Hi everyone!

I have already searched the mailing list history, googled the net and tried out several HOWTOs and referrals. Maybe anyone in here can help me?

I'm trying to switch a NIS+ environment over to an OpenLDAP directory service for user authentication and management. The server is up and running and I filled it with some test users and Solaris ldapclient autoconfig information (see LDIF below). But somehow I can't get the Solaris login to work.
    # login
    login: joschik
    Password:
    LDAP Password:
    Login incorrect

The Solaris ldapclient tool generated /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred and switched /etc/pam.conf over to LDAP usage (I also tried that with self-created files ... nope):
    login auth     sufficient /usr/lib/security/pam_unix.so.1
    login auth     required   /usr/lib/security/pam_ldap.so.1 try_first_pass
    login account  sufficient /usr/lib/security/pam_unix.so.1
    login account  required   /usr/lib/security/pam_ldap.so.1
    login session  required   /usr/lib/security/pam_unix.so.1
    login password sufficient /usr/lib/security/pam_unix.so.1
    login password required   /usr/lib/security/pam_ldap.so.1 try_first_pass

The ldap_cachemgr is up and running and it also refreshes from the profile stored in the server (most of the time :-)).
I believe that the pam_ldap module either tries to bind to the LDAP server as the user that tries to log in, or binds as the proxy user and searches for the passwd info. If it succeeds, authentication is granted? Am I at least right here?

I can see the module binding to the server in debug mode and searching for the user information, but I don't know why it doesn't work.

All the ldapsearch commands are working; I can bind to the LDAP server as anonymous, as one of the users in ou=People or as the proxyagent user (command line and Java LDAP browser).

I also tried with the LDAP server info in /etc/ldap.conf and /etc/ldap.secret (I think I don't need those; every piece of information the cachemgr needs is in the files above and there is no difference with or without them). That doesn't work either (do I really need these files for Solaris PAM?).

Is there any known problem with the Solaris native PAM modules and using OpenLDAP? Do I need other PAM modules (www.padl.com)?

Any help is welcome!

Thank you,
Ralf Begemann
Search commands and ldapclient setup:

    # ldapsearch -h 192.168.0.1 -s base '(objectclass=*)'
    objectClass=top
    objectClass=OpenLDAProotDSE
    namingContexts=o=rabe,c=de
    supportedControl=2.16.840.1.113730.3.4.2
    supportedExtension=1.3.6.1.4.1.4203.1.11.1
    supportedExtension=1.3.6.1.4.1.1466.20037
    supportedLDAPVersion=2
    supportedLDAPVersion=3
    subschemaSubentry=cn=Subschema

    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=LDAPusers,o=rabe,c=de
    NS_LDAP_BINDPASSWD= {NS1}a1ee08dc7d61
    NS_LDAP_SERVERS= 192.168.0.1
    NS_LDAP_SEARCH_BASEDN= o=rabe,c=de
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= 192.168.0.1
    NS_LDAP_PROFILE= default __default_config
    NS_LDAP_CREDENTIAL_LEVEL= anonymous
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,o=rabe,c=de?one
    NS_LDAP_BIND_TIME= 30
    NS_LDAP_ATTRIBUTEMAP= passwd:uid=cn
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=unixAccount
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple

LDIF file:

    dn: o=rabe,c=de
    objectClass: organization
    objectClass: top
    objectClass: nisDomainObject
    nisDomain: rabe.de
    o: rabe

    dn: ou=People,o=rabe,c=de
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    dn: uid=joschik,ou=People,o=rabe,c=de
    objectClass: top
    objectClass: Person
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: account
    uid: joschik
    uidNumber: 1621
    cn: joschik
    shadowInactive: -1
    loginShell: /usr/bin/ksh
    gidNumber: 103
    shadowMin: -1
    shadowMax: -1
    gecos: Jonathan Driesner
    description: -1
    homeDirectory: /export/home/joschik
    sn: Driesner
    shadowWarning: -1
    userPassword: {crypt}o/.ZsRVn/o.Ec
    shadowExpire: 25000
    shadowFlag: 0
    shadowLastChange: 11865

    dn: uid=otto,ou=People,o=rabe,c=de
    objectClass: top
    objectClass: Person
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: account
    userPassword: 0
    uid: otto
    uidNumber: 1622
    cn: otto
    shadowInactive: -1
    loginShell: /usr/bin/ksh
    gidNumber: 104
    shadowMin: -1
    shadowMax: -1
    gecos: otto kathalog
    description: -1
    homeDirectory: /export/home/otto
    sn: kathalog
    shadowWarning: -1
    shadowExpire: 25000
    shadowLastChange: 11865
    shadowFlag: 0

    dn: uid=rabe,ou=people,o=rabe,c=de
    cn: rabe
    uidNumber: 1001
    gidNumber: 14
    gecos: Siglis Du brauchst es !
    homeDirectory: /home/rabe
    loginShell: /bin/bash
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: account
    objectClass: top
    uid: rabe
    userPassword: {crypt}5UA7HabUR9Qys
    shadowLastChange: 11865
    shadowFlag: 0

    dn: ou=LDAPUsers,o=rabe,c=de
    ou: LDAPUsers
    objectClass: top
    objectClass: organizationalUnit

    dn: cn=proxyagent,ou=LDAPUsers,o=rabe,c=de
    objectClass: top
    objectClass: person
    sn: LDAP User
    cn: proxyagent
    userPassword: {NS1}a1ee08dc7d61

    dn: ou=Profile,o=rabe,c=de
    ou: Profile
    objectClass: top
    objectClass: organizationalUnit

    dn: cn=__default_config,ou=Profile,o=rabe,c=de
    SolarisSearchBaseDN: ou=People,o=rabe,c=de
    defaultServerList: 192.168.0.1
    authenticationMethod: simple
    objectClass: top
    objectClass: SolarisNamingProfile
    objectClass: DUAConfigProfile
    SolarisSearchTimeLimit: 30
    attributeMap: passwd:uid=cn
    SolarisCacheTTL: 3600
    preferredServerList: 192.168.0.1
    SolarisBindPassword: {NS1}a1ee08dc7d61
    serviceAuthenticationMethod: pam_ldap:tls:simple
    defaultSearchBase: o=rabe,c=de
    defaultSearchScope: sub
    searchTimeLimit: 30
    credentialLevel: anonymous
    bindTimeLimit: 30
    SolarisBindDN: cn=proxyagent,ou=LDAPusers,o=rabe,c=de
    profileTTL: 3600
    objectclassMap: passwd:posixAccount=unixAccount
    SolarisLDAPServers: 192.168.0.1
    serviceSearchDescriptor: passwd:ou=people,o=rabe,c=de?one
    cn: __default_config
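As an added example (not part of the post above), a Python check I would run over an LDIF like this one before loading it into slapd: it parses the entries, flags posixAccount entries that lack the attributes pam_ldap needs, and flags userPassword values stored with a scheme a stock OpenLDAP simple bind cannot verify. The embedded LDIF is a constructed, trimmed copy of three of the posted entries; the required-attribute list and the scheme set are my assumptions about an unmodified slapd.

```python
import re
# Schemes a stock OpenLDAP simple bind can verify ({CRYPT} only if slapd was built with it).
# {NS1} is Solaris ldapclient's own obfuscation of the bind password; slapd does not know it.
KNOWN_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT", "CLEARTEXT"}
REQUIRED = ("uid", "uidNumber", "gidNumber")   # minimum pam_ldap needs from a passwd entry
# Constructed sample: trimmed copies of three entries from the post above.
SAMPLE_LDIF = """\
dn: uid=joschik,ou=People,o=rabe,c=de
objectClass: posixAccount
uid: joschik
uidNumber: 1621
gidNumber: 103
userPassword: {crypt}o/.ZsRVn/o.Ec

dn: uid=otto,ou=People,o=rabe,c=de
objectClass: posixAccount
uid: otto
uidNumber: 1622
userPassword: 0

dn: cn=proxyagent,ou=LDAPUsers,o=rabe,c=de
objectClass: person
userPassword: {NS1}a1ee08dc7d61
"""

def parse_ldif(text):  # minimal LDIF reader: folds continued lines, lowercases attr names
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        cur = {}
        for line in block.splitlines():
            if not line.startswith("#"):
                attr, _, val = line.partition(":")
                cur.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(cur)
    return entries

def check_entry(e):  # problems that would stop a Solaris pam_ldap login against entry e
    dn, out = e["dn"][0], []
    if "posixaccount" in {c.lower() for c in e.get("objectclass", [])}:
        out += [f"{dn}: missing {a}" for a in REQUIRED if a.lower() not in e]
    for pw in e.get("userpassword", []):
        m = re.match(r"\{([^}]+)\}", pw)
        if not m:
            out.append(f"{dn}: userPassword is cleartext")
        elif m.group(1).upper() not in KNOWN_SCHEMES:
            out.append(f"{dn}: userPassword scheme {{{m.group(1)}}} unknown to OpenLDAP")
    return out

def audit(text=SAMPLE_LDIF):
    return [p for e in parse_ldif(text) for p in check_entry(e)]
```

Run `audit()` on the real export (`audit(open("export.ldif").read())`) and fix every reported entry before expecting pam_ldap to accept a password from it.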