Configuration Notes From Nyux0034
I.   getent passwd reads /etc/passwd and the LDAP directory; getent group reads the directory server also.
II.  ldaplist, which uses the ldap client configuration; finger
III. Could not ssh from ssoadm1 to nyux0034 as user Steven.Abramson. Error is: No account present for user. Check pam configuration?
IV.  Check linux hosts for their configuration in /etc/ldap.conf (nyvm0354)

Reference Articles: solaris LDAP client w/ OpenLDAP server (from Docupedia)
Solaris 10 LDAP Client to OpenLDAP Server (Solaris 10 Server)

I.  Resources: tldp.org (OpenLDAP how to), openldap.org
II. Commands
    a. For syslogd:
       svcs system-log
       svcs -l system-log
       svcadm restart system-log
    b. For Automounter:
       svcadm disable autofs
       svcs -l autofs
    c. To make home dir for sabramson on nyux0034:
       1. After 'getent passwd' works (it gets local /etc/passwd & ldap directory passwords), the /home dir is automounted.
       2. cd /export/home   (common location to create home dir in Solaris 10)
       3. mkdir sabramson
       4. chown Steven.Abramson:ssoadmin sabramson
       5. # su - sabramson   (/export/home/sabramson gets mounted on /home/sabramson)

08/19/2011
LDAP Commands and Files on Solaris 10 client, nyux0034

I.  Preliminary Work
    A. nsswitch.conf
       a. cp /etc/nsswitch.conf nsswitch.conf.orig
       b. Edit nsswitch.conf:
          hosts:  files dns
          passwd: files ldap
          shadow: files ldap
          group:  files ldap
    B. domainname: unhq.un.org
       /etc/defaultdomain: unhq.un.org
    C. Packages needed for ldapclient:
       1. SUNWnisu
       2. SUNWnisr
       3. SUNWspnego
       4. SUNWsndmr
       5. SUNWatfsr
       6. SUNWlldap

II. Commands
    a.  ldapclient manual -v -a <attribName=attribValue> -a <attribName=attribValue> <ldapServer IP>
    a2. ldapclient manual -v \
          -a defaultSearchBase=dc=unhq,dc=un,dc=org \
          -a proxyDN=uid=proxyuser,ou=Users,ou=Applications,dc=unhq,dc=un,dc=org \
          -a proxyPassword=Pr0xyUs3r \
          -a domainname=unhq.un.org \
          -a credentialLevel=proxy \
          -a authenticationMethod=simple \
          -a serviceSearchDescriptor=passwd:ou=People,dc=unhq,dc=un,dc=org \
          -a serviceSearchDescriptor=shadow:ou=People,dc=unhq,dc=un,dc=org \
          -a serviceSearchDescriptor=group:ou=Groups,dc=unhq,dc=un,dc=org \
          157.150.184.70
        Output is: system successfully configured
    a3. ldapclient -v list
    c.  ldapclient -v mod -a credentialLevel=proxy
    d.  ldapclient -v mod -a authenticationMethod=simple
    e.  ldaplist
    f.  ldaplist -l passwd Steven.Abramson
    g.  ldaplist -vl group ssoadmin
    h.  ldaplist -h
    i.  ldapsearch -v -h secint46 -b "dc=unhq,dc=un,dc=org" -D "uid=Steven.Abramson,ou=People,dc=unhq,dc=un,dc=org" "cn=Steven.Abramson"
        getent passwd
        getent group
        id -a
        finger

III. Files
    a. cd /var/ldap
       a1. ldap_client_file
       a2. ldap_client_cred
    b. /etc/ldap.conf

Definitions
    authentication - Prove who you say you are by providing a password or passphrase.

Comments
    ldaplist options: <db> <key>
    -l = list all the attributes found in an entry. Default, just DNs.
    group ldap db mapped to ou=Groups
    -h = list database mappings
    ldapsearch connects to ldap server 127.0.0.1 by default. That's why you specify the host to query as the ldap dir svr. It doesn't use ldapclient config.
    Note: a proxyPassword given on the ldapclient command line shows up in ps output and shell history, and ldapclient writes it to /var/ldap/ldap_client_cred, so that file must stay readable by root only.

08/19/2011
SSH Commands

I.  ssh authentication errors
    a. Edit /etc/syslog.conf (selector and action separated by a tab):
       auth.info	/var/log/authlog
    b. svcadm restart system-log   (restart syslog svc)
    c. Test ssh connection; log will be in /var/log/authlog
II. On ssoadm1:
       ssh -v -p1234 nyux0034
    On solaris 10 host nyux0034 (regular sshd daemon runs on port 22):
       cd /usr/lib/ssh
       ./sshd -p1234 -ddd      (-d = debug level)

Comments
    sshd version Sun_ssh_1.1.2. Switch to OpenSSH?

08/19/2011
PAM - Pluggable Authentication Modules

I.   Purpose: Configure PAM to use it for authentication. Tell it to fall back to LDAP if it doesn't match your credentials in local files.
II.  Files: /etc/pam.conf
     a. pam_unix module performs authentication locally
     b. pam_ldap module performs authentication on the LDAP server
III. Change pam.conf for ldap for Solaris 10 client
     a. auth
        Original line:
          <service name> auth required pam_unix_auth.so.1
        Changed lines:
          <service name> auth binding  pam_unix_auth.so.1 server_policy
          <service name> auth required pam_ldap.so.1
     b. account
        Original line:
          <service name> account required pam_unix_account.so.1
        Changed lines:
          <service name> account binding  pam_unix_account.so.1 server_policy
          <service name> account required pam_ldap.so.1
     c. password
        Original line:
          other password required pam_authtok_store.so.1
        Changed line:
          other password required pam_authtok_store.so.1 server_policy

Comments
    binding: if the local module succeeds the stack returns success right there; if it fails, the failure is recorded and the stack continues to pam_ldap.so.1, which is the fall-back behaviour wanted above.

08/19/2011
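An added example, not part of these notes: a POSIX shell script that applies the pam.conf change described above mechanically and then verifies the result. It assumes the Solaris 10 pam.conf layout ("<service> <type> <flag> <module> [options]") and the Solaris 10 module names pam_unix_auth.so.1, pam_unix_account.so.1, pam_authtok_store.so.1 and pam_ldap.so.1; the pam.conf excerpt inside demo() is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): apply the Solaris 10 pam.conf
# LDAP-fallback change and verify it. Assumes the pam.conf layout
# "<service> <type> <flag> <module> [options]" and Solaris 10 module names.

# pam_ldap_rewrite IN OUT: turn each "required" local auth/account line into
# "binding ... server_policy" followed by "required pam_ldap.so.1", and add
# server_policy to the pam_authtok_store.so.1 password line. Other lines pass through.
pam_ldap_rewrite() {
  awk '
    ($2 == "auth"    && $3 == "required" && $4 == "pam_unix_auth.so.1") ||
    ($2 == "account" && $3 == "required" && $4 == "pam_unix_account.so.1") {
      print $1 "\t" $2 "\tbinding\t" $4 "\tserver_policy"
      print $1 "\t" $2 "\trequired\tpam_ldap.so.1"
      next
    }
    $2 == "password" && $3 == "required" && $4 == "pam_authtok_store.so.1" && NF == 4 {
      print $0 "\tserver_policy"
      next
    }
    { print }
  ' "$1" > "$2"
}

# pam_ldap_check FILE SERVICE TYPE: return 0 only if that stack has a
# "binding ... server_policy" line immediately followed by "required pam_ldap.so.1".
pam_ldap_check() {
  awk -v svc="$2" -v mtype="$3" '
    $1 == svc && $2 == mtype {
      if (prev_binding && $3 == "required" && $4 == "pam_ldap.so.1") ok = 1
      prev_binding = ($3 == "binding" && $5 == "server_policy")
      next
    }
    { prev_binding = 0 }
    END { exit (ok ? 0 : 1) }
  ' "$1"
}

# Constructed pam.conf excerpt (not a real host's file), used only for this demo.
demo() {
  in=${TMPDIR:-/tmp}/pam.conf.in.$$; out=${TMPDIR:-/tmp}/pam.conf.out.$$
  printf '%s\n' \
    'login   auth     required  pam_unix_auth.so.1' \
    'other   account  required  pam_unix_account.so.1' \
    'other   password required  pam_authtok_store.so.1' > "$in"
  pam_ldap_rewrite "$in" "$out"
  cat "$out"
  pam_ldap_check "$out" login auth && echo "login auth: LDAP fallback in place"
  rm -f "$in" "$out"
}
demo
```

Run it against a copy of /etc/pam.conf, diff the copy against the output, and only then install it; pam_ldap_check on the installed file is a quick post-change sanity test.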