SUMMARY: LDAP problems with Solaris 10?

From: Adams, Mike (Mike) <>
Date: Tue Dec 26 2006 - 13:05:25 EST
The problem was two fold.

1) The certificates in /var/ldap were not readable by users other than
root. Since pfksh tries to query LDAP for your roles/profiles/auths,
your user(s) need to be able read the certificates

2) In Solaris 10, there are some problems with the runtime linking
environment. I found an old post on sunmanagers referencing a similar
problem with sudo and PAM ldap. The fix was to run:

crle -u -s /usr/lib/mps
crle -64 -u -s /usr/lib/mps/64

As soon as I did this, The Solaris 10 client started working correctly.

Thanks to Gregory Shaw, he recommended the first fix.

If anyone from Sun is actually reading this list - Please train your
directory server reps. The rep that I spoke to told me that she had
never even setup TLS, and was completely clueless when it came to
troubleshooting my problem.

- Mike

-----Original Message-----
[] On Behalf Of Adams, Mike
Sent: Friday, December 22, 2006 2:00 PM
Subject: RE: LDAP problems with Solaris 10?

I've been able to make some progress.

   Out of nowhere I started getting errors about not being able to
connect to the LDAP server. I ldapclient uninit'd and tried to init
again. The init was successful, but I still couldn't ldaplist, or see
any users at all. I did uninit again and this time I init'd ldap without

  Without SSL, everything works great. RBAC works, netgroups work.

  I uninit and reinit with the SSL profile, Users work, netgroups work,
but RBAC does not. I disable SSL, RBAC works again.

  Why would RBAC fail when I use LDAPS instead of LDAP?

-----Original Message-----
[] On Behalf Of Adams, Mike
Sent: Friday, December 22, 2006 1:21 PM
Subject: LDAP problems with Solaris 10?


  I've got two problems with LDAP on Solaris 10.

  My first problem is with RBAC. I've gotten RBAC working over ldap in
Solaris 9. In my lab I've got three servers. A Sun ONE Directory Server
5.2 2005Q4 running Solaris 9, and two LDAP clients. One running Solaris
10, the other Solaris 9. Both clients are able to authenticate users via
LDAP. I've got a user created in ldap. This user has the Primary
Administrator assigned to it, and his shell is set to pfksh.

  When I log into the Solaris 9 host, everything works as expected. I
provide my login credentials and I am authenticated. I type id -a and it
shows uid 0. When I log into the Solaris 10 host, I have no extended
privileges. When I run profiles it says Primary Administrator, Basic
Solaris User, All. When I run auths, it says solaris.* (as expected).
However, I have no elevated access. It's as if my shell is unaware of
the RBAC attributes.

   The second problem is with netgroups. If I change my nsswitch.conf to
read passwd: compat and passwd_compat: files ldap and add a netgroup to
/etc/passwd, I can not see any ldap users on my system. If I change it
to passwd: files ldap, the ldap users are there, and can log in. I had a
similar problem with Solaris 9 before I installed patch 112960-40. I
couldn't find a similar patch for Solaris 10.

   Am I missing something? I've gotten all of the same stuff to work on
a Solaris 9 box, Are there some pam changes that I need to make for
Solaris 10 to support netgroups and RBAC in ldap?

Mike Adams
Verizon Business
Application Solutions
Systems Engineering and Operations
Tel: 916.649.6244 / Cell: 916.838.1790
sunmanagers mailing list
sunmanagers mailing list
sunmanagers mailing list
Received on Tue Dec 26 13:05:50 2006

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:03 EST