setup ldap client on Solaris 10

From: Nicole Skyrca (nskyrca@syr.edu)
Date: Fri Jul 06 2007 - 13:50:40 EDT


Hello,

I'm trying to set up a Solaris 10 machine to authenticate against a Sun
ONE Directory Server for the first time.

Is it possible to get only the user password from the LDAP server
for authentication, but get the home directory and shell information
from the local password file? If so, how? We have this type of
configuration on Linux and I would like to do it on Solaris. I get valid
output from the LDAP server when I run "ldaplist -l passwd username",
but I cannot log in via ssh. The LDAP admin sees the bind in the logs
on the LDAP server, and doesn't see any errors.

Any suggestions?

I do have a local account for nskyrca, which has a different password
than in LDAP. If I type the local password, I can get in.

When I try to log in to this machine and type the LDAP password, I get:

sshd[3257]: Failed keyboard-interactive for nskyrca from 128.230.xx.yy port 35899 ssh2
sshd[3257]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
sshd[3257]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd-kbdint nskyrca), flags = 0
sshd[3257]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
sshd[3257]: [ID 800047 auth.notice] Failed keyboard-interactive for nskyrca from 128.230.xx.yy port 35899 ssh2

I also saw this error a couple of times:

sshd: libsldap: Status: 49: Mesg: openConnection: simple bind failed - Invalid credentials

I used the following to initialize the client:

ldapclient -v manual -a credentialLevel=anonymous \
    -a serviceAuthenticationMethod=pam_ldap:simple \
    -a defaultSearchBase='dc=syr,dc=edu' \
    -a defaultServerList='128.230.xx.yy:389' \
    -a domainName='syr.edu' \
    -a objectclassMap=passwd:posixAccount=syreduPerson

Here are the pertinent lines from /etc/pam.conf:

# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy debug
#other auth required pam_unix_auth.so.1
other auth required pam_ldap.so.1 debug
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
other session optional pam_ldap.so.1 debug
#

Thanks!

Nicole
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
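Added example, not part of the original post or of Solaris itself: a small evaluator of the pam.conf(4) control-flag semantics (requisite, required, binding, sufficient, optional), run over the "other auth" stack quoted above. The credential stores and the modelled behaviour of pam_unix_auth with server_policy (returning PAM_IGNORE for a user with no local passwd entry, otherwise checking the local password) are constructed assumptions that mirror the situation described: the user has a local entry whose password differs from the LDAP one.

```python
# Added example (not from the original post): evaluate the Solaris
# pam.conf(4) control flags over the "other auth" stack quoted in the mail.
# Credentials and module behaviour below are constructed assumptions.

PAM_CONF = """\
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 debug
"""

# Constructed sample credentials (assumption; plaintext only for the demo).
LOCAL_PASSWORDS = {"nskyrca": "local-secret"}                         # local files
LDAP_PASSWORDS = {"nskyrca": "ldap-secret", "ldaponly": "dir-secret"}  # directory


def parse_stack(text, service="other", mtype="auth"):
    """Return [(control_flag, module, options)] for one service/type pair."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        svc, typ, flag, module = parts[:4]
        if svc == service and typ == mtype:
            stack.append((flag, module, parts[4:]))
    return stack


def module_result(module, options, user, password):
    """Outcome of one module: 'success', 'failure' or 'ignore'.

    Assumption for the demo: pam_unix_auth with server_policy returns
    PAM_IGNORE when the user has no local passwd entry (the directory is then
    the password authority); otherwise it checks the local password.
    pam_ldap checks the directory password. The other modules succeed.
    """
    if module.startswith("pam_unix_auth"):
        if user not in LOCAL_PASSWORDS and "server_policy" in options:
            return "ignore"
        return "success" if LOCAL_PASSWORDS.get(user) == password else "failure"
    if module.startswith("pam_ldap"):
        return "success" if LDAP_PASSWORDS.get(user) == password else "failure"
    return "success"


def evaluate(stack, user, password):
    """Walk the stack with pam.conf(4) semantics; return (authenticated, trace).

    A binding failure is recorded like a required failure, so a later
    success (e.g. pam_ldap) cannot turn the result into success.
    """
    required_failed = False
    any_success = False
    optional_failed = False
    trace = []
    for flag, module, options in stack:
        result = module_result(module, options, user, password)
        trace.append(f"{flag:<10}{module}: {result}")
        if result == "ignore":
            continue
        if result == "success":
            any_success = True
            if flag in ("binding", "sufficient") and not required_failed:
                trace.append(f"  -> {flag} success, remaining modules skipped")
                return True, trace
            continue
        # result == "failure"
        if flag == "requisite":
            return False, trace
        if flag in ("required", "binding"):
            required_failed = True
        elif flag == "optional":
            optional_failed = True
        # a 'sufficient' failure is ignored
    if required_failed:
        return False, trace
    if optional_failed and not any_success:
        return False, trace
    return True, trace


def login(user, password):
    """Convenience wrapper: does the quoted 'other auth' stack accept this login?"""
    ok, _trace = evaluate(parse_stack(PAM_CONF), user, password)
    return ok


if __name__ == "__main__":
    for user, pw in [("nskyrca", "ldap-secret"), ("nskyrca", "local-secret"),
                     ("ldaponly", "dir-secret"), ("ldaponly", "wrong")]:
        ok, trace = evaluate(parse_stack(PAM_CONF), user, pw)
        print(f"{user} / {pw}: {'ACCEPT' if ok else 'REJECT'}")
        for line in trace:
            print("   ", line)
```

Running it reproduces the symptom from the mail: for a user who exists in the local files, pam_unix_auth (binding) checks the local password, and its failure is recorded as a required failure that pam_ldap's subsequent success cannot override, so the LDAP password is rejected while the local one is accepted by the binding short-circuit. A user with no local entry is handled by pam_ldap alone. This also bears on the original question: with passwd looked up in files before ldap, a user present in both sources gets the local entry's home directory and shell, but also the local password that this stack then checks.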



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:42:06 EDT