List: pamldap
Subject: Re: [pamldap] build fails on Solaris 8 (undefined symbol
From: "Ryan Anderson" <Ryan.Anderson () udlp ! com>
Date: 2004-01-28 15:52:03
Message-ID: s0178648.012 () asdmngwia ! mpls ! udlp ! com
I've gotten pam_ldap and nss_ldap compiled on Solaris 8. Attached are my
notes (they include some other info that can be ignored).
RCA
--
Ryan C. Anderson
Unix Administrator
United Defense LP
Desk: 763-572-6684
Mobile: 612-419-9362
Pager: 952-235-9936
>>> Mhess <MHess@telekom.de> 01/27/04 08:46AM >>>
Hello everybody,
I'm currently working on setting up LDAP for centralized authentication
of our Solaris accounts. The longer I try, the harder it seems to get.
;-) Basis for my recent approach is the document at
http://netmojo.ca/howto/solaris-openldap.html. Up to the point of
building pam_ldap everything worked fine. Here's what I get (I cut out
the configure output. If you need it, let me know and I will provide
this as well)
------------------------
bash-2.03$ ./configure --prefix=/opt/pam_ldap --with-ldap-lib=openldap
--with-ldap-dir=/opt/openldap-2.1.25
--with-ldap-conf-file=/opt/openldap-2.1.25/etc/openldap/ldap.conf
--with-ldap-secret-file=/etc/ldap.secret
[...]
bash-2.03$ make
/opt/sfw/bin/gcc -DHAVE_CONFIG_H -I/opt/include
-I/usr/local/ssl/include -I/opt/BerkeleyDB.4.2/include
-I/opt/cyrus-sasl-2.1.17/include -DLDAP_REFERRALS -D_REENTRANT
-I/opt/openldap-2.1.25/include -g -O2 -Wall -fPIC -c -o pam_ldap.o
pam_ldap.c
/opt/sfw/bin/gcc -DHAVE_CONFIG_H -I/opt/include
-I/usr/local/ssl/include -I/opt/BerkeleyDB.4.2/include
-I/opt/cyrus-sasl-2.1.17/include -DLDAP_REFERRALS -D_REENTRANT
-I/opt/openldap-2.1.25/include -g -O2 -Wall -fPIC -c -o md5.o md5.c
/usr/ccs/bin/ld -o pam_ldap.so -B dynamic -M ./exports.solaris -G -B
group -lc -L/opt/openldap-2.1.25/lib -R/opt/openldap-2.1.25/lib
pam_ldap.o md5.o -lldap -llber -lnsl -lcrypt -lresolv -lpam -ldl
-lcrypto -lssl -lsasl2
Undefined                       first referenced
 symbol                             in file
__eprintf                           /opt/openldap-2.1.25/lib/libldap.so
ld: fatal: Symbol referencing errors. No output written to pam_ldap.so
make: *** [pam_ldap.so] Error 1
------------------------
I've googled and searched the web and the only thread I came up with
was one from this list.
http://www.netsys.com/pamldap/2003/01/msg00063.html
In this thread, the author says he used gcc to compile and in a reply
it is pointed out that pre-3.2 releases had problems with the above
mentioned (missing) symbol. I'm using gcc 2.95.3 from sunfreeware.com,
and I'm now wondering if I have to use gcc 3.3 to compile pam_ldap (don't
think so, but I'm getting desperate).
Even more questions: Why is it that libldap.so references the unknown
symbol, although libldap.so did build just fine in exactly the same
build environment (i.e. LDFLAGS and so on)? Running ldd on libldap.so
also shows no problems. Am I missing the basics here?
Any input would be very appreciated.
bye,
Michael Heß
["sol8_install_notes.txt" (text/plain)]
Solaris 8 LDAP Authentication via eDirectory Configuration Notes
----------------------------------------------------------------
These instructions will allow you to set up Solaris 8 hosts
to use LDAP authentication from eDirectory 8.7.x. Linux clients
can authenticate using these instructions too, except that they use their
pre-built rpm with the PADL Ltd LDAP libraries and the same ldap.conf below.
Important: All Solaris login binaries (telnet, ftp, etc) use PAM authentication
fine, but if you use OpenSSH or any application using the name service, they
may need to be re-compiled with the --with-pam option before working with
LDAP authentication.
MODIFY THE LDAP GROUP OBJECT IN EDIRECTORY
1. Find the container with the server objects, and find the object labeled:
'LDAP Group - <hostname of master>'
2. Rename it to something more all-encompassing, as this LDAP server
group will be the LDAP group for all servers and clients
3. Create a proxy user in eDirectory with a null password to be
used by the LDAP group later. From a container at or above where users
are kept, give inheritable rights to Read and Compare:
CN
Description
O
Object Class
dc
gecos
gidNumber
homeDirectory
loginShell
memberUID
uidNumber
uniqueID
Add browse rights to:
[Entry Rights]
4. Right-click the LDAP Group object and:
a) Make the proxy user you created the 'Proxy Username' in the General tab.
* This is the username anonymous requests will be made as
b) Add any servers in the same workforce tree into the Server List tab.
c) Under the Class Mappings tab, add mappings for:
posixAccount <--> posixAccount
shadowAccount <--> shadowAccount
posixGroup <--> posixGroup
5. Open 'LDAP Server - <hostname>' for each LDAP server.
a) SSL/TLS Configuration --> Select SSL Certificate DNS
for 'Server Certificate' (should be the default already)
b) Click 'Refresh NLDAP Server Now' to make sure changes apply
COMPILE AND CONFIGURE THE PADL OPEN SOURCE LIBRARIES
* These instructions apply to Solaris only; Linux already comes with
the Padl libraries by default, so we will use them instead. However,
the /etc/ldap.conf is the same on each platform
* For Solaris, I put LDAP software into /opt/ldap so it does not
clobber Sun's software, or get lost in /usr/lib. I then make
links in /usr/lib, but you can do it however you choose.
* Quick tutorial: nss_ldap is a replacement name service switch library
that comes with Solaris. On Linux the included one is what we will use,
it comes from PADL also. nss_ldap simply maps UIDs to names from LDAP
in the same way /usr/lib/nss_nis.so maps UIDs and names from NIS. When
you do 'ls -l' in a directory, the OS knows to look in the naming services
listed in nsswitch.conf, and if it has 'ldap' listed after the 'passwd'
entry, it will query /usr/lib/nss_ldap.so, which in turn looks at its
config in /etc/ldap.conf to look to the LDAP server you specify to get
UID to name mapping; NO AUTHENTICATION.
pam_ldap.so is a replacement pluggable authentication module (PAM)
library that replaces the one on Solaris at /usr/lib/security. The
sole job of this is to provide authentication. It too looks at
/etc/ldap.conf to know what server(s) to authenticate to.
1. Download openssl-0.9.7c (openssl.org), openldap-1.2.23 (openldap.org),
pam_ldap-1.66, and nss_ldap-212 (padl.com)
2. Get the right tools: A recent gcc compiled on the OS you are compiling
on (I used 3.2.3; the compile will fail if you use gcc compiled on Solaris
2.6 on Solaris 8), gnu m4, gnu make, perl, autoconf 1.6.
3. Fix the gotchas:
a) Temporarily rename /usr/lib/libldap.so.4 during
compilation so you don't link against it (it doesn't work w/eDir),
b) You must rename /usr/ccs/bin/m4, then make a sym-link from
/usr/ccs/bin/m4 to gnu m4: cd /usr/ccs/bin; ln -s /usr/local/bin/m4
* Fix these when done compiling
4. Set your PATH to be: <path to gcc>:<path to gnu tools>:/usr/ccs/bin:$PATH
5. Set gcc env variables to compile everything in 32-bit mode:
export CFLAGS="-mcpu=v7 -m32"
export LDFLAGS="-mcpu=v7 -m32"
6. Compile openssl:
a) untar openssl into /var/tmp/ossl, then cd into it
b) ./Configure --prefix=/var/tmp/ossl solaris-sparcv9-gcc
c) make depend
d) make
e) make install
f) copy /var/tmp/ossl/bin/openssl to /opt/ldap/bin
7. Setup shell environment in preparation for openldap:
a) unset LD_LIBRARY_PATH
b) export CPPFLAGS="-I/var/tmp/ossl/include"
c) export LDFLAGS="$LDFLAGS -L/var/tmp/ossl/lib"
d) Fix your PATH to remove any instance of 'cc'. OpenLDAP will
use 'cc' even if gcc is in your path first!
8. Compile openldap-2.1.23:
a) cd <temp dir w/openldap>
b) ./configure --prefix=/opt/ldap --enable-syslog --disable-slapd \
--with-tls
c) make
d) make depend
e) make install
NOTE: If you get errors about not finding a valid TLS/SSL library,
it's probably because it's trying to compile 64-bit! Make
sure you still have the 32-bit env vars from step 5.
9. Rename all occurrences of 'pam_ldap' or 'nss_ldap' in the pam_ldap and
nss_ldap source files to pam_nldap and nss_nldap (or whatever) so that
the files when compiled don't clobber files by the same name that are
part of Solaris.
a) cd <dir w/pam_ldap-166>
b) Run this shell script:
FILES=`ls`
for file in $FILES; do
perl -p -i.sav -e "s:nss_ldap:nss_nldap:g" $file
perl -p -i.sav -e "s:pam_ldap:pam_nldap:g" $file
done
c) Rename pam_ldap.* files to pam_nldap.* (or whatever)
d) cd <dir w/nss_ldap 2.12>
e) Run the same shell script after doing: FILES=`ls`
f) Rename nss_ldap.spec to nss_nldap.spec
10. Compile pam_ldap 1.66:
a) Reset your shell to have the same environmental variables
from step 5
b) cd <dir w/pam_ldap-166>
c) ./configure --prefix=/opt/ldap --enable-debug --with-ldap-dir=\
/opt/ldap --with-ldap-lib=openldap
d) make
e) Do 'ldd pam_nldap.so' and verify it's linked correctly.
f) su -c "make install"
11. Compile nss_ldap 2.12:
a) cd <dir w/nss_ldap-212>
b) ./configure --prefix=/opt/ldap --enable-debug --with-ldap-dir= \
/opt/ldap --with-ldap-lib=openldap --enable-rfc2307bis
c) make
d) su -c "make install"
MAKE LINKS
1. Make the following sym links:
/usr/lib/nss_nldap.so.1 -> /opt/ldap/lib/nss_nldap.so.1
/usr/lib/nss_nldap.so -> /usr/lib/nss_nldap.so.1
/usr/lib/security/pam_nldap.so.1 -> /opt/ldap/lib/nss_nldap.so.1
/usr/lib/security/pam_nldap.so -> /usr/lib/security/pam_nldap.so.1
SETUP THE /etc/ldap.conf FILE
On Solaris and Linux the contents are the same. Contents of the file:
*******************************************************
# @(#)Id: ldap.conf.nldap,v 1.5 2004/01/12 20:36:24 andersrc Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library (nss_ldap) and the LDAP PAM module (pam_ldap).
# PADL Software http://www.padl.com
# LDAP servers
host server1 server2
# The distinguished name of the search base.
base ou=FOO,o=BAR
ldap_version 3
# The search scope. Options are: sub, one, base
scope sub
# These were changed from the defaults for fast failover
timelimit 10
bind_timelimit 1
# Applies to SunONE only
pam_lookup_policy no
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute member
# RFC2307bis naming contexts
# NOTE: must compile nss_ldap.so with --enable-rfc2307bis to use this!
#
# Unix sysadmins are a member of group 'admin'; entry belongs on every
# system regardless of NIS domain. This is optional.
nss_base_passwd ou=FOO,o=BAR?sub?groupMembership=cn=admin,ou=FOO,o=BAR
# Group users are in; try to make group name the same as `domainname`
nss_base_passwd ou=FOO,o=BAR?sub?groupMembership=cn=usersgrp,ou=FOO,o=BAR
# Where the groups are
nss_base_group ou=FOO,o=BAR?one
# attribute/objectclass mapping
# Suggested (not required) for NDS
nss_map_attribute uniqueMember member
# TLS/SSL settings
tls_ciphers TLSv1
ssl on
*******************************************************
SETUP THE /etc/pam.conf FILE ON SOLARIS
* No two pam.conf files are the same, and none that I've seen
get you the same behavior as the Solaris default (ie, three
failed attempts, then kicks you off).
* I'm not including one here, so look for one online or make your
own. You're basically going to have to add entries like this:
other auth sufficient pam_unix.so.1
other auth optional pam_nldap.so.1 use_first_pass
#
other account sufficient pam_unix.so.1
other account required pam_nldap.so.1
#
other session required pam_unix.so.1
#
other password required pam_unix.so.1
other password optional pam_nldap.so.1
* BTW: Since 'other' covers all services not explicitly defined,
the above is a working pam.conf
CHANGE /etc/nsswitch.conf FILE
1. passwd: files nldap [NOTFOUND=return] nis
2. group: files nldap [NOTFOUND=return] nis
MAKE A SOLARIS PACKAGE
If you are going to use LDAP authentication on more than a couple Sun systems,
make a Solaris package:
1. Copy all files in /opt/ldap into /opt/pkg/opt/ldap
2. Copy your example nsswitch.conf, pam.conf, and ldap.conf to /opt/pkg/etc
with .nldap appended to their name. Also add /usr/lib links in
/opt/pkg/usr/lib.
3. Make a pkginfo file in /opt/pkg with at least the following:
PKG=<package name; ie CORPldap>
NAME=<Short name; ie "LDAP client files">
ARCH=sparc
VERSION=1.0
CATEGORY=system
4. Create a prototype file into /opt/pkg:
a) find /opt/pkg -print | pkgproto > /opt/pkg/prototype
b) Edit prototype to include: i pkginfo as the first line
c) Change the three fields after existing paths (ie /etc) to ? ? ?
d) Edit ownership and modes accordingly
5. Build the package:
a) pkgmk -o -r . -d /var/tmp -f prototype
b) pkgtrans -s /var/tmp CORPldap_SunOS5.8.pkg
ADD UNIX USERS OR GROUPS INTO EDIRECTORY OR ADD UNIX
ATTRIBUTES TO EXISTING USERS OR GROUPS
User:
1. Remove the Unix snap-in from ConsoleOne; it doesn't work well
2. Create the user in ConsoleOne as is normally done.
3. Right-click the user object --> Extensions of this Object...
4. Add Extension... --> Select posixAccount. A 'Generic editing' pop-up
will display; just click OK. It means there is no Unix snap-in
6. Enter the following:
Name: posixAccount
homeDirectory: /home/<username>
(Create home directory from Unix and update NIS auto.home!)
uniqueID: <username>
Common Name: <username>
gidNumber: <Default GID number>
uidNumber: <UID number>
Then click OK
7. Right-click the user object again --> Extensions of this Object...
8. Add Extension... --> shadowAccount. A 'Generic editing' pop-up, click OK
9. Enter the following:
Name: shadowAccount
uniqueID: <username>
Then click OK
10. You then have to go to the 'Other' tab for the user and add the following
attributes:
gecos: <Full Name>
loginShell: /bin/bash (or whatever)
11. You can also update an existing user with Unix attributes with an LDIF
file and this command:
ldapmodify -r -D cn=admin,ou=FOO,o=BAR -W -h <server> -f <LDIF file>
LDIF file contents:
dn: cn=<username>,ou=FOO,o=BAR
changetype: modify
-
add: objectClass
objectClass: posixAccount
-
add: objectClass
objectClass: shadowAccount
-
add: uidNumber
uidNumber: <UID number>
-
add: gidNumber
gidNumber: <GID number>
-
add: gecos
gecos: <GECOS>
-
add: homeDirectory
homeDirectory:/home/<username>
-
add: loginShell
loginShell:/bin/csh
* On a Solaris/Linux eDirectory server, it's preferable to use the included
'ice' command to do the same thing (man ice)
Group:
1. Create a group object as is normally done
2. In ConsoleOne, right-click the group object --> Extensions of this
object... --> Add Extension... --> posixGroup (ignore the pop-up; click OK)
3. Enter the following:
Name: posixGroup
Common Name: <name of group>
gidNumber: <GID>
Then click OK
4. If a user has this GID as their default, nothing else needs to be done
to associate them with this group. If you want to add a user to the
group, you will need to add them in the Members tab in ConsoleOne.
On Unix, do 'groups' to verify they are in the group.
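The /etc/ldap.conf in the attached notes uses the PADL key/value format, with the nss_base_* entries written in the RFC 2307bis base?scope?filter form. The following is an added example for this thread (it is not code from the post or from PADL): it parses such a file, splits the naming contexts, and reports what a defender would check before rolling the file out to a fleet of clients: a server and a base present, ssl enabled so simple binds do not carry passwords in clear, whether server-certificate checking is left to libldap's defaults, and whether any nss_base_* filter requires the --enable-rfc2307bis build the notes insist on. SAMPLE_LDAP_CONF is constructed here to mirror the configuration in the notes; the key names host, uri, base, scope, ssl and tls_checkpeer are PADL ldap.conf keys.

```python
"""Parse a PADL-style /etc/ldap.conf and check the settings the notes rely on.

Added example for this thread; it is not code from the post or from PADL.
SAMPLE_LDAP_CONF is constructed here and mirrors the keys used in the notes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LDAP_CONF = """\
# constructed sample, same shape as the ldap.conf in the notes
host server1 server2
base ou=FOO,o=BAR
ldap_version 3
scope sub
timelimit 10
bind_timelimit 1
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=FOO,o=BAR?sub?groupMembership=cn=admin,ou=FOO,o=BAR
nss_base_passwd ou=FOO,o=BAR?sub?groupMembership=cn=usersgrp,ou=FOO,o=BAR
nss_base_group ou=FOO,o=BAR?one
nss_map_attribute uniqueMember member
tls_ciphers TLSv1
ssl on
"""

VALID_SCOPES = ("sub", "one", "base")


@dataclass
class NamingContext:
    """One nss_base_* value split into its RFC 2307bis parts."""
    base: str
    scope: str
    filter: Optional[str]  # None when no third field is present


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Return key -> list of values; keys such as nss_base_passwd may repeat.

    nss_ldap treats keys case-insensitively, so they are lower-cased; the
    value is the rest of the line after the first run of whitespace.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def parse_naming_context(value: str, default_scope: str = "sub") -> NamingContext:
    """Split 'base?scope?filter' into its parts; scope falls back to default_scope."""
    fields = value.split("?", 2)
    scope = fields[1] if len(fields) > 1 and fields[1] else default_scope
    flt = fields[2] if len(fields) > 2 and fields[2] else None
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown scope {scope!r} in {value!r}")
    return NamingContext(fields[0], scope, flt)


def check_ldap_conf(conf: Dict[str, List[str]]) -> List[str]:
    """Return findings a defender would want to see; an empty list means clean."""
    def last(key: str, default: str) -> str:
        # the last occurrence of a single-valued key wins, as in nss_ldap
        return conf.get(key, [default])[-1].lower()

    findings: List[str] = []
    if "host" not in conf and "uri" not in conf:
        findings.append("no 'host' or 'uri': the client has no server to talk to")
    if "base" not in conf:
        findings.append("no 'base': searches have no starting point")
    if last("ssl", "off") not in ("on", "start_tls"):
        findings.append("ssl is not 'on'/'start_tls': simple binds would send passwords in clear")
    elif "tls_checkpeer" not in conf:
        findings.append("tls_checkpeer not set: server certificate checking follows libldap's defaults")
    default_scope = last("scope", "sub")
    for key in ("nss_base_passwd", "nss_base_group", "nss_base_shadow"):
        for value in conf.get(key, []):
            try:
                ctx = parse_naming_context(value, default_scope)
            except ValueError as exc:
                findings.append(str(exc))
                continue
            if ctx.filter is not None:
                findings.append(f"{key} carries a filter ({ctx.filter}): "
                                "needs nss_ldap built with --enable-rfc2307bis")
    return findings


def audit(text: str) -> List[str]:
    """Parse and check one ldap.conf body in a single call."""
    return check_ldap_conf(parse_ldap_conf(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDAP_CONF):
        print("-", finding)
```

Run against the constructed sample, audit() reports the two filtered nss_base_passwd contexts (the reason the notes require --enable-rfc2307bis) and the absent tls_checkpeer; turning `ssl on` into `ssl off` adds the clear-text bind finding. The repeated nss_base_passwd key is kept as a list rather than overwritten, which is the behaviour the notes rely on when they list both the admin and the usersgrp contexts.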
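Step 11 of the notes adds the Unix attributes to an existing eDirectory user with an LDIF modify record fed to ldapmodify. As an added example (not code from the post), the following builds that record from a username and numeric IDs, refuses usernames that cannot be placed safely into a DN, and base64-encodes values that RFC 2849 does not allow in clear (a gecos such as 'Michael Heß'). The suffix ou=FOO,o=BAR is the placeholder the notes use; USERNAME_RE is a constructed, deliberately conservative allow-list.

```python
"""Generate the 'changetype: modify' LDIF from step 11 of the notes.

Added example; not code from the post. It emits the same additions as the
notes' LDIF (posixAccount, shadowAccount, uidNumber, gidNumber, gecos,
homeDirectory, loginShell). The base DN ou=FOO,o=BAR is the placeholder the
notes use; USERNAME_RE is a constructed, conservative allow-list.
"""
import base64
import re
from typing import List, Tuple

# Conservative POSIX-style login names, so no DN or filter metacharacters
# (',', '+', '"', '\\', '<', '>', ';', '=', '*', '(', ')') reach the DN.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
DEFAULT_BASE = "ou=FOO,o=BAR"


def ldif_attr_line(attr: str, value: str) -> str:
    """Format 'attr: value', or 'attr:: base64' when RFC 2849 requires it.

    A value may be written in clear only if it is ASCII, does not start with
    space, ':' or '<', does not end with space, and has no NUL, CR or LF.
    """
    safe = (
        value.isascii()
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
        and not any(ch in value for ch in "\0\r\n")
    )
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def posix_user_ldif(username: str, uid: int, gid: int, gecos: str,
                    shell: str = "/bin/csh", base: str = DEFAULT_BASE) -> str:
    """Return the modify record that adds Unix attributes to cn=<username>,<base>."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"unacceptable username {username!r}")
    for name, number in (("uid", uid), ("gid", gid)):
        if not isinstance(number, int) or isinstance(number, bool) or number < 0:
            raise ValueError(f"{name}Number must be a non-negative integer, got {number!r}")
    if not shell.startswith("/") or "\n" in shell:
        raise ValueError(f"loginShell must be an absolute path, got {shell!r}")

    additions: List[Tuple[str, str]] = [
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uidNumber", str(uid)),
        ("gidNumber", str(gid)),
        ("gecos", gecos),
        ("homeDirectory", f"/home/{username}"),
        ("loginShell", shell),
    ]
    lines = [f"dn: cn={username},{base}", "changetype: modify"]
    for attr, value in additions:
        # one 'add:' block per attribute, each closed by the '-' separator
        lines += [f"add: {attr}", ldif_attr_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(posix_user_ldif("alice", 1001, 100, "Alice Example", shell="/bin/bash"))
```

The output can be written to a file and passed to the ldapmodify command line the notes give. Validating the username before it is interpolated into the DN is the point of the allow-list: the record is built from the name, so the name must never carry DN syntax of its own.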