How to setup Solaris 10 ldap client and glue it with ssh

Recently I wrote a post about configuring an OpenLDAP server with TLS support on RHEL, available here. There I also mentioned how to set up Linux to authenticate against an LDAP server. But I didn't say a word about Solaris. That's unfair, and I'm going to fix that by providing a quick guide on how to set up an LDAP client in Solaris 10.

  1. First of all, add the LDAP server's certificate to your local certificate database. Otherwise you won't be able to set up a TLS session:

    /usr/sfw/bin/certutil -N -d /var/ldap/
    /usr/sfw/bin/certutil -A -n "LDAP server certificate" -i /path_to_where_you_copied_ldap_certificate_file -a -t CT -d /var/ldap

  2. Just verify that everything was done right:

    /usr/sfw/bin/certutil -L -d /var/ldap/

  3. Set up the Solaris ldap client:

    ldapclient manual \
    -a credentialLevel=proxy \
    -a authenticationMethod=tls:simple \
    -a domainName=example.com \
    -a defaultSearchBase=DC=example,DC=com \
    -a proxyDN="cn=svc_ldp_proxy,dc=example,dc=com" \
    -a proxyPassword=PASSWORD \
    -a serviceSearchDescriptor="passwd:ou=people,?sub" \
    -a serviceSearchDescriptor="group:ou=group,?sub?gidnumber" \
    -a serviceSearchDescriptor="netgroup:ou=netgroup,?sub" \
    -a serviceSearchDescriptor="shadow:ou=people,?sub?uid=*" \
    -a followReferrals=false LDAP_SERVER_IP:LDAP_SERVER_PORT

    Please note that your serviceSearchDescriptor attributes might be different: they depend on your LDAP structure. This attribute just instructs the ldap client how to build its queries when searching, in my particular case, for passwd, group and netgroup records.

  4. All the rest is almost like in the Linux world. /etc/nsswitch.conf:

    passwd:     compat
    passwd_compat: ldap
    group:      files ldap
    hosts:      files dns
    ipnodes:    files dns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   ldap
    automount:  files
    aliases:    files
    services:   files
    printers:   user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files

    And the sshd-kbdint lines of /etc/pam.conf:

    grep sshd-kbdint /etc/pam.conf

    sshd-kbdint     auth requisite          pam_authtok_get.so.1 debug
    sshd-kbdint     auth required           pam_unix_cred.so.1 debug
    sshd-kbdint     auth binding            pam_unix_auth.so.1 server_policy debug
    sshd-kbdint     auth required           pam_ldap.so.1 debug

  5. Just take another look at your configuration:

    ldapclient list

  6. Use some very basic tools, e.g. id or getent, to make sure you can query the LDAP server and receive correct responses.
  7. Finally, try to ssh into your server with an LDAP-aware account.
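
Since the nsswitch.conf and pam.conf edits above are the ones that most often go wrong in practice (a passwd line that never reaches ldap, or an sshd stack where pam_ldap sits above pam_unix_auth or pam_unix_auth lacks server_policy), here is a small audit script for both files. It is added to this write-up and is not part of the original post or of any Solaris tool; the helper names nss_uses_ldap, pam_stack_ok and report are mine, and it runs against constructed sample copies of the two files so it works offline. Solaris sshd uses a separate PAM service name per authentication method (sshd-kbdint above is the keyboard-interactive one), so the service name is an argument and the same check can be pointed at the other sshd entries in your pam.conf.

```shell
#!/bin/sh
# Added example: audits the two files the guide edits, /etc/nsswitch.conf and
# /etc/pam.conf, for the settings an LDAP-backed login needs. Constructed sample
# files are used so it runs anywhere; on a Solaris 10 host point the functions at
# the real files instead.

# nss_uses_ldap FILE DATABASE
# Succeeds when DATABASE (passwd, group, netgroup, ...) is served by ldap, either
# directly ("group: files ldap") or through the compat indirection the guide uses
# ("passwd: compat" plus "passwd_compat: ldap").
nss_uses_ldap() {
    awk -v db="$2" '
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap")   direct = 1
                if ($i == "compat") compat = 1
            }
        }
        $1 == (db "_compat:") {
            for (i = 2; i <= NF; i++) if ($i == "ldap") compat_ldap = 1
        }
        END { exit !(direct || (compat && compat_ldap)) }
    ' "$1"
}

# pam_stack_ok FILE SERVICE
# Succeeds when SERVICE's auth stack has pam_unix_auth.so.1 as a "binding" module
# carrying the server_policy flag, and pam_ldap.so.1 as a "required" module later
# in the stack. "binding" lets a correct local password finish the stack early;
# server_policy makes pam_unix_auth step aside for accounts whose password is
# held on the directory server, so pam_ldap must come after it to be consulted.
pam_stack_ok() {
    awk -v svc="$2" '
        $1 == svc && $2 == "auth" {
            n++
            if ($4 == "pam_unix_auth.so.1" && $3 == "binding") {
                unix_pos = n
                for (i = 5; i <= NF; i++) if ($i == "server_policy") policy = 1
            }
            if ($4 == "pam_ldap.so.1" && $3 == "required") ldap_pos = n
        }
        END { exit !(unix_pos && policy && ldap_pos && ldap_pos > unix_pos) }
    ' "$1"
}

# --- constructed sample input (not copied from any real system) --------------
TMP=${TMPDIR:-/tmp}/ldapcheck.$$
mkdir -p "$TMP"

cat > "$TMP/nsswitch.conf" <<'EOF'
passwd:     compat
passwd_compat: ldap
group:      files ldap
hosts:      files dns
netgroup:   ldap
automount:  files
EOF

# The sshd-kbdint stack exactly as the guide shows it ...
cat > "$TMP/pam.good" <<'EOF'
sshd-kbdint     auth requisite          pam_authtok_get.so.1 debug
sshd-kbdint     auth required           pam_unix_cred.so.1 debug
sshd-kbdint     auth binding            pam_unix_auth.so.1 server_policy debug
sshd-kbdint     auth required           pam_ldap.so.1 debug
EOF

# ... and a broken variant: pam_ldap above pam_unix_auth, and no server_policy.
cat > "$TMP/pam.bad" <<'EOF'
sshd-kbdint     auth requisite          pam_authtok_get.so.1
sshd-kbdint     auth required           pam_ldap.so.1
sshd-kbdint     auth binding            pam_unix_auth.so.1
EOF

report() {  # report DESCRIPTION CHECK ARGS...
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fi
}

report "passwd via ldap (compat)"                   nss_uses_ldap "$TMP/nsswitch.conf" passwd
report "group via ldap"                             nss_uses_ldap "$TMP/nsswitch.conf" group
report "automount via ldap (expect FAIL)"           nss_uses_ldap "$TMP/nsswitch.conf" automount
report "sshd-kbdint stack as in guide"              pam_stack_ok "$TMP/pam.good" sshd-kbdint
report "sshd-kbdint stack misordered (expect FAIL)" pam_stack_ok "$TMP/pam.bad" sshd-kbdint
```

On a real box, source the script and call `nss_uses_ldap /etc/nsswitch.conf passwd` and `pam_stack_ok /etc/pam.conf sshd-kbdint` (repeat with whichever other sshd service names your pam.conf carries); the sample files are left under $TMP for inspection, so remove that directory when you are done.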

If anything goes wrong, you could do the following:

  • Use ldapsearch -v to make sure you can set up a TLS session with your LDAP server successfully.
  • Enable PAM debugging and check the logs. To do that, run “touch /etc/pam_debug”, then edit /etc/syslog.conf and add a new line (if it isn't already there, of course), keeping in mind that syslog.conf wants a tab, not spaces, between the selector and the action:
    *.debug      /path_to_where_you_want_to_store_debug_log

    Then restart syslog with “svcadm restart svc:/system/system-log:default”.

  • Analyze the logs on your LDAP server.
  • Switch off TLS and try to sniff the traffic with snoop to make sure your ldap client sends reasonable queries.
  • Have fun and happy tinkering!