The UNIX way.

Around the clock, across the globe. By Vladimir Legeza

“! bad user” error for the LDAP (with TLS) account in /var/cron/log.


First of all, I found that each account needs to carry the shadowAccount object class. This is necessary because its attributes hold the account status information (in this case, the expiration data).

objectClass: shadowAccount
shadowExpire:
shadowFlag: 0

After adding this object class to every account that might be used to run tasks via the cron daemon, I saw that these accounts became visible in the shadow database, as they already were in the passwd database before.

# ldaplist shadow mnt-indexer
dn: uid=mnt-indexer,ou=MNT Users,ou=Other Users,dc=rbcsoft,dc=ru
# ldaplist passwd mnt-indexer
dn: uid=mnt-indexer,ou=MNT Users,ou=Other Users,dc=rbcsoft,dc=ru

The second thing I found was that every process that makes a request to LDAP with TLS through pam_unix_account.so.1 needs read access to the databases that contain the keys used to establish the TLS connection (usually placed in /var/ldap as *.db files).

# ls -la /var/ldap
total 660
drwxr-xr-x 3  root sys        9 Jul  9 12:26 .
drwxr-xr-x 32 root sys       32 May 11 18:46 ..
-rw-r--r-- 1  root other    987 Jul  9 12:26 cachemgr.log
-rw------- 1  root root   65536 Jul  9 12:25 cert8.db
-rw------- 1  root root  131072 Jul  9 12:25 key3.db
-r-------- 1  root other    221 Jul  9 12:26 ldap_client_cred
-r-------- 1  root other    572 Jul  9 12:26 ldap_client_file
drwxr-xr-x 2  root other      4 Jul  9 11:45 restore
-rw------- 1  root root  131072 Jul  9 12:25 secmod.db

There are two ways to grant that access. The first is to change the *.db file permissions. The second is to route all LDAP requests through ldap_cachemgr, which already has the required permissions. The second is the better one! The only thing we need to do is enable the name-service-cache service.

# svcadm enable name-service-cache

Changing the file permissions might solve only half of the problem! You will see records like these in the cron debug messages:

Jul  8 17:06:00 azzi.rbcsoft.ru cron[4768]: [ID 293258 user.warning] libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't contact LDAP server

and as a result:

Jul  8 17:06:00 azzi.rbcsoft.ru cron[4768]: [ID 715492 auth.debug] PAM[4768]: pam_end(808d080): status = No account present for user

the cron tasks were still not performed.
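As an added example (not code from the original post), a small Python checker for the two causes above: it verifies that an account's LDIF entry carries the shadowAccount class and its status attributes, and it scans cron debug lines for the libsldap status 81 / "No account present" pair that marks the TLS key database access problem. The message shapes are the ones quoted above; all sample inputs are constructed.

```python
"""Added example, not code from the original post: checks for the two
failure causes described above. check_shadow_entry() verifies that an LDIF
entry carries the shadowAccount class and its status attributes;
scan_cron_log() separates 'LDAP unreachable' (TLS key databases unreadable
by the cron process) from 'no shadow entry'. All sample data is constructed."""
import re

REQUIRED_ATTRS = ("shadowExpire", "shadowFlag")

def parse_ldif(text):
    """Minimal LDIF reader for one entry: {attribute: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def check_shadow_entry(text):
    """Return the problems that keep an account out of the shadow database."""
    entry = parse_ldif(text)
    problems = []
    if "shadowAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass shadowAccount")
    problems += [f"missing attribute {a}" for a in REQUIRED_ATTRS if a not in entry]
    return problems

# Message shapes taken from the cron debug lines quoted in the post.
LIBSLDAP_RE = re.compile(r"cron\[(\d+)\]: .*libsldap: Status: 81 ")
PAM_RE = re.compile(r"cron\[(\d+)\]: .*No account present for user")

def scan_cron_log(lines):
    """Map cron PID -> diagnosis. A libsldap bind failure before 'No account
    present' means the server was unreachable (check /var/ldap/*.db access or
    name-service-cache); 'No account present' alone points at the LDIF."""
    bind_failed, no_account = set(), set()
    for line in lines:
        m = LIBSLDAP_RE.search(line)
        if m:
            bind_failed.add(m.group(1))
        m = PAM_RE.search(line)
        if m:
            no_account.add(m.group(1))
    return {pid: ("ldap unreachable" if pid in bind_failed else "no shadow entry")
            for pid in bind_failed | no_account}
```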

That’s it!


Written by Vladimir Legeza

July 10, 2010 at 6:09 pm

Posted in LDAP, Solaris
