Authenticating with LDAP

I am setting up a Solaris computer to authenticate with an LDAP DS on Red Hat (RHDS 7.1). I have gotten to the point where I can type getent passwd and get the list of users, but I can't log in as them. I have a bunch of information below. If you need more information, just ask.

# getent passwd
sdoo:x:1700:500:sdoo:/home/sdoo:/bin/bash
test9991:x:9991:102:test9991:/var/tmp:/bin/sh
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

# getent passwd sdoo
sdoo:x:1700:500:sdoo:/home/sdoo:/bin/bash

# su sdoo
bash-3.00$ su sdoo
Password:
su: Sorry

bash-3.00$ cat /etc/pam.conf
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth sufficient         pam_ldap.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
#other  account sufficient      pam_ldap.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
#
#
#
#
#
#
#
#
#

bash-3.00$ cat /etc/nsswitch.conf
#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd:     ldap files
group:      ldap files
shadow:     ldap files
hosts:      files
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup:   ldap files
automount:  files
aliases:    files
services:   files
printers:   user files
auth_attr:  files
prof_attr:  files
project:    files
bash-3.00$

============ I extracted these users from the LDAP server to show the parameters

# entry-id: 103
dn: uid=sdoo,ou=People, dc=rocaf,dc=aads
modifyTimestamp: 20070725171346Z
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowaccount
objectClass: account
gecos: sdoo
gidNumber: 500
givenName: scooby
sn: doo
loginShell: /bin/bash
uidNumber: 1700
uid: sdoo
cn: scooby doo
homeDirectory: /home/sdoo
userPassword: {SSHA}JMrO4wSMo2l2JKLQyhiaaYSfiJ6WIPy6QKn+uQ==
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20070725155427Z
nsUniqueId: 39fc2101-1dd211b2-80e7c451-f2770000

# entry-id: 81
dn: cn=proxyagent,ou=profile,dc=rocaf,dc=aads
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {SSHA}vAaM167uHBY9671CwK5Tgs4ijjI74HtwPvzv1Q==
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20070717125656Z
modifyTimestamp: 20070717125656Z
nsUniqueId: 2e747e93-1dd211b2-8087c451-f2770000

# entry-id: 92
dn: cn=default, ou=profile, dc=rocaf, dc=aads
modifyTimestamp: 20070725163437Z
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
objectClass: top
objectClass: DUAConfigProfile
profileTTL: 43200
bindTimeLimit: 10
credentialLevel: proxy
searchTimeLimit: 30
defaultSearchScope: one
defaultSearchBase: dc=rocaf,dc=aads
cn: default
authenticationMethod: tls:simple
defaultServerList: 172.20.12.61
creatorsName: cn=directory manager
createTimestamp: 20070723174648Z
nsUniqueId: 9f73d482-1dd111b2-8067c451-f2770000

[8218 byte] By [CLawa] at [2007-11-27 11:45:09]
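The auth stacks quoted above, resolved the way Solaris applies pam.conf (a service with its own entries uses only those; anything else, including su, which has no line of its own in this file, falls through to "other"). This is an added example, not a tool from the original post. The sample configuration is constructed from the login, other and passwd auth lines in the thread, and the ordering check encodes one assumption, taken from the Solaris 10 pam_authtok_get(5) and pam_ldap(5) man pages: pam_unix_auth and pam_ldap read the password that pam_authtok_get placed in PAM_AUTHTOK rather than prompting for it themselves, so a stack that runs them before pam_authtok_get hands them no password at all.

```python
"""Resolve the effective PAM auth stack for a service from a Solaris-style
/etc/pam.conf and check the order of password-handling modules.
Added example for this thread, not a tool the poster used."""
from dataclasses import dataclass

# Constructed sample: the login, other and passwd auth stacks quoted in the thread.
SAMPLE_PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
# Default definitions for Authentication management
other   auth sufficient         pam_ldap.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
# passwd command (explicit because of a different authentication module)
passwd  auth required           pam_passwd_auth.so.1
"""

# Assumption encoded by the check (Solaris 10 man pages): these modules read
# the password that pam_authtok_get placed in PAM_AUTHTOK instead of prompting.
AUTHTOK_PROVIDER = "pam_authtok_get.so.1"
AUTHTOK_CONSUMERS = {"pam_unix_auth.so.1", "pam_ldap.so.1"}


@dataclass(frozen=True)
class PamEntry:
    service: str
    module_type: str   # auth, account, session or password
    control: str       # requisite, required, sufficient, optional or binding
    module: str
    options: tuple


def parse_pam_conf(text):
    """Parse lines of the form 'service module_type control module [options]'.
    Comments and blank lines are skipped; a short line is a configuration error."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, module_type, control, module, *options = fields
        entries.append(PamEntry(service.lower(), module_type.lower(),
                                control.lower(), module, tuple(options)))
    return entries


def effective_stack(entries, service, module_type="auth"):
    """Solaris rule: if the service has any explicit entry for this module
    type, only those entries run; otherwise the 'other' entries apply."""
    service = service.lower()
    explicit = [e for e in entries
                if e.service == service and e.module_type == module_type]
    if explicit:
        return explicit
    return [e for e in entries
            if e.service == "other" and e.module_type == module_type]


def check_auth_ordering(stack):
    """Return the modules that need a collected password but are stacked
    before pam_authtok_get, i.e. they run with no PAM_AUTHTOK available."""
    too_early = []
    provider_seen = False
    for entry in stack:
        if entry.module == AUTHTOK_PROVIDER:
            provider_seen = True
        elif entry.module in AUTHTOK_CONSUMERS and not provider_seen:
            too_early.append(entry.module)
    return too_early


def report(text, service):
    """Human-readable summary of what a given service actually runs."""
    stack = effective_stack(parse_pam_conf(text), service)
    lines = [f"{service}: auth stack"]
    for e in stack:
        lines.append(f"  {e.control:<10} {e.module}")
    for module in check_auth_ordering(stack):
        lines.append(f"  WARNING: {module} runs before {AUTHTOK_PROVIDER}")
    return "\n".join(lines)


if __name__ == "__main__":
    # su has no explicit entry in the quoted file, so it resolves to 'other'.
    for svc in ("su", "login", "passwd"):
        print(report(SAMPLE_PAM_CONF, svc))
```

Run it as is to see the three stacks; point `parse_pam_conf` at the contents of a real /etc/pam.conf to check a live system. The login stack passes the ordering check, while the "other" stack (which su uses) lists pam_ldap as the first module, ahead of pam_authtok_get.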
# 1

Which type of authentication method are you using? None, Simple or SASL? I had a lot of problems, similar to yours, where I was able to "READ" the LDAP DB but unable to authenticate (telnet, ssh etc). The solution was to put the client to use SIMPLE as authentication method.

afberendsena at 2007-7-29 18:00:08
# 2

Is simple the same as tls:simple? I want to use SSL so that passwords are encrypted.

CLawa at 2007-7-29 18:00:08
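On the simple versus tls:simple question, the two differ only in transport: a simple bind sends the bind DN and password as plain BER octet strings, and tls:simple is that same bind carried inside a TLS session. The following is an added example, not code from the thread, that builds and parses an LDAPv3 simple BindRequest as RFC 4511 defines it, so the claim can be checked byte by byte. The DN and password are constructed placeholders, not the proxyagent entry's credentials.

```python
"""Encode and decode an LDAPv3 simple BindRequest (RFC 4511, BER encoding)
to show what a 'simple' bind puts on the wire. Added example for this
thread; the DN and password used below are constructed placeholders."""


def ber_length(n):
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value


def encode_simple_bind(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }.
    message_id is kept below 128 so the INTEGER fits in one content byte."""
    if not 0 <= message_id < 0x80:
        raise ValueError("example supports message IDs below 128")
    bind_request = tlv(0x60,                            # [APPLICATION 0] BindRequest
                       tlv(0x02, bytes([3]))            # version INTEGER 3
                       + tlv(0x04, bind_dn.encode())    # name LDAPDN = OCTET STRING
                       + tlv(0x80, password.encode()))  # simple [0] OCTET STRING, unencrypted
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind_request)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(pdu):
    """Parse an LDAPMessage carrying a simple BindRequest and return
    (message_id, version, bind_dn, password) straight from the bytes."""
    tag, message, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(message, 0)
    tag, body, _ = read_tlv(message, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = read_tlv(body, 0)
    _, dn, pos = read_tlv(body, pos)
    tag, credentials, _ = read_tlv(body, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL credentials use tag 0xA3)")
    return (int.from_bytes(mid, "big"), int.from_bytes(version, "big"),
            dn.decode(), credentials.decode())


def password_visible(pdu, password):
    """True when the password bytes appear verbatim in the PDU, which is
    always the case for a simple bind: only the transport (TLS) hides them."""
    return password.encode() in pdu


if __name__ == "__main__":
    # Constructed credentials, not the thread's proxyagent entry.
    pdu = encode_simple_bind(1, "cn=proxyagent,ou=profile,dc=example,dc=test",
                             "s3cret-example")
    print(pdu.hex())
    print(decode_simple_bind(pdu))
    print("password readable from PDU:", password_visible(pdu, "s3cret-example"))
```

Because the password is recoverable directly from the PDU, the proxy agent's credential configured through the DUA profile is only as protected as the connection carrying it; that protection is exactly what tls:simple adds over plain simple, and it is why the DUA profile's authenticationMethod and the client's TLS setup (server certificate in the client's certificate database) have to agree before the bind can succeed.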