Ok, I must be doing something tremendously wrong. I'm mucking about with trying to set up a Sun ONE Directory Server 5.2 server to provide user management functions. I'm having mixed results.

Once I've done the `directoryserver configure; idsconfig; ldapaddent` stuff and add the pam_ldap.so.1 to /etc/pam.conf, I am able to log in using users that exist only in the LDAP (but currently can't change passwds - get "permission denied"). So, some success there.

However, some other oddities:

- If I add a user from the directory server console, I can't log in with that user at all. Doing an LDAP search for the new user versus one created via an ldapaddent of /etc/passwd, there appear to be several differences in the associated records:

GOOD RECORD (`ldapaddent -f /etc/passwd passwd` created):

    uid=jonesth1,ou=people,o=wsl.digex.com.kntr
    cn=jonesth1
    uidNumber=10100
    gidNumber=100
    gecos=Thomas H Jones II
    homeDirectory=/home/jonesth1
    loginShell=/bin/ksh
    objectClass=posixAccount
    objectClass=shadowAccount
    objectClass=account
    objectClass=top
    uid=jonesth1
    userPassword={crypt}yOnLXx68L26pE
    shadowLastChange=11748
    shadowFlag=0

BAD RECORD (console created):

    uid=tinkerb,ou=People, o=wsl.digex.com.kntr
    userPassword={crypt}eBC5RjZcoZwFg
    givenName=Tinker
    sn=Bell
    telephoneNumber=240-264-2000
    loginShell=/bin/ksh
    gidNumber=204
    uidNumber=44444
    mail=tinkerb@wsl.digex.com
    objectClass=top
    objectClass=person
    objectClass=organizationalPerson
    objectClass=inetorgperson
    objectClass=posixAccount
    uid=tinkerb
    gecos=Tinker Bell
    cn=Tinker Bell

So, I also tried adding the user via the OS (non-LDAP*) command line tools. The user got created into the local files, rather than the LDAP. So, I'm guessing I need to use the ldapadd/ldapmodify tools?

Now, I thought that when I ran the idsconfig, it creates the proxy user with sufficient privileges to do LDAP passwd changes. If this isn't the case, what have I missed (I know, probably something simple)?

I've been digging through docs.sun.com, but I can't see straight any more.

-tom
On Mon, 17 Nov 2003 15:36:10 -0600, Thomas H Jones II wrote:

> Ok, I must be doing something tremendously wrong. I'm mucking about with
> trying to set up a Sun ONE Directory Server 5.2 server to provide user
> management functions. I'm having mixed results.
>
> Once I've done the `directoryserver configure; idsconfig; ldapaddent`
> stuff and add the pam_ldap.so.1 to /etc/pam.conf, I am able to log in
> using users that exist only in the LDAP (but currently can't change
> passwds - get "permission denied"). So, some success there.
>
> However, some other oddities:
>
> - If I add a user from the directory server console, I can't log in with
> that user at all. Doing an LDAP search for the new user versus one
> created via an ldapaddent of /etc/passwd, there appear to be several
> differences in the associated records:
> ...snip
> So, I also tried adding the user via the OS (non-LDAP*) command line
> tools. The user got created into the local files, rather than the
> LDAP. So, I'm guessing I need to use the ldapadd/ldapmodify tools?
>
> Now, I thought that when I ran the idsconfig, it creates the proxy user
> with sufficient privileges to do LDAP passwd changes. If this isn't the
> case, what have I missed (I know, probably something simple)? I've been
> digging through docs.sun.com, but I can't see straight any more.
>
> -tom

I am no expert, but I have spent a lot of time on the ldap subject, so I will try to help.

Solaris naming service requires objectclass=shadowaccount. passwd with the '-r ldap' option should let you change the password in ldap, but again, the objectclass shadowaccount must exist for the user.

You may want to check ldapclient list and verify the service-auth-method entries.

ldapadd/ldapmodify is a good way to enter data using ldif files (more reading again?). You can use the gui if you desire, but it is a bit cumbersome for me.

Check nsswitch.conf for the proper entries on passwd and group. It sounds like you also want files.

If you get really stuck, check the access log for the slapd server. This has pointed me in the correct direction on many occasions.

Alex
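As an added example, not code from either poster or from Sun's own tools: a small Python checker that takes LDAP entries in the attr=value form pasted in the thread (or plain LDIF attr: value), verifies what a Solaris LDAP naming-service client looks for (the shadowAccount object class Alex mentions, plus the posixAccount MUST attributes from RFC 2307), and emits the `ldapmodify` LDIF that would bring a console-created entry into line. The two sample records are constructed from the thread; the repair's home-directory path (`/home/<uid>`) is an assumption for illustration, not something the thread states.

```python
"""Check LDAP user entries for what a Solaris LDAP naming-service client
expects, and build the LDIF that would repair a non-compliant entry.
Added example for the thread above; not Sun's schema or tooling."""

# Object classes and RFC 2307 posixAccount MUST attributes a Solaris client
# expects on a login account (assumption: these are the checks discussed in
# the thread, not a copy of Sun's schema files).
REQUIRED_CLASSES = ("posixAccount", "shadowAccount")
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample input, copied from the two records pasted in the thread.
GOOD_RECORD = """\
uid=jonesth1,ou=people,o=wsl.digex.com.kntr
cn=jonesth1
uidNumber=10100
gidNumber=100
gecos=Thomas H Jones II
homeDirectory=/home/jonesth1
loginShell=/bin/ksh
objectClass=posixAccount
objectClass=shadowAccount
objectClass=account
objectClass=top
uid=jonesth1
userPassword={crypt}yOnLXx68L26pE
shadowLastChange=11748
shadowFlag=0
"""

BAD_RECORD = """\
uid=tinkerb,ou=People, o=wsl.digex.com.kntr
userPassword={crypt}eBC5RjZcoZwFg
givenName=Tinker
sn=Bell
telephoneNumber=240-264-2000
loginShell=/bin/ksh
gidNumber=204
uidNumber=44444
mail=tinkerb@wsl.digex.com
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
objectClass=posixAccount
uid=tinkerb
gecos=Tinker Bell
cn=Tinker Bell
"""


def parse_entries(text):
    """Parse entries separated by blank lines. The first line of each entry
    is its DN; remaining lines are 'attr=value' or LDIF 'attr: value'.
    Returns a list of dicts: lowercase attribute name -> list of values."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if "dn" not in current:          # first line of an entry is the DN
            current["dn"] = [line[4:] if line.lower().startswith("dn: ") else line]
            continue
        if ": " in line:
            name, value = line.split(": ", 1)
        elif "=" in line:
            name, value = line.split("=", 1)
        else:
            continue                     # ignore lines that are not attributes
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Report missing required object classes and posixAccount MUST attributes.
    An empty dict means the entry has everything the checks look for."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = {}
    missing_classes = [c for c in REQUIRED_CLASSES if c.lower() not in classes]
    missing_attrs = [a for a in POSIX_MUST if a.lower() not in entry]
    if missing_classes:
        problems["missing_objectclasses"] = missing_classes
    if missing_attrs:
        problems["missing_attributes"] = missing_attrs
    return problems


def repair_ldif(entry, home_base="/home"):
    """Build a 'changetype: modify' LDIF adding whatever check_entry found
    missing. homeDirectory is derived as <home_base>/<uid> (an assumption);
    other missing MUST attributes are left for the admin to supply."""
    problems = check_entry(entry)
    if not problems:
        return ""
    lines = ["dn: " + entry["dn"][0], "changetype: modify"]
    for cls in problems.get("missing_objectclasses", []):
        lines += ["add: objectClass", "objectClass: " + cls, "-"]
    if "homeDirectory" in problems.get("missing_attributes", []) and "uid" in entry:
        lines += ["add: homeDirectory",
                  "homeDirectory: %s/%s" % (home_base, entry["uid"][0]), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD_RECORD), ("BAD", BAD_RECORD)):
        for e in parse_entries(text):
            print(label, e["dn"][0], check_entry(e) or "ok")
            print(repair_ldif(e), end="")
```

Run it as-is to see the console-created record flagged for the missing shadowAccount class (and a missing homeDirectory, which posixAccount requires); the printed LDIF is what you would feed to `ldapmodify` after reviewing it, which fits Alex's suggestion of maintaining entries through LDIF rather than the console.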