Finally I found out the following:

1. There seems to be a bug in opensolaris (I know, it's not the same as solaris) which seems related: http://bugs.opensolaris.org/bugdatabase/printableBug.do?bug_id=6939899

2. The workaround is described here: http://docs.alkaloid.net/index.php/Solaris_LDAP_client_with_OpenLDAP_server
Under "Configure the client using a profile" the author writes:
"As noted above, however, the LDAP client seems to have some strange behaviors. In the configuration profile shown above, anonymous access is used to search the directory. However, unless a proxyDN and a proxyPassword are specified, the ldap service refuses to start! A simple way to make ldapclient and the cache manager happy is to provide those credentials, even if they aren't valid."

So, for me, the following worked:

ldapclient -v init -a profileName=solarisbox -a proxyDN=cn=fake,ou=People,dc=example,dc=com -a proxyPassword=xxxx 192.168.0.5
Isaac
On 09/02/2010 06:01 PM, Isaac Hailperin wrote:
Hi,
I am trying to set up a solaris 10 ldap client to work with an openldap server. The server serves the following profile:

dn: cn=solarisbox,ou=profile,dc=acme,dc=de
bindTimeLimit: 10
credentialLevel: anonymous
cn: solarisbox
profileTTL: 43200
searchTimeLimit: 30
defaultSearchScope: sub
followReferrals: TRUE
authenticationMethod: simple
defaultSearchBase: dc=acme,dc=de
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 192.168.0.5

On the solaris box, I issue:

ldapclient -v init -a profileName=solarisbox 192.168.0.5
Parsing profileName=solarisbox
Arguments parsed:
        profileName: solarisbox
        defaultServerList: 192.168.0.5
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 1 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=acme.de))"
rootDN[0] dc=acme,dc=de
found baseDN dc=acme,dc=de for domain acme.de
Proxy DN: NULL
Proxy password: NULL
Credential level: 0
Authentication method: 1
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
[...]
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
[...]
top: network/ldap/client:default... restoring from maintenance state
stop: network/ldap/client:default... failed: required constraint not met
Stopping ldap failed with (1)
Error (1) while stopping services during reset
recover: stat(/var/ldap/restore/defaultdomain)=0
[...]
I am not very familiar with solaris, so I just drop a few other things that I found that seemed related:
cat /var/ldap/cachemgr.log
[...]
Thu Sep 2 17:02:19.4557 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
Thu Sep 2 17:02:19.4601 detachfromtty(): child failed (rc = 255).
Thu Sep 2 17:32:56.9181 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
[...]
I can confirm that /var/ldap/ldap_client_file does not exist.
grep ldap /var/svc/log/*
/var/svc/log/network-ldap-client:default.log:[ Sep 2 17:02:19 Executing start method ("/lib/svc/method/ldap-client start") ]
/var/svc/log/network-ldap-client:default.log:/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.
/var/svc/log/svc.startd.log:Sep 2 17:32:57/458 ERROR: svc:/network/ldap/client:default: Method "/lib/svc/method/ldap-client start" failed with exit status 1.
/var/svc/log/svc.startd.log:Sep 2 17:32:57/458: network/ldap/client:default failed: transitioned to maintenance (see 'svcs -xv' for details)

cat /var/adm/messages
[...]
Sep 2 17:32:56 unknown ldap_cachemgr[1134]: [ID 293258 daemon.error] libsldap: Status: 0 Mesg: Configuration Error: No entry for 'NS_LDAP_BINDDN' found
Sep 2 17:32:56 unknown ldap_cachemgr[1133]: [ID 703877 daemon.error] ldap_cachemgr: failed (rc = 255).
Sep 2 17:32:57 unknown svc.startd[7]: [ID 652011 daemon.warning] svc:/network/ldap/client:default: Method "/lib/svc/method/ldap-client start" failed with exit status 1.
[...]
I had a look at another solaris 10 machine (which I did not set up). The file /var/ldap/ldap_client_file exists, but has no entry 'NS_LDAP_BINDDN'. Also, I can't find some sort of bindDN option to ldapclient, nor can I find an attribute of that kind for the profile.
Any hints on how to get this working?
Isaac
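An added check script, not code from either message in this thread, that ties the cachemgr error ("No entry for 'NS_LDAP_BINDDN' found") and the fake-proxyDN workaround together: it reports whether the client file the cache manager insists on actually carries a bind DN, and whether the credential file that ends up holding the (fake) proxyPassword is readable by root only. It assumes the "KEY= value" layout ldapclient writes on Solaris 10 and the default paths /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred; the sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: the "KEY= value" layout
# that ldapclient writes into /var/ldap/ldap_client_file on Solaris 10, and
# that the proxy password lands in /var/ldap/ldap_client_cred.
# 0 if the client file carries a bind DN, 1 if the key is missing
# (what ldap_cachemgr logs as "No entry for 'NS_LDAP_BINDDN' found"),
# 2 if the file does not exist at all (the state reported in the thread).
has_bind_dn() {
    file="${1:-/var/ldap/ldap_client_file}"
    [ -f "$file" ] || return 2
    grep -q '^NS_LDAP_BINDDN=' "$file"
}

# Print the credential level the client file records (anonymous, proxy, ...).
credential_level() {
    sed -n 's/^NS_LDAP_CREDENTIAL_LEVEL= *//p' "$1"
}

# One-word verdict so a caller can act on it without parsing exit codes.
verdict() {
    rc=0
    has_bind_dn "$1" || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo no-binddn ;;
        *) echo missing-file ;;
    esac
}

# 0 only when the credential file is owner-read-only (mode 0400), so the
# fake proxyPassword the workaround stores cannot be read by other users.
cred_file_is_private() {
    file="${1:-/var/ldap/ldap_client_cred}"
    [ -f "$file" ] || return 2
    [ "$(ls -ld "$file" | cut -c2-10)" = "r--------" ]
}

# Constructed sample: what ldapclient writes once the workaround is applied.
tmp=$(mktemp -d)
cat > "$tmp/with_binddn" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=fake,ou=People,dc=example,dc=com
NS_LDAP_SERVERS= 192.168.0.5
NS_LDAP_SEARCH_BASEDN= dc=acme,dc=de
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= anonymous
EOF
grep -v '^NS_LDAP_BINDDN=' "$tmp/with_binddn" > "$tmp/without_binddn"
verdict "$tmp/with_binddn"      # ok
verdict "$tmp/without_binddn"   # no-binddn
verdict "$tmp/does_not_exist"   # missing-file
```

On a live box, run `verdict` and `cred_file_is_private` with no arguments to check the default paths.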