Setting up LDAP with OpenLDAP server, Solaris 10, AIX 6.1 and Linux clients.
This article is still a work in progress, more chapters will be added during the following days.
During the last couple of weeks I’ve been working on getting a central directory setup for my client, running on OpenLDAP 2.4. Not having worked with LDAP a lot before it proved quite a challenge, especially getting Solaris 10 to work with the LDAP server without any glitches.
In this document I’ll try and describe how this setup was made, because I have been unable to find a single consistent document describing all the intricate details.
At this time I have all my problems fixed (AFAIK), but during the setup phase I experienced various problems:
- Solaris 10 not seeing any users from LDAP
- Solaris seeing users, but not letting them log in
- Log-in working from console, but not ssh
- Passwordless login (pubkey) not working in SUN-SSH
- Users being able to hack extra permissions for themselves
- etc…. etc….etc…
Document Information
Information against a white background is general information, or valid for multiple guest operating systems.
Contents
- Setting up the OpenLDAP server
- Populating your directory
- Configuring a Solaris 10 client
- Configuring an AIX 6.1 client
- Configuring a RHEL client
- Netgroups
- Configuring a netgroup in your directory
- Solaris: Changing your nsswitch configuration
- AIX: Changing system settings for netgroups
- Allowing the netgroup
- Creating home directories
Setting up the OpenLDAP server
I won’t go into too much detail here, as this part is fairly straightforward. Basically, download and compile OpenLDAP 2.4.x with the options that you like, optionally create a package, and then install OpenLDAP.
I used the following configure options:
BDBDIR=/usr/local/BerkeleyDB.4.2 ; export BDBDIR
LD_LIBRARY_PATH=${BDBDIR}/lib:/usr/sfw/lib \
CPPFLAGS="-I${BDBDIR}/include/ -I/usr/sfw/include" \
LDFLAGS="-L${BDBDIR}/lib -L/usr/sfw/lib" \
./configure --with-tls=openssl --enable-overlays --enable-crypt \
--enable-modules --enable-monitor --prefix=/opt/openldap \
--enable-syslog --enable-proctitle --without-subdir
make clean && make depend && make
After installing OpenLDAP you will probably want to add some schemas. For Solaris you need solaris.schema, and I prefer to have my sudo config in LDAP, so I also include its schema (sudo.schema):
These schema files should be installed in <openldap-dir>/etc/schemas/
slapd.conf
This is an example config for <openldap-dir>/etc/slapd.conf
include /opt/openldap/etc/schema/core.schema
include /opt/openldap/etc/schema/cosine.schema
include /opt/openldap/etc/schema/nis.schema
include /opt/openldap/etc/schema/inetorgperson.schema
include /opt/openldap/etc/schema/solaris.schema
include /opt/openldap/etc/schema/duaconf.schema
include /opt/openldap/etc/schema/ppolicy.schema
include /opt/openldap/etc/schema/sudo.schema

# TLS Certificate
TLSCACertificateFile /opt/openldap/etc/cacert.pem
TLSCertificateFile /opt/openldap/etc/server..pem
TLSCertificateKeyFile /opt/openldap/etc/server..pem
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSVerifyClient allow
#TLSVerifyClient demand | allow | never

# ACL's
access to dn.subtree="ou=People,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
by dn="cn=proxyagent,ou=profile,dc=domain,dc=tld" write
by self write
by anonymous auth
by * read

# Do not allow users to change their uid/gid/group membership
access to attrs=uid,uidNumber,gidNumber,memberUid
by * read

access to dn.base=""
by dn="cn=proxyagent,ou=profile,dc=domain,dc=tld" read
by * read

access to dn.base="cn=Subschema"
by anonymous none
by * read

access to dn.subtree="ou=People,dc=domain,dc=tld"
by self write
by * read

access to dn.subtree="ou=Group,dc=domain,dc=tld"
by * read

# Sudo rules are only readable by the dedicated sudoers account
access to dn.subtree="ou=SUDOers,dc=domain,dc=tld"
by dn="cn=sudoagent,ou=profile,dc=domain,dc=tld" read
by * none

access to *
by * read

# MirrorMode Replication
serverID 1

database bdb
suffix "dc=domain,dc=tld"
rootdn "cn=Manager,dc=domain,dc=tld"
#rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Synchronisation/Replication
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

syncrepl rid=001
provider=ldap://ldap2.domain.tld
bindmethod=simple
starttls=critical
binddn="cn=proxyagent,ou=profile,dc=domain,dc=tld"
credentials=secretpassword
searchbase="dc=domain,dc=tld"
schemachecking=on
type=refreshAndPersist
retry="60 +"

# 2-Master mode
mirrormode on

# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,ou eq
index cn,mail,surname,givenname eq,subinitial
index memberUid eq
index nisDomain eq
index uniqueMember pres
index sudoUser eq,sub

# OVERLAY definitions: NEED TO BE __AFTER__ the database definition they work on
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=domain,dc=tld"
ppolicy_hash_cleartext on
ppolicy_use_lockout

overlay unique
unique_uri ldap:///ou=People,dc=domain,dc=tld?uidNumber,uid?sub
unique_uri ldap:///ou=Group,dc=domain,dc=tld?gidNumber,cn?sub

# Performance tuning directives
sizelimit 5000
threads 16
idletimeout 14400
cachesize 10000
checkpoint 256 15
password-hash {SSHA}

# Monitor
database monitor
access to dn.subtree="cn=Monitor"
by dn="cn=Manager,dc=domain,dc=tld" write
by users read
by * none
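The ACL section above is what stops a user from giving themselves extra permissions (one of the problems listed in the introduction), and it only works because slapd evaluates access directives in order: the first "access to" whose target matches the entry and attribute wins, and inside it the first matching "by" clause decides. The following script is an added example, not OpenLDAP code and not part of the original article; it models just that subset of the slapd access-control semantics (dn.subtree, dn.base, attrs=, by dn/self/anonymous/users/*) and replays the article's ACLs against the test user from the LDIF. The "uid=other" account and the sudo entry DN used in the checks are constructed for the demonstration.

```python
# Added example (not OpenLDAP code): a simplified model of how slapd evaluates
# the 'access to <what> by <who> <level>' directives in the slapd.conf above.
# Semantics modelled: directives are tried in order, the first one whose target
# matches the entry/attribute is used and the rest are ignored; within it the
# first matching 'by' clause decides; no match at either level means 'none'.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

PEOPLE = "ou=People,dc=domain,dc=tld"
PROXY = "cn=proxyagent,ou=profile,dc=domain,dc=tld"
SUDOAGENT = "cn=sudoagent,ou=profile,dc=domain,dc=tld"

def norm(dn):
    """Lower-case a DN and drop spaces after commas (no full RFC 4514 handling)."""
    return ",".join(part.strip() for part in dn.lower().split(",")) if dn else ""

def target_matches(rule, entry_dn, attr):
    base = norm(rule["dn"] or "")
    if rule["scope"] == "base":
        dn_ok = norm(entry_dn) == base
    elif rule["scope"] == "subtree":
        dn_ok = base == "" or norm(entry_dn) == base or norm(entry_dn).endswith("," + base)
    else:  # no dn part: any entry
        dn_ok = True
    if not dn_ok:
        return False
    if rule["attrs"] is None:  # no attrs= part: the entry and all of its attributes
        return True
    return attr is not None and attr.lower() in rule["attrs"]

def who_matches(who, bind_dn, entry_dn):
    kind = who[0]
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "users":
        return bind_dn != ""
    if kind == "self":
        return bind_dn != "" and norm(bind_dn) == norm(entry_dn)
    return norm(bind_dn) == norm(who[1])  # ("dn", "<dn>")

def granted(rules, bind_dn, entry_dn, attr):
    """Access level the rule list grants; '' as bind_dn means anonymous."""
    for rule in rules:
        if target_matches(rule, entry_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"  # implicit 'by * none' at the end of every directive
    return "none"  # implicit 'access to * by * none' at the end of the list

def allowed(rules, bind_dn, entry_dn, attr, needed):
    return LEVELS.index(granted(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)

def rule(scope, dn, attrs, *by):
    return {"scope": scope, "dn": dn, "by": list(by),
            "attrs": {a.lower() for a in attrs} if attrs else None}

# The ACL block of the slapd.conf above, in the order it appears there.
ACLS = [
    rule("subtree", PEOPLE, ["userPassword", "shadowLastChange"],
         (("dn", PROXY), "write"), (("self",), "write"), (("anonymous",), "auth"), (("*",), "read")),
    rule("*", None, ["uid", "uidNumber", "gidNumber", "memberUid"], (("*",), "read")),
    rule("base", "", None, (("dn", PROXY), "read"), (("*",), "read")),
    rule("base", "cn=Subschema", None, (("anonymous",), "none"), (("*",), "read")),
    rule("subtree", PEOPLE, None, (("self",), "write"), (("*",), "read")),
    rule("subtree", "ou=Group,dc=domain,dc=tld", None, (("*",), "read")),
    rule("subtree", "ou=SUDOers,dc=domain,dc=tld", None, (("dn", SUDOAGENT), "read"), (("*",), "none")),
    rule("*", None, None, (("*",), "read")),
]
# The same directives with the uid/uidNumber/gidNumber rule moved below the ou=People rule.
MISORDERED = [ACLS[0]] + ACLS[2:5] + [ACLS[1]] + ACLS[5:]

TESTUSER = "uid=testuser,ou=People,dc=domain,dc=tld"
OTHER = "uid=other,ou=People,dc=domain,dc=tld"  # constructed second account
SUDO_ENTRY = "cn=Global_Allowed_NOPASS,ou=SUDOers,dc=domain,dc=tld"

def demo(rules=ACLS):
    return {
        "user writes own uidNumber": allowed(rules, TESTUSER, TESTUSER, "uidNumber", "write"),
        "user writes own loginShell": allowed(rules, TESTUSER, TESTUSER, "loginShell", "write"),
        "anonymous may bind (auth on userPassword)": allowed(rules, "", TESTUSER, "userPassword", "auth"),
        "anonymous reads userPassword": allowed(rules, "", TESTUSER, "userPassword", "read"),
        "user reads another user's userPassword": allowed(rules, TESTUSER, OTHER, "userPassword", "read"),
        "user reads sudo rules": allowed(rules, TESTUSER, SUDO_ENTRY, "sudoCommand", "read"),
    }

if __name__ == "__main__":
    for name, rules in (("as written", ACLS), ("misordered", MISORDERED)):
        for check, ok in demo(rules).items():
            print(f"[{name}] {check}: {'allowed' if ok else 'denied'}")
```

Two things the run makes visible. First, moving the attrs=uid,uidNumber,gidNumber,memberUid directive below the "ou=People ... by self write" directive silently lets every user rewrite their own uidNumber, because the People directive then matches first. Second, the trailing "by * read" on the userPassword directive grants any authenticated account read access to other users' password hashes; the usual tightening is "by * auth", which still leaves the proxyagent its explicit write access and anonymous binds working.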
Filling the LDAP Directory
Next step is to fill the LDAP directory with some starting content…
Below you will find an example ldif file that can be used to jumpstart your LDAP directory. It creates a test user, group and people entries, a skeleton sudo infrastructure, configuration profiles and a password policy template.
# Example LDIF: replace dc=domain,dc=tld with your own suffix everywhere.
# The dc value of the top entry must match the first RDN of its DN.
dn: dc=domain,dc=tld
associatedDomain: domain.tld
dc: domain
objectClass: top
objectClass: dcObject
objectClass: domain
objectClass: domainRelatedObject
objectClass: nisDomainObject
nisDomain: domain.tld
o: Organisation Name

dn: cn=Manager, dc=domain,dc=tld
objectClass: organizationalRole
cn: Manager

dn: ou=profile, dc=domain,dc=tld
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: ou=SUDOers, dc=domain,dc=tld
ou: SUDOers
objectClass: top
objectClass: organizationalUnit

dn: cn=defaults,ou=SUDOers, dc=domain,dc=tld
objectClass: top
objectClass: sudoRole
description: Default sudoOption's go here
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: timestamp_timeout=5
cn: defaults

dn: cn=Global_Allowed_NOPASS,ou=SUDOers, dc=domain,dc=tld
sudoUser: ALL
sudoCommand: /some/script.sh
sudoHost: ALL
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
cn: Global_Allowed_NOPASS

dn: ou=People, dc=domain,dc=tld
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group, dc=domain,dc=tld
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: cn=Users,ou=Group, dc=domain,dc=tld
gidNumber: 1000
objectClass: top
objectClass: posixGroup
cn: Users

dn: cn=proxyagent,ou=profile, dc=domain,dc=tld
# MUNGED is a placeholder: put the real (hashed) password here
userPassword: MUNGED
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent

dn: cn=default,ou=profile, dc=domain,dc=tld
defaultSearchBase: dc=domain,dc=tld
authenticationMethod: simple
followReferrals: TRUE
profileTTL: 43200
searchTimeLimit: 30
objectClass: DUAConfigProfile
defaultServerList: ldapserver1.domain.tld ldapserver2.domain.tld
credentialLevel: proxy
cn: default
defaultSearchScope: one

dn: cn=tls_profile,ou=profile, dc=domain,dc=tld
defaultSearchBase: dc=domain,dc=tld
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: ldapserver1.domain.tld ldapserver2.domain.tld
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=domain,dc=tld
serviceSearchDescriptor: group: ou=Group,dc=domain,dc=tld
serviceSearchDescriptor: shadow: ou=People,dc=domain,dc=tld
serviceSearchDescriptor: netgroup: ou=netgroup,dc=domain,dc=tld
serviceSearchDescriptor: sudoers: ou=SUDOers,dc=domain,dc=tld
defaultSearchScope: one

dn: ou=policies, dc=domain,dc=tld
ou: policies
objectClass: top
objectClass: organizationalUnit

dn: uid=testuser,ou=People, dc=domain,dc=tld
shadowMin: 5
sn: User
# MUNGED is a placeholder: put the real (hashed) password here
userPassword: MUNGED
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 1000
shadowFlag: 0
shadowExpire: -1
shadowMax: 99999
uid: testuser
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
gecos: Test User
shadowLastChange: 0
cn: Test User
homeDirectory: /export/home/testuser
shadowInactive: -1
shadowWarning: 7

dn: cn=default,ou=policies, dc=domain,dc=tld
pwdFailureCountInterval: 30
pwdSafeModify: FALSE
pwdGraceAuthNLimit: 5
pwdLockoutDuration: 10
objectClass: pwdPolicy
objectClass: person
objectClass: top
objectClass: pwdPolicyChecker
pwdMaxFailure: 5
pwdAllowUserChange: TRUE
pwdMinLength: 5
cn: default
pwdAttribute: userPassword
pwdMinAge: 5
pwdLockout: TRUE
pwdCheckQuality: 1
pwdInHistory: 5
sn: default policy
pwdMustChange: FALSE
pwdExpireWarning: 600
pwdMaxAge: 10
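The pwdPolicy entry at the end of the LDIF is a template, and its time values are seconds (as in the ppolicy schema), so it pays to see what they do before adapting it: with pwdMaxAge 10 and pwdExpireWarning 600 a freshly set password is in the warning state immediately and expires ten seconds later, pwdMinAge 5 refuses a second change within five seconds, and five failed binds within 30 seconds lock the account for ten seconds. The script below is an added example, not the ppolicy overlay's code and not from the article; it is a simplified model of those checks using the entry's values, with the timestamps and passwords in the demo constructed.

```python
# Added example (not the ppolicy overlay's code): a small model of the checks the
# cn=default,ou=policies entry above configures. All ages/durations are seconds.
POLICY = {
    "pwdMinLength": 5, "pwdInHistory": 5, "pwdMinAge": 5, "pwdMaxAge": 10,
    "pwdExpireWarning": 600, "pwdGraceAuthNLimit": 5,
    "pwdLockout": True, "pwdMaxFailure": 5,
    "pwdFailureCountInterval": 30, "pwdLockoutDuration": 10,
}

def change_refusals(policy, new_password, history, last_change, now):
    """Attributes that would make a password change fail; [] means accepted.
    `history` is the current password followed by the stored pwdHistory values,
    newest first; `last_change` and `now` are epoch seconds (pwdChangedTime)."""
    reasons = []
    if len(new_password) < policy["pwdMinLength"]:
        reasons.append("pwdMinLength")
    # the current password and the last pwdInHistory stored ones may not be reused
    if new_password in history[:policy["pwdInHistory"] + 1]:
        reasons.append("pwdInHistory")
    if now - last_change < policy["pwdMinAge"]:
        reasons.append("pwdMinAge")
    return reasons

def password_state(policy, last_change, grace_used, now):
    """'ok', 'warning', 'grace' (expired but grace binds left) or 'expired'."""
    age = now - last_change
    if age >= policy["pwdMaxAge"]:
        return "grace" if grace_used < policy["pwdGraceAuthNLimit"] else "expired"
    if age >= policy["pwdMaxAge"] - policy["pwdExpireWarning"]:
        return "warning"
    return "ok"

def is_locked(policy, failure_times, now):
    """Lockout model: only bind failures newer than pwdFailureCountInterval count
    (pwdFailureTime); the pwdMaxFailure-th of them locks the account for
    pwdLockoutDuration seconds from that failure (pwdAccountLockedTime)."""
    if not policy["pwdLockout"]:
        return False
    recent = sorted(t for t in failure_times
                    if now - t < policy["pwdFailureCountInterval"])
    if len(recent) < policy["pwdMaxFailure"]:
        return False
    locked_at = recent[policy["pwdMaxFailure"] - 1]
    return now - locked_at < policy["pwdLockoutDuration"]

if __name__ == "__main__":
    # constructed timeline: password set at t=0, checked 12 seconds later
    print("state after 12s:", password_state(POLICY, 0, 0, 12))
    print("change 2s after setting:", change_refusals(POLICY, "newpass", ["oldpass"], 0, 2))
    print("locked after 5 failures in 5s:", is_locked(POLICY, [0, 1, 2, 3, 4], 5))
```

The values that matter for a real deployment are pwdMaxAge and pwdMinAge (typically days, expressed in seconds); the lockout settings shown here are the usual brute-force brake and are independent of the password-age settings.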
Configuring a Solaris 10 Client
If you have defined a profile in your LDAP tree, it should be quite easy to set up an LDAP client on a Solaris 10 system.
If you are using SSL or TLS with your server (you should), then you need to install the CA certificate first, so the server certificate can be checked:
certutil -N -d /var/ldap
certutil -A -d /var/ldap -n 'CA Name' -i /path/to/cacert.pem -a -t CT
- First copy /etc/nsswitch.ldap to /etc/nsswitch.ldap.bak and /etc/nsswitch to /etc/nsswitch.bak
- Edit /etc/nsswitch.ldap, making sure to change the entries for hosts and ipnodes to ‘files dns’
- Run ldapclient init:
ldapclient init -v \
-a proxyDN=cn=proxyagent,ou=profile,dc=domain,dc=tld \
-a proxyPassword=secret \
-a domainName=domain.tld \
-a profileName=tls_profile \
ldapserver.domain.tld
- If all is well, LDAP should be configured now. Using listusers you should be able to see the LDAP accounts in your user list.
Configuring PAM
The next step is configuring PAM to allow people to actually log in using LDAP accounts, and to have their passwords stored in LDAP. Sun-SSH uses separate PAM service names for each authentication method, and the sshd-pubkey method has its own dedicated configuration.
# pam.conf.ldapv2_native_client
#
# http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
#
# IMPORTANT NOTES from Gary Tay
#
# 1) This is a /etc/pam.conf with password management support that works for:
#
# Solaris10 Native LDAP Client
# Solaris9 Native LDAP Client provided that:
# - latest kernel patch and Patch 112960 are applied
# - all the pam_unix_cred.so.1 lines are commented out
# Solaris8 Native LDAP Client provided that:
# - latest kernel patch and Patch 108993 are applied
# - all the pam_unix_cred.so.1 lines are commented out
#
# 2) If modules for “sshd” or any are not defined, default is “other”
# as seen by output of “grep other /etc/pam.conf”
#
# Notes from Mark Janssen
#
# 3) SSH Pubkey authentication needs its own pam rules on sshd-pubkey
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#other session required pam_mkhomedir.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 debug server_policy
#
# Custom Stuff
# Allow ssh-pubkey (SUN-SSH) logins to work
sshd-pubkey account required pam_unix_account.so.1
Configuring an AIX 6.1 Client
Configuring AIX 6.1 is quite easy, especially compared to Solaris.
- Make sure the LDAP client packages are installed
- idsldap.clt32bit61.rte 6.1.0.3 Directory Server – 32 bit Client
- idsldap.clt64bit61.rte 6.1.0.3 Directory Server – 64 bit Client
- idsldap.cltbase61.adt 6.1.0.3 Directory Server – Base Client
- idsldap.cltbase61.rte 6.1.0.3 Directory Server – Base Client
- run: mksecldap -c -h ldapserver1,ldapserver2 -a cn=proxyagent,ou=profile,dc=domain,dc=tld -p password -k /etc/security/ldap/your-ca.kdb -w keydbpassword -A ldap_auth
- Convert your cacert.pem file to a .kdb file using (java) gsk7ikm, and place it in /etc/security/ldap/your-ca.kdb
- keydbpassword = the password you use in gsk7ikm to encrypt your keyring (mandatory)
- password = the password used for the proxyagent
- Lastly, if your AIX clients need to interoperate with Linux and Solaris clients, you need to tell AIX to store the password age in days since the epoch, as it defaults to seconds since the epoch. Change /etc/security/ldap/2307aixuser.map:
lastupdate SEC_INT shadowlastchange s days
Configuring a RHEL Client
Configuring a Redhat Enterprise Linux Client is quite easy. It consists of the following steps:
- Copy the CA-Certificate to /etc/openldap/cacerts/ca-cert.pem
- Edit /etc/ldap.conf: Add the correct values for ‘binddn’ and ‘bindpw’
binddn cn=proxyagent,ou=profile,dc=domain,dc=tld
bindpw secret
- Run /usr/bin/system-config-authentication
- Check ‘Cache Information’
- Check ‘Use LDAP’, Check ‘Use TLS’ and fill in the ldap hostname and base-DN
- Check ‘Use LDAP Authentication’
- Check ‘Local authentication is sufficient’
Configuring Netgroups
Using the setup described above lets any LDAP user with a valid account log in to any LDAP-enabled client machine. This might not be what you want. Netgroups are a way to limit LDAP account visibility on a per-system basis: with netgroups you can specify which (groups of) users can log in to and use which systems.
Configuring netgroups consists of the following steps:
- Configuring a netgroup in your directory
- Solaris: Changing your nsswitch configuration
- AIX: Changing system settings for netgroups
- Allowing the netgroup
Configuring a netgroup in LDAP
Import the following ldif-file into your directory:
dn: ou=Netgroup, dc=domain,dc=tld
ou: netgroup
objectClass: top
objectClass: organizationalUnit
dn: cn=Admins, ou=Netgroup, dc=domain,dc=tld
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (,someuser,domain.tld)
cn: Admins
dn: cn=App1, ou=Netgroup, dc=domain,dc=tld
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (,app1user,domain.tld)
memberNisNetgroup: Admins
cn: App1
This example creates the netgroup infrastructure and populates it with two netgroups. The ‘App1’ netgroup would be used on systems where ‘App1’ runs. The ‘Admins’ netgroup is a group for the admins, and it is included in the ‘App1’ netgroup. This way I only need to allow the App1 netgroup on that system, and it automatically includes the users from the ‘Admins’ netgroup.
To specify a user in a netgroup, use a ‘nisNetgroupTriple’ whose value has the form ‘(hostname,username,domainname)’. All fields are optional and can be left empty. In our case we are mostly interested in the ‘username’ field, so the entries look like ‘(,username,)’.
A netgroup can include another netgroup using ‘memberNisNetgroup: netgroupname’.
Solaris: Changing nsswitch.conf
We will be using the ‘compat’ support for netgroups, so we need to change the ‘passwd’ entry in /etc/nsswitch.conf from:
passwd: files ldap
to
passwd: compat
passwd_compat: ldap
We are telling the NSS system to use ‘compat’ (instead of the default files or ldap), and telling it that the database it should check for NIS entries is ldap (the default would be YP).
AIX: Changing system settings for netgroups
For AIX the following changes need to be made to enable netgroups:
- In /usr/lib/security/methods.cfg, change the LDAP group, add the options line:
LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
options = netgroup
- In /etc/group, add a line at the end:
+:
- In /etc/security/user, change the default group:
SYSTEM = compat
Allowing netgroups
Every netgroup you want to allow on the system needs to be included in the /etc/passwd file. Make sure you use the correct format, otherwise you will not be able to log in:
+@netgroupname:x:::::
+@othernetgroup:x:::::
If you only add the short form shown below (‘+@netgroupname’), things seem to work: you can see the accounts with ‘listusers’ and even ‘su’ to them, but you still can’t log in with these accounts. If you add the entry as specified above and then run ‘pwconv’, the entry will be copied to ‘/etc/shadow’ in the correct format and you should then be able to log in with netgroup-listed accounts.
+@netgroupname
+@othernetgroup
It is advisable to create dedicated netgroups for any system or group of systems that have their own user limitations. It is also a good idea to include the ‘admin’ netgroup in any netgroup you create, or to explicitly include it on every system.
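The two pieces above (the netgroup LDIF under "Configuring a netgroup in LDAP", and the /etc/passwd compat lines this section requires) are small enough to check mechanically before a system is opened up. The script below is an added example, not part of the original article: it parses the netgroup LDIF from the page (embedded inline), resolves memberNisNetgroup references the way the App1/Admins nesting relies on, treats an empty triple field as a wildcard, and emits and validates the seven-field "+@name:x:::::" form. The host names and the cyclic netgroup pair used in the checks are constructed.

```python
# Added example (not from the article): resolve netgroups from the LDIF above and
# produce the /etc/passwd compat entries that the "Allowing netgroups" section needs.
NETGROUP_LDIF = """\
dn: ou=Netgroup,dc=domain,dc=tld
ou: netgroup
objectClass: top
objectClass: organizationalUnit

dn: cn=Admins,ou=Netgroup,dc=domain,dc=tld
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (,someuser,domain.tld)
cn: Admins

dn: cn=App1,ou=Netgroup,dc=domain,dc=tld
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (,app1user,domain.tld)
memberNisNetgroup: Admins
cn: App1
"""

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    no base64 (::) values and no continuation lines. Enough for the netgroup tree."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def parse_triple(text):
    """'(host,user,domain)' -> (host, user, domain); an empty field is a wildcard."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"bad nisNetgroupTriple: {text!r}")
    fields = tuple(f.strip() for f in body[1:-1].split(","))
    if len(fields) != 3:
        raise ValueError(f"bad nisNetgroupTriple: {text!r}")
    return fields

def load_netgroups(entries):
    groups = {}
    for e in entries:
        if "nisNetgroup" not in e.get("objectClass", []):
            continue
        groups[e["cn"][0]] = {
            "triples": [parse_triple(t) for t in e.get("nisNetgroupTriple", [])],
            "members": e.get("memberNisNetgroup", []),
        }
    return groups

def expand(groups, name, seen=None):
    """All triples reachable from `name` through memberNisNetgroup, cycle-safe."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return []
    seen.add(name)
    triples = list(groups[name]["triples"])
    for member in groups[name]["members"]:
        triples.extend(expand(groups, member, seen))
    return triples

def user_allowed(groups, netgroup, user, host="", domain=""):
    """True if a triple reachable from `netgroup` matches; '' in a triple is a wildcard."""
    def ok(field, value):
        return field == "" or field == value
    return any(ok(h, host) and ok(u, user) and ok(d, domain)
               for h, u, d in expand(groups, netgroup))

def allowed_users(groups, netgroup):
    return sorted({u for _, u, _ in expand(groups, netgroup) if u})

def compat_passwd_line(netgroup):
    """The seven-field form the article says is required (bare '+@name' is not enough)."""
    return f"+@{netgroup}:x:::::"

def compat_line_ok(line):
    fields = line.rstrip("\n").split(":")
    return len(fields) == 7 and fields[0].startswith("+@") and fields[1] == "x"

if __name__ == "__main__":
    groups = load_netgroups(parse_ldif(NETGROUP_LDIF))
    print("App1 users:", allowed_users(groups, "App1"))
    print("passwd line:", compat_passwd_line("App1"), compat_line_ok(compat_passwd_line("App1")))
```

Because the triples in the article carry a domain ("(,someuser,domain.tld)"), a lookup only matches when the caller supplies that domain; the "(,username,)" form mentioned in the text matches on any host and any domain.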
Creating home directories
Linux and AIX have PAM modules to create a home directory for a user if one doesn’t exist. Solaris sadly doesn’t have a PAM module for this (and I couldn’t get the Linux module working on Solaris). On Linux the module is enabled with the following line in the PAM session stack:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
The AIX PAM module is called pam_mkuserhome, however, I have not been able to get it to create an actual directory in my experiments. Since I already need to have a work-around for Solaris I used this method for AIX as well.
- Create a mkhome script and put it in /usr/local/bin
#!/bin/sh
# mkhome: create the calling user's home directory if it is missing.
# Meant to be run through sudo from /etc/profile, so SUDO_UID/SUDO_GID are the
# real user's ids. Note that HOME is taken from the caller's environment.
if [ -d "${HOME}" ]; then
  exit 0
fi
mkdir -p "${HOME}"
cp -r /etc/skel/.???* "${HOME}"
cp -r /etc/skel/* "${HOME}"
chown "${SUDO_UID}:${SUDO_GID}" "${HOME}" "${HOME}"/* "${HOME}"/.???*
echo "Created ${HOME}"
exit 0
- Allow this script to be run using sudo, without prompting for a password (the sudoRole entry at the end of this section)
- Call sudo /usr/local/bin/mkhome from /etc/profile when a home directory can’t be found:
if [ ! -d "$HOME" ]
then
  /usr/bin/sudo /usr/local/bin/mkhome
  cd "$HOME"
fi
dn: cn=Global_Allowed_NOPASS,ou=SUDOers, dc=domain,dc=tld
sudoUser: ALL
sudoCommand: /usr/local/bin/mkhome
sudoHost: ALL
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
cn: Global_Allowed_NOPASS
How is the below policy referenced to user accounts
Are there further steps or do they just automatically apply because of the (pwdAttribute: userPassword)?
Frank
##########################################
dn: cn=default,ou=policies, dc=domain,dc=tld
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
[snip]
Frank
3 Feb 09 at 18:30
The _default_ policy is specified in the slapd.conf
ppolicy_default “cn=default,ou=policies,dc=domain,dc=tld”
You can override the default policy on a per-user basis by creating ‘pwdPolicySubentry’ attribute in the users DN, containing the DN of a ‘pwdPolicy’ entry.
foobar
3 Feb 09 at 18:41
Foobar
I keep receiving client certificate errors before the bind operation.
Do i need to create clients certificates?
Frank
12 Feb 09 at 18:41
Foobar
My issue wasn't related to client certs, it was an expired password, all is now working!
Only small issue I have, users are unable to change their own passwords; when I remove the ppolicy statement from slapd.conf they can, so I know it is to do with the ppolicy.
Any Ideas?
Frank
17 Feb 09 at 00:54
The slapd logfile should show you why the password isn’t being accepted… could be that you are re-using a password, or that it isn’t long enough, or that your old password is still to new to be changed.
Either way… it’s only displayed in the slapd log (syslog)
foobar
17 Feb 09 at 09:20
I had a look through the logs but still to no avail in regards to a proper error message, after testing options in the ppolicy attributes i got it working by changing the following from
pwdSafeModify: TRUE
pwdCheckQuality: 2
to
pwdSafeModify: FALSE
pwdCheckQuality: 1
next task
replication
Man thanks Foobar
Frank
17 Feb 09 at 17:32
Oh yeah… pwdCheckQuality 2 doesn’t work… or at least… I couldn’t get it to work either. I see now that I still have the old config up there… I’ll replace that with what I’m actually using
Replication is dead-simple, and the config is included in my sample.
foobar
17 Feb 09 at 19:01
Foobar
In regards to replication, is it the case that slapd.conf are identical on each MirrorMode node apart from the Server ID?
Frank
foobar
23 Feb 09 at 15:55
The ‘provider’, ‘syncrepl rid’ and Server-ID are different. The rest of the config is the same.
provider is the hostname of the ‘other’ node.
Rid/Server-ID need to be unique
FooBar
23 Feb 09 at 16:45
does not work
Yes, so I was unable to make this work. First off, the website has unicode ” characters. Managed to get over that.
But then adding the ldif I get this:
ldap_add: DSA is unwilling to perform
ldap_add: additional info: no global superior knowledge
Even worse, if I substitute my domain and tld, the result is:
ldap_add: Naming violation
ldap_add: additional info: value of naming attribute ‘dc’ is not present in entry
Georges
2 Mar 09 at 10:10
Linux and Solaris10 clients are all correctly authenticating, but the password policy isn’t picked up by either one.
Having not started from scratch (ldap/berkeley installation already in place), I’m having some trouble with the overlay + password policy.
When I have the overlay in the slapd.conf, it trips on startup over the fact that it can’t find the ppolicy overlay. Do I need to recompile the berkeley db?
Ape
6 Apr 09 at 13:33
@Ape: That shouldn’t be required. OpenLDAP will fail if the overlay for ppolicy is defined in the config file before the database. So make sure the definition is after the database config.
You could try to enable it only for 1 or 2 specific users first, and keep an eye out on the logfile.
FooBar
6 Apr 09 at 13:57
I’ve put the overlay ppolicy lines at the absolute bottom of slapd.conf. No luck, well some, but all of it bad. The ‘overlay ppolicy’ statement is the first overlay called in the slapd.conf. When I remove it and put in the ‘overlay unique’ statement it trips over that one. I don’t recall having compiled openldap with --enable-overlays, so for good measure I did so just now. Sadly, without better luck.
Ape
6 Apr 09 at 15:04
Apparently I felt the need to nominate myself for Village Idiot. When recompiling with modules and overlays enabled I managed to not modify the prefix path to match my installation. So any tests I performed thereafter was still not using the recompiled version.
The ppolicy overlay is correctly loading now that I’m using the correct path.
Sorry if I have wasted your time..
Ape
15 Apr 09 at 10:30
Greetings,
Following this and other guides, I spent quite some hours trying to get openldap-2.4.11 and the native Solaris 10 client to run with TLS/SSL but so far not even successful on one single Solaris 10 machine. ldaplist always gives me “ldaplist: Object not found (Session error no available conn.)” and id azhang always “id: invalid user name: "azhang"”. However, “ldapsearch -x -p 636 -Z -h” would work.
I was wondering if I could get some help if I posted my config and debug output.
Anchi Zhang
22 Apr 09 at 23:03
Hope You can help,
AIX – LDAP Client
LDAP Master – Linux machine OpenLdap
Need to add attributes like ShadowMax ShadowMin to the LDAP user accounts. I am using the /etc/security/ldap/2307user.map file with # The following attributes are optional
maxage SEC_INT shadowmax s
minage SEC_INT shadowmin s
maxexpired SEC_INT shadowexpire s
pwdwarntime SEC_INT shadowwarning s —
…So the question is how do I get the command “lsldap -a passwd jsmith” to show the attributes ShadowMax shadowMin ???
Joe Zoda
5 Jun 09 at 19:45
I managed to get pam_mkuserhome working on AIX 5.3 TL9 SP3 by making sure firstly that:
1. System is set for PAM authentication:
chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH
2. OpenSSH is configured to use PAM:
/etc/ssh/sshd_config:
UsePAM yes
3. /etc/pam.conf contains:
sshd session optional /usr/lib/security/pam_mkuserhome
… just before the pam_prohibit in the session section of the file.
4. Use the latest version of OpenSSH – 5.0.0.5302. Version 4.3.0.5301 configured in the same way did NOT work.
pmcenery
11 Jun 09 at 08:07
I couldn’t get the “cn=default,ou=policies, dc=domain,dc=tld” added as above on OpenLDAP on Debian (lenny). I had to make modifications.
When running a ldapadd on I would get this:
examplehost:/etc/ldap/schema# ldapadd -x -D “cn=admin, dc=example, dc=com” -W -f /tmp/solaris.ldap.info.2.ldif
Enter LDAP Password:
adding new entry “cn=default,ou=policies,dc=example,dc=com”
ldap_add: Invalid syntax (21)
additional info: pwdAttribute: value #0 invalid per syntax
Then I found this link which I think describes the problem.
http://www.openldap.org/its/index.cgi?findid=4025
Followup 6 of that link describes changing the value from userPassword to the OID of userPassword.
Once I changed this:
pwdAttribute: userPassword
with this:
#pwdAttribute: userPassword
pwdAttribute: 2.5.4.35
I was able to add the “cn=default,ou=policies, dc=domain,dc=tld” dn (or in my case “cn=default,ou=policies,dc=example,dc=com”).
I haven’t gotten far enough into integrating Solaris 10 in to the LDAP server to know if Solaris will accept this, so I’m not sure yet if this will work.
I also had problems adding that same distinguished name after I’d fixed the pwdAttribute value as well.
I got:
examplehost:/etc/ldap/schema# ldapadd -x -D “cn=admin, dc=example, dc=com” -W -f /tmp/solaris.base.ldap.info.2.ldif
Enter LDAP Password:
adding new entry “cn=default,ou=policies,dc=example,dc=com”
ldap_add: Invalid syntax (21)
additional info: pwdMaxAge: value #0 invalid per syntax
But this was caused by a space being present after the line:
pwdMaxAge: 10
in my LDIF file. Once the space was removed, it worked fine.
Hope that helps somebody.
spods
21 Jun 09 at 07:15
Hi,
I have a working Linux OpenLDAP server and I need to set up an OpenLDAP client on an AIX box. I have this set up but am not 100% sure it is all correct. I was able to do “ldapsearch -x” from it, but if I do a “su - test1”, it said “test1” does not exist. This tells me that there is some problem with communication between the Linux OpenLDAP server and the AIX OpenLDAP client.
Once this is set up, a new user will be created and its home directory will be on /gpfs/home_dir. This is the GPFS cluster directory and it exists on the AIX box but NOT on the Linux one.
ph
28 Aug 09 at 13:17
When running:
mksecldap -c -h 155.157.234.103 -a cn=root -p xxxxx -d dc=raytheon,dc=com -A ldap_auth
I got this error:
3001-730 Invalid bind DN or bind passwd.
Client presetup check failed.
ph
28 Aug 09 at 13:39
thanks, your pam.conf helped me a lot!
nik m
3 Feb 10 at 20:55
argh!
Locked myself out after edits to pam.conf and nsswitch.conf
using solaris 10,
any suggestions?
STM
19 Feb 10 at 00:04
STM: Boot off Solaris 10 media, mount your root disk, undo pam.conf changes and reboot.
PJ
24 Feb 10 at 16:29
So, now I’m at the state where I cannot log in via LDAP on Solaris, but I can su – . When I try to log in it says something about pam_ldap not having a valid method defined on the console. I basically copied your pam.conf.
Got any ideas? I’m not sure my domain name matched the OpenLDAP server, but that’s the only thing I can see different from your configuration.
Help me Obi Wan…
JarOfSonicMen
26 Feb 10 at 01:31
Oops. I lied. You can do a sudo su – as root. As a regular (local) user it says the same thing as when you try to log in:
pam_ldap: No legal authentication method configured.
JarOfSonicMen
26 Feb 10 at 21:52
OK, so, dumb question: What formats does the Solaris native LDAP client support encrypting passwords in? Is it still just crypt (as Sun’s troubleshooting documentation suggests)? I’m not sure it supports the one our server is configured for.
JarOfSonicMen
8 Mar 10 at 06:37
Probably only crypt, but it should send the password in plaintext to the LDAP server, which will encrypt it with it’s hashing algorithm of choice (SSHA in most cases)
foobar
9 Mar 10 at 08:49
OK, got it working. The “no valid authentication method configured” error is its way of telling me to use a -a authenticationMethod=simple in my call to ldapclient. I had to set it up with the manual flag because I don’t have control of the LDAP server. Turned out that we were able to use anonymous credentials and simple authentication BUT for some reason, to get ldapclient to take (not fail) we still had to supply a proxyPassword. It did not matter what value we used for the password.
JarOfSonicMen
10 Mar 10 at 20:22
Oh, I should say that I have not tested changing the password – I don’t need that to work, so I’m leaving be for now.
JarOfSonicMen
10 Mar 10 at 20:23
Solaris doesn’t need a workaround nor a pam module
http://bugs.opensolaris.org/view_bug.do?bug_id=6211761
Ibraima
16 Mar 10 at 12:56
FYI – I have used a lot of this to get an AIX LDAP client to authenticate to an OID (Oracle Internet Directory) LDAP server as well as getting the client to create the user’s home directory if it doesn’t already exist. I would like to get PAM to create the user on the AIX machine if it doesn’t exist on first login – is this possible in AIX and if so does anyone know of a PAM module to do the job?
Steve
Stevo
21 Mar 10 at 22:54
It is possible to compile the Linux PAM module(pam_mkhomedir.so) for solaris, we currently are using this now in production & it does work, google for more info..
Frank
19 Apr 10 at 15:11
Added a section on AIX Clients to improve interoperability with Linux and Solaris.
shadowlastchange has a flag to save times in (standard) days.
This only works for AIX 5.3 TL 09 or newer, and AIX 6.1 TL 03 or newer.
This option is not documented in the config-file. But info can be found here: http://www.gate.io/tiki-send_blog_post.php?postId=29
foobar
27 May 10 at 13:10
Hi Foobar,
For AIX I knew that you require a separate schema. But it seems you worked without it. Can you please confirm, as I would start work on this from tomorrow. Also the link you have provided isn’t working.
The link given for AIX “http://www.gate.io/tiki-send_blog_post.php?postId=29” is not working.
Thanks for all the trouble you took, to update the details.
See your next update very soon.
Kas
14 Nov 10 at 05:49
Hi,
Thanks for this. Haven't tried it yet but I have 2 remarks:
The duaconf.schema isn't provided with the openldap package, you can find it there http://itsecureadmin.com/wiki/index.php/DUAConfig.schema (you should add it)
There is a typo error for the UserPassword of proxyagent
It’s UserPassword: MUNGED and not UserPassword::
Gautier
27 Jan 11 at 13:24
Hi,
Do you have a completed writeup on this please, I cannot get it to work
Thanks
Wynand
18 Feb 11 at 13:20
[...] . The other thing is you have to use a proxy user that’s used to search for the accounts, otherwise authentication just won’t work. Have a read of Sun’s LDAP client docs too, and this guide. [...]
How do I make a Solaris 10 based NFS server get username data from a remote OpenLDAP server? Drija
20 Apr 11 at 03:13