LDAP and PADL Group Issue on Solaris 9

From: Anthony Gunia (aggunia@comcast.net)
Date: Sat Jan 14 2006 - 11:59:47 EST


Hello,

I am having some issues using LDAP and PADL on a Solaris 9 V890 server. I
can authenticate via SSH to the server using LDAP accounts. However, as root
on the server, when I enter the 'groups' command for an LDAP user, the OS
returns accounts of other users and some of the groups the LDAP user is in.
So, something is getting confused. I am pointing the ldap.conf to another
Solaris server running NDS. I can see using an LDAP trace what appears to be
happening, but what I don't understand is how to tell the processes
requesting the searches that they got the answer that they needed.

From an NDS trace, the first search is to find the DN of the user. Seems
pretty standard and the result appears to be correctly interpreted by the
system:

Search: "(&(objectclass=posixAccount)(uid=U25775))"
Result: cn=U25775,ou=prod,ou=chi,ou=il,o=hcsc

The next search also seems to make sense. The system searches for any groups
containing the user, returning the DN of the group and the GID. It does not
appear to interpret this correctly, as seen in the following searches.

Search:
(&(objectclass=posixGroup)(|(memberUid=U25775)(uniqueMember=cn=U25775,ou=prod,ou=chi,ou=il,o=hcsc))),
 attribute: "gidNumber"
Result: cn=bluesource,ou=prod,ou=chi,ou=il,o=hcsc, gidNumber=204

The system should have everything it needs at this point, but it continues
to try and resolve the group. It performs an invalid search of the group
using the DN of the group as a member. This tells me that it did not
understand the result from the preceding search.

Search:
(&(objectclass=posixGroup)(uniqueMember=cn=bluesource,ou=prod,ou=chi,ou=il,o=hcsc)),
 attribute: "gidNumber"
Result:

This looks like it may be a PAM or PADL configuration problem. This is
where I am stuck. I am not sure how to tell PAM that it got the result that
it was looking for. Here's the full trace:

6:21:15 A LDAP: Sending operation result 0:"":"" to connection 0x279e00
16:21:15 9 LDAP: DoSearch on connection 0x279e00
16:21:15 9 LDAP: Search request:
   base: "ou=prod,ou=chi,ou=il,o=hcsc"
   scope:2 derefence:0 sizelimit:1 timelimit:10 attrsonly:0
   filter: "(&(objectclass=posixAccount)(uid=U25775))"
16:21:15 9 LDAP: Sending search result entry "cn=U25775,ou=prod,ou=chi,ou=il,o=hcsc" to connection 0x279e00
16:21:15 9 LDAP: Sending operation result 0:"":"" to connection 0x279e00
16:21:15 9 LDAP: DoSearch on connection 0x279e00
16:21:15 9 LDAP: Search request:
   base: "ou=prod,ou=chi,ou=il,o=hcsc"
   scope:2 derefence:0 sizelimit:0 timelimit:10 attrsonly:0
   filter: "(&(objectclass=posixGroup)(|(memberUid=U25775)(uniqueMember=cn=U25775,ou=prod,ou=chi,ou=il,o=hcsc)))"
16:21:15 9 LDAP: attribute: "gidNumber"
16:21:15 9 LDAP: Sending search result entry "cn=bluesource,ou=prod,ou=chi,ou=il,o=hcsc" to connection 0x279e00
16:21:15 9 LDAP: Sending operation result 0:"":"" to connection 0x279e00
16:21:15 9 LDAP: DoSearch on connection 0x279e00
16:21:15 9 LDAP: Search request:
   base: "ou=prod,ou=chi,ou=il,o=hcsc"
   scope:2 derefence:0 sizelimit:0 timelimit:10 attrsonly:0
   filter: "(&(objectclass=posixGroup)(uniqueMember=cn=bluesource,ou=prod,ou=chi,ou=il,o=hcsc))"
16:21:15 9 LDAP: attribute: "gidNumber"
01/13/06
16:21:15 9 LDAP: Sending operation result 0:"":"" to connection 0x279e00
16:21:15 13 LDAP: Monitor 0x13 found connection 0x279e00 socket closed, err = 134, 0 of 0 bytes read
16:21:15 13 LDAP: Monitor 0x13 initiating close for connection 0x279e00
16:21:15 9 LDAP: Server closing connection 0x279e00, socket error = 134

I can forward my ldap.conf and pam.conf files if needed. I am really stuck
on this one, and would appreciate anyone's help. If this is not the correct
listserv for this, perhaps someone can suggest another one? Thanks again!

Anthony
aggunia@comcast.net
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
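As an added example that is not part of the original post, the following Python script replays the three searches from the trace above against a constructed two-entry directory: it parses the filters exactly as they appear in the trace and evaluates them, so each step's result can be checked offline. The entry DNs and the gidNumber 204 are taken from the trace; the uidNumber value and the directory contents are assumed, not the poster's real data.

```python
# Added example: replay the three searches in the trace against a constructed two-entry
# directory (DNs from the trace; uidNumber 25775 is an assumed value). Not the poster's data.
DIRECTORY = {  # attribute names lowercased: LDAP attribute names are case-insensitive
    "cn=U25775,ou=prod,ou=chi,ou=il,o=hcsc": {
        "objectclass": ["posixAccount"], "uid": ["U25775"], "uidnumber": ["25775"], "gidnumber": ["204"]},
    "cn=bluesource,ou=prod,ou=chi,ou=il,o=hcsc": {
        "objectclass": ["posixGroup"], "cn": ["bluesource"], "gidnumber": ["204"],
        "uniquemember": ["cn=U25775,ou=prod,ou=chi,ou=il,o=hcsc"]},
}

def parse_filter(s, i=0):
    """Recursive-descent parser for the filter subset in the trace: (&...), (|...), (attr=value)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            items.append(node)
        assert s[i] == ")", f"expected ')' at offset {i}"
        return (op, items), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)  # split once: DN values contain '=' themselves
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    # Evaluate a parsed filter against one entry; equality is case-insensitive as in most servers.
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(n, entry) for n in node[1])
    _, attr, value = node
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def search(filter_str):
    # DNs of entries matching the filter (subtree scope over the whole constructed directory).
    node, _ = parse_filter(filter_str)
    return sorted(dn for dn, e in DIRECTORY.items() if matches(node, e))

def initgroups(uid):
    """The lookup order seen in the trace: user DN, groups listing the user, then groups listing each group."""
    users = search(f"(&(objectclass=posixAccount)(uid={uid}))")
    if not users:
        return []
    queue = search(f"(&(objectclass=posixGroup)(|(memberUid={uid})(uniqueMember={users[0]})))")
    gids, seen = [], set()
    while queue:
        group = queue.pop(0)
        if group not in seen:  # guard against membership cycles
            seen.add(group)
            gids.append(DIRECTORY[group]["gidnumber"][0])
            # third search in the trace: groups that list this group as a member (none here)
            queue.extend(search(f"(&(objectclass=posixGroup)(uniqueMember={group}))"))
    return gids
```

With this directory the third search returns an empty result, exactly as in the trace, and `initgroups("U25775")` yields `["204"]`; adding a group that lists bluesource as a uniqueMember makes the same loop pick up the parent group's GID on the next pass.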



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:38:27 EDT