Re: Directory Server LDAP/LDIF import - working yet not working???
From: Jesse DeFer (jdefer_at_dotd.com)
Date: 11/30/04
- Next message: John D Groenveld: "Re: FWD: 64 Days to 64-bit x86 Computing!"
- Previous message: Gary Tay Teng Teck: "Re: Directory Server LDAP/LDIF import - working yet not working???"
- In reply to: John_B: "Re: Directory Server LDAP/LDIF import - working yet not working???"
- Next in thread: Gary Tay Teng Teck: "Re: Directory Server LDAP/LDIF import - working yet not working???"
- Reply: Gary Tay Teng Teck: "Re: Directory Server LDAP/LDIF import - working yet not working???"
- Reply: John_B: "Re: Directory Server LDAP/LDIF import - working yet not working???"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 30 Nov 2004 16:34:48 GMT
John_B wrote:
> John_B wrote:
>
> -- lots o' snipping --
>
>> However, if I try to get in with a regular login (no "su" - enter the
>> user ID and password), I get rejected with "Login Incorrect". Very
>> odd, but it looks like the password is not being accepted. I thought
>> that it might have something to do with have SSHA configured as the
>> default password encryption, so I changed it to Crypt and restarted
>> the server but I still can't get in normally.
>
>
> I found something about this. Maybe someone can clarify this.
>
> When I'm on the client and I run "ldaplist -l passwd {userid}" I get the
> following:
>
> dn: uid=########,ou=People,dc=#####,dc=###
> loginShell: /usr/bin/bash
> gidNumber: 10000
> uidNumber: 20951
> shadowMax: 60
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> uid: #######
> gecos: ############
> shadowLastChange: 12695
> cn: ###########
> shadowInactive: 45
> homeDirectory: /export/home/#######
>
> One thing that is conspicuously missing is the userPassword entry. I
> just checked the LDIF files that I used for importing. Here is what is
> listed with each account:
>
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}#####################
>
> ...but there is no instance of the userPassword attribute in the
> ldaplist results. Curious.
>
> Any ideas?
>
> I'm gettin' there, folks. Please be patient. :)
>
> -- John
>
I am working on the same thing, using Solaris 9, DS 5.2, and pam_ldap.
I have reached the point where I can see all data in LDAP, but am
not able to log in with LDAP accounts (I see the user bind successfully to
the LDAP server, but the su/login still fails). Here are some things
that might help...
If you are using pam_ldap, then you don't need to see the userpassword,
if you are using pam_unix you do. pam_ldap uses an LDAP bind to
authenticate the users, pam_unix retrieves the crypted password and
compares it locally.
In case of pam_unix, check to see that idsconfig updated the proper ACI
that allows the proxy agent to read the password:
http://docs.sun.com/app/docs/doc/806-5580/6jej518pq?l=fr&a=view
Look in the section: Give the Proxy Agent Read Permission for Password.
One step idsconfig didn't do was add the proxy agent account, I had to
do it myself. In the URL above see the section: Add the proxyagent
Entry to the LDAP Server.
Make sure your directory server is patched. I had the original 5.2 and
it had a bug with VLVs that prevented groups from being enumerated (with
an operations error message). There are different patches depending on
if you have the package or the tarball version, a quick search on
sunsolve will turn them up.
ldap_cachemgr and nscd will cache things, so if you're changing
attributes in LDAP and getting weird results on the client, restart them.
The id and finger commands are useful to see if you're querying LDAP
properly.
I didn't add an authenticationMethod to my client profile when I created
it, assuming it would default to something (like simple), it doesn't.
Make sure you've got something in there.
Using a separate LDAP server and client, so you can sniff the LDAP
traffic, is very useful.
-JD
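The pam_ldap versus pam_unix distinction in the reply above is the crux of the "userPassword is missing from ldaplist" symptom, so here is an added illustration of it (my own example, not code from the list post or from Sun's software). It models a single directory entry, the proxy agent's ACI as a set of readable attribute names, and the two PAM paths: pam_ldap binds as the user and never needs to see the hash, while pam_unix must read userPassword through the proxy agent and compare locally. Everything in it is constructed: the entry, the ACI sets, the helper names, and the use of {SSHA} for the stored value (the thread also mentions {crypt}, which on a real Solaris box would go through crypt(3) and is not modelled here).

```python
import base64
import hashlib
import hmac


def ssha_hash(password: str, salt: bytes) -> str:
    """Build an LDAP {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("only {SSHA} values are modelled in this example")
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


# Constructed sample entry (hypothetical user, not from the thread).
SAMPLE_ENTRY = {
    "dn": "uid=jdoe,ou=People,dc=example,dc=com",
    "uid": "jdoe",
    "uidNumber": "20951",
    "gidNumber": "10000",
    "loginShell": "/usr/bin/bash",
    "homeDirectory": "/export/home/jdoe",
    "userPassword": ssha_hash("correct-horse", b"\x01\x02\x03\x04"),
}

# Two hypothetical proxy-agent ACIs, modelled as the attributes the agent may read.
# The first matches what the ldaplist output in the thread shows: no userPassword.
PROXY_ACI_DEFAULT = {"uid", "uidNumber", "gidNumber", "loginShell", "homeDirectory"}
PROXY_ACI_WITH_PASSWORD = PROXY_ACI_DEFAULT | {"userPassword"}


def proxy_agent_search(uid: str, readable_attrs):
    """What the client sees via the proxy agent (think 'ldaplist -l passwd uid')."""
    if uid != SAMPLE_ENTRY["uid"]:
        return None
    return {k: v for k, v in SAMPLE_ENTRY.items() if k == "dn" or k in readable_attrs}


def directory_bind(dn: str, password: str) -> bool:
    """Simulated simple bind: the server itself compares against the stored hash."""
    if dn != SAMPLE_ENTRY["dn"]:
        return False
    return ssha_verify(SAMPLE_ENTRY["userPassword"], password)


def pam_ldap_auth(uid: str, password: str, readable_attrs=None) -> bool:
    """pam_ldap path: resolve the DN, then bind as the user. The hash stays on the server."""
    attrs = PROXY_ACI_DEFAULT if readable_attrs is None else readable_attrs
    entry = proxy_agent_search(uid, attrs)
    if entry is None:
        return False
    return directory_bind(entry["dn"], password)


def pam_unix_auth(uid: str, password: str, readable_attrs) -> bool:
    """pam_unix path: fetch userPassword through the proxy agent and compare locally.
    If the ACI hides the attribute there is nothing to compare, hence 'Login incorrect'."""
    entry = proxy_agent_search(uid, readable_attrs)
    if entry is None or "userPassword" not in entry:
        return False
    return ssha_verify(entry["userPassword"], password)


if __name__ == "__main__":
    print("pam_ldap:", pam_ldap_auth("jdoe", "correct-horse"))
    print("pam_unix, no ACI:", pam_unix_auth("jdoe", "correct-horse", PROXY_ACI_DEFAULT))
    print("pam_unix, ACI:", pam_unix_auth("jdoe", "correct-horse", PROXY_ACI_WITH_PASSWORD))
```

The security trade-off the model makes visible: granting the proxy agent read access to userPassword (the ACI step in the linked Sun doc) is what makes pam_unix work, but it also hands every client that knows the proxy credentials a copy of each user's hash, so pam_ldap's bind-based path exposes strictly less.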