qqcindy
asked on
Solaris System login using LDAP user account
I have a set of client and server, both with Solaris 9 OS. I have setup the iPlanet Directory Server in the server.
I can successfully use ldapsearch to search information using both the proxyagent and the username.
However, when I use the login command on the client, the user fails to log in. I can see that there is a request for the user information in the server log as well as by snooping. Suitable information is also replied to the client.
I've tried both pam_unix with crypt password encryption and pam_ldap with simple password. But both failed.
I wonder how the client could set up those user-related information such as the home directory. Does it do it automatically? Or do I need to set up the user environment in the client beforehand?
If you have set up the system with pam_ldap, and your iPlanet logs show the request, then the problem is most likely on the client side.
The most common ones are:
required shell is not listed in /etc/shells
home directory does not exist, or has wrong permissions
another reason might be that the password has expired in LDAP, did you check?
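The client-side causes listed in the answer above (shell not in /etc/shells, home directory missing or with wrong ownership) can be checked in one go. This is an added diagnostic script, not code from the thread; it assumes the LDAP client already resolves the account, so its input is the passwd line that `getent passwd <user>` returns on the client.

```shell
#!/bin/sh
# Added example, not from the thread: check the client-side prerequisites that
# make a pam_ldap login fail even though the LDAP lookup itself succeeded.
# Argument 1 is one passwd(4)-format line, as `getent passwd user1` returns it
# on the LDAP client; argument 2 is the shells file (normally /etc/shells).
# If the shells file is absent, as on the asker's client, that check is skipped.

# check_login_prereqs PASSWD_LINE SHELLS_FILE
# Prints "ok" or the first problem found; exit status 0 only when all pass.
check_login_prereqs() {
    entry=$1
    shells=$2
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # 1. The login shell must be listed in the shells file, if there is one,
    #    and must actually exist on the client.
    if [ -f "$shells" ] && ! grep -x "$shell" "$shells" >/dev/null; then
        echo "shell $shell is not listed in $shells"; return 1
    fi
    if [ ! -x "$shell" ]; then
        echo "shell $shell is missing or not executable on this client"; return 1
    fi

    # 2. The home directory is not created at login; it must already exist.
    if [ ! -d "$home" ]; then
        echo "home directory $home does not exist on this client"; return 1
    fi

    # 3. It must be owned by the uid carried in the LDAP entry.
    owner=$(ls -ldn "$home" | awk '{print $3}')
    if [ "$owner" != "$uid" ]; then
        echo "home directory $home is owned by uid $owner, expected $uid"; return 1
    fi
    echo ok
}

# Constructed demonstration in a scratch directory (sample entries, not real
# accounts): user1 has everything in place, user2 has no home directory.
demo=$(mktemp -d)
printf '/bin/sh\n' > "$demo/shells"
mkdir "$demo/user1"
check_login_prereqs "user1:x:$(id -u):100:User One:$demo/user1:/bin/sh" "$demo/shells"
check_login_prereqs "user2:x:$(id -u):100:User Two:$demo/user2:/bin/sh" "$demo/shells" || :
rm -r "$demo"
```

On the real client run it as `check_login_prereqs "$(getent passwd user1)" /etc/shells`; an empty passwd line means the LDAP lookup itself is the problem, not these prerequisites.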
ASKER
I'm using pam_ldap. It just prompts me "Incorrect password".
"unable to refresh profile" and "unable to qualify my own domain name" are in /var/adm/messages. But I just think it won't affect the authentication at all.
My configuration in client:
domainname=nep.com
defaultsearchbase=dc=nep,dc=com
authenticationmethod=simple
proxydn=cn=proxyuser,ou=People,dc=nep,dc=com
proxypassword=proxyuser123
credentiallevel=proxy
My server has also been configured for CLEAR TEXT password storage.
ASKER
I can't find /etc/shells.
Isn't the home directory created when I first log in??
ASKER
If I set the home directory to "/export/home/user1", will the dir be created on the server or the client?
Your domain name is (probably) wrong. iDS is usually setup as a "DNS-rooted" LDAP service (sorry, Novell speak). Administrators usually setup iDS so it uses DNS for host resolution, how's your /etc/domainname & resolv.conf? The dc= is indicative of a DNS based LDAP tree.
You need to check that you're using simple authentication on both client and server (not only the way that things are stored).
Home directory mapping can be achieved by auto_master, as it is with other naming systems (i.e.: yp) - Sun just extended the functionality in Solaris 8 or 9, can't remember which.
Best of luck.
> ..will the dir be created in the server or the client?
No.
You need to create the directory first. This is usually done by useradd (or whatever admin tool you use to set up your new users).
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
PAQ No refund
Please leave any comments here within the next four days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
liddler
EE Cleanup Volunteer
ASKER CERTIFIED SOLUTION
Something is missing, what is the client requesting from the server, when it fails?
Otherwise, if you don't have available space or partitions to create a home dir, it will fail and you won't see any errors.
Try to touch a dir where the user would be creating a home dir.
Are there any error(s) on screen or in /var/adm/messages?