Hello James,
Hello all, I have set up a Red Hat Linux box with the OpenLDAP server. I am looking to replace our existing NIS infrastructure with OpenLDAP. The majority of the clients are Solaris 8, with a third of them being Solaris 10. I have been able to connect Red Hat clients to authenticate through LDAP, but I am having issues with the Solaris client configuration. I see some stuff on the net but nothing concrete on how to get this working.
A few caveats with Solaris 10:
1. You need to make the changes in /etc/nsswitch.ldap, for this file gets copied over to /etc/nsswitch.conf once you are using ldapclient.
It should contain something like:
    passwd: files ldap
    group:  files ldap
2. You need to run ldapclient manually once:
I used the following parameters for it:
    ldapclient manual -v \
        -a domainName=********** \
        -a defaultSearchBase=************** \
        -a proxyDN=cn=proxyagent,ou=profile,o=************ \
        -a proxyPassword=************* \
        -a searchTimeLimit=90 \
        -a serviceSearchDescriptor=group:ou=Group,=************ \
        -a serviceSearchDescriptor=passwd:ou=People,o=*************.com \
        -a defaultSearchScope=sub \
        -a objectclassMap=group:posixGroup=posixGroup \
        -a defaultServerList=127.0.0.1 \
        -a authenticationMethod=simple
That gets you both files in /var/ldap/: ldap_client_file and ldap_client_cred.
3. Then you need to restart the ldap client service (svc:/network/ldap/client:default).
The client then uses the already created files and does not recreate them.
4. The slapd.conf should definitely contain:

    # that one almost gave me a headache
    sizelimit unlimited
    # if you are using standard Solaris, that is
    password-hash {CRYPT}
    modulepath /opt/csw/libexec/openldap
    # if you are using Berkeley DB
    moduleload back_bdb.la
    # this enables you to authenticate users via shell
    access to attrs=userpassword
        by self write
        by * read
        by anonymous auth
    # this is useful for caching
    index cn,sn,uid pres,eq,approx,sub
    index objectClass eq
    index memberUid eq,pres
    index uniqueMember eq,pres
    index uidNumber eq,pres
    index gidNumber eq,pres
    # For Solaris 8, I think you also need this (could also be necessary for Solaris 10, not sure here):
    allow bind_v2
I see some sites mention a Solaris schema but I have not been able to locate that anywhere. Is this something that is possible?
You don't need the Solaris Schema, for the necessary objects are already included in the nis.schema. The information on the net regarding this is outdated.
I am sure it is, but I am relatively new to LDAP. Should I be looking at the Solaris native LDAP server?
Sun Java Directory Server, you mean? I don't think that anyone here will advise you to do so. The server is free, but if you want a support contract, you need to pay per LDAP entry. Due to budget cuts, that made it a no-go for us.
I have openldap-servers-2.3.27-8 installed on RHEL4. The schemas listed in my slapd.conf are..
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
Those should be all you need.
You can also configure nscd to really speed things up, if you need help there, just drop me a mail directly, do not want to swamp Openldap people with Solaris internals.
If you need any further help, just ask. We just went through hell and back to migrate our ldap stuff from netscape 4.16 to openldap 2.3.xx, and memory is still fresh.
Cheers,
Claus
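An added pre-flight check, not code from Claus's or James's posts, that greps a slapd.conf for the Solaris-specific settings discussed in the reply above (sizelimit unlimited, password-hash {CRYPT}, allow bind_v2, the posix indexes and the userPassword ACL) before the first ldapclient run. It also flags one thing a practitioner should change in the posted ACL: "by * read" on userPassword lets every client, including anonymous ones, read the {CRYPT} hashes of all users; granting read to the proxy DN that ldapclient binds with keeps the Solaris comparison working while hiding hashes from everyone else. The two sample configs, the suffix dc=example,dc=com and the proxy DN in them are constructed placeholders, not the poster's real values.

```shell
#!/bin/sh
# Pre-flight check of a slapd.conf meant to serve Solaris 8/10 native LDAP
# clients. Added example, not from the thread. Assumes slapd.conf syntax:
# one directive per line, continuation lines start with whitespace.
# The suffix, proxy DN and sample files below are constructed placeholders.

# Print the "access to attrs=userPassword" ACL as one normalised line,
# joining its indented continuation lines, so the by-clauses can be read.
userpassword_acl() {
    awk '
        /^[ \t]/ { if (inacl) cur = cur " " $0; next }
        inacl    { gsub(/[ \t]+/, " ", cur); print cur; inacl = 0 }
        tolower($0) ~ /^access to attrs=userpassword/ { cur = $0; inacl = 1 }
        END      { if (inacl) { gsub(/[ \t]+/, " ", cur); print cur } }
    ' "$1"
}

note() { echo "$1"; findings=$((findings + 1)); }

# Returns the number of findings; 0 means the file has what Solaris
# clients need and does not expose password hashes.
check_solaris_slapd_conf() {
    conf=$1
    findings=0
    # Solaris enumerates passwd/group (getent, nscd); slapd's default
    # sizelimit of 500 entries truncates those answers.
    grep -Eq '^sizelimit[[:space:]]+unlimited' "$conf" \
        || note "missing: sizelimit unlimited"
    # Solaris pam_unix compares a crypt(3) hash read from userPassword,
    # so slapd must store {CRYPT} rather than its default {SSHA}.
    grep -Eq '^password-hash[[:space:]]+\{CRYPT\}' "$conf" \
        || note "missing: password-hash {CRYPT}"
    # Solaris 8 clients bind with LDAPv2, which slapd 2.x rejects by default.
    grep -Eq '^allow[[:space:]]+.*bind_v2' "$conf" \
        || note "missing: allow bind_v2 (Solaris 8 clients)"
    # Indexes on the attributes nss_ldap searches by; without them every
    # login is a full scan of ou=People / ou=Group.
    for attr in uid uidNumber gidNumber memberUid objectClass; do
        grep -Eiq "^index[[:space:]]+([^[:space:]]*,)?$attr(,|[[:space:]])" "$conf" \
            || note "missing: index on $attr"
    done
    # The proxy DN needs read on userPassword, users need auth to bind;
    # nobody else should be able to read hashes.
    acl=$(userpassword_acl "$conf")
    case "$acl" in
        "")            note "missing: access to attrs=userPassword ACL" ;;
        *"by * read"*) note "weak: userPassword readable by everyone (by * read); grant read to the proxy DN instead" ;;
    esac
    return $findings
}

WORKDIR=$(mktemp -d)
GOOD_CONF=$WORKDIR/slapd-good.conf
BAD_CONF=$WORKDIR/slapd-bad.conf

# Constructed: the posted fragment tightened so only the user, the proxy
# agent and the bind operation can touch userPassword.
cat > "$GOOD_CONF" <<'EOF'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
sizelimit unlimited
password-hash {CRYPT}
database bdb
suffix "dc=example,dc=com"
access to attrs=userPassword
    by self write
    by dn.exact="cn=proxyagent,ou=profile,dc=example,dc=com" read
    by anonymous auth
    by * none
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
index memberUid eq,pres
index uniqueMember eq,pres
index uidNumber eq,pres
index gidNumber eq,pres
EOF

# Constructed: a config that serves Red Hat clients fine but trips the
# Solaris requirements and exposes every user's hash.
cat > "$BAD_CONF" <<'EOF'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/nis.schema
database bdb
suffix "dc=example,dc=com"
access to attrs=userPassword
    by self write
    by * read
    by anonymous auth
index objectClass eq
EOF

echo "== hardened sample =="
if check_solaris_slapd_conf "$GOOD_CONF"; then echo "ok: ready for Solaris clients"; fi
echo "== as-posted shape =="
check_solaris_slapd_conf "$BAD_CONF" || echo "$? finding(s)"
```

Run it against the real file with check_solaris_slapd_conf /etc/openldap/slapd.conf before restarting slapd; a non-zero return is the count of findings, and the ACL line it prints is the effective, continuation-joined rule slapd will evaluate top to bottom.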