While further searching the web I found this nice conclusion of how to debug a Solaris 10 Native LDAP-Client or, more generally, what is necessary to know if you want to work with the Solaris native LDAP client.
http://wiki.genunix.org/wiki/index.php/Native_LDAP_Product_Support_Document#...
I am a little bit concerned about the VLV support of OpenLDAP, I don't know how to disable this feature without compiling my own packages and disable that by configure.
This discussion is about disabling VLV to be able to work with the solaris native ldap client and AD: http://old.nabble.com/Solaris-native-ldap-client-to-Windows-Active-Directory...
Can somebody agree to that problem with VLVs and the solaris native ldap client?
Thanks and bye.
On Thu, Oct 28, 2010 at 15:12, Benjamin Griese der.darude@gmail.com wrote:
Correction: -w <passwd> or -w - instead of -W
On Thu, Oct 28, 2010 at 15:02, Benjamin Griese der.darude@gmail.com wrote:
Hello Günther,
sorry for my late reply, I hate sun cluster panics after patching those beasts. :(
Here is the content of solaris_profile:
    dn: cn=solaris_profile,ou=profile,dc=example,dc=de
    objectClass: DUAConfigProfile
    objectClass: top
    cn: solaris_profile
    authenticationMethod: simple
    bindTimeLimit: 10
    credentialLevel: proxy
    defaultSearchBase: dc=example,dc=de
    defaultSearchScope: sub
    defaultServerList: exampleldap01 exampleldap02 (syncrepl, configured to mirrormode)
    followReferrals: FALSE
    profileTTL: 3600
    searchTimeLimit: 30
    serviceSearchDescriptor: sudoers:ou=SUDOers,dc=example,dc=de?sub
    serviceSearchDescriptor: group:ou=groups,dc=example,dc=de?sub
    serviceSearchDescriptor: passwd:ou=people,dc=example,dc=de?sub
Regarding the sorting I found this in man ldapsearch:
"-F sep
Use sep as the field separator between attribute names and values. If this option has been specified, the -L option is ignored.
-S [-]attribute
Specify an attribute for sorting the entries returned by the search. The sort criteria is alphabetical on the attribute's value or reverse alphabetical with the form -attribute. You can give multiple -S options to refine the sorting, For example:
-S sn -S givenname
By default, the entries are not sorted. Use the -x option to perform server-side sorting."
If I use -x for server side sorting, I get the complete list of uid-Objects, but not sorted in any obvious way:
    # ldapsearch -v -x -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
    ldapsearch: started Thu Oct 28 12:16:49 2010
    ldap_init( exampleldap01, 389 )
    filter pattern: (uid=*)
    returning: ALL
    filter is: (uid=*)
    version: 1
If I use this string I get the complete list of uid-objects sorted by uidNumber
    # ldapsearch -v -S uidnumber -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
    ldapsearch: started Thu Oct 28 12:37:11 2010
    ldap_init( exampleldap01, 389 )
    filter pattern: (uid=*)
    returning: ALL
    filter is: (uid=*)
    version: 1
If I try to search with -x and -S uidnumber I get the same message that appears in the OpenLDAP logfile:
    # ldapsearch -v -x -S uidNumber -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
    ldapsearch: started Thu Oct 28 12:25:50 2010
    ldap_init( exampleldap01, 389 )
    filter pattern: (uid=*)
    returning: ALL
    filter is: (uid=*)
    ldap_search: Inappropriate matching
    ldap_search: additional info: serverSort control: No ordering rule
    ldap_parse_sort_control: Requested LDAP control not found
Finally I still have no clue how to prevent the client from doing these kinds of searches. And I couldn't find any templates regarding the ldapclient on my test machine.
Any other clues or ideas?
Bye, Benjamin.
On Sat, Oct 23, 2010 at 19:17, Dieter Kluenter dieter@dkluenter.de wrote:
Benjamin Griese der.darude@gmail.com writes:
Hey thanks for quick reply,
I put the config of the ldapclient on the ML some days ago, but I can't figure out how I may have set such a rule on client side. Probably it is something hardcoded.
ldapclient config:
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de
    NS_LDAP_BINDPASSWD= secret
    NS_LDAP_SERVERS= ldap01
    NS_LDAP_SEARCH_BASEDN= dc=example,dc=de
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 60
    NS_LDAP_PROFILE= solaris_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub
    NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub
That's all I set up, it's like defaultest of the defaultest I guess :)
And thanks for describing EQUALITY.
I must admit I am not that familiar with old netscape tools, but the openldap log is quite clear, there is a request for a Server Side Sorting extended operation, which in fact is quite unusual. You really should check Solaris 10 setup for appropriate templates, i.e. what is the content of solaris_profile? By the way, AFAIR the flag for sss is -F so you may check any templates, Redhat provides these in /usr/share/dirsrv, Solaris might be different.
-Dieter
-- Dieter Klünter | Systemberatung sip: 7770535@sipgate.de http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
-- To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
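
Added note, not part of the original thread: the "serverSort control: No ordering rule" result quoted above depends on the sort key's schema definition, because a server can only sort on an attribute type that has an ORDERING matching rule, declared directly or inherited through SUP. The Python sketch below checks a list of intended sort keys against schema text; the sample schema is constructed for illustration (it is not the thread's server schema) and the function names are hypothetical.

```python
import re

# Constructed sample in RFC 4512 attributetype syntax. The 1.1.2.* entries are
# made-up attributes that show a declared and an inherited ORDERING rule.
SAMPLE_SCHEMA = """
attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 2.5.4.41 NAME 'name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
attributetype ( 1.1.2.1.1 NAME 'exampleSerial'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.1.2.1.2 NAME 'exampleChildSerial' SUP exampleSerial )
"""

DEF_RE = re.compile(r"attributetype\s*\((.*?)\)\s*(?=attributetype|\Z)", re.S | re.I)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))")

def _field(body, keyword):
    """Return the single token following a keyword such as ORDERING or SUP."""
    m = re.search(r"\b%s\s+(\S+)" % keyword, body)
    return m.group(1) if m else None

def parse_attribute_types(schema_text):
    """Map each lowercased attribute name to its ORDERING rule and supertype."""
    attrs = {}
    for body in DEF_RE.findall(schema_text):
        m = NAME_RE.search(body)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        sup = _field(body, "SUP")
        entry = {"ordering": _field(body, "ORDERING"), "sup": sup.lower() if sup else None}
        for name in names:
            attrs[name.lower()] = entry
    return attrs

def effective_ordering(attrs, name):
    """Walk the SUP chain until an ORDERING rule is found; None if there is none."""
    seen, cur = set(), name.lower()
    while cur in attrs and cur not in seen:   # 'seen' guards against SUP loops
        seen.add(cur)
        if attrs[cur]["ordering"]:
            return attrs[cur]["ordering"]
        cur = attrs[cur]["sup"]
    return None

def unsortable(attrs, sort_keys):
    """Sort keys with no ORDERING rule; attributes missing from the schema count too."""
    return [k for k in sort_keys if effective_ordering(attrs, k) is None]

if __name__ == "__main__":
    schema = parse_attribute_types(SAMPLE_SCHEMA)
    print(unsortable(schema, ["uidNumber", "sn", "exampleSerial", "exampleChildSerial"]))
```
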