Attempt to get boiler.csu.umist.ac.uk, Solaris 8, working as an authentication client for RedHat 7.2 OpenLDAP server.
I could not get the ACI ldapmodify instructions to work (see "Real" doc).
Checked client was working by doing this on Solaris box:
ldaplist -l
and it returned the details of accounts in the ldap server, hurrah --- the Solaris client was talking to OpenLDAP to some extent.
Edited /etc/nsswitch.conf:
passwd: files ldap [TRYAGAIN=5]
group: files ldap [TRYAGAIN=5]
Edited /etc/pam.conf:
login auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 debug
login auth required /usr/lib/security/$ISA/pam_ldap.so.1 debug
telnet auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 debug
telnet auth required /usr/lib/security/$ISA/pam_ldap.so.1 debug
...but login as si4 did not work...
Got PADL/OpenLDAP versions of pam_ldap and nss_ldap.so sources from sourceforge, configured, compiled and installed and replaced the Solaris 2.8 ones (backing up the Solaris ones). (nss_ldap-184 pam_ldap-139). No apparent progress...
Found this, the spack notes, and followed some of its advice:
Shut down the client:
/etc/init.d/ldapclient stop
Edited /var/ldap/ldap_client_file...
NS_LDAP_SERVERS=130.88.100.77
NS_LDAP_SEARCH_BASEDN=ou=people, o=talbycsuumist, c=gb
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_DOMAIN=talbycsuumist.gb
the last coming from the entry in the LDAP directory:
dn: o=talbycsuumist,c=gb
associatedDomain: talbycsuumist.gb
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
objectClass: nisDomainObject
nisDomain: talbycsuumist.gb
dc: Iwonderwhatgoeshere
... and ldap_client_cred:
NS_LDAP_BINDDN= cn=Manager,o=talbycsuumist,c=gb
NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxxxxx
the last value coming from the profile earlier created from ldap_gen_profile.
Restarted:
/etc/init.d/ldapclient start
Then, as a simpler step than logging in: finger the user who exists in LDAP only (i.e., not /etc/passwd, or elsewhere, on the Solaris box); it failed so I trussed it and looked...
There was an attempt to look for /usr/lib/nss_ldap.so.1 which failed so I linked (ln -s) nss_ldap.so to it (the padl one) and re-tried...
There was an attempt to look for /etc/ldap.conf (on the Solaris box) which did not exist so I created it from the one on the Linux box and edited appropriately (e.g., my server IP rather than 127.0.0.1).
At this point finger worked --- it returned the correct info for si4 --- so I tried telnetting to the Solaris box and logging in as si4: it worked. I wrote this. I went home to Sale and headed to The Bank to watch the footy.
Vintage Bergkamp yesterday (27 Feb 2001) against Bayer Leverkusen, I thought.
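The checks below are an added example, not part of the original notes: a sh function that tests a filesystem root for the two files truss showed being looked up (/usr/lib/nss_ldap.so.1 and /etc/ldap.conf) and the nsswitch.conf entries, and flags the Manager bind DN and simple authentication for review. The function name check_ldap_client and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: check_ldap_client is a constructed helper, not a Solaris tool.
# Audits the tree rooted at $1; returns the number of MISSING items.
check_ldap_client() {
    root=$1
    missing=0
    # nsswitch.conf must list ldap for both passwd and group.
    for db in passwd group; do
        if grep "^$db:.*ldap" "$root/etc/nsswitch.conf" >/dev/null 2>&1; then
            echo "OK nsswitch $db"
        else
            echo "MISSING nsswitch $db"
            missing=`expr $missing + 1`
        fi
    done
    # Files the notes found being looked up (and absent) under truss.
    for f in usr/lib/nss_ldap.so.1 etc/ldap.conf; do
        if [ -f "$root/$f" ]; then
            echo "OK /$f"
        else
            echo "MISSING /$f"
            missing=`expr $missing + 1`
        fi
    done
    # Settings to review: privileged bind DN, simple (password) bind.
    if grep '^NS_LDAP_BINDDN=.*cn=Manager' \
        "$root/var/ldap/ldap_client_cred" >/dev/null 2>&1; then
        echo "REVIEW client binds as the directory Manager DN"
    fi
    if grep '^NS_LDAP_AUTH=.*NS_LDAP_AUTH_SIMPLE' \
        "$root/var/ldap/ldap_client_file" >/dev/null 2>&1; then
        echo "REVIEW simple bind: cleartext unless the connection is encrypted"
    fi
    return $missing
}

# Constructed sample tree: the state before the two fixes found with truss.
demo=${TMPDIR:-/tmp}/ldapcheck.$$
mkdir -p "$demo/etc" "$demo/var/ldap" "$demo/usr/lib"
printf 'passwd: files ldap [TRYAGAIN=5]\ngroup: files ldap [TRYAGAIN=5]\n' \
    > "$demo/etc/nsswitch.conf"
printf 'NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE\n' > "$demo/var/ldap/ldap_client_file"
printf 'NS_LDAP_BINDDN= cn=Manager,o=talbycsuumist,c=gb\n' \
    > "$demo/var/ldap/ldap_client_cred"
check_ldap_client "$demo" || echo "missing items: $?"
rm -rf "$demo"
```

On a live client, call check_ldap_client with / as the root; the REVIEW lines are prompts to look at the setting, not failures.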