SUMMARY: Authenticating Solaris 10 through Active Directory

From: Twardzik, Mark J. <>
Date: Thu May 19 2011 - 08:25:04 EDT
Thanks everyone for all the replies.

I tried using Likewise Open as suggested by Brandon below, and it worked for
my situation. It was much simpler and faster than trying to manually configure
everything. Very good documentation as well.

Thanks again!



Hi Mark,

What we've recently started working with is the Likewise Open Source AD
package for Solaris and have had a good amount of success.  We haven't done a
full rollout yet as we still need to do more testing but this could be of some
use to you.  The page is at:

Hope that helps,

Brandon Battis


Thanks for the quick reply David. I have already been to those websites and
used some of the information. I believe it's just a matter of properly
configuring the ldap_client_file.

Haven't tried it myself, but you may want to check out:

It's a bit old now, but the principles should still apply.

David Magda

Are you sure that the "proxy" account which you use is defined in Active
Directory to allow "simple" password authentication? If I recall, by
default it will expect the Windows-style authentication, so it will fail.


Thanks for the quick reply. My ldap_client_file has a few different
attributes, such as NS_LDAP_AUTH= sasl/GSSAPI and NS_LDAP_CREDENTIAL_LEVEL=
self. I had previously tried using simple and proxy, but that didn't work
either. Snoop outputs a different error message with proxy and simple:

>           [message ID]
>      Operation *[APPL 1: Bind Response]
>                [Result Code]
>                          1
>                    Invalid Credentials
>                [Matched DN]
>                [Error Message]
>                      80090308: LdapErr: DSID-0C0903A9
>                         , comment: AcceptSecurityContext

I'm hoping it might just be a matter of tweaking the ldap_client_file.

Thanks again,



You need a "bind" (or "proxy") account (and its password) in the LDAP (Active
Directory) repository that your Solaris clients can use to request data from
the AD.

This "bind" account is what you will use in the command to manually configure
a Solaris 10 client as an LDAP client:

ldapclient -v manual -a defaultServerList=kdc.ourdomain.internal \
-a defaultSearchBase="dc=ourdomain,dc=internal" -a authenticationMethod=simple \
-a followReferrals=FALSE -a defaultSearchScope=one \
-a searchTimeLimit=30 -a credentialLevel=proxy \
rnal" \
-a proxyPassword=somepwd \
-a objectclassMap=passwd:posixAccount=user \
-a attributeMap=passwd:homeDirectory=unixHomeDirectory

This should result in a file "/var/ldap/ldap_client_file" with the following
contents:
NS_LDAP_SERVERS= kdc.ourdomain.internal
NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=internal
NS_LDAP_AUTH= simple
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user

There are some additional important steps to take (like editing /etc/pam.conf
and /etc/nsswitch.conf), but I guess you have already figured these out. If
not, I can tell you more.

good luck

Rob De Langhe
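Added here as an example, not code from the thread: a small POSIX sh checker for the ldap_client_file settings discussed above (Rob's simple bind with a proxy account, and Mark's sasl/GSSAPI with NS_LDAP_CREDENTIAL_LEVEL= self). The function names and the sample file are constructed; it assumes the NS_LDAP_* key names as ldapclient writes them.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the NS_LDAP_* settings that
# ldapclient writes to /var/ldap/ldap_client_file against the two setups
# discussed above (simple bind with a proxy account vs sasl/GSSAPI as self).
# Prints one finding per line; returns 1 when a hard error is found.

get_attr() {   # get_attr FILE KEY -> value following "KEY= "
    sed -n "s/^$2= *//p" "$1" | head -n 1
}

check_ldap_client_file() {
    f="$1"; rc=0
    auth=$(get_attr "$f" NS_LDAP_AUTH)
    level=$(get_attr "$f" NS_LDAP_CREDENTIAL_LEVEL)
    [ -n "$(get_attr "$f" NS_LDAP_SERVERS)" ] \
        || { echo "ERR: NS_LDAP_SERVERS missing"; rc=1; }
    [ -n "$(get_attr "$f" NS_LDAP_SEARCH_BASEDN)" ] \
        || { echo "ERR: NS_LDAP_SEARCH_BASEDN missing"; rc=1; }
    case "$auth" in
    sasl/GSSAPI)
        # Kerberos bind as the logged-in user: the thread pairs it with self.
        [ "$level" = self ] || { echo "ERR: sasl/GSSAPI expects" \
            "NS_LDAP_CREDENTIAL_LEVEL= self (got '$level')"; rc=1; }
        echo "OK: sasl/GSSAPI bind; confirm a ticket with klist before ldaplist"
        ;;
    simple)
        # Proxy bind: AD must permit simple binds for the proxy account, and the
        # bind DN/password are kept in /var/ldap/ldap_client_cred.
        [ "$level" = proxy ] || { echo "ERR: simple auth expects" \
            "NS_LDAP_CREDENTIAL_LEVEL= proxy (got '$level')"; rc=1; }
        echo "WARN: simple bind sends the proxy password in the clear; tls:simple avoids that"
        ;;
    tls:simple) echo "OK: simple bind protected by TLS" ;;
    '')         echo "ERR: NS_LDAP_AUTH missing"; rc=1 ;;
    *)          echo "WARN: unhandled NS_LDAP_AUTH value '$auth'" ;;
    esac
    return $rc
}

# Constructed sample mirroring the file contents shown in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
NS_LDAP_SERVERS= kdc.ourdomain.internal
NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=internal
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
EOF
check_ldap_client_file "$sample"
rm -f "$sample"
```

Run it against the real /var/ldap/ldap_client_file by replacing the constructed sample path; a non-zero exit marks a combination that the thread's reports say will not bind.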

-----Original Message-----
[] On Behalf Of Twardzik, Mark J.
Sent: Thursday, May 12, 2011 3:57 PM
Subject: Authenticating Solaris 10 through Active Directory

I have a Sun Netra T5440 SPARC running Solaris 5.10 with a fresh End User
installation, no additional patches. I am trying to authenticate it through
Active Directory on a Windows Server 2008 R2 system. I followed the
instructions in the Sun document 'Using Kerberos to Authenticate a Solaris 10
LDAP Client With Microsoft Active Directory', although I had to change a few
things to successfully navigate some of the steps. This was expected, as I
realize the document was written for Server 2003.

I believe Kerberos is configured properly, as 'kinit (test user)' obtains
tickets according to klist. However, neither 'ldaplist -l passwd (test user)'
nor 'getent passwd (test user)' work. It looks like a binding issue with
sasl/GSSAPI based on the following error messages:

'cat /var/adm/messages | grep ldap'  results contain the repeated error
'libsldap: makeConnection: failed to open connection using sasl/GSSAPI to'

'snoop -v | grep -i ldap' contains

          [message ID]
     Operation *[APPL 1: Bind Response]
               [Result Code]
               [Matched DN]
               [Error Message]
          SASL Credentials    [7]

Any help would be greatly appreciated, as I have spent a great deal of time
looking through message boards and playing with different configurations.

Send email and I will summarize to the list.
sunmanagers mailing list
Received on Thu May 19 08:25:39 2011

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:18 EST