Hi, we've been using 389-ds running on RedHat 7; our LDAP clients are many devices and RedHat Linux machines, and now we want to add Solaris 10/11.
We have a DUAProfile created, and Solaris 11 LDAP client initialisation was successful with the command:
"ldapclient -v init -a domainname=<example.com> -a profileName=solaris11 <server_ip>"
The command "ldapclient list" shows:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= <ldap-server>
NS_LDAP_SEARCH_BASEDN= dc=<example>,dc=com
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= solaris11
NS_LDAP_SERVICE_SEARCH_DESC= passwd:l=AMER,dc=<example>,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:l=AMER,dc=<example>,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Groups,dc=<example>,dc=com?sub
NS_LDAP_BIND_TIME= 10
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
Some other relevant files' configurations are:
# grep ldap /etc/nsswitch.conf
passwd: files ldap
group: files ldap
netgroup: ldap
automount: files ldap
printers: user files ldap
# cat /etc/pam.d/login
auth requisite pam_authtok_get.so.1 debug
auth required pam_dhkeys.so.1 debug
auth required pam_unix_cred.so.1 debug
#auth binding pam_unix_auth.so.1 server_policy
auth sufficient pam_unix_auth.so.1 server_policy debug
auth required pam_ldap.so.1 debug
# cat /etc/pam.d/other | grep -v ^# | grep -v ^$
auth definitive pam_user_policy.so.1 debug
auth requisite pam_authtok_get.so.1 debug
auth required pam_dhkeys.so.1 debug
auth required pam_unix_cred.so.1 debug
auth sufficient pam_unix_auth.so.1 server_policy debug
auth required pam_ldap.so.1 debug
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
account required pam_tsol_account.so.1
session definitive pam_user_policy.so.1
session required pam_unix_session.so.1
password definitive pam_user_policy.so.1
password include pam_authtok_common
password required pam_authtok_store.so.1
Unfortunately, the LDAP client cannot SSH in; the logs are:
sshd[2497]: [ID 293258 auth.warning] libsldap: Status: 50 Mesg: LDAP ERROR (50): Insufficient access.
sshd[2497]: [ID 717705 auth.debug] pam_user_policy: pam_sm_authenticate(flags = 0x1, argc = 1)
sshd[2497]: [ID 771769 auth.debug] pam_user_policy: find_pam_policy: pam_policy = NULL for user 'zare'
sshd[2497]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
sshd[2497]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
sshd[2497]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd-kbdint zare), flags = 1
sshd[2497]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
sshd[2497]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
sshd[2497]: [ID 800047 auth.notice] Failed keyboard-interactive for zdudic from 10.211.55.1 port 52876 ssh2
sshd[2497]: [ID 717705 auth.debug] pam_user_policy: pam_sm_authenticate(flags = 0x1, argc = 1)
sshd[2497]: [ID 771769 auth.debug] pam_user_policy: find_pam_policy: pam_policy = NULL for user 'zare'
sshd[2497]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Any help is appreciated, thanks.
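As an added example (not code from the post, from 389-ds or from Solaris), a small Python checker that parses `ldapclient list` output and reports whether the client has a bind method and credential level configured and whether a simple bind runs without TLS. The listing in the post carries no NS_LDAP_AUTH, NS_LDAP_SERVICE_AUTH_METHOD or NS_LDAP_CREDENTIAL_LEVEL line; the sample input below is constructed from that listing with example values in place of the site placeholders.

```python
import re

# Constructed sample: an abbreviated copy of the `ldapclient list` output in the
# post, placeholders replaced by example values. Like the original it has no
# NS_LDAP_AUTH, NS_LDAP_SERVICE_AUTH_METHOD or NS_LDAP_CREDENTIAL_LEVEL line.
SAMPLE_LISTING = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_PROFILE= solaris11
NS_LDAP_SERVICE_SEARCH_DESC= passwd:l=AMER,dc=example,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
"""

LINE_RE = re.compile(r'^(NS_LDAP_[A-Z_]+)=\s*(.*)$')

def parse_ldapclient_list(text):
    """Parse `ldapclient list` output into {key: [value, ...]}; repeated keys accumulate."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cfg.setdefault(m.group(1), []).append(m.group(2).strip())
    return cfg

def audit_bind_settings(cfg):
    """Return a list of findings about how this client binds to the directory."""
    findings = []
    # pam_ldap uses the pam_ldap entry of serviceAuthenticationMethod when present,
    # otherwise authenticationMethod; with neither, it has no method to bind with.
    service_methods = [v.split(':', 1)[1] for v in cfg.get('NS_LDAP_SERVICE_AUTH_METHOD', [])
                       if v.startswith('pam_ldap:')]
    methods = service_methods or cfg.get('NS_LDAP_AUTH', [])
    if not methods:
        findings.append('no authentication method for pam_ldap (NS_LDAP_AUTH and '
                        'NS_LDAP_SERVICE_AUTH_METHOD absent)')
    for method in methods:
        if method.lower() == 'none':
            findings.append('authentication method "none": password cannot be verified')
        elif method.lower() == 'simple':
            findings.append('authentication method "simple" without tls: password sent in clear')
    if 'NS_LDAP_CREDENTIAL_LEVEL' not in cfg:
        findings.append('NS_LDAP_CREDENTIAL_LEVEL absent: credential level defaults to anonymous')
    return findings

if __name__ == '__main__':
    for finding in audit_bind_settings(parse_ldapclient_list(SAMPLE_LISTING)):
        print('WARN:', finding)
```

Run it against the real output with `ldapclient list | python3 checker.py`-style piping by reading sys.stdin in place of SAMPLE_LISTING.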