[OmniOS-discuss] ldap auth
Brian High
high at uw.edu
Fri Aug 23 21:56:46 UTC 2013
I would very much like to migrate from OpenIndiana to OmniOS. But I am
hung up on one issue. I am having trouble with ldap authentication
(pam_ldap) in OmniOS. I am hoping someone on this list will have some
experience with this and can enlighten me.
On oi_151.1.7 we are able to get LDAP auth working against our 389
Directory (FDS) with TLS, using these commands to set it up:
### Install Mozilla-NSS to get "certutil".
# pkg set-publisher -p http://pkg.openindiana.org/dev
# pkg install system/mozilla-nss
### Import the CA Cert.
# certutil -A -n defaultCert \
-i /path/to/cacert.asc \
-a -t CT -d /var/ldap
### Test with "ldapsearch"
# ldapsearch -v -x -ZZ \
-h ldap.example.com -p 636 \
-b OU=People,dc=example,dc=com \
-P /var/ldap/cert8.db \
-D cn=xxxx,ou=DSA,dc=example,dc=com \
-w yyyy \
-LLL "(uid=root)" gecos
### Configure with "ldapclient"
# ldapclient manual -vvv \
-a domainName=example.com \
-a serviceSearchDescriptor=passwd:OU=People,dc=example,dc=com \
-a serviceSearchDescriptor=group:OU=Groups,dc=example,dc=com \
-a authenticationMethod=tls:simple \
-a credentialLevel=proxy \
-a certificatePath=/var/ldap \
-a defaultSearchBase=dc=example,dc=com \
-a searchTimeLimit=60 \
-a defaultServerList=ldap.example.com,ldap2.example.com \
-a proxyDN=cn=xxxx,ou=DSA,dc=example,dc=com \
-a proxyPassword=yyyy
### Edit "/etc/nsswitch.conf" to use "files ldap" for "passwd" & "group"
### Edit "/etc/pam.conf" for "auth required pam_ldap.so.1"
... However, in OmniOS r151006 (omnios-b281e50) the ldapsearch test
fails when using TLS (-Z or -ZZ switches used) with:
ldap_simple_bind: Can't contact LDAP server
But does not fail if TLS is not used (-Z or -ZZ omitted).
And, similarly, when using ldap auth (PAM), we see in the logs:
Aug 23 12:48:00 MYHOST ldap_cachemgr[847]: [ID 545954 daemon.error]
libsldap: makeConnection: failed to open connection to MYLDAPSERVER
Aug 23 12:48:00 MYHOST ldap_cachemgr[847]: [ID 687686 daemon.warning]
libsldap: Falling back to anonymous, non-SSL mode for
__ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact
LDAP server
Since debug has not been compiled into the ldapsearch client, I can't
get any more details from that. But, interestingly, when I compile my
own OpenSSL and OpenLDAP and use its ldapsearch, I can use TLS with it
with no problems.
# /usr/local/bin/ldapsearch -x -Z -h MYLDAPSERVER -b
OU=People,dc=example,dc=com -LLL "(uid=root)" gecos
dn: uid=root,ou=People,dc=example,dc=com
gecos: Netbios Domain Administrator
Any ideas of what might be wrong here with the OmniOS ldap client?
--
Brian High <high at uw.edu>
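The ldap_cachemgr warning quoted in the post is worth more than a debugging clue: "Falling back to anonymous, non-SSL mode" means libsldap kept serving lookups unencrypted and unauthenticated after the TLS bind failed. The following script is an added example, not part of the original post, that flags that downgrade in syslog output and lists the servers libsldap could not reach; the log text is constructed from the lines quoted above plus one unrelated line.

```shell
#!/bin/sh
# Added example (not from the original post): detect the libsldap
# TLS-to-plaintext fallback in ldap_cachemgr syslog output.

# Constructed sample log: the two libsldap lines from the post plus one
# unrelated line that the filters must ignore.
SAMPLE_LOG=$(cat <<'EOF'
Aug 23 12:48:00 MYHOST ldap_cachemgr[847]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to MYLDAPSERVER
Aug 23 12:48:00 MYHOST ldap_cachemgr[847]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
Aug 23 12:50:12 MYHOST sshd[1200]: Accepted publickey for root from 192.0.2.10 (constructed line)
EOF
)

# count_nonssl_fallbacks LOGTEXT
# Prints how many times libsldap dropped to anonymous, non-SSL mode.
# grep -c exits 1 when the count is 0, so "|| true" keeps the 0 usable.
count_nonssl_fallbacks() {
    printf '%s\n' "$1" \
        | grep -c 'libsldap: Falling back to anonymous, non-SSL mode' || true
}

# failed_servers LOGTEXT
# Prints the unique server names from "failed to open connection to X"
# lines, i.e. the entries of defaultServerList that the TLS connect failed on.
failed_servers() {
    printf '%s\n' "$1" \
        | sed -n 's/.*libsldap: makeConnection: failed to open connection to \([^ ]*\).*/\1/p' \
        | sort -u
}

# Report a downgrade so it is not lost among the other certificate errors.
n=$(count_nonssl_fallbacks "$SAMPLE_LOG")
if [ "$n" -gt 0 ]; then
    echo "WARNING: $n non-SSL fallback(s) by libsldap; TLS connect failed to:" \
        "$(failed_servers "$SAMPLE_LOG" | tr '\n' ' ')"
fi
```

On a real host, replace SAMPLE_LOG with the relevant lines from /var/adm/messages and treat a non-zero count as a finding until the certificate database problem is resolved.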