Hi Doug,
Thank you so much for your help. With your questions, I double checked credential levels and authentication methods, and luckily, I found the solution for my problem.
Error recap: On the Client Machine, when su from one user to another, /var/log/authlog shows the following error:
Mar 22 09:03:53 apggd08dev login: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Solution: Reconfigure Client again using credentialLevel and serviceAuthenticationMethod attributes.
apggd08dev# ldapclient -v manual -a defaultsearchbase=dc=pg,dc=dtveng,dc=net \
    -a domainname=pg.dtveng.net \
    -a credentialLevel=anonymous \
    -a serviceAuthenticationMethod=pam_ldap:simple xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the LDAP server IP.
Now, I am able to rlogin/telnet/ssh to the client machine (Native Solaris LDAP Client) using a user account defined on the LDAP Server. "su" from one user to another also works well.
Thanks, Joe
________________________________
From: Doug Leavitt doug.leavitt@oracle.com
To: Joe Phan joeanhphan@yahoo.com
Sent: Wednesday, March 20, 2013 12:20 PM
Subject: Re: openldap-2.4.32 su-ok, rlogin-fails
No. SSL is not required for authentication. But if you are using pam_ldap without SSL, your passwords are sent over TCP/IP in the clear.
Alternatively you can use pam_unix authentication and have the password hashes sent over the wire (like in NIS) and have the unix client do the authentication.
This usually requires that you store the passwords in the LDAP server in {crypt} format.
On 03/20/13 14:07, Joe Phan wrote: Hi Doug,
Do you know if it is required to have SSL for authentication?
In other words, do I need to configure an SSL tunnel?
Do I need to change pam.conf on LDAP Server?
Link: http://www.softpanorama.info/Net/Directories/ldap.shtml "Because our LDAP service requires SSL connections before allowing authentication, it is necessary to connect to the LDAP server using SSL"
Thanks, Joe
From: Doug Leavitt doug.leavitt@oracle.com
To: Joe Phan joeanhphan@yahoo.com
Sent: Tuesday, March 19, 2013 3:08 PM
Subject: Re: openldap-2.4.32 su-ok, rlogin-fails
You probably need to correct your pam settings in pam.conf. See the pam_ldap man page for more details. I suspect you need to change the setting to look more like this:
# Authentication management for login service is stacked.
# If pam_unix_auth succeeds, pam_ldap is not invoked.
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The "server_policy" option is used
# to tell pam_unix_auth.so.1 to ignore the LDAP users.
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
If your system is set up for anonymous connections, that may or may not be an issue depending on your server's ACL setup. I am referring to the configuration supplied to ldapclient (aka what is in /var/ldap/ldap_client_file, and presumably ldap_cred_file if you have bind credentials for the ldap server).
When we set up DSEE servers we usually recommend at least proxy credentials and at least simple bind, or more depending on your security needs. Your needs may vary.
Doug.
On 03/19/13 15:32, Joe Phan wrote: Hi Doug,
Thank you for looking at this.
apggd08dev# ldaplist -l passwd jphan
dn: uid=jphan,ou=people,dc=pg,dc=dtveng,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: posixGroup
cn: jphan
uid: jphan
uidNumber: 2003
gidNumber: 203
homeDirectory: /export/home/jphan
loginShell: /usr/bin/csh
gecos: Joe Phan 310-964-4125
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword: {SSHA}/...
Also how is your system configured w.r.t anonymous connections? <== Yes, I believed that I configured the system for anonymous connections. Do you know how to verify it?
What are your credential levels and authentication methods being used in your configuration? <== Not sure about credential levels; I am using PAM for authentication. At the beginning, I don't have SASL/TLS.
Sorry for any unclear answers, because I am new to LDAP and PAM. Please show me where or which area I should verify the system. Thank you so much,
Joe Phan
From: Doug Leavitt doug.leavitt@oracle.com
To: Joe Phan joeanhphan@yahoo.com
Sent: Tuesday, March 19, 2013 12:27 PM
Subject: Re: openldap-2.4.32 su-ok, rlogin-fails
What happens if you try:
ldaplist -l passwd jphan
Also how is your system configured w.r.t anonymous connections?
What are your credential levels and authentication methods being used in your configuration?
Doug.
On 03/18/13 19:01, Joe Phan wrote: Hi,
I configured a machine to be LDAP Server (openldap-2.4.32) on Solaris 10. Adding users/groups to LDAP Server seems to be ok.
From a second machine, I configured it to be LDAP Client using command "ldapclient manual -v -a defaultsearchbase=dc=pg,dc=dtveng,dc=net -a domainname=pg.dtveng.net 10.26.82.16". It was successful. /var/ldap/ldap_client_file contains appropriate LDAP Server information. Openldap-2.4.32 is not installed on the Client Machine.
I updated PAM configuration on Client Machine for su and rlogin, results are listed below:
rlogin into Client Machine using root - OK
rlogin into Client Machine using "jphan" user - Fails
After login to Client Machine as root, su from root to "jphan" user - OK (Note: jphan user does not exist in Client Machine /etc/passwd, jphan user exists in LDAP Server)
From "jphan" user, su to another user - Fails
Could someone please take a look at the configuration for rlogin PAM below to see if the configuration is correct. Please let me know if there is anything missing from my setup. Do I need to configure pam.conf on LDAP Server machine as well?
Any help is greatly appreciated. Best regards, Joe Phan
Downloaded and installed the following packages from SunFreeWare.com to LDAP Server:
openldap-2.4.32-sol10-sparc-local.gz
db-4.7.25.NC-sol10-sparc-local.gz
gcc-3.3.2-sol10-sparc-local.gz
libgcc-3.3-sol10-sparc-local.gz
libtool-2.4.2-sol10-sparc-local.gz
openssl-1.0.1c-sol10-sparc-local.gz
sasl-2.1.25-sol10-sparc-local.gz
Client Machine configuration:
- /etc/nsswitch.conf:
passwd: files ldap
group:  files ldap
shadow: files ldap
- /etc/pam.conf:
apggd08dev# more pam.conf
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
#login auth required pam_unix_auth.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1 debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
#rlogin auth required pam_unix_auth.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
#ppp auth required pam_unix_auth.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
#other auth required pam_unix_auth.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 debug
#
# passwd command (explicit because of a different authentication module)
#
#passwd auth required pam_passwd_auth.so.1
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_ldap.so.1 debug
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
jphan user info:
apggd04dev# ldapsearch -x -b 'dc=pg,dc=dtveng,dc=net' 'uid=jphan'
# extended LDIF
#
# LDAPv3
# base <dc=pg,dc=dtveng,dc=net> with scope subtree
# filter: uid=jphan
# requesting: ALL
#

# jphan, people, pg.dtveng.net
dn: uid=jphan,ou=people,dc=pg,dc=dtveng,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: posixGroup
cn: jphan
uid: jphan
uidNumber: 2003
gidNumber: 203
homeDirectory: /export/home/jphan
loginShell: /usr/bin/csh
gecos:: Sm9lIFBoYW4gMzEwLTk2NC00MTI1IA==
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: ....=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
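Added example, not written by either correspondent: a small evaluator of Solaris pam.conf control-flag semantics (requisite, required, binding, sufficient), fed the two login auth stacks quoted in this thread, Joe's pam.conf with "sufficient pam_unix_auth" and Doug's proposal with "binding pam_unix_auth server_policy". The per-module outcomes ("success", "fail", "ignore") are constructed inputs chosen to model the scenarios discussed; the server_policy handling assumes pam_unix_auth returns PAM_IGNORE for accounts that do not come from the local files, which is how Doug describes the option.

```python
# Solaris pam.conf auth-stack evaluator (added example). Control-flag rules
# follow pam.conf(4); module outcomes are supplied by the caller.

# The two login auth stacks from the thread: Joe's pam.conf and Doug's proposal.
JOE_LOGIN = """
login auth requisite  pam_authtok_get.so.1
login auth required   pam_dhkeys.so.1
login auth required   pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth required   pam_dial_auth.so.1
login auth required   pam_ldap.so.1 debug
"""
DOUG_LOGIN = """
login auth requisite  pam_authtok_get.so.1
login auth required   pam_dhkeys.so.1
login auth required   pam_unix_cred.so.1
login auth binding    pam_unix_auth.so.1 server_policy
login auth required   pam_ldap.so.1
"""

def parse_stack(text, service="login", mtype="auth"):
    """Return [(flag, module, options)] for one service and module type."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) >= 4 and fields[0] == service and fields[1] == mtype:
            stack.append((fields[2], fields[3], fields[4:]))
    return stack

def evaluate(stack, outcomes, remote_user=False):
    """Walk the stack. outcomes maps module -> 'success' | 'fail' | 'ignore'
    ('ignore' models PAM_IGNORE); modules not listed are assumed to succeed.
    remote_user=True means the account comes from LDAP rather than files, so
    pam_unix_auth with server_policy is assumed to return PAM_IGNORE."""
    required_failed = False
    for flag, mod, opts in stack:
        result = outcomes.get(mod, "success")
        if mod == "pam_unix_auth.so.1" and "server_policy" in opts and remote_user:
            result = "ignore"
        if result == "ignore":
            continue                        # line treated as if absent
        if result == "success":
            if flag in ("sufficient", "binding") and not required_failed:
                return "success"            # short-circuit: later modules not invoked
            continue
        if flag == "requisite":
            return "fail"                   # failure ends the stack at once
        if flag in ("required", "binding"):
            required_failed = True          # remembered; later successes cannot undo it
        # a failing 'sufficient' or 'optional' module does not affect the result here
    return "fail" if required_failed else "success"
```

For an LDAP-only account both stacks behave the same (and both fail while pam_ldap reports "no legal authentication method configured"), but for a local account whose local password fails, Joe's stack still accepts a matching LDAP entry while Doug's binding stack keeps the recorded local failure, which is the "local overriding remote" control he describes.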