Re: Connect Solaris ldapclient to a Oracle internet directory

From: Shakespeare <whatsin_at_xs4all.nl>
Date: Wed, 18 Jun 2008 16:16:10 +0200
Message-ID: <485918ae$0$14351$e4fe514c@news.xs4all.nl>

"denis" <Denis.Nicklas_at_googlemail.com> schreef in bericht news:99a1868b-5ab5-4834-8672-d396268b643e_at_z66g2000hsc.googlegroups.com... On 18 Jun., 15:42, "Shakespeare" <what..._at_xs4all.nl> wrote:
> "denis" <Denis.Nick..._at_googlemail.com> schreef in
> berichtnews:b3ca07d0-d334-4230-bed6-6d334a1acdc9_at_i76g2000hsf.googlegroups.com...
>
>
>
>
>
> > Hi,
>
> > I am looking for informations howto connect Solaris native ldapclient
> > to a Oracle internet directory.
> > Or a solution for the following problem:
> > Solaris 10
> > ldapclient init works
> > ssh with a ldap user doesn't
> > error:
>
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 219349 auth.debug]
> > pam_unix_auth: user MYUSER not found
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 453631 auth.debug] tid= 1:
> > Adding connection (serverAddr=xxx.xxx.xxx.xxx:389)
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 776464 auth.debug] tid= 1:
> > Initialized sessionPool
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 816976 auth.debug] tid= 1:
> > Connection added [0]
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 467101 auth.debug] tid= 1:
> > connectionID=1024
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 805042 auth.debug] tid= 1:
> > shared=1
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 982078 auth.debug] tid= 1:
> > usedBit=0
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 727660 auth.debug] tid= 1:
> > threadID=1
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 577507 auth.debug] tid= 1:
> > serverAddr=xxx.xxx.xxx.xxx:389
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 939703 auth.debug] tid= 1:
> > AuthType=0
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 142272 auth.debug] tid= 1:
> > TlsType=0
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 537450 auth.debug] tid= 1:
> > SaslMech=0
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 625532 auth.debug] tid= 1:
> > SaslOpt=0
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 323218 auth.debug] tid= 1:
> > unlocking sessionLock
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Keyboard-
> > interactive (PAM) userauth failed[13] while authenticating: No account
> > present for user
> > Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Failed
> > keyboard-interactive for <invalid username> from xxx.xxx.xxx.xxx port
> > 1463 ssh2
>
> > ldapclient list
> > NS_LDAP_FILE_VERSION= 2.0
> > NS_LDAP_SERVERS= 10.0.0.1:389
> > NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
> > NS_LDAP_CACHETTL= 0
> > NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
>
> > /etc/pam.conf
> > #ident "@(#)pam.conf 1.29 05/06/08 SMI"
> > #
> > # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
> > # Use is subject to license terms.
> > #
> > # PAM configuration
> > #
> > # Unless explicitly defined, all services use the modules
> > # defined in the "other" section.
> > #
> > # Modules are defined with relative pathnames, i.e., they are
> > # relative to /usr/lib/security/$ISA. Absolute path names, as
> > # present in this file in previous releases are still acceptable.
> > #
> > # Authentication management
> > #
> > #
> > # login service (explicit because of pam_dial_auth)
> > #
> > login auth requisite pam_authtok_get.so.1
> > login auth sufficient pam_ldap.so.1
> > login auth required pam_dhkeys.so.1
> > login auth required pam_unix_cred.so.1
> > #login auth required pam_unix_auth.so.1
> > login auth required pam_dial_auth.so.1
> > login auth binding pam_unix_auth.so.1 server_policy
> > login auth required pam_ldap.so.1 debug
>
> > #
> > # rlogin service (explicit because of pam_rhost_auth)
> > #
> > rlogin auth sufficient pam_rhosts_auth.so.1
> > rlogin auth requisite pam_authtok_get.so.1
> > rlogin auth required pam_dhkeys.so.1
> > rlogin auth required pam_unix_cred.so.1
> > #rlogin auth required pam_unix_auth.so.1
> > #
> > # Kerberized rlogin service
> > #
> > krlogin auth required pam_unix_cred.so.1
> > krlogin auth binding pam_krb5.so.1
