Hello,
I would like one of my Solaris 10 machines to authenticate over LDAP/TLS against an OpenLDAP running on Solaris 9.
I tried to configure it, without result.
I generated the certificates.
I tried the manual method:
Code:
# certutil -N -d /var/ldap
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
# certutil -A -d /var/ldap -n "ca-cert" -i /var/tmp/cacert.pem -a -t CT
# certutil -A -d /var/ldap -n "serveur-ldap" -t C,, -i /var/tmp/slapd-cert-ldap1.pem
I configured the nsswitch.ldap file this way:
Code:
ldapclient manual -v \
-a credentialLevel=proxy \
-a authenticationMethod=tls:simple \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a proxyDN=cn=proxyagent,ou=profile,dc=toto,dc=fr \
-a proxyPassword=toto \
-a defaultsearchbase=dc=toto,dc=fr \
-a defaultServerList="serveur-ldap" \
-a certificatePath=/var/ldap \
-a domainName=toto.fr \
-a attributeMap=passwd:gecos=cn \
-a objectClassMap=group:posixGroup=posixGroup \
-a objectClassMap=passwd:posixAccount=posixAccount \
-a objectClassMap=shadow:shadowAccount=shadowAccount
Here is the pam.conf file:
Code:
# cat /etc/nsswitch.ldap
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

#passwd: files ldap
passwd: compat
shadow: compat
passwd_compat: ldap
shadow_compat: ldap
group: files
hosts: files dns
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup;  the system will
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup: ldap
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
When I run a getent passwd, I only get the local accounts.
Code:
#
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
# Since Solaris 10, the pam_unix_cred.so.1 directive is added to each section
# Added by CAP: auth binding pam_unix_auth.so.1 server_policy, to use LDAP server_policy
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# TAC_PLUS service
#
tac_plus auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account binding pam_unix_account.so.1 server_policy
cron account required pam_ldap.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password binding pam_authtok_store.so.1 server_policy
other password required pam_ldap.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
I don't see what is missing.
An ldaplist returns this:
Code:
ldaplist: Object not found (Session error no available conn.
)
There is indeed a profile configured in the LDAP, but in manual mode I cannot specify it, so I add it manually in the ldap_client_file file, but that changes nothing.
Here is the profile config.
Thanks.
Code:
cn=profilsolaris,ou=profile,dc=toto,dc=fr
authenticationMethod=tls:simple
bindTimeLimit=10
cn=s9tlsmaster
credentialLevel=proxy
defaultSearchBase=dc=toto,dc=fr
defaultSearchScope=sub
defaultServerList=serveur-ldap
followReferrals=TRUE
objectClass=DUAConfigProfile
objectClass=top
profileTTL=43200
searchTimeLimit=30
serviceSearchDescriptor=passwd: dc=toto,dc=fr?sub
serviceSearchDescriptor=shadow: dc=toto,dc=fr?sub
serviceSearchDescriptor=netgroup: dc=toto,dc=fr?sub
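To see what the "login auth" stack in that pam.conf actually decides for a local user, an LDAP-only user, and an LDAP user whose client has no session to the server (the ldaplist symptom above), here is an added example that is not part of the post or of Sun's PAM framework: it parses that block and walks it with the control-flag rules of pam.conf(4). The sample stack, the per-module outcomes and the four scenarios are constructed; "ignore" stands for PAM_IGNORE, which pam_unix_auth.so.1 returns under server_policy for a user that is not in the local files.

```python
from collections import namedtuple

# One pam.conf line: service module_type control_flag module_path [options]
Entry = namedtuple("Entry", "service mtype flag module options")
# Constructed sample: the 'login auth' block of the pam.conf in the post.
SAMPLE_PAM_CONF = """
login auth requisite pam_authtok_get.so.1
login auth required  pam_dhkeys.so.1
login auth required  pam_unix_cred.so.1
login auth binding   pam_unix_auth.so.1 server_policy
login auth required  pam_ldap.so.1
login auth required  pam_dial_auth.so.1
"""

def parse_pam_conf(text):
    """Parse pam.conf text into Entry tuples, dropping comments and blank lines."""
    fields = [ln.split("#", 1)[0].split() for ln in text.splitlines()]
    return [Entry(f[0], f[1], f[2], f[3], tuple(f[4:])) for f in fields if f]

def evaluate(entries, service, mtype, outcomes):
    """Run the (service, mtype) stack with the pam.conf(4) control-flag rules.
    outcomes: module -> "ok" | "fail" | "ignore" (PAM_IGNORE, which
    pam_unix_auth.so.1 returns under server_policy for a non-local user)."""
    required_failed = saw_ok = False
    for e in (x for x in entries if x.service == service and x.mtype == mtype):
        res = outcomes.get(e.module, "ignore")
        if res == "ignore":
            continue                  # module leaves the decision to the others
        ok = res == "ok"
        saw_ok = saw_ok or ok
        if e.flag == "requisite" and not ok:
            return False              # stop at once, later modules are skipped
        if e.flag in ("sufficient", "binding") and ok and not required_failed:
            return True               # short-circuit: pam_ldap is never asked
        if e.flag in ("required", "binding") and not ok:
            required_failed = True    # remembered, but the stack keeps running
    return saw_ok and not required_failed

def scenarios():
    """Four login cases; True means allowed. Local good pw: binding succeeds, pam_ldap
    never runs (LDAP may be down). LDAP user: pam_unix_auth returns PAM_IGNORE, pam_ldap
    decides. Local bad pw: binding failure counts as required, pam_ldap cannot rescue it."""
    base = {"pam_authtok_get.so.1": "ok", "pam_dhkeys.so.1": "ok",
            "pam_unix_cred.so.1": "ok", "pam_dial_auth.so.1": "ok"}
    stack = parse_pam_conf(SAMPLE_PAM_CONF)
    login = lambda extra: evaluate(stack, "login", "auth", {**base, **extra})
    return {
        "local_user_good_pw": login({"pam_unix_auth.so.1": "ok", "pam_ldap.so.1": "fail"}),
        "ldap_user_good_pw": login({"pam_unix_auth.so.1": "ignore", "pam_ldap.so.1": "ok"}),
        "ldap_user_no_conn": login({"pam_unix_auth.so.1": "ignore", "pam_ldap.so.1": "fail"}),
        "local_user_bad_pw": login({"pam_unix_auth.so.1": "fail", "pam_ldap.so.1": "ok"}),
    }
```

The same walk applies to the "other auth" block, which has the same shape; the point to keep in mind is that a broken TLS session to the server denies every LDAP-only login while local accounts keep working, which is exactly what the getent and ldaplist results above show.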