Sunray LDAP authentication

I'm trying to get Sun Rays to authenticate using LDAP. So far I can log in successfully over SSH with an LDAP account, but not on a Sun Ray. When I try to log in on a Sun Ray, it says incorrect login immediately. When I purposely type in the wrong password, it takes a while to come back with incorrect login instead of failing immediately, so I think something is happening.

Here's what the access log shows when I try to log in:

[08/Aug/2006:09:40:33 -0600] conn=11551 op=-1 msgId=-1 - fd=312 slot=312 LDAP connection from xx.xx.xx.xx to xx.xx.xx.xx

[08/Aug/2006:09:40:33 -0600] conn=11551 op=0 msgId=1 - BIND dn="cn=proxyagent,ou=profile,dc=server,dc=example,dc=com" method=128 version=3

[08/Aug/2006:09:40:33 -0600] conn=11551 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=server,dc=example,dc=com"

[08/Aug/2006:09:40:33 -0600] conn=11551 op=1 msgId=2 - SRCH base="ou=people,dc=server,dc=example,dc=com" scope=1 filter="(&(objectClass=shadowAccount)(uid=user))" attrs="uid userPassword shadowFlag"

[08/Aug/2006:09:40:33 -0600] conn=11551 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0

[08/Aug/2006:09:40:33 -0600] conn=11551 op=2 msgId=3 - UNBIND

[08/Aug/2006:09:40:33 -0600] conn=11551 op=2 msgId=-1 - closing - U1

[08/Aug/2006:09:40:33 -0600] conn=11551 op=-1 msgId=-1 - closed.

And here's my pam.conf:

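#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
# Field separators restored; each entry reads
#   service  module-type  control-flag  module-path  [options]
# Entries run top to bottom, so order is part of the policy.
# pam_unix_auth is "sufficient" with no server_policy option: when it
# succeeds the stack ends there and pam_ldap is never consulted.
# NOTE(review): for LDAP accounts that presumably means the password is
# compared with a hash fetched through the name service (compare the
# proxyagent search for userPassword in the access log) rather than
# checked by a bind as the user - confirm this is intended, because
# directory-side lockout and password policy only see binds.
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1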

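#
# rlogin service (explicit because of pam_rhost_auth)
#
# Field separators restored.
# pam_rhosts_auth is first and "sufficient": a caller accepted by the
# rhosts/hosts.equiv trust check is let in without any password module
# running. Keep the rlogin service disabled unless that host-based trust
# is actually wanted.
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1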

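#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# Field separators restored.
# The only authentication decision in this stack is the rhosts trust
# check; no password module is listed. Leave rsh disabled unless that is
# acceptable for the hosts involved.
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1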

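#
# Kerberized rlogin service
#
# Field separators restored.
# "binding": a pam_krb5 success ends the stack (provided no earlier
# required module failed); a failure is recorded like "required" and the
# stack continues to pam_unix_auth.
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1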

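#
# PPP service (explicit because of pam_dial_auth)
#
# Field separators restored.
# Same pattern as the login stack: pam_unix_auth (sufficient, no
# server_policy) is tried before pam_ldap, and pam_ldap only runs when
# pam_unix_auth does not succeed.
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_ldap.so.1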

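#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
# Field separators restored.
# Every service without auth entries of its own falls through to this
# stack, so a change here affects all of them at once.
# NOTE(review): presumably this is the stack the working SSH logins go
# through - confirm which service name sshd uses on this host.
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1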

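#
# passwd command (explicit because of a different authentication module)
#
# Field separators restored.
# pam_passwd_auth is "sufficient"; pam_ldap is only reached when it does
# not succeed.
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1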

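#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
# Field separators restored.
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
# NOTE(review): unlike the Sun Ray stacks further down, this default
# account stack has no pam_ldap entry; confirm whether directory-side
# account state (lockout, expiry) should also be enforced for services
# that fall through to "other".
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1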

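#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
# Field separators restored.
other   session required        pam_unix_session.so.1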

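#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
# Field separators restored.
# The two "requisite" entries stop the stack at once if the new password
# cannot be obtained or fails the checks, so pam_authtok_store is never
# reached with a rejected password.
# NOTE(review): pam_authtok_store has no server_policy option here,
# whereas the Sun Ray stacks in this file pass it; confirm how a new
# password is hashed and written for LDAP accounts.
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1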

#

# Support for Kerberos V5 authentication and example configurations can

# be found in the pam_krb5(5) man page under the "EXAMPLES" section.

#

# added to xscreensaver by SunRay Server Software -- xscreensaver
# Screen-unlock stack. The Sun Ray module is consulted first and, being
# "sufficient", can satisfy auth on its own; what it checks is not shown
# on this page.
# server_policy on pam_unix_auth / pam_unix_account leaves accounts whose
# authority is a server (here LDAP) to the pam_ldap entry that follows,
# so for those accounts the "required" pam_ldap line decides the result.

xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay

xscreensaver auth requisite pam_authtok_get.so.1

xscreensaver auth required pam_dhkeys.so.1

xscreensaver auth required pam_unix_cred.so.1

xscreensaver auth sufficient pam_unix_auth.so.1 server_policy

xscreensaver auth required pam_ldap.so.1

xscreensaver account requisite pam_roles.so.1

xscreensaver account sufficient pam_unix_account.so.1 server_policy

xscreensaver account required pam_ldap.so.1

xscreensaver session required pam_unix_session.so.1

xscreensaver password required pam_dhkeys.so.1

xscreensaver password requisite pam_authtok_get.so.1

xscreensaver password requisite pam_authtok_check.so.1

xscreensaver password required pam_authtok_store.so.1 server_policy

# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
# Stack for the dtlogin-SunRay service. Entries of one module type are
# evaluated in file order, independent of the other types interleaved here.
# auth: Sun Ray modules run first, then the password is collected and
# pam_unix_auth (sufficient, server_policy) is tried before pam_ldap.
# With server_policy, LDAP accounts are left to pam_ldap, so the
# "required" pam_ldap entry decides the result for them.
# NOTE(review): the access-log excerpt in the question shows only the
# proxyagent BIND and a search, no BIND as the user; if none appears
# elsewhere in the log, check why pam_ldap's bind never reaches the
# server before changing the stack.

dtlogin-SunRay session required pam_unix_session.so.1

dtlogin-SunRay password required pam_dhkeys.so.1

dtlogin-SunRay password requisite pam_authtok_get.so.1

dtlogin-SunRay password requisite pam_authtok_check.so.1

dtlogin-SunRay password required pam_authtok_store.so.1 server_policy

dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so

dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username

dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt

dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser

dtlogin-SunRay auth requisite pam_authtok_get.so.1

dtlogin-SunRay auth required pam_dhkeys.so.1

dtlogin-SunRay auth required pam_unix_cred.so.1

dtlogin-SunRay auth sufficient pam_unix_auth.so.1 server_policy

dtlogin-SunRay auth required pam_ldap.so.1

dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so

dtlogin-SunRay account requisite pam_roles.so.1

dtlogin-SunRay account sufficient pam_unix_account.so.1 server_policy

dtlogin-SunRay account required pam_ldap.so.1

# added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
# Same layout as the xscreensaver stack: Sun Ray module first
# (sufficient), then pam_unix_auth with server_policy, then pam_ldap as
# the "required" module for accounts held on the directory server.

dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay

dtsession-SunRay auth requisite pam_authtok_get.so.1

dtsession-SunRay auth required pam_dhkeys.so.1

dtsession-SunRay auth required pam_unix_cred.so.1

dtsession-SunRay auth sufficient pam_unix_auth.so.1 server_policy

dtsession-SunRay auth required pam_ldap.so.1

dtsession-SunRay account requisite pam_roles.so.1

dtsession-SunRay account sufficient pam_unix_account.so.1 server_policy

dtsession-SunRay account required pam_ldap.so.1

dtsession-SunRay session required pam_unix_session.so.1

dtsession-SunRay password required pam_dhkeys.so.1

dtsession-SunRay password requisite pam_authtok_get.so.1

dtsession-SunRay password requisite pam_authtok_check.so.1

dtsession-SunRay password required pam_authtok_store.so.1 server_policy

# added to utnsclogin by SunRay Server Software -- utnsclogin
# No "sufficient" Sun Ray module opens the auth stack here: the user
# name comes from sunray_get_user (requisite), then the usual password
# sequence runs, with server_policy leaving LDAP accounts to pam_ldap.

utnsclogin account requisite pam_roles.so.1

utnsclogin account sufficient pam_unix_account.so.1 server_policy

utnsclogin account required pam_ldap.so.1

utnsclogin session required pam_unix_session.so.1

utnsclogin password required pam_dhkeys.so.1

utnsclogin password requisite pam_authtok_get.so.1

utnsclogin password requisite pam_authtok_check.so.1

utnsclogin password required pam_authtok_store.so.1 server_policy

utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username

utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

utnsclogin auth requisite pam_authtok_get.so.1

utnsclogin auth required pam_dhkeys.so.1

utnsclogin auth required pam_unix_cred.so.1

utnsclogin auth sufficient pam_unix_auth.so.1 server_policy

utnsclogin auth required pam_ldap.so.1

# added to utadmingui by SunRay Server Software -- utadmingui
# Single-entry stack: this Sun Ray module is the only auth module listed
# for the service, so its result alone decides authentication.

utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1

# added to utgulogin by SunRay Server Software -- utgulogin
# Only Sun Ray modules appear in this stack; no pam_authtok_get,
# pam_unix_auth or pam_ldap entry is listed for the service. The
# "requisite" entries end the stack immediately on failure.

utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username

utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge

utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt

utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

[9394 byte] By [nate.wheeler] at [2007-11-26 9:19:45]

I got it working with a change to my pam.conf; the Sun Ray part is now:

# Screen-unlock stack after the change. Compared with the listing in the
# question, the pam_ldap auth and account entries are gone, pam_unix_auth
# and pam_unix_account are now "required", and no server_policy option
# remains.
# NOTE(review): apart from the leading Sun Ray module, unlocking is now
# decided by pam_unix_auth alone. For LDAP accounts that presumably works
# only while the password hash can be read through the name service, and
# unlike the other Sun Ray stacks there is no pam_ldap entry behind it -
# confirm this is intended.
xscreensaver auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay

xscreensaver auth requisite pam_authtok_get.so.1

xscreensaver auth required pam_dhkeys.so.1

xscreensaver auth required pam_unix_cred.so.1

xscreensaver auth required pam_unix_auth.so.1

xscreensaver account requisite pam_roles.so.1

xscreensaver account required pam_unix_account.so.1

xscreensaver session required pam_unix_session.so.1

xscreensaver password required pam_dhkeys.so.1

xscreensaver password requisite pam_authtok_get.so.1

xscreensaver password requisite pam_authtok_check.so.1

xscreensaver password required pam_authtok_store.so.1

# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
# Compared with the listing in the question, server_policy has been
# dropped from pam_unix_auth, pam_unix_account and pam_authtok_store, and
# the leading "account sufficient pam_sunray.so" entry is no longer
# present.
# NOTE(review): without server_policy, pam_unix_auth (sufficient)
# presumably authenticates LDAP accounts itself from the userPassword
# hash read through the proxy agent, so pam_ldap's bind as the user is
# only reached when that comparison fails. Two things to verify before
# relying on this: (1) directory-side lockout and password policy that
# depend on user binds may no longer apply to these logins; (2) the proxy
# agent needs read access to password hashes, so review the ACIs on
# userPassword and how the proxy credentials are protected on clients.

dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so

dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username

dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt

dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser

dtlogin-SunRay auth requisite pam_authtok_get.so.1

dtlogin-SunRay auth required pam_dhkeys.so.1

dtlogin-SunRay auth required pam_unix_cred.so.1

dtlogin-SunRay auth sufficient pam_unix_auth.so.1

dtlogin-SunRay auth required pam_ldap.so.1

dtlogin-SunRay account requisite pam_roles.so.1

dtlogin-SunRay account sufficient pam_unix_account.so.1

dtlogin-SunRay account required pam_ldap.so.1

dtlogin-SunRay session required pam_unix_session.so.1

dtlogin-SunRay password required pam_dhkeys.so.1

dtlogin-SunRay password requisite pam_authtok_get.so.1

dtlogin-SunRay password requisite pam_authtok_check.so.1

dtlogin-SunRay password required pam_authtok_store.so.1

# added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
# Same entries as in the question's listing minus the server_policy
# option. pam_unix_auth (sufficient) is therefore tried for every
# account, and pam_ldap only runs when it does not succeed.
# NOTE(review): pam_unix_account is "sufficient" as well, so when it
# succeeds the pam_ldap account entry is skipped - confirm that
# directory-side account state is still enforced where it needs to be.

dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay

dtsession-SunRay auth requisite pam_authtok_get.so.1

dtsession-SunRay auth required pam_dhkeys.so.1

dtsession-SunRay auth required pam_unix_cred.so.1

dtsession-SunRay auth sufficient pam_unix_auth.so.1

dtsession-SunRay auth required pam_ldap.so.1

dtsession-SunRay account requisite pam_roles.so.1

dtsession-SunRay account sufficient pam_unix_account.so.1

dtsession-SunRay account required pam_ldap.so.1

dtsession-SunRay session required pam_unix_session.so.1

dtsession-SunRay password required pam_dhkeys.so.1

dtsession-SunRay password requisite pam_authtok_get.so.1

dtsession-SunRay password requisite pam_authtok_check.so.1

dtsession-SunRay password required pam_authtok_store.so.1

# added to utnsclogin by SunRay Server Software -- utnsclogin
# Same modules as in the question's listing, regrouped by module type
# and with server_policy removed from pam_unix_auth, pam_unix_account
# and pam_authtok_store.
# NOTE(review): pam_authtok_store without server_policy - confirm how a
# changed password is hashed and written for LDAP accounts.

utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username

utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

utnsclogin auth requisite pam_authtok_get.so.1

utnsclogin auth required pam_dhkeys.so.1

utnsclogin auth required pam_unix_cred.so.1

utnsclogin auth sufficient pam_unix_auth.so.1

utnsclogin auth required pam_ldap.so.1

utnsclogin account requisite pam_roles.so.1

utnsclogin account sufficient pam_unix_account.so.1

utnsclogin account required pam_ldap.so.1

utnsclogin session required pam_unix_session.so.1

utnsclogin password required pam_dhkeys.so.1

utnsclogin password requisite pam_authtok_get.so.1

utnsclogin password requisite pam_authtok_check.so.1

utnsclogin password required pam_authtok_store.so.1

# added to utadmingui by SunRay Server Software -- utadmingui
# Unchanged from the question's listing: this Sun Ray module is the only
# auth entry for the service.

utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1

#added to utgulogin by SunRay Server Software -- utgulogin
# Unchanged from the question's listing: only Sun Ray modules are
# stacked for this service, and the "requisite" entries end the stack
# immediately on failure.

utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username

utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge

utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt

utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1

natewheeler at 2007-7-6 23:50:08