
Problem with LDAP Authentication on Tru64

 
dompax
Occasional Advisor


Hi,
I have an OpenLDAP directory server (2.0.27) installed and configured on my Windows machine and a TRU64 machine (TRU64 v.5.1B).

Please see the attachment.
Thanks in advance!
Ivan Ferreira
Honored Contributor

Re: Problem with LDAP Authentication on Tru64

I assume that you have "LDAPCD_CONF yes" in rc.config. Can you post the output of:

finger

Where is a valid LDAP user. Ensure that your shell is valid.

Use ldapsearch to check if your bind dn credentials are valid and you can retrieve all the posixAccount attributes.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
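An added example, not part of the thread: one way to run the check suggested in the reply above on saved `ldapsearch` output, confirming that the posixAccount attributes came back, that the login shell is acceptable, and which storage scheme prefixes `userPassword`. The sample entry, the `valid_shells` argument and the use of the shadow(5) day-count convention for `shadowExpire` are assumptions; the thread does not say whether the Tru64 LDAP module evaluates the shadow attributes.

```python
import base64
import hashlib
from datetime import date

# Attributes RFC 2307 requires on every posixAccount entry.
REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

def parse_ldif_entry(text):
    """Parse one ldapsearch LDIF entry into {attribute: [values]}."""
    entry = {}
    for line in text.replace("\n ", "").splitlines():  # unfold wrapped lines
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" carries base64 data
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(rest.strip())
    return entry

def check_posix_account(entry, today, valid_shells):
    """Return (password_scheme, problems) for a parsed entry."""
    first = lambda attr, default="": entry.get(attr, [default])[0]
    problems = [f"{a} missing" for a in REQUIRED if a not in entry]
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("objectClass posixAccount missing")
    if first("loginShell") not in valid_shells:
        problems.append("loginShell not in the list of valid shells")
    pw = first("userPassword")
    scheme = pw[1:pw.index("}")] if pw.startswith("{") and "}" in pw else None
    day = (today - date(1970, 1, 1)).days  # shadow(5): days since 1970-01-01
    expire = int(first("shadowExpire", "-1"))
    if expire > 0 and day >= expire:
        problems.append("account expired (shadowExpire)")
    return scheme, problems

# Constructed sample entry (hypothetical user, hash generated here).
_PW = "{SHA}" + base64.b64encode(hashlib.sha1(b"constructed").digest()).decode()
SAMPLE = f"""dn: uid=sampleuser,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: sampleuser
cn: sampleuser
uidNumber: 154
gidNumber: 400
homeDirectory: /tmp
loginShell: /bin/sh
userPassword:: {base64.b64encode(_PW.encode()).decode()}
shadowExpire: 13757
"""
```

A scheme of `None` means `userPassword` was not returned to the bind DN or carries no `{SCHEME}` prefix.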
dompax
Occasional Advisor

Re: Problem with LDAP Authentication on Tru64

Hi Ivan,
I have the LDAPCD_CONF yes in /etc/rc.config.

The output of finger is:


bash-3.00# finger ldapuser
Login name: ldapuser
In real life: ldapuser
Directory: /tmp Shell: /bin/sh
Never logged in.
No Plan.

The shell is valid. This shell is used by a local user (in passwd) that authenticates successfully.

This is the output of ldapsearch:

bash-3.00# ldapsearch -h xxx.xxx.xxx.xxx -p 389 -D "cn=root,ou=ldapusers,dc=xxx,dc=xxx,dc=xxx" -w xxx -b "ou=xxx,dc=xxx,dc=xxx,dc=xxx" uid=ldapuser
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: uid=ldapuser
# requesting: ALL
#

# ldapuser, People, xxx, xxx.xxx.xxx
dn: uid=ldapuser, ou=People, ou=xxx, dc=xxx,dc=xxx,dc=xxx
shadowMin: 2
userPassword:: e1NIQX1jKy9Tck1KdERuZkFiQ0taZlFHaER2Z2R0Rjg9
uidNumber: 154
gidNumber: 400
shadowFlag: -1
shadowExpire: 13757
shadowMax: 90
uid: ldapuser
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
gecos: ldapuser
shadowLastChange: 13469
cn: ldapuser
shadowInactive: 5
homeDirectory: /tmp
description: ldapuser
shadowWarning: 5
loginShell: /bin/sh

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


This is the output of ldap_check:

./ldap_check
Loaded Configuration file /etc/ldapcd.conf
Connected to LDAP server on xxx.xxx.xxx.xxx
Search base "dc=xxx,dc=xxx,dc=xxx" confirmed
User Branch "ou=xxx,dc=xxx,dc=xxx,dc=xxx" confirmed
Retrieved Object class information
Password object class attributes verified
Group object class attributes verified
Directory configuration verified


This is the output of command "id" :

bash-3.00# id ldapuser
uid=154(ldapuser) gid=400(test)

If I log in as the root user and execute the command "su - ldapuser", I get this output:

su - ldapuser
su: Unknown id: ldapuser

Sorry

When I try to log in via telnet, the output is:

Compaq Tru64 UNIX V5.1B (Rev. 2650) (xxx) (pts/3)

login: ldapuser
Password:
Login incorrect


Wait for login retry ...

Login incorrect
login:


What's the problem?...

Thanks.

dompax
Occasional Advisor

Re: Problem with LDAP Authentication on Tru64

Hi Ivan,
these modules are installed on the Tru64 machine:

setld -i | grep -i LDAP
LDPUTILS120 - LDAP Client Utilities
OSFLDPAUTH540 - LDAP Authentication (Network-Server/Communications)

setld -i | grep -i Netscape
OSFNETSCAPE540 - Netscape Communicator V4.76 (Windows Applications)
OSFNETSCAPECLT540 - Netscape 6.2.3 Web Client (Windowing Environment)
OSFNETSCAPEGRT540 - Netscape 6.2.3 Gnome Runtime Support(Windowing Environment)

Are other patches or modules necessary?

Many Thanks!!!...
Ivan Ferreira
Honored Contributor

Re: Problem with LDAP Authentication on Tru64

There are two configuration options in your /etc/ldapcd.conf file that I am not sure are correct:

userbranch: "ou=,dc=xxx,dc=xxx,dc=xxx"
crypt_passwd: 1


I suppose the userbranch should be:

ou=ldapusers,dc=xxx,dc=xxx,dc=xxx

Or comment it out to use the default searchbase.

And for crypt_passwd, I cannot find any information about it in the man pages or the security guide that describes this option. I would try commenting it out as well.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
dompax
Occasional Advisor

Re: Problem with LDAP Authentication on Tru64

Hi Ivan,
I tried to authenticate with an LDAP user without userbranch, but the authentication fails.

I have this tree structure in my LDAP Server:

dc=xxx,dc=xxx,dc=xxx
|
--> ou=
|
--> ou=People
|
--> ou=Group

Under the branch People there are my ldap users (e.g. : uid=ldapuser). Under the branch Group there are my ldap groups (e.g. : cn=test).

I also tried to use this branch:
ou=People,ou=,dc=xxx,dc=xxx,dc=xxx
but authentication doesn't work.
I tried to cancel the userbranch, but I have the same problems.

The document "Configuring a System to Use LDAP for User Authentication Using Internet Express" (released by Compaq for Tru64) reports that:

"If you intend to use a directory server (such as OpenLDAP) that requires user passwords to be encrypted prior to sending them to the server, you MUST manually add the following line to the /etc/ldapcd.conf file:
crypt_passwd: 1"

I tried to cancel this configuration, but I have the same problems.

I see that the command "id" and the command "telnet" produce a different client log (on Tru64 machine):

-- Telnet log:
-------------------------------------------
connected: 126291: Thu Nov 23 17:26:39 2006

THREAD 0 starting: 126291: Thu Nov 23 17:26:39 2006
waiting for a connection: 126291: Thu Nov 23 17:26:39 2006
doCommand - start: 126291: Thu Nov 23 17:26:39 2006
reqtype = 1, reqdata = ldapuser: 126291: Thu Nov 23 17:26:39 2006
ldap_getpwnam: 126291: Thu Nov 23 17:26:39 2006
_ldap_pwlookup: 126291: Thu Nov 23 17:26:39 2006
_ldap_pwgetvals - start: 126291: Thu Nov 23 17:26:39 2006
_ldap_pwgetvals - end: 126291: Thu Nov 23 17:26:39 2006
doCommand - ldap_getpwnam() completed: 126291: Thu Nov 23 17:26:39 2006
doCommand - end: 126291: Thu Nov 23 17:26:39 2006
THREAD 0 exiting: 126291: Thu Nov 23 17:26:39 2006
connected: 126291: Thu Nov 23 17:26:42 2006

THREAD 0 starting: 126291: Thu Nov 23 17:26:42 2006
waiting for a connection: 126291: Thu Nov 23 17:26:42 2006
doCommand - start: 126291: Thu Nov 23 17:26:42 2006
reqtype = 1, reqdata = ldapuser: 126291: Thu Nov 23 17:26:42 2006
ldap_getpwnam: 126291: Thu Nov 23 17:26:42 2006
doCommand - ldap_getpwnam() completed: 126291: Thu Nov 23 17:26:42 2006
doCommand - end: 126291: Thu Nov 23 17:26:42 2006
THREAD 0 exiting: 126291: Thu Nov 23 17:26:42 2006
connected: 126291: Thu Nov 23 17:26:44 2006

THREAD 0 starting: 126291: Thu Nov 23 17:26:44 2006
waiting for a connection: 126291: Thu Nov 23 17:26:44 2006
doCommand - start: 126291: Thu Nov 23 17:26:44 2006
reqtype = 1, reqdata = ldapuser: 126291: Thu Nov 23 17:26:44 2006
ldap_getpwnam: 126291: Thu Nov 23 17:26:44 2006
doCommand - ldap_getpwnam() completed: 126291: Thu Nov 23 17:26:44 2006
doCommand - end: 126291: Thu Nov 23 17:26:44 2006
THREAD 0 exiting: 126291: Thu Nov 23 17:26:44 2006
-------------------------------------------
-- id log:
-------------------------------------------
connected: 126226: Thu Nov 23 17:24:39 2006

THREAD 0 starting: 126226: Thu Nov 23 17:24:39 2006
waiting for a connection: 126226: Thu Nov 23 17:24:39 2006
doCommand - start: 126226: Thu Nov 23 17:24:39 2006
reqtype = 1, reqdata = ldapuser: 126226: Thu Nov 23 17:24:39 2006
ldap_getpwnam: 126226: Thu Nov 23 17:24:39 2006
_ldap_pwlookup: 126226: Thu Nov 23 17:24:39 2006
_ldap_pwgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_pwgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getpwnam() completed: 126226: Thu Nov 23 17:24:39 2006
doCommand - end: 126226: Thu Nov 23 17:24:39 2006
THREAD 0 exiting: 126226: Thu Nov 23 17:24:39 2006
connected: 126226: Thu Nov 23 17:24:39 2006

THREAD 0 starting: 126226: Thu Nov 23 17:24:39 2006
waiting for a connection: 126226: Thu Nov 23 17:24:39 2006
doCommand - start: 126226: Thu Nov 23 17:24:39 2006
reqtype = 32, reqdata = 400: 126226: Thu Nov 23 17:24:39 2006
ldap_getgrgid: 126226: Thu Nov 23 17:24:39 2006
_ldap_grlookup: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrgid() completed: 126226: Thu Nov 23 17:24:39 2006
doCommand - end: 126226: Thu Nov 23 17:24:39 2006
THREAD 0 exiting: 126226: Thu Nov 23 17:24:39 2006
connected: 126226: Thu Nov 23 17:24:39 2006

THREAD 0 starting: 126226: Thu Nov 23 17:24:39 2006
waiting for a connection: 126226: Thu Nov 23 17:24:39 2006
doCommand - start: 126226: Thu Nov 23 17:24:39 2006
reqtype = 41, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_setgrent: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_setgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - start: 126226: Thu Nov 23 17:24:39 2006
_ldap_grgetvals - end: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() completed: 126226: Thu Nov 23 17:24:39 2006
reqtype = 42, reqdata = : 126226: Thu Nov 23 17:24:39 2006
ldap_getgrent: 126226: Thu Nov 23 17:24:39 2006
doCommand - ldap_getgrent() failed: 126226: Thu Nov 23 17:24:39 2006
doCommand - end: 126226: Thu Nov 23 17:24:39 2006
THREAD 0 exiting: 126226: Thu Nov 23 17:24:39 2006
-------------------------------------------

I suppose that other modules and/or patches are necessary!

These modules are installed on my Tru64 machine:

setld -i | grep -i LDAP
LDPUTILS120 - LDAP Client Utilities
OSFLDPAUTH540 - LDAP Authentication (Network-Server/Communications)

setld -i | grep -i Netscape
OSFNETSCAPE540 - Netscape Communicator V4.76 (Windows Applications)
OSFNETSCAPECLT540 - Netscape 6.2.3 Web Client (Windowing Environment)
OSFNETSCAPEGRT540 - Netscape 6.2.3 Gnome Runtime Support(Windowing Environment)

What are the prerequisite modules that must be installed on the Tru64 machine? Are the modules that are installed on my Tru64 machine sufficient?

Thanks!
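An added example, not part of the thread: a small parser that reduces client debug traces laid out like the two quoted in the post above to one record per `reqtype =` request, so that a telnet trace and an `id` trace can be compared request by request. The sample lines, pid and user name are constructed, and the helper names `without_helpers` and `failed` are hypothetical.

```python
import re

# Line layout used in the thread's traces: "<message>: <pid>: <timestamp>"
LINE = re.compile(r"^(.*): (\d+): \w{3} \w{3} +\d+ [\d:]{8} \d{4}$")
REQ = re.compile(r"^reqtype = (\d+), reqdata = (.*)$")
DONE = re.compile(r"^doCommand - (\w+)\(\) (completed|failed)$")
NOISE = ("doCommand", "THREAD", "waiting", "connected")

def parse_requests(log_text):
    """Group debug lines into one record per 'reqtype =' request."""
    requests, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if (r := REQ.match(msg)):
            current = {"reqtype": int(r.group(1)), "reqdata": r.group(2).strip(),
                       "calls": [], "entry": None, "status": None}
            requests.append(current)
        elif current is None:
            continue
        elif (d := DONE.match(msg)):
            current["entry"], current["status"] = d.group(1), d.group(2)
            current = None
        elif not msg.startswith(NOISE):
            name = msg.split(" - ")[0]  # fold "x - start" / "x - end" into "x"
            if name not in current["calls"]:
                current["calls"].append(name)
    return requests

def without_helpers(requests):
    """Requests whose trace shows only the entry point, no internal helper."""
    return [r for r in requests if r["calls"] == [r["entry"]]]

def failed(requests):
    return [r for r in requests if r["status"] == "failed"]

# Constructed sample trace (hypothetical pid and user), same layout as the post.
_TAIL = ": 1001: Thu Nov 23 17:26:39 2006"
SAMPLE = "\n".join(m + _TAIL for m in [
    "connected", "doCommand - start", "reqtype = 1, reqdata = sampleuser",
    "ldap_getpwnam", "_ldap_pwlookup", "_ldap_pwgetvals - start",
    "_ldap_pwgetvals - end", "doCommand - ldap_getpwnam() completed",
    "doCommand - end", "doCommand - start", "reqtype = 1, reqdata = sampleuser",
    "ldap_getpwnam", "doCommand - ldap_getpwnam() completed", "doCommand - end",
    "reqtype = 42, reqdata = ", "ldap_getgrent", "doCommand - ldap_getgrent() failed",
])
```

Run over the telnet trace as posted, the records contain only `reqtype = 1` (`ldap_getpwnam`) requests, and only the first of them lists `_ldap_pwlookup` and `_ldap_pwgetvals`.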