
RE: Configuring Solaris 8 clients

--On Thursday, March 27, 2003 9:37 AM -0500 Igor Brezac <igor@ipass.net> wrote:


On Thu, 27 Mar 2003, Matthew Mauzy wrote:

Thanks for the examples but I'm still not able to configure solaris 8 as
a client of the openldap 2.1.12 server.

Here's my /var/ldap/ldap_client_file

NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 152.2.104.6:389
NS_LDAP_SEARCH_BASEDN= dc=amath,dc=unc,dc=edu
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_NOREF
NS_LDAP_DOMAIN= amath.unc.edu
NS_LDAP_EXP= 1045640377
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=amath,dc=unc,dc=edu),group:(ou=People,dc=amath,dc=unc,dc=edu)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30

Here's my /var/ldap/ldap_client_cred

NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu


I've edited /etc/nsswitch.conf to place ldap into the passwd, group, hosts, etc., but when I run listusers all I get are the local users.

My questions:

 - For the BINDDN, don't I need the password?  When adding that 'user' into the LDAP dir, why is it that the NS_LDAP_BINDDN_PASSWD has the {NS1} stuff?


It depends. You told the ldap client to bind anonymously to the ldap server (NS_LDAP_AUTH= NS_LDAP_AUTH_NONE). You can set NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE if you want to do a simple bind to the ldap server with NS_LDAP_BINDDN and NS_LDAP_BIND_PASSWD.

Added NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxxx to /var/ldap/ldap_client_cred and am now able to get LDAP info via nss.



 - Would upgrading to OpenLDAP 2.1.16 solve any of these problems?


For Solaris 9 I've run the ldapclient command that you supplied (with proper alterations for my LDAP system) and am able to get all of the LDAP users with listusers (yah!), but when I try to log in to one of the LDAP accounts I get incorrect password errors. I can su - <ldap account>, so I'm getting proper info from the LDAP server. Is this a PAM problem???


My guess is that anonymous cannot read the userPassword attribute, or the userPassword attribute is not of the {crypt}xxxxxxxxxxxxx form.

Correct. My userPassword attribute is {KERBEROS}principal@REALM


I am now getting account info from LDAP. Only problem is getting PAM stacked correctly to allow login via ssh/telnet/xdm for LDAP accounts. I can su into the account, but logins fail to no local accounts.


__________________________________________________________________
                       Matthew W. Mauzy
                     Systems Administrator
                     Applied Math @ UNC-CH
email : mauzy@amath.unc.edu           pager : mpager@amath.unc.edu
(W) 919.962.9819   www.amath.unc.edu/~mauzy/   (P) 919.347.0390
__________________________________________________________________
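The two failure modes in this thread (a BINDDN configured while NS_LDAP_AUTH is still NONE, and a userPassword that is not in the {crypt} form pam_unix can compare against) can be checked before touching PAM. The following is an added example written for this archive page, not code from the thread or from Sun; the sample file contents, IP address and DNs are constructed placeholders, and the {NS1} prefix check only reflects the form Matthew reports ldapclient writing.

```python
import re

# Constructed samples mirroring the /var/ldap files quoted in the thread (placeholder values).
CLIENT_FILE = """NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 192.0.2.10:389
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=example,dc=org),group:(ou=People,dc=example,dc=org)
"""
CLIENT_CRED = "NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=example,dc=org\n"


def parse_ns_ldap(text):
    """Parse 'NS_LDAP_KEY= value' lines into a dict; the first '=' separates key and value."""
    conf = {}
    for line in text.splitlines():
        if line.startswith("NS_LDAP_") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def bind_findings(client_file, client_cred):
    """Report bind-configuration problems of the kind discussed in the thread."""
    f, c = parse_ns_ldap(client_file), parse_ns_ldap(client_cred)
    auth = f.get("NS_LDAP_AUTH")
    findings = []
    if auth == "NS_LDAP_AUTH_NONE" and "NS_LDAP_BINDDN" in c:
        findings.append("BINDDN set but NS_LDAP_AUTH is NONE: the client binds anonymously")
    if auth == "NS_LDAP_AUTH_SIMPLE":
        if "NS_LDAP_BINDDN" not in c or "NS_LDAP_BINDPASSWD" not in c:
            findings.append("SIMPLE bind needs NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD in ldap_client_cred")
        elif not c["NS_LDAP_BINDPASSWD"].startswith("{NS1}"):
            findings.append("NS_LDAP_BINDPASSWD is not in the {NS1} form ldapclient writes")
        if f.get("NS_LDAP_TRANSPORT_SEC") == "NS_LDAP_SEC_NONE":
            findings.append("simple bind over NS_LDAP_SEC_NONE sends the bind password in cleartext")
    return findings


def password_scheme(user_password):
    """Return the {scheme} tag of a userPassword value (e.g. 'crypt', 'KERBEROS'), or None."""
    m = re.match(r"\{([^}]+)\}", user_password)
    return m.group(1) if m else None


def pam_unix_can_verify(user_password):
    """Per the thread, Solaris pam_unix needs a {crypt} hash; {KERBEROS}principal@REALM cannot be compared."""
    scheme = password_scheme(user_password)
    return scheme is not None and scheme.lower() == "crypt"
```

Run it against real /var/ldap files by reading them into the two strings; the anonymous-bind finding also explains why userPassword may be unreadable when the directory ACLs only grant it to an authenticated proxy.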