Re: Connect Solaris ldapclient to a Oracle internet directory
Date: Wed, 18 Jun 2008 15:48:15 +0200
Message-ID: <48591224$0$14355$e4fe514c@news.xs4all.nl>
"Shakespeare" <whatsin_at_xs4all.nl> schreef in bericht
news:485910d1$0$14342$e4fe514c_at_news.xs4all.nl...
>
> "denis" <Denis.Nicklas_at_googlemail.com> schreef in bericht
> news:b3ca07d0-d334-4230-bed6-6d334a1acdc9_at_i76g2000hsf.googlegroups.com...
>> Hi,
>>
>> I am looking for informations howto connect Solaris native ldapclient
>> to a Oracle internet directory.
>> Or a solution for the following problem:
>> Solaris 10
>> ldapclient init works
>> ssh with a ldap user doesn't
>> error:
>>
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 219349 auth.debug]
>> pam_unix_auth: user MYUSER not found
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 453631 auth.debug] tid= 1:
>> Adding connection (serverAddr=xxx.xxx.xxx.xxx:389)
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 776464 auth.debug] tid= 1:
>> Initialized sessionPool
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 816976 auth.debug] tid= 1:
>> Connection added [0]
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 467101 auth.debug] tid= 1:
>> connectionID=1024
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 805042 auth.debug] tid= 1:
>> shared=1
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 982078 auth.debug] tid= 1:
>> usedBit=0
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 727660 auth.debug] tid= 1:
>> threadID=1
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 577507 auth.debug] tid= 1:
>> serverAddr=xxx.xxx.xxx.xxx:389
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 939703 auth.debug] tid= 1:
>> AuthType=0
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 142272 auth.debug] tid= 1:
>> TlsType=0
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 537450 auth.debug] tid= 1:
>> SaslMech=0
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 625532 auth.debug] tid= 1:
>> SaslOpt=0
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 323218 auth.debug] tid= 1:
>> unlocking sessionLock
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Keyboard-
>> interactive (PAM) userauth failed[13] while authenticating: No account
>> present for user
>> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Failed
>> keyboard-interactive for <invalid username> from xxx.xxx.xxx.xxx port
>> 1463 ssh2
>>
>>
>> ldapclient list
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= 10.0.0.1:389
>> NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
>> NS_LDAP_CACHETTL= 0
>> NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
>>
>>
>> /etc/pam.conf
>> #ident "@(#)pam.conf 1.29 05/06/08 SMI"
>> #
>> # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
>> # Use is subject to license terms.
>> #
>> # PAM configuration
>> #
>> # Unless explicitly defined, all services use the modules
>> # defined in the "other" section.
>> #
>> # Modules are defined with relative pathnames, i.e., they are
>> # relative to /usr/lib/security/$ISA. Absolute path names, as
>> # present in this file in previous releases are still acceptable.
>> #
>> # Authentication management
>> #
>> #
>> # login service (explicit because of pam_dial_auth)
>> #
>> login auth requisite pam_authtok_get.so.1
>> login auth sufficient pam_ldap.so.1
>> login auth required pam_dhkeys.so.1
>> login auth required pam_unix_cred.so.1
>> #login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>> login auth binding pam_unix_auth.so.1 server_policy
>> login auth required pam_ldap.so.1 debug
>>
>> #
>> # rlogin service (explicit because of pam_rhost_auth)
>> #
>> rlogin auth sufficient pam_rhosts_auth.so.1
>> rlogin auth requisite pam_authtok_get.so.1
>> rlogin auth required pam_dhkeys.so.1
>> rlogin auth required pam_unix_cred.so.1
>> #rlogin auth required pam_unix_auth.so.1
>> #
>> # Kerberized rlogin service
>> #
>> krlogin auth required pam_unix_cred.so.1
>> krlogin auth binding pam_krb5.so.1
>> krlogin auth required pam_unix_auth.so.1
>> #
>> # rsh service (explicit because of pam_rhost_auth,
>> # and pam_unix_auth for meaningful pam_setcred)
>> #
>> rsh auth sufficient pam_rhosts_auth.so.1
>> rsh auth required pam_unix_cred.so.1
>> #
>> # Kerberized rsh service
>> #
>> #krsh auth required pam_unix_cred.so.1
>> #krsh auth binding pam_krb5.so.1
>> #krsh auth required pam_unix_auth.so.1
>> #
>> # Kerberized telnet service
>> #
>> #ktelnet auth required pam_unix_cred.so.1
>> #ktelnet auth binding pam_krb5.so.1
>> #ktelnet auth required pam_unix_auth.so.1
>> #
>> # PPP service (explicit because of pam_dial_auth)
>> #
>> ppp auth requisite pam_authtok_get.so.1
>> ppp auth required pam_dhkeys.so.1
>> ppp auth required pam_unix_cred.so.1
>> ppp auth required pam_unix_auth.so.1
>> ppp auth required pam_dial_auth.so.1
>> #
>> # Default definitions for Authentication management
>> # Used when service name is not explicitly mentioned for
>> authentication
>> #
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> #other auth required pam_unix_auth.so.1
>> #other auth sufficient pam_krb5.so.1
>> other auth binding pam_unix_auth.so.1 server_policy
>> other auth required pam_ldap.so.1 debug
>> #
>> # passwd command (explicit because of a different authentication
>> module)
>> #
>> #passwd auth required pam_passwd_auth.so.1
>> passwd auth sufficient pam_passwd_auth.so.1 debug
>> passwd auth sufficient pam_ldap.so.1 debug
>> #
>> # cron service (explicit because of non-usage of pam_roles.so.1)
>> #
>> cron account required pam_unix_account.so.1
>> #
>> # Default definition for Account management
>> # Used when service name is not explicitly mentioned for account
>> management
>> #
>> other account requisite pam_roles.so.1
>> #other account required pam_unix_account.so.1
>> other account sufficient pam_unix_account.so.1 debug
>> other account sufficient pam_ldap.so.1 debug
>> #
>> # Default definition for Session management
>> # Used when service name is not explicitly mentioned for session
>> management
>> #
>> other session required pam_unix_session.so.1
>> #
>> # Default definition for Password management
>> # Used when service name is not explicitly mentioned for password
>> management
>> #
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1
>> other password required pam_authtok_store.so.1
>> #
>> # Support for Kerberos V5 authentication and example configurations
>> can
>> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
>> #
>> krlogin auth required pam_krb5.so.1
>> krsh auth required pam_krb5.so.1
>> ktelnet auth required pam_krb5.so.1
>
Sorry, forgot to copy/paste the entries I was pointing at:
Are these entries
NS_LDAP_SERVERS= 10.0.0.1:389
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
- unmodified taken from your configuration?
- correct?
Did you perform any preparations on the OID to make it work with Solaris Ldap Client?
Shakespeare Received on Wed Jun 18 2008 - 08:48:15 CDT