OpenSolaris LDAP Client to Linux OpenLDAP Server

The following outlines how to set up an OpenSolaris client to authenticate against a Linux OpenLDAP server.

The following is a single command, entered on one line:

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a proxyDN=cn=admin,dc=server -a proxyPassword=yourpassword -a defaultSearchBase=dc=server -a defaultServerList=192.168.1.1:389 -a serviceSearchDescriptor=passwd:ou=People,dc=server -a serviceSearchDescriptor=group:ou=Groups,dc=server

Add the following lines to their appropriate sections in /etc/pam.conf

login   auth required   pam_ldap.so.1
other   auth required   pam_ldap.so.1
passwd  auth required   pam_ldap.so.1

Test LDAP with

ldaplist -l passwd

Test user authentication using the following steps

mkdir /export/home/ldapuser

chown ldapuser /export/home/ldapuser

Edit /etc/auto_home and add the following BEFORE the "+auto_home" line

ldapuser localhost:/export/home/ldapuser

SSH to test

ssh ldapuser@<client-host>     (the address was lost in extraction; <client-host> is the OpenSolaris client)

You should be in! If not, you may have to change the following in /etc/ssh/sshd_config

PAMAuthenticationViaKBDInt no

#Change from yes to no

Restart SSH

svcadm restart ssh

If you are still unable to log in, your userPassword attribute probably needs to be changed from md5/md5crypt to crypt.

su - ldapuser

passwd

After changing your password you should be able to log in.
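Before the SSH test it is worth confirming that the three client-side edits above landed as intended. The POSIX shell script below is an added example written for this page, not part of the original post: it checks that /etc/pam.conf carries the pam_ldap.so.1 auth line for login, other and passwd; that the ldapuser entry in /etc/auto_home comes before "+auto_home" (automount consults the map in order, so an entry placed after the include line is shadowed by the included map); and it reports the effective PAMAuthenticationViaKBDInt value from sshd_config. File paths are passed as arguments so the checks can be run against copies, and the files written by demo() are constructed samples, not real configuration.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the three
# client-side files the walkthrough edits. Each check takes a file path so it
# can be pointed at a copy; demo() builds constructed sample files.

# 1. pam.conf: login, other and passwd must each have an
#    "auth required pam_ldap.so.1" line. Columns may be separated by
#    spaces or tabs. Exit status 0 only when none are missing.
pam_ldap_check() {
    pamconf=$1
    missing=""
    for svc in login other passwd; do
        grep -Eq "^${svc}[[:space:]]+auth[[:space:]]+required[[:space:]]+pam_ldap\.so\.1" \
            "$pamconf" || missing="$missing $svc"
    done
    [ -z "$missing" ] && return 0
    echo "pam.conf: missing pam_ldap.so.1 auth line for:$missing" >&2
    return 1
}

# 2. auto_home: the automounter reads the map top to bottom, so the local
#    entry for the user has to precede "+auto_home"; otherwise the included
#    map is consulted first and the local entry never takes effect.
auto_home_check() {
    user=$1
    map=$2
    user_line=$(grep -n "^${user}[[:space:]]" "$map" | head -n 1 | cut -d: -f1)
    plus_line=$(grep -n '^+auto_home' "$map" | head -n 1 | cut -d: -f1)
    if [ -z "$user_line" ]; then
        echo "auto_home: no entry for $user" >&2
        return 1
    fi
    if [ -n "$plus_line" ] && [ "$user_line" -gt "$plus_line" ]; then
        echo "auto_home: entry for $user comes after +auto_home" >&2
        return 1
    fi
    return 0
}

# 3. sshd_config: print the effective PAMAuthenticationViaKBDInt value,
#    lower-cased. sshd uses the first value it obtains for a keyword, so the
#    first uncommented occurrence wins. Prints nothing if the keyword is absent.
sshd_kbdint_value() {
    grep -Ei '^[[:space:]]*PAMAuthenticationViaKBDInt[[:space:]]+' "$1" \
        | head -n 1 | awk '{print tolower($2)}'
}

# Build constructed sample files in a scratch directory and run the checks.
# The samples are deliberately wrong (passwd line missing, auto_home order
# reversed) to show what a failing check reports.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'login\tauth required\tpam_ldap.so.1\nother\tauth required\tpam_ldap.so.1\n' \
        > "$dir/pam.conf"
    printf '+auto_home\nldapuser localhost:/export/home/ldapuser\n' > "$dir/auto_home"
    printf '# constructed sample\nPAMAuthenticationViaKBDInt no\n' > "$dir/sshd_config"

    if pam_ldap_check "$dir/pam.conf"; then echo "pam.conf: ok"; else echo "pam.conf: FAIL"; fi
    if auto_home_check ldapuser "$dir/auto_home"; then echo "auto_home: ok"; else echo "auto_home: FAIL"; fi
    echo "PAMAuthenticationViaKBDInt: $(sshd_kbdint_value "$dir/sshd_config")"
    rm -rf "$dir"
}

demo
```

On the real client, run pam_ldap_check /etc/pam.conf, auto_home_check ldapuser /etc/auto_home and sshd_kbdint_value /etc/ssh/sshd_config in turn; a non-zero exit from the first two points at the file to fix before spending time on the SSH login itself.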

5 Responses to “OpenSolaris LDAP Client to Linux OpenLDAP Server”

  1. termina says:

    This works on Solaris 10 (x86 at least). Just confirmed.

  2. alexander says:

    The ldapclient fails at this point:

    start: network/ldap/client:default… timed out

    anybody seen this before?

  3. termina says:

    What happens when you do:

    telnet server 389

    or if you use SSL/TLS

    telnet server 636

    My guess is that ldap/client is timing out because it can’t reach the LDAP server. Try re-running ldapclient with the -v option

    Can you paste the ldapclient command you used and any output it gave (with the -v flag)?

  4. Stu says:

    If you get a time out on ldap starting up, use this before binding:

    svcadm enable /network/ldap/client:default

    This allows the ldap network client to start up.

  5. In response to: "Note that you cannot use base64 encoding, you have to use utf-8 encoding for special chars instead." I have found that if I have a special character (or a newline), ldap_add and ldap_modify will automatically do the base64 encoding for you. For example:

    <?php
    // assuming binding is done, etc.
    $entry['postalAddress'] = "123 East 456 West\nSuite A103";
    ldap_modify($ds, $dn, $entry);
    ?>

    The function or server will take the newline and convert it into base64 automatically (same goes for other special characters). You may be able to verify by using a command-line ldapsearch:

    ldapsearch -b "dc=example,dc=com" -x "(cn=Example Person)" postalAddress

    You'll see that the result comes up as:

    dn: cn=Example Person,dc=example,dc=com
    postalAddress:: MTIzIEVhc3QgNDU2IFdlc3QKU3VpdGUgQTEwMw==

    See the double colons after postalAddress? That's how LDAP states it's base64 encoded in this case.
