[Fedora-directory-users] solaris8 simple auth

George Holbert gholbert at broadcom.com
Fri Aug 10 22:30:12 UTC 2007


>
> How do I verify that the NS1 crypt is correct outside of the solaris
> client (or ldap_gen_profile)?

Don't know... I've only ever seen {NS1} with Solaris' LDAP client.  
Anyone know more about this hash, and what other tools can work with it?

> The password in FDS for the above proxy user is stored in CRYPT format
> in FDS - is this mismatch really supported?

Yes.  The NS1 hash is really just to obscure the password in the 
ldap_client_cred file.  When doing a simple bind, it is reversed and 
transmitted as clear text.


> suggestions?

Try putting the password cleartext directly in your ldap_client_cred 
file.  Maybe there was a typo when generating the NS1 hash?

e.g.:

NS_LDAP_BINDPASSWD= the-password


Then restart Solaris' ldapclient.




Doug Chapman wrote:
> I'm looking for troubleshooting advice- hope someone has some insight
> I can borrow.
>
> Trying to get a Solaris8 client (with the latest ldap patchcluster) to
> do simple authentication against FDS.
> When set up for anonymous auth, I'm able to do ldap list just fine:
>
> # ldaplist -l passwd tester
> dn: cn=test user,ou=People,dc=corp,dc=example,dc=com
>         givenName: test
>         sn: user
>         loginShell: /bin/bash
>         gidNumber: 1024
>         uidNumber: 5351
>         mail: tester at example.com
>         objectClass: person
>         objectClass: organizationalPerson
>         objectClass: inetOrgPerson
>         objectClass: posixAccount
>         objectClass: top
>         uid: tester
>         gecos: test user
>         cn: test user
>         homeDirectory: /nethome/tester
>
>
> When set up for simple auth (and that's all I've changed), I'm seeing
> error 49 (invalid credentials) in the FDS logs:
>
> [10/Aug/2007:14:45:02 -0700] conn=25532 fd=65 slot=65 connection from
> 172.20.100.85 to 172.20.200.125
> [10/Aug/2007:14:45:02 -0700] conn=25532 op=0 BIND
> dn="cn=sunldap,ou=profile,dc=corp,dc=example,dc=com" method=128
> version=3
> [10/Aug/2007:14:45:02 -0700] conn=25532 op=0 RESULT err=49 tag=97
> nentries=0 etime=0
> [10/Aug/2007:14:45:02 -0700] conn=25532 op=1 UNBIND
> [10/Aug/2007:14:45:02 -0700] conn=25532 op=1 fd=65 closed - U1
>
> Here's my /var/ldap/ldap_client_cred file
> NS_LDAP_BINDDN= cn=sunldap,ou=profile,dc=corp,dc=example,dc=com
> NS_LDAP_BINDPASSWD= {NS1}8cf5886bf25241a5a5045e
>
> How do I verify that the NS1 crypt is correct outside of the solaris
> client (or ldap_gen_profile)?
>
> The password in FDS for the above proxy user is stored in CRYPT format
> in FDS - is this mismatch really supported?
>
> I can bind with the 'sunldap' user just fine from my linux hosts using
> ldapsearch.
>
> suggestions?
>   




