LDAP Authentication in Solaris 10
I’ve just been setting up a Solaris 10 machine to authenticate from a OpenLdap directory, this is the command I used to make it work, note that the IP on the end is the IP of the directory server
# ldapclient manual -v \\
-a defaultsearchbase=dc=riviera,dc=org.uk \\
-a domainname=riviera.org.uk \\
192.168.254.100
The output produced is shown below
Parsing defaultsearchbase=dc=riviera,dc=org.uk
Parsing domainname=riviera.org.uk
Arguments parsed:
defaultSearchBase: dc=riviera,dc=org.uk
domainName: riviera.org.uk
defaultServerList: 192.168.254.100
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "riviera.org.uk"
file_backup: stat(/var/yp/binding/riviera.org.uk)=-1
file_backup: No /var/yp/binding/riviera.org.uk directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname riviera.org.uk... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success
System successfully configured
#
Then test that this is indeed working:
# grep rk295 /etc/passwd # getent passwd | grep rk295 rk295:x:512:512::/home/rk295:/bin/bash #
I found that after this had finished, hostname resolution no longer worked. Looking inside /etc/nsswitch.conf I found that the hosts entry had been changed to:
hosts: ldap [NOTFOUND=return] files
I do not use LDAP for hostname resolution so I had to change this back to:
hosts: files dns
And similarly the networks line was the same so I had to change that to use files dns as well.
At this point you can query LDAP using getent but you still need to configure PAM to use it for authentication etc. To do this you need to make some changes to /etc/pam.conf. Principally these changes involved telling it should fall back to LDAP if it doesnt match your credentials against the local files. My edited pam.conf is shown below, the lines which I have edited or added are shown in red.
# #ident "@(#)pam.conf 1.28 04/04/21 SMI" # # Copyright 2004 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # PAM configuration # # Unless explicitly defined, all services use the modules # defined in the "other" section. # # Modules are defined with relative pathnames, i.e., they are # relative to /usr/lib/security/$ISA. Absolute path names, as # present in this file in previous releases are still acceptable. # # Authentication management # # login service (explicit because of pam_dial_auth) # login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth sufficient pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 login auth required pam_ldap.so.1 # # rlogin service (explicit because of pam_rhost_auth) # rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth requisite pam_authtok_get.so.1 rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_cred.so.1 rlogin auth sufficient pam_unix_auth.so.1 rlogin auth required pam_ldap.so.1 # # Kerberized rlogin service # krlogin auth required pam_unix_cred.so.1 krlogin auth binding pam_krb5.so.1 krlogin auth required pam_unix_auth.so.1 # # rsh service (explicit because of pam_rhost_auth, # and pam_unix_auth for meaningful pam_setcred) # rsh auth sufficient pam_rhosts_auth.so.1 rsh auth required pam_unix_cred.so.1 # # Kerberized rsh service # krsh auth required pam_unix_cred.so.1 krsh auth binding pam_krb5.so.1 krsh auth required pam_unix_auth.so.1 # # Kerberized telnet service # ktelnet auth required pam_unix_cred.so.1 ktelnet auth binding pam_krb5.so.1 ktelnet auth required pam_unix_auth.so.1 # # PPP service (explicit because of pam_dial_auth) # ppp auth requisite pam_authtok_get.so.1 ppp auth required pam_dhkeys.so.1 ppp auth required pam_unix_cred.so.1 ppp auth sufficient pam_unix_auth.so.1 ppp auth required pam_dial_auth.so.1 ppp auth required pam_ldap.so.1 # # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authentication # other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_unix_auth.so.1 other auth required pam_ldap.so.1 # # passwd command (explicit because of a different authentication module) # passwd auth sufficient pam_passwd_auth.so.1 passwd auth required pam_ldap.so.1 # # cron service (explicit because of non-usage of pam_roles.so.1) # cron account required pam_unix_account.so.1 # # Default definition for Account management # Used when service name is not explicitly mentioned for account management # other account sufficient pam_ldap.so.1 other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 # # Default definition for Session management # Used when service name is not explicitly mentioned for session management # other session required pam_unix_session.so.1 # # Default definition for Password management # Used when service name is not explicitly mentioned for password management # other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 # # Support for Kerberos V5 authentication and example configurations can # be found in the pam_krb5(5) man page under the "EXAMPLES" section. #
Now you should be able to su to a user whose credentials are stored only in ldap.
