Hi Sara,
what you listed is just a part of what has to be done to get a Solaris client authenticated against an OpenLDAP server.
Recommended steps:
- upgrade to OpenLDAP 2.4.30
- upgrade and patch Solaris. You didn't mention the release level of your Solaris box, and there are quite a few patches out which affect the Solaris LDAP client. Consult the file /etc/release on that box.
- besides the output of 'ldapclient list', have a look at the config files /etc/nsswitch.conf and /etc/pam.conf
- use more than just one LDAP server in production.
- check your setup by running ldaplist, getent passwd and getent group
- don't edit files in /var/ldap manually; use ldapclient
- get access to a Solaris person at your site.
- use duaconfig profiles in your LDAP server to provide standard configs.
- get properly set up certificates with X509v3 Subject Alternative Names. The Solaris client will need that.
- check first whether the client is working properly without TLS, to detect a certificate issue.
- sample output of 'ldapclient list':

  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= cn=ourAgent,dc=ourdomain,dc=com
  NS_LDAP_BINDPASSWD= {NS1}ourpassword
  NS_LDAP_SERVERS= oly-infra-ldap1.ourdomain.com, oly-infra-ldap2.ourdomain.com, oly-infra-ldap3.ourdomain.com, oly-infra-ldap4.ourdomain.com
  NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=com
  NS_LDAP_AUTH= tls:simple
  NS_LDAP_SEARCH_REF= TRUE
  NS_LDAP_SEARCH_SCOPE= one
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_CACHETTL= 0
  NS_LDAP_PROFILE= default
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,dc=ourdomain,dc=com?one
  NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=Account,dc=ourdomain,dc=com?one
  NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=Account,dc=ourdomain,dc=com?one
  NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=ourdomain,dc=com?one
  NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=ourdomain,dc=com?one
  NS_LDAP_BIND_TIME= 2

- YMMV depending on your environment. Not all questions that arise will fit on this mailing list.
Regards
Juergen Sprenger
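The checks in the list above can be scripted. What follows is an added example written for this page, not code from the thread, from Solaris or from OpenLDAP: it works on the text of 'ldapclient list' and /etc/nsswitch.conf and flags a single configured server, a bare hostname that cannot match a certificate Subject Alternative Name carrying the FQDN, a bind method that sends the proxy password in clear, a directory-administrator DN used as the proxy credential (the proxy password is stored on every client in /var/ldap/ldap_client_cred in the reversible {NS1} encoding, so a read-only proxy account is the safer choice), and a passwd or group database that never reaches LDAP in nsswitch.conf. The sample configs and the nsswitch fragment inside it are constructed from the placeholders posted in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check a Solaris LDAP client
# configuration against the checklist above. It parses the text of
# 'ldapclient list' and /etc/nsswitch.conf, so it runs offline on the
# constructed samples below; on a real box feed it "$(ldapclient list)" and
# "$(cat /etc/nsswitch.conf)".

# Constructed sample, modelled on the single-server config posted in the
# thread (hostnames and DNs are the thread's placeholders, not real hosts).
SAMPLE_ONE_SERVER='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=admin,dc=prod,dc=ourdomain,dc=com
NS_LDAP_BINDPASSWD= {NS1}ourpassword
NS_LDAP_SERVERS= oly-infra-ldap1
NS_LDAP_SEARCH_BASEDN= dc=prod,dc=ourdomain,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
NS_LDAP_HOST_CERTPATH= /var/ldap'

# Constructed sample, modelled on the multi-server config in the reply.
SAMPLE_MULTI_SERVER='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=ourAgent,dc=ourdomain,dc=com
NS_LDAP_BINDPASSWD= {NS1}ourpassword
NS_LDAP_SERVERS= oly-infra-ldap1.ourdomain.com, oly-infra-ldap2.ourdomain.com
NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_PROFILE= default'

# Constructed /etc/nsswitch.conf fragment: group lookups never reach LDAP.
SAMPLE_NSSWITCH='passwd: files ldap
group:  files
hosts:  files dns'

# get_attr CONFIG NAME: print the first value of NAME ("NAME= value" or "NAME=value").
get_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2= *//p" | sed -n '1p'
}

# list_servers CONFIG: one server name per line, whitespace trimmed.
list_servers() {
    get_attr "$1" NS_LDAP_SERVERS | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep .
}

# count_servers CONFIG: number of servers configured.
count_servers() {
    list_servers "$1" | grep -c . || true
}

# count_short_names CONFIG: servers given as bare hostnames. TLS verification
# compares the name the client connects to with the certificate's SAN, so a
# short name resolved from /etc/hosts will not match a SAN carrying the FQDN.
count_short_names() {
    list_servers "$1" | grep -v '\.' | grep -c . || true
}

# check_config CONFIG: print one WARN line per finding; return the finding count.
check_config() {
    n=0
    if [ "$(count_servers "$1")" -lt 2 ]; then
        echo "WARN: only one LDAP server listed; use at least two in production"
        n=$((n + 1))
    fi
    if [ "$(count_short_names "$1")" -gt 0 ]; then
        echo "WARN: NS_LDAP_SERVERS has a bare hostname; it must match the certificate SAN, which normally carries the FQDN"
        n=$((n + 1))
    fi
    case "$(get_attr "$1" NS_LDAP_AUTH)" in
        none|simple)
            echo "WARN: NS_LDAP_AUTH sends the proxy password in clear; use tls:simple or SASL"
            n=$((n + 1)) ;;
    esac
    # The proxy password lands on every client in /var/ldap/ldap_client_cred in
    # the reversible {NS1} encoding, so the bind DN should be a read-only proxy
    # account, never the directory administrator.
    if get_attr "$1" NS_LDAP_BINDDN | grep -Eqi '^cn=(admin|manager|directory manager|root),'; then
        echo "WARN: NS_LDAP_BINDDN is an administrative account; bind with a dedicated read-only proxy user"
        n=$((n + 1))
    fi
    return "$n"
}

# nsswitch_missing_ldap CONTENT: print each of passwd/group whose nsswitch line
# does not include ldap (ldaplist can work while getent still ignores LDAP).
nsswitch_missing_ldap() {
    for db in passwd group; do
        printf '%s\n' "$1" | grep "^$db:" | grep -Eq '[[:space:]]ldap([[:space:]]|$)' || echo "$db"
    done
}

# Stand-alone run over the constructed samples.
for cfg in "$SAMPLE_ONE_SERVER" "$SAMPLE_MULTI_SERVER"; do
    echo "== $(get_attr "$cfg" NS_LDAP_BINDDN)"
    if check_config "$cfg"; then echo "no findings"; fi
done
nsswitch_missing_ldap "$SAMPLE_NSSWITCH"
```

Run it once with TLS disabled on the client and once with it enabled, as the list recommends: if the warnings are the same but only the TLS run fails to bind, the problem is the certificate, not the directory configuration.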
-----Original Message-----
Message: 2
Date: Thu, 29 Mar 2012 10:55:10 -0700
From: "Kline, Sara" <SKline@tnsi.com>
To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Solaris client configuration
Message-ID: <C0C9408742654B429ECD3D1FF11A118D16EB097A0D@TNS-MAIL-NA1.win2k.corp.tnsi.com>
Content-Type: text/plain; charset="us-ascii"
Hey all, I am trying to get a Solaris 10 client to authenticate to our OpenLDAP (2.3.43) server, which was built on Red Hat 5.7. Linux clients (RHEL 4,5 and 6, and Oracle 5.7) authenticate without issue. I think it may be a simple misconfiguration but I am really not a Solaris person at all. Would someone be willing to send an ldapclient list to me? I would really appreciate it. Steps I have taken:
1. Imported the SSL cert according to Oracle's instructions
2. Made the 3 files cert8, keys3, and secmod readable to everyone with chmod 444

My current ldapclient list looks like this:

  LDAP_CLIENT_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= cn=admin,dc=prod,dc=ourdomain,dc=com
  NS_LDAP_BINDPASSWD={NS1}ourpassword
  NS_LDAP_SERVERS=oly-infra-ldap1 (this is how the name appears on the cert; it is in the hosts file)
  NS_LDAP_SEARCH_BASEDN=dc=prod,dc=ourdomain,dc=com
  NS_LDAP_AUTH=tls:simple
  NS_LDAP_CACHETTL=0
  NS_LDAP_CREDENTIAL_LEVEL=proxy
  NS_LDAP_SERVICE_AUTH_METHOD=pam_ldap:tls:simple
  NS_LDAP_HOST_CERTPATH=/var/ldap
Any help would be greatly appreciated.
Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736  Cell: (360) 280-2495