Monday, December 1, 2008

Solaris 10, Kerberos, and OpenLDAP

Solaris 10 - Solaris in general - annoys me, and Linux is favored for all instances except those where I need to reap the benefits of ZFS. Today, as a precursor to deploying SUDO on a number of Solaris systems, I sought to eliminate ssh-key access and allow individual accounts to log on. Piece of cake in Linux, but Solaris?

I want to use Kerberos for authentication and LDAP for authorization. I'm using OpenLDAP and not SUN LDAP, so this already causes a bit of chafing, but I'm not going to install SUN LDAP or a third-party PAM module - I want everything to be default so the next person to inherit this mess doesn't go mad.

Now I don't want to use pam_ldap for account authorization, since this implies 1) I'm using SUN LDAP and 2) I'm storing account information like PASSWD in LDAP. We don't.

I *do* want to use vanilla pam_unix_account and rely on nsswitch.conf to state my name service preferences.

Now one would assume, given my requirements, that a reasonable SSH PAM stack would look like this:
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_unix_account.so.1

Then why doesn't it work???? Why, in debug mode, does it always complain that account so-and-so is not found?

After some investigation it turns out that when OpenLDAP is the authorization backend, you need to add objectClass: shadowAccount (and nothing else) to every single uid=xxx,ou=People,dc=place,dc=org entry, at least for those users who should be authorized to log in. Without it the entry has no shadow record for pam_unix_account to find through nsswitch, hence the "account not found" complaint.
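As an added example (not code from the original post), here is a small POSIX sh helper that finds People entries still missing the objectClass and generates the ldapmodify LDIF that adds it. The base DN dc=place,dc=org is the one the post uses; the sample search output, the directory host and the bind DN in the usage comment are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Finds user entries under
# ou=People,dc=place,dc=org that lack "objectClass: shadowAccount" and emits
# the LDIF needed to add it. Host, bind DN and sample data are assumptions.

# missing_shadow: read ldapsearch LDIF output on stdin and print the DN of
# every entry that has no objectClass: shadowAccount line.
# (Plain "dn: " lines only; base64 "dn:: " and folded continuation lines
# are not handled, which is fine for ASCII DNs like uid=xxx,ou=People,...)
missing_shadow() {
    awk '
        function flush() {
            if (dn != "" && !has) print dn
            dn = ""; has = 0
        }
        /^dn: / { flush(); dn = substr($0, 5); next }
        tolower($0) == "objectclass: shadowaccount" { has = 1 }
        /^$/    { flush() }
        END     { flush() }
    '
}

# shadow_ldif: read one DN per line on stdin and print a changetype: modify
# record for each that adds the shadowAccount objectClass.
shadow_ldif() {
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: shadowAccount\n\n' "$dn"
    done
}

# Constructed sample of what ldapsearch returns: alice already has the
# objectClass, bob does not.
SAMPLE_SEARCH='dn: uid=alice,ou=People,dc=place,dc=org
objectClass: posixAccount
objectClass: shadowAccount
uid: alice

dn: uid=bob,ou=People,dc=place,dc=org
objectClass: posixAccount
uid: bob
'

# Stand-alone run: show the LDIF that would be applied for the sample data.
# Against a real directory (assumed host/bind DN) the pipeline would be:
#   ldapsearch -x -LLL -H ldap://ldap.place.org -b ou=People,dc=place,dc=org \
#       '(objectClass=posixAccount)' objectClass \
#     | missing_shadow | shadow_ldif \
#     | ldapmodify -x -H ldap://ldap.place.org -D cn=admin,dc=place,dc=org -W
printf '%s' "$SAMPLE_SEARCH" | missing_shadow | shadow_ldif
```

Review the generated LDIF before piping it into ldapmodify: adding shadowAccount is exactly what grants the entry a shadow record, so the list of DNs it touches is the list of accounts that become eligible to log in.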

What a pain. And how much precious time did I waste on this? 2, maybe 3 hours? Unbelievable.
