9 Replies Latest reply: Aug 23, 2013 2:40 PM by Marco Milo RSS

    Add users to ODSEE from Solaris 11.1


      I currently have a server running ODSEE and I cannot run a "useradd -S ldap" on a Solaris 11.1 client.  I get the following error:


      LDAP configuration problem.

      ldap passwd database update failed for username.

      UX: useradd: ERROR: Cannot update system - login cannot be created.


      We were previously using ldif's to add users, but have been wanting to switch to the useradd commands for simplicity.  I am not too familiar with ODSEE, but can provide any information needed for the server setup.  Any ideas?

        • 1. Re: Add users to ODSEE from Solaris 11.1
          Marco Milo


          it could be a problem with the user binding to the Directory Server that hasn't privileges enough... or it could be a password policy related issue (i.e. password doesn't meet the minimum requirements like length, complexity, etc..)


          What do you see in the Directory Server instance log files when you try to 'useradd' ?




          • 2. Re: Add users to ODSEE from Solaris 11.1

            I haven't gotten to the far enough to assign a password. I can't even create the user.  After doing some searching I ran a ldapclient mod to set enableShadowUpdate=TRUE and add properties for adminDN, and adminPassword on the client. When I run the useradd command now I get "ldap: operation failed" instead of "LDAP configuration problem," but the same errors about passwd database update failed.  I was tailing the messages file while running the useradd and noticed the following errors:  


            ldap_cachemgr [2743]: [ID 293258 daemon.error] libsldap: Status: 32 Mesg: openConnection simple bin failed - No such object

            ldap_cachemgr [2743:] [ID 293258 daemon.warning] libsldap: Status: 1 Mesg: Internal write State machine exit (state = 3, rc =1).

            passmgmt [7503]: [ID 783142 user.error] ldap passwd database update failed for username

            Does this mean I'm having issues with the "admin" binding to the ldapserver?  In the access.log I see "Connection closed by unbind client"

            • 3. Re: Add users to ODSEE from Solaris 11.1
              Marco Milo

              Well, you should also probably have seen something like "err=32" ... which is a "well known" LDAP return code, which in this context seems due to the fact that the 'object' (or the DN, uid, cn) you're trying to bind with doesn't exist, so the 'BIND' operation is failing.

              • 4. Re: Add users to ODSEE from Solaris 11.1

                Yes.  I see the err=32 entry in the access log when "admin" tries to bind.  What should I look at to find out why admin can't bind to the server?

                • 5. Re: Add users to ODSEE from Solaris 11.1
                  Marco Milo

                  err=32 on a bind operation, simply means that the object you're using/would like to authenticate with, doesn't exist.



                  You would probably check the credentials being used to bind to the LDAP. [maybe the LDAP 'admin' user that you are using is *not really* the Directory Manager (the nsslapd-rootdn in the dse.ldif file), or what you're using hasn't privileges enough]

                  • 6. Re: Add users to ODSEE from Solaris 11.1

                    I'm not sure what was wrong with my admin user, but I rebuilt the server and the admin user is binding.  The problem I'm having now is that we apply a password policy and I cannot successfully run a useradd because ldap errors out with err=19 "invalid password syntax: no uppercase character."  I'm assuming this is for the user that I am trying to add and not the admin user.  The admin user contains an uppercase character.  I'm looking into this issue now.   Thanks for getting me headed in the right direction.

                    • 7. Re: Add users to ODSEE from Solaris 11.1
                      Marco Milo

                      Well, you can check that in the access log.

                      I would expect you now have a successful 'BIND' operation performed by the admin user (err=0), maybe followed by a failing 'MOD' operation (err=19), when trying to set a password which doesn't comply with the password policy.




                      • 8. Re: Add users to ODSEE from Solaris 11.1

                        I get an error for the ADD. The useradd command in Solaris 11.1 doesn't give the option to assign a password while adding the user.  I'm basically trying to add a user without a password and LDAP is rejecting the addition from what I can see. 


                        # useradd -S ldap -u uid -g gid -d homedir -e date -f 365 username

                        Command fails with the error i mentioned above.  I'm not sure if I can modify my an ACI to allow user entries without passwords and then update the user's password with the "passwd -r ldap username" command.  Any information would be appreciated.

                        • 9. Re: Add users to ODSEE from Solaris 11.1
                          Marco Milo

                          Ok, so you have ACIs in place that prevent this operation.


                          Although it may depend your specific configurations (PAM and/or other auth mechanisms), having users without the password attribute, doesn't mean that these users are granted the access to the various systems without a password...


                          At this point, I would see 2 alternative options:

                          1) Modify the password policy and check that a user without a password is *NOT* granted access to the systems.

                          2) Not modify the password policy, perform the 'ADD' operation binding with an LDAP privileged user (i.e., an ldapmodify with the "Directory Manager") and then assign regularly the password with the 'passwd -r ldap <PASSWORD>' command