System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Configuration Problems and Solutions

The following discussion briefly describes LDAP configuration problems and suggested solutions to the problems.

Unresolved Hostname

The Solaris operating environment LDAP client backend returns fully qualified hostnames for host lookups, such as hostnames returned by gethostbyname(3N) and getipnodebyname(3N). If the name stored is qualified that is contains at least one dot, the client returns the name as is. For example, if the name stored is hostB.eng, the returned name is hostB.eng.

If the name stored in the LDAP directory is not qualified (it does not contain any dot), the client backend appends the domain part to the name. For example, if the name stored is hostA, the returned name is hostA.domainname.

Unable to Reach Systems in the LDAP Domain Remotely

If the DNS domain name is different from the LDAP domain name, then the LDAP naming service cannot be used to serve host names unless the host names are stored fully qualified.

Login Does Not Work

LDAP clients use the pam(3) modules for user authentication during the logins. When using the standard UNIXTM PAM module, the password is read from the server and checked on the client side. This can fail due to one of the following reasons.

  1. ldap not used by the passwd service in the /etc/nsswitch.conf file

  2. The user's userPassword attribute on the server list is not readable by the proxy agent. You need to allow at least the proxy agent to read the password because the proxy agent returns it to the client for comparison. pam_ldap does not require read access to the password

  3. Proxy agent might not have correct password

  4. The entry does not have the shadowAccount objectclass

  5. There is no password defined for the user

    When you use ldapaddent, you must use the -p option to ensure that the password is added to the user entry. If you used ldapaddent without using the -p option, the, users's password will not be stored in the directory unless you also add the /etc/shadow file using ldapaddent.

  6. None of the LDAP servers are reachable.

    Check the status of the servers.

    # /usr/lib/ldap/ldap_cachemgr —g

  7. pam_conf is configured incorrectly.

  8. The user is not defined in the LDAP namespace.

  9. NS_LDAP_CREDENTIAL_LEVEL is set to anonymous for pam_unix and userPassword attribute is not available to anonymous users.

  10. Password is not stored in crypt format.

Lookup Too Slow

The LDAP database relies on indexes to improve the performance. A major performance degradation occurs when indexes are not configured properly. As part of the documentation, we have provided a common set of attributes that should be indexed. You can also add your own indexes to improve performance at your site.

ldapclient Cannot Bind to Server

ldapclient failed to initialize the client when using the init profile option. There are several possible reasons for this failure.

  1. The incorrect domain name was specified on the command line.

  2. nisDomain attribute is not set in the DIT to represent the entry point for the specified client domain.

  3. Access control information is not set up properly on the server, thus disallowing anonymous search in the LDAP database.

  4. Incorrect server address passed to the ldapclient command. Use ldapsearch(1) to verify the server address

  5. Incorrect profile name passed to the ldapclient command. Use ldapsearch(1) to verify the profile name in the DIT.

  6. Use snoop(1M) on the client's network interface to see what sort of traffic is going out, and determine to which server it is talking.

Using ldap_cachemgr for Debugging

Usingldap_cachemgr with the —g option can be a useful way to debug, as you can view the current client configuration and statistics. For example,

#ldap_cachemgr —g

would print current configuration and statistics to standard output, including the status of all LDAP servers, as mentioned previously. Note that you do not need to become superuser to execute this command.

ldapclient Hangs During Setup

If the ldapclient command hangs, hitting Ctrl-C will exit after restoring the previous environment. If this happens, check with the server administrator to make sure the server is running.

Also check the server list attributes on either the profile or the command line and make sure the server information is correct.