Hello,

I would like one of my Solaris 10 machines to authenticate over LDAP/TLS against an OpenLDAP server on Solaris 9.

I tried to configure it, without success.
I generated the certificates.
Code:
# certutil -N -d /var/ldap
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
 
Enter new password:
Re-enter password:
 
# certutil -A -d /var/ldap -n "ca-cert" -i /var/tmp/cacert.pem -a -t CT 
 
# certutil -A -d /var/ldap -n "serveur-ldap" -t C,, -i /var/tmp/slapd-cert-ldap1.pem
I tried the manual method:

Code:
ldapclient manual -v \
-a credentialLevel=proxy \
-a authenticationMethod=tls:simple \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a proxyDN=cn=proxyagent,ou=profile,dc=toto,dc=fr \
-a proxyPassword=toto \
-a defaultsearchbase=dc=toto,dc=fr \
-a defaultServerList="serveur-ldap" \
-a certificatePath=/var/ldap \
-a domainName=toto.fr \
-a attributeMap=passwd:gecos=cn \
-a objectClassMap=group:posixGroup=posixGroup \
-a objectClassMap=passwd:posixAccount=posixAccount \
-a objectClassMap=shadow:shadowAccount=shadowAccount
I configured the nsswitch.ldap file this way:

Code:
# cat /etc/nsswitch.ldap 
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.files     1.14    06/05/03 SMI"
 
#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
 
#passwd:     files ldap
passwd:         compat
shadow:         compat
passwd_compat:  ldap
shadow_compat:  ldap
group:      files
hosts:      files dns
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   ldap
automount:  files
aliases:    files
services:   files
printers:       user files
 
auth_attr:  files
prof_attr:  files
project:    files
 
tnrhtp:     files
tnrhdb:     files
Here is the pam.conf file:
Code:
#
#ident  "@(#)pam.conf   1.31    07/12/07 SMI"
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
# Since Solaris 10, the pam_unix_cred.so.1 directive is added to each section
# Added by CAP: auth binding           pam_unix_auth.so.1 server_policy to use the LDAP server_policy
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
# rlogin        auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth binding            pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
krlogin auth required       pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# rsh   auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
rsh     auth binding            pam_unix_auth.so.1 server_policy
rsh     auth required           pam_ldap.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
krsh    auth required       pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
ktelnet auth required       pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
# TAC_PLUS service
#
tac_plus        auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account binding         pam_unix_account.so.1 server_policy
cron    account required        pam_ldap.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account binding         pam_unix_account.so.1 server_policy
other   account required        pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password binding        pam_authtok_store.so.1 server_policy
other   password required       pam_ldap.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
When I run getent passwd, I only get the local accounts.
I don't see what is missing.
An ldaplist returns this:

ldaplist: Object not found (Session error no available conn.
)

There is indeed a profile configured in the LDAP, but in manual mode I cannot specify it, so I add it manually to the ldap_client_file file, but that changes nothing.

Here is the profile configuration:
Code:
cn=profilsolaris,ou=profile,dc=toto,dc=fr
authenticationMethod=tls:simple
bindTimeLimit=10
cn=s9tlsmaster
credentialLevel=proxy
defaultSearchBase=dc=toto,dc=fr
defaultSearchScope=sub
defaultServerList=serveur-ldap
followReferrals=TRUE
objectClass=DUAConfigProfile
objectClass=top
profileTTL=43200
searchTimeLimit=30
serviceSearchDescriptor=passwd: dc=toto,dc=fr?sub
serviceSearchDescriptor=shadow: dc=toto,dc=fr?sub
serviceSearchDescriptor=netgroup: dc=toto,dc=fr?sub
Thanks.
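As an added example, not part of the original post: a small POSIX shell check for two things a Solaris ldapclient TLS setup like the one above depends on, the trust flags of the CA certificate in the /var/ldap NSS database and whether the name given in defaultServerList is the CN of the server certificate. The certutil output and the CN `serveur-ldap.toto.fr` are constructed samples; on a real host you would feed it the output of `certutil -L -d /var/ldap` and `certutil -L -d /var/ldap -n serveur-ldap`.

```shell
#!/bin/sh
# Offline sanity check for an ldapclient TLS configuration (example code).
# Works on captured certutil output so it runs anywhere; swap the samples
# for real `certutil -L -d /var/ldap` output on the client.

# Constructed sample of `certutil -L -d /var/ldap` (NSS certutil list format).
CERT_LIST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca-cert                                                      CT,,
serveur-ldap                                                 C,,'

# Constructed sample Subject line from `certutil -L -d /var/ldap -n serveur-ldap`.
SERVER_CERT_SUBJECT='        Subject: "CN=serveur-ldap.toto.fr,OU=infra,O=toto,C=FR"'

# trust_flags LIST NICK -> prints the trust column for NICK (empty if absent).
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '$1 == nick { print $2 }'
}

# ca_trusted LIST NICK -> 0 when the SSL column (before the first comma)
# carries the C flag, i.e. NSS accepts certificates issued by this CA.
ca_trusted() {
    _f=$(trust_flags "$1" "$2")
    case "${_f%%,*}" in *C*) return 0 ;; esac
    return 1
}

# cert_cn SUBJECT_LINE -> the CN component of the certificate subject.
cert_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,"]*\).*/\1/p'
}

# name_matches SUBJECT_LINE SERVER -> 0 when the defaultServerList entry is
# exactly the certificate CN (a SAN would also do; not parsed here).
name_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

main() {
    ca_trusted "$CERT_LIST" ca-cert && echo "ca-cert: trusted for SSL" || echo "ca-cert: NOT trusted"
    if name_matches "$SERVER_CERT_SUBJECT" serveur-ldap; then
        echo "defaultServerList matches the server certificate CN"
    else
        echo "defaultServerList 'serveur-ldap' differs from cert CN '$(cert_cn "$SERVER_CERT_SUBJECT")'"
    fi
}
main
```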