Working With Naming and Directory Services in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
Chapter 13. LDAP Troubleshooting (Reference)
LDAP Configuration Problems and Solutions

The following sections describe common LDAP configuration problems and suggest solutions to them.

Unresolved Host Name

The LDAP client back end returns fully qualified host names for host lookups, such as host names returned by gethostbyname() and getaddrinfo(). If the name stored is qualified, that is, contains at least one dot, the client returns the name as is. For example, if the name stored is hostB.eng, the returned name is hostB.eng.

If the name stored in the LDAP directory is not qualified (it does not contain a dot), the client back end appends the domain part to the name. For example, if the name stored is hostA, the returned name is hostA.domainname.

Unable to Reach Systems in the LDAP Domain Remotely

If the DNS domain name is different from the LDAP domain name, then the LDAP naming service cannot be used to serve host names unless the host names are stored fully qualified.
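The following is an added example, not code from the Oracle manual: it models the qualification rule described above and flags stored host names that will come back carrying the LDAP domain name when the DNS domain differs. The host entries and domain names are constructed.

```python
# Added example (not from the Oracle manual): how the Solaris LDAP client back
# end qualifies host names, plus a pre-flight audit for the DNS/LDAP domain
# mismatch described in the text. All names below are constructed.

def qualify_host(stored_name, ldap_domain):
    """Return the name the back end hands to gethostbyname()/getaddrinfo()."""
    if "." in stored_name:                       # already qualified: returned as is
        return stored_name
    return f"{stored_name}.{ldap_domain}"        # unqualified: LDAP domain appended

def unresolvable_hosts(stored_names, ldap_domain, dns_domain):
    """Stored names that will be returned with the LDAP domain appended even
    though DNS for the site uses a different domain; these lookups fail
    remotely unless the entries are rewritten fully qualified."""
    if ldap_domain.lower() == dns_domain.lower():
        return []                                # same domain: nothing to flag
    return [qualify_host(n, ldap_domain) for n in stored_names if "." not in n]

# Constructed sample: three host entries as they might be stored under ou=hosts.
SAMPLE_HOSTS = ["hostA", "hostB.eng", "db01"]
```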

Login Does Not Work

LDAP clients use the PAM modules for user authentication during login. When using the standard UNIX PAM module, the password is read from the server and checked on the client side. This process can fail due to one of the following reasons:

  1. ldap is not associated with the passwd database in the name service switch.

  2. The user's userPassword attribute on the server is not readable by the proxy agent. You need to allow at least the proxy agent to read the password, because the proxy agent returns it to the client for comparison. pam_ldap does not require read access to the password.

  3. The proxy agent might not have the correct password.

  4. The entry does not have the shadowAccount object class.

  5. No password is defined for the user.

    When you use ldapaddent, you must use the -p option to ensure that the password is added to the user entry. If you use ldapaddent without the -p option, the user's password is not stored in the directory unless you also add the /etc/shadow file by using ldapaddent.

  6. No LDAP servers are reachable.

    Check the status of the servers.

    # /usr/lib/ldap/ldap_cachemgr -g

  7. pam.conf is configured incorrectly.

  8. The user is not defined in the LDAP namespace.

  9. NS_LDAP_CREDENTIAL_LEVEL is set to anonymous for the pam_unix_* modules, and userPassword is not available to anonymous users.

  10. The password is not stored in crypt format.

  11. If pam_ldap is configured to support account management, login failure could be the result of one of the following:

    • The user's password has expired.

    • The user's account is locked out due to too many failed login attempts.

    • The user's account has been deactivated by the administrator.

    • The user tried to log in using a non-password-based program, such as ssh or sftp.

  12. If per-user authentication and sasl/GSSAPI are being used, then some component of Kerberos or the pam_krb5 configuration is set up incorrectly. Refer to Oracle Solaris 11.1 Administration: Security Services for details on resolving these issues.
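As an added example (not Oracle's code), the checker below maps several items of the list above (reasons 1, 4, 5, 9 and 10) onto a passwd switch line and a user entry as ldapsearch would print it, so the entry-side causes can be ruled out offline. The switch line, the LDIF entries and the credential-level arguments are constructed; values that ldapsearch base64-encodes (`attr:: ...`) are not handled by this minimal parser.

```python
# Added example (not from the Oracle manual): offline check of the entry-side
# conditions from the login checklist. Sample input is constructed.

NSSWITCH_PASSWD = "passwd: files ldap"      # constructed passwd line from the switch

SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
userPassword: {crypt}$5$constructedsalt$constructedhashvalue

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
userPassword: {SSHA}Y29uc3RydWN0ZWQ=
"""

def parse_ldif(text):
    """Return {uid: {attribute: [values]}} from a simple LDIF dump."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries[current["uid"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    return entries

def login_problems(nsswitch_passwd, entry, credential_level="proxy",
                   anonymous_can_read_password=False):
    """List the checklist conditions that would make this user's login fail."""
    problems = []
    sources = nsswitch_passwd.split(":", 1)[1].split()
    if "ldap" not in sources:                                   # reason 1
        problems.append("ldap is not a source for the passwd database")
    if "shadowAccount" not in entry.get("objectClass", []):     # reason 4
        problems.append("entry lacks the shadowAccount object class")
    password = entry.get("userPassword")
    if not password:                                            # reason 5
        problems.append("no userPassword stored (ldapaddent without -p?)")
    elif not password[0].lower().startswith("{crypt}"):         # reason 10
        problems.append("userPassword is not in crypt format")
    if credential_level == "anonymous" and not anonymous_can_read_password:
        problems.append("credential level anonymous but userPassword not readable anonymously")  # reason 9
    return problems
```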

Lookup Too Slow

The LDAP database relies on indexes to improve search performance. A major performance degradation occurs when indexes are improperly configured. The documentation includes a common set of attributes that should be indexed. You can also add your own indexes to improve performance at your site.

ldapclient Command Cannot Bind to a Server

The ldapclient command failed to initialize the client when using the init option with the profileName attribute specified. Possible reasons for failure include the following:

  1. The incorrect domain name was specified on the command line.

  2. The nisDomain attribute is not set in the DIT to represent the entry point for the specified client domain.

  3. Access control information is not set up properly on the server, thus disallowing anonymous search in the LDAP database.

  4. An incorrect server address was passed to the ldapclient command. Use the ldapsearch command to verify the server address.

  5. An incorrect profile name was passed to the ldapclient command. Use the ldapsearch command to verify the profile name in the DIT.

  6. Use snoop on the client's network interface to see what sort of traffic is going out, and determine to which server it is talking.

Using the ldap_cachemgr Daemon for Debugging

Running the ldap_cachemgr daemon with the -g option is a useful way to debug, because it shows the current client configuration and statistics. For example,

# ldap_cachemgr -g

prints the current configuration and statistics to standard output, including the status of all LDAP servers, as mentioned previously. Note that you do not need to become superuser to execute this command.

ldapclient Command Hangs During Setup

If the ldapclient command hangs, pressing Ctrl-C exits the command after restoring the previous environment. If this happens, check with the server administrator to ensure that the server is running.

Also check the server list attributes in either the profile or from the command line and make sure that the server information is correct.