On 11.10.2011 22:12, NetNinja wrote:
I tried your command today. I still can't get it to work. I listed all the files I have edited. Can you look over it and tell me if I'm missing anything? Thanks for your help.
Please keep your replies on the list. Others might run into similar problems and find this helpful.
I ran this: ldapclient manual -v -a defaultSearchBase="dc=test,dc=net" -a domainName="test.net" -a authenticationMethod="simple" -a defaultServerList="10.0.0.2" -a preferredServerList="10.0.0.2" -a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net" -a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net" 10.0.0.2
I don't have TLS, automount or netgroups setup yet.
bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 10.0.0.2
NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
NS_LDAP_CACHETTL= 0
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=test,dc=net
I tried to add more lines but I was getting a lot of errors.
What kind of errors?
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
host: files ldap
Are you sure you want to resolve hostnames via LDAP and not DNS?
What I have running on RHEL: ldapsearch -x
<snip>
----------------
I have added a proxy entry before, but I have not done so yet. Do I still need one if I'm using manual and not init?
If your data can be accessed anonymously, you don't need proxy credentials.
My PAM file
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1
My "auth" blocks look like this:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_ldap.so.1 use_first_pass ignore_unknown_user
login auth required pam_unix_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_dial_auth.so.1
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
You can omit pam_ldap here. It only produces error messages in the logs for me.
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
On Sun, Oct 9, 2011 at 10:31 AM, Christian Manal moenoel@informatik.uni-bremen.de wrote:
On 09.10.2011 14:33, NetNinja wrote:
On Sat, Oct 8, 2011 at 4:54 AM, Christian Manal moenoel@informatik.uni-bremen.de wrote:
On 07.10.2011 23:58, NetNinja wrote:
OK, that's good to know. I was reading the book "Solaris 10 System Administration Essentials" and it says on pg 365 that the OpenLDAP server needs to be patched so that the ldapclient init utility will configure properly.
Do you happen to remember how you set up the Solaris native client? This is my current issue: I installed OpenLDAP on a RHEL 5.5 server and have all the Linux servers working with the LDAP server, but the Solaris servers won't let me log in as an LDAP user. I can do an ldapsearch, id, getent and get info on LDAP users. I am in the process of troubleshooting the issue and I'm not sure what I'm doing wrong. My setup is very basic: no TLS, automount or replication. I will add these later when I know what I'm doing.
Anyway thanks for your help. If you have any advice on ldapclient setup let me know.
On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal moenoel@informatik.uni-bremen.de wrote:
On 07.10.2011 20:25, NetNinja wrote:
> Hello,
> I have been reading up on OpenLDAP. I have installed it on RHEL 5.5 but I have seen documentation saying that OpenLDAP needs to be patched to work with Solaris. Can someone tell me if this is still the case and if so where to get the patch. If not, any info you can provide would be great.
>
> Thanks

Hi,

I've been running OpenLDAP on Solaris 10 for years now. It works out of the tarball, no patches needed.

Regards,
Christian Manal
Here's an example of an ldapclient invocation that works for me:
ldapclient manual \
  -a authenticationMethod="tls:simple" \
  -a credentialLevel="proxy" \
  -a defaultSearchBase="dc=example,dc=org" \
  -a defaultSearchScope="sub" \
  -a defaultServerList="ldap1.example.org,ldap2.example.org" \
  -a domainName="example.org" \
  -a preferredServerList="ldap1.example.org,ldap2.example.org" \
  -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
  -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
  -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
  -a serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org" \
  -a attributeMap="auto_home:automountMapName=ou" \
  -a attributeMap="auto_home:automountKey=cn" \
  -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
  -a proxyPassword="foobar"
Before you invoke that, you need to modify /etc/nsswitch.ldap to your needs (ldapclient will copy that to /etc/nsswitch.conf). You also need to put your TLS certs into /var/ldap in NSS format (you can generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP authentication.
Regards, Christian Manal
[1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
Thanks,
I will try your command. Since you used ldapclient manual and not ldapclient init, I don't need to add a profile or proxy LDIF file to the LDAP server, right?
Right. It's possible to deposit most of those infos in a profile in the DIT, but since I have a script for configuring LDAP clients it doesn't make any difference for me. I have only one set of settings for Solaris boxes. Though, it might be worth looking into for you, if you have different setups.
I have been using examples like the one you just gave me and I can only get the info from the server. The password seems not to work. I get the same errors on the prompt that I would get if the password or username were wrong. Though I have not tried the command with the serviceSearchDescriptor before; maybe this is what I'm missing.
You replaced the credentials with existing ones from your DIT, right? Do they work with ldapsearch? Does the DN have read access to the user and group data in your DIT?
You might want to call ldapclient with '-v' to get some debugging info.
I'm also not using TLS or automount; can I leave these out for now? So tls:simple would be simple, right?
Right.
Also could Solaris 10 not want to work because I'm not using TLS?
I don't think so. It shouldn't make any difference. Though, I'd recommend adding TLS support before putting anything in production.
Anyway thanks for your time. I will let you know if it works.
Regards, Christian Manal
This is an example of the error I was talking about.
bash-3.00# ldapclient manual -v -a defaultSearchBase="dc=test,dc=net" \
-a domainName="test.net" -a authenticationMethod="simple" \
-a defaultServerList="10.0.0.2" -a preferredServerList="10.0.0.2" \
-a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net" \
-a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net" \
10.0.0.2
Parsing defaultSearchBase=dc=test,dc=net
Parsing domainName=test.net
Parsing authenticationMethod=simple
Parsing defaultServerList=10.0.0.2
Parsing preferredServerList=10.0.0.2
Parsing serviceSearchDescriptor=passwd:ou=People,dc=test,dc=net
Parsing serviceSearchDescriptor=group:ou=Group,dc=test,dc=net
Invalid use of option
Usage: ldapclient [-v | -q] init | manual | mod | list | uninit [<args>]
ldapclient [-v | -q] [-z adminPasswordFile] init [<args>]
Set up a server or workstation as a client of an LDAP namespace.
<args> take the form of '-a attrName=attrVal' as described in the
man page: ldapclient(1M)
Error (1) setting serverList param.
Usage: ldapclient [-v | -q] init | manual | mod | list | uninit [<args>]
ldapclient [-v | -q] [-z adminPasswordFile] init [<args>]
Set up a server or workstation as a client of an LDAP namespace.
<args> take the form of '-a attrName=attrVal' as described in the
Also, I noticed on many of the websites with how-tos on this, their user accounts have a lot more stuff in them. What about yours? Can you post an example user, profile and proxy entry in LDAP?
I will make the changes you suggested when I get into work today. I have not been able to work on this much because I have been working with contractors on a thin client solution.
Thanks for your help. After I get this working I will write up a document explaining how to do this. I have run into at least 2 other people on the forums with the same problem I have.
On 13.10.2011 12:49, NetNinja wrote:
This is an example of the error I was talking about.
bash-3.00# ldapclient manual -v -a defaultSearchBase="dc=test,dc=net" \
Invalid use of option
Usage: ldapclient [-v | -q] init | manual | mod | list | uninit [<args>]
ldapclient [-v | -q] [-z adminPasswordFile] init [<args>]
You have to put '-v' before the 'manual' keyword, I believe.
Also, I noticed on many of the websites with how-tos on this, their user accounts have a lot more stuff in them. What about yours? Can you post an example user, profile and proxy entry in LDAP?
See RFC 2307 for example: http://www.faqs.org/rfcs/rfc2307.html
That's for basic UNIX accounts and what you already had in your example ldapsearch output.
I will make the changes you suggested when I get into work today. I have not been able to work on this much because I have been working with contractors on a thin client solution.
Thanks for your help. After I get this working I will write up a document explaining how to do this. I have run into at least 2 other people on the forums with the same problem I have.
OK, update: I actually found the patch online that the Solaris book was talking about. I didn't apply it though. I was able to get the Solaris client to work without it. I'm still testing though.
I ran this command: ldapclient -v mod -a serviceAuthenticationmethod=pam_ldap:simple
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 10.0.1.21:389
NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple

[root@light migration]# cat user00.ldif
dn: uid=user00,ou=People,dc=deathnote,dc=net
uid: user00
cn: user00
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 805
gidNumber: 501
homeDirectory: /home/user00
gecos: ldap user

If anyone sees any problems let me know. If this is the fix I will write up a guide and post it so you guys can peer-review it. The only thing I can see is I don't have a uid=proxyagent,ou=People,dc=deathnote,dc=net loaded in LDAP. I have a uid=proxyagent,ou=profile,dc=deathnote,dc=net though. Like I said, I'm still testing.
Thanks.
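The points this thread turns on (pam_ldap needing a bind method, plain simple versus tls:simple, the proxy credential stored on the client, and the question of resolving hosts via LDAP) can be checked mechanically from the `ldapclient list` output. The following is an added example, not code from the thread, from Solaris or from OpenLDAP; it assumes the NS_LDAP_* key names `ldapclient list` prints and the Solaris authenticationMethod syntax (none, simple, tls:simple, sasl/...), and its sample inputs are constructed from the dumps quoted above with the password blob replaced.

```python
"""Audit a Solaris 10 LDAP client from `ldapclient list` output and
/etc/nsswitch.conf.  Added example; assumes the NS_LDAP_* key names and
the authenticationMethod syntax none / simple / tls:simple / sasl/..."""

CLEARTEXT_METHODS = {"simple"}   # bind password crosses the wire unprotected

# Solaris nsswitch.conf database names (subset); note that "host" is not one.
KNOWN_DATABASES = {"passwd", "group", "hosts", "ipnodes", "networks",
                   "protocols", "rpc", "ethers", "netmasks", "bootparams",
                   "publickey", "netgroup", "automount", "aliases",
                   "services", "printers", "auth_attr", "prof_attr", "project"}

# Constructed sample modelled on the dump posted after
# `ldapclient -v mod -a serviceAuthenticationMethod=pam_ldap:simple`
# (password blob replaced with a placeholder).
AFTER_MOD = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
NS_LDAP_BINDPASSWD= {NS1}PLACEHOLDER
NS_LDAP_SERVERS= 10.0.1.21:389
NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
"""
# Constructed: the same client before the `mod`, i.e. no method for pam_ldap.
BEFORE_MOD = "\n".join(l for l in AFTER_MOD.splitlines()
                       if not l.startswith("NS_LDAP_SERVICE_AUTH_METHOD"))
# Constructed: the nsswitch.conf lines posted in the thread.
NSSWITCH = "passwd: files ldap\ngroup: files ldap\nhost: files ldap\n"


def parse_ldapclient_list(text):
    """Map each NS_LDAP_* key to the list of values printed for it."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("NS_LDAP_") and "=" in line:
            key, _, value = line.partition("=")   # values may contain '='
            cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def bind_methods(cfg):
    """Effective bind method per consumer: NS_LDAP_AUTH is the default,
    NS_LDAP_SERVICE_AUTH_METHOD entries (service:method) override it."""
    methods = {"default": cfg.get("NS_LDAP_AUTH", ["none"])[0]}
    for entry in cfg.get("NS_LDAP_SERVICE_AUTH_METHOD", []):
        service, _, method = entry.partition(":")
        methods[service.strip()] = method.strip()
    return methods


def audit_ldapclient(text):
    """Return (code, message) findings for one `ldapclient list` dump."""
    cfg = parse_ldapclient_list(text)
    methods = bind_methods(cfg)
    findings = []
    # pam_ldap must bind as the user, which it cannot do with method `none`;
    # this is the gap the thread's `mod` command closed.
    if methods.get("pam_ldap", methods["default"]) == "none":
        findings.append(("no-bind-method", "pam_ldap has no bind method; set "
                         "serviceAuthenticationMethod=pam_ldap:tls:simple"))
    for consumer, method in methods.items():
        if method in CLEARTEXT_METHODS:
            findings.append(("cleartext-bind", f"{consumer} binds with "
                             f"{method!r}: password sent in the clear"))
    if (cfg.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0] == "proxy"
            and "NS_LDAP_BINDDN" not in cfg):
        findings.append(("proxy-without-binddn",
                         "credentialLevel=proxy but no proxyDN configured"))
    # The proxy password sits {NS1}-obfuscated, not encrypted, in
    # /var/ldap/ldap_client_cred; whoever can read that file has it.
    if "NS_LDAP_BINDPASSWD" in cfg:
        findings.append(("stored-proxy-password", "keep ldap_client_cred "
                         "root-only and give the proxy DN read-only ACLs"))
    return findings


def audit_nsswitch(text):
    """Flag hostname lookups via LDAP and database names Solaris ignores."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, sources = line.partition(":")
        db = db.strip()
        if db not in KNOWN_DATABASES:
            findings.append(("unknown-database", f"{db!r} is not an nsswitch "
                             "database; the line is ignored (hosts?)"))
        elif db in ("hosts", "ipnodes") and "ldap" in sources.split():
            findings.append(("hosts-via-ldap", f"{db} resolved via LDAP: an "
                             "unreachable directory stalls every name lookup"))
    return findings


def codes(findings):
    """Sorted, de-duplicated finding codes, handy for comparing two dumps."""
    return sorted({code for code, _ in findings})
```

Run `codes(audit_ldapclient(BEFORE_MOD))` against `codes(audit_ldapclient(AFTER_MOD))` to see the no-bind-method finding disappear and the cleartext-bind one appear, which is exactly the trade the thread's `mod` command made.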
On Thu, Oct 13, 2011 at 7:57 AM, Christian Manal moenoel@informatik.uni-bremen.de wrote:
Am 13.10.2011 12:49, schrieb NetNinja:
This is an example of the error I was talking about.
bash-3.00# ldapclient manual -v -a defaultSearchBase="dc=test,dc=net" \
Invalid use of option Usage: ldapclient [-v | -q] init | manual | mod | list | uninit [<args>]
ldapclient [-v | -q] [-z adminPasswordFile] init [<args>]
You have to put '-v' before the 'manual' keyword, I believe.
Also I noticed on many of the websites with how to's on this. There user accounts have a lot more stuff in them. What about your stuff. Can you post an example user, profile and proxy entry in LDAP?
See RFC 2307 for example: http://www.faqs.org/rfcs/rfc2307.html
That's for basic UNIX accounts and what you already had in your example ldapsearch output.
I will make the changes you suggested when I get into work today. I have not been able to work on this much because I have been working with contractors on a thin client solution.
Thanks for your help. After I get this working I will write up a document explaining how to do this. I have run into at least 2 other people on the forums with the same problem I have.
On Wed, Oct 12, 2011 at 3:18 AM, Christian Manal moenoel@informatik.uni-bremen.de wrote:
Am 11.10.2011 22:12, schrieb NetNinja:
I tried your command today. I still can't get it to work. I listed all the files I have edited. Can you look over it and tell if I'm missing anything? Thanks for your help.
Please keep your replies on the list. Others might run into similar problems and find this helpful.
I ran this:

ldapclient manual -v \
  -a defaultSearchBase="dc=test,dc=net" \
  -a domainName="test.net" \
  -a authenticationMethod="simple" \
  -a defaultServerList="10.0.0.2" \
  -a preferredServerList="10.0.0.2" \
  -a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net" \
  -a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net" \
  10.0.0.2
I don't have TLS, automount or netgroups setup yet.
bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 10.0.0.2
NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
NS_LDAP_CACHETTL= 0
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=test,dc=net
I tried to add more lines but I was getting a lot of errors.
What kind of errors?
/etc/nsswitch.conf
passwd: files ldap
group:  files ldap
host:   files ldap
Are you sure you want to resolve hostnames via LDAP and not DNS?
what i have running on RHEL ldapsearch -x
<snip>
---------------- I have added a proxy entry before; I have not done so yet. Do I still need one if I'm using manual and not init?
If your data can be accessed anonymously, you don't need proxy credentials.
My PAM file
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_ldap.so.1
My "auth" blocks look like this:
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_ldap.so.1 use_first_pass ignore_unknown_user
login   auth required           pam_unix_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_dial_auth.so.1
other   auth required           pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient      pam_ldap.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
You can omit pam_ldap here. It only produces error messages in the logs for me.
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
On Sun, Oct 9, 2011 at 10:31 AM, Christian Manal moenoel@informatik.uni-bremen.de wrote:
Am 09.10.2011 14:33, schrieb NetNinja:
On Sat, Oct 8, 2011 at 4:54 AM, Christian Manal moenoel@informatik.uni-bremen.de wrote:
> Am 07.10.2011 23:58, schrieb NetNinja:
>> Ok that's good to know.
>> I was reading in the book "Solaris 10 System Administration Essential" and it says on pg 365 that the openldap server needs to be patched so that the ldapclient init utility will configure properly.
>>
>> Do you happen to remember how you setup the Solaris Native client? This is my current issue: I installed openldap on a RHEL 5.5 server and have all the Linux servers working with the ldap server, but the Solaris servers won't let me log in as an ldap user. I can do a ldapsearch, id, getent and get info on ldap users. I am in the process of troubleshooting the issue and I'm not sure what I'm doing wrong. My setup is very basic, no TLS, automount or replication. I will add these later when I know what I'm doing.
>>
>> Anyway thanks for your help. If you have any advice on ldapclient setup let me know.
>>
>> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal <moenoel@informatik.uni-bremen.de> wrote:
>>
>> Am 07.10.2011 20:25, schrieb NetNinja:
>> > Hello,
>> > I have been reading up on OpenLDAP. I have installed it on RHEL 5.5 but I have seen documentation saying that openldap needs to be patched to work with Solaris. Can someone tell me if this is still the case and if so where to get the patch. If not, any info you can provide would be great.
>> >
>> > Thanks
>>
>> Hi,
>>
>> I've been running OpenLDAP on Solaris 10 for years now. It works out of the tarball, no patches needed.
>>
>> Regards,
>> Christian Manal
>
> Here's an example of an ldapclient invocation that works for me:
>
> ldapclient manual \
>   -a authenticationMethod="tls:simple" \
>   -a credentialLevel="proxy" \
>   -a defaultSearchBase="dc=example,dc=org" \
>   -a defaultSearchScope="sub" \
>   -a defaultServerList="ldap1.example.org,ldap2.example.org" \
>   -a domainName="example.org" \
>   -a preferredServerList="ldap1.example.org,ldap2.example.org" \
>   -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
>   -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
>   -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
>   -a serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org" \
>   -a attributeMap="auto_home:automountMapName=ou" \
>   -a attributeMap="auto_home:automountKey=cn" \
>   -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
>   -a proxyPassword="foobar"
>
> Before you invoke that, you need to modify /etc/nsswitch.ldap to your needs (ldapclient will copy that to /etc/nsswitch.conf). You also need to put your TLS certs into /var/ldap in NSS format (you can generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP authentication.
>
> Regards,
> Christian Manal
>
> [1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
Thanks,
I will try your command. Since you used ldapclient manual and not ldapclient init, I don't need to add a profile or proxy ldif file to the ldap server, right?
Right. It's possible to deposit most of those infos in a profile in the DIT, but since I have a script for configuring LDAP clients it doesn't make any difference for me. I have only one set of settings for Solaris boxes. Though, it might be worth looking into for you, if you have different setups.
I have been using examples like the one you just gave me and I can only get the info from the server. The password seems to not work. I get the same errors on the prompt that I would get if the password or username were wrong. Though I have not tried the command with the serviceSearchDescriptor before; maybe this is what I'm missing.
You replaced the credentials with existing ones from your DIT, right? Do they work with ldapsearch? Does the DN have read access to the user and group data in your DIT?
You might want to call ldapclient with '-v' to get some debugging info.
I'm also not using TLS or automount. Can I leave these out for now? So tls:simple would be simple, right?
Right.
Also could Solaris 10 not want to work because I'm not using TLS?
I don't think so. It shouldn't make any difference. Though, I'd recommend adding TLS support before putting anything in production.
Anyway thanks for your time. I will let you know if it works.
Regards, Christian Manal
openldap-technical@openldap.org
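A small audit of `ldapclient list` output, added here as an example and not part of the thread or of any OpenLDAP tooling. It parses the flattened NS_LDAP_* listing posted above and flags the two things the thread circles around: a simple bind without a tls: prefix (password crosses the wire in the clear, which is why TLS is recommended before production) and a proxyDN that is not actually present in the DIT (the proxyagent living under ou=profile rather than ou=People). The sample listing, the placeholder password and KNOWN_DNS are constructed.

```python
"""Audit `ldapclient list` output from a Solaris 10 LDAP client (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the listing posted in the thread; the
# obfuscated password is a placeholder, not a real credential.
SAMPLE_LISTING = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
NS_LDAP_BINDPASSWD= {NS1}PLACEHOLDER
NS_LDAP_SERVERS= 10.0.1.21:389
NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
NS_LDAP_AUTH= none
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
"""

# DNs known to exist in the DIT (constructed; in the thread the proxy entry
# lives under ou=profile while the client is configured to bind as ou=People).
KNOWN_DNS = frozenset({"uid=proxyagent,ou=profile,dc=deathnote,dc=net"})


def parse_listing(text):
    """Map NS_LDAP_* keys to lists of values (SERVICE_SEARCH_DESC repeats)."""
    conf = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"(NS_LDAP_[A-Z_]+)=\s*(.*)", line.strip())
        if m:
            conf[m.group(1)].append(m.group(2).strip())
    return conf


def audit(text, known_dns=frozenset()):
    """Return findings worth fixing before the client goes into production."""
    conf = parse_listing(text)
    findings = []
    methods = conf.get("NS_LDAP_AUTH", []) + conf.get("NS_LDAP_SERVICE_AUTH_METHOD", [])
    for method in methods:
        # pam_ldap:simple binds as the user; without a tls: prefix the
        # user's password is sent to the directory unencrypted.
        if "simple" in method and "tls:" not in method:
            findings.append(f"cleartext simple bind configured: {method}")
    if conf.get("NS_LDAP_CREDENTIAL_LEVEL", [""])[0] == "proxy":
        binddn = conf.get("NS_LDAP_BINDDN", [""])[0]
        if not binddn:
            findings.append("credentialLevel=proxy but no proxyDN configured")
        elif known_dns and binddn not in known_dns:
            findings.append(f"proxyDN not found in DIT: {binddn}")
    return findings
```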