
QuickStart to Solaris 10 LDAP Authentication


I pulled together these notes from when I was doing a lot of Sun Directory work earlier this summer. Solaris 10 LDAP authentication is so much more straightforward than previous revisions. This post could use some work, but someone may find it as a good starting point.

Preserve the existing environment
Backup /etc/pam.conf
Backup /etc/nsswitch.conf

Edit /etc/pam.conf
Modify the pam.conf modules to reflect the following:

*****************************************************
# login Service
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1

# rlogin Service
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1

# ppp Service
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_ldap.so.1

# Authentication management (default for all other services)
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1

# passwd command
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1

# Account management
other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
*****************************************************

Configure Naming Services for LDAP
Copy /etc/nsswitch.ldap to /etc/nsswitch.conf

Modify nsswitch.conf
Remove the [NOTFOUND=return] flag from each line in nsswitch.conf. With the flag in place, a lookup stops as soon as the directory reports "not found"; removing it lets the lookup fall through to the local files, so entries that are static to this host and missing from the directory are still resolved. For example, a line such as:
hosts: ldap [NOTFOUND=return] files

Add dns as an additional source for resolving hostnames, so the hosts line becomes:
hosts: ldap files dns

Enable the LDAP Client (ldap_cachemgr) for SMF
svcadm enable svc:/network/ldap/client:default
*Note: Enabling the ldap client service only places it under SMF management. The ldap_cachemgr daemon will only begin running after the client is initialized in the next step.

Initialize the LDAP Client
ldapclient init -a proxyDN=cn=proxyagent,ou=profile,dc=drbond,dc=net -a domainName=drbond.net -a profileName=default -a proxyPassword=blahblah 192.186.20.101

Verify the LDAP Client is running
svcs|grep ldap
online Aug_30 svc:/network/ldap/client:default

At this point you should be in good shape. You can validate the configuration by logging into the server as one of the directory-based user accounts. Sun Docs is a great resource for LDAP configuration and troubleshooting, and I highly recommend reading up on directory design and best practice before jumping into it. Feedback is welcome.
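As an added example (not from the original post or from Sun's tools), the following POSIX shell script applies the two nsswitch.conf edits above with sed and lints a pam.conf for the ordering the stacks in this post rely on: a local module marked sufficient, followed by pam_ldap marked required. The sample nsswitch.conf and pam.conf it writes under $TMPDIR are constructed for the demonstration, and the sshd stack in the sample is deliberately misordered so the lint has something to flag.

```sh
#!/bin/sh
# Added example, not from the original post: automate the two nsswitch.conf edits
# described above and lint a pam.conf for the "local module sufficient, then
# pam_ldap required" order the post uses. Sample files are constructed below.

# Drop every [NOTFOUND=return] and append dns to the hosts line if it is absent.
fix_nsswitch() {                       # $1 = input nsswitch.conf, $2 = output
    sed -e 's/ *\[NOTFOUND=return\]//g' \
        -e '/^hosts:/{' -e '/dns/!s/$/ dns/' -e '}' "$1" > "$2"
}

# Print "OK <svc>" or "BAD <svc>" per auth service; exit 1 if any is BAD.
# A service is OK when a local module (pam_unix_auth or pam_passwd_auth) is
# "sufficient" and a later line in the same stack makes pam_ldap "required".
lint_pam_ldap() {                      # $1 = pam.conf
    awk '
    /^[ \t]*#/ || NF < 4 { next }
    $2 == "auth" {
        svc[$1] = 1
        if ($3 == "sufficient" && $4 ~ /pam_(unix|passwd)_auth/) loc[$1] = NR
        if ($3 == "required" && $4 ~ /pam_ldap/ && ($1 in loc)) ldap[$1] = NR
    }
    END {
        bad = 0
        for (s in svc) {
            if (s in ldap) print "OK " s
            else { print "BAD " s; bad = 1 }
        }
        exit bad
    }' "$1"
}

# Constructed sample input (not a real host's files).
TMP=${TMPDIR:-/tmp}/ldapqs.$$
mkdir -p "$TMP"
cat > "$TMP/nsswitch.conf" <<'EOF'
passwd:     files ldap [NOTFOUND=return]
hosts:      ldap [NOTFOUND=return] files
EOF
cat > "$TMP/pam.conf" <<'EOF'
# login stack as in the post
login   auth requisite  pam_authtok_get.so.1
login   auth sufficient pam_unix_auth.so.1
login   auth required   pam_ldap.so.1
# misordered stack: pam_ldap is consulted before the local module
sshd    auth required   pam_ldap.so.1
sshd    auth sufficient pam_unix_auth.so.1
EOF
fix_nsswitch "$TMP/nsswitch.conf" "$TMP/nsswitch.fixed"
cat "$TMP/nsswitch.fixed"
lint_pam_ldap "$TMP/pam.conf" || echo "fix the BAD stacks before enabling LDAP logins"
```

Run it against copies of the real files, never in place, and review the diff before replacing /etc/nsswitch.conf.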



5 Responses to “QuickStart to Solaris 10 LDAP Authentication”

  1. Perry Jiang says:

    Hi Ryan

    What do you think about Sun's claim about pam_ldap on LDAP clients, that it doesn't support trusted rsh/ssh? (Non-password-based logins using tools such as rsh, rlogin, or ssh will fail.)

    http://docs.sun.com/app/docs/doc/816-4556/6maort2sn?a=view

    Any solution that you are aware of?

    Thanks a lot.

    Perry

  2. sawyer says:

    I can’t give you a sure-fire formula for success, but I can give you a formula for failure: try to please everybody all the time.

  3. chips zynga says:

    I was starting to presume I may perhaps end up being the only man who cared about this; at the very least now I learn I'm not nutty :) I am going to be sure to take a look at a few various other posts just after I get a little caffeine in me. It is really very difficult to read without my coffee. I was up until the wee hours of the morning last night enjoying zynga poker and, after having a few ales, I ended up melting away all my facebook poker chips. Cheers :)

  4. Ok, thank you, I'm going to try this too.

  5. sts says:

    You post great posts. Bookmarked !
