Re: Connect Solaris ldapclient to a Oracle internet directory

From: Shakespeare <whatsin_at_xs4all.nl>
Date: Wed, 18 Jun 2008 16:19:05 +0200
Message-ID: <4859195e$0$14359$e4fe514c@news.xs4all.nl>

"denis" <Denis.Nicklas_at_googlemail.com> wrote in message news:e32cfdef-3bac-40e1-a4d5-a5edb5d5392c_at_25g2000hsx.googlegroups.com...
> On 18 Jun., 15:48, "Shakespeare" <what..._at_xs4all.nl> wrote:
> "Shakespeare" <what..._at_xs4all.nl> wrote in message
> news:485910d1$0$14342$e4fe514c_at_news.xs4all.nl...
>
> > "denis" <Denis.Nick..._at_googlemail.com> wrote in message
> > news:b3ca07d0-d334-4230-bed6-6d334a1acdc9_at_i76g2000hsf.googlegroups.com...
> >> Hi,
>
> >> I am looking for informations howto connect Solaris native ldapclient
> >> to a Oracle internet directory.
> >> Or a solution for the following problem:
> >> Solaris 10
> >> ldapclient init works
> >> ssh with a ldap user doesn't
> >> error:
>
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 219349 auth.debug] pam_unix_auth: user MYUSER not found
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=xxx.xxx.xxx.xxx:389)
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 816976 auth.debug] tid= 1: Connection added [0]
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 467101 auth.debug] tid= 1: connectionID=1024
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 805042 auth.debug] tid= 1: shared=1
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 982078 auth.debug] tid= 1: usedBit=0
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 727660 auth.debug] tid= 1: threadID=1
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 577507 auth.debug] tid= 1: serverAddr=xxx.xxx.xxx.xxx:389
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 939703 auth.debug] tid= 1: AuthType=0
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 142272 auth.debug] tid= 1: TlsType=0
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 537450 auth.debug] tid= 1: SaslMech=0
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 323218 auth.debug] tid= 1: unlocking sessionLock
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
> >> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from xxx.xxx.xxx.xxx port 1463 ssh2
>
> >> ldapclient list
> >> NS_LDAP_FILE_VERSION= 2.0
> >> NS_LDAP_SERVERS= 10.0.0.1:389
> >> NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
> >> NS_LDAP_CACHETTL= 0
> >> NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
>
> >> /etc/pam.conf
> >> #ident "@(#)pam.conf 1.29 05/06/08 SMI"
> >> #
> >> # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
> >> # Use is subject to license terms.
> >> #
> >> # PAM configuration
> >> #
> >> # Unless explicitly defined, all services use the modules
> >> # defined in the "other" section.
> >> #
> >> # Modules are defined with relative pathnames, i.e., they are
> >> # relative to /usr/lib/security/$ISA. Absolute path names, as
> >> # present in this file in previous releases are still acceptable.
> >> #
> >> # Authentication management
> >> #
> >> #
> >> # login service (explicit because of pam_dial_auth)
> >> #
> >> login auth requisite pam_authtok_get.so.1
> >> login auth sufficient pam_ldap.so.1
> >> login auth required pam_dhkeys.so.1
> >> login auth required pam_unix_cred.so.1
> >> #login auth required pam_unix_auth.so.1
> >> login auth required pam_dial_auth.so.1
> >> login auth binding pam_unix_auth.so.1 server_policy
> >> login auth required pam_ldap.so.1 debug
>
> >> #
> >> # rlogin service (explicit because of pam_rhost_auth)
> >> #
> >> rlogin auth sufficient pam_rhosts_auth.so.1
> >> rlogin auth requisite pam_authtok_get.so.1
> >> rlogin auth required pam_dhkeys.so.1
> >> rlogin auth required pam_unix_cred.so.1
> >> #rlogin auth required pam_unix_auth.so.1
> >> #
> >> # Kerberized rlogin service
> >> #
> >> krlogin auth required pam_unix_cred.so.1
> >> krlogin auth binding pam_krb5.so.1
> >> krlogin auth required pam_unix_auth.so.1
> >> #
> >> # rsh service (explicit because of pam_rhost_auth,
> >> # and pam_unix_auth for meaningful pam_setcred)
> >> #
> >> rsh auth sufficient pam_rhosts_auth.so.1
> >> rsh auth required pam_unix_cred.so.1
> >> #
> >> # Kerberized rsh service
> >> #
> >> #krsh auth required pam_unix_cred.so.1
> >> #krsh auth binding pam_krb5.so.1
> >> #krsh auth required pam_unix_auth.so.1
> >> #
> >> # Kerberized telnet service
> >> #
> >> #ktelnet auth required pam_unix_cred.so.1
> >> #ktelnet auth binding pam_krb5.so.1
> >> #ktelnet auth required pam_unix_auth.so.1
> >> #
> >> # PPP service (explicit because of pam_dial_auth)
> >> #
> >> ppp auth requisite pam_authtok_get.so.1
> >> ppp auth required pam_dhkeys.so.1
> >> ppp auth required pam_unix_cred.so.1
> >> ppp auth required pam_unix_auth.so.1
> >> ppp auth required pam_dial_auth.so.1
> >> #
> >> # Default definitions for Authentication management
> >> # Used when service name is not explicitly mentioned for authentication
> >> #
> >> other auth requisite pam_authtok_get.so.1
> >> other auth required pam_dhkeys.so.1
> >> other auth required pam_unix_cred.so.1
> >> #other auth required pam_unix_auth.so.1
> >> #other auth sufficient pam_krb5.so.1
> >> other auth binding pam_unix_auth.so.1 server_policy
> >> other auth required pam_ldap.so.1 debug
> >> #
> >> # passwd command (explicit because of a different authentication module)
> >> #
> >> #passwd auth required pam_passwd_auth.so.1
> >> passwd auth sufficient pam_passwd_auth.so.1 debug
> >> passwd auth sufficient pam_ldap.so.1 debug
> >> #
> >> # cron service (explicit because of non-usage of pam_roles.so.1)
> >> #
> >> cron account required pam_unix_account.so.1
> >> #
> >> # Default definition for Account management
> >> # Used when service name is not explicitly mentioned for account management
> >> #
> >> other account requisite pam_roles.so.1
> >> #other account required pam_unix_account.so.1
> >> other account sufficient pam_unix_account.so.1 debug
> >> other account sufficient pam_ldap.so.1 debug
> >> #
> >> # Default definition for Session management
> >> # Used when service name is not explicitly mentioned for session management
> >> #
> >> other session required pam_unix_session.so.1
> >> #
> >> # Default definition for Password management
> >> # Used when service name is not explicitly mentioned for password management
> >> #
> >> other password required pam_dhkeys.so.1
> >> other password requisite pam_authtok_get.so.1
> >> other password requisite pam_authtok_check.so.1
> >> other password required pam_authtok_store.so.1
> >> #
> >> # Support for Kerberos V5 authentication and example configurations can
> >> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> >> #
> >> krlogin auth required pam_krb5.so.1
> >> krsh auth required pam_krb5.so.1
> >> ktelnet auth required pam_krb5.so.1
>
> Sorry, forgot to copy/paste the entries I was pointing at:
>
> Are these entries
>
> NS_LDAP_SERVERS= 10.0.0.1:389
> NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
>
> a) unmodified taken from your configuration?
> b) correct?
>
> Did you perform any preparations on the OID to make it work with Solaris
> Ldap Client?
>
> Shakespeare

Yes, they are (the original values), because the ldapclient initializes successfully and ldapsearch works with these values.

Ok, if ldapsearch works, it looks like ldapcompare or ldapbind is not working. Could you check ldapcompare?

Shakespeare

Received on Wed Jun 18 2008 - 09:19:05 CDT
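Added example for this thread (my code, not denis's, Shakespeare's or Sun's): a Python triage of a constructed copy of the auth.debug excerpt quoted above. It separates what libsldap reports about the pooled directory connection (was it reached, and with which AuthType/TlsType) from what PAM reports about the account, so the two failure classes the thread circles around, an unreachable directory and a directory that answers but yields no posix account, can be told apart from the log alone. Assumptions: the numeric AuthType/TlsType/SaslMech codes are read per the enums in libsldap's ns_sldap.h, where 0 means none in each case; the server address in the sample is the NS_LDAP_SERVERS value from the post, and 192.0.2.10 is a documentation-range placeholder for the ssh client.

```python
"""Triage of a Solaris sshd/libsldap auth.debug excerpt.

Added example for this thread, not code from the original post or from Sun.
It splits the excerpt into the two things it actually reports: the libsldap
session pool (did the client reach the directory, and how was the connection
made) and the PAM/name service outcome (was the account resolvable at all).
Assumption: the numeric AuthType/TlsType/SaslMech codes follow the enums in
libsldap's ns_sldap.h, where 0 means "none" in each case; check your release.
"""
import re

# Constructed sample modelled on the excerpt in the post. The server address is
# the NS_LDAP_SERVERS value from the post; 192.0.2.10 is a documentation-range
# placeholder for the ssh client.
SAMPLE_LOG = """\
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 219349 auth.debug] pam_unix_auth: user MYUSER not found
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=10.0.0.1:389)
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 816976 auth.debug] tid= 1: Connection added [0]
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 577507 auth.debug] tid= 1: serverAddr=10.0.0.1:389
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 939703 auth.debug] tid= 1: AuthType=0
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 142272 auth.debug] tid= 1: TlsType=0
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 537450 auth.debug] tid= 1: SaslMech=0
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 192.0.2.10 port 1463 ssh2
"""

# "tid= 1: Key=Value" lines that libsldap logs for the pooled connection.
PARAM_RE = re.compile(r"tid=\s*\d+:\s*(\w+)=(\S+)")
# pam_unix_auth could not resolve the login name through the name service.
NSS_MISS_RE = re.compile(r"pam_unix_auth: user (\S+) not found")


def parse_session(lines):
    """Collect the libsldap connection parameters (serverAddr, AuthType, ...)."""
    params = {}
    for line in lines:
        m = PARAM_RE.search(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def describe_codes(params):
    """Read the numeric codes; 0 is 'none' per ns_sldap.h (assumption, see header)."""
    out = {}
    for key in ("AuthType", "TlsType", "SaslMech"):
        if key in params:
            out[key] = "none" if params[key] == "0" else "code %s (see ns_sldap.h)" % params[key]
    return out


def triage(log_text):
    """Classify one sshd login attempt from its auth.debug excerpt."""
    lines = log_text.splitlines()
    params = parse_session(lines)
    attempted = any("Adding connection" in l for l in lines)
    connected = any("Connection added" in l for l in lines)
    no_account = any("No account present for user" in l for l in lines)
    user = next((m.group(1) for m in map(NSS_MISS_RE.search, lines) if m), None)

    if attempted and not connected:
        verdict = "ldap-unreachable"
    elif connected and (no_account or user is not None):
        # The directory answered, yet getpwnam() produced no account: a name
        # service problem (nsswitch.conf passwd source, schema or attribute
        # mapping on the client), not a wrong password.
        verdict = "name-service-lookup-failed"
    elif connected:
        verdict = "connected-other-failure"
    else:
        verdict = "no-ldap-activity"

    findings = []
    if params.get("TlsType") == "0":
        # No TLS on the pooled connection; with pam_ldap:simple the user's
        # password would cross the wire in clear text on a successful login.
        findings.append("PLAINTEXT_LDAP_SESSION")
    if params.get("AuthType") == "0":
        # Lookups bind without a proxy identity, so the directory must permit
        # anonymous reads of the posix attributes.
        findings.append("ANONYMOUS_LOOKUP_BIND")
    return {"verdict": verdict, "user": user, "params": params, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"], result["user"], describe_codes(result["params"]))
    for f in result["findings"]:
        print("finding:", f)
```

On the post's own excerpt this yields name-service-lookup-failed, which is exactly why ldapsearch can succeed while ssh fails: the connection and search work, but getpwnam() for MYUSER returns nothing, so pam_unix_auth and the rest of the stack never see an account. The TlsType=0 finding is the hardening caveat that comes with this setup: with NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple against port 389, a successful login would send the user's password in the clear, so once the lookup problem is solved the service authentication method should move to tls:simple.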
