
[osol-discuss] LDAP Authentication without Posix user data: msg#00807

Subject: [osol-discuss] LDAP Authentication without Posix user data

Howdy, I am actually running GA Solaris U7 but I think the problem is very
similar in OpenSolaris.

We have an OpenLDAP database with usernames and passwords but it is not in
Posix style, i.e. there are no uids, gids, etc. It uses whatever schema is the
default in OpenLDAP 2.3, the one that came with the distro, SLES 10. It is very
easy to get SSHD to use LDAP for password authentication in this distro, and
get the rest of the user info from the /etc/passwd file (the account is locked
in /etc/shadow). All you have to do is replace the "auth include common-auth"
line in the /etc/pam.d/sshd file with "auth required pam_ldap.so" on the second
line, set "UsePAM yes" in the sshd config file, and point /etc/ldap.conf to
your LDAP server. (Nsswitch.conf remains "files" only.) You will then get
anonymous-type binding to check the LDAP password, and the rest of the Posix
attributes will be set from /etc/passwd.

My root question: Is there a simple way to do this with the Solaris 10 LDAP
client and the Solaris 10 sshd?

I think I have LDAP set up correctly, and PAM is doing *something*: I added
this line to pam.conf: "other auth sufficient pam_ldap.so.1". And when I snoop
the connection to the LDAP server I am seeing something:

backup2 -> services1 LDAP C port=33193 Search Request derefAlways
services1 -> backup2 LDAP R port=33193
services1 -> backup2 LDAP R port=33193 Search ResDone Success

But logins fail. (Maybe anonymous binding doesn't work?)

Has anyone succeeded in getting LDAP authentication to work without Posix
format LDAP entries? Thanks

-W Sanders
St Marys College of CA
--
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@xxxxxxxxxxxxxxx
