How to setup Solaris 10 ldap client and glue it with ssh
Recently I wrote a post about configuring an OpenLDAP server with TLS support on RHEL, available here. There I also mentioned how to set up Linux to authenticate against an LDAP server, but I didn't say a word about Solaris. That's unfair, and I'm going to fix it with a quick guide on how to set up the LDAP client in Solaris 10.
- First of all, add the LDAP server's certificate to your local certificate database. Otherwise you won't be able to set up a TLS session:

```sh
/usr/sfw/bin/certutil -N -d /var/ldap/
/usr/sfw/bin/certutil -A -n "LDAP server certificate" -i /path_to_where_you_copied_ldap_certificate_file -a -t CT -d /var/ldap
```

- Verify that everything was done right:

```sh
/usr/sfw/bin/certutil -L -d /var/ldap/
```

- Set up the Solaris ldap client:

```sh
ldapclient manual \
  -a credentialLevel=proxy \
  -a authenticationMethod=tls:simple \
  -a domainName=example.com \
  -a defaultSearchBase=DC=example,DC=com \
  -a proxyDN="cn=svc_ldp_proxy,dc=example,dc=com" \
  -a proxyPassword=PASSWORD \
  -a serviceSearchDescriptor="passwd:ou=people,?sub" \
  -a serviceSearchDescriptor="group:ou=group,?sub?gidnumber" \
  -a serviceSearchDescriptor="netgroup:ou=netgroup,?sub" \
  -a serviceSearchDescriptor="shadow:ou=people,?sub?uid=*" \
  -a followReferrals=false LDAP_SERVER_IP:LDAP_SERVER_PORT
```

Please note that your serviceSearchDescriptor attributes might be different, depending on your LDAP structure. This attribute just instructs the ldap client how to build its queries when searching, in my particular case, for passwd, group and netgroup records.

- All the rest is almost like in the Linux world. /etc/nsswitch.conf:

```
passwd: compat
passwd_compat: ldap
group: files ldap
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
```

And the sshd-kbdint stack in /etc/pam.conf:

```sh
grep sshd-kbdint /etc/pam.conf
```

```
sshd-kbdint auth requisite pam_authtok_get.so.1 debug
sshd-kbdint auth required pam_unix_cred.so.1 debug
sshd-kbdint auth binding pam_unix_auth.so.1 server_policy debug
sshd-kbdint auth required pam_ldap.so.1 debug
```

- Take another look at your configuration:

```sh
ldapclient list
```

- Use some very basic tools, i.e. id or getent, to make sure you can query and receive a correct response from the LDAP server.
- Finally, try to ssh into your server with an LDAP-aware account.
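As an added example (not from the original post), here is an offline lint in POSIX sh for the two files from the nsswitch/pam step: it checks that passwd, group and netgroup actually reach ldap in nsswitch.conf (catching a `passwd: compat` line without its `passwd_compat: ldap` partner) and that the sshd-kbdint auth stack in pam.conf carries pam_unix_auth.so.1 with server_policy plus pam_ldap.so.1. The sample files it writes are constructed; the function and file names are my own.

```sh
#!/bin/sh
# Offline pre-flight lint for the nsswitch.conf / pam.conf glue above.
# Added example, not from the original post; sample files are constructed.

# nsswitch: passwd, group and netgroup must reach ldap, either directly
# or through "compat" plus a matching "<db>_compat: ldap" line.
check_nsswitch() {
  f=$1; rc=0
  for db in passwd group netgroup; do
    src=$(awk -v k="$db:" '$1==k {$1=""; print; exit}' "$f")
    case " $src " in
      *" ldap "*) ;;
      *" compat "*)
        cs=$(awk -v k="${db}_compat:" '$1==k {$1=""; print; exit}' "$f")
        case " $cs " in
          *" ldap "*) ;;
          *) echo "nsswitch: $db is compat but ${db}_compat is '$cs'"; rc=1 ;;
        esac ;;
      *) echo "nsswitch: $db does not consult ldap ('$src')"; rc=1 ;;
    esac
  done
  return $rc
}

# pam: the sshd-kbdint auth stack must carry pam_unix_auth.so.1 with
# server_policy (accounts whose authority is the LDAP server are left to
# pam_ldap instead of being rejected) and pam_ldap.so.1, as shown above.
check_pam() {
  awk '$1=="sshd-kbdint" && $2=="auth" && $4=="pam_unix_auth.so.1" {u=1; if ($0 ~ /server_policy/) sp=1}
       $1=="sshd-kbdint" && $2=="auth" && $4=="pam_ldap.so.1" {l=1}
       END {
         if (!u)  {print "pam: sshd-kbdint auth lacks pam_unix_auth.so.1"; exit 1}
         if (!sp) {print "pam: pam_unix_auth.so.1 lacks server_policy"; exit 1}
         if (!l)  {print "pam: sshd-kbdint auth lacks pam_ldap.so.1"; exit 1}
       }' "$1"
}

# Constructed samples: one matching the post, one with the common slip of
# "passwd: compat" without "passwd_compat: ldap", and one without server_policy.
D=${TMPDIR:-/tmp}/ldapglue.$$; mkdir -p "$D"
printf 'passwd: compat\npasswd_compat: ldap\ngroup: files ldap\nnetgroup: ldap\n' > "$D/nss.ok"
printf 'passwd: compat\ngroup: files ldap\nnetgroup: ldap\n' > "$D/nss.bad"
printf 'sshd-kbdint auth requisite pam_authtok_get.so.1\nsshd-kbdint auth required pam_unix_cred.so.1\n' > "$D/pam.ok"
printf 'sshd-kbdint auth binding pam_unix_auth.so.1 server_policy\nsshd-kbdint auth required pam_ldap.so.1\n' >> "$D/pam.ok"
printf 'sshd-kbdint auth binding pam_unix_auth.so.1\nsshd-kbdint auth required pam_ldap.so.1\n' > "$D/pam.bad"

lint() { check_nsswitch "$1" && check_pam "$2"; }
lint "$D/nss.ok" "$D/pam.ok" && echo "config looks consistent"
```

Point the two functions at the real /etc/nsswitch.conf and /etc/pam.conf once the samples pass.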
If anything goes wrong, you could do the following:
- Use ldapsearch -v to make sure you can set up a TLS session with your LDAP server successfully.
- Enable PAM debugging and check the logs. To do that, just run "touch /etc/pam_debug", then edit /etc/syslog.conf and add a new line (if it isn't already there, of course), keeping in mind that syslog.conf separates the selector from the action with a tab, not spaces:

```
*.debug	/path_to_where_you_want_to_store_debug_log
```

Then restart syslog with "svcadm restart svc:/system/system-log:default".
- Analyze the logs on your LDAP server.
- Switch off TLS and try to sniff the traffic with snoop to make sure your ldap client sends reasonable queries.
Have fun and happy tinkering!
on October 23, 2014 at 3:03 pm