--- "Tay, Gary" <Gary_Tay(a)platts.com> wrote:
> 0) Make sure every time you restart /etc/init.d/ldap.client
> (ldap_cachemgr) you also restart /etc/init.d/nscd (the name service cache
> daemon).
Well, I decided to turn off nscd completely while I'm testing.
> 1) Make sure you define "CRYPT" as the default passwordStorageScheme in
> the LDAP DIT (right-click cn=config and edit its properties).
Yes.
> 2) Make sure you have these three lines in /var/ldap/ldap_client_file
> and also in the "default" profile in the LDAP DIT?
I have them in the ldap.client.file, but the default profile looks like this:

# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
Am I missing anything? I don't have a serviceSearchDescriptor, but I think it
should chain ou=People + defaultSearchBase, right?
> And there is a "shadow: files ldap" line in /etc/nsswitch.conf.
Yes.
> 4) Did you install a binary version of OpenSSH Server with PAM support,
> or compile from source with an "./configure --with-pam" option?
It was a pkg:
bash-2.03# ldd /usr/local/sbin/sshd
libpam.so.1 => /usr/lib/libpam.so.1
> 6) For the ssh client connection, do it this way to see more:
> $ ssh -v testdba@192.85.86.87
OK. This is me connecting to a Linux box under FDS control:
cnyitsun01/ > ssh testdba@cnyitlin01
testdba@cnyitlin01's password:
Last login: Fri Aug 26 11:02:06 2005 from cnyitlin02.composers.foo.com
[testdba@cnyitlin01 ~]$
Works fine. Now, to the test Sun box:
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
LDAP Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password:
And notice it's asking me for a separate LDAP password. What's up with that?
Also, I ran this:
bash-2.03# ldapsearch -D "uid=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" -w password -h cnyitlin02 -s base -b "" "objectclass=*"
objectClass=top
namingContexts=dc=composers,dc=foo,dc=com
namingContexts=dc=example, dc=com
namingContexts=o=NetscapeRoot
supportedExtension=2.16.840.1.113730.3.5.7
supportedExtension=2.16.840.1.113730.3.5.8
[more crap...]
So, it looks like the proxy id/password is correct....
I hate Solaris. It took me ONE MINUTE to get a Linux client working. One
command: authconfig. This is just retarded.
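The poster's open question is whether, with no serviceSearchDescriptor in the profile, Solaris will look up passwd and shadow entries under ou=people chained onto defaultSearchBase. The script below is an added example, not code from this thread and not Sun's ldapclient: it parses the profile exactly as posted above and reports the effective base DN and scope each name service will use. It assumes the Solaris ldapclient default containers (passwd and shadow under ou=people, group under ou=group, hosts under ou=hosts), the `service:base?scope` descriptor syntax, and that a descriptor base ending in a comma is completed with defaultSearchBase; the nsswitch.conf sample and the PROFILE_WITH_SSD variant are constructed for the demonstration.

```python
"""Report the effective search base and scope per name service for a
Solaris DUAConfigProfile.  Added example, not code from the thread.

Assumptions (not stated on the page): Solaris ldapclient default containers
for each service, the "service:base?scope" serviceSearchDescriptor syntax,
and that a descriptor base ending in "," is completed with defaultSearchBase.
"""

# Constructed from the profile posted in the thread.
PROFILE_LDIF = """\
# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
"""

# Constructed variant: same profile plus one descriptor that moves passwd
# lookups to a relative container with subtree scope.
PROFILE_WITH_SSD = PROFILE_LDIF + "serviceSearchDescriptor: passwd:ou=Staff,?sub\n"

# Constructed nsswitch.conf fragment (shadow consults ldap, group does not).
NSSWITCH = """\
passwd: files ldap
shadow: files ldap
group: files
hosts: files dns
"""

# Assumed Solaris ldapclient default container per service.
DEFAULT_CONTAINERS = {
    "passwd": "ou=people",
    "shadow": "ou=people",
    "group": "ou=group",
    "hosts": "ou=hosts",
}


def parse_ldif(text):
    """Parse a single-entry LDIF fragment into {attr: [values]}.
    Attribute names are lower-cased (LDAP attribute names are
    case-insensitive); base64 (::) values are not handled."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def effective_search(profile, service):
    """Return (base_dn, scope) the client will use for `service`."""
    if "defaultsearchbase" not in profile:
        raise ValueError("profile has no defaultSearchBase")
    base_dn = profile["defaultsearchbase"][0]
    scope = profile.get("defaultsearchscope", ["one"])[0]
    for ssd in profile.get("servicesearchdescriptor", []):
        svc, _, rest = ssd.partition(":")
        if svc.strip().lower() != service:
            continue
        base, _, ssd_scope = rest.partition("?")
        if base.endswith(","):          # relative base (assumed rule)
            base = base + base_dn
        return base, (ssd_scope or scope)
    # No descriptor: default container chained onto defaultSearchBase.
    return f"{DEFAULT_CONTAINERS[service]},{base_dn}", scope


def check_nsswitch(text, service):
    """True if the nsswitch.conf line for `service` lists the ldap source."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, _, sources = line.partition(":")
        if name.strip() == service:
            return "ldap" in sources.split()
    return False


def summarize(profile_text, nsswitch_text, services=("passwd", "shadow", "group")):
    """Per-service view of where lookups go and whether nsswitch enables ldap."""
    profile = parse_ldif(profile_text)
    report = {}
    for svc in services:
        base, scope = effective_search(profile, svc)
        report[svc] = {
            "base": base,
            "scope": scope,
            "nsswitch_has_ldap": check_nsswitch(nsswitch_text, svc),
        }
    return report


if __name__ == "__main__":
    for svc, info in summarize(PROFILE_LDIF, NSSWITCH).items():
        print(f"{svc:7s} base={info['base']} scope={info['scope']} "
              f"nsswitch_ldap={info['nsswitch_has_ldap']}")
```

With the posted profile the report shows passwd and shadow both resolving to ou=people,dc=composers,dc=foo,dc=com with one-level scope, so a user stored elsewhere (or under a differently named container) needs an explicit serviceSearchDescriptor; the nsswitch column catches the other half of the same failure, a service whose line never lists ldap at all.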