If it ain't broken, don't fix it...
Summary: LDAP-authentication is working on Cosmos and Eric (and Boiler and Mir) as of the beginning of 2003 July 14, but on the Solaris 7 machines (Cosmos, Eric and Mir) there is a persistent "feature" which can be seen in /var/adm/messages:
    Jul 14 17:38:51 cosmos sshd[22001]: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): Unknown error
    Jul 14 17:38:51 cosmos sshd[22001]: pam_ldap: _set_ssl_default_options failed
This does not seem to affect correct authentication, but...
Plan: to sort this out on Mir (test/devel machine), then Cosmos and Eric (user machines).
    ./configure --with-tls --enable-bdb=no --enable-slapd=no
    make depend
    make
    make install

    ./configure --disable-ssl --with-ldap-dir=/usr/local --with-ldap-lib=openldap
    make
    make install

    ./configure --with-ldap-lib=openldap --with-ldap-dir=/usr/local --disable-ssl CC=/usr/local/bin/gcc
    make
    make install
Downloaded up-to-date versions of things:
    nss_ldap-207.tar.gz
    openldap-2.1.22.tar.gz
    pam_ldap-164.tar.gz
Some Googling suggested that possible approaches were: enabling TLS within openldap; disabling TLS within pam_ldap (and perhaps nss_ldap).
Hit some problems with configure and make. Some solved via getting and installing (or updating):
    autoconf-2.57-sol7-sparc-local
    automake-1.6-sol7-sparc-local (NOT 1.7)
    fileutils-4.1-sol7-sparc-local (for install)
    m4-1.4-sol7-sparc-local
    make-3.80-sol7-sparc-local (GNU make)
    perl-5.8.0-sol7-sparc-local (auto-something needed this)
Did this:
    ./configure --with-tls --enable-bdb=no --enable-slapd=no
    make depend
    make
    make install
Note the --with-tls.
To get this to configure (with --with-tls) needed to install OpenSSL:
    pkgadd -d openssl-0.9.7a-sol7-sparc-local
and put in some sym-links:
    cd /usr/local/include
    ln -s ../ssl/include/openssl/ssl.h ssl.h
    cd /usr/local/lib
    ln -s ../ssl/lib ssl
alternatively:
    cd /usr/local/include
    ln -s ../ssl/include/openssl openssl
    ln -s ../ssl/lib openssl
    cd /usr/lib
    ln -s /usr/local/ssl/lib/libssl.so libssl.so
    ln -s /usr/local/ssl/lib/libcrypto.so libcrypto.so
Had some bloody strange errors at the make install stage. Updating install (via fileutils) seemed to solve this.
    ./configure --disable-ssl --with-ldap-dir=/usr/local --with-ldap-lib=openldap
    make
    make install

    ./configure --with-ldap-lib=openldap --with-ldap-dir=/usr/local --disable-ssl CC=/usr/local/bin/gcc
    make
    make install
Note the CC=/usr/local/bin/gcc.
This was a pain. Needed to define CC and get automake 1.6 (and in turn Perl, as required by automake --- how could this be missing??) for things to work.
Something, somewhere messed up /etc/ldap.conf and /etc/nsswitch.conf (I think /etc/pam.conf was left OK) --- fixed them from backups.
Ensure LDAP-related entries in /etc/pam.conf point to location of newly installed pam_ldap.so* files (which could be, e.g., /usr/local/lib/security).
Needed to update some sym-links:
    rm libldap.so.2    # ...pointing to libldap.so.2.0.15, old and wrong!
    cd /usr/local/lib
    ln -s /usr/local/lib/libldap.so.2.0.122 libldap.so.2
Still didn't work. Could not login at all --- even local logins failed! Error:
    load_modules: can not open module /usr/lib/security/pam_ldap.so.1
What? On mir itself, did
    truss -f login 127.0.0.1 >& login.truss
to find the problem --- turned out libssl.so and libcrypto.so were not being found (from the OpenSSL install from earlier), so more links required:
    cd /usr/local/lib
    ln -s ssl/libssl.so.0.9.7 libssl.so.0.9.7
    ln -s ssl/libcrypto.so.0.9.7 libcrypto.so.0.9.7
All is well.
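The lockout above (no logins at all, because pam_ldap.so could not load libssl and libcrypto) can be caught before anyone logs out by checking each pam_ldap module named in pam.conf with ldd. This is an added example, not part of the original notes; the function names and the sample pam.conf and ldd text are constructed for illustration.

```shell
# Added example: pre-flight checks before pointing /etc/pam.conf at a
# freshly built pam_ldap.so. Function names are hypothetical.

# Print the pam_ldap module paths named in a pam.conf read from stdin.
# Field 4 is module_path in the pam.conf line format:
#   service  module_type  control_flag  module_path  [options]
pam_modules() {
    awk '$1 !~ /^#/ && NF >= 4 && $4 ~ /pam_ldap/ { print $4 }' | sort -u
}

# Print every library that ldd (its output on stdin) could not resolve.
# Matches both "(file not found)" and plain "not found" wordings.
missing_libs() {
    awk '/not found/ { print $1 }'
}

# Return 0 only if the module is readable and every dependency resolves;
# 2 if the module file itself is missing, 1 if a dependency is unresolved.
check_module() {
    [ -r "$1" ] || { echo "MISSING MODULE: $1" >&2; return 2; }
    unresolved=$(ldd "$1" 2>/dev/null | missing_libs)
    [ -z "$unresolved" ] && return 0
    echo "UNRESOLVED in $1: $unresolved" >&2
    return 1
}

# Constructed sample input (not captured from the machines in these notes).
SAMPLE_PAM_CONF='# PAM configuration
login   auth    sufficient /usr/local/lib/security/pam_ldap.so.1
login   auth    required   /usr/lib/security/pam_unix.so.1
other   account sufficient /usr/local/lib/security/pam_ldap.so.1'

SAMPLE_LDD='    libldap.so.2 =>      /usr/local/lib/libldap.so.2
    libssl.so.0.9.7 =>   (file not found)
    libcrypto.so.0.9.7 =>        (file not found)
    libc.so.1 =>         /usr/lib/libc.so.1'

# Live use, run from a root shell that stays open until a second login works:
#   pam_modules < /etc/pam.conf | while read -r m; do check_module "$m"; done
```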