I changed the pam.conf exactly as you said, and now the problem is 
different.

Answering your questions, I have 2 solaris:
-SunOS 5.11 NexentaOS_20061012 i86pc i386 i86pc Solaris
-SunOS solaris-devx 5.11 snv_55b i86pc i386 i86pc
The OpenLdap version is 2.3.34. I got it from www.openldap.org.

In Nexenta I use this setup script:

ldapclient -v manual -a defaultServerList=192.168.70.133 -a 
defaultSearchBase=dc=tel,dc=uva,dc=es  -a 
serviceSearchDescriptor=passwd:ou=users,dc=tel,dc=uva,dc=es  -a 
serviceSearchDescriptor=group:ou=groups,dc=tel,dc=uva,dc=es  -a 
serviceSearchDescriptor=shadow:ou=users,dc=tel,dc=uva,dc=es -a 
authenticationMethod=simple -a 
proxyDN=cn=proxyagent,ou=profile,dc=tel,dc=uva,dc=es -a 
proxyPassword=password

The only difference from your setup is authenticationMethod. I use 
"simple".
The pam.conf is the same as yours, and the nsswitch.conf is this:

passwd:     files ldap
group:      files ldap
shadow: files ldap

# consult /etc "files" only if ldap is down.
hosts:      files dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files dns

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   ldap
automount:  files ldap
aliases:    files ldap
# for efficient getservbyname() avoid ldap
services:   files ldap
printers:   user files ldap
auth_attr:  files ldap
prof_attr:  files ldap
project:    files ldap
tnrhtp:     files ldap
tnrhdb:     files ldap

Id, passwd, finger...run well.

[EMAIL PROTECTED]:~# passwd dpercam
Enter dpercam's password:
New Password:
Re-enter new Password:
passwd: password successfully changed for dpercam
[EMAIL PROTECTED]:~# id caralo
uid=2001(caralo) gid=1001(profesores) groups=1001(profesores)

But when I try to log in, it doesn't work. "login incorrect".

conn=0 fd=12 ACCEPT from IP=192.168.70.144:34772 (IP=0.0.0.0:389)
conn=0 op=0 SRCH base="ou=users,dc=tel,dc=uva,dc=es" scope=1 deref=3 
filter="(&(objectClass=shadowAccount)(uid=dpercam))"
conn=0 op=0 SRCH attr=uid userpassword shadowflag
<= bdb_equality_candidates: (uid) index_param failed (18)
conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=


In Solaris Developer Express I have the same pam.conf and nsswitch.conf. I 
use this setup script:

ldapclient -v init -a proxyDN=cn=proxyagent,ou=profile,dc=tel,dc=uva,dc=es 
-a proxyPassword=password -a domainname=tel.uva.es 192.168.70.133

It configures itself with the default user in my ldap server:

dn: cn=default,ou=profile,dc=tel,dc=uva,dc=es
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: 192.168.70.133
defaultSearchBase: dc=tel,dc=uva,dc=es
authenticationMethod: simple
followReferrals: TRUE
cn:default
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=users,dc=tel,dc=uva,dc=es?one
serviceSearchDescriptor: group: ou=groups,dc=tel,dc=uva,dc=es?one
serviceSearchDescriptor: shadow: ou=users,dc=tel,dc=uva,dc=es?one

With this configuration, when I try to log in at the beginning of the reboot, 
I can log in, but without entering the password. The PC doesn't ask me for 
the password.

If I login as root, and I try to login in the terminal, I can't. The message 
is this:

# login dpercam
No utmpx entry. You must exec "login" from the lowest level "shell".

In both cases, I can use "su" and "ssh".

