Solaris 10 Ldap authentication with Windows AD server 


User management on Solaris using a directory server is well documented in the Solaris manuals.
How to do SSO using a Windows AD server is also documented on various sites.
What is less obvious and not documented is how to just authenticate (check passwords) using ldap. That is what this post documents.


Bind User in Windows AD Server

First you need to create a bind user on the Windows AD server that has the rights to look up all usernames that should be able to authenticate.

Setup a user:

cn=unixbind,ou=USER system,ou=yyy,dc=xxx,dc=com

This user only needs read-only rights on the user objects. It is used to look up the user's cn via the sAMAccountName attribute; that DN is then used for the bind.

Import the CA-Cert into the certdb

If you are going to use ldaps you need the certification authority certificate. This can be a root CA of your own organisation or a CA from an official authority like Verisign, whichever was used to sign your certificate.

To find the issuing authority, inspect the server certificate:

Armins-Air:Desktop ado$ openssl x509 -noout -text -in google.crt
Version: 3 (0x2)
Serial Number: 8057627504494046370 (0x6fd2718631c8eca2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Trust Services, CN=Google Internet Authority G3

Here it would be "Google Internet Authority G3"

As this is an official trust authority you can find the cert in your web browser and export it.

For Firefox: Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities.

The cert found for Google Internet Authority G3 was:

Armins-Air:Desktop ado$ openssl x509 -noout -in GoogleInternetAuthorityG3.crt -text
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign

This cert was issued by GlobalSign Root CA - R2, so we get that cert from the browser too and then check the trust chain using openssl.

We put the two certs in one file:

Armins-Air:Desktop ado$ cat GoogleInternetAuthorityG3.crt GlobalSignRootCA-R2.crt > ca.crt

and then check Google's cert against it:

Armins-Air:Desktop ado$ openssl verify -CAfile ca.crt google.crt
google.crt: OK
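As an added example (not part of the original post), here is the same chain check carried out end to end in a shell script with a constructed root CA, intermediate CA and server cert; it assumes openssl on the PATH and uses made-up names. It also shows the failure you get when only the intermediate is in the -CAfile bundle, which is why the post concatenates both CA certs into ca.crt.

```shell
#!/bin/sh
# Added example (not from the original post): build a three-level chain
# (root CA -> intermediate CA -> server cert) with constructed names, then
# show that 'openssl verify' needs both the intermediate and the root in
# the -CAfile bundle, which is why the post concatenates both into ca.crt.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Anything that signs other certificates must carry basicConstraints CA:TRUE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > leaf.ext

# Issue one certificate: $1 = name, $2 = subject, $3 = ext file, $4 = issuer name ("" = self-signed).
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    if [ -z "$4" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
            -extfile "$3" -out "$1.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
            -days 30 -sha256 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
    fi
}

# Returns 0 if leaf.crt verifies against the bundle in $1, non-zero otherwise.
verify_with() {
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
}

issue root '/O=Example/CN=Example Root CA' ca.ext ''        # plays "GlobalSign Root CA - R2"
issue int  '/O=Example/CN=Example Issuing CA' ca.ext root   # plays "Google Internet Authority G3"
issue leaf '/CN=ldap.example.test' leaf.ext int             # plays google.crt / the AD server cert
cat int.crt root.crt > ca.crt                               # same step as the post's "cat ... > ca.crt"

# The intermediate alone is not enough: the chain cannot reach a self-signed root.
if verify_with int.crt; then
    echo "unexpected: intermediate alone was enough"
else
    echo "intermediate alone: unable to reach a self-signed root (expected failure)"
fi
verify_with ca.crt && echo "intermediate + root bundle: leaf.crt OK"
```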

Then create an empty certdb:

/usr/sfw/bin/certutil -N -d /var/ldap

Then import the CA cert into the db. The nickname given with -n is your choice; ldap-ca below is just a placeholder:

/usr/sfw/bin/certutil -A -d /var/ldap -i ca.crt -n ldap-ca -t 'C,C,C'

The binary /usr/sfw/bin/certutil is installed by the package SUNWtlsu.

Change the pam.conf

You can use ldap authentication for all logins. This is done using the "other" section:

other auth requisite
other auth required
other auth required
other auth sufficient
other auth binding server_policy

Or you can use it only for ssh:

sshd-kbdint auth requisite
sshd-kbdint auth required
sshd-kbdint auth required
sshd-kbdint auth binding
sshd-password auth requisite
sshd-password auth required
sshd-password auth required
sshd-password auth binding

Then no ldap authentication is used on the console.

Setup ldap client

ldapclient manual \
-a \
-a credentialLevel=proxy \
-a authenticationMethod=tls:simple \
-a defaultSearchBase=dc=xxx,dc=com \
-a "proxyDN=cn=unixbind,ou=USER system,ou=LI,dc=xxx,dc=com" \
-a proxyPassword=wassimmer \
-a objectClassMap=passwd:posixaccount=user \
-a attributeMap=passwd:uid=sAMAccountName \
-a serviceSearchDescriptor=passwd:dc=xxx,dc=com?sub \
-a followReferrals=false \
-a preferredServerList=""

This will create two files in /var/ldap:

/var/ldap/ldap_client_cred: Bind user with its encrypted password
/var/ldap/ldap_client_file: The configuration of the ldap service

Start ldap Service

Now we just have to enable the ldap service:

svcadm enable ldap/client

Check the ldap service now:

xxx@yyy> /usr/lib/ldap/ldap_cachemgr -g

cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 63

cachemgr cache data statistics:
Configuration refresh information:
Previous refresh time: 2018/07/06 19:46:58
Next refresh time: 2018/07/12 19:47:11
Server information:
Previous refresh time: 2018/07/12 07:47:11
Next refresh time: 2018/07/12 10:57:02
server: xx.yy.zz.66, xyz, status: UP
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
