Bonjour,
Je souhaite qu'une de mes machines Solaris 10 s'authentifie en LDAP/TLS sur un OpenLDAP Solaris 9.
J'ai tenté de la configurer sans résultat.
J'ai généré les certificats.
Code :
1
2
3
4
5
6
7
8
9
10
11
12
|
# certutil -N -d /var/ldap
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
# certutil -A -d /var/ldap -n "ca-cert" -i /var/tmp/cacert.pem -a -t CT
# certutil -A -d /var/ldap -n "serveur-ldap" -t C,, -i /var/tmp/slapd-cert-ldap1.pem |
J'ai tenté la méthode manuelle :
Code :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| ldapclient manual -v \
-a credentialLevel=proxy \
-a authenticationMethod=tls:simple \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a proxyDN=cn=proxyagent,ou=profile,dc=toto,dc=fr \
-a proxyPassword=toto \
-a defaultsearchbase=dc=toto,dc=fr \
-a defaultServerList="serveur-ldap" \
-a certificatePath=/var/ldap \
-a domainName=toto.fr \
-a attributeMap=passwd:gecos=cn \
-a objectClassMap=group:posixGroup=posixGroup \
-a objectClassMap=passwd:posixAccount=posixAccount \
-a objectClassMap=shadow:shadowAccount=shadowAccount |
J'ai configuré le fichier nsswitch.ldap de cette façon :
Code :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
| # cat /etc/nsswitch.ldap
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
#passwd: files ldap
passwd: compat
shadow: compat
passwd_compat: ldap
shadow_compat: ldap
group: files
hosts: files dns
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: ldap
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files |
Voici le fichier pam.conf :
Code :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
| #
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
# Depuis Solaris 10 on rajouter à chaque section la directive pam_unix_cred.so.1
# Ajoute par CAP auth binding pam_unix_auth.so.1 server_policy pour utiliser le LDAP server_policy
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
# rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
# TAC_PLUS service
#
tac_plus auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account binding pam_unix_account.so.1 server_policy
cron account required pam_ldap.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password binding pam_authtok_store.so.1 server_policy
other password required pam_ldap.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
# |
Quand je lance un getent passwd, je n'obtient que les comptes locaux.
Je vois pas ce qu'il manque.
un ldaplist renvoie ceci :
ldaplist: Object not found (Session error no available conn.
)
Il y a bien un profil de configuré dans le LDAP mais en mode manuel je ne peux pas le précider, du coup je le rajoute manuel dans le fichier ldap_client_file, mais cela ne change rien.
Voici la config du profil
Code :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| cn=profilsolaris,ou=profile,dc=toto,dc=fr
authenticationMethod=tls:simple
bindTimeLimit=10
cn=s9tlsmaster
credentialLevel=proxy
defaultSearchBase=dc=toto,dc=fr
defaultSearchScope=sub
defaultServerList=serveur-ldap
followReferrals=TRUE
objectClass=DUAConfigProfile
objectClass=top
profileTTL=43200
searchTimeLimit=30
serviceSearchDescriptor=passwd: dc=toto,dc=fr?sub
serviceSearchDescriptor=shadow: dc=toto,dc=fr?sub
serviceSearchDescriptor=netgroup: dc=toto,dc=fr?sub |
Merci.
12/03/2009, 17h14
Configuration du client OpenLDAP Solaris 10
00
