[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Solaris Issues



Having trouble getting pam_ldap to work properly with Solaris.  The only
way I can become one of the users in LDAP is to first become root, and
then su to that user.  I cannot su from a non-LDAP user to an LDAP user,
and cannot ssh in as an LDAP user.

ldapsearch -ZZ works perfectly -- returns all entrires in the LDAP DB,
regardless of who called it (LDAP user, regular user, root, etc)..

su: Root can su to any user in the LDAP database
    Non-root users receive the message "su: Unknown id: johndoe"

getent passwd: returns passwd file, include LDAP entries, for all
root/local
               users -- but NOT when called by LDAP users

Looking in /var/log/authlog when a normal user attempts to su to root, I
see the following entry:

Feb 25 19:07:17 name su: pam_ldap: ldap_starttls_s: Connect error
Feb 25 19:07:20 name su: pam_ldap: ldap_result Can't contact LDAP server

I have installed a random number device (otherwise the ldapsearch wouldn't
work), and have /etc/ldap.conf setup as follows:

URI             LDAP://ip_of_server
BASE dc=correct,dc=base,dc=com
HOST ip_of_server
port    389
ldap_version 3
ssl start_tls
pam_password exop
suffix          "dc=correct,dc=base,dc=com"
rootdn          "uid=root_user,ou=People,dc=correct,dc=base,dc=com"
rootpw          {crypt}uhm...yeah,.right.;)

This version of the config file is IDENTICAL to the file on our Linux
boxes, which work flawlessly.  Btw, /etc/openldap is symlinked to
/usr/local/etc/openldap, and /usr/local/etc/openldap/ldap.conf is
symlinked to /etc/ldap.conf and just for kicks, /usr/local/etc/ldap.conf
is also symlinked to /etc/ldap.conf -- so /etc/ldap.conf is the file that
everything is looking at.  /etc/nsswitch.conf contains the following
lines:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

and /etc/pam.conf is:

#
# Authentication mgmt
#
other   auth sufficient /usr/lib/security/pam_ldap.so.1 debug
other   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
#
# Account mgmt
#
other   account sufficient      /usr/lib/security/pam_ldap.so.1 debug
other   account required        /usr/lib/security/pam_unix.so.1
#
# Password mgmt
#
other   password sufficient     /usr/lib/security/pam_ldap.so.1 debug
other   password required       /usr/lib/security/pam_unix.so.1
try_first_pass
#
# Session mgmt
#
other   session required        /usr/lib/security/pam_unix.so.1


I initially investigated TLS/SSL issues, reading the error message to read
this but the fact that the majority of operations work suggests that
perhaps the error is misleading.

Versions:

Solaris 7
nss_ldap 184
pam_ldap 138
OpenLDAP 2.0.19
OpenSSL 0.9.6b



Any thoughts on why this isn't working?  Is there anybody out there who
HAS successfully gotten LDAP authentical with TLS to work on Solaris 7?!?!

Pulling my hair out..this project is already way overdue :(

Thanks in advance
chris

Attachment: pgp00004.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []