Comments on: LDAP Authentication in Solaris 10

By: Syed

Syed — Wed, 13 Aug 2008 14:40:20 +0000

how to start ldap in Solaris 10 OS

By: blake

blake — Wed, 04 Jun 2008 19:01:22 +0000

I’ve been working from your ldapclient examples for Solaris 10, but I keep getting this error:

“restart: milestone/name-services:default… success
Error resetting system.”

and wondered if you might have any insights.

cheers,
Blake

By: T

Thu, 15 May 2008 23:36:46 +0000

Yes, port 389 has to remain open for the solaris client to work. I found that it uses an anonymous bind to pull schema info every few minutes. If you shut down 389, it works until the cache expires, then starts requesting a connection on 389 every few seconds until you open it again. While doing that it rejects any auth attempts. Simple fix for this is to use openLdap’s ssf feature in slapd.conf. Set all access lines to ssf=128 except for the ou=Profile (not sure this is even needed), which stores the client’s profile (though if manually setup, it shouldnt use, and my packet sniffs never showed it being pulled in the 389 traffic). ie:

access to attrs=userPassword
by ssf=128 self write
by ssf=128 dn=”cn=direcorymanager,dc=example,dc=com” read
by ssf=128 * auth

This restricts the port389 traffic to only that braindead solaris query. Nothing else in the ldap tree is visible to unencrypted (ssf < 128) connections.

By: T

Thu, 15 May 2008 23:35:08 +0000

access to attrs=userPassword
by ssf=128 self write
by ssf=128 dn=”cn=direcorymanager,dc=example,dc=com” read
by ssf=128 * auth

By: aNDREW

aNDREW — Tue, 15 Apr 2008 09:54:47 +0000

I have heard that is the LDAP server is configured for SSL you still need to have port 389 enabled, that you can’t just run SSL (636). This was definately true for Solaris 8 and 9.

In your experience is this still a requirement in Solaris 10?

Thanks in advance

Andrew

By: Anonymous

Anonymous — Tue, 11 Mar 2008 22:05:05 +0000

lkklklkljjjll

By: Tony

Tony — Thu, 14 Feb 2008 18:59:51 +0000

You may want to consider changing the order of your PAM configuration to prevent locking yourself out if the LDAP server(s) is unreachable. I would suggest changing:

auth sufficient pam_unix_auth.so.1
auth required pam_ldap.so.1

auth sufficient pam_ldap.so.1
auth required pam_unix_auth.so.1

so that LDAP is queried first to authenticate a user, then the local passwd file is. This way, if LDAP is unreachable, you can still log into the console as root.

By: Tim

Tim — Thu, 29 Nov 2007 20:24:33 +0000

I’ve had this working for a while for HP-UX and Linux but I’d had only partial luck with a Solaris 10 pam.conf. Thanks! Your version gets the Password change correct. You’ve helped a bunch!

By: THEODORE_3011@YAHOO.GR

THEODORE_3011@YAHOO.GR — Mon, 24 Sep 2007 07:45:35 +0000

HELLO
SORRY, BUT I HAVE MADE ALL WHAT YOU HAVE SAID BUT DIDNT WORK AT ALL.
DO YOU HAVE THE DEFAULT PAM.CONF BECAUSE I DIDNT MAKE A BACKUP.
MANY THANKS AND SORRY FOR MY ENGLISH

By: theodore

theodore — Thu, 20 Sep 2007 10:47:06 +0000

thanx Robin