Ok, I sort of have this working now, but there are still some loose ends. Comments inline.

>>> 2. Setup Solaris properly
>>> NS_LDAP_AUTH=tls:simple
>>> NS_LDAP_CREDENTIAL_LEVEL=proxy
>>> NS_LDAP_BINDDN=uid=solaris,cn=sysaccounts,cn=etc,dc=ipacloud,dc=test
>>> NS_LDAP_BINDPASSWD=ohaimakethissimethingtoughtobreak
>>> NS_LDAP_CACHETTL=0
>>> NS_LDAP_HOST_CERTPATH=/var/ldap

When I added NS_LDAP_HOST_CERTPATH to the ldap_client_file it complained about that particular setting being invalid. I think that setting doesn't exist on Solaris 10? I had to remove that line.

>> Is that functionally equivalent to what you were trying to do with the
>> cert database or were you trying to do something different?

> More or less -- create an NSS database and add a CA cert there.

OK, great, I think the manual copy worked. The reason is that if I delete those 2 .db files I get the following log entries:

[ID 293258 daemon.warning] libsldap: Status: 91 Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.)
[ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to ipadc1.ipadomain.net
[ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. createTLSSession: failed to initialize TLS security (security library: bad database.)

But if those 2 files I manually copied exist, then those messages don't happen.

Also, FYI, certutil is not really supported on Solaris 10. Any download links to that program are now 404. It wasn't included on the Solaris 10 CD either.

> PAM has different stages -- authentication, session, etc. Shell,
> UID/GID and other parameters are coming from nsswitch interface, not
> PAM.
>
> On the other hand PAM allows to stack multiple modules to perform the
> same action so you can have both pam_krb5 and pam_ldap in the stack and
> cover both Kerberos ticket and password-based logins.
>> Also, if what you wrote below is true and AD users are authenticated not
>> by kerberos, but by authenticated ldap binds, won't that totally fail if I
>> don't mention pam_ldap in my pam configuration?
>
> Yep, it would fail but there are few separate things we need to clarify
> first.
>
> Did you add your Solaris host into IPA? Did you create a keytab for
> it? Is your Solaris host FQDN
>
> If answers are yes, yes, and yes, then AD users, when connecting to
> Solaris host from their Windows machines will attempt to obtain Kerberos
> ticket and IPA KDC will grant a service ticket to them thanks to
> cross-forest trust. When AD user using putty would present that ticket
> to Solaris, chances are that pam_krb5 will accept it and allow to login.
>
> When AD users have no Kerberos ticket, then they would attempt to do a
> password login. To verify this login you would need to bind to IPA
> LDAP's as AD user, using its DN from the compat tree and then actual
> authentication would happen on IPA master as part of LDAP bind
> processing.
Yes, yes, and yes :)

OK, I have added the following 2 lines to my pam.conf file and I can now authenticate AD users:

other auth sufficient pam_ldap.so.1
other account required pam_ldap.so.1

However, I had to use a slightly different setting when initiating the ldap client:

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple

Note that if I chose tls:simple, the bind failed and I received the following log entries:

Mar 5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Mar 5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to ipadc1.ipadomain.net
Mar 5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server

So... any ideas why I could bind 'simple' but not 'tls:simple'?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
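Status 81 in the tls:simple log lines above is LDAP_SERVER_DOWN, the client-side code libsldap returns when it cannot bring a connection up at all; with tls:simple that covers the TLS handshake, so "Can't contact LDAP server" does not say whether the problem is the NSS database in /var/ldap, a missing or untrusted CA certificate, the server name not matching the certificate, or port 636 not being reachable. The probe below is an added example (not code from the thread, from FreeIPA or from Solaris) that separates those cases by doing the same thing libsldap does on the wire: a TLS connection to 636 (Solaris' tls:simple speaks LDAP over SSL on 636 rather than StartTLS) followed by an LDAP simple bind, with the BindRequest and BindResponse hand-encoded in BER so it needs only the standard library. The host and proxy DN are the ones from the thread used as placeholders; the CA file path /var/ldap/ipa-ca.pem is an assumption, and the certificate is verified from a PEM file rather than from the NSS cert8.db/key3.db pair, so a success here alongside a failure from ldap_cachemgr points at the contents of that NSS database rather than at the server or the proxy credentials.

```python
"""LDAPS simple-bind probe: tells a TLS-layer failure apart from an LDAP-layer one.

Added example, not from the Freeipa-users thread, FreeIPA or Solaris. Assumes the
IPA master serves LDAP over SSL on port 636 and that its CA certificate is in a
PEM file; host, DN and CA path used in __main__ are placeholders.
"""
import socket
import ssl
import sys

# resultCode values from RFC 4511 that a bind can realistically return.
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                13: "confidentialityRequired", 32: "noSuchObject",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n):
    """BER length octets: short form below 128, long form (0x80 | count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """One TLV: tag octet, length octets, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n):
    """Non-negative INTEGER; a leading 0x00 stops a set high bit reading as a sign."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return ber(0x02, body)


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = ber(0x60, ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(msg_id) + op)


def tlv(buf, pos=0):
    """Decode one TLV starting at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = tlv(body)
    tag, op, _ = tlv(body, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got protocolOp tag 0x%02x" % tag)
    _, code, pos = tlv(op)      # resultCode ENUMERATED
    _, _, pos = tlv(op, pos)    # matchedDN, not needed here
    _, diag, _ = tlv(op, pos)   # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def read_message(sock):
    """Read exactly one BER TLV (one LDAPMessage) from the socket, long-form lengths included."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        extra = _recv_exact(sock, head[1] & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def ldaps_simple_bind(host, dn, password, cafile, port=636, timeout=10.0):
    """('tcp', err) if no connection, ('tls', err) if the handshake or certificate
    check fails, otherwise ('bind', code, name, diag) from the server's BindResponse."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain check against cafile plus hostname check
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return ("tcp", str(e))
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # handshake happens here
            tls.sendall(bind_request(1, dn, password))
            _, code, diag = parse_bind_response(read_message(tls))
            return ("bind", code, RESULT_NAMES.get(code, "other"), diag)
    except ssl.SSLError as e:      # must precede OSError: SSLError is a subclass of it
        return ("tls", str(e))
    except OSError as e:
        return ("tcp", str(e))


if __name__ == "__main__":
    # Placeholders: master and proxy DN from the thread; the CA file path is an assumption.
    host = sys.argv[1] if len(sys.argv) > 1 else "ipadc1.ipadomain.net"
    password = sys.argv[2] if len(sys.argv) > 2 else ""
    dn = "uid=solaris,cn=sysaccounts,cn=etc,dc=ipacloud,dc=test"
    print(ldaps_simple_bind(host, dn, password, "/var/ldap/ipa-ca.pem"))
```

Read the first element of the tuple: 'tcp' means 636 is not reachable at all (the plain-389 'simple' mode never touches it, which is one reason it can work while tls:simple fails); 'tls' means the server answered but the chain or hostname check against the PEM CA failed, and the message names which; 'bind' with code 49 means TLS is fine and the proxy DN or password is what the IPA master rejected. The same CA certificate that makes this probe succeed is the one that has to be trusted inside the NSS database that libsldap reads.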
