Problems to authenticate Solaris 9 in OpenLDAP
Hello
I'm trying to authenticate a Solaris 9 client against an OpenLDAP server
running on the same machine, and I'm having trouble. 'slapd' and
'ldapclient' are running, but I can't use the OpenLDAP base. I'd really
appreciate any help.
The program versions are:
gcc version 3.3.2
openldap-2.1.25
openssl-0.9.7c
db-4.1.25
cyrus-sasl-2.1.17
I installed DB with these options:
../dist/configure --prefix=/usr/local --enable-shared
Cyrus-SASL:
./configure --with-bdb-libdir=/usr/local/lib --with-bdb-incdir=/usr/local/include --disable-krb4 --disable-gssapi
Then I applied the suggested Solaris patch to 'result.c' and compiled it
with these options:
CC=gcc
LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/lib:/usr/local/lib/sasl2
LD_FLAGS=-L/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/ssl/lib:/usr/local/lib
./configure --with-cyrus-sasl --with-tls --enable-wrappers --enable-crypt --enable-bdb --enable-slapd --enable-syslog --enable-ipv6=no
I configured my LDAP base with one Solaris profile:
dn: dc=my,dc=domain
objectClass: top
objectClass: organization
objectClass: dcObject
objectClass: nisDomainObject
dc: my
o: my
description: Root
nisdomain: my.domain

dn: cn=admin,dc=my,dc=domain
objectClass: organizationalRole
cn: admin
description: LDAP Admin

dn: ou=Profile,dc=pucrs,dc=br
objectClass: top
objectClass: organizationalUnit
ou: Profile
description: Profiles

dn: ou=People,dc=my,dc=domain
objectClass: top
objectClass: organizationalUnit
ou: People
description: Everyone

dn: cn=proxyagent,ou=Profile,dc=my,dc=domain
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {MD5}FAFSadsfdasfdsa==

dn: cn=profile-server,ou=profile,dc=my,dc=domain
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: server.my.domain
defaultSearchBase: dc=my,dc=domain
authenticationMethod: tls:simple
cn: profile-server
credentialLevel: proxy

dn: uid=ldapuser,ou=People,dc=my,dc=domain
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ldapuser
cn: ldapuser
sn: User
cn: LDAP
cn: LDAP User
uidNumber: 100
gidNumber: 4
homeDirectory: /home/adm/ldapuser
userPassword: {MD5}DFASd87906gfuias==
loginShell: /bin/bash
Then I used the system's 'ldapclient':
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=my,dc=domain
NS_LDAP_BINDPASSWD= {NS1}kjdçlakldaljkçfdlskakldfslkhjhgghklskçakljfdajfdsa
NS_LDAP_SERVERS= 10.10.200.4:389
NS_LDAP_SEARCH_BASEDN= dc=my,dc=domain
NS_LDAP_AUTH= simple
NS_LDAP_SERVER_PREF= auth
NS_LDAP_PROFILE= profile-server
NS_LDAP_CREDENTIAL_LEVEL= proxy
I also modified /etc/nsswitch and /etc/pam.conf:
##############################################################
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and
# /etc/group.
passwd: files ldap [TRYAGAIN=5]
group: files ldap [TRYAGAIN=5]
# consult /etc "files" only if ldap is down.
hosts: files dns
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: ldap [NOTFOUND=return] files
networks: files ldap dns
protocols: ldap files
rpc: ldap files
ethers: ldap files
netmasks: ldap files
bootparams: ldap files
publickey: ldap files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
sendmailvars: files
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
##############################################################
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth required pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth required pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_authtok_get.so.1
rsh auth required pam_dhkeys.so.1
rsh auth sufficient pam_unix_auth.so.1
rsh auth required pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth required pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth required pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1 try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password
# management
#
other password required pam_dhkeys.so.1
other password required pam_authtok_get.so.1
other password required pam_authtok_check.so.1
other password sufficient pam_authtok_store.so.1
other password required pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
##############################################################
Then I tried to use the system. When I started slapd, I got the following
messages:
# /usr/local/libexec/slapd -h "ldap:/// ldaps:///"
#
# tail /var/adm/messages
Jan 13 09:41:08 server slapd[1195]: [ID 702911 auth.error] unable to dlopen
/usr/lib/sasl2/libsasldb.so.2: ld.so.1: /usr/local/libexec/slapd: fatal:
libdb-4.1.so: open failed: No such file or directory
#
# ps -ef | grep ldap
root 1196 1 0 09:41:09 ? 0:00 /usr/local/libexec/slapd -h
ldap:/// ldaps:///
root 1198 1166 0 09:42:00 pts/2 0:00 grep ldap
Well, the program is running, but there is probably a problem here. I
recompiled it with other options, but the problems persist.
Ignoring the error, I continued:
# /etc/init.d/nscd start
# /etc/init.d/ldap.client start
# tail -f /var/adm/messages
Jan 13 10:26:09 server ldap_cachemgr[1355]: [ID 293258 daemon.error]
libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid
credentials
Jan 13 10:26:09 server last message repeated 3 times
Jan 13 10:26:09 server ldap_cachemgr[1355]: [ID 293258 daemon.error]
libsldap: Status: 7 Mesg: Session error no available conn.
Jan 13 10:26:09 server ldap_cachemgr[1355]: [ID 186574 daemon.error] Error:
Unable to refresh profile:profile-server: Session error no available conn.
Well, in spite of these errors, I can add, query and modify objects in
the LDAP base (with ldapadd, ldapmodify and ldapsearch from the OpenLDAP package).
But when I try to authenticate anyone, I can't:
# id
uid=0(root) gid=1(other)
#
# su - ldapuser
su: Unknown id: ldapuser
#
# tail /var/adm/messages
Jan 13 10:33:24 server nscd[1352]: [ID 293258 user.error] libsldap: Status:
49 Mesg: openConnection: simple bind failed - Invalid credentials
Jan 13 10:33:24 server last message repeated 3 times
Jan 13 10:33:24 server nscd[1352]: [ID 293258 user.error] libsldap: Status:
7 Mesg: Session error no available conn.
I'm really desperate. :-(
Can anyone help me? I have read the list archives, Internet material (Sun
docs, a page by Greg Matthews, another by Jehan Procaccia, Google
references) and the OpenLDAP docs, but the problem still persists. :-(
Thanks in advance
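As an added example that is not part of the original post, nor code from OpenLDAP or Sun, here is a small offline Python check of the LDIF and `ldapclient list` output quoted above. The function names are my own and the sample texts are abridged from the post (the password value is the post's own placeholder); nothing contacts a server. It checks three things worth verifying before chasing a bind error: that every entry sits under the search base and has a parent entry in the same file (slapd refuses an add whose parent entry does not exist), that the cached NS_LDAP_BINDDN names an entry at all, and that the DUAConfigProfile named by NS_LDAP_PROFILE agrees with what the client cached. On the post's own data it reports that the ou=Profile entry is under dc=pucrs,dc=br rather than dc=my,dc=domain, so the two entries beneath ou=Profile,dc=my,dc=domain have no parent in the file, and that the profile's authenticationMethod (tls:simple) differs from the cached NS_LDAP_AUTH (simple).

```python
# Added example, not code from the original post, OpenLDAP or Sun.
# Offline sanity check of the LDIF and `ldapclient list` output quoted in
# the post: entries under the search base with an existing parent, a bind
# DN that names an entry, and a DUA profile that matches the client cache.
# Samples are abridged from the post; the password is the post's placeholder.

LDIF_FROM_POST = """\
dn: dc=my,dc=domain
objectClass: dcObject

dn: ou=Profile,dc=pucrs,dc=br
objectClass: organizationalUnit

dn: ou=People,dc=my,dc=domain
objectClass: organizationalUnit

dn: cn=proxyagent,ou=Profile,dc=my,dc=domain
objectClass: person
userPassword: {MD5}FAFSadsfdasfdsa==

dn: cn=profile-server,ou=profile,dc=my,dc=domain
ObjectClass: DUAConfigProfile
defaultSearchBase: dc=my,dc=domain
authenticationMethod: tls:simple
cn: profile-server
credentialLevel: proxy

dn: uid=ldapuser,ou=People,dc=my,dc=domain
objectClass: posixAccount
"""

LDAPCLIENT_LIST_FROM_POST = """\
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=my,dc=domain
NS_LDAP_SEARCH_BASEDN= dc=my,dc=domain
NS_LDAP_AUTH= simple
NS_LDAP_PROFILE= profile-server
NS_LDAP_CREDENTIAL_LEVEL= proxy
"""


def normalize_dn(dn):
    """DNs compare case-insensitively, ignoring blanks around commas
    (escaped commas inside an RDN are not handled; none occur here)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: an entry ends at a blank line or at the next
    'dn:' line, so the post's unseparated paste parses too. Returns
    {normalized dn: {lower-cased attribute: [values]}} in file order.
    Base64 (::) values and continuation lines are not handled."""
    entries, current = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if current and (not line or attr == "dn"):
            entries[normalize_dn(current["dn"][0])] = current
            current = {}
        if line and not line.startswith("#"):
            current.setdefault(attr, []).append(value.strip())
    if current:
        entries[normalize_dn(current["dn"][0])] = current
    return entries


def parse_ldapclient_list(text):
    """'KEY= value' lines as printed by `ldapclient list`."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, _, value in pairs}


def check_tree(entries, suffix):
    """Entries outside the search base, or whose parent entry is missing."""
    suffix = normalize_dn(suffix)
    problems = []
    for dn in entries:
        if dn == suffix:
            continue                      # the suffix entry has no parent
        parent = dn.partition(",")[2]     # drop the first RDN
        if not dn.endswith("," + suffix):
            problems.append(f"{dn}: not under search base {suffix}")
        elif parent not in entries:
            problems.append(f"{dn}: parent {parent} has no entry")
    return problems


def check_profile(entries, settings):
    """(attribute, profile value, cached value) for each setting where the
    DUAConfigProfile named by NS_LDAP_PROFILE disagrees with the client."""
    compare = (("authenticationmethod", "NS_LDAP_AUTH"),
               ("credentiallevel", "NS_LDAP_CREDENTIAL_LEVEL"),
               ("defaultsearchbase", "NS_LDAP_SEARCH_BASEDN"))
    name = settings.get("NS_LDAP_PROFILE", "")
    profile = next((e for e in entries.values()
                    if "duaconfigprofile" in map(str.lower, e.get("objectclass", []))
                    and name in e.get("cn", [])), None)
    if profile is None:
        return [("cn", name, "no DUAConfigProfile entry with this cn")]
    return [(attr, profile[attr][0], settings[key]) for attr, key in compare
            if attr in profile and key in settings
            and normalize_dn(profile[attr][0]) != normalize_dn(settings[key])]


if __name__ == "__main__":
    entries = parse_ldif(LDIF_FROM_POST)
    settings = parse_ldapclient_list(LDAPCLIENT_LIST_FROM_POST)
    for problem in check_tree(entries, settings["NS_LDAP_SEARCH_BASEDN"]):
        print("tree:", problem)
    print("bind DN has an entry:", normalize_dn(settings["NS_LDAP_BINDDN"]) in entries)
    for attr, in_profile, cached in check_profile(entries, settings):
        print(f"profile says {attr}={in_profile!r}, client cached {cached!r}")
```

To run it against a real directory instead of the pasted text, feed it the output of `ldapsearch -x -b <base>` for the LDIF and of `ldapclient list` for the cache; the same comparisons apply, and a missing-parent report explains an `ldapadd` failure before the proxy bind is ever attempted.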