Bug 430003 - build nss_ldap for non-rhel(solaris)
Product: freeIPA
Classification: Community
Component: ipa-server
Hardware: All Linux
Priority: high, Severity: medium
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: freeipa10 429034
Reported: 2008-01-24 01:35 EST by Chandrasekar Kannan
Modified: 2015-01-04 18:30 EST
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Description Chandrasekar Kannan 2008-01-24 01:35:07 EST
Ticket #58 (new task)

Opened 3 months ago

Last modified 3 months ago
Schema Translation Plugin
Reported by: 	shaines@redhat.com 	Assigned to: 	prowley
Priority: 	major 	Milestone: 	release-2
Component: 	ipa-server 	Version: 	1.0
Keywords: 		Cc: 	
Change History
2007-10-26 10:33:24 changed by kmacmill ¶

I thought we decided that this was a v2 feature.
2007-10-31 11:48:41 changed by kmacmill ¶

    * owner changed from kmacmill to prowley.
    * milestone changed from milestone-5 to release-2.

2007-10-31 11:50:35 changed by rcritten ¶

If you have a dumb client then we do what we can to fix up what is supplied in the entry in order to be a proper IPA user/group.
Comment 1 Rob Crittenden 2008-02-05 14:27:08 EST
This is apparently mostly about group membership.

So we need to test our clients to see if they support groups or not.

% getent group admins 

should return something
Comment 2 Chandrasekar Kannan 2008-05-06 18:06:30 EDT
Rob - have a talk with mharmsen, who can point you at Solaris 9 build machines.
Comment 7 Chandrasekar Kannan 2008-05-29 09:57:11 EDT
Attempt on Solaris 9 seems to have failed. My notes below...

On Solaris 9, I have done the following:

--> cat /etc/krb5.conf
[libdefaults]
        default_realm = DSQA.SJC2.REDHAT.COM

[realms]
        DSQA.SJC2.REDHAT.COM = {
                kdc = ipaqa01.dsqa.sjc2.redhat.com:88
                admin_server = ipaqa01.dsqa.sjc2.redhat.com:749
        }

[domain_realm]
        .dsqa.sjc2.redhat.com = DSQA.SJC2.REDHAT.COM
        dsqa.sjc2.redhat.com = DSQA.SJC2.REDHAT.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
        gkadmin = {
                help_url =
        }

--> cat /etc/pam.conf
added these to pam.conf
other auth sufficient   pam_unix.so.1
other auth optional     pam_nldap.so.1 use_first_pass
other account sufficient        pam_unix.so.1
other account required  pam_nldap.so.1
other session required  pam_unix.so.1
other password required         pam_unix.so.1
other password optional         pam_nldap.so.1

--> cat /etc/nsswitch.conf
edited these lines
passwd:     files nldap [NOTFOUND=return]
group:      files nldap [NOTFOUND=return]

--> reboot

--> attempted to log in at the console prompt with an IPA user account (user3)

I see these error messages ...
May 29 08:35:06 arwen login: open_module: stat(/usr/lib/security/pam_nldap.so.1) failed: No such file or directory
May 29 08:35:06 arwen login: load_modules: can not open module
Login incorrect
May 29 08:35:06 arwen login: login account failure: Dlopen failure

Comment 8 Rob Crittenden 2008-05-29 10:03:49 EDT
The problem is nldap. It should be just plain ldap everywhere.
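
A pre-reboot check for the failure reported in comment 7, added here as an example and not part of the original bug report: it lists every pam.conf entry whose module file does not exist. The function names, scratch paths and sample entries are constructed; the default directory /usr/lib/security is the one shown in the login error.

```shell
#!/bin/sh
# Report pam.conf entries whose module file is missing, so the mistake is
# caught before a reboot instead of at the login prompt.
# Entry format: service  module_type  control_flag  module_path  [options]
check_pam_modules() {
    conf=$1
    moddir=${2:-/usr/lib/security}   # directory login tried to stat() in the log
    bad=0
    lineno=0
    while read -r service type flag module rest || [ -n "$service" ]; do
        lineno=$((lineno + 1))
        case $service in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        if [ -z "$module" ]; then
            echo "$conf:$lineno: malformed entry (fewer than 4 fields)"
            bad=$((bad + 1))
            continue
        fi
        case $module in
            /*) path=$module ;;           # absolute module path
            *)  path=$moddir/$module ;;   # relative names resolve under moddir
        esac
        if [ ! -f "$path" ]; then
            echo "$conf:$lineno: $service $type $flag: missing $path"
            bad=$((bad + 1))
        fi
    done < "$conf"
    [ "$bad" -eq 0 ]                      # non-zero exit if anything was reported
}

# Constructed demo: part of the "other" stack from comment 7, checked against
# a scratch module directory that holds only pam_unix.so.1.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/security" && : > "$tmp/security/pam_unix.so.1"
    cat > "$tmp/pam.conf" <<'EOF'
# constructed sample
other auth sufficient   pam_unix.so.1
other auth optional     pam_nldap.so.1 use_first_pass
other account sufficient        pam_unix.so.1
other account required  pam_nldap.so.1
EOF
    check_pam_modules "$tmp/pam.conf" "$tmp/security"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
demo || echo "pam.conf references modules that are not installed"
```

Running the check against the edited file while a root session is still open leaves a way to correct the module name before the next login attempt.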
Comment 9 Simo Sorce 2008-05-29 10:58:30 EDT
Why ldap in PAM?
You want to use kerberos for auth not ldap.
Comment 10 Chandrasekar Kannan 2008-06-11 18:26:22 EDT
nss-ldap functionality has been verified to work OK on Solaris 8, 9, 10 based on these instructions that I wrote on freeipa

Marking bug verified against RHEL 5.2 IPA server.
