[Freeipa-users] AD trust users cannot login to Solaris

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 6 07:31:19 UTC 2015


On Thu, 05 Mar 2015, nathan at nathanpeters.com wrote:
>Ok, I sort of have this working now, but there are still some loose ends.
>Comments inline
>
>>>> 2. Setup Solaris properly
>>>> NS_LDAP_AUTH=tls:simple
>>>> NS_LDAP_CREDENTIAL_LEVEL=proxy
>>>> NS_LDAP_BINDDN=uid=solaris,cn=sysaccounts,cn=etc,dc=ipacloud,dc=test
>>>> NS_LDAP_BINDPASSWD=ohaimakethissimethingtoughtobreak
>>>> NS_LDAP_CACHETTL=0
>>>> NS_LDAP_HOST_CERTPATH=/var/ldap
>
>When I added NS_LDAP_HOST_CERTPATH to the ldap_client_file it complained
>about that particular setting being invalid.  I think that setting doesn't
>exist on Solaris 10?  I had to remove that line.
Perhaps it always defaults to /var/ldap.

>>>Is that functionally equivalent to what you were trying to do with the
>>>cert database or were you trying to do something different?
>> More or less -- create an NSS database and add a CA cert there.
>
>OK, great, I think the manual copy worked.  The reason is because if  I
>delete those 2 .db files I get the following log entries:
>
>[ID 293258 daemon.warning] libsldap: Status: 91  Mesg: createTLSSession:
>failed to initialize TLS security (security library: bad database.)
>[ID 545954 daemon.error] libsldap: makeConnection: failed to open
>connection to ipadc1.ipadomain.net
>[ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL
>mode for __ns_ldap_getRootDSE. createTLSSession: failed to initialize TLS
>security (security library: bad database.)
>
>But if those 2 files I manually copied exist, then those messages don't
>happen.
Good.

>
>Also, FYI, certutil is not really supported on Solaris 10.  Any download
>links to that program are now 404.  It wasn't included in the Solaris 10
>cd either.
See Rob's answer, I'm pretty sure there is a package somewhere that
allows one to manipulate these databases, or otherwise they wouldn't be used
by the system tools.

>OK, I have added the following 2 lines to my pam.conf file and I can now
>authenticate AD users:
>other   auth sufficient         pam_ldap.so.1
>other   account required         pam_ldap.so.1
>
>However, I had to use a slightly different setting when initiating the ldap
>client:
>
>ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple
>
>Note that if I chose tls:simple, the bind failed and I received the
>following log entries :
>Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
>ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 81  Mesg:
>openConnection: simple bind failed - Can't contact LDAP server
>Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
>ldap_cachemgr[650]: [ID 545954 daemon.error] libsldap: makeConnection:
>failed to open connection to ipadc1.ipadomain.net
>Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
>ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to
>anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple
>bind failed - Can't contact LDAP server
>
>So... any ideas why I could bind 'simple' but not 'tls:simple' ?
Perhaps tls:simple requires LDAPS (636) connection? "Can't contact LDAP
server" sounds like inability to reach a port on IPA master. Do you have
it open in your firewall?

-- 
/ Alexander Bokovoy
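A small log-triage helper for the libsldap messages quoted in this thread, added here as an example and not part of the original post: it counts how often ldap_cachemgr silently fell back to anonymous, non-SSL mode and maps the two Status codes seen above (81, 91) to their likely cause. The sample log lines are constructed from the thread's excerpts, and the status-to-cause mapping is an assumption drawn from those messages.

```shell
#!/bin/sh
# Added example (not the list's own tooling). Scans syslog-style lines for
# libsldap falling back to anonymous, non-SSL LDAP, which is the security
# relevant failure mode: a TLS or connection problem quietly degrades the
# naming service to unauthenticated cleartext queries.

# Constructed sample lines modelled on the thread's log excerpts.
SAMPLE_LOG=$(cat <<'EOF'
Mar  5 13:07:21 host ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't contact LDAP server
Mar  5 13:07:21 host ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed
Mar  5 13:09:00 host ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.)
Mar  5 13:09:00 host ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. createTLSSession: failed to initialize TLS security
Mar  5 13:10:00 host sshd[700]: Accepted publickey for admin
EOF
)

# count_fallbacks LOG: number of lines where libsldap dropped to anonymous, non-SSL.
count_fallbacks() {
  printf '%s\n' "$1" | grep -c 'Falling back to anonymous, non-SSL mode'
}

# classify_status CODE: map a libsldap Status code to a likely root cause
# (mapping assumed from the messages in this thread, not an official table).
classify_status() {
  case "$1" in
    81) echo "server unreachable: check LDAPS/LDAP port on the IPA master and the firewall" ;;
    91) echo "TLS init failed: check the NSS cert/key db files in /var/ldap" ;;
    *)  echo "unknown status $1" ;;
  esac
}

# report LOG: one diagnosis line per "libsldap: Status: N" message.
report() {
  printf '%s\n' "$1" | sed -n 's/.*libsldap: Status: \([0-9]*\).*/\1/p' |
  while read -r code; do
    echo "status $code -> $(classify_status "$code")"
  done
}

# Usage on the sample; run against /var/adm/messages on a real host.
echo "fallbacks to anonymous non-SSL: $(count_fallbacks "$SAMPLE_LOG")"
report "$SAMPLE_LOG"
```

Any non-zero fallback count on a production host means name lookups ran without TLS and without the proxy bind, so treat it as an alert rather than a warning.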