On Wednesday 16 April 2008 17:22:50 Kick, Claus wrote:
Hello James,
Hello all, I have set up a Red Hat Linux box with the Openldap server. I am looking to replace our existing NIS infrastructure with Openldap. The majority of the clients are Solaris 8 with a third of them being Solaris 10. I have been able to connect Red Hat clients to authenticate through LDAP but I am having issues with the Solaris client configuration. I see some stuff on the net but nothing concrete on how to get this working.
A few caveats with Solaris 10:
- You need to make changes in /etc/nsswitch.ldap, for this file gets copied over to /etc/nsswitch.conf once you are using the ldapclient.
It should contain something like:
passwd: files ldap
group: files ldap
Actually, the bigger issue is ensuring that hostname resolution would work with the settings in /etc/nsswitch.ldap, e.g., you may want to ensure hosts and ipnodes have sane plugins configured (e.g. 'files dns', and not just 'ldap').
- You need to run ldapclient manually once:
I used the following parameters for it:
ldapclient manual -v -a domainName=********** -a defaultSearchBase=************** -a proxyDN=cn=proxyagent,ou=profile,o=************ -a proxyPassword=************* -a searchTimeLimit=90 -a serviceSearchDescriptor=group:ou=Group,=************ -a serviceSearchDescriptor=passwd:ou=People,o=*************.com -a defaultSearchScope=sub -a objectclassMap=group:posixGroup=posixGroup -a defaultServerList=127.0.0.1 -a authenticationMethod=simple
That gets you both files in /var/ldap/: ldap_client_file and ldap_client_cred
- then you need to restart the ldap client service.
(svc:/network/ldap/client:default)
The client then uses the already created files and does not recreate them.
Note that if you have changed the default umask (e.g. our corporate security standards for Solaris require umask to be 077), then you may have to set permissions on the /var/run/*door* files.
- the slapd.conf should definitely contain:
#that one almost gave me a headache
sizelimit unlimited
I wouldn't do this myself. If you are going to use a proxy user, add the proxy user to a group that has limits set with the 'limits' statement.
#if you are using standard solaris that is.
password-hash {CRYPT}
This is only necessary if you are going to authenticate via a "shadow"-like mechanism (aka you like the insecurity NIS provides you with). I would suggest configuring pam instead.
modulepath /opt/csw/libexec/openldap
# if you are using berkeley db
moduleload back_bdb.la
#this enables you to authenticate users via shell
access to attrs=userpassword
        by self write
        by * read
        by anonymous auth
I would much rather use PAM than "by * read" on userPassword ... especially with hashes in crypt.
#this is useful for caching
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
index memberUid eq,pres
index uniqueMember eq,pres
index uidNumber eq,pres
index gidNumber eq,pres
#For Solaris 8, I think you also need (could also be necessary for Solaris 10, not sure here):
allow bind_v2
I see some sites mention a Solaris schema but I have not been able to locate that anywhere. Is this something that is possible?
You don't need the Solaris Schema, for the necessary objects are already included in the nis.schema. The information on the net regarding this is outdated.
Incorrect. You need the schema definitions if you want automatic mode to work. However, automatic mode can't work against OpenLDAP on Solaris <= 9 (I'm not sure about 10), unless you have the 'allop' overlay (which ships with 2.4, but can be made to work on 2.3 with some minor patching).
My 2.3 packages for RHEL4 (and 5) will ship the allop overlay. I have attached the schema definitions required for automatic mode to work. In automatic mode, the ldapclient does a search of the empty suffix (effectively 'ldapsearch -x -s base -b ""'), and expects to get the namingContexts without asking for them (which will occur if you have allop loaded). It will then search each of those suffixes in the namingContexts attribute for (nisdomain=$domain), where $domain is the domain provided to the ldapclient command. If it finds a matching entry, it will search below that entry for a objectclass DUAConfigProfile (so, you need this schema too, I think it ships with nss_ldap) matching (cn=$profilename) for the profile information.
I am sure it is, but I am relatively new to LDAP. Should I be looking at the Solaris native LDAP server?
Sun Java Directory Server you mean? I don't think that anyone here will advise you to do so. The server is free, but if you want a support contract, you need to pay per ldap entry. Due to budget cuts, that made it a no-go for us.
I have openldap-servers-2.3.27-8 installed on RHEL4. The schemas listed in my slapd.conf are..
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
Those should be all you need.
You can also configure nscd to really speed things up, if you need help there, just drop me a mail directly, do not want to swamp Openldap people with Solaris internals.
Well, this list is intended for the integration aspects that were off-topic on the OpenLDAP-software list, and I would prefer to have accurate information available than the current misinformation.
If you need any further help, just ask. We just went through hell and back to migrate our ldap stuff from netscape 4.16 to openldap 2.3.xx, and memory is still fresh.
I've been required to provide an easy method for our Solaris admins to configure LDAP authentication. I've got a script that does everything (including setting up PAM), which I will try and clean up and post tomorrow (or, at least the awk script that configures pam).
Regards, Buchan
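As an added illustration of the automatic-mode lookup sequence Buchan describes above (not code from the thread or from any of its participants), this POSIX sh pre-flight check replays the three searches with plain ldapsearch so an admin can confirm the server answers each step before pointing Solaris clients at it. It assumes OpenLDAP's ldapsearch is on PATH, that anonymous search is permitted, and takes the server URI, NIS domain and profile name as arguments.

```shell
# Replays the three lookups ldapclient makes in automatic mode as a
# pre-flight check. Assumes OpenLDAP's ldapsearch on PATH and anonymous
# read access (assumptions of this example, not stated in the thread).

# Step 1: base search on the empty suffix with no attribute list, as ldapclient does;
# only a server returning operational attributes unasked (allop overlay) lists namingContexts.
naming_contexts() {
    ldapsearch -x -LLL -H "$1" -s base -b "" 2>/dev/null \
        | sed -n 's/^namingContexts: //p'
}

# Step 2: locate the entry carrying nisdomain=$3 under suffix $2.
find_domain_entry() {
    ldapsearch -x -LLL -H "$1" -b "$2" "(nisdomain=$3)" dn 2>/dev/null \
        | sed -n 's/^dn: //p' | head -n 1
}

# Step 3: locate the DUAConfigProfile named $3 below entry $2.
find_profile() {
    ldapsearch -x -LLL -H "$1" -b "$2" \
        "(&(objectClass=DUAConfigProfile)(cn=$3))" dn 2>/dev/null \
        | sed -n 's/^dn: //p' | head -n 1
}

# Runs all three steps: prints the profile DN and returns 0, else names the failing step.
check_automatic_mode() {
    uri=$1 domain=$2 profile=$3
    contexts=$(naming_contexts "$uri")
    if [ -z "$contexts" ]; then
        echo "step 1: no namingContexts on empty suffix (allop missing?)" >&2
        return 1
    fi
    while read -r suffix; do
        [ -n "$suffix" ] || continue
        base=$(find_domain_entry "$uri" "$suffix" "$domain")
        [ -n "$base" ] || continue
        dn=$(find_profile "$uri" "$base" "$profile")
        if [ -z "$dn" ]; then
            echo "step 3: no DUAConfigProfile cn=$profile below $base" >&2
            return 1
        fi
        echo "$dn"
        return 0
    done <<EOF
$contexts
EOF
    echo "step 2: no entry with nisdomain=$domain under any suffix" >&2
    return 1
}
```

Run it as `check_automatic_mode ldap://server example.com default`; a failure at step 1 is the symptom of the missing allop overlay Buchan mentions, while a failure at step 2 or 3 points at the nisdomain entry or the profile object.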