Ticket #58 (new task)
Opened 3 months ago, last modified 3 months ago

Schema Translation Plugin

Reported by: shaines
Assigned to: prowley
Priority: major
Milestone: release-2
Component: ipa-server
Version: 1.0
Keywords:
Cc:

Change History

2007-10-26 10:33:24 changed by kmacmill
I thought we decided that this was a v2 feature.

2007-10-31 11:48:41 changed by kmacmill
* owner changed from kmacmill to prowley.
* milestone changed from milestone-5 to release-2.

2007-10-31 11:50:35 changed by rcritten
If you have a dumb client then we do what we can to fix up what is supplied in the entry in order to be a proper IPA user/group.
This is apparently mostly about group membership. So we need to test our clients to see if they support groups or not.
% getent group admins
should return something
Rob - have a talk with mharmsen, who can point you at Solaris 9 build machines.
Attempt on Solaris 9 seems to have failed. My notes below...

On Solaris 9, I have done the following:

--> cat /etc/krb5.conf
    [libdefaults]
    default_realm = DSQA.SJC2.REDHAT.COM
    [realms]
    DSQA.SJC2.REDHAT.COM = {
    kdc = ipaqa01.dsqa.sjc2.redhat.com:88
    admin_server = ipaqa01.dsqa.sjc2.redhat.com:749
    }
    [domain_realm]
    .dsqa.sjc2.redhat.com = DSQA.SJC2.REDHAT.COM
    dsqa.sjc2.redhat.com = DSQA.SJC2.REDHAT.COM
    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
    period = 1d
    versions = 10
    }
    [appdefaults]
    kinit = {
    renewable = true
    forwardable= true
    }
    gkadmin = {
    help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
    }

--> cat /etc/pam.conf
added these to pam.conf
    other auth sufficient pam_unix.so.1
    other auth optional pam_nldap.so.1 use_first_pass
    # other account sufficient pam_unix.so.1
    other account required pam_nldap.so.1
    # other session required pam_unix.so.1
    # other password required pam_unix.so.1
    other password optional pam_nldap.so.1

--> cat /etc/nsswitch.conf
edited these lines
    passwd: files nldap [NOTFOUND=return]
    group: files nldap [NOTFOUND=return]

--> reboot

--> attempted to login at the console prompt with an IPA user account (user3)

I see these error messages ...
    May 29 08:35:06 arwen login: open_module: stat(/usr/lib/security/pam_nldap.so.1) failed: No such file or directory
    May 29 08:35:06 arwen login: load_modules: can not open module /usr/lib/security/pam_nldap.so.1
    Login incorrect
    May 29 08:35:06 arwen login: login account failure: Dlopen failure
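The "Dlopen failure" above is what a client shows when pam.conf names a module that is not on disk. The following check, an added example that is not part of the ticket or of IPA, walks a Solaris-style pam.conf and reports every referenced module that cannot be found before anything is rebooted; the pam.conf contents and the module directory in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the ticket: verify that every module named in a
# Solaris-style pam.conf exists on disk before rebooting, so a bad module
# name is caught here rather than as "Dlopen failure" at the console.
#
# Solaris pam.conf lines have the form:
#   service  type  control  module  [options]
# Modules without a leading slash live under /usr/lib/security.

# check_pam_modules CONF [MODDIR]
# Prints each missing module path on stderr; returns 1 if any is missing.
check_pam_modules() {
    conf=$1
    moddir=${2:-/usr/lib/security}
    # Drop commented-out entries, take the 4th field (the module name),
    # de-duplicate, and collect every name that does not resolve to a file.
    missing=$(
        grep -v '^[[:space:]]*#' "$conf" |
        awk 'NF >= 4 { print $4 }' | sort -u |
        while read -r mod; do
            case $mod in
                /*) path=$mod ;;             # absolute path given
                *)  path=$moddir/$mod ;;     # relative to module directory
            esac
            [ -f "$path" ] || echo "$path"
        done
    )
    [ -z "$missing" ] && return 0
    for p in $missing; do
        echo "MISSING PAM module: $p" >&2
    done
    return 1
}

# Self-contained demo with a constructed pam.conf and a fake module
# directory; it never touches the real /etc/pam.conf. Returns 1 because
# pam_nldap.so.1 is not present, mirroring the failure in this ticket.
demo_pam_check() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/security"
    touch "$tmp/security/pam_unix.so.1" "$tmp/security/pam_ldap.so.1"
    cat > "$tmp/pam.conf" <<'EOF'
other auth sufficient pam_unix.so.1
other auth optional pam_nldap.so.1 use_first_pass
# other account sufficient pam_unix.so.1
other account required pam_nldap.so.1
EOF
    check_pam_modules "$tmp/pam.conf" "$tmp/security"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `check_pam_modules /etc/pam.conf` on the client itself; a non-zero exit with the offending path on stderr means logins would fail after the next reboot.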
The problem is nldap. It should be just plain ldap everywhere.
Why ldap in PAM? You want to use Kerberos for auth, not ldap.
nss-ldap functionality has been verified to work OK on Solaris 8, 9 and 10 based on these instructions that I wrote on freeipa:
http://www.freeipa.com/page/ConfiguringSolarisClients
Marking bug verified against RHEL 5.2 IPA server.