The problem was twofold.

1) The certificates in /var/ldap were not readable by users other than root. Since pfksh tries to query LDAP for your roles/profiles/auths, your user(s) need to be able to read the certificates.

2) In Solaris 10, there are some problems with the runtime linking environment. I found an old post on sunmanagers referencing a similar problem with sudo and PAM ldap. The fix was to run:

    crle -u -s /usr/lib/mps
    crle -64 -u -s /usr/lib/mps/64

As soon as I did this, the Solaris 10 client started working correctly.

Thanks to Gregory Shaw, who recommended the first fix.

If anyone from Sun is actually reading this list - please train your directory server reps. The rep that I spoke to told me that she had never even set up TLS, and was completely clueless when it came to troubleshooting my problem.

- Mike

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Adams, Mike (Mike)
Sent: Friday, December 22, 2006 2:00 PM
To: sunmanagers@sunmanagers.org
Subject: RE: LDAP problems with Solaris 10?

I've been able to make some progress. Out of nowhere I started getting errors about not being able to connect to the LDAP server. I ldapclient uninit'd and tried to init again. The init was successful, but I still couldn't ldaplist, or see any users at all. I did uninit again and this time I init'd ldap without SSL. Without SSL, everything works great. RBAC works, netgroups work. I uninit and reinit with the SSL profile: users work, netgroups work, but RBAC does not. I disable SSL, RBAC works again. Why would RBAC fail when I use LDAPS instead of LDAP?

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Adams, Mike (Mike)
Sent: Friday, December 22, 2006 1:21 PM
To: sunmanagers@sunmanagers.org
Subject: LDAP problems with Solaris 10?

Managers,

I've got two problems with LDAP on Solaris 10.

My first problem is with RBAC. I've gotten RBAC working over ldap in Solaris 9. In my lab I've got three servers: a Sun ONE Directory Server 5.2 2005Q4 running Solaris 9, and two LDAP clients, one running Solaris 10, the other Solaris 9. Both clients are able to authenticate users via LDAP. I've got a user created in ldap. This user has the Primary Administrator assigned to it, and his shell is set to pfksh. When I log into the Solaris 9 host, everything works as expected. I provide my login credentials and I am authenticated. I type id -a and it shows uid 0. When I log into the Solaris 10 host, I have no extended privileges. When I run profiles it says Primary Administrator, Basic Solaris User, All. When I run auths, it says solaris.* (as expected). However, I have no elevated access. It's as if my shell is unaware of the RBAC attributes.

The second problem is with netgroups. If I change my nsswitch.conf to read

    passwd: compat
    passwd_compat: files ldap

and add a netgroup to /etc/passwd, I cannot see any ldap users on my system. If I change it to

    passwd: files ldap

the ldap users are there, and can log in. I had a similar problem with Solaris 9 before I installed patch 112960-40. I couldn't find a similar patch for Solaris 10. Am I missing something? I've gotten all of the same stuff to work on a Solaris 9 box. Are there some PAM changes that I need to make for Solaris 10 to support netgroups and RBAC in ldap?
-------------------------------------
Mike Adams
Verizon Business
Application Solutions Systems Engineering and Operations
mike.a.adams@verizonbusiness.com
Tel: 916.649.6244 / Cell: 916.838.1790
-------------------------------------
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Tue Dec 26 13:05:50 2006
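A small check script for the two conditions Mike's summary describes (certificate database in /var/ldap readable by non-root users, and /usr/lib/mps plus /usr/lib/mps/64 present in the runtime linker's default search path). This is an added example, not anything posted in the thread. It assumes the /var/ldap certificate database is the NSS file set cert8.db, key3.db and secmod.db (the thread only says "the certificates in /var/ldap"), and that crle(1) prints a "Default Library Path (ELF):" line followed by a colon-separated directory list; both are assumptions, and the crle output layout is from memory.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the /var/ldap
# cert database is the NSS trio cert8.db/key3.db/secmod.db, and crle(1)
# prints "Default Library Path (ELF):   <dir>:<dir>..." (from memory).

# Exit 0 if every file given has the other-read bit set; otherwise print
# each offender and exit 1. The mode comes from ls -l (column 8 is "r"
# when others may read) because Solaris 10 has no GNU stat.
others_readable() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            rc=1
            continue
        fi
        if [ "$(ls -ld "$f" | cut -c8)" != "r" ]; then
            echo "not readable by non-root users: $f"
            rc=1
        fi
    done
    return $rc
}

# Read crle output on stdin; exit 0 if DIR ($1) appears in the default
# ELF library search path, 1 if it does not (or no such line is present).
path_has_dir() {
    for p in $(grep 'Default Library Path (ELF):' | awk '{print $5}' | tr ':' ' '); do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Run both checks against a live client: cert DB permissions, then the
# 32-bit and 64-bit linker paths that the post's two crle commands add.
check_client() {
    dir=${1:-/var/ldap}
    status=0
    others_readable "$dir/cert8.db" "$dir/key3.db" "$dir/secmod.db" || status=1
    if ! crle 2>/dev/null | path_has_dir /usr/lib/mps; then
        echo "crle: /usr/lib/mps not in 32-bit default library path"
        status=1
    fi
    if ! crle -64 2>/dev/null | path_has_dir /usr/lib/mps/64; then
        echo "crle -64: /usr/lib/mps/64 not in 64-bit default library path"
        status=1
    fi
    return $status
}

# Only touch the live system when invoked as: sh check_ldap_client.sh run
if [ "${1:-}" = "run" ]; then
    check_client /var/ldap
fi
```

The permission check reports only on the other-read bit; it does not change anything. When loosening the files as the post describes, leave them owned by root with no write bit for group or others, since a user who can rewrite the trust database can make the client accept a different directory server's certificate.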