
Re: Configuring Solaris 8 clients



It looks like your /var/ldap/ldap_client_cred file lacks the NS_LDAP_BINDDN_PASSWD. The solaris client can only bind as an anonymous user. In fact your ldap_client_file states that with NS_LDAP_AUTH=NS_LDAP_AUTH_NONE. If you allow anonymous searching and reading of your ldap directory, then that's fine, not safe but fine. However, if you have an ACL like

access to *
	by users	read
	by *		none

then the solaris client can't bind to the ldap server.

The NS_LDAP_BINDDN_PASSWD={NS1}.... is a crypt password under solaris 8. It is either fetched from the solaris profile stored under your directory tree as

dn: cn=profile_name,ou=Profile,dc=amath,dc=unc,dc=edu
SolarisBindDN: cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu
SolarisBindPassword: {NS1}...
SolarisLDAPServers: ...

The ldif for the above is generated by the ldap_gen_profile. The profile will be fetched by the solaris client via

ldapclient -P profile_name -d amath.unc.edu ip.of.ldap.server

And will store the required info under

	/var/ldap/ldap_client_cred
	/var/ldap/ldap_client_file

The NS_LDAP_BINDDN_PASSWD can also be generated by ldapclient command

ldapclient -i -a simple -b dc=amath,dc=unc,dc=edu -d amath.unc.edu -D cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu -w "some password" ip.of.ldap.server

The client will then initialize itself without fetching a profile from the ldap server. Again, this will store the required info under ldap_client_cred (where NS_LDAP_BINDDN_PASSWD will be along with NS_LDAP_BINDDN) and ldap_client_file.

You then need to have an actual proxy user in your ldap DIT. I'm sure you have that, but make sure you generate the password via

	slappasswd -h {CRYPT} -w "some password"

and cut and paste the generated password into the userPassword: field for cn=solaris,ou=ldapusers,...

Check to see if you can bind as that user first

ldapsearch -x -D 'cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu' -w "some password" 'objectClass=*'

If that works and you get a dump of your DIT (assuming ACLs permit it) then your solaris client should be able to connect.

On solaris 8 and solaris 9 the login process _does_ use pam. One thing that might work is to change the stacking for login under pam.conf

login auth sufficient	/usr/lib/security/$ISA/pam_unix.so.1
login auth required	/usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass

This will set the order for login to first check traditional unix systems (getpwent, etc.) and then switch to ldap if the first method fails. The use_first_pass tells the stack to use the password first given by the user, that is don't ask for it again.

HTH

On Thursday, March 27, 2003, at 12:16 AM, Matthew Mauzy wrote:

Thanks for the examples but I'm still not able to configure solaris 8 as a client of the openldap 2.1.12 server.

Here's my /var/ldap/ldap_client_file

NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 152.2.104.6:389
NS_LDAP_SEARCH_BASEDN= dc=amath,dc=unc,dc=edu
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_NOREF
NS_LDAP_DOMAIN= amath.unc.edu
NS_LDAP_EXP= 1045640377
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=amath,dc=unc,dc=edu), group:(ou=People,dc=amath,dc=unc,dc=edu)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30


Here's my /var/ldap/ldap_client_cred

NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu


I've edited /etc/nsswitch.conf to place ldap into the passwd, group, hosts, etc., but when I run listusers all I get are the local users.


My questions:

- For the BINDDN, don't I need the password? When adding that 'user' into the LDAP dir, why is it that the NS_LDAP_BINDDN_PASSWD has the {NS1} stuff?

- Would upgrading to openLDAP 2.1.16 solve any of these problems?


For Solaris 9 I've run the ldapclient command that you supplied (with proper alterations for my LDAP system) and am able to get all of the LDAP users with listusers (yah!), but when I try and login to one of the LDAP accounts I get incorrect password errors. I can su - <ldap account> so I'm getting proper info from the LDAP server. Is this a PAM problem???


Thanks again to everyone who sent suggestions and responses to my earlier email.

--Matthew

--On Wednesday, March 26, 2003 12:29 AM -0800 Quanah Gibson-Mount <quanah@stanford.edu> wrote:



--On Wednesday, March 26, 2003 9:14 AM +0100 Ramon Corominas
<rcorominas@citec.es> wrote:

Hi,

Where can I get documentation about configuring solaris clients ?

Thanks in advance,


Ramon,

I got it working in Solaris 9 in the following fashion:

To set up a Solaris 9 machine for LDAP instead of NIS, one simply needs
to do the following:


edit /etc/nsswitch.ldap

Change the hosts: line from
hosts: ldap [blah.....] files
to
hosts: files dns

and then run this command:

ldapclient manual -a authenticationMethod=none \
	-a defaultSearchBase=dc=stanford,dc=edu \
	-a defaultServerList="ldap-test1.Stanford.EDU" \
	-a domainName="stanford.edu" \
	-a followReferrals=false \
	-a serviceSearchDescriptor=passwd:cn=accounts,dc=stanford,dc=edu\?sub \
	-a serviceSearchDescriptor=group:cn=accounts,dc=stanford,dc=edu\?sub


Of course, this only works for Stanford, but it gives you an idea how to
configure it.




For Solaris 8:

1. Create /var/ldap/ldap_client_file
#
# Do not edit this file manually; your changes will be lost. Please use
# ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 172.24.14.237:389
NS_LDAP_SEARCH_BASEDN= dc=stanford,dc=edu
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_NOREF
NS_LDAP_DOMAIN= stanford.edu
NS_LDAP_EXP= 1045640377
NS_LDAP_SEARCH_DN= passwd:(cn=accounts,dc=stanford,dc=edu), group:(cn=accounts,dc=stanford,dc=edu)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30


2. Create /var/ldap/ldap_client_cred:
#
# Do not edit this file manually; your changes will be lost. Please use
# ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=accounts,dc=stanford,dc=edu

3. Edit /etc/nsswitch.conf so the passwd: line to read:

passwd: files ldap


4. tests:

/usr/bin/listusers


--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html



__________________________________________________________________
                       Matthew W. Mauzy
                     Systems Administrator
                     Applied Math @ UNC-CH
email : mauzy@amath.unc.edu           pager : mpager@amath.unc.edu
(W) 919.962.9819   www.amath.unc.edu/~mauzy/   (P) 919.347.0390
__________________________________________________________________



John Kloss <jkloss@sapiens.wustl.edu> System Administrator, Database Administrator, Programmer

Gish Lab, Genome Sequencing Center
Washington University . . . in St. Louis
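The mismatch John diagnoses above (a bind DN in ldap_client_cred with no NS_LDAP_BINDDN_PASSWD, while ldap_client_file still says NS_LDAP_AUTH_NONE) is easy to spot mechanically. The script below is an added example, not code from the thread or from Sun's ldapclient tool: it reads the two files ldapclient writes, reports whether the client actually has what it needs to bind, and warns when a simple bind is configured over NS_LDAP_SEC_NONE, which puts the proxy password on the wire in the clear. The value names NS_LDAP_AUTH_NONE, NS_LDAP_AUTH_SIMPLE and NS_LDAP_SEC_NONE are assumed to be the ones Solaris 8 writes; the two sample configurations, the 192.0.2.10 address and the dc=example,dc=edu tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check the NS_LDAP_* files ldapclient(1M) writes on a
# Solaris 8 client.  Not part of the thread or of Solaris; the sample files
# written by write_samples are constructed for this demonstration.

# ns_get FILE KEY: print the value of the first "KEY= value" line, or nothing.
ns_get() {
    sed -n "s/^$2= *//p" "$1" | head -n 1
}

# check_ldap_client CLIENT_FILE CRED_FILE
# Prints one finding per line.  Returns 0 when the client has what it needs
# to bind as configured, 1 when it does not.  Assumes the Solaris 8 value
# names NS_LDAP_AUTH_NONE / NS_LDAP_AUTH_SIMPLE / NS_LDAP_SEC_NONE.
check_ldap_client() {
    auth=$(ns_get "$1" NS_LDAP_AUTH)
    sec=$(ns_get "$1" NS_LDAP_TRANSPORT_SEC)
    binddn=$(ns_get "$2" NS_LDAP_BINDDN)
    bindpw=$(ns_get "$2" NS_LDAP_BINDDN_PASSWD)
    status=0
    case "$auth" in
    NS_LDAP_AUTH_NONE)
        echo "INFO: NS_LDAP_AUTH_NONE: client binds anonymously; the directory ACL must grant anonymous read on the passwd/group entries"
        if [ -n "$binddn" ]; then
            echo "FAIL: NS_LDAP_BINDDN is set but NS_LDAP_AUTH is NONE: the DN is never used and no password is stored (re-run ldapclient with -a simple -D ... -w ...)"
            status=1
        fi
        ;;
    NS_LDAP_AUTH_SIMPLE)
        if [ -z "$binddn" ]; then
            echo "FAIL: simple auth without NS_LDAP_BINDDN"
            status=1
        fi
        if [ -z "$bindpw" ]; then
            echo "FAIL: simple auth without NS_LDAP_BINDDN_PASSWD"
            status=1
        fi
        if [ "$sec" = NS_LDAP_SEC_NONE ]; then
            echo "WARN: simple bind with NS_LDAP_SEC_NONE sends the proxy password in the clear on every bind"
        fi
        ;;
    *)
        echo "INFO: NS_LDAP_AUTH='$auth' is not covered by this check"
        ;;
    esac
    return $status
}

# write_samples DIR: two constructed client configurations under DIR:
#   anon/  - the shape of the files posted in the thread (auth NONE, DN, no password)
#   proxy/ - what "ldapclient -a simple -D ... -w ..." leaves behind (DN plus password)
write_samples() {
    mkdir -p "$1/anon" "$1/proxy"
    cat >"$1/anon/ldap_client_file" <<'EOF'
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 192.0.2.10:389
NS_LDAP_SEARCH_BASEDN= dc=example,dc=edu
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
EOF
    cat >"$1/anon/ldap_client_cred" <<'EOF'
NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=example,dc=edu
EOF
    cat >"$1/proxy/ldap_client_file" <<'EOF'
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 192.0.2.10:389
NS_LDAP_SEARCH_BASEDN= dc=example,dc=edu
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
EOF
    cat >"$1/proxy/ldap_client_cred" <<'EOF'
NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=example,dc=edu
NS_LDAP_BINDDN_PASSWD= {NS1}placeholder
EOF
}

# Demo: run the check over both constructed configurations.
SAMPLES=${TMPDIR:-/tmp}/ldapclient-check.$$
write_samples "$SAMPLES"
for d in anon proxy; do
    echo "== $d =="
    if check_ldap_client "$SAMPLES/$d/ldap_client_file" "$SAMPLES/$d/ldap_client_cred"; then
        echo "OK: client can bind as configured"
    fi
done
rm -rf "$SAMPLES"
```

On a real client run it as `check_ldap_client /var/ldap/ldap_client_file /var/ldap/ldap_client_cred`; a FAIL on the anonymous case means the ldapsearch bind test above will work but the client itself never presents those credentials, and the WARN on the proxy case is the reason to move off NS_LDAP_SEC_NONE once the bind works.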