authentication problems
What I am trying to accomplish:
Have a Solaris 8 system authenticate against an LDAP server, where users have access to only the /etc/passwd-style info, but not the /etc/shadow-style info. The system needs to be secure from both external users and internal users.
I've tried to setup the following:
An LDAP server with two users: a Manager user with read/write access to everything, and a client user with read-only access (for user authentication, local finger, etc.).
What's happening:
When /var/ldap/ldap_client_cred is chmod 600:
I can log in via ssh.
As root, listusers produces all users. Including all ldap users, where dn="uid=SOMEUSER,ou=People,dc=onyxsys,dc=net".
ls -l on files produces the username.
As non-root, listusers produces just /etc/passwd users.
ls -l on files produces the userid number.
When /var/ldap/ldap_client_cred is chmod 644:
Everything works like it should, but.....
I can't have the /var/ldap/ldap_client_cred file readable by my users; this would give them more access than I want.
Also, whenever I change
defaultaccess write
access to * by * write
to
defaultaccess none
access to * by dn="cn=Manager,dc=onyxsys,dc=net" write
access to * by dn="cn=admin,dc=onyxsys,dc=net" write
access to * by dn="cn=client,dc=onyxsys,dc=net" read
I can't query the ldap server. I get "ldap_bind: Insufficient access".
Any help would be appreciated... Also, if anyone knows of a working Solaris 8/9 configuration, please let me know. All of the ones that I have found are conflicting (some say edit pam.conf, some say don't, some say compile new PAM modules, etc.). The only two things I will be using on the system are OpenSSH and ProFTPD (with mod_ldap).
*****
Here's my Setup:
OpenLDAP 2.0.21 running on Solaris 8 <sparc>
Authenticating on the client by creating:
/etc/nsswitch.conf to include:
passwd: files ldap [NOTFOUND=return]
group: files ldap [NOTFOUND=return]
/var/ldap/ldap_client_cred
#Which looks like
NS_LDAP_BINDDN= cn=client,dc=onyxsys,dc=net
NS_LDAP_BINDPASSW= {NS1}<password generated by using ldappasswd>
/var/ldap/ldap_client_file
#Which looks like
NA_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 10.10.2.3
NS_LDAP_SEARCH_BASEDN= (dc=onyxsys,dc=net)
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_DOMAIN= onyxsys.net
NS_LDAP_EXP= 1017866872
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=onyxsys,dc=net)
NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=onyxsys,dc=net)
NS_LDAP_SEARCH_DN= group:(ou=Group,dc=onyxsys,dc=net)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
On the OpenLDAP server, /etc/openldap/slapd.conf looks like this (minus comments, etc.):
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/solaris.schema
include /etc/openldap/schema/misc.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
defaultaccess write
access to * by * write
database ldbm
suffix "dc=onyxsys,dc=net"
rootdn "cn=Manager,dc=onyxsys,dc=net"
rootpw {SSHA}<snip>
directory /var/openldap-ldbm
when doing "> ldapsearch -h 10.10.2.3 -D cn=client,dc=onyxsys,dc=net -W -b dc=onyxsys,dc=net cn=client"
version: 2
#
# filter: cn=client
# requesting: ALL
#
# client, onyxsys, net
dn: cn=client,dc=onyxsys,dc=net
objectClass: top
objectClass: person
cn: client
sn: Ldap Client
userPassword:: <SNIP>=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
when doing "> ldapsearch -h 10.10.2.3 -D cn=client,dc=onyxsys,dc=net -W -b ou=People,dc=onyxsys,dc=net uid=chuck"
version: 2
#
# filter: uid=chuck
# requesting: ALL
#
# chuck, People, onyxsys, net
dn: uid=chuck,ou=People,dc=onyxsys,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
cn: chuck
uid: chuck
gecos: Chuck Pierce
uidNumber: 1068
gidNumber: 500
homeDirectory: /home/chuck
loginShell: /bin/bash
userPassword:: <snip>
shadowLastChange: 11896
shadowExpire: 90
shadowWarning: 7
shadowInactive: -1
shadowMin: 0
shadowMax: 999999
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
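Editor's note on the ACL block quoted in the post (an added example, not the poster's configuration). slapd evaluates `access to` directives in order and consults only the first one whose target matches the entry, so four separate `access to *` lines collapse to the first: `by dn="cn=Manager,..." write`. Since cn=Manager is the rootdn and bypasses ACLs anyway, nobody else gets any access, and in particular anonymous gets no `auth` access to userPassword. A simple bind must be able to compare the bind DN's userPassword before any identity is established, which is why `ldapsearch -D cn=client,...` fails with "ldap_bind: Insufficient access" as soon as `by * write` is removed. The fragment below, written for the 2.0-era slapd.conf syntax the post uses and against the post's own DNs, gives the proxy account read access to everything except the password hash, which is what the poster wants the Solaris client to see (passwd-style attributes, not the hash). The `by * none` clauses are explicit so the fragment does not depend on the `defaultaccess` setting.

```conf
# Added example ACLs for /etc/openldap/slapd.conf (OpenLDAP 2.0.x syntax).
# Replaces the "defaultaccess write" / "access to * by * write" lines.
# Order matters: the first "access to" whose <what> matches an entry (and
# attribute) is the only clause consulted, so the specific rule goes first
# and every clause carries its complete "by" list.

# The password hash: users may change their own, anonymous may only use it
# to authenticate (needed for simple bind, including the proxy's own bind),
# cn=admin may administer it, nobody else (including cn=client) can read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="cn=admin,dc=onyxsys,dc=net" write
        by * none

# Everything else (posixAccount / shadowAccount attributes, groups, ...):
# cn=admin writes, the Solaris proxy account cn=client reads, no anonymous
# browsing of the directory.
access to *
        by dn="cn=admin,dc=onyxsys,dc=net" write
        by dn="cn=client,dc=onyxsys,dc=net" read
        by * none

# cn=Manager is the rootdn and is not subject to ACLs, so it needs no "by" clause.
```

Two caveats a practitioner should keep in mind. First, anything cn=client can read is effectively readable by anyone who can read /var/ldap/ldap_client_cred, because that file carries the proxy DN and its (reversibly encoded) password; the ACL, not the file mode, is therefore the real boundary, and the shadow* attributes above are still visible to the proxy unless they are moved into the `attrs=` clause. Second, a client configured with `NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE` sends both the proxy bind and any user binds in clear text on the wire, so the same hashes this ACL protects against directory reads can still be captured by anyone on the path between 10.10.2.3 and the clients.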