5 Replies Latest reply on Sep 15, 2011 9:28 PM by 887078

    Solaris 11 LDAP Client to 389 DS(Linux)

    887078
      OK, I've been working on this for a while and getting nowhere. We have a RHEL 5.4 Linux server running 389 Directory Server as the LDAP server. We're trying to get a new server running Solaris 11 to authenticate to this server. Any links or information to help get started? Difficult, since most of the help material online references old Sun docs whose links are now broken. I can get an ldapclient command to say "Successfully completed" but authentication fails. Stumped. Help!

      Thanks,
      Ted
        • 1. Re: Solaris 11 LDAP Client to 389 DS(Linux)
          877113
          It works for me without a problem. You can go one step further and customize the search, but in our case this was not required. We also created an LDAP profile on the LDAP Server, but this is not required for running.
          For debugging:
          Is your ldap/client service running?
          online Apr_01 svc:/network/ldap/client:default
          Is "getent passwd" also showing the LDAP accounts?

          Although not by design, you can work without pam for LDAP, only by using nsswitch if you use unix crypt passwords. If you use SHA or MD5 or other decent hashes for the passwords you must also use PAM.

          Anyway, here are my configuration files:

          /etc/nsswitch.conf:
          (SNIP)
          passwd: files ldap
          group: files ldap
          (SNIP)
          /etc/pam.conf:
          (SNIP)
          # Authentication management
          #
          # login service (explicit because of pam_dial_auth)
          #
          login auth requisite pam_authtok_get.so.1
          login auth required pam_dhkeys.so.1
          login auth required pam_unix_cred.so.1
          login auth sufficient pam_unix_auth.so.1
          login auth required pam_dial_auth.so.1
          login auth required pam_ldap.so.1
          (SNIP)
          #
          # Default definitions for Authentication management
          # Used when service name is not explicitly mentioned for authentication
          #
          other auth requisite pam_authtok_get.so.1
          other auth required pam_dhkeys.so.1
          other auth required pam_unix_cred.so.1
          other auth sufficient pam_unix_auth.so.1
          other auth required pam_ldap.so.1
          #
          # passwd command (explicit because of a different authentication module)
          #
          passwd auth sufficient pam_passwd_auth.so.1
          passwd auth required pam_ldap.so.1
          (SNIP)
          # Used when service name is not explicitly mentioned for account management
          #
          other account sufficient pam_ldap.so.1
          other account requisite pam_roles.so.1
          other account required pam_unix_account.so.1
          (SNIP)
          /var/ldap/ldap_client_file:

          NS_LDAP_FILE_VERSION= 2.0
          NS_LDAP_SERVERS= ds1.****.net, ds2.****.net
          NS_LDAP_SEARCH_BASEDN= dc=****,dc=net
          NS_LDAP_AUTH= simple
          NS_LDAP_SEARCH_REF= TRUE
          NS_LDAP_SEARCH_SCOPE= sub
          NS_LDAP_SEARCH_TIME= 30
          NS_LDAP_CACHETTL= 43200
          NS_LDAP_PROFILE= default
          NS_LDAP_CREDENTIAL_LEVEL= proxy
          NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,o=****,dc=****,dc=net?sub
          NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,o=****,dc=****,dc=net?sub
          NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,o=****,dc=****,dc=net?sub
          NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,o=****,dc=****,dc=net?sub
          NS_LDAP_BIND_TIME= 2

          /var/ldap/ldap_client_cred:

          NS_LDAP_BINDDN= ******
          NS_LDAP_BINDPASSWD= {***}*******
          • 2. Re: Solaris 11 LDAP Client to 389 DS(Linux)
            887078
            I followed your updates on the files. THANK YOU. I can now ssh into the box as the users known by LDAP. Two things: getent passwd does not show the LDAP users, and also not all groups seem to be known. Odd that it recognizes some but not others. Any ideas? Been a huge help already. Getting so close! :)
            • 3. Re: Solaris 11 LDAP Client to 389 DS(Linux)
              877113
              Did you check the Distinguished Names in the NS_LDAP_SERVICE_SEARCH_DESC? The LDAP searches can be singleLevel or subTree. For our LDAP implementation we need subtree (thus the ?sub). Furthermore, another question would be: do all your users have the posixAccount objectClass?
              The best thing to do would be to simply compare two accounts, one that's shown and another one that isn't. See if there are any real differences between them.
              If there are no differences in objectClass and other fields, you might have too many results in a single search. Some LDAP servers have limits on the number of accounts shown.

              If you can log on to the LDAP server it means that PAM works. If you can't see users with getent it means that the Name Service Switch doesn't work. If you can't see all the users with getent it means that some users are either different, or the search is not using the correct scope, or that there are more results than the LDAP server is willing to give in a single shot.

              Let us know which one it is. You can also compare the search results with the ones in the logs from FedoraDS. In old versions they are in /opt/fedora-ds/slapd-$instancename/logs; in newer releases I don't exactly remember where they are.
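              The "compare two accounts, one that's shown and one that isn't" check from the reply above, done mechanically. This is an added example, not code from the thread or from Solaris: it parses the LDIF that `ldapsearch -LLL` prints, flags entries that lack the posixAccount objectClass or one of the attributes a passwd lookup needs (uid, uidNumber, gidNumber, homeDirectory), and lists the attributes on which two entries differ. The two entries and the example.net domain are constructed sample input; paste your own ldapsearch output in their place.

```python
"""Compare two LDAP account entries for the things that keep one of them
out of `getent passwd`: objectClass posixAccount and the passwd attributes.
Added example, not from the thread. Sample LDIF below is constructed.
"""
from collections import defaultdict

# Attributes a passwd name-service lookup needs from a posixAccount entry.
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample: alice is a complete posixAccount, bob is not.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 1001
gidNumber: 100
homeDirectory: /export/home/alice
loginShell: /bin/bash

dn: uid=bob,ou=People,dc=example,dc=net
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
uidNumber: 1002
homeDirectory: /export/home/bob
loginShell: /bin/bash
"""


def parse_ldif(text):
    """Parse LDIF text into {dn: {attr: [values]}}.

    Folded continuation lines (leading space) are joined back; a blank or
    comment line ends the current entry; `attr:: base64` values are kept
    verbatim (not decoded).
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current, dn = {}, None, None
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            if current is not None:
                entries[dn] = current
                current = None
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip(": ").strip()
        if attr.lower() == "dn":
            dn = value
            current = defaultdict(list)
        elif current is not None:
            current[attr].append(value)
    if current is not None:
        entries[dn] = current
    return entries


def check_posix_account(entry):
    """Return the problems that would hide this entry from getent passwd."""
    problems = []
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    for attr in REQUIRED_ATTRS:
        if not entry.get(attr):
            problems.append("missing attribute %s" % attr)
    return problems


def diff_entries(a, b):
    """Return {attr: (values_in_a, values_in_b)} for attributes that differ."""
    diffs = {}
    for attr in sorted(set(a) | set(b)):
        va, vb = sorted(a.get(attr, [])), sorted(b.get(attr, []))
        if va != vb:
            diffs[attr] = (va, vb)
    return diffs


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, entry in entries.items():
        print(dn, check_posix_account(entry) or "ok")
    first, second = list(entries.values())
    for attr, (va, vb) in diff_entries(first, second).items():
        print("%-14s %s | %s" % (attr, va, vb))
```

              Run it against real output with `ldapsearch -LLL -b "ou=People,dc=example,dc=net" "(|(uid=shown)(uid=hidden))"` (base DN and uids are placeholders) fed into `parse_ldif`; an entry that reports "ok" but still does not appear points at the search base, scope, or the server's size limit rather than at the entry itself.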
              • 4. Re: Solaris 11 LDAP Client to 389 DS(Linux)
                887078
                What did your ldapclient command look like, just to sanity-check the one I have? Maybe I'm goofing on one of the attributes?

                How did you get multiple servers to show up in the defaultServerList? I tried comma<space> between IP's but nada.

                I'm looking into your last message more now. Thanks for all the help.
                • 5. Re: Solaris 11 LDAP Client to 389 DS(Linux)
                  887078
                  I have the following:

                  /var/ldap/ldap_client_file:

                  NS_LDAP_FILE_VERSION= 2.0
                  NS_LDAP_SERVERS= ds1.****.net
                  NS_LDAP_SEARCH_BASEDN= dc=****,dc=net
                  NS_LDAP_AUTH= simple
                  NS_LDAP_SEARCH_SCOPE= sub
                  NS_LDAP_SEARCH_TIME= 90
                  NS_LDAP_CACHETTL= 0
                  NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,o=****,dc=****,dc=net?sub
                  NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,o=****,dc=****,dc=net?sub
                  NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,o=****,dc=****,dc=net?sub
                  NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,o=****,dc=****,dc=net?sub
                  NS_LDAP_OBJECTCLASSMAP=group:posixGroup=posixGroup

                  Missing in my file:
                  NS_LDAP_SEARCH_REF= TRUE
                  NS_LDAP_PROFILE= default
                  NS_LDAP_CREDENTIAL_LEVEL= proxy
                  NS_LDAP_BIND_TIME= 2

                  Seems my ldapclient command might be off?

                  Thanks,
                  Ted
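                  The "missing in my file" comparison from the post above, as an added example that is not part of the thread and not Solaris code. It parses the NS_LDAP_ key=value format of /var/ldap/ldap_client_file (keys such as NS_LDAP_SERVICE_SEARCH_DESC may repeat, so each key maps to a list), reports keys that are missing, extra, or set differently between a reference file and yours, and splits the comma-separated NS_LDAP_SERVERS list and the `service: basedn?scope` search descriptors. The two embedded configurations are constructed from the ones quoted in the thread with example.net in place of the masked domain.

```python
"""Diff two ldap_client_file configurations. Added example, not from the
thread; the two sample configurations are constructed from the thread's
(masked) files with example.net substituted for the real domain.
"""

# Constructed from reply 1's working file.
REFERENCE_CFG = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ds1.example.net, ds2.example.net
NS_LDAP_SEARCH_BASEDN= dc=example,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,o=example,dc=example,dc=net?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,o=example,dc=example,dc=net?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,o=example,dc=example,dc=net?sub
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,o=example,dc=example,dc=net?sub
NS_LDAP_BIND_TIME= 2
"""

# Constructed from the file in post 5.
MY_CFG = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ds1.example.net
NS_LDAP_SEARCH_BASEDN= dc=example,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 90
NS_LDAP_CACHETTL= 0
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,o=example,dc=example,dc=net?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,o=example,dc=example,dc=net?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,o=example,dc=example,dc=net?sub
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,o=example,dc=example,dc=net?sub
NS_LDAP_OBJECTCLASSMAP=group:posixGroup=posixGroup
"""


def parse_client_file(text):
    """Return {key: [values]} in file order; split only on the first '='
    so values such as 'group:posixGroup=posixGroup' stay intact."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def split_list(value):
    """NS_LDAP_SERVERS is comma-separated; tolerate spaces after commas."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_search_desc(value):
    """Split 'passwd: ou=People,dc=example,dc=net?sub' into
    (service, base DN, scope); scope is None when the '?scope' part is absent."""
    service, _, rest = value.partition(":")
    base, _, scope = rest.strip().partition("?")
    return service.strip(), base.strip(), (scope.strip() or None)


def compare(reference, mine):
    """Return (missing, extra, differing): keys only in reference, keys only
    in mine, and keys in both whose value lists differ."""
    missing = [k for k in reference if k not in mine]
    extra = [k for k in mine if k not in reference]
    differing = {k: (reference[k], mine[k])
                 for k in reference if k in mine and reference[k] != mine[k]}
    return missing, extra, differing


if __name__ == "__main__":
    ref, mine = parse_client_file(REFERENCE_CFG), parse_client_file(MY_CFG)
    missing, extra, differing = compare(ref, mine)
    print("missing:", missing)
    print("extra:  ", extra)
    for key, (rv, mv) in differing.items():
        print("differs:", key, rv, "vs", mv)
    print("servers:", split_list(ref["NS_LDAP_SERVERS"][0]))
    for desc in mine["NS_LDAP_SERVICE_SEARCH_DESC"]:
        print("search: ", parse_search_desc(desc))
```

                  To use it on real files, read /var/ldap/ldap_client_file from each host into the two strings; a descriptor whose base DN or scope differs from what the entries actually live under is the "wrong scope" case the earlier reply describes.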