on linux, i had to install a package called nss-pam-ldapd that would do lookups in the directory for users, groups etc.
Description : The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name service information (users, groups, etc.) on behalf of a lightweight nsswitch module.

not sure if this is the case for solaris.

On Mon, Mar 18, 2013 at 8:01 PM, Joe Phan <[email protected]> wrote:
> Hi,
>
> I configured a machine to be LDAP Server (openldap-2.4.32) on Solaris 10.
> Adding users/groups to LDAP Server seems to be ok.
>
> From a second machine, I configured it to be LDAP Client using command
> "ldapclient manual -v -a defaultsearchbase=dc=pg,dc=dtveng,dc=net -a
> domainname=pg.dtveng.net 10.26.82.16". It was successful.
> /var/ldap/ldap_client_file contains appropriate LDAP Server information.
> Openldap-2.4.32 is not installed on the Client Machine.
>
> I updated PAM configuration on Client Machine for su and rlogin, results
> are listed below:
> - rlogin into Client Machine using root - OK
> - rlogin into Client Machine using "jphan" user - Fails
> - After login to Client Machine as root, su from root to "jphan" user -
> OK (Note: jphan user does not exist in Client Machine /etc/passwd, jphan
> user exists in LDAP Server)
> - From "jphan" user, su to another user - Fails
>
> Could someone please take a look at the configuration for rlogin PAM below
> to see if the configuration is correct.
> Please let me know if there is anything missing from my setup.
> Do I need to configure pam.conf on LDAP Server machine as well?
>
> Any help is greatly appreciated.
> Best regards,
> Joe Phan
>
>
> Downloaded and installed following packages from SunFreeWare.com to LDAP
> Server:
> openldap-2.4.32-sol10-sparc-local.gz
> db-4.7.25.NC-sol10-sparc-local.gz
> gcc-3.3.2-sol10-sparc-local.gz
> libgcc-3.3-sol10-sparc-local.gz
> libtool-2.4.2-sol10-sparc-local.gz
> openssl-1.0.1c-sol10-sparc-local.gz
> sasl-2.1.25-sol10-sparc-local.gz
>
> Client Machine configuration:
> - /etc/nsswitch.conf:
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> - /etc/pam.conf:
> apggd08dev# more pam.conf
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> #login auth required pam_unix_auth.so.1
> login auth sufficient pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> login auth required pam_ldap.so.1 debug
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> #rlogin auth required pam_unix_auth.so.1
> rlogin auth sufficient pam_unix_auth.so.1
> rlogin auth required pam_ldap.so.1 debug
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth binding pam_krb5.so.1
> krlogin auth required pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth binding pam_krb5.so.1
> krsh auth required pam_unix_auth.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth binding pam_krb5.so.1
> ktelnet auth required pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> #ppp auth required pam_unix_auth.so.1
> ppp auth sufficient pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> ppp auth required pam_ldap.so.1 debug
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> #other auth required pam_unix_auth.so.1
> other auth sufficient pam_unix_auth.so.1
> other auth required pam_ldap.so.1 debug
> #
> # passwd command (explicit because of a different authentication module)
> #
> #passwd auth required pam_passwd_auth.so.1
> passwd auth sufficient pam_passwd_auth.so.1
> passwd auth required pam_ldap.so.1 debug
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account sufficient pam_ldap.so.1 debug
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
>
>
> jphan user info:
> apggd04dev# ldapsearch -x -b 'dc=pg,dc=dtveng,dc=net' 'uid=jphan'
> # extended LDIF
> #
> # LDAPv3
> # base <dc=pg,dc=dtveng,dc=net> with scope subtree
> # filter: uid=jphan
> # requesting: ALL
> #
>
> # jphan, people, pg.dtveng.net
> dn: uid=jphan,ou=people,dc=pg,dc=dtveng,dc=net
> objectClass: top
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: posixGroup
> cn: jphan
> uid: jphan
> uidNumber: 2003
> gidNumber: 203
> homeDirectory: /export/home/jphan
> loginShell: /usr/bin/csh
> gecos:: Sm9lIFBoYW4gMzEwLTk2NC00MTI1IA==
> shadowLastChange: 0
> shadowMax: 0
> shadowWarning: 0
> userPassword:: ....=
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
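An added example, not from the thread or from Solaris itself: a small evaluator that walks the quoted rlogin auth stack under the Solaris pam.conf(4) control-flag rules (requisite, required, binding, sufficient, optional), so you can see which module's error the framework would report for a given set of module outcomes. The per-module outcomes in `rlogin_ldap_user` are constructed assumptions for illustration, not results observed on the poster's machines.

```python
# (control flag, module) lines of the rlogin auth stack quoted above
RLOGIN_AUTH = [
    ("sufficient", "pam_rhosts_auth.so.1"),
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("sufficient", "pam_unix_auth.so.1"),
    ("required", "pam_ldap.so.1"),
]


def evaluate_stack(stack, outcomes):
    """Walk a stack top to bottom with Solaris pam.conf(4) control-flag rules.
    outcomes maps module name -> True (PAM_SUCCESS) / False (any error).
    Returns (result, trace): "success" or "fail:<module>" naming the module
    whose error the framework reports, plus the list of modules consulted."""
    required_err = optional_err = None
    any_success = False
    trace = []
    for flag, module in stack:
        ok = outcomes[module]
        trace.append((module, ok))
        if ok:
            any_success = True
            # sufficient/binding success ends the stack early unless a
            # required module already failed (that earlier error still wins)
            if flag in ("sufficient", "binding") and required_err is None:
                return "success", trace
            continue
        if flag == "requisite":  # stop at once; an earlier required error wins
            return required_err or f"fail:{module}", trace
        if flag in ("required", "binding"):  # record it, keep walking the stack
            required_err = required_err or f"fail:{module}"
        elif optional_err is None:  # optional, or a sufficient module that failed
            optional_err = f"fail:{module}"
    if required_err:
        return required_err, trace
    if optional_err and not any_success:
        return optional_err, trace
    return "success", trace


def rlogin_ldap_user(ldap_ok):
    """Constructed scenario (assumed, not observed): no rhosts trust applies
    and the user has no /etc/passwd entry, so pam_unix_auth fails; the result
    then rests on pam_ldap, the last required module in the stack."""
    outcomes = {"pam_rhosts_auth.so.1": False, "pam_authtok_get.so.1": True,
                "pam_dhkeys.so.1": True, "pam_unix_cred.so.1": True,
                "pam_unix_auth.so.1": False, "pam_ldap.so.1": ldap_ok}
    return evaluate_stack(RLOGIN_AUTH, outcomes)[0]
```

Because pam_unix_auth is `sufficient`, its failure is recorded only as an optional error and never decides the outcome on its own; the trace shows which module the framework actually blames, which is the one whose debug output is worth reading first.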
