[Fedora-directory-users] Problem with solaris & FDS authentication
Igor
logastellus at yahoo.com
Wed Aug 31 14:26:00 UTC 2005
--- "Tay, Gary" <Gary_Tay at platts.com> wrote:
> 0) Make sure every time you restart /etc/init.d/ldap.client
> (ldap_cachemgr), restart also the /etc/init.d/nscd (name service cache
> daemon).
Well, I decided to turn off nscd completely while I'm testing.
> 1) Make sure you define "CRYPT" as the default passwordStorageScheme in
> LDAP DIT (right click cn=config and edit its properties).
Yes.
> 2) Make sure you have these three lines in /var/ldap/ldap_client_file
> and also in "default" profile in LDAP DIT?
I have them in the ldap_client_file, but the default profile looks like this:
# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
Am I missing anything? I don't have serviceSearchDescriptor, but I think it should chain ou=People+defaultSearchBase, right?
> And there is a "shadow: files ldap" line in /etc/nsswitch.conf.
Yes.
> 4) Did you install a binary version of OpenSSH Server with PAM support
> or compile from source with an "./configure --with-pam" option?
It was a pkg:
bash-2.03# ldd /usr/local/sbin/sshd
libpam.so.1 => /usr/lib/libpam.so.1
> 6) For ssh client connection, do this way to see more:
>
> $ ssh -v testdba at 192.85.86.87
OK. This is me trying to ssh to a Linux box under FDS control:
cnyitsun01/ > ssh testdba at cnyitlin01
testdba at cnyitlin01's password:
Last login: Fri Aug 26 11:02:06 2005 from cnyitlin02.composers.foo.com
[testdba at cnyitlin01 ~]$
Works fine. Now, to the test sun box:
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
LDAP Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password:
And notice it's asking me for a separate LDAP password. What's up with that?
Also, I ran this:
bash-2.03# ldapsearch -D "uid=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" -w password -h cnyitlin02 -s base -b "" "objectclass=*"
objectClass=top
namingContexts=dc=composers,dc=foo,dc=com
namingContexts=dc=example, dc=com
namingContexts=o=NetscapeRoot
supportedExtension=2.16.840.1.113730.3.5.7
supportedExtension=2.16.840.1.113730.3.5.8
[more crap...]
So, looks like the proxy id/password is correct....
I hate Solaris. It took me ONE MINUTE to get a linux client working. One command -
authconfig. This is just retarded.
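Added example, not from this thread or from the Fedora Directory Server project: a small Python checker that parses the DUAConfigProfile entry posted above and reports the search base each naming service ends up with, plus a few findings a reviewer would flag. DEFAULT_CONTAINERS (my reading of the ldapclient(1M) fallbacks when serviceSearchDescriptor is absent) and REQUIRED_ATTRS are assumptions, and the embedded PROFILE is abridged from the message.

```python
from collections import defaultdict

# Profile entry abridged from the message above (timers omitted to save space).
PROFILE = """\
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
"""

# Containers a Solaris client falls back to when the profile carries no
# serviceSearchDescriptor (assumption drawn from ldapclient(1M) defaults).
DEFAULT_CONTAINERS = {"passwd": "ou=people", "shadow": "ou=people", "group": "ou=group"}
REQUIRED_ATTRS = ("defaultServerList", "defaultSearchBase", "credentialLevel", "authenticationMethod")

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; blank and comment lines skipped."""
    entry = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip()].append(value.strip())
    return dict(entry)

def effective_search_bases(entry):
    """Map each naming service to the base the client will actually search."""
    base = entry["defaultSearchBase"][0]
    bases = {svc: f"{cont},{base}" for svc, cont in DEFAULT_CONTAINERS.items()}
    for ssd in entry.get("serviceSearchDescriptor", []):
        svc, _, descriptor = ssd.partition(":")   # e.g. "passwd:ou=People,dc=...?one"
        bases[svc.strip()] = descriptor.strip()
    return bases

def check_profile(entry):
    """Return a list of findings a reviewer would raise about this profile."""
    findings = [f"missing {a}" for a in REQUIRED_ATTRS if a not in entry]
    if "DUAConfigProfile" not in entry.get("objectClass", []):
        findings.append("objectClass DUAConfigProfile absent")
    if entry.get("authenticationMethod") == ["simple"] and entry.get("credentialLevel") == ["proxy"]:
        findings.append("proxy bind uses simple auth: password crosses the network in clear unless TLS is used")
    return findings
```

Run it against a profile that does carry a serviceSearchDescriptor to see the override replace the fallback base for that service only.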