[Fedora-directory-users] solaris8 simple auth

Doug Chapman prjctgeek at gmail.com
Fri Aug 10 23:50:06 UTC 2007


Thanks!

Removing the special characters from my password caused it to start
working. I guess using dollar signs for your proxy account isn't
supported (bug in Solaris client?)

On 8/10/07, George Holbert <gholbert at broadcom.com> wrote:
> >
> > How do I verify that the NS1 crypt is correct outside of the Solaris
> > client (or ldap_gen_profile)?
>
> Don't know... I've only ever seen {NS1} with Solaris' LDAP client.
> Anyone know more about this hash, and what other tools can work with it?
>
> > The password in FDS for the above proxy user is stored in CRYPT format
> > in FDS - is this mismatch really supported?
>
> Yes.  The NS1 hash is really just to obscure the password in the
> ldap_client_cred file.  When doing a simple bind, it is reversed and
> transmitted as clear text.
>
>
> > Suggestions?
>
> Try putting the password cleartext directly in your ldap_client_cred
> file.  Maybe there was a typo when generating the NS1 hash?
>
> e.g.:
>
> NS_LDAP_BINDPASSWD= the-password
>
>
> Then restart Solaris' ldapclient.
>
>
>
>
> Doug Chapman wrote:
> > I'm looking for troubleshooting advice - hope someone has some insight
> > I can borrow.
> >
> > Trying to get a Solaris 8 client (with the latest LDAP patch cluster) to
> > do simple authentication against FDS.
> > When set up for anonymous auth, I'm able to do ldaplist just fine:
> >
> > # ldaplist -l passwd tester
> > dn: cn=test user,ou=People,dc=corp,dc=example,dc=com
> >         givenName: test
> >         sn: user
> >         loginShell: /bin/bash
> >         gidNumber: 1024
> >         uidNumber: 5351
> >         mail: tester at example.com
> >         objectClass: person
> >         objectClass: organizationalPerson
> >         objectClass: inetOrgPerson
> >         objectClass: posixAccount
> >         objectClass: top
> >         uid: tester
> >         gecos: test user
> >         cn: test user
> >         homeDirectory: /nethome/tester
> >
> >
> > When set up for simple auth (and that's all I've changed), I'm seeing
> > error 49 (invalid credentials) in the FDS logs:
> >
> > [10/Aug/2007:14:45:02 -0700] conn=25532 fd=65 slot=65 connection from
> > 172.20.100.85 to 172.20.200.125
> > [10/Aug/2007:14:45:02 -0700] conn=25532 op=0 BIND
> > dn="cn=sunldap,ou=profile,dc=corp,dc=example,dc=com" method=128
> > version=3
> > [10/Aug/2007:14:45:02 -0700] conn=25532 op=0 RESULT err=49 tag=97
> > nentries=0 etime=0
> > [10/Aug/2007:14:45:02 -0700] conn=25532 op=1 UNBIND
> > [10/Aug/2007:14:45:02 -0700] conn=25532 op=1 fd=65 closed - U1
> >
> > Here's my /var/ldap/ldap_client_cred file:
> > NS_LDAP_BINDDN= cn=sunldap,ou=profile,dc=corp,dc=example,dc=com
> > NS_LDAP_BINDPASSWD= {NS1}8cf5886bf25241a5a5045e
> >
> > How do I verify that the NS1 crypt is correct outside of the Solaris
> > client (or ldap_gen_profile)?
> >
> > The password in FDS for the above proxy user is stored in CRYPT format
> > in FDS - is this mismatch really supported?
> >
> > I can bind with the 'sunldap' user just fine from my Linux hosts using
> > ldapsearch.
> >
> > Suggestions?
> >
>
>
>
