Solaris 9

Preliminary

The SUN versions of cc and make seem to cause endless issues when compiling open source code. You will need to use gcc and GNU make. These can be downloaded from http://www.sunfreeware.com/. First, remove the LDAP package that comes with Solaris 9. This will only confuse the issue.

root@ldap > pkgrm SUNWlldap

OpenSSL

Download the latest version of openssl (0.9.7b) from http://www.openssl.org/.

Then install it. (I was not able to get the complete LDAP software to compile using ./Configure solaris-sparcv9-gcc shared):

root@ldap > gunzip openssl-0.9.7b.tar.gz
root@ldap > tar -xvf openssl-0.9.7b.tar
root@ldap > cd openssl-0.9.7b
root@ldap > ./config
root@ldap > make
root@ldap > make test
root@ldap > make install

If you have any problems and need to run make again, ensure that you run make clean first. If OpenSSL compiles but you have problems further down the track with OpenLDAP and decide to change the OpenSSL configuration, remove the installation directory (/usr/local/ssl) before rebuilding. This may save you a good deal of grief!

OpenLDAP

Some environment variables may need to be set. These will vary according to where you installed OpenSSL:

root@ldap > export LDFLAGS CPPFLAGS
root@ldap > unset LD_LIBRARY_PATH
root@ldap > LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib"
root@ldap > LDFLAGS="$LDFLAGS -R/usr/local/ssl/lib:/usr/local/lib"
root@ldap > CPPFLAGS="-I/usr/local/ssl/include -I/usr/local/include"

Download the latest stable source code (2.1.22) from http://www.openldap.org/.

In this case we do not want the OpenLDAP server (slapd) installed, so we need to explicitly disable it.

root@ldap > gunzip openldap-2.1.22.tgz
root@ldap > tar -xvf openldap-2.1.22.tar
root@ldap > cd openldap-2.1.22
root@ldap > ./configure --with-tls --disable-slapd
root@ldap > make depend
root@ldap > make
root@ldap > make install

Finally, remember to install the CA certificate that you created and edit the ldap.conf file to match your configuration.

You should now have a working LDAP client. You could test it with ldapsearch. For example:

root@ldap > ldapsearch -LLL -x -H ldaps://ldap.your.site.com -b dc=your,dc=site,dc=com "uid=l.r*" dn

PAM_LDAP

Download the latest source code (1.6.4) from http://www.padl.com/.

root@ldap > gunzip pam_ldap.tgz
root@ldap > tar -xvf pam_ldap.tar
root@ldap > cd pam_ldap-164
root@ldap > ./configure
root@ldap > export LD_LIBRARY_PATH
root@ldap > LD_LIBRARY_PATH=/usr/local/lib
root@ldap > make
root@ldap > make install

Don't forget to ensure that pam_ldap's link dependencies are satisfied after installation (you can verify this by doing ldd /usr/lib/security/pam_ldap.so.1). You must ensure that any libraries that it depends on (such as the LDAP client library) can be located by the dynamic linker. Otherwise, libpam may fail to load the pam_ldap module.

  • If /usr/local/lib was not in LD_LIBRARY_PATH, I got the error below. (Alternatively you may need to find liblber.so and put its path in LD_LIBRARY_PATH):

    root@ldap > make
    gcc -DHAVE_CONFIG_H -I/usr/local/ssl/include -I/usr/local/include -DLDAP_REFERRALS -D_REENTRANT -g -O2 -Wall -fPIC -c -o pam_ldap.o pam_ldap.c
    /usr/ccs/bin/ld -o pam_ldap.so -B dynamic -M ./exports.solaris -G -B group -lc pam_ldap.o md5.o -lldap -llber -lnsl -lcrypt -lresolv -lpam -ldl
    ld: fatal: library -llber: not found
    ld: fatal: File processing errors. No output written to pam_ldap.so
    make: *** [pam_ldap.so] Error 1

    Note: Eventually I found I needed to create two symbolic links /usr/lib/liblber.so.2 -> /usr/local/lib/liblber.so.2 and /usr/lib/libldap.so.2 -> /usr/local/lib/libldap.so.2 otherwise the system just could not find the libraries on startup. Maybe I did not follow the installation instructions correctly.

  • I also received an error using make:

    # make
    mksh: Fatal error in reader: = missing from replacement macro reference
    Current working directory /root/pam_ldap-164
    # which make
    /usr/ccs/bin/make

    This error occurs because the makefile expects GNU make. The solution is to install GNU make and make sure that it appears before /usr/ccs/bin/make in your path (or call it directly, e.g. /usr/local/bin/make).

/etc/pam.conf

I'm still working through this but the following seems to work in general.

I have tried to keep this as simple as possible. I will only add a specific reference to a service if I find that it requires different treatment.

# PAM configuration
#
# Authentication management
#
rsh     auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other   auth required   /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass

#
# Account management
#
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
other   account required        /usr/lib/security/$ISA/pam_projects.so.1
other   account sufficient      /usr/lib/security/$ISA/pam_unix.so.1
other   account required        /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass

#
# Session management
#
other session sufficient /usr/lib/security/$ISA/pam_unix.so.1
other session optional   /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass

#
# Password management
#
other   password sufficient      /usr/lib/security/$ISA/pam_ldap.so.1
other   password required        /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
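As an added example (not code from the original page), a Bourne-shell check that combines the ldd test described under PAM_LDAP with the pam.conf above: it lists every module the file references, with $ISA expanded to the 32-bit path, and reports any that is missing or whose dependencies the runtime linker cannot resolve. The function names and the optional ROOT argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Two things make libpam fail to
# load a module: the path in pam.conf does not exist, or the module's own
# dependencies (libldap, liblber) are not visible to the runtime linker.

# pam_modules CONF: unique module paths referenced in CONF, with the $ISA
# token dropped (the 32-bit expansion of /usr/lib/security/$ISA/ on Solaris).
pam_modules() {
    awk '$1 !~ /^#/ && NF >= 4 { print $4 }' "$1" |
        sed 's#\$ISA/##' | sort -u
}

# unresolved_deps: read ldd(1) output on stdin and print each library the
# linker reported missing. Solaris prints "liblber.so.2 => (file not found)",
# GNU/Linux prints "liblber.so.2 => not found"; both forms are matched.
unresolved_deps() {
    awk '/=>/ && /not found/ { print $1 }'
}

# pam_check CONF [ROOT]: print one line per problem and return 1 if any was
# found. ROOT (assumed, optional) lets a staging tree be checked instead of
# the live system.
pam_check() {
    conf=$1; root=${2:-}; status=0
    for mod in $(pam_modules "$conf"); do
        if [ ! -f "$root$mod" ]; then
            echo "missing module: $mod"; status=1
        elif command -v ldd >/dev/null 2>&1; then
            for lib in $(ldd "$root$mod" 2>/dev/null | unresolved_deps); do
                echo "$mod: unresolved dependency $lib"; status=1
            done
        fi
    done
    return $status
}

# Usage on the live system: pam_check /etc/pam.conf
```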

NSS_LDAP

Download the latest source code (2.0.7) from http://www.padl.com/.

root@ldap > gunzip nss_ldap.tgz
root@ldap > tar -xvf nss_ldap.tar
root@ldap > cd nss_ldap-207
root@ldap > export LD_LIBRARY_PATH
root@ldap > LD_LIBRARY_PATH=/usr/local/lib
root@ldap > ./configure
root@ldap > make
root@ldap > make install

  • NOTE: 
    The new version (197) allowed successful compilation under Solaris 9.  There
    was one minor glitch in make install:
    
    make[1]: Entering directory `/usr/local/src/padl/nss_ldap-197'
    ./install-sh -c -o root -g root nss_ldap.so /lib/nss_ldap.so.1
    make[1]: execvp: ./install-sh: Permission denied
    make[1]: *** [install-exec-local] Error 127
    make[1]: Leaving directory `/usr/local/src/padl/nss_ldap-197'
    make: *** [install-am] Error 2
    
    this was easily fixed via
      chmod +x install-sh
    
    but that needs to be corrected in the package.
    
    I haven't yet tested since I am having problems compiling pam_ldap.  I will
    report that separately.
    
      --Jim Harle
    

    This was still the case for nss_ldap-207.

  • I also received the following error:

    # make
    cd . && /bin/bash /root/nss_ldap-207/missing --run aclocal-1.6
    /root/nss_ldap-207/missing: aclocal-1.6: command not found
    WARNING: `aclocal-1.6' is needed, and you do not seem to have it handy on your
             system.  You might have modified some files without having the
             proper tools for further handling them.  Check the `README' file,
             it often tells you about the needed prerequirements for installing
             this package.  You may also peek at any GNU archive site, in case
             some other package would contain this missing `aclocal-1.6' program.
    *** Error code 1
    make: Fatal error: Command failed for target `aclocal.m4'
    

    You need to install automake, autoconf and m4 and then edit the nss_ldap Makefile. The Makefile references aclocal-1.6 and automake-1.6; these need to be changed to the versions on your machine. (Or, better still, the package should reference simply aclocal and automake.)

    ACLOCAL = ${SHELL} /root/nss_ldap-207/missing --run aclocal-1.7
    AUTOCONF = ${SHELL} /root/nss_ldap-207/missing --run autoconf
    AUTOMAKE = ${SHELL} /root/nss_ldap-207/missing --run automake-1.7
    
  • If you haven't set your LD_LIBRARY_PATH you may get the following error:

    ld: fatal: library -llber: not found
    ld: fatal: File processing errors. No output written to nss_ldap.so
    make[1]: *** [nss_ldap.so] Error 1
    make[1]: Leaving directory `/root/nss_ldap-207'
    make: *** [all] Error 2
    

    Solution: set your LD_LIBRARY_PATH, e.g.:

    root@ldap > export LD_LIBRARY_PATH
    root@ldap > LD_LIBRARY_PATH=/usr/local/lib

Now /etc/nsswitch.conf needs to be edited. This is the file that tells the name service switch which sources (local files, LDAP, DNS) to consult, and in what order, for each database such as passwd and group.

nsswitch.conf

I haven't really given this much thought but this seems to work:


# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf;
#
passwd:     files ldap
passwd_compat: ldap
shadow:     files ldap
group:      files
hosts:      files dns
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:       user files
auth_attr:  files
prof_attr:  files
project:    files
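As an added example (not from the original page), a check over nsswitch.conf that confirms files is consulted before ldap for passwd, shadow and group, so root and other local accounts still resolve when the directory server or the network is unreachable; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: verify that nsswitch.conf keeps
# "files" ahead of "ldap" for the login-related databases, so root and other
# local accounts still resolve when the LDAP server or the network is down.

# nss_sources CONF DB: print the source list for database DB ("files ldap"
# for passwd in the configuration above), or nothing if DB is not listed.
nss_sources() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }                 # skip comment lines
        {
            line = $0; sub(/#.*/, "", line) # drop trailing comments
            n = index(line, ":")
            if (n == 0) next
            name = substr(line, 1, n - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            src = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", src)
            print src; exit
        }' "$1"
}

# nss_check_local_first CONF: for passwd, shadow and group, report any entry
# that consults ldap without listing files first; return 1 if one was found.
nss_check_local_first() {
    conf=$1; status=0
    for db in passwd shadow group; do
        src=$(nss_sources "$conf" "$db")
        case " $src " in
            *" ldap "*)
                first=${src%% *}
                if [ "$first" != "files" ]; then
                    echo "$db: '$src' consults ldap before local files"
                    status=1
                fi ;;
        esac
    done
    return $status
}

# Usage on the live system: nss_check_local_first /etc/nsswitch.conf
```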

SSH

ssh from http://www.ssh.com/ is available under a non-commercial license to academic institutions.

Download the latest source code (3.2.2) from http://www.ssh.com/.

root@ldap > gunzip ssh-3.2.2.tar.gz
root@ldap > tar -xvf ssh-3.2.2.tar
root@ldap > cd ssh-3.2.2
root@ldap > ./configure --enable-pam
root@ldap > make
root@ldap > make install


Author: Lance Rathbone
Last modified: Wednesday June 18, 2008
