Hi there.
I have the following configuration:
client - Solaris Express snv_40
server - Novell eDir (hosted on Suse Linux)
Steps:
I've defined the system as a client to the ldap server
bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.0.1
NS_LDAP_SEARCH_BASEDN= o=XXX
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=STUDENTS,o=XXX?sub
I've modified the pam.conf to look at the ldap server for service 'login'
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
I've checked the ldap service...
bash-3.00# /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 31
cachemgr cache data statistics:
Configuration refresh information:
Configured to NO REFRESH.
Server information:
Previous refresh time: 2006/09/25 12:03:06
Next refresh time: 2006/09/25 12:23:06
server: 192.168.0.1, status: UP
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
But I cannot get the client to auth against the server. I've used ldapsearch to
"manually" check to see if I can at least get to the server and check the
userid that I want to auth with...
bash-3.00# ldapsearch -b ou=STUDENTS,o=XXX -h 192.168.0.1 -D cn=johndoe,ou=STUDENTS,o=XXX "cn=johndoe"
Enter bind password: *******
version: 1
dn: cn=johndoe,ou=STUDENTS,o=XXX
iFolderServerName: *
loginShell: /bin/sh
homeDirectory: /home/johndoe
gecos:
gidNumber: 1234
uidNumber: 222222
uid: johndoe
givenName: johndoe
fullName: johndoe
Language: ENGLISH
passwordRequired: FALSE
passwordAllowChange: TRUE
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: ndsLoginProperties
objectClass: iFolderUser
objectClass: posixAccount
objectClass: uamPosixUser
objectClass: shadowAccount
loginTime: 20060926092515Z
cn: johndoe
cn: CN
ACL: 2#entry#[Public]#uidNumber
ACL: 2#entry#[Public]#gidNumber
ACL: 2#entry#[Public]#loginShell
ACL: 2#entry#[Public]#homeDirectory
ACL: 2#entry#[Public]#gecos
ACL: 2#entry#[Public]#groupMembership
ACL: 1#entry#[Public]#cn
So, the account has got all the posix attributes it needs. I tested with
getent...
bash-3.00# getent passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
It doesn't see the johndoe ldap user.
I also did a ldaplist to check:
bash-3.00# ldaplist -l passwd
dn: cn=johndoe,ou=STUDENTS,o=XXX
iFolderServerName: *
loginShell: /bin/sh
homeDirectory: /home/johndoe
gecos:
gidNumber: 1234
uidNumber: 222222
uid: johndoe
givenName: johndoe
groupMembership: cn=GP-UNIXUSERS,o=XXX
surname: johndoe
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: ndsLoginProperties
objectClass: iFolderUser
objectClass: posixAccount
objectClass: uamPosixUser
objectClass: shadowAccount
So, everything 'seems' right, but getent cannot pick up the ldap user and login
doesn't want to authenticate.
I've done a snoop during the login/password step and captured the traffic
flowing to and from the ldap server. Everything seems fine... I can post it if
required.
Any ideas on where the problem could be...?
Thank you
PS: Although there are thousands of users defined in the ldap server, only one
has the posixAccount attribute and as such only 'johndoe' shows up in
ldaplist.
This message posted from opensolaris.org
opensolaris-discuss mailing list
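An added diagnostic, not code from the post or from Solaris: it parses the 'login' PAM stack quoted above together with an nsswitch.conf (the poster's nsswitch.conf is not shown, so the one here is assumed) and reports the two things a Solaris native LDAP client needs before login and getent consult LDAP: the pam_unix_auth/pam_ldap pairing and an ldap source on the passwd line.

```python
# Constructed inputs for the added check. PAM_CONF is the 'login' stack quoted
# in the post; NSSWITCH_CONF is assumed, since the poster's file is not shown.
PAM_CONF = """\
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
"""
NSSWITCH_CONF = """\
passwd: files
group:  files ldap
"""

def pam_stack(conf, service, mtype="auth"):
    """Return [(flag, module, options)] for one service/module type, in order."""
    stack = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[:2] == [service, mtype]:
            stack.append((parts[2], parts[3], parts[4:]))
    return stack

def nss_sources(conf, database):
    """Return the source list for one nsswitch.conf database, e.g. ['files']."""
    for line in conf.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return rest.split("#")[0].split()
    return []

def check_ldap_client(pam_conf, nss_conf, service="login"):
    """Return a list of findings; an empty list means both files look right."""
    findings = []
    stack = pam_stack(pam_conf, service)
    mods = [m for _, m, _ in stack]
    if "pam_ldap.so.1" not in mods:
        findings.append(f"{service}: pam_ldap.so.1 absent from auth stack")
    elif "pam_unix_auth.so.1" in mods:
        flag, _, opts = stack[mods.index("pam_unix_auth.so.1")]
        # Solaris pairs pam_ldap with a 'binding ... server_policy' pam_unix_auth
        if flag != "binding" or "server_policy" not in opts:
            findings.append(f"{service}: pam_unix_auth.so.1 should be 'binding' with server_policy")
        if mods.index("pam_ldap.so.1") < mods.index("pam_unix_auth.so.1"):
            findings.append(f"{service}: pam_ldap.so.1 should follow pam_unix_auth.so.1")
    # getent passwd only enumerates the sources named in nsswitch.conf
    if "ldap" not in nss_sources(nss_conf, "passwd"):
        findings.append("nsswitch.conf: 'passwd' does not list ldap; getent will not see LDAP users")
    return findings
```

Run `check_ldap_client(PAM_CONF, NSSWITCH_CONF)` against the real /etc/pam.conf and /etc/nsswitch.conf contents; with the sample above the PAM stack passes and only the nsswitch passwd line is flagged.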