This section describes possible LDAP configuration problems and solutions.
The LDAP client software returns fully qualified host names for host lookups, such as host names returned by gethostbyname() and getaddrinfo().
If the name stored is qualified, that is, if it contains at least one dot, the client returns the name as is. For example, if the name stored is hostB.eng, the returned name is hostB.eng.
If the name stored in the LDAP directory is not qualified, that is, it does not contain a dot, the client appends the domain part to the host name as set in the nisDomain attribute set at the root DN in the object class of nisDomainObject. For example, if the name stored is hostA, the returned name is hostA.domain-name.
If the DNS domain name is different from the LDAP domain name, then the LDAP naming service cannot be used to serve host names unless the host names are stored as fully qualified names.
LDAP clients use the PAM modules for user authentication during login. When using the standard UNIX PAM module, the password is read from the server and checked on the client side. This process can fail for any of the following reasons:
ldap is not associated with the passwd database in the name service switch.
The proxy agent cannot read the user's userPassword attribute on the server list. You must enable at least the proxy agent to read the password because the proxy agent returns the password to the client for comparison. pam_ldap does not require read access to the password.
The proxy agent does not have the correct password.
The entry does not have the shadowAccount object class.
No password is defined for the user.
Make sure the user's userPassword attribute exists.
LDAP Server TLS Connection issues.
Ensure that either a local /etc/hosts or DNS entry (if nsswitch.conf is configured for DNS) exists for the LDAP server and that the X.509 Certificate CN attribute of the Subject DN or subjectAltName extension in the X.509 certificate matches that /etc/hosts or DNS entry for the configured LDAP server.
To determine what certificate the server has configured, you can attempt connection by using the openssl command:
$ openssl s_client -verify 2 -verify_hostname ldapservername \ -verify 1 -connect ldapservername:636 </dev/null
No LDAP servers are reachable.
Check the status of the servers.
# /usr/lib/ldap/ldap_cachemgr -g
pam.conf is configured incorrectly.
The user is not defined in the LDAP namespace.
NS_LDAP_CREDENTIAL_LEVEL is set to anonymous for the pam_unix_* modules, and userPassword is not available to anonymous users.
The password is not stored in crypt format.
If pam_ldap is configured to support account management, a login failure could be the result of one of the following causes:
The user's password has expired.
The user's account is locked out due to too many failed login attempts.
The user's account has been deactivated by the administrator.
The user tried to log in using a non-password based program, such as ssh or sftp.
If you are using per-user authentication and sasl/GSSAPI, then some component of Kerberos or the pam_krb5 configuration might be set up incorrectly. For more information about resolving Kerberos issues, see the Managing Kerberos in Oracle Solaris 11.4.
The LDAP database relies on indexes to improve search performance. You must index a common set of attributes that is included in the LDAP documentation provided by Oracle and other vendors. You can also add your own indexes to improve performance at your site.
The possible reasons for failure of the ldapclient command to initialize the client when using the –init option with the profileName attribute are as follows:
The incorrect domain name was specified on the command line.
The nisDomain attribute is not set in the DIT to represent the entry point for the specified client domain.
Access control information is not set up properly on the server, thus disabling anonymous search in the LDAP database.
An incorrect server address was passed to the ldapclient command. Use the ldapsearch command to verify the server address.
An incorrect profile name was passed to the ldapclient command. Use the ldapsearch command to verify the profile name in the DIT.
As a troubleshooting aid, use snoop on the client's network interface to see what sort of traffic is going out, and determine the server to which it is talking.
Running the ldap_cachemgr daemon with the –g option to view the current client configuration and statistics can be useful for debugging. This command displays current configuration and statistics to standard output, including the status of all LDAP servers. Note that you do not need to become superuser to execute this command. See Viewing Detailed Information About the State of the Service.
As the root user, you can use the –l log-file option to specify an alternate log file for ldap_cachemgr instead of the default /var/ldap/cachemgr.log log file. In addition, you can use the –d value option to enable or disable debugging in the running ldap_cachemgr process. A value of 0 disables debugging and the values 1 through 6 show increasingly detailed information.
If the ldapclient command hangs, press Ctrl-C to exit after restoring the previous environment. In such an event, check with the server administrator to ensure that the server is running.
Also check the server list attributes either in the profile or from the command line and make sure that the server information is correct.