
Re: Server and client setup for connecting Solaris to an openldap server.



Hello James,

>Hello all,
>I have set up a Red Hat Linux box with the Openldap server. I am looking
>to replace our existing NIS infrastructure with Openldap. The majority
>of the clients are Solaris 8 with a third of them being Solaris 10. I
>have been able to connect Red Hat clients to authenticate through LDAP
>but I am having issues with the Solaris client configuration. I see some
>stuff on the net but nothing concrete on how to get this working.

A few caveats with Solaris 10:

1. You need to make changes in /etc/nsswitch.ldap, for this file gets
copied over to /etc/nsswitch.conf once you are using the ldapclient.

It should contain something like:

passwd:     files ldap
group:      files ldap

2. You need to run ldapclient manually once:

I used the following parameters for it (one command, wrapped with
backslashes; the asterisks mask our own values):

ldapclient manual -v \
	-a domainName=********** \
	-a defaultSearchBase=************** \
	-a proxyDN=cn=proxyagent,ou=profile,o=************ \
	-a proxyPassword=************* \
	-a searchTimeLimit=90 \
	-a serviceSearchDescriptor=group:ou=Group,o=************ \
	-a serviceSearchDescriptor=passwd:ou=People,o=*************.com \
	-a defaultSearchScope=sub \
	-a objectclassMap=group:posixGroup=posixGroup \
	-a defaultServerList=127.0.0.1 \
	-a authenticationMethod=simple

That gets you both files in /var/ldap/:
ldap_client_file
ldap_client_cred

3. Then you need to restart the ldap client service
(svc:/network/ldap/client:default).

The client then uses the already created files and does not recreate
them.

4. The slapd.conf should definitely contain:

#that one almost gave me a headache
sizelimit unlimited

#if you are using standard solaris that is.
password-hash {CRYPT}

modulepath      /opt/csw/libexec/openldap
# if you are using berkeley db
moduleload      back_bdb.la

#this enables you to authenticate users via shell
#slapd applies the first "by" clause that matches, so "anonymous auth" has
#to come before "* read"; the other way round anonymous binds could read
#the hashes. "* read" still lets every authenticated user read userPassword;
#a dn.exact="<proxyDN>" read clause followed by "* none" is tighter.
access to attrs=userPassword by self write by anonymous auth by * read

#this is useful for caching
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
index memberUid eq,pres
index uniqueMember eq,pres
index uidNumber eq,pres
index gidNumber eq,pres

#For Solaris 8, I think you also need (could also be necessary for
#Solaris 10, not sure here):
allow bind_v2


>I see
>some sites mention a solaris schema but I have not been able to locate
>that anywhere. Is this something that is possible?

You don't need the Solaris Schema, for the necessary objects are already
included in the nis.schema. 
The information on the net regarding this is outdated.

>I am sure it is but I
>am relatively new to LDAP. Should I be looking at the Solaris native
>LDAP server?

Sun Java Directory Server, you mean? I don't think that anyone here will
advise you to do so.
The server is free, but if you want a support contract, you need to pay
per ldap entry.
Due to budget cuts, that made it a no-go for us.

>I have openldap-servers-2.3.27-8 installed on RHEL4.
>The schemas listed in my slapd.conf are..
>
>include         /etc/openldap/schema/core.schema
>include         /etc/openldap/schema/cosine.schema
>include         /etc/openldap/schema/inetorgperson.schema
>include         /etc/openldap/schema/nis.schema 

Those should be all you need.

You can also configure nscd to really speed things up; if you need help
there, just drop me a mail directly, I do not want to swamp OpenLDAP
people with Solaris internals.

If you need any further help, just ask. We just went through hell and
back to migrate our ldap stuff from netscape 4.16 to openldap 2.3.xx,
and memory is still fresh.

Cheers,

Claus
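Because slapd applies the first matching "by" clause, the clause order of a userPassword ACL decides whether anonymous binds can read password hashes. The checker below is an added example, not code from this thread or from OpenLDAP: it parses an "access to" directive, reports clauses shadowed by an earlier "by *", and compares a shadowed ordering with a tighter one that keeps read access for a placeholder proxy DN (o=EXAMPLE-ORG is assumed) so a Solaris client binding as the proxy agent can still fetch the {CRYPT} hash. It only understands the who-forms self, anonymous, users, * and dn.exact="...".

```python
import re

# OpenLDAP access levels, weakest to strongest; a grant implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_access(line):
    """Split 'access to <what> by <who> <level> ...' into (what, [(who, level), ...])."""
    m = re.match(r"\s*access\s+to\s+(.+?)\s+by\s+(.+)$", line, re.I)
    if not m:
        raise ValueError("not an access directive: " + line)
    clauses = []
    for part in re.split(r"\s+by\s+", m.group(2).strip()):
        who, level = part.rsplit(None, 1)  # <who> must contain no whitespace here
        clauses.append((who, level.lower()))
    return m.group(1), clauses

def matches(who, requester):
    """Does 'by <who>' match a requester ('anonymous', 'self', 'users' or a bind DN)?"""
    if who == "*":
        return True
    if who == "users":
        return requester != "anonymous"
    dn = re.fullmatch(r'dn(?:\.exact)?="([^"]*)"', who)
    return dn.group(1) == requester if dn else who == requester

def effective_level(clauses, requester):
    """slapd applies the first matching 'by' clause; no match means 'none'."""
    for who, level in clauses:
        if matches(who, requester):
            return level
    return "none"

def audit_password_acl(line):
    """Findings for an ACL guarding userPassword; an empty list means it looks fine."""
    what, clauses = parse_access(line)
    findings = []
    stars = [i for i, (who, _) in enumerate(clauses) if who == "*"]
    for who, level in (clauses[stars[0] + 1:] if stars else []):
        findings.append(f"unreachable clause 'by {who} {level}': it follows 'by *'")
    anon = effective_level(clauses, "anonymous")
    if LEVELS.index(anon) > LEVELS.index("auth"):
        findings.append(f"anonymous gets '{anon}' on {what}: hashes readable without a bind")
    return findings

# Constructed inputs: a shadowed ordering and a tightened one for a placeholder proxy DN.
SHADOWED_ACL = "access to attrs=userPassword by self write by * read by anonymous auth"
PROXY_DN = "cn=proxyagent,ou=profile,o=EXAMPLE-ORG"  # placeholder organisation
TIGHT_ACL = ("access to attrs=userPassword by self write by anonymous auth "
             f'by dn.exact="{PROXY_DN}" read by * none')
```

Run audit_password_acl() over each access line of a slapd.conf that names userPassword; the tightened form yields no findings while the shadowed one reports both the dead clause and anonymous read access.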