How to setup Solaris 10 ldap client and glue it with ssh

Recently I wrote a post about configuring an OpenLDAP server with TLS support on RHEL, available here. There I also mentioned how to set up Linux to authenticate against an LDAP server, but I didn't say a word about Solaris. That's unfair, and I'm going to fix it with a quick guide on how to set up the LDAP client in Solaris 10.

  1. First of all, add the LDAP server's certificate to your local certificate database. Otherwise you won't be able to set up a TLS session:

    /usr/sfw/bin/certutil -N -d /var/ldap/
    /usr/sfw/bin/certutil -A -n "LDAP server certificate" -i /path_to_where_you_copied_ldap_certificate_file -a -t CT -d /var/ldap

  2. Verify that everything was done right:

    /usr/sfw/bin/certutil -L -d /var/ldap/

  3. Set up the Solaris LDAP client:

    ldapclient manual \
    -a credentialLevel=proxy \
    -a authenticationMethod=tls:simple \
    -a \
    -a defaultSearchBase=DC=example,DC=com \
    -a proxyDN="cn=svc_ldp_proxy,dc=example,dc=com" \
    -a proxyPassword=PASSWORD \
    -a serviceSearchDescriptor="passwd:ou=people,?sub" \
    -a serviceSearchDescriptor="group:ou=group,?sub?gidnumber" \
    -a serviceSearchDescriptor="netgroup:ou=netgroup,?sub" \
    -a serviceSearchDescriptor="shadow:ou=people,?sub?uid=*" \
    -a followReferrals=false LDAP_SERVER_IP:LDAP_SERVER_PORT

    Please note that your serviceSearchDescriptor attributes might be different, depending on your LDAP structure. This attribute just instructs the LDAP client how to build its queries when searching, in my particular case, for passwd, group and netgroup records.

  4. All the rest is almost like in the Linux world. /etc/nsswitch.conf:

    passwd:     compat
    passwd_compat: ldap
    group:      files ldap
    hosts:      files dns
    ipnodes:    files dns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   ldap
    automount:  files
    aliases:    files
    services:   files
    printers:   user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files

    cat /etc/pam.conf | grep sshd-kbdint

    sshd-kbdint     auth requisite debug
    sshd-kbdint     auth required  debug
    sshd-kbdint     auth binding   server_policy debug
    sshd-kbdint     auth required  debug
  5. Take another look at your configuration:

    ldapclient list

  6. Use some very basic tools, i.e. id or getent, to make sure you can query the LDAP server and receive correct responses.
  7. Finally, try to ssh into your server with an LDAP-aware account.
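As an added sanity check (example script, not part of the original post), the following POSIX sh snippet reads an nsswitch.conf-style file and verifies the layout used above: passwd, group and netgroup must reach ldap, while hosts and ipnodes must stay on files/dns so the client can resolve the LDAP server's name without depending on the directory itself. The sample files are constructed inline.

```sh
# Print the source list of one database, e.g. "nss_sources /etc/nsswitch.conf passwd" -> "compat"
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -v db="$2" \
        '$1 == db":" { $1 = ""; sub(/^ +/, ""); print; exit }'
}
# Return 0 when the database's source list contains the given word, else 1
nss_has() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "$3" ] && return 0
    done
    return 1
}
# Return 0 when the file follows the layout used in the post, 1 otherwise
check_nsswitch() {
    f="$1"
    # passwd must reach ldap, directly or through compat + passwd_compat
    if ! nss_has "$f" passwd ldap; then
        nss_has "$f" passwd compat && nss_has "$f" passwd_compat ldap || return 1
    fi
    nss_has "$f" group ldap    || return 1
    nss_has "$f" netgroup ldap || return 1
    # hosts/ipnodes via ldap would loop name resolution of the LDAP server into the directory
    nss_has "$f" hosts ldap   && return 1
    nss_has "$f" ipnodes ldap && return 1
    return 0
}
# Constructed sample mirroring the post's nsswitch.conf (relevant lines only)
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
passwd:     compat
passwd_compat: ldap
group:      files ldap
hosts:      files dns
ipnodes:    files dns
netgroup:   ldap
EOF
# Constructed broken variant: group never consults ldap and hosts does
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
passwd:     files ldap
group:      files
hosts:      files ldap dns
netgroup:   ldap
EOF
trap 'rm -f "$GOOD" "$BAD"' EXIT
check_nsswitch "$GOOD" && echo "sample config: ok"
check_nsswitch "$BAD" || echo "broken config: rejected"
```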

If anything goes wrong, you could do the following:

  • Use ldapsearch -v to make sure you can set up a TLS session with your LDAP server successfully.
  • Enable PAM debugging and check the logs. To do that, just run “touch /etc/pam_debug”, then edit /etc/syslog.conf and add a new line (if it isn't already there, of course; note that syslog.conf needs a tab, not spaces, between the selector and the action):
    *.debug      /path_to_where_you_want_to_store_debug_log

    And restart syslog with “svcadm restart svc:/system/system-log:default”.

  • Analyze the logs on your LDAP server.
  • Switch off TLS and try to sniff the traffic with snoop to make sure your LDAP client sends reasonable queries.
  • Have fun and happy tinkering!

4 thoughts on “How to setup Solaris 10 ldap client and glue it with ssh”

  1. Hello,
    I have configured Redhat Directory Server as my LDAP server. I did not see Proxy DN and Proxy password in the server configuration files.

    Also, to start with, I want to configure simple authentication, not TLS. Could you give your thoughts on this, please?

    • Hi,
      and thanks for stopping by. Sorry if that wasn't stated more clearly, but this post is not about how to configure an LDAP server, whether it's OpenLDAP or Redhat Directory Server, but how to set up the Solaris built-in LDAP client to connect to any LDAP server (in my case it was OpenLDAP). Regarding proxyDN and proxyPassword, I would recommend that you take a look at the official Oracle documentation to get a better idea of what these parameters are used for –

