[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problems to authenticate Solaris 9 in OpenLDAP



Hello

I´m trying to authenticate one Solaris 9 client in one OpenLDAP server
running in the same machine, and I´m having troubles. The 'slapd' and
'ldapclient' are running, but I can´t use the openldap base. I´d really
appreciate any help.
The program versions are:

gcc version 3.3.2
openldap-2.1.25
openssl-0.9.7c
db-4.1.25
cyrus-sasl-2.1.17

I was installed DB with these options:

../dist/configure --prefix=/usr/local --enable-shared

Cyrus-SASL:

./configure --with-bdb-libdir=/usr/local/lib
--with-bdb-incdir=/usr/local/include --disable-krb4 --disable-gssapi

Then, I have applied the suggested patch for Solaris in 'result.c' and
compiled it with these options:

CC=gcc
LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/lib:/usr/local/lib/sasl2
LD_FLAGS=-L/usr/local/ssl/lib -L/usr/local/lib
-R/usr/local/ssl/lib:/usr/local/lib

./configure --with-cyrus-sasl --with-tls --enable-wrappers --enable-crypt
--enable-bdb --enable-slapd --enable-syslog --enable-ipv6=no

I was configured my LDAP base with one solaris profile:

dn: dc=my,dc=domain
objectClass: top
objectClass: organization
objectClass: dcObject
objectClass: nisDomainObject
dc: my
o: my
description: Root
nisdomain: my.domain

dn: cn=admin,dc=my,dc=domain
objectClass: organizationalRole
cn: admin
description: LDAP Admin

dn: ou=Profile,dc=pucrs,dc=br
objectClass: top
objectClass: organizationalUnit
ou: Profile
description: Profiles

dn: ou=People,dc=my,dc=domain
objectClass: top
objectClass: organizationalUnit
ou: People
description: Everyone

dn: cn=proxyagent,ou=Profile,dc=my,dc=domain
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {MD5}FAFSadsfdasfdsa==

dn: cn=profile-server,ou=profile,dc=my,dc=domain
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: server.my.domain
defaultSearchBase: dc=my,dc=domain
authenticationMethod: tls:simple
cn: profile-server
credentialLevel: proxy

dn: uid=ldapuser,ou=People,dc=my,dc=domain
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ldapuser
cn: ldapuser
sn: User
cn: LDAP
cn: LDAP User
uidNumber: 100
gidNumber: 4
homeDirectory: /home/adm/ldapuser
userPassword: {MD5}DFASd87906gfuias==
loginShell: /bin/bash

Then, I was used the 'ldapclient' of the system:

# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=my,dc=domain
NS_LDAP_BINDPASSWD= {NS1}kjdçlakldaljkçfdlskakldfslkhjhgghklskçakljfdajfdsa
NS_LDAP_SERVERS= 10.10.200.4:389
NS_LDAP_SEARCH_BASEDN= dc=my,dc=domain
NS_LDAP_AUTH= simple
NS_LDAP_SERVER_PREF= auth
NS_LDAP_PROFILE= profile-server
NS_LDAP_CREDENTIAL_LEVEL= proxy

I had modified the /etc/nsswitch and /etc/pam.conf too:

##############################################################
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and
/etc/group.
passwd:     files ldap [TRYAGAIN=5]
group:      files ldap [TRYAGAIN=5]

# consult /etc "files" only if ldap is down.
hosts:      files dns
ipnodes:    files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:    ldap [NOTFOUND=return] files

networks:   files ldap dns
protocols:  ldap files
rpc:        ldap files
ethers:     ldap files
netmasks:   ldap files
bootparams: ldap files
publickey:  ldap files

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap
sendmailvars:   files

printers:       user files ldap

auth_attr: files ldap
prof_attr: files ldap

project:    files ldap

##############################################################
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth required           pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_authtok_get.so.1
rsh     auth required           pam_dhkeys.so.1
rsh     auth sufficient         pam_unix_auth.so.1
rsh     auth required           pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth required           pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1  try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password
management
#
other   password required       pam_dhkeys.so.1
other   password required       pam_authtok_get.so.1
other   password required       pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
other   password required       pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass
##############################################################

Then I tryed to use the system. When I start the slapd, I had the following
messages:

# /usr/local/libexec/slapd -h "ldap:/// ldaps:///"
#
# tail /var/adm/messages
Jan 13 09:41:08 server slapd[1195]: [ID 702911 auth.error] unable to dlopen
/usr/lib/sasl2/libsasldb.so.2: ld.so.1: /usr/local/libexec/slapd: fatal:
libdb-4.1.so: open failed: No such file or directory
#
# ps -ef | grep ldap
    root  1196     1  0 09:41:09 ?        0:00 /usr/local/libexec/slapd -h
ldap:/// ldaps:///
    root  1198  1166  0 09:42:00 pts/2    0:00 grep ldap

Well, the program is running, but probably there are one problem here. I
was recompiled it with another options, but the problems are persisting.
Ignoring the error, I had continued:

# /etc/init.d/nscd start
# /etc/init.d/ldap.client start
# tail -f /var/adm/messages
Jan 13 10:26:09 server ldap_cachemgr[1355]: [ID 293258 daemon.error]
libsldap: Status: 49  Mesg: openConnection: simple bind failed - Invalid
credentials
Jan 13 10:26:09 server last message repeated 3 times
Jan 13 10:26:09 server ldap_cachemgr[1355]: [ID 293258 daemon.error]
libsldap: Status: 7  Mesg: Session error no available conn.
Jan 13 10:26:09 server ldap_cachemgr[1355]: [ID 186574 daemon.error] Error:
Unable to refresh profile:profile-server: Session error no available conn.

Well, in spite of these errors, I can to add, consult and modify objects of
the LDAP base (ldapadd, ldapmodify, ldapsearch of  the OpenLDAP package).
But when I try to authenticate anyone I can´t:

# id
uid=0(root) gid=1(other)
#
# su - ldapuser
su: Unknown id: ldapuser
#
# tail /var/adm/messages
Jan 13 10:33:24 server nscd[1352]: [ID 293258 user.error] libsldap: Status:
49  Mesg: openConnection: simple bind failed - Invalid credentials
Jan 13 10:33:24 server last message repeated 3 times
Jan 13 10:33:24 server nscd[1352]: [ID 293258 user.error] libsldap: Status:
7  Mesg: Session error no available conn.

I´m really despaired. :-(
Can anyone help me? I was read the list archives, Internet material (SUN
Docs, one page of Greg Matthews, another of Jehan Procaccia, google
references) and OpenLDAP Docs, but the problem persists yet. :-(
Thanks in advance