> > krlogin auth required pam_unix_auth.so.1
> > #
> > # rsh service (explicit because of pam_rhost_auth,
> > # and pam_unix_auth for meaningful pam_setcred)
> > #
> > rsh auth sufficient pam_rhosts_auth.so.1
> > rsh auth required pam_unix_cred.so.1
> > #
> > # Kerberized rsh service
> > #
> > #krsh auth required pam_unix_cred.so.1
> > #krsh auth binding pam_krb5.so.1
> > #krsh auth required pam_unix_auth.so.1
> > #
> > # Kerberized telnet service
> > #
> > #ktelnet auth required pam_unix_cred.so.1
> > #ktelnet auth binding pam_krb5.so.1
> > #ktelnet auth required pam_unix_auth.so.1
> > #
> > # PPP service (explicit because of pam_dial_auth)
> > #
> > ppp auth requisite pam_authtok_get.so.1
> > ppp auth required pam_dhkeys.so.1
> > ppp auth required pam_unix_cred.so.1
> > ppp auth required pam_unix_auth.so.1
> > ppp auth required pam_dial_auth.so.1
> > #
> > # Default definitions for Authentication management
> > # Used when service name is not explicitly mentioned for
> > authentication
> > #
> > other auth requisite pam_authtok_get.so.1
> > other auth required pam_dhkeys.so.1
> > other auth required pam_unix_cred.so.1
> > #other auth required pam_unix_auth.so.1
> > #other auth sufficient pam_krb5.so.1
> > other auth binding pam_unix_auth.so.1 server_policy
> > other auth required pam_ldap.so.1 debug
> > #
> > # passwd command (explicit because of a different authentication
> > module)
> > #
> > #passwd auth required pam_passwd_auth.so.1
> > passwd auth sufficient pam_passwd_auth.so.1 debug
> > passwd auth sufficient pam_ldap.so.1 debug
> > #
> > # cron service (explicit because of non-usage of pam_roles.so.1)
> > #
> > cron account required pam_unix_account.so.1
> > #
> > # Default definition for Account management
> > # Used when service name is not explicitly mentioned for account
> > management
> > #
> > other account requisite pam_roles.so.1
> > #other account required pam_unix_account.so.1
> > other account sufficient pam_unix_account.so.1 debug
> > other account sufficient pam_ldap.so.1 debug
> > #
> > # Default definition for Session management
> > # Used when service name is not explicitly mentioned for session
> > management
> > #
> > other session required pam_unix_session.so.1
> > #
> > # Default definition for Password management
> > # Used when service name is not explicitly mentioned for password
> > management
> > #
> > other password required pam_dhkeys.so.1
> > other password requisite pam_authtok_get.so.1
> > other password requisite pam_authtok_check.so.1
> > other password required pam_authtok_store.so.1
> > #
> > # Support for Kerberos V5 authentication and example configurations
> > can
> > # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> > #
> > krlogin auth required pam_krb5.so.1
> > krsh auth required pam_krb5.so.1
> > ktelnet auth required pam_krb5.so.1
>
> Are these entries
> a) unmodified taken from your configuration?
> b) correct?
>
> Did you perform any preparations on the OID to make it work with Solaris
> Ldap Client?
>
> Shakespeare- Zitierten Text ausblenden -
>
> - Zitierten Text anzeigen -

to a) no I needed to change ipadresse to xxx.xxx.xxx.xxx and dc entries <- company policy sorry
b) they are correct in the sense of cut and paste to the newsgroup if the are correct in the sense of functionality? I hope so.

> Did you perform any preparations on the OID to make it work with Solaris
> Ldap Client?

As I am not the administrator of the OID I didn't changed anything. But if you would be so ckind to give me a hint I would ask the admin to do so (I didn't even knew that there are changes needed´, sorry).

thanks



For the changes you made in your post: no problem, I was just checking for a misconfiguration by using some default values like mydomain.com

Actually, from what I read through Google, you'll have to change a lot in OID to use it with a Solaris LDAP client.

But first you could try to add to your LDAP client: NS_LDAP_BINDDN= cn=orcladmin
NS_LDAP_BINDPASSWD= ..... (orcladmin password)

For more reading, you might go to
http://forum.java.sun.com/thread.jspa?threadID=5052764&start=15&tstart=0

Shakespeare Received on Wed Jun 18 2008 - 09:16:10 CDT

Original text of this message