Bug 430003
| Summary: | build nss_ldap for non-rhel(solaris) | | |
|---|---|---|---|
| Product: | [Retired] freeIPA | Reporter: | Chandrasekar Kannan <ckannan> |
| Component: | ipa-server | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 1.0 | CC: | benl, mgregg, mharmsen, rcritten, ssorce, yzhang |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | freeipa-2.0.0-1.fc15 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 246164, 429034 | | |
Description
Chandrasekar Kannan
2008-01-24 06:35:07 UTC
This is apparently mostly about group membership. So we need to test our clients to see if they support groups or not. `% getent group admins` should return something.

rob - have a talk with mharmsen who can point you at solaris 9 build machines..

attempt on Solaris 9 seems to have failed. my notes below...

On Solaris 9, I have done the following:

--> cat /etc/krb5.conf

```
[libdefaults]
 default_realm = DSQA.SJC2.REDHAT.COM

[realms]
 DSQA.SJC2.REDHAT.COM = {
  kdc = ipaqa01.dsqa.sjc2.redhat.com:88
  admin_server = ipaqa01.dsqa.sjc2.redhat.com:749
 }

[domain_realm]
 .dsqa.sjc2.redhat.com = DSQA.SJC2.REDHAT.COM
 dsqa.sjc2.redhat.com = DSQA.SJC2.REDHAT.COM

[logging]
 default = FILE:/var/krb5/kdc.log
 kdc = FILE:/var/krb5/kdc.log
 kdc_rotate = {
  period = 1d
  versions = 10
 }

[appdefaults]
 kinit = {
  renewable = true
  forwardable= true
 }
 gkadmin = {
  help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
 }
```

--> cat /etc/pam.conf

added these to pam.conf

```
other auth sufficient pam_unix.so.1
other auth optional pam_nldap.so.1 use_first_pass
#
other account sufficient pam_unix.so.1
other account required pam_nldap.so.1
#
other session required pam_unix.so.1
#
other password required pam_unix.so.1
other password optional pam_nldap.so.1
```

--> cat /etc/nsswitch.conf

edited these lines

```
passwd: files nldap [NOTFOUND=return]
group: files nldap [NOTFOUND=return]
```

--> reboot

--> attempted to login at the console prompt with an ipa user account (user3)

I see these error messages ...

```
May 29 08:35:06 arwen login: open_module: stat(/usr/lib/security/pam_nldap.so.1) failed: No such file or directory
May 29 08:35:06 arwen login: load_modules: can not open module /usr/lib/security/pam_nldap.so.1
Login incorrect
May 29 08:35:06 arwen login: login account failure: Dlopen failure
```

The problem is nldap. It should be just plain ldap everywhere. Why ldap in PAM? You want to use kerberos for auth not ldap.
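An added check, not from the bug report or the freeIPA project, for the failure the login messages above show: it lists every module a Solaris-style pam.conf references that is absent from the PAM module directory, so a typo such as `pam_nldap.so.1` is caught before a reboot locks out console logins. The function names and the sample pam.conf are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): flag PAM modules referenced in a
# Solaris-style pam.conf that do not exist on disk, which is exactly what
# login(1) reported above ("stat(.../pam_nldap.so.1) failed").
# Function names are hypothetical; the pam.conf below is constructed.

# check_pam_modules <pam.conf> <module-dir>
# Solaris pam.conf layout: service type control module [options].
# Prints "<service> <type> <resolved-path>" for each module that is missing.
check_pam_modules() {
    conf=$1
    dir=$2
    sed -e 's/#.*//' "$conf" | awk 'NF >= 4 { print $1, $2, $4 }' |
    while read -r svc type mod; do
        case $mod in
            /*) path=$mod ;;          # absolute path given in pam.conf
            *)  path="$dir/$mod" ;;   # relative: resolve against module dir
        esac
        [ -f "$path" ] || echo "$svc $type $path"
    done
}

# Constructed reproduction of the report: a module directory holding only
# pam_unix.so.1, and the pam.conf additions from the description.
demo_missing_modules() {
    tmp=$(mktemp -d)
    mkdir "$tmp/security"
    : > "$tmp/security/pam_unix.so.1"
    cat > "$tmp/pam.conf" <<'EOF'
# constructed sample
other auth     sufficient pam_unix.so.1
other auth     optional   pam_nldap.so.1 use_first_pass
other account  sufficient pam_unix.so.1
other account  required   pam_nldap.so.1
other session  required   pam_unix.so.1
other password required   pam_unix.so.1
other password optional   pam_nldap.so.1
EOF
    check_pam_modules "$tmp/pam.conf" "$tmp/security"
    rm -rf "$tmp"
}

demo_missing_modules
```

Run against a real system as `check_pam_modules /etc/pam.conf /usr/lib/security`; an empty result means every referenced module resolves.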
nss-ldap functionality has been verified to work ok on solaris 8, 9, 10 based on these instructions that I wrote on freeipa: http://www.freeipa.com/page/ConfiguringSolarisClients

marking bug verified against rhel 5.2 ipa server.