
Connect Solaris ldapclient to a Oracle internet directory


denis

Jun 18, 2008, 9:22:45 AM
Hi,

I am looking for information on how to connect the Solaris native ldapclient
to an Oracle Internet Directory.
Or a solution for the following problem:
Solaris 10
ldapclient init works
ssh with an ldap user doesn't
error:

Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 219349 auth.debug] pam_unix_auth: user MYUSER not found
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=xxx.xxx.xxx.xxx:389)
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 816976 auth.debug] tid= 1: Connection added [0]
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 467101 auth.debug] tid= 1: connectionID=1024
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 805042 auth.debug] tid= 1: shared=1
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 982078 auth.debug] tid= 1: usedBit=0
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 727660 auth.debug] tid= 1: threadID=1
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 577507 auth.debug] tid= 1: serverAddr=xxx.xxx.xxx.xxx:389
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 939703 auth.debug] tid= 1: AuthType=0
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 142272 auth.debug] tid= 1: TlsType=0
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 537450 auth.debug] tid= 1: SaslMech=0
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 323218 auth.debug] tid= 1: unlocking sessionLock
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Jun 18 11:29:40 sissunws1 sshd[8033]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from xxx.xxx.xxx.xxx port 1463 ssh2


ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 10.0.0.1:389
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
NS_LDAP_CACHETTL= 0
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple


/etc/pam.conf
#ident "@(#)pam.conf 1.29 05/06/08 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth sufficient pam_ldap.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
#login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1 debug

#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
#rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
#krsh auth required pam_unix_cred.so.1
#krsh auth binding pam_krb5.so.1
#krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
#ktelnet auth required pam_unix_cred.so.1
#ktelnet auth binding pam_krb5.so.1
#ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
#other auth required pam_unix_auth.so.1
#other auth sufficient pam_krb5.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1 debug
#
# passwd command (explicit because of a different authentication module)
#
#passwd auth required pam_passwd_auth.so.1
passwd auth sufficient pam_passwd_auth.so.1 debug
passwd auth sufficient pam_ldap.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
#other account required pam_unix_account.so.1
other account sufficient pam_unix_account.so.1 debug
other account sufficient pam_ldap.so.1 debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
krlogin auth required pam_krb5.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_krb5.so.1

Shakespeare

Jun 18, 2008, 9:42:35 AM

"denis" <Denis....@googlemail.com> wrote in message
news:b3ca07d0-d334-4230...@i76g2000hsf.googlegroups.com...

Are these entries
a) unmodified taken from your configuration?
b) correct?

Did you perform any preparations on the OID to make it work with Solaris
Ldap Client?

Shakespeare


Shakespeare

Jun 18, 2008, 9:48:15 AM

"Shakespeare" <wha...@xs4all.nl> wrote in message
news:485910d1$0$14342$e4fe...@news.xs4all.nl...
Sorry, forgot to copy/paste the entries I was pointing at:

Are these entries

NS_LDAP_SERVERS= 10.0.0.1:389
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com

denis

Jun 18, 2008, 9:51:49 AM
On 18 Jun., 15:42, "Shakespeare" <what...@xs4all.nl> wrote:
> "denis" <Denis.Nick...@googlemail.com> wrote in message news:b3ca07d0-d334-4230...@i76g2000hsf.googlegroups.com...

to a) no, I needed to change the IP address to xxx.xxx.xxx.xxx and the dc
entries <- company policy, sorry
b) they are correct in the sense of cut and paste to the newsgroup; if
they are correct in the sense of functionality? I hope so.

> Did you perform any preparations on the OID to make it work with Solaris
> Ldap Client?

As I am not the administrator of the OID I didn't change anything.
But if you would be so kind as to give me a hint I would ask the admin
to do so (I didn't even know that there are changes needed, sorry).

thanks

denis

Jun 18, 2008, 10:02:40 AM
On 18 Jun., 15:48, "Shakespeare" <what...@xs4all.nl> wrote:
> "Shakespeare" <what...@xs4all.nl> wrote in message news:485910d1$0$14342$e4fe...@news.xs4all.nl...
> > "denis" <Denis.Nick...@googlemail.com> wrote in message

denis

Jun 18, 2008, 10:05:50 AM
On 18 Jun., 15:48, "Shakespeare" <what...@xs4all.nl> wrote:
> "Shakespeare" <what...@xs4all.nl> wrote in message news:485910d1$0$14342$e4fe...@news.xs4all.nl...
> > "denis" <Denis.Nick...@googlemail.com> wrote in message

yes, they are (the original values) because the ldapclient initializes
successfully and ldapsearch works with these values.

Shakespeare

Jun 18, 2008, 10:16:10 AM

"denis" <Denis....@googlemail.com> wrote in message
news:99a1868b-5ab5-4834...@z66g2000hsc.googlegroups.com...

thanks

------------------------
For the changes you made in your post: no problem, I was just checking for a
misconfiguration by using some default values like mydomain.com

Actually, from what I read through Google, you'll have to change a lot in
OID to use it with a Solaris LDAP client.

But first you could try to add to your LDAP client:
NS_LDAP_BINDDN= cn=orcladmin
NS_LDAP_BINDPASSWD= ..... (orcladmin password)

For more reading, you might go to
http://forum.java.sun.com/thread.jspa?threadID=5052764&start=15&tstart=0

Shakespeare


Shakespeare

Jun 18, 2008, 10:19:05 AM

"denis" <Denis....@googlemail.com> wrote in message
news:e32cfdef-3bac-40e1...@25g2000hsx.googlegroups.com...

====================================================
Ok, if ldapsearch works, it looks like ldapcompare or ldapbind is not
working. Could you check ldapcompare?

Shakespeare


denis

Jun 18, 2008, 10:28:01 AM
On 18 Jun., 16:19, "Shakespeare" <what...@xs4all.nl> wrote:
> "denis" <Denis.Nick...@googlemail.com> wrote in message news:e32cfdef-3bac-40e1...@25g2000hsx.googlegroups.com...

As far as I know the native Solaris ldap client doesn't have these
commands.
I found only:
ldapadd ldapaddent ldapclient ldapdelete ldaplist
ldapmodify ldapmodrdn ldapsearch

denis

Jun 18, 2008, 10:36:47 AM
On 18 Jun., 16:16, "Shakespeare" <what...@xs4all.nl> wrote:
> "denis" <Denis.Nick...@googlemail.com> wrote in message news:99a1868b-5ab5-4834...@z66g2000hsc.googlegroups.com...

Ok, I think I need to do some more reading about the OID and do some
workouts with the OID admin.
Thanks a lot for now

Shakespeare

Jun 18, 2008, 2:45:19 PM

"denis" <Denis....@googlemail.com> wrote in message
news:b3ca07d0-d334-4230...@i76g2000hsf.googlegroups.com...

Denis,

you may want to take a look at this:
http://www.oracle.com/technology/products/oid/htdocs/oracleauthenticationservices_ds.pdf

It looks like a pre-cooked OID for OS platforms; Solaris is supported too...

I never knew it existed, just noted it in some blog...

Shakespeare


greg

Jun 19, 2008, 4:11:22 AM
denis wrote:
> ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= 10.0.0.1:389
> NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
> NS_LDAP_CACHETTL= 0
> NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple

this looks a bit odd. Mine (although using OpenLDAP, not an OID server):

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= obfuscated
NS_LDAP_BINDPASSWD= obfuscated
NS_LDAP_SERVERS= a.b.c.d, e.f.g.h, i.j.k.l
NS_LDAP_SEARCH_BASEDN= dc=my,dc=base
NS_LDAP_AUTH= tls:simple;simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SERVER_PREF= a.b.c.d
NS_LDAP_CACHETTL= 300
NS_LDAP_PROFILE= default-solaris
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=ou
NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn

I don't see the NS_LDAP_SERVICE_AUTH_METHOD on either sol9 or sol10; what
version are you using?

again, we differ:

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 use_first_pass
login auth required pam_dial_auth.so.1

hope this helps

G
--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

Chris Ridd

Jun 19, 2008, 10:07:26 AM
On 2008-06-18 15:28:01 +0100, denis <Denis....@googlemail.com> said:

> As far as I know the native Solaris ldap client doesn't have this
> commands.
> I found only:
> ldapadd ldapaddent ldapclient ldapdelete ldaplist
> ldapmodify ldapmodrdn ldapsearch

You should first test whether NSS is working against your Oracle
directory - test using tools like id. The ldaplist tool is specific to
NSS as well, and a useful test tool.

Once you're happy all that's working, *then* go and fight PAM. If
memory serves, the objectclasses present on directory entries is
important for pam_ldap.

Cheers,

Chris

denis

Jun 23, 2008, 6:37:06 AM
On 19 Jun., 16:07, Chris Ridd <chrisr...@mac.com> wrote:

Thanks for all your answers.

Here is an intermediate state:
Thanks to Shakespeare I found the Oracle® Authentication Services for
Operating Systems Administrator's Guide,
in which I learned that Oracle provides client setup scripts
(sslConfig_OIDclient.sh). I'm trying to find a test environment. I will
post the results.

Following Chris' advice I got ldaplist up and running, but not id.
The Sol version I am using is 10.
NS_LDAP_SERVICE_AUTH_METHOD is added by using the ldapclient -v mod -a
"serviceSearchDescriptor=..." command.

I found another very interesting thread:
http://forum.java.sun.com/thread.jspa?threadID=5176398&messageID=9682137

At the moment I get the following error:

Jun 23 12:02:46 sun1 sshd[10553]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd-kbdint user1), flags = 0
Jun 23 12:02:46 sun1 sshd[10553]: [ID 647000 auth.debug] ldap pam_sm_authenticate(sshd-kbdint user1), AUTHTOK not set
Jun 23 12:03:10 sun1 sshd[10553]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed

Denis

Shakespeare

Jun 23, 2008, 2:37:01 PM

"denis" <Denis....@googlemail.com> wrote in message
news:dcd6d005-36cb-4488...@t54g2000hsg.googlegroups.com...

Denis


====================================================
Denis,

thanks for your update. I look forward to a follow up with the success
formula!

Shakespeare


Frank van Bortel

Jun 25, 2008, 3:41:18 AM
Shakespeare wrote:

>
> you may want to take a look at this:
> http://www.oracle.com/technology/products/oid/htdocs/oracleauthenticationservices_ds.pdf
>
> It looks like a pre-cooked OID for OS platforms; Solaris is supported too...
>
> I never knew it existed, just noted it in some blog...
>

That's because it's brand new - the brochure is dated March 2008.

--

Regards,
Frank van Bortel

Denis

Jul 3, 2008, 5:00:22 AM
On Jun 23, 8:37 pm, "Shakespeare" <what...@xs4all.nl> wrote:
> "denis" <Denis.Nick...@googlemail.com> wrote in message news:dcd6d005-36cb-4488...@t54g2000hsg.googlegroups.com...

ldapclient connects to the OID. Yippi :-)
It was a combination of nsswitch.conf, pam.conf and ldapclient.
Thanks for all your help so far.

I have found some more good resources:
http://www.sun.com/bigadmin/features/articles/nis_ldap_part2.jsp
http://blogs.sun.com/jo/entry/sun_directory_server_6_x

Now I would like to use SSL. The Solaris client needs PKCS12 formatted
key.db files. My problem is to get these keys in the right format.


Chris Ridd

Jul 3, 2008, 6:56:36 AM
On 2008-07-03 10:00:22 +0100, Denis <Denis....@googlemail.com> said:

> ldapclient connects to the OID. Yippi :-)
> It was a combination between nsswich.conf pam.conf and ldapclient.
> Thanks for all your help so far.
>
> I have found some more good resources:
> http://www.sun.com/bigadmin/features/articles/nis_ldap_part2.jsp
> http://blogs.sun.com/jo/entry/sun_directory_server_6_x
>
> Now I would like to use SSL. The Solaris client needs PKCS12 formated
> key.db files. My problem is to get this keys in the right format.

You need Sun's directory server resource kit, which includes the
"certutil" tool which will sort all this stuff out for you. I had to do
something like this:

# LD_LIBRARY_PATH=/opt/dsrk52/lib:/opt/dsrk52/lib/nss/lib
# export LD_LIBRARY_PATH
# /opt/dsrk52/lib/nss/bin/certutil -A -n "My CA" -t "TCu,Cu,Tuw" -d /tmp -i ~/myca.crt

Test with Sun's ldapsearch program using LDAPS and the files generated in /tmp:

/usr/bin/ldapsearch -h ldap.isode.com -Z -b "" -s base -P /tmp "(objectclass=*)"

Then, copy the cert7.db and key3.db files from /tmp into /var/ldap and
chmod them to 0444.

Cheers,

Chris

Chris Ridd

Jul 3, 2008, 6:57:30 AM
On 2008-07-03 11:56:36 +0100, Chris Ridd <chri...@mac.com> said:

> On 2008-07-03 10:00:22 +0100, Denis <Denis....@googlemail.com> said:
>
>> ldapclient connects to the OID. Yippi :-)
>> It was a combination between nsswich.conf pam.conf and ldapclient.
>> Thanks for all your help so far.
>>
>> I have found some more good resources:
>> http://www.sun.com/bigadmin/features/articles/nis_ldap_part2.jsp
>> http://blogs.sun.com/jo/entry/sun_directory_server_6_x
>>
>> Now I would like to use SSL. The Solaris client needs PKCS12 formated
>> key.db files. My problem is to get this keys in the right format.
>
> You need Sun's directory server resource kit, which includes the
> "certutil" tool which will sort all this stuff out for you. I had to do
> something like this:
>
> # LD_LIBRARY_PATH=/opt/dsrk52/lib:/opt/dsrk52/lib/nss/lib
> # export LD_LIBRARY_PATH
> # /opt/dsrk52/lib/nss/bin/certutil -A -n "My CA" -t "TCu,Cu,Tuw" -d /tmp -i ~/myca.crt
>
> Test with Sun's ldapsearch program using LDAPS and the files generated in /tmp:
>

> /usr/bin/ldapsearch -h ldap.example.com -Z -b "" -s base -P /tmp "(objectclass=*)"

Or whatever address your server's on...

Cheers,

Chris

Neal A. Lucier

Jul 3, 2008, 1:27:48 PM
Denis wrote:
> Now I would like to use SSL. The Solaris client needs PKCS12 formated
> key.db files. My problem is to get this keys in the right format.
>

On Solaris 10, if you have the CA certificate that signed your LDAP server's
certificate and it is base64 encoded, then the following commands will create the
certificate database, import the certificate, and list the contents of the
database; see

http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

/usr/sfw/bin/certutil -N -d /var/ldap

# the following command is all one line
/usr/sfw/bin/certutil -A -d /var/ldap -n name_of_cert_in_db -t C,, -a -i /path/to/cert/cert.txt

/usr/sfw/bin/certutil -L -d /var/ldap

Neal

denis

Jul 14, 2008, 4:39:53 AM

Sad but true, I am still fighting against SSL.
The problem:
libsldap: Status: 7 Mesg: Session error no available conn.
libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't
contact LDAP server

I tried ldapsearch and -list

/usr/sfw/bin/certutil -L -d /var/ldap/
testserver CT,C,c
prodserver CT,C,c
CA CT,,

snoop:


ldapclient
NS_LDAP_AUTH= tls:simple


I found out that there are some issues around LDAP and SSL under
Solaris:
http://www.mail-archive.com/fedora-dire...@redhat.com/msg02100.html



Chris Ridd

Jul 14, 2008, 1:49:58 PM
On 2008-07-14 09:39:53 +0100, denis <Denis....@googlemail.com> said:

> On 3 Jul., 19:27, "Neal A. Lucier" <nluc...@math.purdue.edu> wrote:
>> Denis wrote:
>>> Now I would like to use SSL. The Solaris client needs PKCS12 formated
>>> key.db files. My problem is to get this keys in the right format.
>>
>> On Solaris 10 if you have the CA certificate that signed your LDAP server's
>> certificate and it is base64 encoded then the following commands will
>> create the
>> certificate database, import the certificate, and list the contents of the
>> database, see
>>
>> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>>
>> /usr/sfw/bin/certutil -N -d /var/ldap
>>
>> # the following command is all one line
>> /usr/sfw/bin/certutil -A -d /var/ldap -n name_of_cert_in_db -t C,, -a -i
>> /path/to/cert/cert.txt
>>
>> /usr/sfw/bin/certutil -L -d /var/ldap
>>
>> Neal
>
> Sad but true i am still fighting against SSL.
> The problem:
> libsldap: Status: 7 Mesg: Session error no available conn.
> libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't
> contact LDAP server

The posted snoop output is a bit hard to parse, but it looks like it is
communicating with the server and reading the root DSE successfully. So
I don't believe the "Can't contact LDAP server" error is true :-)

There are two ways to talk SSL to an LDAP server, and I'm not sure
which you're trying to make work.

1) Create an SSL connection to port 636, and talk LDAP over that.
That's often called LDAPS, by analogy with HTTP and HTTPS.

2) Create a plaintext LDAP connection to port 389 and then switch using
STARTTLS to using SSL (TLS) on that same connection.

Can you clarify?

Cheers,

Chris

denis

Aug 4, 2008, 6:48:48 AM
On 14 Jul., 19:49, Chris Ridd <chrisr...@mac.com> wrote:

Last but not least I got it working!!
Thanks for all your help!!

Here are some points that helped me

1. Using id, ldaplist and ldapsearch for debugging
2. Configuring the nsswitch.ldap file
...
passwd: files ldap
group: files ldap

# consult /etc "files" only if ldap is down.
hosts: files dns
...

3. the ldapclient must look like this:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=adminunix,cn=userssystem,dc=xxx,dc=xxx
NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxxxx
NS_LDAP_SERVERS= x.x.x.x
NS_LDAP_SEARCH_BASEDN= dc=xxx,dc=xxx
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=xxx,dc=xxx?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:dc=xxx,dc=xxx?sub
NS_LDAP_ATTRIBUTEMAP= passwd:uid=xuserid
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple

4. pam.conf
docs.sun.com provides pam.conf templates for the different usages.

5. get it running without SSL
6. importing the certificates with certutil or Mozilla and watching
out for the right permissions (of the certs and the db (chmod 444
*.db))
7. snoop and Wireshark
8. http://www.genunix.org/wiki/index.php/Native_LDAP_Product_Support_Document
very useful for me: the name resolution hints and tests


Denis
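As an added example (not code from the thread or from Sun/Oracle), here is a POSIX sh script that checks the pieces of the final combination denis lists above against copies of the files: "files ldap" in nsswitch.conf, the TLS/proxy settings in ldap_client_file, mode 0444 on the NSS cert databases, and pam_ldap stacked after "binding pam_unix_auth.so.1 server_policy" in the login auth stack. The sample files, the proxy DN cn=proxyagent,ou=profile,dc=example,dc=com and the address 192.0.2.10 are constructed placeholders, not values from any real host.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the working combination
# denis lists. Every path is a parameter, so the checks run against copies; the
# sample files created below are constructed placeholders, not from a real host.
set -u

# 1. nsswitch.conf: passwd and group must read "files ldap".
check_nsswitch() {  # $1 = nsswitch.conf
    for db in passwd group; do
        grep -Eq "^${db}:[[:space:]]+files[[:space:]]+ldap([[:space:]]|\$)" "$1" || return 1
    done
}

# 2. ldap_client_file: TLS simple auth, proxy credential level, bind DN, base DN.
check_ldap_client_file() {  # $1 = ldap_client_file
    for key in 'NS_LDAP_AUTH= tls:simple' 'NS_LDAP_CREDENTIAL_LEVEL= proxy' \
               'NS_LDAP_BINDDN= ' 'NS_LDAP_SEARCH_BASEDN= '; do
        grep -q "^$key" "$1" || return 1
    done
}

# 3. cert7.db/key3.db must exist and every *.db must be mode 0444 (denis's step 6).
check_certdb_perms() {  # $1 = directory playing the role of /var/ldap
    [ -f "$1/cert7.db" ] && [ -f "$1/key3.db" ] || return 1
    [ -z "$(find "$1" -name '*.db' ! -perm 444)" ]
}

# 4. pam.conf: in the service's auth stack, pam_ldap must come after
#    "binding pam_unix_auth.so.1 server_policy" (the order in Sun's templates).
check_pam_auth_stack() {  # $1 = pam.conf, $2 = service name
    awk -v svc="$2" '
        $1 == svc && $2 == "auth" {
            n++
            if ($4 ~ /pam_unix_auth/ && $3 == "binding" && $5 == "server_policy") ua = n
            if ($4 ~ /pam_ldap/) ld = n
        }
        END { exit (ua && ld && ua < ld) ? 0 : 1 }' "$1"
}

# Constructed sample files that exercise the checks.
demo_dir=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\nhosts: files dns\n' > "$demo_dir/nsswitch.conf"
cat > "$demo_dir/ldap_client_file" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_SERVERS= 192.0.2.10
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
EOF
: > "$demo_dir/cert7.db"; : > "$demo_dir/key3.db"; chmod 444 "$demo_dir"/*.db
cat > "$demo_dir/pam.conf" <<'EOF'
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
EOF

# Runs all four checks; returns 0 only if every one passes, naming the first failure.
check_all() {  # $1 = directory holding nsswitch.conf, ldap_client_file, pam.conf, *.db
    check_nsswitch "$1/nsswitch.conf"            || { echo "FAIL nsswitch.conf"; return 1; }
    check_ldap_client_file "$1/ldap_client_file" || { echo "FAIL ldap_client_file"; return 1; }
    check_certdb_perms "$1"                      || { echo "FAIL cert db permissions"; return 1; }
    check_pam_auth_stack "$1/pam.conf" login     || { echo "FAIL pam.conf login auth stack"; return 1; }
    echo "all checks passed"
}
check_all "$demo_dir"
```

To use it on a real Solaris 10 host, point check_all at a directory holding copies of /etc/nsswitch.conf, /var/ldap/ldap_client_file, /etc/pam.conf and the /var/ldap/*.db files.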

Shakespeare

Aug 4, 2008, 7:25:29 AM
Thank you for the feedback!

Shakespeare

