Home -> Usenet -> c.d.o.server -> Re: Connect Solaris ldapclient to a Oracle internet directory

Re: Connect Solaris ldapclient to a Oracle internet directory

From: Shakespeare <whatsin_at_xs4all.nl>
Date: Wed, 18 Jun 2008 20:45:19 +0200
Message-ID: <485957c7$0$14347$e4fe514c@news.xs4all.nl> 






"denis" <Denis.Nicklas_at_googlemail.com> schreef in bericht 
news:b3ca07d0-d334-4230-bed6-6d334a1acdc9_at_i76g2000hsf.googlegroups.com...


> Hi,

>

> I am looking for informations howto connect Solaris native ldapclient

> to a Oracle internet directory.

> Or a solution for the following problem:

> Solaris 10

> ldapclient init works

> ssh with a ldap user doesn't

> error:

>

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 219349 auth.debug]

> pam_unix_auth: user MYUSER not found

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 453631 auth.debug] tid= 1:

> Adding connection (serverAddr=xxx.xxx.xxx.xxx:389)

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 776464 auth.debug] tid= 1:

> Initialized sessionPool

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 816976 auth.debug] tid= 1:

> Connection added [0]

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 467101 auth.debug] tid= 1:

> connectionID=1024

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 805042 auth.debug] tid= 1:

> shared=1

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 982078 auth.debug] tid= 1:

> usedBit=0

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 727660 auth.debug] tid= 1:

> threadID=1

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 577507 auth.debug] tid= 1:

> serverAddr=xxx.xxx.xxx.xxx:389

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 939703 auth.debug] tid= 1:

> AuthType=0

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 142272 auth.debug] tid= 1:

> TlsType=0

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 537450 auth.debug] tid= 1:

> SaslMech=0

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 625532 auth.debug] tid= 1:

> SaslOpt=0

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 323218 auth.debug] tid= 1:

> unlocking sessionLock

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Keyboard-

> interactive (PAM) userauth failed[13] while authenticating: No account

> present for user

> Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Failed

> keyboard-interactive for <invalid username> from xxx.xxx.xxx.xxx port

> 1463 ssh2

>

>

> ldapclient list

> NS_LDAP_FILE_VERSION= 2.0


> NS_LDAP_SERVERS= 10.0.0.1:389


> NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com

> NS_LDAP_CACHETTL= 0


> NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple

>

>

> /etc/pam.conf

> #ident  "@(#)pam.conf   1.29    05/06/08 SMI"

> #

> # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.

> # Use is subject to license terms.

> #

> # PAM configuration

> #

> # Unless explicitly defined, all services use the modules

> # defined in the "other" section.

> #

> # Modules are defined with relative pathnames, i.e., they are

> # relative to /usr/lib/security/$ISA. Absolute path names, as

> # present in this file in previous releases are still acceptable.

> #

> # Authentication management

> #

> #

> # login service (explicit because of pam_dial_auth)

> #

> login   auth requisite          pam_authtok_get.so.1

> login   auth sufficient         pam_ldap.so.1

> login   auth required           pam_dhkeys.so.1

> login   auth required           pam_unix_cred.so.1

> #login  auth required           pam_unix_auth.so.1

> login   auth required           pam_dial_auth.so.1

> login    auth binding           pam_unix_auth.so.1 server_policy

> login    auth required          pam_ldap.so.1 debug

>

> #

> # rlogin service (explicit because of pam_rhost_auth)

> #

> rlogin  auth sufficient         pam_rhosts_auth.so.1

> rlogin  auth requisite          pam_authtok_get.so.1

> rlogin  auth required           pam_dhkeys.so.1

> rlogin  auth required           pam_unix_cred.so.1

> #rlogin auth required           pam_unix_auth.so.1

> #

> # Kerberized rlogin service

> #

> krlogin auth required           pam_unix_cred.so.1

> krlogin auth binding            pam_krb5.so.1

> krlogin auth required           pam_unix_auth.so.1

> #

> # rsh service (explicit because of pam_rhost_auth,

> # and pam_unix_auth for meaningful pam_setcred)

> #

> rsh     auth sufficient         pam_rhosts_auth.so.1

> rsh     auth required           pam_unix_cred.so.1

> #

> # Kerberized rsh service

> #

> #krsh   auth required           pam_unix_cred.so.1

> #krsh   auth binding            pam_krb5.so.1

> #krsh   auth required           pam_unix_auth.so.1

> #

> # Kerberized telnet service

> #

> #ktelnet        auth required           pam_unix_cred.so.1

> #ktelnet        auth binding            pam_krb5.so.1

> #ktelnet        auth required           pam_unix_auth.so.1

> #

> # PPP service (explicit because of pam_dial_auth)

> #

> ppp     auth requisite          pam_authtok_get.so.1

> ppp     auth required           pam_dhkeys.so.1

> ppp     auth required           pam_unix_cred.so.1

> ppp     auth required           pam_unix_auth.so.1

> ppp     auth required           pam_dial_auth.so.1

> #

> # Default definitions for Authentication management

> # Used when service name is not explicitly mentioned for

> authentication

> #

> other   auth requisite          pam_authtok_get.so.1

> other   auth required           pam_dhkeys.so.1

> other   auth required           pam_unix_cred.so.1

> #other  auth required           pam_unix_auth.so.1

> #other  auth sufficient         pam_krb5.so.1

> other auth binding              pam_unix_auth.so.1 server_policy

> other auth required pam_ldap.so.1 debug

> #

> # passwd command (explicit because of a different authentication

> module)

> #

> #passwd auth required           pam_passwd_auth.so.1

> passwd auth sufficient pam_passwd_auth.so.1 debug

> passwd auth sufficient   pam_ldap.so.1 debug

> #

> # cron service (explicit because of non-usage of pam_roles.so.1)

> #

> cron    account required        pam_unix_account.so.1

> #

> # Default definition for Account management

> # Used when service name is not explicitly mentioned for account

> management

> #

> other   account requisite       pam_roles.so.1

> #other  account required        pam_unix_account.so.1

> other account sufficient pam_unix_account.so.1 debug

> other account sufficient pam_ldap.so.1 debug

> #

> # Default definition for Session management

> # Used when service name is not explicitly mentioned for session

> management

> #

> other   session required        pam_unix_session.so.1

> #

> # Default definition for  Password management

> # Used when service name is not explicitly mentioned for password

> management

> #

> other   password required       pam_dhkeys.so.1

> other   password requisite      pam_authtok_get.so.1

> other   password requisite      pam_authtok_check.so.1

> other   password required       pam_authtok_store.so.1

> #

> # Support for Kerberos V5 authentication and example configurations

> can

> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.

> #

> krlogin auth required           pam_krb5.so.1

> krsh    auth required           pam_krb5.so.1

> ktelnet auth required           pam_krb5.so.1




Denis,



you may want to take a look at this:


http://www.oracle.com/technology/products/oid/htdocs/oracleauthenticationservices_ds.pdf



It looks like a pre-cooked OID for OS platforms; Solaris is supported too...



I never knew it existed, just noted it in some blog...



Shakespeare
Received on Wed Jun 18 2008 - 13:45:19 CDT












Original text of this message