
Re: configuring Solaris 8 pre-installed LDAP as NIS replacement?



Here it goes.

First apply the patch below to OpenLDAP.  This patch allows OpenLDAP to
return all root DSE attributes without explicitly specifying an
attribute list in a query.  Kurt, please let me know if I am missing
something.

--- servers/slapd/result.c.orig	Fri Sep  8 12:59:11 2000
+++ servers/slapd/result.c	Fri Sep  8 18:38:50 2000
@@ -628,8 +628,10 @@
 			/* all addrs request, skip operational attributes */
 			if( is_at_operational( desc->ad_type ) )
 			{
-				continue;
-			}
+				if (strcasecmp( e->e_dn, LDAP_ROOT_DSE )) {
+					continue;
+				}
+			} 
 
 		} else {
 			/* specific addrs requested */
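Review bot: the comment just above the changed lines, `/* all addrs request, skip operational attributes */`, is now wrong for the root DSE, which this hunk deliberately stops skipping; reword it to something like `/* all attrs request: skip operational attributes, except on the root DSE */` so a later cleanup does not restore the unconditional `continue`. The test `if (strcasecmp( e->e_dn, LDAP_ROOT_DSE ))` also reads as a bare truthiness check on a comparison result; write `!= 0` to make the "DN is not the root DSE" meaning explicit, and since this is a DN comparison it is better made against the entry's normalized DN (`e->e_ndn`) than against the presentation form in `e_dn`.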
@@ -700,7 +702,9 @@
 		if ( attrs == NULL ) {
 			/* all addrs request, skip operational attributes */
 			if( is_at_operational( desc->ad_type ) ) {
-				continue;
+				if (strcasecmp( e->e_dn, LDAP_ROOT_DSE )) {
+					continue;
+				}
 			}
 
 		} else {
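Review bot: this is a second copy of the root DSE test from the hunk at -628 above, so the two attribute loops can now drift apart; compute the answer once before the loops, e.g. `int is_root_dse = strcasecmp( e->e_dn, LDAP_ROOT_DSE ) == 0;`, and test `is_root_dse` in both places instead of repeating the string compare for every attribute. The `skip operational attributes` comment on the line above the `if` is stale here for the same reason as in the first hunk.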

------------------------------------------------

Add the following schema to your OpenLDAP config:

# solaris.schema
# Work in progress and incomplete.
# It would help if sun would publish this information! 
# If you have any comments/suggestion/correction
# please let me know (igor@ipass.net)

attributetype ( 1.3.6.1.4.1.TBD.1.1.12 SUP name
	NAME 'nisDomain' )

objectclass ( 1.3.6.1.4.1.TBD.1.4.2
	NAME 'nisDomainObject'
	SUP top AUXILIARY
	MUST ( nisDomain ) )

# Below is optional unless you want to use ldap_gen_profile
attributetype ( 1.3.6.1.4.1.TBD.1.1.1 SUP name
	NAME 'SolarisBindDN'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.2 SUP name
	NAME 'SolarisBindPassword'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.3 SUP name
	NAME 'SolarisLDAPServers'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.4 SUP name
	NAME 'SolarisSearchBaseDN'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.5 SUP name
	NAME 'SolarisAuthMethod'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.6 SUP name
	NAME 'SolarisTransportSecurity'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.7 SUP name
	NAME 'SolarisSearchReferral'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.8 SUP name
	NAME 'SolarisDataSearchDN'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.9 SUP name
	NAME 'SolarisSearchScope'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.10 
	NAME 'SolarisSearchTimeLimit'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.11 
	NAME 'SolarisCacheTTL'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.TBD.1.4.1
	NAME 'SolarisNamingProfile'
	DESC 'Solaris LDAP NSS Profile'
	SUP top AUXILIARY
	MUST ( cn $ SolarisLDAPServers )
	MAY	( SolarisBindDN $ SolarisBindPassword $ 
		SolarisSearchBaseDN $ SolarisAuthMethod $
		SolarisTransportSecurity $ SolarisSearchReferral $
		SolarisDataSearchDN $ SolarisSearchScope $
		SolarisSearchTimeLimit $ SolarisCacheTTL ) )


# End of solaris.schema

-----------------------------------------------------

The nisDomainObject object must be added to the root DN:
dn: dc=example,dc=com
objectclass: nisDomainObject
nisDomain: example.com

------------------------------------------------------
Run ldapclient
# ldapclient -i -d example.com -b dc=example,dc=com <ldap servers>

Check "man ldapclient" for more info.  You may need to pass -a -D -w

OR  -------------------

Profile use:
Add to ldap directory:
dn: ou=Profile,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Profile

ldap_gen_profile -P eng -d example.com -b dc=example,dc=com <ldap servers> | \
ldapadd
Again, you may need to pass -a -D -w
ldapclient -P eng -d example.com <ldap servers>
------------------------------------------------------
Double check /etc/nsswitch.conf.

If you use LDAP for groups, make sure to add userPassword (ex. userPassword:
{crypt}*) to (objectclass=posixGroup) entries.  Otherwise nscd will crash
and, trust me, you want nscd to work.

Be careful with pam_ldap.  Service names need to look similar to
other   auth required     /usr/lib/security/$ISA/pam_unix.so.1
other   auth sufficient   /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
The man pages suggest
other   auth sufficient   /usr/lib/security/$ISA/pam_unix.so.1
other   auth required     /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
which will make your system open for public use.

I think that this is it...

Good luck.

-Igor
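A small linter for the schema file above, added here as an example and not part of Igor's post or of OpenLDAP: it parses attributetype/objectclass definitions in file order, the order in which slapd resolves them, and reports the placeholder TBD OIDs, any duplicate OID or name, and any SUP/MUST/MAY reference to a name that has not been defined yet. The embedded schema text is a constructed sample based on the fragment in the post, with the SolarisBindPassword definition left out on purpose so one dangling reference shows up; the set of core-schema names it treats as already known is an assumption.

```python
"""Lint an OpenLDAP slapd schema fragment (attributetype/objectclass definitions)
before pointing slapd.conf at it: slapd rejects dangling references and placeholder OIDs."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (code, definition name, detail)

# Names core.schema already provides. Assumption: core.schema is included
# before the file under test, as it normally is in slapd.conf.
CORE_ATTRIBUTES = {"cn", "name", "ou", "description", "objectclass", "userpassword"}
CORE_OBJECTCLASSES = {"top"}

DEF_SPLIT_RE = re.compile(r"^(attributetype|objectclass)\b", re.I | re.M)
NAME_RE = re.compile(r"\bNAME\s+(?:'[^']*'|\((?:\s*'[^']*')+\s*\))")
NUMERIC_OID_RE = re.compile(r"^\d+(?:\.\d+)+$")

# Constructed sample based on the solaris.schema fragment in the post: TBD OIDs kept
# as posted, SolarisBindPassword deliberately left out to create a dangling MAY reference.
SOLARIS_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.TBD.1.1.12 SUP name
    NAME 'nisDomain' )
objectclass ( 1.3.6.1.4.1.TBD.1.4.2
    NAME 'nisDomainObject'
    SUP top AUXILIARY
    MUST ( nisDomain ) )
attributetype ( 1.3.6.1.4.1.TBD.1.1.3 SUP name
    NAME 'SolarisLDAPServers'
    SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.TBD.1.1.10
    NAME 'SolarisSearchTimeLimit'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.TBD.1.4.1
    NAME 'SolarisNamingProfile'
    DESC 'Solaris LDAP NSS Profile'
    SUP top AUXILIARY
    MUST ( cn $ SolarisLDAPServers )
    MAY ( SolarisBindPassword $ SolarisSearchTimeLimit ) )
"""


def _keyword_list(body: str, keyword: str) -> List[str]:
    """Identifiers after KEYWORD, written either as `KW x` or `KW ( x $ y )`."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w.;-]+))" % keyword, body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [tok.strip() for tok in raw.split("$") if tok.strip()]


def parse_schema(text: str) -> List[Dict]:
    """Split a schema file into definitions in file order; slapd resolves
    references in that order, so a forward reference is an error."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    parts = DEF_SPLIT_RE.split(body)  # [preamble, kind, def, kind, def, ...]
    defs = []
    for kind, chunk in zip(parts[1::2], parts[2::2]):
        inner = chunk[chunk.index("(") + 1 : chunk.rindex(")")]
        m = NAME_RE.search(inner)
        defs.append({
            "kind": kind.lower(),
            "oid": inner.split()[0],
            "names": re.findall(r"'([^']*)'", m.group(0)) if m else [],
            "sup": _keyword_list(inner, "SUP"),
            "must": _keyword_list(inner, "MUST"),
            "may": _keyword_list(inner, "MAY"),
            "has_syntax": re.search(r"\bSYNTAX\b", inner) is not None,
        })
    return defs


def lint_schema(text: str, core_attrs=CORE_ATTRIBUTES, core_classes=CORE_OBJECTCLASSES) -> List[Finding]:
    """Report placeholder OIDs, duplicate OIDs or names, and unresolved references."""
    attrs = {a.lower() for a in core_attrs}
    classes = {c.lower() for c in core_classes}
    seen_oids: Dict[str, str] = {}
    seen_names: Dict[str, str] = {}
    findings: List[Finding] = []
    for d in parse_schema(text):
        label = d["names"][0] if d["names"] else d["oid"]
        if not NUMERIC_OID_RE.match(d["oid"]):
            findings.append(("placeholder-oid", label, d["oid"]))
        if d["oid"] in seen_oids:
            findings.append(("duplicate-oid", label, "also used by " + seen_oids[d["oid"]]))
        seen_oids[d["oid"]] = label
        for n in d["names"]:
            if n.lower() in seen_names:
                findings.append(("duplicate-name", label, "also defined by " + seen_names[n.lower()]))
            seen_names[n.lower()] = label
        if d["kind"] == "attributetype":
            if not d["sup"] and not d["has_syntax"]:
                findings.append(("no-syntax", label, "attribute needs SUP or SYNTAX"))
            findings += [("unknown-attribute", label, "SUP " + s) for s in d["sup"] if s.lower() not in attrs]
            attrs.update(n.lower() for n in d["names"])  # visible to later definitions only
        else:
            findings += [("unknown-objectclass", label, "SUP " + s) for s in d["sup"] if s.lower() not in classes]
            for kw in ("must", "may"):
                findings += [("unknown-attribute", label, f"{kw.upper()} {a}") for a in d[kw] if a.lower() not in attrs]
            classes.update(n.lower() for n in d["names"])
    return findings


if __name__ == "__main__":
    for code, name, detail in lint_schema(SOLARIS_SCHEMA):
        print(f"{code:20} {name:24} {detail}")
```

Run it against the schema file before adding an `include` line for it to slapd.conf: a non-empty result means either the file still carries placeholder OIDs and is not ready to load, or it references a name that slapd will not know at that point in the file and will reject at startup. Moving a definition below the objectclass that uses it is still reported, because slapd reads the file top to bottom.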

On Tue, 12 Sep 2000, Donald Hudson wrote:

> Date: Tue, 12 Sep 2000 12:19:55 -0700
> From: Donald Hudson <donh@ejasent.com>
> To: openldap-general@OpenLDAP.org
> Subject: configuring Solaris 8 pre-installed LDAP as NIS replacement?
> 
> Has anyone successfully pulled together the information necessary to set
> up a directory to work as a NIS replacement for Solaris 8 clients using
> the "pre-installed" ldap support?  Solaris 8 appears to come
> pre-installed with the necessary modules (nss_ldap, pam_ldap) to use
> LDAP as a replacement for NIS, but documentation for setting it up seems
> to be almost non-existent!
> 
> To start with, I've run into schema issues.  Their client
> configuration utility "ldapclient", which is supposed to be the way to
> quickly configure a client for LDAP replacement of NIS, looks for a
> "nisDomainObject", which I was unable to find in the current set of
> nis/rfc2307 defs.  I did eventually locate a copy of Luke's 2307bis
> draft with the additional defs (though that was difficult, as it
> appears to have expired and been dropped from the IETF site), so I was
> able to add the missing classes and attributes by hand.
> 
> If I run their "ldap_gen_profile", which is supposed to create an LDIF
> file that can be used to set up an LDAP entry that client machines can then
> use when being configured for LDAP support, I see another set of
> objects and attributes (SolarisNamingProfile, SolarisLDAPServers,
> SolarisSearchBaseDN, etc.)  that also don't appear to be in the schemas
> known to either the OpenLDAP server or the Netscape Directory Server.
> Anyone know where I can find the Solaris schema?
> 
> Also, one side note about schema conflicts that I noticed when searching
> through the schemas.  RFC2307(bis) defines "nisMap" as .2.9, and appears
> to skip .2.13 in the list of class definitions.  Netscape's server
> appears to define .2.9 as "automount" (noting that it is deprecated),
> and defines .2.13 as "nisMap".
> 
> Anyhow, if anyone out there has been through this same headache of
> trying to set up a Solaris 8 ldap client with the pre-installed software
> and can post a few details on how to do it, I'm sure it will be
> appreciated by more than just me.
> 
> Donald Hudson
> donh@ejasent.com
>