8 Replies Latest reply: Jun 26, 2010 5:39 AM by dcminter

    Problem on Solaris 10 Native ldap client.

    807567
      Hi,

      I have configured the DS 5.2 on Solaris 10 and it seems to be working.
      I'm getting the answers from the ldapsearch command with SSL.
      ./ldapsearch -h ismesl90 -p 636 -Z -P /var/ldap -D "cn=Directory Manager" -w password -b "cn=Password Policy,cn=config" "(objectclass=*)"
      version: 1
      dn: cn=Password Policy,cn=config
      objectClass: top
      objectClass: passwordPolicy
      cn: Password Policy
      passwordInHistory: 0
      passwordStorageScheme: CRYPT
      passwordUnlock: on
      passwordMustChange: off
      passwordNonRootMayResetUserpwd: off
      passwordWarning: 86400
      passwordExpireWithoutWarning: on
      passwordLockout: off
      passwordMinLength: 6
      passwordMaxFailure: 3
      passwordMaxAge: 8640000
      passwordResetFailureCount: 600
      passwordisglobalpolicy: off
      passwordChange: on
      passwordExp: off
      passwordLockoutDuration: 3600
      passwordCheckSyntax: off
      passwordMinAge: 0
      passwordRootdnMayBypassModsChecks: off


      but on the client it complains about the connection:
      Jul 20 18:50:16 king ldap_cachemgr[2823]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
      Jul 20 18:50:16 king ldap_cachemgr[2823]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
      Jul 20 18:50:16 king ldap_cachemgr[2823]: [ID 186574 daemon.error] Error: Unable to refresh profile:default: Session error no available conn.

      I have installed the latest patches on both machines and it didn't solve the problem.
      The ldapsearch command that comes with the DS 5.2 works and the native one doesn't.

      I have created the keys and certs and everything.

      Has anyone faced this problem?

      Thanks,
      Shalom

      Message was edited by:
      shalomG
        • 1. Re: Problem on Solaris 10 Native ldap client.
          807567
          This perfectly describes the same problem I am currently having. Have you had any success in solving it?
          • 2. Re: Problem on Solaris 10 Native ldap client.
            807567
            Hi,

            I had a similar problem. Additionally /var/ldap/cachemgr.log showed every 12 hours:
            =cut=
            Sun Apr 29 10:40:55.4968 Error: Unable to refresh profile:tls_profile:Session error no available conn.

            Sun Apr 29 10:40:55.4969 Error: Unable to update from profile
            Sun Apr 29 22:40:55.5163 Error: Unable to refresh profile:tls_profile:Session error no available conn.

            Sun Apr 29 22:40:55.5164 Error: Unable to update from profile
            =cut=

            I could resolve this executing:
            bash-3.00# svcadm restart network/ldap/client
            -and-
            bash-3.00# pkill -HUP ldap_cachemgr

            Seems that the ldap client was not using the latest configuration.
            • 3. Re: Problem on Solaris 10 Native ldap client.
              807567
              I get the same error in /var/adm/messages of client and in client's cachemgr.log. Also, in cachemgr.log there is this error message:
              Error: Unable to update from profile

              I have searched Sun's JSDS documentation and I can't find any troubleshooting info for this problem, so I'm hoping that one of you has found a good solution to this problem. Thanks. Some details of my setup:

              Results of DS search issued from client:

              myclient-root: /var/ldap:143)-> ldapsearch -h myserver -D "cn=proxyagent,ou=profile,dc=example,dc=com" -w (removed) -b ou=profile,dc=example,dc=com objectclass=\*


              version: 1
              dn: ou=profile,dc=example,dc=com
              ou: profile
              objectClass: top
              objectClass: organizationalUnit

              dn: cn=proxyagent,ou=profile,dc=example,dc=com
              cn: proxyagent
              sn: proxyagent
              objectClass: top
              objectClass: person
              userPassword: (removed)

              dn: cn=myprofile1,ou=profile,dc=example,dc=com
              objectClass: top
              objectClass: DUAConfigProfile
              defaultSearchBase: dc=example,dc=com
              followReferrals: FALSE
              defaultSearchScope: one
              searchTimeLimit: 30
              cn: myprofile1
              bindTimeLimit: 10
              preferredServerList: myserver
              defaultServerList: myserver
              authenticationMethod: none
              credentialLevel: anonymous
              profileTTL: 3600

              dn: cn=myprovile2,ou=profile,dc=example,dc=com
              objectClass: top
              objectClass: DUAConfigProfile
              defaultServerList: myserver
              defaultSearchBase: dc=example,dc=com
              followReferrals: FALSE
              defaultSearchScope: one
              searchTimeLimit: 30
              preferredServerList: myserver
              cn: myprofile2
              bindTimeLimit: 10
              profileTTL: 3600
              authenticationMethod: simple
              credentialLevel: proxy
              serviceCredentialLevel: proxy
              serviceAuthenticationMethod: simple

              dn: cn=myprofile3,ou=profile,dc=example,dc=com
              objectClass: DUAConfigProfile
              objectClass: top
              cn: myprofile3
              serviceAuthenticationMethod: simple
              authenticationMethod: simple
              bindTimeLimit: 10
              followReferrals: FALSE
              searchTimeLimit: 30
              defaultSearchBase: dc=example,dc=com
              defaultSearchScope: one
              attributeMap: shadow:userpassword=userPassword
              attributeMap: group:gidnumber=gidNumber
              attributeMap: group:userpassword=userPassword
              attributeMap: passwd:gecos=cn
              attributeMap: group:memberuid=memberUid
              attributeMap: passwd:loginshell=loginShell
              attributeMap: passwd:gidnumber=gidNumber
              attributeMap: passwd:homedirectory=unixHomeDirectory
              attributeMap: passwd:uidnumber=uidNumber
              attributeMap: shadow:shadowflag=shadowFlag
              preferredServerList: myserver
              serviceSearchDescriptor: passwd:dc=example,dc=com?sub
              serviceSearchDescriptor: group:dc=example,dc=com?sub
              serviceCredentialLevel: proxy
              credentialLevel: proxy
              profileTTL: 3600
              defaultServerList: myserver
              objectclassMap: group:posixGroup=group
              objectclassMap: passwd:posixAccount=user

              -------------------------------------------------------------------
              When I use profile with no authentication ( myprofile1 ), I do not get this error, but, I cannot change my user password ( the documentation says this is expected behavior which is why I'm trying to use proxy authentication )

              Info from systems ( client and server ):

              (myserver-root: /:281)-> showrev
              Hostname: myserver
              Hostid: (removed)
              Release: 5.10
              Kernel architecture: sun4u
              Application architecture: sparc
              Hardware provider: Sun_Microsystems
              Domain: example.com
              Kernel version: SunOS 5.10 Generic_127111-01

              Directory Server Version Info:
              Sun-ldbm/6.0(64-bit) SunOS 5.10 sparc


              (myclient-root: /var/ldap:147)-> showrev
              Hostname: myclient
              Hostid: (removed)
              Release: 5.10
              Kernel architecture: sun4u
              Application architecture: sparc
              Hardware provider: Sun_Microsystems
              Domain: example.com
              Kernel version: SunOS 5.10 Generic_127111-01


              Hoping someone out there has a fix for this.

              Thanks.
              • 4. Re: Problem on Solaris 10 Native ldap client.
                807567
                I solved this by fully qualifying proxyDN entry during client init:

                ldapclient -v init -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com -a profileName=myprofile svr.ip.ad.dr:port ( port needed if not 389 )
                -------------------------------------------------------------------------------------------------------
                New problem .... "No directory!" when unixuser tries to log on to ldapclient
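The two posts above converge on the profile and the proxy identity: reply 3 shows DUAConfigProfile entries with different credentialLevel / authenticationMethod combinations, and reply 4 fixed the bind by passing a fully qualified proxyDN to ldapclient. The script below is an added example (not posted by anyone in this thread and not Sun's code) that reviews DUAConfigProfile entries from an ldapsearch LDIF dump and flags the combinations a defender would question, plus a form check for the proxyDN value. The LDIF it reads is constructed, modelled on the profiles posted above; the attribute names are the ones ldapclient(1M) documents.

```shell
#!/bin/sh
# Added example for this thread (not Sun/Oracle code): review the
# DUAConfigProfile entries a Solaris native LDAP client would download and
# report credentialLevel / authenticationMethod combinations worth a look.
# SAMPLE_LDIF is constructed for this example, modelled on reply 3.

SAMPLE_LDIF='dn: cn=myprofile1,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: myprofile1
defaultServerList: myserver
authenticationMethod: none
credentialLevel: anonymous

dn: cn=myprofile2,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: myprofile2
defaultServerList: myserver
authenticationMethod: simple
credentialLevel: proxy

dn: cn=myprofile3,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: myprofile3
defaultServerList: myserver
authenticationMethod: tls:simple
credentialLevel: proxy
'

# review_profiles: read LDIF on stdin, print "<cn>: <verdict>" per profile.
# Handles LDIF continuation lines (leading space) and attribute-name case.
review_profiles() {
    awk '
    function flush() {
        if (is_profile) {
            v = "OK"
            if (cred == "proxy" && auth == "none")
                v = "ERROR proxy credentialLevel with authenticationMethod none: the client cannot bind as the proxy"
            else if (cred == "proxy" && auth == "simple")
                v = "WARN simple bind without TLS sends the proxy password in the clear; prefer tls:simple"
            else if (cred == "anonymous")
                v = "INFO anonymous lookups only; password changes will not work"
            printf "%s: %s\n", cn, v
        }
        cn = cred = auth = ""; is_profile = 0
    }
    function handle(l,  i, a, v) {
        if (l == "") return
        i = index(l, ":"); if (i == 0) return
        a = tolower(substr(l, 1, i - 1)); v = substr(l, i + 1); sub(/^ +/, "", v)
        if (a == "objectclass" && tolower(v) == "duaconfigprofile") is_profile = 1
        else if (a == "cn") cn = v
        else if (a == "credentiallevel") cred = tolower(v)
        else if (a == "authenticationmethod") auth = tolower(v)
    }
    /^ / { pending = pending substr($0, 2); next }   # LDIF continuation line
         { handle(pending); pending = $0 }           # previous line is complete
    /^$/ { flush() }                                 # blank line ends an entry
    END  { handle(pending); flush() }
    '
}

# is_dn VALUE: succeed if VALUE has the shape of a DN (attr=value pairs
# separated by commas), which is what -a proxyDN= expects. This checks form
# only, not that the entry exists; escaped commas in values are not handled.
is_dn() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$'
}

# Usage: review the constructed profiles, then check a proxyDN candidate.
printf '%s\n' "$SAMPLE_LDIF" | review_profiles
if is_dn 'cn=proxyagent,ou=profile,dc=example,dc=com'; then
    echo 'proxyDN is a full DN'
fi
```

On a live system, pipe the real dump in instead of the sample, e.g. `ldapsearch -h myserver -b ou=profile,dc=example,dc=com objectclass=DUAConfigProfile | review_profiles`, and run `is_dn` on the value you intend to pass to `ldapclient init` before you run it.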
                • 5. Re: Problem on Solaris 10 Native ldap client.
                  807567
                  auto_home and auto_master in the client's files so that it -- via nsswitch.conf ( automount files ldap ) -- finds properly configured automount settings on the ldap server

                  Got the whole thing working today -- authentication, home dirs, user passwd change, etc. woo-hoo!

                  Here's what I did -- all steps:

                  http://forum.java.sun.com/thread.jspa?messageID=9968108&#9968108
                  • 6. Re: Problem on Solaris 10 Native ldap client.
                    807567
                    Hi,

                    We have the same problem but the ldapclient command with the proxyagent as CN didn't solve the problem.
                    We noted this in the message log:
                    Jun 23 07:45:55 charpak ldap_cachemgr[9210]: [ID 293258 daemon.error] libsldap: Status: 4 Mesg: Unable to open filename '/var/ldap/ldap_client_file' for reading (errno=13).

                    But the file is present....

                    Do you have any idea?

                    Edited by: dubis on Jun 23, 2010 5:47 AM
                    • 7. Re: Problem on Solaris 10 Native ldap client.
                      wrobbins2
                      1) better to start a new thread than reply to one from years ago

                      2) check ownership & permissions on '/var/ldap/ldap_client_file'
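errno=13 is EACCES, "permission denied", so wrobbins2's second point is the one to act on. The helpers below are an added example (not posted in this thread, not Sun's code) that report a file's owner uid and octal mode without relying on stat(1), which Solaris 10 lacks, and compare the mode with what you expect. The expected modes used in the usage section (0444 for ldap_client_file, 0400 for ldap_client_cred, which holds the proxy password) are my assumption; confirm them against ldapclient(1M) on your own release.

```shell
#!/bin/sh
# Added example for this thread (not Sun/Oracle code): report and check the
# ownership and permissions of the native LDAP client configuration files.

# owner_uid PATH: print the numeric uid owning PATH (ls -n is available on
# both Solaris and GNU ls).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# mode_of PATH: print the octal permission bits, derived from the ls -l mode
# string. 's' and 't' imply the x bit is set; 'S' and 'T' mean it is not.
mode_of() {
    ls -ld "$1" | awk '{
        p = substr($1, 2, 9); m = 0
        for (i = 1; i <= 9; i++)
            if (substr(p, i, 1) ~ /[rwxst]/) m += 2 ^ (9 - i)
        printf "%o\n", m }'
}

# check_ldap_file PATH EXPECTED_OCTAL_MODE
# Prints a one-line verdict. Returns 0 if PATH exists with exactly that
# mode, 1 if the mode differs, 2 if the file is missing.
check_ldap_file() {
    f=$1; want=$2
    if [ ! -e "$f" ]; then
        printf 'MISSING  %s\n' "$f"
        return 2
    fi
    have=$(mode_of "$f"); uid=$(owner_uid "$f")
    if [ "$have" = "$want" ]; then
        printf 'OK       %s mode=%s uid=%s\n' "$f" "$have" "$uid"
        return 0
    fi
    case $(ls -ld "$f" | cut -c2) in
        r) note="owner-readable" ;;
        *) note="NOT owner-readable" ;;
    esac
    printf 'MISMATCH %s mode=%s want=%s uid=%s (%s)\n' "$f" "$have" "$want" "$uid" "$note"
    return 1
}

# Usage on a client that has been initialised with ldapclient. The expected
# modes below are assumptions for this example; verify against ldapclient(1M).
if [ -d /var/ldap ]; then
    check_ldap_file /var/ldap/ldap_client_file 444
    check_ldap_file /var/ldap/ldap_client_cred 400
fi
```

A uid other than 0 in the verdict line is the ownership problem wrobbins2 refers to; a mode mismatch on ldap_client_cred matters even when the daemon can read it, because that file carries the proxy bind password.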
                      • 8. Re: Problem on Solaris 10 Native ldap client.
                        dcminter
                        Please don't reopen very old threads. If you have a new question please start a new thread - if you think this thread contains useful information feel free to link to it.

                        Locking.