0 Replies    Latest reply: Sep 18, 2009 2:40 PM by 807567

    LDAP authentication to Win2K8 server nightmare.

    807567
      Hello All, I have been trying to get LDAP authentication working on this Solaris 10 server. To this point I've had little success. The domain controller/LDAP server is W2K8. I am able to authenticate successfully using "kinit", so I'm sure Kerberos is configured. I have extended the Unix services on 2K8 as well. Here is the /var/ldap/ldap_client_file:

      NS_LDAP_FILE_VERSION= 2.0
      NS_LDAP_SERVERS= parwindom
      NS_LDAP_SEARCH_BASEDN= dc=stcg,dc=net
      NS_LDAP_AUTH= sasl/GSSAPI
      NS_LDAP_CACHETTL= 0
      NS_LDAP_CREDENTIAL_LEVEL= self
      NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
      NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
      NS_LDAP_ATTRIBUTEMAP= shadow:uid=sAMAccountName
      NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
      NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
      NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
      NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
      NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
      NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
      NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
      NS_LDAP_ATTRIBUTEMAP= passwd:gecos=gecos
      NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
      NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
      NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
      NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
      NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
      NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group

      The ldap service is enabled. Here is /etc/nsswitch.conf:

      passwd: files ldap [TRYAGAIN=5]
      group: files ldap
      hosts: dns files
      ipnodes: dns files
      networks: files
      protocols: files
      rpc: files
      ethers: files
      netmasks: files
      bootparams: files
      publickey: files
      netgroup: files
      automount: files
      aliases: files
      services: files
      printers: user files
      auth_attr: files
      prof_attr: files
      project: files
      tnrhtp: files
      tnrhdb: files

      And finally, here is /etc/pam.conf:

      login auth requisite pam_authtok_get.so.1
      login auth required pam_dhkeys.so.1
      login auth required pam_unix_cred.so.1
      login auth required pam_unix_auth.so.1
      login auth required pam_dial_auth.so.1

      rlogin auth sufficient pam_rhosts_auth.so.1
      rlogin auth requisite pam_authtok_get.so.1
      rlogin auth required pam_dhkeys.so.1
      rlogin auth required pam_unix_cred.so.1
      rlogin auth required pam_unix_auth.so.1

      krlogin auth required pam_unix_cred.so.1
      krlogin auth required pam_krb5.so.1

      rsh auth sufficient pam_rhosts_auth.so.1
      rsh auth required pam_unix_cred.so.1

      krsh auth required pam_unix_cred.so.1
      krsh auth required pam_krb5.so.1

      ktelnet auth required pam_unix_cred.so.1
      ktelnet auth required pam_krb5.so.1

      ppp auth requisite pam_authtok_get.so.1
      ppp auth required pam_dhkeys.so.1
      ppp auth required pam_unix_cred.so.1
      ppp auth required pam_unix_auth.so.1
      ppp auth required pam_dial_auth.so.1

      other auth requisite pam_authtok_get.so.1
      other auth required pam_dhkeys.so.1
      other auth sufficient pam_krb5.so.1
      other auth required pam_unix_cred.so.1
      other auth required pam_unix_auth.so.1

      passwd auth required pam_passwd_auth.so.1

      cron account required pam_unix_account.so.1

      other account requisite pam_roles.so.1
      other account sufficient pam_unix_account.so.1
      other account required pam_ldap.so.1

      other session required pam_unix_session.so.1

      other password required pam_dhkeys.so.1
      other password requisite pam_authtok_get.so.1
      other password requisite pam_authtok_check.so.1
      other password required pam_authtok_store.so.1

      Here is what happens if I run ldaplist:

      # ldaplist
      ldaplist: Object not found (LDAP ERROR (12): Unavailable critical extension.)

      I have been pulling what little hair I have left out on this issue and I'm starting to run out of time on this project. There is nothing in any log file anywhere. Any help would be greatly appreciated.
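A small parser and consistency checker for the ldap_client_file format shown above, added here as an example and not part of the original post or of Solaris itself. It reads the poster's key/value layout (repeated NS_LDAP_SERVICE_SEARCH_DESC and map keys collected as lists), splits each search descriptor into service, base DN and scope, and flags the things worth checking before chasing server-side errors: sasl/GSSAPI without credential level self, a service search base outside NS_LDAP_SEARCH_BASEDN, and a service whose attributes are mapped to AD names but whose object class is not. The sample text is a constructed, trimmed copy of the poster's file with one object class map left out so the check has something to report.

```python
from collections import defaultdict

# Constructed sample: the poster's ldap_client_file, trimmed to the lines the checks below use,
# with the group object class map deliberately omitted to exercise the checker.
SAMPLE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= parwindom
NS_LDAP_SEARCH_BASEDN= dc=stcg,dc=net
NS_LDAP_AUTH= sasl/GSSAPI
NS_LDAP_CREDENTIAL_LEVEL= self
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Unix Services,ou=Service Accounts,dc=stcg,dc=net?one
NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
"""

# Keys that legitimately repeat in ldap_client_file; every other key is treated as single-valued.
MULTI = {"NS_LDAP_SERVICE_SEARCH_DESC", "NS_LDAP_ATTRIBUTEMAP", "NS_LDAP_OBJECTCLASSMAP"}

def parse_client_file(text):
    """Parse 'KEY= value' lines; multi-valued keys collect a list, others keep the last value."""
    conf = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()].append(value.strip())
    return {k: (v if k in MULTI else v[-1]) for k, v in conf.items()}

def parse_search_desc(desc):
    """'passwd:ou=x,dc=y?one' -> ('passwd', 'ou=x,dc=y', 'one'); scope is '' when omitted."""
    service, _, rest = desc.partition(":")
    base, _, scope = rest.partition("?")
    return service, base, scope.split("?")[0]   # drop an optional trailing ?filter part

def check(conf):
    """Return a list of consistency findings; an empty list means nothing was flagged."""
    findings = []
    if conf.get("NS_LDAP_AUTH") == "sasl/GSSAPI" and conf.get("NS_LDAP_CREDENTIAL_LEVEL") != "self":
        findings.append("sasl/GSSAPI requires NS_LDAP_CREDENTIAL_LEVEL= self")
    base_dn = conf.get("NS_LDAP_SEARCH_BASEDN", "").lower()
    for desc in conf.get("NS_LDAP_SERVICE_SEARCH_DESC", []):
        service, base, _ = parse_search_desc(desc)
        if not base.lower().endswith(base_dn):
            findings.append(f"{service}: search base {base} is not under {base_dn}")
    mapped = {m.partition(":")[0] for m in conf.get("NS_LDAP_ATTRIBUTEMAP", [])}
    classed = {m.partition(":")[0] for m in conf.get("NS_LDAP_OBJECTCLASSMAP", [])}
    for service in sorted(mapped - classed):
        findings.append(f"{service}: attributes mapped to AD but no NS_LDAP_OBJECTCLASSMAP")
    return findings
```

Run it against a real /var/ldap/ldap_client_file by passing its contents to parse_client_file and printing check(); an empty list only means the file is internally consistent, not that the server accepts the controls the client sends.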