
Barebone Solaris NS using OpenLdap



Hello,

Sorry if this is not the correct place to post a solution but this is 
where I have turned for help in the past.  If someone finds themself in a 
position where they, "need to get a Solaris machine using an OpenLdap 
directory to get name service information," this document will cover the 
exact problems I faced as well as my (very special newb) way of fixing 
them.

As always, I am here to learn, so all of your criticism (positive and 
negative) is greatly invited and appreciated.

Before you invest any more time reading this email please be aware that 
the ideas expressed below could very well be the most obvious thing in the 
world to you.

If you are bored, "page down" with you, text follows.

Thank you,

Caylan Van Larson
Unix Administrator - Systems Team Member
University of North Dakota (Aerospace College)
caylan@cs.und.edu
701-777-6151 (work)





Barebone Solaris NS using OpenLDAP
==================================

Author: Caylan Van Larson
Date: 10/21/02

==================================

I have started working on getting ldap nss working on Solaris 8.  The 
machine is a Sun Enterprise 450.  I am writing this as I work so let's 
hope I get it working.

I do not need to get authentication working on this machine as it is a NFS 
file server and I only need to use edquota, etc.

I spent about 10 minutes trying to get the native ldap client to work and 
gave up after reading some horrible Sun documentation that just blew smoke.

I downloaded the latest (stable) release of openldap to slurpy using wget.  
I then scp'ed the tarball over, unpacked it and ran the following.

./configure --with-tls --without-cyrus-sasl

No luck, bad compiler issues.  I uninstalled gcc 3.0 using pkgrm and 
installed gcc 3.2.  I got the same error but noticed that configure was 
looking in /usr/ucb/ for a compiler and found one called "cc."  I moved 
the file cc to cc.old temporarily to get configure to work and use the 
new gcc.  We will move cc.old back to cc when finished.

./configure --with-tls --without-cyrus-sasl

Went through fine but could not find tls libraries.  That's easy, just pass 
them along via env vars.

CPPFLAGS="-I/usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib" \
	./configure --with-tls --without-cyrus-sasl

Note: That is one whole command.

That did the trick for ssl but now I was getting

--SNIP
checking for db... no
checking for GDBM library... checking for gdbm_open... no
checking for gdbm_open in -lgdbm... no
checking for gdbm.h... no
checking for db... no
configure: warning: could not find suitable LDBM backend
configure: error: select appropriate LDBM options or disable
--SNAP

The LDBM is for the slapd server not the client.  We do not need or want 
the server on sirius.  So let's try to disable LDBM.

CPPFLAGS="-I/usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib" \
	./configure --with-tls --without-cyrus-sasl --disable-ldbm

But then I got the error:
	checking configure arguments... configure: error: slapd requires a backend

Hmm, nice.  Let's try to disable slapd.

CPPFLAGS="-I/usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib" \
	./configure --with-tls --without-cyrus-sasl --disable-slapd --disable-ldbm

Ran it...

--SNIP
[...]
creating contrib/Makefile
creating contrib/saucer/Makefile
creating include/portable.h
creating include/ldap_features.h
creating include/lber_types.h
Please "make depend" to build dependencies
--SNAP

Good!  I ran "make depend."
Still looking good.  I ran "make."

... Still going...

Caylan Thinks, "Why does something so simple have to be so terribly complex?"

... Still compiling...

Caylan Thinks, "I sure hope this works and it does not give an error!"

... 20 Years later, still compiling...

Ok, done.  No errors yet.

I run "make install."

Ok, everything is good to go, however when you run "ldapsearch" you are 
actually running the one within /usr/bin.  You have to remove the Solaris 
ldap client utilities using pkgrm.  After that you can try running 
ldapsearch from /usr/local/bin/ldapsearch but it errors out saying it can 
not find the libraries.  You can use the command ldd to check the 
connections to the specific libraries.

--SNIP
bash-2.03# pwd
/usr/local/bin
bash-2.03# ldd ldapsearch
        libssl.so.0.9.6 =>       (file not found)
        libcrypto.so.0.9.6 =>    (file not found)
        libresolv.so.2 =>        /usr/lib/libresolv.so.2
        libgen.so.1 =>   /usr/lib/libgen.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        /usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1
--SNAP

Notice the libssl and libcrypto are not found.  This is because Solaris is 
only looking in /usr/lib (I am just guessing).  A good, clean (and fun) 
search on google using the search terms "ldconfig solaris" gave me this 
document.

http://216.239.51.100/search?q=cache:WOC51vQ_gT0C:www.sunmanagers.org/pipermail/sunmanagers/2002-April/012729.html+ldconfig+solaris&hl=en&ie=UTF-8
or
http://www.sunmanagers.org/pipermail/sunmanagers/2002-April/012729.html

So I am now going to try to get Solaris to look in /usr/local/ssl/lib for 
its libraries.

After much troubleshooting I got this to work!

--SNIP
bash-2.03# crle -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib
bash-2.03# ldd ldapsearch
        libssl.so.0.9.6 =>       /usr/local/ssl/lib/libssl.so.0.9.6
        libcrypto.so.0.9.6 =>    /usr/local/ssl/lib/libcrypto.so.0.9.6
        libresolv.so.2 =>        /usr/lib//libresolv.so.2
        libgen.so.1 =>   /usr/lib//libgen.so.1
        libnsl.so.1 =>   /usr/lib//libnsl.so.1
        libsocket.so.1 =>        /usr/lib//libsocket.so.1
        libdl.so.1 =>    /usr/lib//libdl.so.1
        libc.so.1 =>     /usr/lib//libc.so.1
        libmp.so.2 =>    /usr/lib//libmp.so.2
        /usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1
--SNAP

Pretty snazzy.

Ok, I then did this:

--SNIP
cd /etc
scp caylan@betamax:/etc/ldap.conf .
ENTERED PW
--SNAP

But I kept getting errors:

--SNIP
bash-2.03# ./ldapsearch -h ldap.aero.und.edu uid=caylan
version: 2

#
# filter: uid=caylan
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
--SNAP

I noticed that this command would work:

--SNIP
bash-2.03# ./ldapsearch -LLL -b dc=aero,dc=und,dc=edu -h ldap.aero.und.edu uid=caylan dn
dn: cn=caylan,ou=CompSci,ou=Students,ou=People,dc=aero,dc=und,dc=edu
--SNAP

So it was not getting the right config.  EUREKA!

--SNIP
bash-2.03# ls -l /usr/local/etc/openldap/ldap.conf
-rw-r--r--   1 root     other        337 Oct 16 16:57 /usr/local/etc/openldap/ldap.conf
bash-2.03# ls -l /etc/ldap.conf
-rw-r--r--   1 root     root        4072 Oct 16 17:01 /etc/ldap.conf
--SNAP

When you run ldapsearch it looks at /usr/local/etc/openldap/ldap.conf for 
its configuration.  Note how we put our config in /etc.

Duh... :)

Here's what I did to fix it:

--SNIP
bash-2.03# cd /etc/
bash-2.03# cp /etc/ldap.conf /usr/local/etc/openldap/ldap.conf
bash-2.03# rm /etc/ldap.conf
bash-2.03# ln -s /usr/local/etc/openldap/ .
bash-2.03# ln -s /usr/local/etc/openldap/ldap.conf .
bash-2.03# ls -l ldap.conf
lrwxrwxrwx   1 root     other         33 Oct 16 17:31 ldap.conf -> /usr/local/etc/openldap/ldap.conf
bash-2.03# ls -l openldap
lrwxrwxrwx   1 root     other         23 Oct 16 17:31 openldap -> /usr/local/etc/openldap
--SNAP

Now our ldapsearch command should be provided with some nice configs.

--SNIP
bash-2.03# /usr/local/bin/ldapsearch -LLL uid=caylan dn
dn: cn=caylan,ou=CompSci,ou=Students,ou=People,dc=aero,dc=und,dc=edu
--SNAP

Good.  So let's get the nss stuff working.

"id"s were still not working so I decided to recompile nss-ldap.

Now that I removed the Solaris ldap client libraries nss-ldap complained:

--SNIP
configure: error: could not locate a valid LDAP library
--SNAP

***NOTE***
I have stopped working at 6:00pm (10/16/02).
I have started working on this again at 11:30pm (10/16/02).
This is so you know why I have not emailed you earlier.
***END NOTE***

I checked the config.log file to see what was failing when it was trying 
to get the above valid "LDAP library."

Here is a sample from that file as well as some commands that I did to 
test what was happening.

--SNIP
configure:8402: checking for main in -lldap
configure:8429: gcc -o conftest -g -O2 -Wall -fPIC  -D_REENTRANT -I/usr/local/include  -L/usr/local/lib -R/usr/local/lib conftest.c -lldap -llber -ldl -lnsl -lresolv  -llber -ldl -lnsl -lresolv  >&5
cc1: warning: changing search order for system directory "/usr/local/include"
cc1: warning:   as it has already been specified as a non-system directory
ld: warning: file libssl.so.0.9.6: required by /usr/local/lib/libldap.so, not found
ld: warning: file libcrypto.so.0.9.6: required by /usr/local/lib/libldap.so, not found
--SNAP

That's weird that ld does not find the libraries but ldd does.  I emailed 
Andy for any advice earlier this evening and I am awaiting a response.

Since the error is only with 2 libraries I am just going to make a link 
from the libraries in /usr/local/ssl/lib to /usr/lib.  That way everything 
should be good to go.

Doing this allowed the ./configure to go through but it got hung up on the 
actual make.

--SNIP
[00:23am][root@sirius:/usr/local/src/nss_ldap-202]$ /usr/ccs/bin/ld  -o \
	nss_ldap.so  -Bdynamic -M ./exports.solaris -G ldap-nss.o ldap-pwd.o \
	ldap-grp.o ldap-rpc.o ldap-hosts.o ldap-network.o ldap-proto.o ldap-spwd.o \
	ldap-alias.o ldap-service.o ldap-schema.o ldap-ethers.o ldap-bp.o util.o \
	globals.o ltf.o snprintf.o resolve.o dnsconfig.o irs-nss.o sasl.o \
	pagectrl.o  -lldap -llber -ldl -lnsl -lresolv
ld: fatal: library -llber: not found
ld: fatal: File processing errors. No output written to nss_ldap.so
--SNAP

***NOTE***
I have stopped working at 12:30am (10/17/02).
I have started working on this again at 9:00am (10/21/02)
This is so you know why I have not emailed you earlier.
***END NOTE***

So.  nss-ldap can not find liblber.  I checked out agassiz and confirmed 
that lib/(ldap/lber) exist in /usr/lib and /usr/local/lib identically.  I 
finally decided to break down and copy the following files.

cp /usr/local/lib/libldap* /usr/lib/
cp /usr/local/lib/liblber* /usr/lib/

and run make.  All went well and a `make install` leads me to:

--SNIP
[10:05am][root@sirius:/usr/local/src/nss_ldap-202]$ id lundeby
uid=3947(lundeby) gid=1003(scc)
[10:05am][root@sirius:/usr/local/src/nss_ldap-202]$ id copp
uid=1246(copp) gid=1003(scc)
--SNAP

Looks like name services are working on Solaris.  Having this guide to 
show you the pitfalls of compiling ldap related modules should come in handy.

Let's not forget to move /usr/ucb/cc.old to /usr/ucb/cc.  Also, copy the 
necessary certificates to the proper location as well as the cert7.db.

Thanks,


Caylan Van Larson
Unix Administrator - Systems Team Member
University of North Dakota (Aerospace College)
caylan@cs.und.edu
701-777-6151 (work)
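
The ldd check before and after crle in the post above can be scripted so that both unresolved libraries and libraries resolved from outside the intended directories are reported. This is an added example, not part of the original post: the function names audit_ldd, sample_before and sample_after are hypothetical, and the last line of the second sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_ldd DIRS: read `ldd` output on stdin and print one verdict per library.
#   MISSING     the runtime linker could not resolve it ("file not found")
#   OK          resolved inside one of the space-separated DIRS
#   UNEXPECTED  resolved, but from a directory that is not in DIRS
# Returns 0 only if every library is OK.
audit_ldd() {
    awk -v dirs="$1" '
    BEGIN { n = split(dirs, allow, " "); bad = 0 }
    $2 != "=>" { next }                       # skip lines without "name => path"
    /file not found/ { print "MISSING", $1; bad = 1; next }
    {
        path = $3
        gsub("/+", "/", path)                 # the post shows /usr/lib//libc.so.1
        dir = path
        sub("/[^/]*$", "", dir)               # strip the file name
        ok = 0
        for (i = 1; i <= n; i++) if (dir == allow[i]) ok = 1
        if (ok) print "OK", $1, path
        else { print "UNEXPECTED", $1, path; bad = 1 }
    }
    END { exit bad }'
}

# Lines copied from the ldd output in the post, before crle was run.
sample_before() {
    cat <<'EOF'
        libssl.so.0.9.6 =>       (file not found)
        libcrypto.so.0.9.6 =>    (file not found)
        libc.so.1 =>     /usr/lib/libc.so.1
        /usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1
EOF
}

# After crle; the last line is constructed to show the UNEXPECTED verdict.
sample_after() {
    cat <<'EOF'
        libssl.so.0.9.6 =>       /usr/local/ssl/lib/libssl.so.0.9.6
        libcrypto.so.0.9.6 =>    /usr/local/ssl/lib/libcrypto.so.0.9.6
        libc.so.1 =>     /usr/lib//libc.so.1
        liblber.so.2 =>  /export/home/build/lib/liblber.so.2
EOF
}

DIRS="/usr/lib /usr/local/lib /usr/local/ssl/lib"   # the list passed to crle -l
sample_before | audit_ldd "$DIRS" || echo "before crle: not clean"
sample_after  | audit_ldd "$DIRS" || echo "after crle: not clean"
```

On a live system the same function takes real input, for example `ldd /usr/local/bin/ldapsearch | audit_ldd "$DIRS"`.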