn't mean that these users are granted the access to the various systems without a password...
At this point, I would see 2 alternative options:
1) Modify the password policy and check that a user without a password is *NOT* granted access to the systems.
2) Not modify the password policy, perform the 'ADD' operation binding with an LDAP privileged user (i.e., an ldapmodify with the "Directory Manager") and then assign regularly the password with the 'passwd -r ldap <PASSWORD>' command