[Freeipa-users] AD trust users cannot login to Solaris

Rob Crittenden rcritten at redhat.com
Thu Mar 5 22:56:34 UTC 2015


nathan at nathanpeters.com wrote:
> Ok, I sort of have this working now, but there are still some loose ends. 
> Comments inline
> 
>>>> 2. Setup Solaris properly
>>>> NS_LDAP_AUTH=tls:simple
>>>> NS_LDAP_CREDENTIAL_LEVEL=proxy
>>>> NS_LDAP_BINDDN=uid=solaris,cn=sysaccounts,cn=etc,dc=ipacloud,dc=test
>>>> NS_LDAP_BINDPASSWD=ohaimakethissimethingtoughtobreak
>>>> NS_LDAP_CACHETTL=0
>>>> NS_LDAP_HOST_CERTPATH=/var/ldap
> 
> When I added NS_LDAP_HOST_CERTPATH to the ldap_client_file it complained
> about that particular setting being invalid.  I think that setting doesn't
> exist on Solaris 10?  I had to remove that line.
> 
>>> Is that functionally equivalent to what you were trying to do with the
>>> cert database or were you trying to do something different?
>> More or less -- create an NSS database and add a CA cert there.
> 
> OK, great, I think the manual copy worked.  The reason is because if  I
> delete those 2 .db files I get the following log entries:
> 
> [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: createTLSSession:
> failed to initialize TLS security (security library: bad database.)
> [ID 545954 daemon.error] libsldap: makeConnection: failed to open
> connection to ipadc1.ipadomain.net
> [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL
> mode for __ns_ldap_getRootDSE. createTLSSession: failed to initialize TLS
> security (security library: bad database.)
> 
> But if those 2 files I manually copied exist, then those messages don't
> happen.
> 
> Also, FYI, certutil is not really supported on Solaris 10.  Any download
> links to that program are now 404.  It wasn't included in the Solaris 10
> cd either.

SUNWtlsu, which installs it in /usr/sfw/bin/certutil. It's in my install. I
don't recall if I did any CD swapping during the install or not, though
I installed x86 from iso.

> 
>> PAM has different stages -- authentication, session, etc. Shell,
>> UID/GID and other parameters are coming from nsswitch interface, not
>> PAM.
>>
>> On the other hand PAM allows to stack multiple modules to perform the
>> same action so you can have both pam_krb5 and pam_ldap in the stack and
>> cover both Kerberos ticket and password-based logins.
>>
>>> Also, if what you wrote below is true and AD users are authenticated not
>>> by kerberos, but by authenticated ldap binds, won't that totally fail if
>>> don't mention pam_ldap in my pam configuration?
>> Yep, it would fail but there are few separate things we need to clarify
>> first.
>>
>> Did you add your Solaris host into IPA? Did you create a keytab for
>> it? Is your Solaris host FQDN
>>
>> If answers are yes, yes, and yes, then AD users, when connecting to
>> Solaris host from their Windows machines will attempt to obtain Kerberos
>> ticket and IPA KDC will grant a service ticket to them thanks to
>> cross-forest trust. When AD user using putty would present that ticket
>> to Solaris, chances are that pam_krb5 will accept it and allow to login.
>>
>> When AD users have no Kerberos ticket, then they would attempt to do a
>> password login. To verify this login you would need to bind to IPA
>> LDAP's as AD user, using its DN from the compat tree and then actual
>> authentication would happen on IPA master as part of LDAP bind
>> processing.
> 
> Yes, yes, and yes :)
> 
> OK, I have added the following 2 lines to my pam.conf file and I can now
> authenticate AD users:
> other   auth sufficient         pam_ldap.so.1
> other   account required         pam_ldap.so.1
> 
> However, I had to use a slightly different setting when initiating ldap
> client:
> 
> ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple
> 
> Note that if I chose tls:simple, the bind failed and I received the
> following log entries :
> Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
> ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 81  Mesg:
> openConnection: simple bind failed - Can't contact LDAP server
> Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
> ldap_cachemgr[650]: [ID 545954 daemon.error] libsldap: makeConnection:
> failed to open connection to ipadc1.ipadomain.net
> Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
> ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to
> anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple
> bind failed - Can't contact LDAP server
> 
> So... any ideas why I could bind 'simple' but not 'tls:simple' ?

I'd check the 389-ds access log for connection problems.

This works for me:

ldapclient -v manual -a authenticationMethod=tls:simple \
 -a defaultSearchBase=dc=example,dc=com \
 -a defaultServerList=ipa.example.com \
 -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
 -a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=example,dc=com \
 -a proxyDN=uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
 -a proxyPassword=secret123 \
 -a objectclassMap=shadow:shadowAccount=posixAccount

I'd suggest you look at bug
https://bugzilla.redhat.com/show_bug.cgi?id=815515. Another IPA user
contributed a secure DUA Profile which is quite complete.

rob
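A small triage helper for the libsldap messages quoted in this thread, added here as an example and not part of the original exchange. It parses the "Status: NN  Mesg:" lines, maps the two codes seen above (81 and 91) to the causes discussed, and flags the "Falling back to anonymous, non-SSL mode" line, which is the security-relevant event: the client keeps going without TLS and without credentials. The sample log text, host names and pid are constructed placeholders.

```python
import re

# Constructed sample modelled on the libsldap messages quoted in the thread;
# host names and the pid are placeholders, not values from the page.
SAMPLE_LOG = """\
Mar  5 13:07:21 solaris10.example.test ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't contact LDAP server
Mar  5 13:07:21 solaris10.example.test ldap_cachemgr[650]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to ipa.example.test
Mar  5 13:07:21 solaris10.example.test ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
[ID 293258 daemon.warning] libsldap: Status: 91  Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.)
"""

# LDAP C SDK result codes as libsldap reports them in "Status: NN".
STATUS_NAMES = {81: "LDAP_SERVER_DOWN", 91: "LDAP_CONNECT_ERROR"}

STATUS_RE = re.compile(r"libsldap: Status: (\d+)\s+Mesg: (.*)$")
FALLBACK_RE = re.compile(r"libsldap: Falling back to anonymous, non-SSL mode for (\w+)")


def explain(code, mesg):
    """Map a libsldap status line to the cause discussed in the thread."""
    if code == 91 and "bad database" in mesg:
        return "NSS cert DB (the two .db files) missing or unreadable in the cert path; TLS cannot start"
    if code == 81 and "bind failed" in mesg:
        return "no connection established for the bind; with tls:simple check the TLS handshake and the 389-ds access log on the IPA master"
    return "unclassified libsldap failure"


def triage(log_text):
    """Return one finding per security-relevant libsldap line (syslog header optional)."""
    findings = []
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            code = int(m.group(1))
            findings.append({"severity": "error", "code": code,
                             "name": STATUS_NAMES.get(code, "UNKNOWN"),
                             "cause": explain(code, m.group(2))})
            continue
        m = FALLBACK_RE.search(line)
        if m:
            # The client silently continued without TLS and without credentials.
            findings.append({"severity": "critical", "code": None,
                             "name": "CLEARTEXT_FALLBACK",
                             "cause": f"{m.group(1)} proceeded anonymously over plain LDAP after the TLS failure"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['name']:20} {f['cause']}")
```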
