[Freeipa-users] AD trust users cannot login to Solaris

nathan at nathanpeters.com nathan at nathanpeters.com
Thu Mar 5 21:51:17 UTC 2015 

Ok, I sort of have this working now, but there are still some loose ends. 
Comments inline

>>> 2. Setup Solaris properly
>>> NS_LDAP_AUTH=tls:simple
>>> NS_LDAP_CREDENTIAL_LEVEL=proxy
>>> NS_LDAP_BINDDN=uid=solaris,cn=sysaccounts,cn=etc,dc=ipacloud,dc=test
>>> NS_LDAP_BINDPASSWD=ohaimakethissimethingtoughtobreak
>>> NS_LDAP_CACHETTL=0
>>> NS_LDAP_HOST_CERTPATH=/var/ldap

When I added NS_LDAP_HOST_CERTPATH to the ldap_client_file it complained
about that particular setting being invalid.  I think that setting doesn't
exist on Solaris 10?  I had to remove that line.

>>Is that functionally equivalent to what you were trying to do with the
>>cert database or were you trying to do something different?
> More or less -- create an NSS database and add a CA cert there.

OK, great, I think the manual copy worked.  The reason is because if  I
delete those 2 .db files I get the following log entries:

[ID 293258 daemon.warning] libsldap: Status: 91  Mesg: createTLSSession:
failed to initialize TLS security (security library: bad database.)
[ID 545954 daemon.error] libsldap: makeConnection: failed to open
connection to ipadc1.ipadomain.net
[ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL
mode for __ns_ldap_getRootDSE. createTLSSession: failed to initialize TLS
security (security library: bad database.)

But if those 2 files I manually copied exist, then those messages don't
happen.

Also, FYI, certutil is not really supported on Solaris 10.  Any download
links to that program are now 404.  It wasn't included in the Solaris 10
cd either.

> PAM has different stages -- authentication, session, etc. Shell,
> UID/GID and other parameters are coming from nsswitch interface, not
> PAM.
>
> On the other hand PAM allows to stack multiple modules to perform the
> same action so you can have both pam_krb5 and pam_ldap in the stack and
> cover both Kerberos ticket and password-based logins.
>
>>Also, if what you wrote below is true and AD users are authenticated not
>>by kerberos, but by authenticated ldap binds, won't that totally fail if
>> I
>>don't mention pam_ldap in my pam configuration?
> Yep, it would fail but there are few separate things we need to clarify
> first.
>
> Did you add your Solaris host into IPA? Did you create a keytab for
> it? Is your Solaris host FQDN
>
> If answers are yes, yes, and yes, then AD users, when connecting to
> Solaris host from their Windows machines will attempt to obtain Kerberos
> ticket and IPA KDC will grant a service ticket to them thanks to
> cross-forest trust. When AD user using putty would present that ticket
> to Solaris, chances are that pam_krb5 will accept it and allow to login.
>
> When AD users have no Kerberos ticket, then they would attempt to do a
> password login. To verify this login you would need to bind to IPA
> LDAP's as AD user, using its DN from the compat tree and then actual
> authentication would happen on IPA master as part of LDAP bind
> processing.

Yes, yes, and yes :)

OK, I have added the following 2 lines to my pam.conf file and I can now
authenticate AD users:
other   auth sufficient         pam_ldap.so.1
other   account required         pam_ldap.so.1

However, I had to use a slighly different setting when initiating ldap
client:

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple

Note that if I chose tls:simple, the bind failed and I received the
following log entries :
Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 81  Mesg:
openConnection: simple bind failed - Can't contact LDAP server
Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
ldap_cachemgr[650]: [ID 545954 daemon.error] libsldap: makeConnection:
failed to open connection to ipadc1.ipadomain.net
Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to
anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple
bind failed - Can't contact LDAP server

So... any ideas why I could bind 'simple' but not 'tls:simple' ?

More information about the Freeipa-users mailing list