Configuration Notes From Nyux0034


Tab: Status

Solaris 10 LDAP installation status

I   All generic Unix commands work on nyux0034:
      getent passwd   - reads local files (/etc/passwd) and the ldap directory server also
      getent group    - reads local files and the ldap directory server also
      ldaplist        - uses the ldap client configuration
      finger
II  Could not ssh from ssoadm1 to nyux0034 as user Steven.Abramson.
      Error is: No account present for user
      Check pam configuration?
III Check linux hosts for their configuration in /etc/ldap.conf (nyvm0354)
IV  Reference Articles: solaris LDAP client w/ OpenLDAP server (From Docupedia)

file:///opt/scribd/conversion/tmp/scratch9866/65569666.xls Tab: Status 08/19/2011


Tab: Solaris 10

Solaris 10 LDAP Client to OpenLDAP Server

I   Resources
      tldp.org                              OpenLDAP how to
      openldap.org
II  Commands
    a For syslogd
        svcs system-log
        svcs -l system-log
        svcadm restart system-log
      For Automounter
        svcadm disable autofs
        svcs -l autofs
    b To make home dir for sabramson on nyux0034
      1 After 'getent passwd' works (it reads local /etc/passwd & ldap directory passwords), the /home dir is automounted
      2 Create the home dir under /export/home (common location to create home dir in Solaris 10):
        a cd /export/home
        b mkdir sabramson
        c chown Steven.Abramson:ssoadmin sabramson
        d # su - sabramson                  /export/home/sabramson gets mounted on /home/sabramson


Tab: LDAP

LDAP Commands and Files on Solaris 10 client, nyux0034

I   Preliminary Work
    A nsswitch.conf
      a cp /etc/nsswitch.conf nsswitch.conf.orig
      b Edit nsswitch.conf:
          hosts:    files dns
          passwd:   files ldap
          shadow:   files ldap
          group:    files ldap
    B domainname: unhq.un.org
      /etc/defaultdomain: unhq.un.org
    C packages needed for ldapclient
      1 SUNWnisu
      2 SUNWnisr
      3 SUNWspnego                          provides ldapclient gss-api related libs
      4 SUNWsndmr
      5 SUNWatfsr
      6 SUNWlldap
II  Commands
    a  ldapclient manual -v -a <attribName=attribValue> -a <attribName=attribValue> <ldapServer IP>
                                            copies nsswitch.ldap to nsswitch.conf
    a2 ldapclient manual -v \
         -a defaultSearchBase=dc=unhq,dc=un,dc=org \
         -a proxyDN=uid=proxyuser,ou=Users,ou=Applications,dc=unhq,dc=un,dc=org \
         -a proxyPassword=Pr0xyUs3r \
         -a domainname=unhq.un.org \
         -a credentialLevel=proxy \
         -a authenticationMethod=simple \
         -a serviceSearchDescriptor=passwd:ou=People,dc=unhq,dc=un,dc=org \
         -a serviceSearchDescriptor=shadow:ou=People,dc=unhq,dc=un,dc=org \
         -a serviceSearchDescriptor=group:ou=Groups,dc=unhq,dc=un,dc=org \
         157.150.184.70                     secint46 ldap svr
       Output is: system successfully configured
       (every search descriptor must end in dc=un,dc=org; a '.' in place of the ',' gives an invalid search base)
    a3 ldapclient -v list
    c  ldapclient -v mod -a credentialLevel=proxy
    d  ldapclient -v mod -a authenticationMethod=simple
    e  ldaplist                             ldaplist options: <db> <key>
                                            -l = list all the attributes found in an entry. Default, just DNs
                                            -h = list database mappings
    f  ldaplist -l passwd Steven.Abramson
    g  ldaplist -vl group ssoadmin          group ldap db mapped to ou=Groups
    h  ldaplist -h
    i  ldapsearch -v -h secint46 -b "dc=unhq,dc=un,dc=org" \
         -D "uid=Steven.Abramson,ou=People,dc=unhq,dc=un,dc=org" "cn=Steven.Abramson"
                                            ldapsearch connects to ldap server 127.0.0.1 by default. That's why
                                            you specify the host to query as the ldap dir svr. It doesn't use
                                            the ldapclient config
       getent passwd
       getent group
       id -a
       finger
III Files
    a  cd /var/ldap
      a1 ldap_client_file
      a2 ldap_client_cred                   solaris 10 credentials file; it holds the proxyDN and proxyPassword
                                            given above, so keep it readable by root only
    b  /etc/ldap.conf                       linux host config file
    Definitions
       authentication - Prove who you say you are by providing a password or passphrase.


Tab: ssh

SSH Commands

I   ssh authentication errors
    a Edit /etc/syslog.conf and add (fields separated by a tab):
        auth.info	/var/log/authlog
    b svcadm restart system-log              restart syslog svc
    c test ssh connection; the log will be in /var/log/authlog
II  Debugging the connection on a separate port
    On ssoadm1:
        ssh -v -p1234 nyux0034
    On solaris 10 host nyux0034 (the regular sshd daemon runs on port 22):
        cd /usr/lib/ssh
        ./sshd -p1234 -ddd                   -d = debug level (-ddd is the most verbose)
                                             sshd version Sun_ssh_1.1.2; switch to OpenSSH?


Tab: PAM

PAM - Pluggable Authentication Modules

I   Purpose: Configure PAM to use it for authentication. Tell it to fall back to LDAP
    if it doesn't match your credentials in local files.
II  Files: /etc/pam.conf
    a pam_unix module performs authentication locally
    b pam_ldap module performs authentication on the LDAP server
III Change pam.conf for ldap for Solaris 10 client
    The 'binding' flag makes a local success final (no LDAP round trip for local users),
    while a local failure is recorded and the stack continues to pam_ldap; 'server_policy'
    tells the pam_unix_* modules to ignore accounts that are not in the local files.

    Original line:
        <service name> auth     required  pam_unix_auth.so.1
    Changed lines:
        <service name> auth     binding   pam_unix_auth.so.1 server_policy
        <service name> auth     required  pam_ldap.so.1

    Original line:
        <service name> account  required  pam_unix_account.so.1
    Changed lines:
        <service name> account  binding   pam_unix_account.so.1 server_policy
        <service name> account  required  pam_ldap.so.1

    Original line:
        other          password required  pam_authtok_store.so.1
    Changed line:
        other          password required  pam_authtok_store.so.1 server_policy

    Check every module name against /usr/lib/security before restarting sshd: the LDAP
    module is pam_ldap.so.1, the account module is pam_unix_account.so.1 and the password
    store is pam_authtok_store.so.1. A misspelled module name fails the whole stack, which
    shows up as a login failure even when the directory answers correctly.
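The nsswitch.conf, pam.conf and syslog.conf edits in the LDAP, ssh and PAM tabs can be verified in one pass before retesting ssh from ssoadm1. The script below is an added example, not part of these notes or of any Solaris tool; it assumes a POSIX sh with an ERE-capable grep (/usr/xpg4/bin/grep on Solaris 10) and mktemp, and the sample files it checks are constructed inline so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original notes: pre-flight checks for the three
# files the notes edit on a Solaris 10 LDAP client. Each check greps for the exact
# line the notes prescribe, so a "No account present for user" ssh failure can be
# narrowed to a config file before sshd debugging is turned on. File paths are
# arguments; the sample files below are constructed for the demo.

# check_nsswitch FILE: passwd, shadow and group must each read "files ldap".
check_nsswitch() {
    f=$1
    for db in passwd shadow group; do
        grep -E "^${db}:"'[[:space:]]+files[[:space:]]+ldap([[:space:]]|$)' "$f" >/dev/null || {
            echo "nsswitch: '$db' does not fall back to ldap" >&2
            return 1
        }
    done
    return 0
}

# check_pam FILE SERVICE: the auth stack for SERVICE must carry the local module
# as "binding ... server_policy" and then "required pam_ldap.so.1".
check_pam() {
    f=$1
    svc=$2
    grep -E "^${svc}"'[[:space:]]+auth[[:space:]]+binding[[:space:]]+pam_unix_auth\.so\.1[[:space:]]+server_policy' "$f" >/dev/null || {
        echo "pam: $svc auth lacks 'binding pam_unix_auth.so.1 server_policy'" >&2
        return 1
    }
    grep -E "^${svc}"'[[:space:]]+auth[[:space:]]+required[[:space:]]+pam_ldap\.so\.1' "$f" >/dev/null || {
        echo "pam: $svc auth lacks 'required pam_ldap.so.1'" >&2
        return 1
    }
    return 0
}

# check_syslog FILE: auth.info must be routed to /var/log/authlog.
check_syslog() {
    grep -E '^auth\.info[[:space:]]+/var/log/authlog' "$1" >/dev/null
}

# write_samples DIR: constructed good and bad sample files (not real host files).
write_samples() {
    d=$1
    printf 'hosts:\tfiles dns\npasswd:\tfiles ldap\nshadow:\tfiles ldap\ngroup:\tfiles ldap\n' > "$d/nss.good"
    printf 'hosts:\tfiles dns\npasswd:\tfiles\nshadow:\tfiles\ngroup:\tfiles\n' > "$d/nss.bad"
    printf 'sshd\tauth\tbinding\tpam_unix_auth.so.1 server_policy\nsshd\tauth\trequired\tpam_ldap.so.1\n' > "$d/pam.good"
    printf 'sshd\tauth\trequired\tpam_unix_auth.so.1\n' > "$d/pam.bad"
    printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\nauth.info\t/var/log/authlog\n' > "$d/syslog.good"
}

# demo: returns 0 only if the good samples pass and the bad ones are rejected.
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    rc=0
    check_nsswitch "$d/nss.good" && check_pam "$d/pam.good" sshd && check_syslog "$d/syslog.good" || rc=1
    check_nsswitch "$d/nss.bad" 2>/dev/null && rc=1
    check_pam "$d/pam.bad" sshd 2>/dev/null && rc=1
    rm -rf "$d"
    [ "$rc" -eq 0 ] && echo "all checks behaved as expected"
    return "$rc"
}

demo
```

On the real host run the three check functions against /etc/nsswitch.conf, /etc/pam.conf (with the service name sshd, or other if sshd has no entry of its own) and /etc/syslog.conf; a check that fails names the missing line, which is the line to fix before restarting system-log and retrying the ssh -v test.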
