[email protected] wrote:
> Ok, I sort of have this working now, but there are still some loose ends.
> Comments inline
>
>>>> 2. Setup Solaris properly
>>>> NS_LDAP_AUTH=tls:simple
>>>> NS_LDAP_CREDENTIAL_LEVEL=proxy
>>>> NS_LDAP_BINDDN=uid=solaris,cn=sysaccounts,cn=etc,dc=ipacloud,dc=test
>>>> NS_LDAP_BINDPASSWD=ohaimakethissimethingtoughtobreak
>>>> NS_LDAP_CACHETTL=0
>>>> NS_LDAP_HOST_CERTPATH=/var/ldap
>
> When I added NS_LDAP_HOST_CERTPATH to the ldap_client_file it complained
> about that particular setting being invalid. I think that setting doesn't
> exist on Solaris 10? I had to remove that line.
>
>>> Is that functionally equivalent to what you were trying to do with the
>>> cert database or were you trying to do something different?
>> More or less -- create an NSS database and add a CA cert there.
>
> OK, great, I think the manual copy worked. The reason is because if I
> delete those 2 .db files I get the following log entries:
>
> [ID 293258 daemon.warning] libsldap: Status: 91 Mesg: createTLSSession:
> failed to initialize TLS security (security library: bad database.)
> [ID 545954 daemon.error] libsldap: makeConnection: failed to open
> connection to ipadc1.ipadomain.net
> [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL
> mode for __ns_ldap_getRootDSE. createTLSSession: failed to initialize TLS
> security (security library: bad database.)
>
> But if those 2 files I manually copied exist, then those messages don't
> happen.
>
> Also, FYI, certutil is not really supported on Solaris 10. Any download
> links to that program are now 404. It wasn't included in the Solaris 10
> cd either.
SUNWtlsu which installs in /usr/sfw/bin/certutil. It's in my install. I
don't recall if I did any CD swapping during the install or not, though I
installed x86 from iso.

>> PAM has different stages -- authentication, session, etc. Shell,
>> UID/GID and other parameters are coming from the nsswitch interface, not
>> PAM.
>>
>> On the other hand PAM allows stacking multiple modules to perform the
>> same action, so you can have both pam_krb5 and pam_ldap in the stack and
>> cover both Kerberos ticket and password-based logins.
>>
>>> Also, if what you wrote below is true and AD users are authenticated not
>>> by kerberos, but by authenticated ldap binds, won't that totally fail if
>>> I don't mention pam_ldap in my pam configuration?
>> Yep, it would fail, but there are a few separate things we need to clarify
>> first.
>>
>> Did you add your Solaris host into IPA? Did you create a keytab for
>> it? Is your Solaris host FQDN
>>
>> If answers are yes, yes, and yes, then AD users, when connecting to the
>> Solaris host from their Windows machines, will attempt to obtain a Kerberos
>> ticket and the IPA KDC will grant a service ticket to them thanks to the
>> cross-forest trust. When an AD user using putty presents that ticket
>> to Solaris, chances are that pam_krb5 will accept it and allow the login.
>>
>> When AD users have no Kerberos ticket, then they would attempt to do a
>> password login. To verify this login you would need to bind to IPA
>> LDAP as the AD user, using its DN from the compat tree, and then the actual
>> authentication would happen on the IPA master as part of LDAP bind
>> processing.
>
> Yes, yes, and yes :)
>
> OK, I have added the following 2 lines to my pam.conf file and I can now
> authenticate AD users:
> other auth sufficient pam_ldap.so.1
> other account required pam_ldap.so.1
>
> However, I had to use a slightly different setting when initiating the ldap
> client:
>
> ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple
>
> Note that if I chose tls:simple, the bind failed and I received the
> following log entries:
> Mar 5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
> ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg:
> openConnection: simple bind failed - Can't contact LDAP server
> Mar 5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
> ldap_cachemgr[650]: [ID 545954 daemon.error] libsldap: makeConnection:
> failed to open connection to ipadc1.ipadomain.net
> Mar 5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net
> ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to
> anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple
> bind failed - Can't contact LDAP server
>
> So... any ideas why I could bind 'simple' but not 'tls:simple'?

I'd check the 389-ds access log for connection problems.

This works for me:

ldapclient -v manual -a authenticationMethod=tls:simple \
-a defaultSearchBase=dc=example,dc=com \
-a defaultServerList=ipa.example.com \
-a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
-a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=example,dc=com \
-a proxyDN=uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
-a proxyPassword=secret123 \
-a objectclassMap=shadow:shadowAccount=posixAccount

I'd suggest you look at bug https://bugzilla.redhat.com/show_bug.cgi?id=815515

Another IPA user contributed a secure DUA Profile which is quite complete.
rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
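An added triage helper for the two libsldap failures quoted in this thread (example code, not from the thread or from FreeIPA): it checks that the NSS database files the Solaris LDAP client needs for tls:simple are present in the cert directory (/var/ldap in the thread), classifies the syslog lines, and treats the "Falling back to anonymous, non-SSL mode" warning as the finding to fix first, since lookups then run without TLS or proxy credentials. It assumes the classic NSS file names cert8.db and key3.db.

```shell
#!/bin/sh
# Added example (not from the thread). Triage helper for the libsldap
# failures quoted above; assumes the classic NSS file names cert8.db/key3.db.

# Verify the NSS certificate database ldap_cachemgr needs for tls:simple.
check_nss_db() {
    dir="${1:-/var/ldap}"
    missing=""
    for f in cert8.db key3.db; do
        [ -r "$dir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "$dir: missing NSS database file(s):$missing"
        return 1
    fi
    echo "$dir: NSS database present"
}

# Map one syslog line to a likely cause: anon-fallback, nss-database,
# tls-connect or other. The fallback pattern is tested first because the
# fallback line repeats the text of the error that caused it.
classify_libsldap_line() {
    case "$1" in
        *"Falling back to anonymous, non-SSL"*) echo "anon-fallback" ;;
        *"Status: 91"*|*"bad database"*)       echo "nss-database" ;;
        *"Status: 81"*|*"Can't contact LDAP"*) echo "tls-connect" ;;
        *)                                     echo "other" ;;
    esac
}

# Read syslog lines on stdin; return 1 if the client ever fell back to
# anonymous, non-SSL mode (lookups then ran without TLS or credentials).
scan_libsldap_log() {
    fallback=0
    while IFS= read -r line; do
        case "$(classify_libsldap_line "$line")" in
            anon-fallback) fallback=1; echo "FALLBACK: $line" ;;
            nss-database)  echo "NSSDB (check cert8.db/key3.db): $line" ;;
            tls-connect)   echo "CONNECT (check port 636, CA cert, 389-ds access log): $line" ;;
        esac
    done
    [ "$fallback" -eq 0 ]
}

# Demo on a constructed two-line sample modelled on the quoted messages.
printf '%s\n' \
  "libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server" \
  "libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE." \
  | scan_libsldap_log || echo "client ran without TLS; fix the tls:simple setup first"
```

Run it on the Solaris box as `scan_libsldap_log < /var/adm/messages` after `check_nss_db /var/ldap`; a non-zero exit from the scan means the client has been answering lookups over an anonymous, unencrypted connection.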
