LDAP Authentication in Solaris 10
I’ve just been setting up a Solaris 10 machine to authenticate from a OpenLdap directory, this is the command I used to make it work, note that the IP on the end is the IP of the directory server
% ldapclient manual -v \
-a defaultsearchbase=dc=riviera,dc=org.uk \
-a domainname=riviera.org.uk \
192.168.254.100
The output produced is shown below
Parsing defaultsearchbase=dc=riviera,dc=org.uk
Parsing domainname=riviera.org.uk
Arguments parsed:
defaultSearchBase: dc=riviera,dc=org.uk
domainName: riviera.org.uk
defaultServerList: 192.168.254.100
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "riviera.org.uk"
file_backup: stat(/var/yp/binding/riviera.org.uk)=-1
file_backup: No /var/yp/binding/riviera.org.uk directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname riviera.org.uk... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success
System successfully configured
#
Then test that this is indeed working:
% grep rk295 /etc/passwd
% getent passwd | grep rk295
rk295:x:512:512::/home/rk295:/bin/bash
%
I found that after this had finished, hostname resolution no longer worked. Looking inside /etc/nsswitch.conf I found that the hosts entry had been changed to:
hosts: ldap [NOTFOUND=return] files
I do not use LDAP for hostname resolution so I had to change this back to:
hosts: files dns
And similarly the networks line was the same so I had to change that to use files dns as well.
At this point you can query LDAP using getent but you still need to configure PAM to use it for authentication etc. To do this you need to make some changes to /etc/pam.conf. Principally these changes involved telling it should fall back to LDAP if it doesnt match your credentials against the local files. My edited pam.conf is shown below, the lines which I have edited or added are shown in red.
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
<font color="red">
login auth sufficient pam_unix_auth.so.1
</font>
login auth required pam_dial_auth.so.1
<font color="red">
login auth required pam_ldap.so.1
</font>
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
<font color="red">
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1
</font>
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
<font color="red">
ppp auth sufficient pam_unix_auth.so.1
</font>
ppp auth required pam_dial_auth.so.1
<font color="red">
ppp auth required pam_ldap.so.1
</font>
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
<font color="red">
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
</font>
#
# passwd command (explicit because of a different authentication module)
#
<font color="red">
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
</font>
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
<font color="red">
other account sufficient pam_ldap.so.1
</font>
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
Now you should be able to su to a user whose credentials are stored only in ldap.
Subscribe via RSS