On Wednesday 16 April 2008 17:22:50 Kick, Claus wrote:
- You need to do changes in /etc/nsswitch.ldap, for this file gets copied over to /etc/nsswitch.conf once you are using the ldapclient. It should contain something like:
passwd: files ldap
group: files ldap
Actually, the bigger issue is ensuring that hostname resolution would work with the settings in /etc/nsswitch.ldap, e.g., you may want to ensure hosts and ipnodes have sane plugins configured (e.g. 'files dns', and not just 'ldap').
Right, we actually stumbled over this once, but I had already forgotten about this.
- You need to run ldapclient manually once. I used the following parameters for it:
ldapclient manual -v \
  -a domainName=********** \
  -a defaultSearchBase=************** \
  -a proxyDN=cn=proxyagent,ou=profile,o=************ \
  -a proxyPassword=************* \
  -a searchTimeLimit=90 \
  -a serviceSearchDescriptor=group:ou=Group,=************ \
  -a serviceSearchDescriptor=passwd:ou=People,o=*************.com \
  -a defaultSearchScope=sub \
  -a objectclassMap=group:posixGroup=posixGroup \
  -a defaultServerList=127.0.0.1 \
  -a authenticationMethod=simple
That gets you both files in /var/ldap/: ldap_client_file and ldap_client_cred.
- then you need to restart the ldap client service (svc:/network/ldap/client:default). The client then uses the already created files and does not recreate them.
Note that if you have changed the default umask (e.g. our corporate security standards for Solaris require umask to be 077), then you may have to set permissions on the /var/run/*door* files.
- the slapd.conf should definitely contain:
#that one almost gave me a headache
sizelimit unlimited
I wouldn't do this myself. If you are going to use a proxy user, add the proxy user to a group that has limits set with the 'limits' statement.
Could you please give an example of how to set limits in a group definition?
#if you are using standard solaris that is.
password-hash {CRYPT}
This is only necessary if you are going to authenticate via a "shadow"-like mechanism (aka you like the insecurity NIS provides you with). I would suggest configuring pam instead.
True, I had forgotten to mention that we are not using pam.
modulepath /opt/csw/libexec/openldap
# if you are using Berkeley DB
moduleload back_bdb.la
#this enables you to authenticate users via shell
access to attrs=userpassword
    by self write
    by * read
    by anonymous auth
I would much rather use PAM than "by * read" on userPassword ... especially with hashes in crypt.
#this is useful for caching
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
index memberUid eq,pres
index uniqueMember eq,pres
index uidNumber eq,pres
index gidNumber eq,pres
#For Solaris 8, I think you also need (could also be necessary for Solaris 10, not sure here):
allow bind_v2
I see some sites mention a solaris schema but I have not been able to locate that anywhere. Is this something that is possible?
You don't need the Solaris Schema, for the necessary objects are already included in the nis.schema. The information on the net regarding this is outdated.
Incorrect. You need the schema definitions if you want automatic mode to work.
I stand corrected.
However, automatic mode can't work against OpenLDAP on Solaris <= 9 (I'm not sure about 10), unless you have the 'allop' overlay (which ships with 2.4, but can be made to work on 2.3 with some minor patching).
If I find the time, I might try that out. Can this be made to work with 2.3.39,REV=2008.01.01 ?
My 2.3 packages for RHEL4 (and 5) will ship the allop overlay. I have attached the schema definitions required for automatic mode to work.
I tried to look up those two objects in the solaris.schema, but they are not included there? (# Solaris Schema - igor@ypass.net # http://docs.sun.com/ab2/coll.786.2/LDAPCONFIG/@Ab2PageView/2344?Ab2Lang=C&Ab2Enc=iso-8859-1)
So, is there another solaris.schema flying around? I am confused about this now.
In automatic mode, the ldapclient does a search of the empty suffix (effectively 'ldapsearch -x -s base -b ""'), and expects to get the namingContexts without asking for them (which will occur if you have allop loaded). It will then search each of those suffixes in the namingContexts attribute for (nisdomain=$domain), where $domain is the domain provided to the ldapclient command. If it finds a matching entry, it will search below that entry for an objectclass DUAConfigProfile (so, you need this schema too, I think it ships with nss_ldap) matching (cn=$profilename) for the profile information.
Could you please explain how the automatic mode differs from the "normal" mode, i.e. how the normal mode works?
[...]
You can also configure nscd to really speed things up; if you need help there, just drop me a mail directly, I do not want to swamp the OpenLDAP people with Solaris internals.
Well, this list is intended for the integration aspects that were off-topic on the OpenLDAP-software list, and I would prefer to have accurate information available than the current misinformation.
I am sorry, but I do not quite understand what you are trying to say here. Could you please rephrase?
Regards,
Claus
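
[Editor's note, added to this archived message; the following is not from any participant in the thread.] The slapd.conf fragment below collects the server-side points argued above into one place: a 'limits' statement for a proxy-agent group instead of a global 'sizelimit unlimited', an ACL on userPassword that lets users bind via PAM without handing out crypt hashes, the indexes and 'allow bind_v2' from Claus's list, and the schema includes automatic mode needs. The suffix o=example.com, the group cn=proxyagents, the file paths and the schema file names are assumptions; the exact placement of the allop overlay is documented in that overlay's own README, not here.

```conf
# Added example, not from the thread. Suffix, DNs and paths are assumptions.

include    /opt/csw/etc/openldap/schema/core.schema
include    /opt/csw/etc/openldap/schema/cosine.schema
include    /opt/csw/etc/openldap/schema/nis.schema
# Only needed for ldapclient's automatic mode: the nisDomain definitions
# (the attachment referred to above) and DUAConfigProfile (from nss_ldap).
include    /opt/csw/etc/openldap/schema/solaris.schema
include    /opt/csw/etc/openldap/schema/DUAConfigProfile.schema

# Solaris 8 clients still bind with LDAPv2.
allow      bind_v2

# Only relevant when clients use the "shadow"-style scheme without PAM;
# with pam_ldap binding as the user, the server never needs {CRYPT}.
password-hash {CRYPT}

modulepath /opt/csw/libexec/openldap
moduleload back_bdb.la
# allop (2.4; patched onto 2.3) makes a base search of "" return
# namingContexts unasked, which is what automatic mode expects.
moduleload allop.la

database   bdb
suffix     "o=example.com"
rootdn     "cn=Manager,o=example.com"
rootpw     {SSHA}replace-with-slappasswd-output
directory  /var/opt/csw/openldap-data

# Keep the server-wide default instead of 'sizelimit unlimited' ...
sizelimit  500
# ... and lift it only for members of the proxy-agent group.
# Selector syntax: group[/objectClass[/attribute]]=<dn>; the defaults
# are groupOfNames/member, so cn=proxyagent must be a 'member' of this entry.
limits     group="cn=proxyagents,ou=profile,o=example.com" size=unlimited time=unlimited

# Instead of 'by * read' on userPassword: users may bind (anonymous auth)
# and change their own hash; nobody else gets to read crypt hashes.
# The group line is needed only for the no-PAM (shadow-style) scheme,
# where the proxy agent must read userPassword on the clients' behalf.
access to attrs=userPassword
    by self write
    by anonymous auth
    by group.exact="cn=proxyagents,ou=profile,o=example.com" read
    by * none
access to *
    by * read

# Indexes for the attributes nss_ldap / the Solaris client search on.
index objectClass  eq
index cn,sn,uid    pres,eq,approx,sub
index memberUid    eq,pres
index uniqueMember eq,pres
index uidNumber    eq,pres
index gidNumber    eq,pres
```

Check the ACL before relying on it: 'by * none' must come last, because slapd stops at the first matching 'by' clause, so a 'by * read' placed before 'by anonymous auth' (as in the fragment quoted above) gives every bind DN, anonymous included, the hashes and never reaches the 'auth' clause.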