Does anybody know what I have to change?
Thank you very much


>From: jpd <[EMAIL PROTECTED]>
>To: Daniel Pérez del Campo <[EMAIL PROTECTED]>
>Subject: Re: [zones-discuss] trying to login with solaris Ldap client
>Date: Sat, 25 Aug 2007 01:32:03 +0100
>
>pam.conf
>
># Authentication management
>#
># login service (explicit because of pam_dial_auth)
>#
>login   auth requisite          pam_authtok_get.so.1
>login   auth required           pam_dhkeys.so.1
>login   auth required           pam_unix_cred.so.1
>#login  auth required           pam_unix_auth.so.1
>login   auth binding            pam_unix_auth.so.1 server_policy
>login   auth required           pam_ldap.so.1 use_first_pass
>login   auth required           pam_dial_auth.so.1
>#
># rlogin service (explicit because of pam_rhost_auth)
>#
>rlogin  auth sufficient         pam_rhosts_auth.so.1
>rlogin  auth requisite          pam_authtok_get.so.1
>rlogin  auth required           pam_dhkeys.so.1
>rlogin  auth required           pam_unix_cred.so.1
>#rlogin auth required           pam_unix_auth.so.1
>rlogin   auth binding            pam_unix_auth.so.1 server_policy
>rlogin   auth required           pam_ldap.so.1 use_first_pass
>#
># Kerberized rlogin service
>#
>krlogin auth required           pam_unix_cred.so.1
>krlogin auth binding            pam_krb5.so.1
>#krlogin        auth required           pam_unix_auth.so.1
>krlogin   auth binding            pam_unix_auth.so.1 server_policy
>krlogin   auth required           pam_ldap.so.1 use_first_pass
>#
># rsh service (explicit because of pam_rhost_auth,
># and pam_unix_auth for meaningful pam_setcred)
>#
>rsh     auth sufficient         pam_rhosts_auth.so.1
>rsh     auth required           pam_unix_cred.so.1
>#
># Kerberized rsh service
>#
>krsh    auth required           pam_unix_cred.so.1
>krsh    auth binding            pam_krb5.so.1
>krsh    auth required           pam_unix_auth.so.1
>#
># Kerberized telnet service
>#
>ktelnet auth required           pam_unix_cred.so.1
>ktelnet auth binding            pam_krb5.so.1
>ktelnet auth required           pam_unix_auth.so.1
>#
># PPP service (explicit because of pam_dial_auth)
>#
>ppp     auth requisite          pam_authtok_get.so.1
>ppp     auth required           pam_dhkeys.so.1
>ppp     auth required           pam_unix_cred.so.1
>ppp     auth required           pam_unix_auth.so.1
>ppp     auth required           pam_dial_auth.so.1
>#
># Default definitions for Authentication management
># Used when service name is not explicitly mentioned for authentication
>#
>other   auth requisite          pam_authtok_get.so.1
>other   auth required           pam_dhkeys.so.1
>other   auth required           pam_unix_cred.so.1
>#other  auth required           pam_unix_auth.so.1
>other   auth binding            pam_unix_auth.so.1 server_policy
>other   auth required           pam_ldap.so.1 use_first_pass
>#
># passwd command (explicit because of a different authentication module)
>#
>#passwd auth required           pam_passwd_auth.so.1
>passwd auth binding           pam_passwd_auth.so.1 server_policy
>passwd auth required            pam_ldap.so.1
>#
># cron service (explicit because of non-usage of pam_roles.so.1)
>#
>cron    account required        pam_unix_account.so.1
>#
># Default definition for Account management
># Used when service name is not explicitly mentioned for account management
>#
>other   account requisite       pam_roles.so.1
>#other  account required        pam_unix_account.so.1
>other  account binding          pam_unix_account.so.1 server_policy
>other account required          pam_ldap.so.1
>#
># Default definition for Session management
># Used when service name is not explicitly mentioned for session management
>#
>other   session required        pam_unix_session.so.1
>#
># Default definition for  Password management
># Used when service name is not explicitly mentioned for password management
>#
>other   password required       pam_dhkeys.so.1
>other   password requisite      pam_authtok_get.so.1
>other   password requisite      pam_authtok_check.so.1
>#other  password required       pam_authtok_store.so.1
>other  password required       pam_authtok_store.so.1 server_policy
>#
># Support for Kerberos V5 authentication and example configurations can
># be found in the pam_krb5(5) man page under the "EXAMPLES" section.
>#
>
>setup script
>ldapclient -v manual -a defaultServerList=192.168.0.15 -a 
>defaultSearchBase=dc=purple,dc=net -a 
>serviceSearchDescriptor=password:ou=People,dc=purple,dc=net -a 
>serviceSearchDescriptor=group:ou=group,dc=purple,dc=net -a 
>serviceSearchDescriptor=shadow:ou=People,dc=purple,dc=net -a 
>authenticationMethod=tls:simple -a 
>proxyDN=cn=proxyagent,ou=profile,dc=purple,dc=net -a 
>proxyPassword=<password>
>
>nsswitch.conf
>passwd:     files ldap
>group:      files ldap
>shadows:        files ldap
>
># consult /etc "files" only if ldap is down.
>hosts:  dns files
>
># Note that IPv4 addresses are searched for in all of the ipnodes databases
># before searching the hosts databases.
>ipnodes:        files
>
>networks:       files
>protocols:      files
>rpc:            files
>ethers:         files
>networks:               files
>bootparams:             files
>publickey:              files
>
>netgroup:   ldap
>
>automount:  files ldap
>aliases:    files ldap
>
># for efficient getservbyname() avoid ldap
>services:   files ldap
>
>printers:       user files ldap
>
>auth_attr: files ldap
>prof_attr: files ldap
>
>project:    files ldap
>
>
>What version of Solaris are you running? I will check my boxes to see which 
>ones are close.
>What version of OpenLDAP are you using, and where did you get it from?
>
>All I do is run the setup script, paste the pam.conf and change 
>nsswitch.conf back to files first.  It has worked fine for all boxes apart 
>from b62, on which ldap is broken.
>
>Daniel Pérez del Campo wrote:
>>
>>
>>
>>>From: John-Paul Drawneek <[EMAIL PROTECTED]>
>>>To: zones-discuss@opensolaris.org
>>>Subject: Re: [zones-discuss] trying to login with solaris Ldap client
>>>Date: Fri, 24 Aug 2007 01:49:54 PDT
>>>
>>>try:
>>>
>>>passwd auth binding           pam_passwd_auth.so.1 server_policy
>>>passwd auth required            pam_ldap.so.1
>>>
>>>I have got several solaris 10 boxes using ldap of openldap, I will have a 
>>>look at my setup if you still need help.
>>
>>I have tried your suggestion but the result is the same. I always have to 
>>change the password, and I can't log in.
>>Could you have a look at my setup and compare it with yours?
>>
>>Thank you very much for your help.
>>>
>>>
>>>This message posted from opensolaris.org
>>>_______________________________________________
>>>zones-discuss mailing list
>>>zones-discuss@opensolaris.org
>>