I did everything as you but it still doesn’t work :/
If user is in LDAP and in /etc/passwd – it has access with a password from LDAP
if user is only in LDAP (no entry in /etc/passwd) it doesn’t have access
Log said:
Jun 8 11:05:06 saule sshd[4139]: [ID 219349 auth.debug] pam_unix_auth: user user3 not found
Jun 8 11:05:06 saule sshd[4139]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd-kbdint user3), flags = 0
Jun 8 11:05:06 saule sshd[4139]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user.
p.s.
getent passwd shows user3 with all his attribute (UID,GID,shell,homedir).
the same to me. nothing happened. any other help??
I’ve not played with this snice I hit the problem, if I pick it up again I’ll post any news!
thanx Robin
HELLO
SORRY, BUT I HAVE MADE ALL WHAT YOU HAVE SAID BUT DIDNT WORK AT ALL.
DO YOU HAVE THE DEFAULT PAM.CONF BECAUSE I DIDNT MAKE A BACKUP.
MANY THANKS AND SORRY FOR MY ENGLISH
I’ve had this working for a while for HP-UX and Linux but I’d had only partial luck with a Solaris 10 pam.conf. Thanks! Your version gets the Password change correct. You’ve helped a bunch!
You may want to consider changing the order of your PAM configuration to prevent locking yourself out if the LDAP server(s) is unreachable. I would suggest changing:
auth sufficient pam_unix_auth.so.1
auth required pam_ldap.so.1
to
auth sufficient pam_ldap.so.1
auth required pam_unix_auth.so.1
so that LDAP is queried first to authenticate a user, then the local passwd file is. This way, if LDAP is unreachable, you can still log into the console as root.
lkklklkljjjll
I have heard that is the LDAP server is configured for SSL you still need to have port 389 enabled, that you can’t just run SSL (636). This was definately true for Solaris 8 and 9.
In your experience is this still a requirement in Solaris 10?
Thanks in advance
Andrew
Yes, port 389 has to remain open for the solaris client to work. I found that it uses an anonymous bind to pull schema info every few minutes. If you shut down 389, it works until the cache expires, then starts requesting a connection on 389 every few seconds until you open it again. While doing that it rejects any auth attempts. Simple fix for this is to use openLdap’s ssf feature in slapd.conf. Set all access lines to ssf=128 except for the ou=Profile (not sure this is even needed), which stores the client’s profile (though if manually setup, it shouldnt use, and my packet sniffs never showed it being pulled in the 389 traffic). ie:
access to attrs=userPassword
by ssf=128 self write
by ssf=128 dn=”cn=direcorymanager,dc=example,dc=com” read
by ssf=128 * auth
Yes, port 389 has to remain open for the solaris client to work. I found that it uses an anonymous bind to pull schema info every few minutes. If you shut down 389, it works until the cache expires, then starts requesting a connection on 389 every few seconds until you open it again. While doing that it rejects any auth attempts. Simple fix for this is to use openLdap’s ssf feature in slapd.conf. Set all access lines to ssf=128 except for the ou=Profile (not sure this is even needed), which stores the client’s profile (though if manually setup, it shouldnt use, and my packet sniffs never showed it being pulled in the 389 traffic). ie:
access to attrs=userPassword
by ssf=128 self write
by ssf=128 dn=”cn=direcorymanager,dc=example,dc=com” read
by ssf=128 * auth
This restricts the port389 traffic to only that braindead solaris query. Nothing else in the ldap tree is visible to unencrypted (ssf < 128) connections.
I’ve been working from your ldapclient examples for Solaris 10, but I keep getting this error:
“restart: milestone/name-services:default… success
Error resetting system.”
and wondered if you might have any insights.
cheers,
Blake
how to start ldap in Solaris 10 OS
@Blake, you can avoid “Error resetting system.” using IP instead of hostname
Anyway, despite I could succesfully use ldapclient, I wasn’t able to authenticate users.
Thanks for making this blog post. I have OpenLDAP running on RHEL and was able to get the native client on a Solaris server to work. Now I just need to get TLS working and set set up automount/autofs for the home directories.
I did what your guide said but It don’t work. I can su to a user in ldap as root. I can use the id and getent commands to get info on LDAP user but I can not login as one or su to the user as a none root user. It is like the Solaris server can’t read the password or shadow information.
Any help would be great