I'm looking for troubleshooting advice- hope someone has some insight I can borrow.

Trying to get a Solaris8 client (with the latest ldap patchcluster) to do simple authentication against FDS.
When set up for anonymous auth, I'm able to do ldap list just fine:

# ldaplist -l passwd tester
dn: cn=test user,ou=People,dc=corp,dc=example,dc=com
givenName: test
sn: user
loginShell: /bin/bash
gidNumber: 1024
uidNumber: 5351
mail: tester@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: tester
gecos: test user
cn: test user
homeDirectory: /nethome/tester

When set up for simple auth (and that's all I've changed), I'm seeing error 49 (invalid credentials) in the FDS logs:

[10/Aug/2007:14:45:02 -0700] conn=25532 fd=65 slot=65 connection from 172.20.100.85 to 172.20.200.125
[10/Aug/2007:14:45:02 -0700] conn=25532 op=0 BIND dn="cn=sunldap,ou=profile,dc=corp,dc=example,dc=com" method=128 version=3
[10/Aug/2007:14:45:02 -0700] conn=25532 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Aug/2007:14:45:02 -0700] conn=25532 op=1 UNBIND
[10/Aug/2007:14:45:02 -0700] conn=25532 op=1 fd=65 closed - U1

Here's my /var/ldap/ldap_client_cred file

NS_LDAP_BINDDN= cn=sunldap,ou=profile,dc=corp,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}8cf5886bf25241a5a5045e

How do I verify that the NS1 crypt is correct outside of the solaris client (or ldap_gen_profile)?

The password in FDS for the above proxy user is stored in CRYPT format in FDS- is this mismatch really supported?

I can bind with the 'sunldap' user just fine from my linux hosts using ldapsearch.

suggestions?
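As an added example (not from the thread, nor Solaris or FDS code), here is a small Python parser that joins the BIND and RESULT lines of the FDS access log above on their conn/op ids, so a failed proxy bind like the err=49 one can be attributed to a bind DN and client address; the sample log is constructed from the lines in the post plus one successful bind for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the FDS access-log format shown in the thread:
# the failing proxy bind from the post plus one successful bind for contrast.
SAMPLE_LOG = """\
[10/Aug/2007:14:45:02 -0700] conn=25532 fd=65 slot=65 connection from 172.20.100.85 to 172.20.200.125
[10/Aug/2007:14:45:02 -0700] conn=25532 op=0 BIND dn="cn=sunldap,ou=profile,dc=corp,dc=example,dc=com" method=128 version=3
[10/Aug/2007:14:45:02 -0700] conn=25532 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Aug/2007:14:45:02 -0700] conn=25532 op=1 UNBIND
[10/Aug/2007:14:45:02 -0700] conn=25532 op=1 fd=65 closed - U1
[10/Aug/2007:14:46:10 -0700] conn=25533 fd=66 slot=66 connection from 172.20.100.90 to 172.20.200.125
[10/Aug/2007:14:46:10 -0700] conn=25533 op=0 BIND dn="cn=sunldap,ou=profile,dc=corp,dc=example,dc=com" method=128 version=3
[10/Aug/2007:14:46:10 -0700] conn=25533 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<src>\S+) to ')
BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
RESULT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')


def failed_binds(log_text):
    """Join BIND and RESULT lines on (conn, op) and return the failed binds.

    Each entry is (timestamp, source_ip, bind_dn, err). An empty dn is an
    anonymous bind; method=128 is a simple bind, the case in the thread.
    """
    src_by_conn = {}   # conn id -> client address from the "connection from" line
    pending = {}       # (conn, op) -> (ts, dn) for BINDs awaiting their RESULT
    failures = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            src_by_conn[m['conn']] = m['src']
            continue
        m = BIND_RE.match(line)
        if m:
            pending[(m['conn'], m['op'])] = (m['ts'], m['dn'])
            continue
        m = RESULT_RE.match(line)
        if m and (m['conn'], m['op']) in pending:
            ts, dn = pending.pop((m['conn'], m['op']))
            if m['err'] != '0':
                failures.append((ts, src_by_conn.get(m['conn'], '?'), dn, int(m['err'])))
    return failures


def failures_per_dn(log_text):
    """Count failed binds per (bind DN, client address): a misconfigured client shows up as one hot pair."""
    counts = defaultdict(int)
    for _ts, src, dn, _err in failed_binds(log_text):
        counts[(dn, src)] += 1
    return dict(counts)


if __name__ == '__main__':
    for ts, src, dn, err in failed_binds(SAMPLE_LOG):
        print(f'{ts} {src} {dn} err={err}')
```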
Doug,

Doug Chapman wrote:
> I'm looking for troubleshooting advice- hope someone has some insight
> I can borrow.
[snip]
> Here's my /var/ldap/ldap_client_cred file
> NS_LDAP_BINDDN= cn=sunldap,ou=profile,dc=corp,dc=example,dc=com
> NS_LDAP_BINDPASSWD= {NS1}8cf5886bf25241a5a5045e

I think you can even put the password in CLEAR. When you restart cachemgr and nscd, the password will be encoded again.
Or you can place an encrypted password: http://jpirr.nic.ad.jp/crypt_gen_web.html

-Satish.

[snip]
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> How do I verify that the NS1 crypt is correct outside of the solaris
> client (or ldap_gen_profile)?

Don't know... I've only ever seen {NS1} with Solaris' LDAP client.
Anyone know more about this hash, and what other tools can work with it?

> The password in FDS for the above proxy user is stored in CRYPT format
> in FDS- is this mismatch really supported ?

Yes. The NS1 hash is really just to obscure the password in the ldap_client_cred file. When doing a simple bind, it is reversed and transmitted as clear text.

> suggestions?

Try putting the password cleartext directly in your ldap_client_cred file. Maybe there was a typo when generating the NS1 hash?

e.g.:

NS_LDAP_BINDPASSWD= the-password

Then restart Solaris' ldapclient.

Doug Chapman wrote:
[snip]
Thanks!

Removing the special characters from my password caused it to start working- I guess using dollar signs for your proxy account isn't supported (bug in solaris client?)

On 8/10/07, George Holbert <gholbert@broadcom.com> wrote:
[snip]