Hi,
I configured a machine to be LDAP Server (openldap-2.4.32) on Solaris 10. Adding users/groups to LDAP Server seems to be ok.
From a second machine, I configured it to be LDAP Client using command "ldapclient manual -v -a defaultsearchbase=dc=pg,dc=dtveng,dc=net -a domainname=pg.dtveng.net 10.26.82.16". It was successful. /var/ldap/ldap_client_file contains appropriate LDAP Server information. Openldap-2.4.32 is not installed on the Client Machine.
I updated the PAM configuration on the Client Machine for su and rlogin; the results are listed below:
- rlogin into Client Machine using root - OK
- rlogin into Client Machine using "jphan" user - Fails
- After login to Client Machine as root, su from root to "jphan" user - OK (Note: jphan user does not exist in Client Machine /etc/passwd; jphan user exists in LDAP Server)
- From "jphan" user, su to another user - Fails
Could someone please take a look at the configuration for rlogin PAM below to see if the configuration is correct. Please let me know if there is anything missing from my setup. Do I need to configure pam.conf on LDAP Server machine as well?
Any help is greatly appreciated.
Best regards,
Joe Phan
Downloaded and installed the following packages from SunFreeWare.com on the LDAP Server:
openldap-2.4.32-sol10-sparc-local.gz
db-4.7.25.NC-sol10-sparc-local.gz
gcc-3.3.2-sol10-sparc-local.gz
libgcc-3.3-sol10-sparc-local.gz
libtool-2.4.2-sol10-sparc-local.gz
openssl-1.0.1c-sol10-sparc-local.gz
sasl-2.1.25-sol10-sparc-local.gz
Client Machine configuration:
- /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap

- /etc/pam.conf:
apggd08dev# more pam.conf
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
#login auth required pam_unix_auth.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1 debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
#rlogin auth required pam_unix_auth.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
#ppp auth required pam_unix_auth.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
#other auth required pam_unix_auth.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 debug
#
# passwd command (explicit because of a different authentication module)
#
#passwd auth required pam_passwd_auth.so.1
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_ldap.so.1 debug
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
jphan user info:
apggd04dev# ldapsearch -x -b 'dc=pg,dc=dtveng,dc=net' 'uid=jphan'
# extended LDIF
#
# LDAPv3
# base <dc=pg,dc=dtveng,dc=net> with scope subtree
# filter: uid=jphan
# requesting: ALL
#

# jphan, people, pg.dtveng.net
dn: uid=jphan,ou=people,dc=pg,dc=dtveng,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: posixGroup
cn: jphan
uid: jphan
uidNumber: 2003
gidNumber: 203
homeDirectory: /export/home/jphan
loginShell: /usr/bin/csh
gecos:: Sm9lIFBoYW4gMzEwLTk2NC00MTI1IA==
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: ....=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
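As an added illustration, not part of the thread and not Joe's or anyone else's code, here is a small Python simulator of the Solaris pam.conf(4) control-flag rules (sufficient, required, requisite, binding, optional) run against an excerpt of the pam.conf posted above. The per-module outcomes are constructed assumptions (no .rhosts trust, so pam_rhosts_auth fails; root authenticates through pam_unix_auth; pam_unix_auth is assumed unable to authenticate jphan, with pam_ldap either succeeding or failing). The section comments inside the excerpt are mine. What it shows is which modules each stack actually consults and which entry decides the result, including that su, having no explicit entry in the file, falls through to the "other" stack; it cannot tell you why pam_ldap fails on a given client.

```python
"""Added example: simulate Solaris 10 pam.conf(4) control-flag stacking.

Control-flag semantics follow pam.conf(4). Per-module outcomes are supplied
by the caller as constructed assumptions, so the simulator shows which
modules are consulted and which entry decides the result; it cannot tell
you why pam_ldap fails on a particular client.
"""
from dataclasses import dataclass

# Excerpt of the /etc/pam.conf posted above (rlogin auth, default auth,
# default account). Section comments are mine. Parsed as pam.conf does:
# '#' starts a comment, so the commented-out pam_unix_auth lines are skipped.
PAM_CONF = """\
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
#rlogin auth required pam_unix_auth.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
# default auth stack (used by su, which has no explicit entry)
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
#other auth required pam_unix_auth.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 debug
# default account stack
other account sufficient pam_ldap.so.1 debug
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
"""

FLAGS = {"sufficient", "required", "requisite", "binding", "optional"}


@dataclass(frozen=True)
class Entry:
    service: str
    mtype: str      # auth | account | session | password
    flag: str       # control flag
    module: str
    options: tuple


def parse_pam_conf(text):
    """Parse pam.conf text into Entry records; blank and comment lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in FLAGS:
            raise ValueError(f"pam.conf line {lineno}: cannot parse {raw!r}")
        service, mtype, flag, module, *opts = fields
        entries.append(Entry(service, mtype, flag, module, tuple(opts)))
    return entries


def stack_for(entries, service, mtype):
    """Explicit entries for the service win; otherwise the 'other' stack applies."""
    explicit = [e for e in entries if e.service == service and e.mtype == mtype]
    return explicit or [e for e in entries if e.service == "other" and e.mtype == mtype]


def evaluate(stack, outcomes):
    """Walk a stack with per-module outcomes (True = success).

    Modules missing from `outcomes` are assumed to succeed, the normal case
    for pam_authtok_get, pam_dhkeys, pam_unix_cred and pam_roles.
    Returns (result, deciding_entry, modules_consulted).
    """
    if not stack:
        return "failure", "empty stack", []
    first_failure = None      # first required/binding failure, reported at the end
    consulted = []
    for e in stack:
        ok = outcomes.get(e.module, True)
        consulted.append(e.module)
        if e.flag in ("sufficient", "binding"):
            if ok and first_failure is None:
                return "success", e.module, consulted   # short-circuit: rest never runs
            if not ok and e.flag == "binding":
                first_failure = first_failure or e.module   # sufficient failures are ignored
        elif e.flag == "required":
            if not ok:
                first_failure = first_failure or e.module
        elif e.flag == "requisite":
            if not ok:
                return "failure", first_failure or e.module, consulted
        # optional: never changes the result (only-module corner case not modelled)
    if first_failure:
        return "failure", first_failure, consulted
    return "success", "end-of-stack", consulted


def rlogin_scenarios(entries):
    """Constructed outcomes for the rlogin cases described in the post."""
    rlogin = stack_for(entries, "rlogin", "auth")
    no_rhosts = {"pam_rhosts_auth.so.1": False}        # assumption: no .rhosts trust
    return {
        # root is in /etc/passwd: pam_unix_auth succeeds and is 'sufficient'
        "root": evaluate(rlogin, {**no_rhosts, "pam_unix_auth.so.1": True}),
        # assumption: pam_unix_auth cannot authenticate jphan, pam_ldap can
        "jphan_ldap_ok": evaluate(rlogin, {**no_rhosts, "pam_unix_auth.so.1": False,
                                           "pam_ldap.so.1": True}),
        # assumption: pam_ldap fails too (bind or lookup problem on the client)
        "jphan_ldap_fail": evaluate(rlogin, {**no_rhosts, "pam_unix_auth.so.1": False,
                                             "pam_ldap.so.1": False}),
    }


if __name__ == "__main__":
    conf = parse_pam_conf(PAM_CONF)
    for name, (result, decider, trace) in rlogin_scenarios(conf).items():
        print(f"{name:16s} {result:8s} decided by {decider:20s} consulted: {', '.join(trace)}")
    print("su account (pam_ldap ok):",
          evaluate(stack_for(conf, "su", "account"), {"pam_ldap.so.1": True}))
```

Running it prints the consulted-module trace for each case. With "sufficient pam_unix_auth" ahead of "required pam_ldap", pam_ldap is only reached when pam_unix_auth has already failed, so a failed rlogin for an LDAP-only user is decided by the pam_ldap entry; that is the entry carrying the debug option, and syslog is where its debug messages land. The account scenario shows the mirror image: "other account sufficient pam_ldap" returns success as soon as pam_ldap is happy, so pam_roles and pam_unix_account never run for that user.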
On Linux, I had to install a package called nss-pam-ldapd that would do lookups in the directory for users, groups etc.
Description: The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name service information (users, groups, etc.) on behalf of a lightweight nsswitch module.
Not sure if this is the case for Solaris.
On Mon, Mar 18, 2013 at 8:01 PM, Joe Phan joeanhphan@yahoo.com wrote:
openldap-technical@openldap.org