[SUMMARY 1] Solaris LDAP PAM authentication

From: Luke A. Kanies (luke.kanies@bluestar.net)
Date: Wed Oct 06 1999 - 17:44:59 CDT

This is my initial summary, but I plan on sending another, more complete
summary when I am done with the whole process. I figure this process
was difficult enough for me that others would find this info valuable.

The main problem is that Netscape's Directory Server 3.1 does not ship
with a posixAccount or shadowAccount schema, both of which are required
for authentication into a UNIX system. My guess is that the newer
version (I think 4.0 or 4.1 is out) has these, but...

I decided to use Sun's SDS LDAP server, which is part of Sun's Easy
Access Server and apparently comes free with a Solaris server license.
It comes with the schemas already, and one nice thing about it is that
it can emulate an NIS server, which will be useful for me.

From David J. Begley at the U of W. Sydney, I got enough info that I got
it working (see <http://www.nepean.uws.edu.au/users/david/qn99> for
details). Here is how I did it:

I installed the SDS server, and then used dsadmintool (which is part of
the package) to change all of the domains and things to what I wanted.
Then I ran the dsypinit command, which imports all of the flat file info
into LDAP as NIS-style maps. The trick here is that when this info gets
imported, users are only marked with posixAccount objectclasses, but
they also need to be shadowAccount objectclasses.

Currently I am now able to authenticate using LDAP in ssh, telnet,
rlogin, and rsh. I cannot authenticate with ftp (if anyone has any
ideas, please tell me) because ftp does not seem to use PAMs for
authentication, contrary to the man pages of pam.conf and in.ftpd.

Additionally, I cannot get my client to see the LDAP server as an NIS
server, which means that I cannot use the LDAP server for automounting
information, which is necessary for me (again, if anyone has any info,
please email me).

When I finally get everything set up the way that I want it, I will write
a much more complete summary and will try to put it on the web
somewhere. I will post a link to that on sun-managers, instead of
sending the whole work, because it will probably be pretty long.

My original message is below, and if anyone has any additional good
info, I would be glad to try to use it, and to include it in my eventual
summary--there is a definite dearth of information on the net about
using LDAP for authentication, and I plan on helping to fix that.
Thanks also to Misha Pavlov and Michael Kriss for info about Sun's SDS.

-------- Original Message --------
Subject: Solaris LDAP PAM authentication
Date: Fri, 01 Oct 1999 10:37:53 -0500
From: "Luke A. Kanies" <luke.kanies@bluestar.net>
Organization: Blue Star Communications
To: Sun Managers <sun-managers@sunmanagers.ececs.uc.edu>

I have been trying to get LDAP authentication to work in Solaris for the
last two weeks or so, and I am having quite a few problems.

I downloaded the only pams I could find, which are from padl.com, and I
downloaded Netscape's LDAP libraries, 128-bit SSL version. I compiled
the PAM (after much effort), and then compiled the nss_ldap library
(again, after much effort).

After some work, I have gotten to the point where I know that my machine
is authenticating part way with my Netscape Directory Server 3.1. This
is what I get:

If I enter an account name and valid password for the LDAP server, I get
a bad login message.

If I enter a valid account but a bad password, I get prompted for a
system password.

If I enter an account that is not valid in LDAP, I get a prompt for a
system password.

No matter what, I can't get authenticated into the LDAP server in such a
way that I have a shell.

I have done some snooping on the traffic for authenticating, and the
LDAP server is definitely returning info about me to the client, so the
server is recognizing the user and returning info about the user to the
client machine. I think that the problem is related to the fields that
LDAP returns (i.e., uid=name and domain, stuff like that) versus the
fields the Solaris box wants (uid=number, group=number).

Has anyone had any luck authenticating Solaris into an LDAP server,
especially Netscape's Directory Server? If so, which version, and what
exactly did you have to do to get it to work? I have done lots of
research on the web on this topic, and I appear to be the only person in
the entire world who hasn't gotten this to work on the very first try
(I'm serious, too--all of the newsgroup articles I have seen say
'everything works great immediately, but I have this small
problem...'). All of the people I have talked to have said they didn't
have any problems and they couldn't help me, and emailing the developers
didn't do me any good.

Anyone? Please?

If a `religion' is defined to be a system of ideas that contains
unprovable statements, then Gödel taught us that mathematics is
not only a religion, it is the only religion that can prove itself
to be one.  -- John Barrow
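As an added illustration (not from the post, and not part of Sun's SDS tools or the padl.com modules): a small Python check over a constructed LDIF dump that flags user entries lacking the posixAccount/shadowAccount object classes or the numeric uidNumber/gidNumber fields the Solaris side wants, and emits LDIF modify records adding shadowAccount where it is missing, the fix-up the summary describes after a dsypinit import. The DNs, users and entry values are constructed for the example.

```python
REQUIRED_CLASSES = ("posixAccount", "shadowAccount")
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample dump (hypothetical DNs): alice is how an NIS-map import
# leaves a user (posixAccount only); bob already carries both object classes.
SAMPLE_LDIF = """dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, leading space folds a line."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]        # folded continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def missing_for_auth(entry):
    """Object classes and POSIX attributes this entry still lacks."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    missing = [c for c in REQUIRED_CLASSES if c.lower() not in classes]
    return missing + [a for a in REQUIRED_ATTRS if a not in entry]

def shadow_fixup_ldif(entries):
    """LDIF modify records that add shadowAccount to each entry lacking it."""
    return "\n".join("dn: %s\nchangetype: modify\nadd: objectClass\n"
                     "objectClass: shadowAccount\n" % e["dn"][0]
                     for e in entries if "shadowAccount" in missing_for_auth(e))
```

Running the output through ldapmodify against the directory is the remaining step; entries flagged for missing uidNumber or gidNumber need those values filled in by hand before nss_ldap can map them.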
