Solaris 10 Authentication with LDAP

1. Before Starting on the Solaris 10 Box

2. Account Creation on the Solaris 10 Box

This How-To describes only authentication, not authorisation. In order to log in, a user must actually have an account created on the Solaris 10 box, with:

or equivalents in YP/NIS, etc., else login will fail!



Compile openldap, then the others, which link to it.

4. Misc Required Libs

You will need suitable versions of libssl, libcrypto, libgcc, etc., so get binary pkgs from, e.g.,:


5. Compilers, Make

Do yourself a favour and get GCC and Gnu Make from


Ensure that gcc, g++ and Gnu make are in your PATH before /usr/ccs/bin, else weirdness may happen.

7. OpenLDAP: configure, compile and install

    ./configure --disable-slapd --disable-slurpd
    make install

    ls -l /usr/local/lib:

8. SASL Header Files

The configure and/or make steps for one of pam_ldap or nss_ldap got its knickers in a twist over the SASL header files:

    ...some compilation failure related to <some_sasl_related_function> undefined...

The solution:

    cd /usr/include
    ln -s sasl/sasl.h sasl.h

9. pam_ldap configure, compile and install

    ./configure  --prefix=/usr/local --with-ldap-dir=/usr/local

    make install

    ls -l /usr/local/lib/security/                  ->

    ldd /usr/local/lib/security/ 

        . =>      /usr/local/lib/ =>      /usr/local/lib/

10. nss_ldap: configure, compile and install

    ./configure  --prefix=/usr/local --with-ldap-dir=/usr/local
    make install

    ls -l /usr/local/lib/*nss*

        /usr/local/lib/ ->

    ldd /usr/local/lib/ 

        . =>      /usr/local/lib/ =>      /usr/local/lib/

11. nss_ldap s-link

trussing sshd at some point suggested

    cd /usr/lib
    ln -s /usr/local/lib/ 
though I may have had the Solaris native LDAP libs installed at that point, so this step may not be necessary.

12. /etc/pam.conf

  other   auth requisite
  other   auth required 
  other   auth required 
  #other      auth required  
  #     ...original, as installed...
  #other      auth binding   server_policy
  #other      auth required           /usr/local/lib/security/
  # from
  #        for Solaris native ldap client...
  other   auth sufficient
  other   auth required           /usr/local/lib/security/ use_first_pass
  #     ...for OpenLDAP client, inspired by Simon's notes on Solaris 7 (Cosmos
  #        and Eric, RIP), from many years ago ("use_first_pass" optional)...
and perhaps
  login   auth requisite
  login   auth required 
  login   auth required 
  #login      auth required
  #login      auth binding   server_policy
  #login      auth required           /usr/local/lib/security/
  login   auth sufficient
  login   auth required         /usr/local/lib/security/
  login   auth required

13. nsswitch.conf

  passwd:     files ldap [TRYAGAIN=5]

14. ldap.conf

  /etc/ldap.conf -> /usr/local/etc/ldap.conf
  /usr/local/etc/openldap/ldap.conf -> /usr/local/etc/ldap.conf
      # ...I suspect the latter is not needed...

Development version, /usr/local/etc/ldap.conf:

  base ou=people,o=University of Manchester,c=GB
  scope sub
  pam_filter objectclass=posixAccount
  pam_login_attribute uid
  ssl no

Production version, /usr/local/etc/ldap.conf:

  base ou=uman,o=ac,c=uk
  scope sub
  pam_filter objectclass=posixAccount
  pam_login_attribute uid
  pam_password nds
  ssl no

15. LDAP Server Config — Required Attributes

This is rough and needs to be checked:

 -- google shows:

     -- pam_filter objectclass=posixAccount
     -- pam_login_attribute uid

      -- ldap posixAccount object class contains
          -- uidNumber

         so the ldap server must contain these attrs for authentication,
         _even_ if they are not to be used (e.g., nsswitch.conf specifies
         another name-service for the home-dir)

          -- even a successful ldap bind (i.e., correct cn/dn and password,
             as seen in ethereal) is not enough for pam_ldap to consider
             auth to be successful

          -- confirmation from openldap _server_ logs:
             attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos

16. ldapsearch


    /usr/local/bin/ldapsearch -x -W -H ldap:// -s sub \
                                                        -b "c=uk" "cn=mpciish2"
        # ...empty password...


    /usr/local/bin/ldapsearch -x -W -H ldap:// \
        -D "cn=Simon Hood+umanroleid=43549,ou=Enterprise Systems,\
            ou=IT Services,ou=Administration & Central Services,ou=People,\
            o=University of Manchester,c=GB"  -s sub "cn=Simon Hood"

        # ...mpciish2's password...


    /usr/local/bin/ldapsearch -x -W -H ldap:// \
                            -D "cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk" \
                            -s sub -b "c=uk" "cn=mpciish2"

        # ...mpciish2's password...

17. SSL/TLS vs Diagnostics

Don't be a smartarse: do the whole thing plain-text first, so you can use tcpdump, tethereal and/or ethereal to diagnose problems easily.

18. Diagnostics/Troubleshooting

18.1. Steps

Ok, so it does not work! Suggested steps, in order:

  1. ensure an anonymous ldapsearch works — and that all posixAccount attributes are found (uidNumber, gidNumber, homeDirectory);

  2. check that an ldapsearch which binds as a potentially LDAP-authenticated user works;

  3. check the bind/search sequence by using Ethereal (see below);

  4. check the PAM config (/etc/pam.conf);

  5. check the logs on the LDAP client;

  6. check the logs on the LDAP server;

  7. check the correct shared-object libraries are being loaded/found and that configuration files are being found, using truss (see below).
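A quick way to do step 1 against saved ldapsearch output, combining it with the attribute list from section 15: the script below is an added example, not part of the original How-To. It takes LDIF text (the constructed sample stands in for real ldapsearch -x output) and reports which of the attributes the server log in section 15 lists are absent from the entry. userPassword is left out of the check because a server will not normally return it to an anonymous bind, so its absence from search output proves nothing.

```shell
#!/bin/sh
# Added example, not from the original How-To: check that an LDAP entry, as
# returned by an anonymous "ldapsearch -x" in LDIF form, carries the attributes
# the OpenLDAP server log in section 15 shows pam_ldap/nss_ldap asking for.
# userPassword is omitted: a server will not normally disclose it to an
# anonymous bind, so its absence from search output tells you nothing.
REQUIRED_ATTRS="uid uidNumber gidNumber cn homeDirectory loginShell gecos"

# Constructed sample entry (not a real directory record). uidNumber and
# homeDirectory are deliberately missing: the section 15 failure mode where
# the bind succeeds but pam_ldap still refuses the login.
SAMPLE_LDIF='dn: cn=exampleuser,ou=uman,o=ac,c=uk
objectClass: posixAccount
cn: exampleuser
uid: exampleuser
gidNumber: 1000
loginShell: /bin/sh
gecos: Example User'

# missing_attrs LDIF_TEXT: print each required attribute absent from the
# entry, one per line (nothing when the entry is complete).
missing_attrs() {
    ldif=$1
    for attr in $REQUIRED_ATTRS; do
        # attribute names are case-insensitive in LDIF; match "name:" at line start
        if ! printf '%s\n' "$ldif" | grep -iq "^${attr}:"; then
            echo "$attr"
        fi
    done
}

# check_entry LDIF_TEXT: exit 0 when every required attribute is present,
# 1 otherwise, naming the missing ones on stdout.
check_entry() {
    missing=$(missing_attrs "$1")
    if [ -n "$missing" ]; then
        printf 'missing:'
        for a in $missing; do printf ' %s' "$a"; done
        echo
        return 1
    fi
    echo "all required attributes present"
    return 0
}

# Runs over the sample when executed directly. With a real server (hostname
# and user are placeholders) you would call, e.g.:
#   check_entry "$(ldapsearch -x -H ldap://<server> -b "ou=uman,o=ac,c=uk" "uid=<user>")"
check_entry "$SAMPLE_LDIF" || true
```

The check only proves what the server is willing to return to an anonymous search; if the entry is complete but the login still fails, move on to the bind test (step 2) and the capture (step 3).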

18.2. Ethereal/Tethereal

tethereal shows a sequence of bind, search, bind as <username>:

  11.509128 -> TCP 35797 > ldap [SYN] Seq=0 Ack=0 Win=49640 Len=0 MSS=1460 WS=0
  11.509566 -> TCP ldap > 35797 [SYN, ACK] Seq=0 Ack=1 Win=6144 Len=0 MSS=1460 WS=2
  11.509594 -> TCP 35797 > ldap [ACK] Seq=1 Ack=1 Win=49640 Len=0
  11.510550 -> LDAP MsgId=1 Bind Request, DN=(null)
  11.511360 -> LDAP MsgId=1 Bind Result
  11.511386 -> TCP 35797 > ldap [ACK] Seq=15 Ack=15 Win=49640 Len=0
  11.513010 -> LDAP MsgId=2 Search Request, Base DN=ou=uman,o=ac,c=uk
  11.530484 -> LDAP MsgId=2 Search Entry, 1 result
  11.530505 -> TCP 35797 > ldap [ACK] Seq=135 Ack=1453 Win=49640 Len=0
  11.532352 -> LDAP MsgId=3 Bind Request, DN=cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk
  11.534650 -> LDAP MsgId=3 Bind Result
  11.534886 -> LDAP MsgId=4 Bind Request, DN=(null)
  11.537365 -> LDAP MsgId=4 Bind Result
  11.641551 -> TCP 35797 > ldap [ACK] Seq=222 Ack=1481 Win=49640 Len=0
For more detail on each step, try tethereal -V, or ethereal.
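To check a capture like this mechanically rather than by eye, here is an added example (not from the original How-To): an awk-based checker that takes the tethereal summary lines above as its sample input and reports whether the search found an entry and whether a bind as a real DN followed it. The summary lines carry no result codes, so a "Bind Result" on its own does not say whether the bind succeeded; tethereal -V is needed for that, and the checker only confirms the sequence.

```shell
#!/bin/sh
# Added example, not from the original How-To: verify that a tethereal summary
# of an LDAP login shows the expected sequence: anonymous bind, a search that
# returns an entry, then a bind as the DN found by that search.
# The sample input is the capture from section 18.2 (LDAP lines only).
SAMPLE_CAPTURE='11.510550 -> LDAP MsgId=1 Bind Request, DN=(null)
11.511360 -> LDAP MsgId=1 Bind Result
11.513010 -> LDAP MsgId=2 Search Request, Base DN=ou=uman,o=ac,c=uk
11.530484 -> LDAP MsgId=2 Search Entry, 1 result
11.532352 -> LDAP MsgId=3 Bind Request, DN=cn=mpciish2,ou=mc,ou=admin,ou=uman,o=ac,c=uk
11.534650 -> LDAP MsgId=3 Bind Result
11.534886 -> LDAP MsgId=4 Bind Request, DN=(null)
11.537365 -> LDAP MsgId=4 Bind Result'

# ldap_sequence CAPTURE_TEXT: prints one line, one of
#   ok <user DN>    search returned an entry and a bind as that DN followed
#   no-entry        a search ran but returned no entry, so no user bind can follow
#   no-user-bind    an entry was found but no bind with a non-null DN followed
#   no-search       no LDAP search request at all
ldap_sequence() {
    printf '%s\n' "$1" | awk '
        /LDAP MsgId=[0-9]+ Search Request/ { searched = 1 }
        /LDAP MsgId=[0-9]+ Search Entry/   { entries++ }
        /LDAP MsgId=[0-9]+ Bind Request, DN=/ {
            sub(/.*DN=/, "")          # keep only the DN part of the line
            # the first bind with a real DN after the search hit is the user bind
            if ($0 != "(null)" && entries > 0 && userdn == "") userdn = $0
        }
        END {
            if (!searched)         print "no-search"
            else if (entries == 0) print "no-entry"
            else if (userdn == "") print "no-user-bind"
            else                   print "ok " userdn
        }'
}

# Stand-alone run over the sample. For a real capture, save the tethereal
# summary to a file and call: ldap_sequence "$(cat capture.txt)"
ldap_sequence "$SAMPLE_CAPTURE"
```

"no-entry" is the case section 15 describes: the bind as the directory user can only happen once the search has located the entry, so a search that returns nothing (wrong base, wrong pam_filter, or missing posixAccount attributes) ends the login before any user bind is attempted.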

18.3. Server Logs

Server logs are your friend...

18.4. sshd -d and truss

Have a look at

    /usr/lib/ssh/sshd -d -p 222
    truss /usr/lib/ssh/sshd -d -p 222
to check that the correct shared-object libraries are being picked up (e.g., not the Solaris native libs) and that the appropriate configuration files (e.g., ldap.conf) are found OK.