Sol10 - OpenLDAP Auth

Hi,

I'm new to Solaris (10) and need some help please.

Situation: Currently there is a Linux (SLES11) OpenLDAP server, and authentication of Linux machines works pretty sweet. Now I want to put the SOL10 (Sparc) boxes in....

Problem: User authentication via OpenLDAP on Sol10 doesn't work at the moment (the SSH login prompt appears, but when I enter the password: "Access denied").

Works (on the Sol10 LDAP client):

  • getent passwd (lists all local and LDAP users)
  • ldaplist -vl (shows the ou entries)
  • su - ldapuser (user exists only in LDAP! works great...)
  • ldapsearch etc. (all fine)

Configuration:

  • Native client on Sol10:

    ldapclient -v manual \
      -a defaultServerList=10.16.0.37 \
      -a domainname=example.de \
      -a defaultSearchBase=dc=example,dc=de \
      -a serviceSearchDescriptor=group:dc=example,dc=de?sub \
      -a serviceSearchDescriptor=passwd:dc=example,dc=de?sub \
      -a serviceSearchDescriptor=shadow:dc=example,dc=de \
      -a enableShadowUpdate=TRUE \
      -a adminDN=cn=manager,dc=example,dc=de \
      -a attributeMap=group:memberuid=memberUid \
      -a attributeMap=group:gidnumber=gidNumber \
      -a adminPassword=blaselfasel \
      -a attributeMap=passwd:gidnumber=gidNumber \
      -a attributeMap=passwd:uidnumber=uidNumber \
      -a attributeMap=passwd:loginshell=loginShell \
      -a attributeMap=shadow:shadowflag=shadowFlag \
      -a attributeMap=shadow:userpassword=userPassword

  • pam.conf on Sol10:

    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1

    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1

    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    other session required pam_unix_session.so.1

    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1 force_check
    other password required pam_authtok_store.so.1

Log file (Linux OpenLDAP server):

slapd[15449]: conn=1461 op=10 SRCH base="dc=example,dc=de" scope=2 deref=3 filter="(&(objectClass=posixAccount)(uid=ldapuser))"
slapd[15449]: conn=1461 op=10 SRCH attr=cn uid uidNumber gidNumber gecos description homedirectory loginShell
slapd[15449]: conn=1461 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[15449]: conn=1473 fd=28 ACCEPT from IP=10.16.0.70:33030 (IP=0.0.0.0:389)
slapd[15449]: conn=1473 op=0 BIND dn="" method=128
slapd[15449]: conn=1473 op=0 RESULT tag=97 err=0 text=
slapd[15449]: conn=1473 op=1 SRCH base="dc=example,dc=de" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=ldapuser))"
slapd[15449]: conn=1473 op=1 SRCH attr=uid userPassword shadowlastchange shadowmin shadowmax shadowwarning shadowinactive shadowexpire shadowFlag
slapd[15449]: conn=1473 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[15449]: conn=1473 op=2 UNBIND
slapd[15449]: conn=1473 fd=28 closed
slapd[15449]: conn=1461 op=11 SRCH base="dc=example,dc=de" scope=2 deref=3 filter="(&(objectClass=posixAccount)(uid=ldapuser))"
slapd[15449]: conn=1461 op=11 SRCH attr=cn uid uidNumber gidNumber gecos description homedirectory loginShell
slapd[15449]: conn=1461 op=11 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[15449]: conn=1474 fd=28 ACCEPT from IP=10.16.0.70:33031 (IP=0.0.0.0:389)
slapd[15449]: conn=1474 op=0 BIND dn="" method=128
slapd[15449]: conn=1474 op=0 RESULT tag=97 err=0 text=
slapd[15449]: conn=1474 op=1 SRCH base="dc=example,dc=de" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=ldapuser))"
slapd[15449]: conn=1474 op=1 SRCH attr=uid userPassword shadowlastchange shadowmin shadowmax shadowwarning shadowinactive shadowexpire shadowFlag
slapd[15449]: conn=1474 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[15449]: conn=1474 op=2 UNBIND
slapd[15449]: conn=1474 fd=28 closed
slapd[15449]: conn=1461 op=12 SRCH base="dc=example,dc=de" scope=2 deref=3 filter="(&(objectClass=posixAccount)(uid=ldapuser))"
slapd[15449]: conn=1461 op=12 SRCH attr=cn uid uidNumber gidNumber gecos description homedirectory loginShell
slapd[15449]: conn=1461 op=12 SEARCH RESULT tag=101 err=0 nentries=1 text=

Entry on the LDAP server (Linux):

uid: ldapuser
cn: ldapuser GB
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}GHGf1nI9tpFRE
uidNumber: 5000
gidNumber: 1
loginShell: /usr/bin/bash
homeDirectory: /export/home/ldapuser

slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/ldapns.schema
include /etc/openldap/schema/autofs.schema
include /etc/openldap/schema/solaris.schema
include /etc/openldap/schema/duaconf.schema

--------------------------------------------
Any ideas? :frowning:
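Two details in the post above are worth checking mechanically before touching pam.conf: in the slapd log the posixAccount lookup runs with scope=2 and finds one entry, while the shadowAccount lookup (the one that asks for userPassword) runs with scope=1 over an anonymous bind (dn="") and finds nothing; in the ldapclient command the shadow descriptor is the only one without a ?sub suffix. The Python script below is an added example, not code from the thread, from Solaris or from OpenLDAP. It correlates slapd SRCH, attr and SEARCH RESULT lines by conn/op, records the bind DN per connection, and cross-checks the serviceSearchDescriptor arguments, so the same mismatch can be spotted in other logs. It assumes, as the log here confirms, that a descriptor without a ?scope suffix falls back to the client profile's defaultSearchScope of one-level; the sample log lines and arguments are constructed excerpts of the ones quoted in the post. Whether an anonymous read of userPassword is permitted depends on the server's ACLs, which the post does not show, so that finding is reported as something to check rather than as an error.

```python
import re

# Constructed sample: an excerpt of the slapd log lines quoted in the post.
SAMPLE_LOG = """\
slapd[15449]: conn=1461 op=10 SRCH base="dc=example,dc=de" scope=2 deref=3 filter="(&(objectClass=posixAccount)(uid=ldapuser))"
slapd[15449]: conn=1461 op=10 SRCH attr=cn uid uidNumber gidNumber gecos description homedirectory loginShell
slapd[15449]: conn=1461 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[15449]: conn=1473 op=0 BIND dn="" method=128
slapd[15449]: conn=1473 op=0 RESULT tag=97 err=0 text=
slapd[15449]: conn=1473 op=1 SRCH base="dc=example,dc=de" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=ldapuser))"
slapd[15449]: conn=1473 op=1 SRCH attr=uid userPassword shadowlastchange shadowmin shadowmax shadowwarning shadowinactive shadowexpire shadowFlag
slapd[15449]: conn=1473 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# Constructed sample: the serviceSearchDescriptor arguments of the ldapclient command in the post.
SAMPLE_LDAPCLIENT_ARGS = """\
-a serviceSearchDescriptor=group:dc=example,dc=de?sub
-a serviceSearchDescriptor=passwd:dc=example,dc=de?sub
-a serviceSearchDescriptor=shadow:dc=example,dc=de
"""

SCOPE_NAMES = {0: "base", 1: "one", 2: "sub"}
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d+ filter="([^"]*)"')
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=\d+')


def parse_searches(log_text):
    """Correlate each SRCH with its attr list, its SEARCH RESULT and the bind DN of its connection.

    Returns a list of dicts in log order. bind_dn is "" for an anonymous bind and None when
    no BIND for that connection appears in the excerpt."""
    bind_dn = {}
    searches = {}
    order = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            bind_dn[int(m.group(1))] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op = int(m.group(1)), int(m.group(2))
            searches[(conn, op)] = {"conn": conn, "op": op, "base": m.group(3),
                                    "scope": int(m.group(4)), "filter": m.group(5), "attrs": [],
                                    "err": None, "nentries": None, "bind_dn": bind_dn.get(conn)}
            order.append((conn, op))
            continue
        m = ATTR_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) in searches:
            searches[(int(m.group(1)), int(m.group(2)))]["attrs"] = m.group(3).split()
            continue
        m = RESULT_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) in searches:
            rec = searches[(int(m.group(1)), int(m.group(2)))]
            rec["err"], rec["nentries"] = int(m.group(3)), int(m.group(4))
    return [searches[k] for k in order]


def empty_narrow_searches(searches):
    """Successful searches (err=0) that matched nothing while using a narrower-than-subtree scope.
    A one-level search from the suffix cannot see entries inside a container such as ou=People."""
    return [s for s in searches if s["err"] == 0 and s["nentries"] == 0 and s["scope"] < 2]


def anonymous_password_reads(searches):
    """Searches requesting userPassword on a connection whose last BIND was anonymous (dn="")."""
    return [s for s in searches if s["bind_dn"] == "" and "userPassword" in s["attrs"]]


SSD_RE = re.compile(r'serviceSearchDescriptor=(\w+):([^?\s]+)(?:\?(base|one|sub))?')


def parse_ssds(ldapclient_args, default_scope="one"):
    """Map service -> (base, scope) from the -a serviceSearchDescriptor=... arguments.
    Assumption (consistent with the scope=1 in the post's log): a descriptor without a ?scope
    suffix inherits the profile's defaultSearchScope, which is one-level unless changed."""
    return {svc: (base, scope or default_scope) for svc, base, scope in SSD_RE.findall(ldapclient_args)}


def services_not_subtree(ssds):
    """Services whose descriptor will not descend below the stated base."""
    return sorted(svc for svc, (_, scope) in ssds.items() if scope != "sub")


def report(log_text, ldapclient_args):
    """Findings as plain text lines, one per observation."""
    out = []
    searches = parse_searches(log_text)
    for s in empty_narrow_searches(searches):
        out.append("conn=%d op=%d: %s with scope=%s under %s returned 0 entries"
                   % (s["conn"], s["op"], s["filter"], SCOPE_NAMES[s["scope"]], s["base"]))
    for s in anonymous_password_reads(searches):
        out.append("conn=%d op=%d: userPassword requested over an anonymous bind (check server ACLs)"
                   % (s["conn"], s["op"]))
    for svc in services_not_subtree(parse_ssds(ldapclient_args)):
        out.append("serviceSearchDescriptor for '%s' has no ?sub suffix; its searches stay one-level" % svc)
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, SAMPLE_LDAPCLIENT_ARGS):
        print(line)
```

Run it against a full slapd log (loglevel stats) and the output of ldapclient list instead of the embedded samples; the regexes only depend on the conn/op fields that slapd prints at that log level.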

Not sure it will fix the issue but your ldapuser entry is missing a gecos field.

Hey, thx for the answer. The gecos field (value=ldapuser GB) is still there, and entries for shadowLastChange, shadowMax, shadowWarning and sn, too :wink: I didn't post them. Sorry, my fault.

---------- Post updated at 01:24 AM ---------- Previous update was at 01:12 AM ----------

Okay, is maybe the value for the shadow password missing ({CRYPT} blablabla)? If I do ldaplist -l passwd ldapuser on the Sol10 client:

Sol10Serv:> ldaplist -l passwd ldapuser
dn: uid=ldapuser,ou=People,dc=example,dc=de
uid: ldapuser
cn: ldapuser GB
givenName: ldap user
sn: GB
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15622
shadowMax: 168
shadowWarning: 7
loginshell: /usr/bin/bash
gidnumber: 1
gecos: ldapuser GB
homeDirectory: /export/home/ldapuser
uidnumber: 5000

---------- Post updated at 09:55 AM ---------- Previous update was at 01:24 AM ----------

DAMN!!

I got some new grey hairs now... not funny :wink: It works now!!11! If I'm really sure what I did, I will post a howto here for other guys...

thx for reading :b:

When it works, please post the howto when you have a chance. Thx,