Sun Java System Directory Server - Configuring LDAP netgroups
This topic has 68 replies on 5 pages.
pelasri
Posts:2
Registered: 7/6/05
Re: Configuring LDAP netgroups   
Jul 6, 2005 6:02 AM (reply 15 of 68)  (In reply to #13 )

 
Hi Gary,

I'm trying to use netgroup facilities with the SUN Native LDAP client installed on a Solaris 8 server.

I'm using Oracle Internet Directory (from Oracle Application Server 10G) for the LDAP server. It is installed on a Linux server.

Currently, this configuration is working properly with an AIX LDAP client.

Unfortunately, on Solaris, although I have access to the LDAP user accounts, if I update the nsswitch.conf file according to your recommendations for using netgroup facilities, I'm no longer able to log in with any of the LDAP user accounts.

Of course, I have followed all your recommendations, including the pam.conf file update and the following additions to the nisNetgroupTriple attribute from nis.schema on the LDAP server:

EQUALITY  caseIgnoreIA5Match
	SUBSTR  caseIgnoreSubStringsMatch

My kernel patch is 108993-40 (cf. http://sunsolve.sun.com/search/document.do?assetkey=1-26-57638-1), but the following command line returns nothing:

ldapsearch -h <ldap_Server_name> -b <baseDN> -p <ldap_Server_port> -D cn=orcladmin -w <passwd> aci=\*

If anyone has any idea, it would help me greatly.

Thanks,

Patrice
 
gary_tay
Posts:595
Registered: 4/20/05
Re: Configuring LDAP netgroups   
Jul 7, 2005 9:23 PM (reply 16 of 68)  (In reply to #15 )

 
Hi Pelasri,

Just wondering, are you able to perform a simple "ldaplist" command on the Solaris Native LDAP Client?

$ ldaplist -l netgroup

If you can't, host access based on netgroup is not going to work.

The nisNetgroupTriple schema patch is provided by Diego at this URL; it is meant for the OpenLDAP server, NOT for SUN DS, and I am not sure if it will help Oracle Internet Directory.

http://lists.fini.net/pipermail/ldap-interop/2005-January/000211.html

I have no experience using OID, and am not sure if netgroups will work on OID; so far I have seen it work for SUN DS5.2 and OpenLDAP 2.2.X.

However, to make Solaris Native LDAP Clients (Solaris 8 or Solaris 9) work against an OpenLDAP server, I had to do a little hacking to make the OpenLDAP server act like a SUN DS5.2 ldapclient profile provider, as described in the following notes, though I have no idea if they are applicable to OID.

- Add "nisDomain" to rootDN so that "ldapclient" will be able to find this object.

objectClass: nisDomainObject
nisDomain: example.com

- Add two schemas to the OpenLDAP Server, DUAConfigProfile.schema and solaris.schema, to support the ldapclient profiles LDAP data.

- Apply a "result.c" patch to the OpenLDAP server code (I don't know the corresponding OID changes, if any); this again is to make the "ldapclient" command work.

- Create the ou=profile subtree and add cn=ProxyAgent as the proxy-credentials user.

- Create "default" or "customized" ldapclient profile(s) under the ou=profile subtree for simple bind or simple bind + TLS or others, using ldif file or "ldapclient genprofile" command.

- Grant the ACL (again, I don't know the OID equivalent; in OpenLDAP it is in slapd.conf). Note: the order in which it appears with respect to other ACLs is important to make sure it works.

===
access to dn="ou=People,dc=example,dc=com"
by self write
by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
by users auth
by anonymous read
===

- It is advisable to set the password hash scheme to CRYPT in OID, as the netgroups feature is sort of migrated from NIS to LDAP.

- It is advisable to add "shadowAccount" objectclass to your user entries in OID, on top of "posixAccount".

- Note that Solaris "ldapclient" has an irritating behaviour: it resets the "hosts:" entry to "hosts: files ldap". This should be changed back to "hosts: files dns", otherwise things like telnet/ftp/ssh will break on hostname lookup.

You may refer to this URL for the above mentioned hacks.

http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20Solaris9.htm

Rgds
Gary
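As an added illustration of the last note above (this is not code from the thread or from Sun), here is a small Python check that parses an nsswitch.conf, reports whether the "hosts:" line has lost "dns" the way "ldapclient" leaves it, and rewrites only that line. The sample file content is constructed; the source ordering written back ("files dns") is the one the note recommends.

```python
"""Check and repair the 'hosts:' line of nsswitch.conf after 'ldapclient' has rewritten it.

Added example (not from the forum thread or from Sun). The sample content below is
constructed to look like nsswitch.conf right after 'ldapclient init'.
"""
from typing import Dict, List, Tuple

SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
group:      files ldap
hosts:      files ldap
ipnodes:    files
networks:   ldap [NOTFOUND=return] files
netgroup:   ldap
automount:  files ldap
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database to its ordered source list.

    Comments and blank lines are skipped; status clauses such as
    '[NOTFOUND=return]' are dropped so only source names remain.
    """
    sources: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed nsswitch.conf line: {raw!r}")
        sources[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return sources


def hosts_needs_dns(sources: Dict[str, List[str]]) -> bool:
    """True when the 'hosts:' database will never consult DNS (the symptom described above)."""
    return "dns" not in sources.get("hosts", [])


def repair_hosts_line(text: str, wanted: Tuple[str, ...] = ("files", "dns")) -> str:
    """Return the file text with 'hosts:' set to the wanted source order.

    Every other line, comments included, is kept byte-for-byte so the change
    is easy to review in a diff before it is written back to /etc.
    """
    out = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if body.startswith("hosts:"):
            out.append("hosts:      " + " ".join(wanted))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_nsswitch(SAMPLE_NSSWITCH)
    print("hosts sources:", parsed["hosts"], "needs dns:", hosts_needs_dns(parsed))
    print(repair_hosts_line(SAMPLE_NSSWITCH))
```

Run it against a copy of the real file (read the text, call `repair_hosts_line`, diff the result) rather than editing /etc/nsswitch.conf in place.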
 
pbeckhelm
Posts:121
Registered: 3/21/05
Re: Configuring LDAP netgroups   
Jul 8, 2005 10:52 AM (reply 17 of 68)  (In reply to #15 )

 
Regarding authentication with applications:

While I am not well familiar with OID (or at all, for that matter), I do know for a fact that there are some applications that will not consult LDAP netgroups for authentication information. BEA Weblogic seems to be one of them, since I've not only tried just about every way to get it to work, but their support has also said that they don't support it (that should be the word, right?).

OID may require LDAP groups and user information directly, so you may need to configure the bases for your user DNs and your group DNs.

Just a thought...

Patrick
 
pelasri
Posts:2
Registered: 7/6/05
Re: Configuring LDAP netgroups   
Jul 12, 2005 1:57 AM (reply 18 of 68)  (In reply to #16 )

 
Hi Gary,

First of all, thank you for your answer.

As you can see, I'm able to perform a simple "ldaplist" command:

root@my_client $ ldaplist -l passwd user1
dn: cn=user1,cn=users,dc=my,dc=domain,dc=fr
	givenname: patrice
	sn: user1
	telephonenumber: nn.nn.nn.nn.nn
	mail: patrice.user1@domain.com
	objectclass: posixaccount
	objectclass: shadowaccount
	objectclass: top
	objectclass: person
	objectclass: inetorgperson
	objectclass: organizationalperson
	objectclass: orcluser
	objectclass: orcluserv2
	uid: user1
	cn: user1
	employeenumber: 4285
	orclisenabled: ENABLED
	userpassword: {SHA}jXxdbn0wAUXwiPbhRVlxrsfjLZ8=
	authpassword;oid: {SASL/MD5}psAUUZfy7M6Gls8cHBC9CQ==
	authpassword;oid: {SASL/MD5-DN}G/fiA6YEU3776zkaO9mhvA==
	authpassword;oid: {SASL/MD5-U}4S3YML2Y1gAsvEDXHpDH1Q==
	authpassword;orclcommonpwd: {MD5}Np7vuoHXmUi1PdQ1mkuAeg==
	authpassword;orclcommonpwd: {X- ORCLLMV}DBB25BAEDD1A036673251AA2B4314B90
	authpassword;orclcommonpwd: {X- ORCLNTV}6A2CF83044B9750565A8F75A62FA1AB3
	authpassword;orclcommonpwd: {X- ORCLIFSMD5}I4/z1nSsZs60V9BGS4aDlw==
	authpassword;orclcommonpwd: {X- ORCLWEBDAV}uiiUin2s4RDrbZ3qROxpFA==
	orclpassword: {x- orcldbpwd}1.0:FC7678D9B7D06492
	homedirectory: /USERS/user1
	gecos: utilisateur user1
	gidnumber: 9999
	loginshell: /bin/ksh
	uidnumber: 9999
	orclactivestartdate: 20050610000000z
 
root@my_client $ ldaplist -l netgroup
dn: cn=sysadmins,cn=Netgroup,dc=my,dc=domain,dc=fr
	objectclass: nisNetgroup
	objectclass: top
	cn: sysadmins
	nisnetgrouptriple: (,user1,)
	nisnetgrouptriple: (toto,user2,)
 
dn: cn=allusers,cn=Netgroup,dc=my,dc=domain,dc=fr
	membernisnetgroup: sysadmins
	objectclass: nisNetgroup
	objectclass: top
	cn: allusers


However, "getent passwd ldap_userid" returns nothing, although the "ldap_userid" line is returned by the whole "getent passwd" command:

root@my_client $ getent passwd
root:x:0:1:Super-User:/:/usr/bin/ksh
...
user1:x:9999:9999:utilisateur user1:/USERS/user1:/bin/ksh


The same command works properly with a local user:

root@my_client $ getent passwd uucp
uucp:x:5:5:uucp Admin:/usr/lib/uucp:


In fact, as I said in my first message, when I don't use netgroup facilities (cf. nsswitch.conf file update), all is working fine and LDAP users can log into my server.

Here is the "ldapclient" command I used to configure my client:

root@my_client $ ldapclient -i -a simple -b dc=my,dc=domain,dc=fr -c proxy \
	  -D cn=orcladmin -w secret -S "group:cn=Groups,dc=my,dc=domain,dc=fr?one" \
	  -S "netgroup:cn=Netgroup,dc=my,dc=domain,dc=fr?one" \
	  -S "passwd:cn=Users,dc=my,dc=domain,dc=fr?one" \
	  -S "shadow:cn=Users,dc=my,dc=domain,dc=fr?one" XX.XX.XX.XX:3060
 
root@my_client $ ldapclient -l
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=orcladmin
NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxxxxx
NS_LDAP_SERVERS= XX.XX.XX.XX:3060
NS_LDAP_SEARCH_BASEDN= dc=my,dc=domain,dc=fr
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=Users,dc=my,dc=domain,dc=fr?one
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=Groups,dc=my,dc=domain,dc=fr?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=Netgroup,dc=my,dc=domain,dc=fr?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow:cn=Users,dc=my,dc=domain,dc=fr?on


And my nsswitch.conf file :

passwd:     compat
passwd_compat:     ldap
group:      files ldap
shadow:      files ldap
 
# consult /etc "files" only if ldap is down. 
hosts:      files dns ldap
ipnodes:    files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:    ldap [NOTFOUND=return] files
 
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
netmasks:   ldap [NOTFOUND=return] files	
bootparams: ldap [NOTFOUND=return] files
publickey:  ldap [NOTFOUND=return] files
 
netgroup:   ldap
 
automount:  files ldap
aliases:    files ldap
 
# for efficient getservbyname() avoid ldap
services:   files ldap
sendmailvars:   files
 
# role-based access control
auth_attr: files ldap
exec_attr: files ldap
prof_attr: files ldap
user_attr: files ldap
 
# audit
audit_user: files ldap
project:    files ldap

As you can see, my DIT differs from the one usually set up by SUN DS (i.e. "cn=Users" instead of "ou=People", ...).

I would like to know if the changes you applied to your OpenLDAP server are required only by the "ldapclient" command, at configuration time, or whether they are required for using netgroup facilities too.

One last thing: a Linux (SuSE) OpenLDAP client I have configured has a different behaviour: netgroups are supported, except that the host field isn't taken into account.

Regards,

Patrice.
 
gary_tay
Posts:595
Registered: 4/20/05
Re: Configuring LDAP netgroups   
Jul 12, 2005 4:03 AM (reply 19 of 68)  (In reply to #18 )

 
The files that "ldapclient" configures are clearly stated in "man ldapclient"; it does not seem to say anything about netgroups.

So it is at your discretion to decide what you would like to do with the OID configuration; you may check with Oracle tech support whether OID supports UNIX NIS-style netgroups.

You may want to capture the debug output of "getent" and see if there is any useful info.

# truss -aef getent passwd ldap_userid 2>getent.log

# more getent.log

Rgds
Gary
 
Christof_H
Posts:3
Registered: 27/07/05
Re: Configuring LDAP netgroups   
Jul 27, 2005 2:25 AM (reply 20 of 68)  (In reply to #19 )

 
I have the same problem with netgroup. I'm using Solaris 10 x86 with an OpenLDAP server on Linux. Logging in with LDAP users works fine. When I activate netgroup, login/su with an LDAP user fails (the user is in the netgroup). The nis.schema on my OpenLDAP server is patched to match rfc2307bis.
"getent passwd" lists the ldap user, but "getent passwd ldapuser" doesn't. I've included some command outputs and a truss.

-bash-3.00# egrep '(passwd|netgroup)' /etc/nsswitch.conf | grep -v '^#'
passwd:     compat
passwd_compat:  ldap
netgroup:   ldap
-bash-3.00#
-bash-3.00# ldaplist -l netgroup onlyikke
dn: cn=onlyikke,ou=netgroup,dc=haerens,dc=be
        objectClass: nisNetgroup
        objectClass: top
        cn: onlyikke
        nisNetgroupTriple: (,haerench,)
-bash-3.00#
-bash-3.00#
-bash-3.00# grep onlyikke /etc/passwd /etc/shadow
/etc/passwd:+@onlyikke:x:::::
/etc/shadow:+@onlyikke::::::::
-bash-3.00#
-bash-3.00#
-bash-3.00# ldaplist -l passwd haerench
dn: uid=haerench,ou=people,dc=haerens,dc=be
        cn: haerench
        uidNumber: 500
        gidNumber: 500
        gecos: haerench
        loginShell: /bin/bash
        objectClass: posixAccount
        objectClass: shadowAccount
        objectClass: account
        objectClass: top
        uid: haerench
        shadowLastChange: 12953
        shadowMin: 0
        shadowMax: 99999
        shadowWarning: 7
        shadowFlag: 0
        homeDirectory: /export/home/haerench
-bash-3.00#
-bash-3.00#
-bash-3.00# getent passwd | grep haerench
haerench:x:500:500:haerench:/export/home/haerench:/bin/bash
-bash-3.00#
-bash-3.00#
-bash-3.00# getent passwd haerench
-bash-3.00# echo $?
2
-bash-3.00#
-bash-3.00# truss -eaf getent passwd haerench
2332:   execve("/usr/bin/getent", 0x08047DF8, 0x08047E08)  argc = 3
2332:    argv: getent passwd haerench
2332:    envp: TERM=xterm SHELL=/bin/bash
2332:     SSH_CLIENT=192.168.7.1 54228 22 SSH_TTY=/dev/pts/1 USER=root
2332:     MAIL=/var/mail//root PATH=/usr/sbin:/usr/bin PWD=/export/home
2332:     LANG=C TZ=Europe/Brussels SHLVL=1 HOME=/ LOGNAME=root
2332:     SSH_CONNECTION=192.168.7.1 54228 192.168.7.101 22
2332:     _=/usr/bin/truss OLDPWD=/ 
2332:   resolvepath("/usr/bin/getent", "/usr/bin/getent", 1023) = 15
2332:   sysconfig(_CONFIG_PAGESIZE)                     = 4096
2332:   resolvepath("/usr/lib/ld.so.1", "/lib/ld.so.1", 1023) = 12
2332:   xstat(2, "/usr/bin/getent", 0x08047BE8)         = 0
2332:   open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
2332:   xstat(2, "/lib/libsocket.so.1", 0x080474A0)     = 0
2332:   resolvepath("/lib/libsocket.so.1", "/lib/libsocket.so.1", 1023) = 19
2332:   open("/lib/libsocket.so.1", O_RDONLY)           = 3
2332:   mmap(0x00010000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ALIGN, 3, 0) = 0xD27D0000
2332:   mmap(0x00010000, 114688, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON|MAP_ALIGN, -1, 0) = 0xD27B0000
2332:   mmap(0xD27B0000, 42018, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xD27B0000
2332:   mmap(0xD27CB000, 2605, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 45056) = 0xD27CB000
2332:   munmap(0xD27BB000, 65536)                       = 0
2332:   memcntl(0xD27B0000, 11376, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
2332:   close(3)                                        = 0
2332:   xstat(2, "/lib/libnsl.so.1", 0x080474A0)        = 0
2332:   resolvepath("/lib/libnsl.so.1", "/lib/libnsl.so.1", 1023) = 16
2332:   open("/lib/libnsl.so.1", O_RDONLY)              = 3
2332:   mmap(0xD27D0000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xD27D0000
2332:   mmap(0x00010000, 577536, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON|MAP_ALIGN, -1, 0) = 0xD2720000
2332:   mmap(0xD2720000, 521973, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xD2720000
2332:   mmap(0xD27A0000, 19745, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 524288) = 0xD27A0000
2332:   mmap(0xD27A5000, 29912, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0xD27A5000
2332:   mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xD2710000
2332:   memcntl(0xD2720000, 57384, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
2332:   close(3)                                        = 0
2332:   xstat(2, "/lib/libc.so.1", 0x080474A0)          = 0
2332:   resolvepath("/lib/libc.so.1", "/lib/libc.so.1", 1023) = 14
2332:   open("/lib/libc.so.1", O_RDONLY)                = 3
2332:   mmap(0xD27D0000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xD27D0000
2332:   mmap(0x00010000, 843776, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON|MAP_ALIGN, -1, 0) = 0xD2640000
2332:   mmap(0xD2640000, 744005, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xD2640000
2332:   mmap(0xD2706000, 24243, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 745472) = 0xD2706000
2332:   mmap(0xD270C000, 5568, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0xD270C000
2332:   munmap(0xD26F6000, 65536)                       = 0
2332:   memcntl(0xD2640000, 112856, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
2332:   close(3)                                        = 0
2332:   munmap(0xD27D0000, 4096)                        = 0
2332:   mmap(0x00010000, 24576, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON|MAP_ALIGN, -1, 0) = 0xD2630000
2332:   getcontext(0x08047990)
2332:   getrlimit(RLIMIT_STACK, 0x08047988)             = 0
2332:   getpid()                                        = 2332 [2331]
2332:   lwp_private(0, 1, 0xD2632000)                   = 0x000001C3
2332:   setustack(0xD2632060)
2332:   sigfillset(0xD270C6F0)                          = 0
2332:   sysi86(SI86FPSTART, 0xD270CC80, 0x0000133F, 0x00001F80) = 0x00000001
2332:   brk(0x080637C8)                                 = 0
2332:   brk(0x080657C8)                                 = 0
2332:   sysconfig(_CONFIG_PAGESIZE)                     = 4096
2332:   open64("/var/run/name_service_door", O_RDONLY)  = 3
2332:   fcntl(3, F_SETFD, 0x00000001)                   = 0
2332:   door_info(3, 0xD270C3A8)                        = 0
2332:   door_call(3, 0x08047928)                        = 0
2332:   _exit(2)
-bash-3.00#
-bash-3.00#
 


Any suggestions?
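The two posts above (Patrice's and this one) show the same symptom: "getent passwd" lists the LDAP user, but "getent passwd user" comes back empty once "passwd: compat" with "+@netgroup" lines is in play. As an added example, not code from the thread or from Sun or OpenLDAP, the Python below reproduces offline what the name service is doing: it parses nisNetgroup entries shaped like the "ldaplist -l netgroup" output, evaluates membership the way innetgr(3) does (an empty triple field is a wildcard, None means "don't check this field", memberNisNetgroup is followed recursively) and then emulates the compat-mode passwd lookup. All entries are constructed; the assumption that a passwd lookup checks only the user field of the triple is mine, and host-based restrictions are shown through the separate in_netgroup() call.

```python
"""Evaluate NIS-style netgroup membership and 'passwd: compat' lookups offline.

Added example, not code from the thread or from Sun/OpenLDAP. All data is constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Triple = Tuple[str, str, str]                       # (host, user, domain); "" is a wildcard
Netgroups = Dict[str, Tuple[List[Triple], List[str]]]  # name -> (triples, member netgroups)

# Constructed netgroup entries modelled on the 'ldaplist -l netgroup' output in the thread.
NETGROUP_LDIF = """\
dn: cn=sysadmins,cn=Netgroup,dc=example,dc=com
objectclass: nisNetgroup
cn: sysadmins
nisnetgrouptriple: (,user1,)
nisnetgrouptriple: (toto,user2,)

dn: cn=allusers,cn=Netgroup,dc=example,dc=com
membernisnetgroup: sysadmins
objectclass: nisNetgroup
cn: allusers
"""

# Constructed LDAP passwd map (what 'ldaplist -l passwd' would return, as passwd lines).
LDAP_PASSWD = {
    "user1": "user1:x:9999:9999:utilisateur user1:/USERS/user1:/bin/ksh",
    "user2": "user2:x:9998:9998:second user:/USERS/user2:/bin/ksh",
    "guest": "guest:x:9000:9000:guest account:/USERS/guest:/bin/sh",
}

# Constructed /etc/passwd for compat mode: local users first, then a netgroup include.
ETC_PASSWD = [
    "root:x:0:1:Super-User:/:/usr/bin/ksh",
    "uucp:x:5:5:uucp Admin:/usr/lib/uucp:",
    "+@allusers:x:::::",
]

TRIPLE_RE = re.compile(r"^\(\s*([^,\s]*)\s*,\s*([^,\s]*)\s*,\s*([^)\s]*)\s*\)$")


def parse_netgroups(ldif: str) -> Netgroups:
    """Parse nisNetgroup entries; attribute names are compared case-insensitively."""
    groups: Netgroups = {}
    for entry in ldif.strip().split("\n\n"):
        name: Optional[str] = None
        triples: List[Triple] = []
        members: List[str] = []
        for line in entry.splitlines():
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "cn":
                name = value
            elif attr == "nisnetgrouptriple":
                m = TRIPLE_RE.match(value)
                if not m:
                    raise ValueError(f"bad nisNetgroupTriple in {name!r}: {value!r}")
                triples.append((m.group(1), m.group(2), m.group(3)))
            elif attr == "membernisnetgroup":
                members.append(value)
        if name is not None:
            groups[name] = (triples, members)
    return groups


def in_netgroup(groups: Netgroups, name: str, host: Optional[str] = None,
                user: Optional[str] = None, domain: Optional[str] = None,
                _seen: Optional[Set[str]] = None) -> bool:
    """innetgr(3)-style test. Unknown groups and cycles evaluate to False."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return False
    _seen.add(name)
    triples, members = groups[name]
    for h, u, d in triples:
        if all(want is None or have == "" or have == want
               for have, want in ((h, host), (u, user), (d, domain))):
            return True
    return any(in_netgroup(groups, m, host, user, domain, _seen) for m in members)


def getent_passwd(login: str, etc_passwd: List[str], ldap_passwd: Dict[str, str],
                  groups: Netgroups) -> Optional[str]:
    """Emulate 'getent passwd <login>' under 'passwd: compat' / 'passwd_compat: ldap'.

    Lines are scanned in file order. A '+@netgroup' line admits the LDAP entry only
    if the login is a user member of that netgroup (assumption: only the user field
    is checked for passwd lookups). A netgroup that cannot be resolved admits nobody,
    which is exactly the empty 'getent passwd user' the posts above report.
    """
    for line in etc_passwd:
        key = line.split(":", 1)[0]
        if key.startswith("+@"):
            if login in ldap_passwd and in_netgroup(groups, key[2:], user=login):
                return ldap_passwd[login]
        elif key == "+":                          # include every LDAP user
            if login in ldap_passwd:
                return ldap_passwd[login]
        elif key.startswith("+"):                 # include one named LDAP user
            if key[1:] == login and login in ldap_passwd:
                return ldap_passwd[login]
        elif key == login:
            return line
    return None
```

If the directory's nisNetgroupTriple values cannot be matched (for example because the schema's EQUALITY rule is missing, as earlier in the thread), the client never sees a membership hit; in this model that is the same as the netgroup not existing, and every LDAP login falls through to None.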
 
gary_tay
Posts:595
Registered: 4/20/05
Re: Configuring LDAP netgroups   
Jul 27, 2005 7:13 AM (reply 21 of 68)  (In reply to #20 )

 
I have not used any Solaris10 (x86 or sparc) LDAP clients, yet.

I am not sure if the following post at comp.unix.solaris would help you.

===
From: Jesse DeFer <easynews@dotd.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050217
MIME-Version: 1.0
Newsgroups: comp.unix.solaris
Subject: LDAP naming service with TLS on Solaris 10
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Message-ID: <4343r2-797.ln1@sacrifice.dotd.com>
Lines: 17
X-Complaints-To: abuse@easynews.com
Organization: EasyNews, UseNet made Easy!
X-Complaints-Info: Please be sure to forward a copy of ALL headers otherwise we will be unable to process your complaint properly.
Date: Thu, 21 Jul 2005 00:08:08 GMT
Path: news.starhub.net.sg!newsvr.starhub.net.sg!in.100proofnews.com!in.100proofnews.com!border2.nntp.dca.giganews.com!nntp.giganews.com!newsfeed2.easynews.com!easynews.com!easynews!easynews-local!fe04.news.easynews.com.POSTED!sacrifice.dotd.com!news
Xref: newscenter.starhub.net.sg comp.unix.solaris:313586

I was having problems with LDAP as a naming service with Solaris 10 with
TLS enabled. su would say 'Unknown id', while everything else appeared
to work. Thanks to Sun Support the fix is to add two directories to the
system trusted directory list with crle: /usr/lib/mps and /usr/lib/mps/64.

If you haven't already used crle to create an ld.config, use:
crle -u -s /usr/lib/mps
crle -64 -u -s /usr/lib/mps/64

If you don't know if you have a custom ld.config or what the default
trusted directories are, just run crle with no arguments.

This only applies to Solaris 10 and is hopefully only a temporary fix
until they add that directory by default or move some libs around.
There may be other things related to LDAP and TLS it will fix too.

-JD
===

Gary
 
Christof_H
Posts:3
Registered: 27/07/05
Re: Configuring LDAP netgroups   
Jul 28, 2005 1:17 AM (reply 22 of 68)  (In reply to #21 )

 
TLS isn't used in our setup. Nevertheless I created the directories with crle. The problem remains. As long as I don't use netgroups, everything works fine, but then any LDAP user can log in to any machine ...
 
Christof_H
Posts:3
Registered: 27/07/05
Re: Configuring LDAP netgroups   
Jul 28, 2005 1:47 AM (reply 23 of 68)  (In reply to #20 )

 
Found my error. The nis.schema was restored to its original form after restarting ldap. So I stopped ldap, patched the nis.schema and restarted ldap.
Now netgroups work fine.
 
tdmurphy4
Posts:27
Registered: 7/14/05
Re: Configuring LDAP netgroups   
Sep 14, 2005 12:33 PM (reply 24 of 68)  (In reply to #11 )

 
Just want to add more information:

1) The sample Solaris 10 /etc/pam.conf can be found at
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view

(For this sample to work on Solaris 8/9, comment out all the pam_unix_cred.so.1 lines.)

I should point out the keyword "binding" doesn't work in Solaris 8 or 9. I changed it to required and it appeared to work, however, SSH public/private keys won't work. (only password authentication.)

Setting:

other account sufficient pam_ldap.so.1

Seems to fix this.
 
tdmurphy4
Posts:27
Registered: 7/14/05
Re: Configuring LDAP netgroups   
Sep 14, 2005 12:50 PM (reply 25 of 68)  (In reply to #24 )

 
Oops.. I had the wrong information.

Which line in /etc/pam.conf does Solaris' SSH server use? 'other'?

Maybe I need to set up a separate 'sshd' line in pam.conf? Or is it fine the way it is?
 
gary_tay
Posts:595
Registered: 4/20/05
Re: Configuring LDAP netgroups   
Sep 14, 2005 7:22 PM (reply 26 of 68)  (In reply to #25 )

 
In response to the last two posts.

The keyword "binding" DOES WORK for Solaris 8, ONLY after applying the latest kernel patch and LDAP patch 108993-48. There is a RISK of not being able to boot Solaris 8 up if you do not have these patches. (You have to go into single-user mode to repair pam.conf if this happens.)

When you do not specify "sshd" in /etc/pam.conf, it will default to follow the "other" entries for the PAM module actions. i.e.

# grep -v "^#" /etc/pam.conf | grep "^other"
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#

You have the choice of explicitly defining "sshd" entries in /etc/pam.conf by copying and pasting the above lines, replacing "other" with "sshd", and fine-tuning further if you wish.

Gary
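As an added example, not code from the thread or from Sun, the Python below turns the two points made above (and the "other account sufficient pam_ldap.so.1" line from the earlier post) into something that can be checked before a reboot: it parses a pam.conf, returns the stack that actually applies to a service by falling through to "other" for any module type the service has no entries for (per pam.conf(4) as I understand it), lists entries using the "binding" control so they can be reviewed against the patch level, and renders the copy-and-paste "sshd" clone of the "other" lines. The pam.conf text is constructed from the "other" lines quoted above plus one hypothetical explicit "sshd" account line.

```python
"""Resolve the effective /etc/pam.conf stack for a service.

Added example, not code from the thread or from Sun. The pam.conf below is constructed.
"""
from typing import List, NamedTuple, Tuple


class PamRule(NamedTuple):
    service: str           # login, sshd, other, ...
    module_type: str       # auth, account, session, password
    control: str           # requisite, required, sufficient, optional, binding
    module: str            # e.g. pam_ldap.so.1
    options: Tuple[str, ...]


SAMPLE_PAM_CONF = """\
# constructed /etc/pam.conf sample
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
# hypothetical explicit sshd entry: replaces the 'other' stack for the account type only
sshd account sufficient pam_ldap.so.1
"""


def parse_pam_conf(text: str) -> List[PamRule]:
    """Parse pam.conf lines: service module_type control module [options...]."""
    rules: List[PamRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"pam.conf line {lineno}: need at least 4 fields, got {raw!r}")
        rules.append(PamRule(fields[0], fields[1], fields[2], fields[3], tuple(fields[4:])))
    return rules


def effective_stack(rules: List[PamRule], service: str, module_type: str) -> List[PamRule]:
    """Entries for the service if it has any of this module type, else the 'other' ones.

    Order is preserved because PAM evaluates the stack top to bottom.
    """
    explicit = [r for r in rules if r.service == service and r.module_type == module_type]
    if explicit:
        return explicit
    return [r for r in rules if r.service == "other" and r.module_type == module_type]


def rules_using_control(rules: List[PamRule], control: str) -> List[PamRule]:
    """Entries using a given control flag; 'binding' is the one the post says needs
    the named patches on Solaris 8/9 before it is safe to reboot with."""
    return [r for r in rules if r.control == control]


def clone_other_as(rules: List[PamRule], service: str) -> List[str]:
    """Render the 'other' entries with the service name swapped in, as the post suggests."""
    return [" ".join((service, r.module_type, r.control, r.module) + r.options)
            for r in rules if r.service == "other"]


if __name__ == "__main__":
    rules = parse_pam_conf(SAMPLE_PAM_CONF)
    for mtype in ("auth", "account", "session", "password"):
        print(f"sshd {mtype}:", [(r.control, r.module) for r in effective_stack(rules, "sshd", mtype)])
    print("binding:", [r.module for r in rules_using_control(rules, "binding")])
```

Review the `rules_using_control(rules, "binding")` output on any Solaris 8/9 box before rebooting with a pam.conf taken from Solaris 10; the post above describes what happens when the kernel and LDAP patches are not there.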
 
gary_tay
Posts:595
Registered: 4/20/05
Re: Configuring LDAP netgroups   
Sep 14, 2005 7:24 PM (reply 27 of 68)  (In reply to #26 )

 
Also, the keyword "binding" DOES WORK for Solaris9, ONLY after applying latest kernel patch and LDAP patch 112960-30.

Gary
 
tdmurphy4
Posts:27
Registered: 7/14/05
Re: Configuring LDAP netgroups   
Sep 15, 2005 11:29 AM (reply 28 of 68)  (In reply to #27 )

 
I replaced the pam.conf with the Solaris 10 one and removed the unix_cred lines. Everything works except that SSH keys won't work (it always asks for a password), and sudo stopped working (it prompts for a password and still fails after putting in the correct password 3 times).
 
gary_tay
Posts:595
Registered: 4/20/05
Re: Configuring LDAP netgroups   
Sep 15, 2005 8:55 PM (reply 29 of 68)  (In reply to #28 )

 
SSH key-based auth has no concept of uid and userPassword, so why should it work with an LDAP-based account? Anyway, I may be wrong, and you would have to ask the OpenSSH developers.

sudo: I assume you are talking about sudo+LDAP, i.e. LDAP based sudo maps.

1) Did you compile sudo using "--with-pam"?

# sudo -V | head
Sudo version 1.6.8p8

Authentication methods: 'pam'
....

2) Did you set up an /etc/ldap.conf with content something like the below? This file is usually not present for a Solaris Native LDAP client, but it is used by the sudo code, I believe.

host ldap1.example.com
base dc=example,dc=com
sudoers_base ou=sudoers,dc=example,dc=com

3) You may add the "debug" keyword at the end of ALL lines in /etc/pam.conf and observe /var/adm/messages to troubleshoot sudo.

Gary
 