Configure native ldap client on Solaris 10

Hi guys. First, sorry for my English; I tried to write it in the best form but I'm sure I didn't manage it.
I'm trying to configure the native ldap client on Solaris 10 but it doesn't work yet. Maybe the problem is in the pam.conf or something like that.

This is the line I applied to configure the ldapclient:

ldapclient -vv manual -a credentialLevel=proxy -a  domainName=domine.com.ar -a  proxyDN="cn=sultano,ou=userspecial,ou=user,o=sultano" -a  proxyPassword='passwd' -a authenticationMethod=simple -a  defaultSearchBase=ou=userspecial,ou=user,o=sultano 10.10.10.10:389

When I check the configuration I see this:

 -bash-3.2# ldapclient list
Unable to set locale.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=sultano,ou=userspecial,ou=user,o=sultano
NS_LDAP_BINDPASSWD= {NS1}f170edf81e61e0678pb320e1
NS_LDAP_SERVERS= 10.10.10.10:389
NS_LDAP_SEARCH_BASEDN= ou=userspecial,ou=user,o=sultano
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
-bash-3.2#
-bash-3.2# svcs -a | grep ldap
online         17:45:11 svc:/network/ldap/client:default
-bash-3.2#

Maybe the connection to the ldap server works fine:

-bash-3.2# ldaplist
dn: cn=sultano,ou=userspecial,ou=user,o=sultano
-bash-3.2# 

This is my pam.conf and my nsswitch.conf:

/etc/pam.conf

#
# MODIFICADO LDAP
#
# Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth sufficient           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_dial_auth.so.1
other   auth required           pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient      pam_ldap.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite      pam_authtok_check.so.1 force_check
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

/etc/nsswitch.conf

#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap      1.10    06/05/03 SMI"

#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap
group:      files ldap

# consult /etc "files" only if ldap is down.
#hosts:      ldap [NOTFOUND=return] files # Commented out by DHCP
hosts: ldap dns [NOTFOUND=return] files # Added by DHCP

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
#ipnodes:    ldap [NOTFOUND=return] files # Commented out by DHCP
ipnodes: ldap dns [NOTFOUND=return] files # Added by DHCP

networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
netmasks:   ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey:  ldap [NOTFOUND=return] files

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap

printers:   user files ldap

auth_attr:  files ldap
prof_attr:  files ldap

project:    files ldap

tnrhtp:     files ldap
tnrhdb:     files ldap

I have no experience administering Solaris and although I have read many guides and documentation to configure the ldap client, it does not work yet. Surely I'm doing something wrong in setting it up.

I would greatly appreciate your help or any comments to solve it.

Thanks

You do not show any evidence the ldap client doesn't work.

@jlliagre, you're right. When I try to connect with some user via ssh I see this in the log:

May 28 12:18:54 solaris-ldap sshd[673]: [ID 800047 auth.notice] Failed none for ldapuser from 10.245.85.199 port 49557 ssh2
May 28 12:19:01 solaris-ldap sshd[673]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[4] while authenticating: Error de sistema
May 28 12:19:01 solaris-ldap sshd[673]: [ID 800047 auth.notice] Failed keyboard-interactive for ldapuser from 10.245.85.199 port 49557 ssh2
May 28 12:19:26 solaris-ldap sshd[673]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[4] while authenticating: Error de sistema
May 28 12:19:26 solaris-ldap sshd[673]: [ID 800047 auth.notice] Failed keyboard-interactive for ldapuser from 10.245.85.199 port 49557 ssh2

If I try to connect with the same user, using the password in /etc/passwd, the user connects correctly. Have you any idea what I'm doing wrong?

Thanks,

Can you post the directory server log file entries when an authentication is attempted?


I don't see your LDAP server stuff. Did you create a profile.ldif file? You need to add some extra schema files to your LDAP server.


Thanks @jlliagre and @bitlord and sorry for the delay.

First, I have no access to the ldap server so I cannot check those logs.
I checked the feedback, looked back on this and then performed many tests with what I found. One option finally worked; the problem was the configuration of ldapclient.
I know nothing about how ldap works, but when I ran it with these parameters I was able to connect properly.

ldapclient -vvv manual \
-a credentialLevel=proxy \
-a domainName=domine.com.ar \
-a proxyDN="cn=sultano,ou=userspecial,ou=user,o=sultano" \
-a proxyPassword='paswd' \
-a authenticationMethod=simple \
-a "serviceSearchDescriptor=passwd:ou=iduser,,ou=user,o=sultano?sub?(cn=*)" \
-a "serviceSearchDescriptor=shadow:ou=iduser,,ou=user,o=sultano?sub?(cn=*)" \
-a defaultSearchBase=ou=iduser,,ou=user,o=sultano 10.10.10.10:389

Again, please tell us which LDAP server you are using. Solaris doesn't play well with LDAP. Setting up an LDAP client on a Linux distro is about 100 times easier.

This is the ldapclient command I used to connect to an OpenLDAP server running on Red Hat.
Here's an example of an ldapclient invocation that works for me:

ldapclient manual \
 -a authenticationMethod="pam_ldap:simple" \
 -a credentialLevel="proxy" \
 -a defaultSearchBase="dc=example,dc=org" \
 -a defaultSearchScope="sub" \
 -a defaultServerList="ldap1.example.org,ldap2.example.org" \
 -a domainName="example.org" \
 -a preferredServerList="ldap1.example.org,ldap2.example.org" \
 -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
 -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
 -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
 -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
 -a proxyPassword="foobar"

This gave me a very basic setup. No automount and no TLS security. So this should work on an OpenLDAP server, but if you are connecting to Active Directory then you will need to add Kerberos.

The ldapclient command is as follows.
/usr/sbin/ldapclient [v|g] [list|manual|mod|init|uninit|genprofile]

As you can see there are a lot of sub-commands for the ldapclient command. You will want to use the manual sub-command to test the basic profile setup. Then you will want to use the mod sub-command to add additional options/features to your profile. The list sub-command will show you what your setup currently is. You need to take notes of the sub-commands you used up to this point.
After you get the ldap client working, you need to run the genprofile command with all the options you ran to get it working up to this point. The genprofile sub-command creates an ldif file. The ldif file is used to add items to the LDAP directory. After this is done all the new Solaris 10 clients can use the init sub-command to connect to the LDAP server.
Example:

ldapclient init <ip of LDAP server>

You also need to add the schema to the LDAP server to get the NIS objects to work. I used solaris.schema and DUAConfigProfile.schema to get my Solaris 10 servers to work with the Solaris native client. I have attached these files to the post. Before you use them remove the .txt extension.

I hope this helps
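The two ldapclient configurations in this thread share the same weak spots: a simple bind on port 389 with no TLS (bitlord's "no TLS security" caveat), a proxy credential sent over that bind, and, in sultano's first attempt, no serviceSearchDescriptor for passwd. The script below is an added example, not code from the thread or from Solaris: it audits the text printed by `ldapclient list` for exactly those three conditions. The two samples are constructed from the thread's output; the "hardened" one assumes tls:simple and an ldaps listener on 636, which are assumptions, not something the thread shows.

```shell
#!/bin/sh
# Added example, not from the thread: audit "ldapclient list" output for
# (1) a bind that is not protected in transit (NS_LDAP_AUTH),
# (2) a proxy credential sent over such a bind (NS_LDAP_CREDENTIAL_LEVEL),
# (3) a missing serviceSearchDescriptor for passwd (the thread's original bug).
# Both samples below are constructed; the hardened values are assumptions.

# Sample 1: constructed copy of the first "ldapclient list" in the thread.
SAMPLE_ORIGINAL='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=sultano,ou=userspecial,ou=user,o=sultano
NS_LDAP_BINDPASSWD= {NS1}f170edf81e61e0678pb320e1
NS_LDAP_SERVERS= 10.10.10.10:389
NS_LDAP_SEARCH_BASEDN= ou=userspecial,ou=user,o=sultano
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy'

# Sample 2: constructed hardened variant (tls:simple, ldaps on 636, passwd/shadow SSDs).
SAMPLE_HARDENED='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=sultano,ou=userspecial,ou=user,o=sultano
NS_LDAP_BINDPASSWD= {NS1}f170edf81e61e0678pb320e1
NS_LDAP_SERVERS= 10.10.10.10:636
NS_LDAP_SEARCH_BASEDN= ou=iduser,ou=user,o=sultano
NS_LDAP_AUTH= tls:simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=iduser,ou=user,o=sultano?sub?(cn=*)
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=iduser,ou=user,o=sultano?sub?(cn=*)'

# ldapclient_get TEXT KEY: print every value of KEY from "ldapclient list" text.
# Keys are separated from values by "= ", so split on exactly that.
ldapclient_get() {
    printf '%s\n' "$1" | awk -v key="$2" -F'= ' '$1 == key { print $2 }'
}

# audit_ldapclient TEXT: print one line per finding. Always returns 0 so it
# can sit in a pipeline; use audit_ldapclient_count for a number.
audit_ldapclient() {
    auth=$(ldapclient_get "$1" NS_LDAP_AUTH)
    level=$(ldapclient_get "$1" NS_LDAP_CREDENTIAL_LEVEL)
    ssds=$(ldapclient_get "$1" NS_LDAP_SERVICE_SEARCH_DESC)

    protected=no
    case "$auth" in
        tls:*|sasl/GSSAPI) protected=yes ;;   # bind is protected in transit
        *) echo "WEAK: NS_LDAP_AUTH='$auth' binds without TLS; passwords cross the wire in the clear (use tls:simple or sasl/GSSAPI)" ;;
    esac

    # The proxy password is kept obfuscated ({NS1}), not strongly encrypted,
    # under /var/ldap; over an unprotected bind the same secret is also sniffable.
    if [ "$level" = proxy ] && [ "$protected" = no ]; then
        echo "WEAK: credentialLevel=proxy with an unprotected bind exposes the proxyDN password on the network"
    fi

    # Without a passwd SSD the client only searches defaultSearchBase, which is
    # what sultano's first configuration got wrong.
    if ! printf '%s\n' "$ssds" | grep -q '^passwd:'; then
        echo "MISSING: no serviceSearchDescriptor for passwd; name-service lookups will not find users"
    fi
    return 0
}

# audit_ldapclient_count TEXT: number of findings (0 means clean).
audit_ldapclient_count() {
    audit_ldapclient "$1" | awk 'END { print NR }'
}

# Stand-alone run. On a real Solaris 10 host use:
#   audit_ldapclient "$(ldapclient list 2>/dev/null)"
echo "original: $(audit_ldapclient_count "$SAMPLE_ORIGINAL") finding(s)"
audit_ldapclient "$SAMPLE_ORIGINAL"
echo "hardened: $(audit_ldapclient_count "$SAMPLE_HARDENED") finding(s)"
```

The audit deliberately treats `sasl/DIGEST-MD5` and `sasl/CRAM-MD5` as unprotected too: they keep the password itself off the wire but not the directory data, and Solaris can wrap either in `tls:`. Run it against the real `ldapclient list` output before and after `ldapclient mod -a authenticationMethod=tls:simple ...` to confirm the change took.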

@sultano It is unclear if you managed to fix the issue or not.

In any case, your /etc/nsswitch.conf is configured to request every table to the ldap server while the latter looks to only serve the passwd database.

If that is correct, you might want to remove every occurrence of "ldap [NOTFOUND=return]" that appears in that file and replace every occurrence of "files ldap" by "files" only, except the line:

passwd: files ldap

which should be kept as is.
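jlliagre's advice above, as an added example that is not part of the thread: a transform over nsswitch.conf that keeps "files ldap" for passwd and, for every other database, drops the "ldap" source together with the "[NOTFOUND=return]" status that followed it. It generalizes slightly beyond the two literal substitutions he lists so that it also covers the DHCP-edited "hosts: ldap dns [NOTFOUND=return] files" lines and the bare "netgroup: ldap" line (which is left with no source and falls back to "files"). The sample file is a constructed excerpt modelled on the posted nsswitch.conf.

```shell
#!/bin/sh
# Added example, not from the thread: apply jlliagre's nsswitch.conf advice.
# For every database except passwd, drop the "ldap" source and any
# "[NOTFOUND=return]" status; a database left with no source gets "files".
# Comments (including trailing "# Added by DHCP" remarks) are kept verbatim.

# sample_nsswitch: constructed excerpt modelled on the nsswitch.conf in the thread.
sample_nsswitch() {
cat <<'EOF'
# constructed excerpt of /etc/nsswitch.conf
passwd:     files ldap
group:      files ldap
#hosts:      ldap [NOTFOUND=return] files # Commented out by DHCP
hosts: ldap dns [NOTFOUND=return] files # Added by DHCP
ipnodes: ldap dns [NOTFOUND=return] files # Added by DHCP
networks:   ldap [NOTFOUND=return] files
netgroup:   ldap
automount:  files ldap
services:   files ldap
printers:   user files ldap
EOF
}

# restrict_nsswitch_to_passwd: stdin -> stdout, rewritten as described above.
restrict_nsswitch_to_passwd() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }        # comments and blank lines untouched
    {
        db = $1; sub(/:$/, "", db)
        if (db == "passwd") { print; next }           # the one database the directory serves
        srcs = ""; cmt = ""
        for (i = 2; i <= NF; i++) {
            if (cmt != "" || $i ~ /^#/) { cmt = cmt " " $i; continue }   # trailing comment
            if ($i == "ldap" || $i == "[NOTFOUND=return]") continue      # drop LDAP lookups
            srcs = srcs " " $i
        }
        if (srcs == "") srcs = " files"                # e.g. "netgroup: ldap" -> "netgroup: files"
        print $1 srcs cmt
    }'
}

# nss_sources DB: stdin -> the source list configured for DB, comments stripped.
nss_sources() {
    awk -v db="$1:" '
    $1 == db {
        s = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break
            s = s (s == "" ? "" : " ") $i
        }
        print s
    }'
}

# Stand-alone run. On a real host:
#   restrict_nsswitch_to_passwd < /etc/nsswitch.conf > /tmp/nsswitch.conf.new
# then diff it against the original and copy it into place only after review.
sample_nsswitch | restrict_nsswitch_to_passwd
```

Keep a backup of the original before copying the rewritten file into place; a mistake in nsswitch.conf takes name resolution down for every service on the host, and the ldap client service stays online regardless, so the breakage is not obvious from `svcs`.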