This discussion is archived
9 Replies Latest reply: Aug 23, 2013 12:27 PM by user13499675 RSS

Add users to ODSEE from Solaris 11.1

user13499675 Newbie
Currently Being Moderated

I currently have a server running ODSEE 11.1.1.3 and I cannot run a "useradd -S ldap" on a Solaris 11.1 client.  I get the following error:

 

LDAP configuration problem.

ldap passwd database update failed for username.

UX: useradd: ERROR: Cannot update system - login cannot be created.

 

We were previously using ldif's to add users, but have been wanting to switch to the useradd commands for simplicity.  I am not too familiar with ODSEE, but can provide any information needed for the server setup.  Any ideas?

  • 1. Re: Add users to ODSEE from Solaris 11.1
    Marco Milo Journeyer
    Currently Being Moderated

    Hello,

    it could be a problem with the user binding to the Directory Server that hasn't privileges enough... or it could be a password policy related issue (i.e. password doesn't meet the minimum requirements like length, complexity, etc..)

     

    What do you see in the Directory Server instance log files when you try to 'useradd' ?

     

    thanks,

    Marco

  • 2. Re: Add users to ODSEE from Solaris 11.1
    user13499675 Newbie
    Currently Being Moderated

    I haven't gotten to the far enough to assign a password. I can't even create the user.  After doing some searching I ran a ldapclient mod to set enableShadowUpdate=TRUE and add properties for adminDN, and adminPassword on the client. When I run the useradd command now I get "ldap: operation failed" instead of "LDAP configuration problem," but the same errors about passwd database update failed.  I was tailing the messages file while running the useradd and noticed the following errors:  

     

    ldap_cachemgr [2743]: [ID 293258 daemon.error] libsldap: Status: 32 Mesg: openConnection simple bin failed - No such object

    ldap_cachemgr [2743:] [ID 293258 daemon.warning] libsldap: Status: 1 Mesg: Internal write State machine exit (state = 3, rc =1).

    passmgmt [7503]: [ID 783142 user.error] ldap passwd database update failed for username


    Does this mean I'm having issues with the "admin" binding to the ldapserver?  In the access.log I see "Connection closed by unbind client"

  • 3. Re: Add users to ODSEE from Solaris 11.1
    Marco Milo Journeyer
    Currently Being Moderated

    Well, you should also probably have seen something like "err=32" ... which is a "well known" LDAP return code, which in this context seems due to the fact that the 'object' (or the DN, uid, cn) you're trying to bind with doesn't exist, so the 'BIND' operation is failing.

  • 4. Re: Add users to ODSEE from Solaris 11.1
    user13499675 Newbie
    Currently Being Moderated

    Yes.  I see the err=32 entry in the access log when "admin" tries to bind.  What should I look at to find out why admin can't bind to the server?

  • 5. Re: Add users to ODSEE from Solaris 11.1
    Marco Milo Journeyer
    Currently Being Moderated

    err=32 on a bind operation, simply means that the object you're using/would like to authenticate with, doesn't exist.

     

     

    You would probably check the credentials being used to bind to the LDAP. [maybe the LDAP 'admin' user that you are using is *not really* the Directory Manager (the nsslapd-rootdn in the dse.ldif file), or what you're using hasn't privileges enough]

  • 6. Re: Add users to ODSEE from Solaris 11.1
    user13499675 Newbie
    Currently Being Moderated

    I'm not sure what was wrong with my admin user, but I rebuilt the server and the admin user is binding.  The problem I'm having now is that we apply a password policy and I cannot successfully run a useradd because ldap errors out with err=19 "invalid password syntax: no uppercase character."  I'm assuming this is for the user that I am trying to add and not the admin user.  The admin user contains an uppercase character.  I'm looking into this issue now.   Thanks for getting me headed in the right direction.

  • 7. Re: Add users to ODSEE from Solaris 11.1
    Marco Milo Journeyer
    Currently Being Moderated

    Well, you can check that in the access log.

    I would expect you now have a successful 'BIND' operation performed by the admin user (err=0), maybe followed by a failing 'MOD' operation (err=19), when trying to set a password which doesn't comply with the password policy.

     

    HTH,

    Marco

  • 8. Re: Add users to ODSEE from Solaris 11.1
    user13499675 Newbie
    Currently Being Moderated

    I get an error for the ADD. The useradd command in Solaris 11.1 doesn't give the option to assign a password while adding the user.  I'm basically trying to add a user without a password and LDAP is rejecting the addition from what I can see. 

     

    # useradd -S ldap -u uid -g gid -d homedir -e date -f 365 username


    Command fails with the error i mentioned above.  I'm not sure if I can modify my an ACI to allow user entries without passwords and then update the user's password with the "passwd -r ldap username" command.  Any information would be appreciated.

  • 9. Re: Add users to ODSEE from Solaris 11.1
    Marco Milo Journeyer
    Currently Being Moderated

    Ok, so you have ACIs in place that prevent this operation.

     

    Although it may depend your specific configurations (PAM and/or other auth mechanisms), having users without the password attribute, doesn't mean that these users are granted the access to the various systems without a password...

     

    At this point, I would see 2 alternative options:

    1) Modify the password policy and check that a user without a password is *NOT* granted access to the systems.

    2) Not modify the password policy, perform the 'ADD' operation binding with an LDAP privileged user (i.e., an ldapmodify with the "Directory Manager") and then assign regularly the password with the 'passwd -r ldap <PASSWORD>' command

     

    HTH,

    Marco

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points