
AW: AW: Server and client setup for connecting Solaris to an openldap server.



On Wednesday 16 April 2008 17:22:50 Kick, Claus wrote:

>> 1. You need to do changes in the /etc/nsswitch.ldap, for this file gets
>> copied over to /etc/nsswitch.conf once you are using the ldapclient.
>>
>> It should contain something like:
>>
>> passwd:     files ldap
>> group:      files ldap


>Actually, the bigger issue is ensuring that hostname resolution would work
>with the settings in /etc/nsswitch.ldap, e.g., you may want to ensure hosts
>and ipnodes have sane plugins configured (e.g. 'files dns', and not
>just 'ldap').

Right, we actually stumbled over this once, but I had already forgotten
about this.

>
> 2. You need to run ldapclient manually once:
>
> I used the following parameters for it:
>
> ldapclient -v manual \
> 	-a domainName=********** \
> 	-a defaultSearchBase=************** \
> 	-a proxyDN=cn=proxyagent,ou=profile,o=************ \
> 	-a proxyPassword=************* \
> 	-a searchTimeLimit=90 \
> 	-a serviceSearchDescriptor=group:ou=Group,=************ \
> 	-a serviceSearchDescriptor=passwd:ou=People,o=*************.com \
> 	-a defaultSearchScope=sub \
> 	-a objectclassMap=group:posixGroup=posixGroup \
> 	-a defaultServerList=127.0.0.1 \
> 	-a authenticationMethod=simple
>
> That gets you both files:
> /var/ldap/:
> ldap_client_file
> ldap_client_cred
>
> 3. then you need to restart the ldap client service.
> (svc:/network/ldap/client:default)
>
> The client then uses the already created files and does not recreate
> them.

>Note that if you have changed the default umask (e.g. our corporate security
>standards for Solaris require umask to be 077), then you may have to set
>permissions on the /var/run/*door* files.

> 4. the slapd.conf should definitely contain:
>
> #that one almost gave me a headache
> sizelimit unlimited

>I wouldn't do this myself. If you are going to use a proxy user, add the proxy
>user to a group that has limits set with the 'limits' statement.

Could you please give an example how to set limits in a group
definition?

> #if you are using standard solaris that is.
> password-hash {CRYPT}

>This is only necessary if you are going to authenticate via a "shadow"-like
>mechanism (aka you like the insecurity NIS provides you with). I would
>suggest configuring pam instead.

True, I had forgotten to mention that we are not using pam.

>> modulepath      /opt/csw/libexec/openldap
>> # if you are using berkeley db
>> moduleload      back_bdb.la
>>
>> #this enables you to authenticate users via shell
>> access to attrs=userpassword by self write by * read by anonymous auth

>I would much rather use PAM than "by * read" on userPassword ... especially
>with hashes in crypt.


> #this is useful for caching
> index cn,sn,uid pres,eq,approx,sub
> index objectClass eq
> index memberUid eq,pres
> index uniqueMember eq,pres
> index uidNumber eq,pres
> index gidNumber eq,pres
>
> #For Solaris 8, I think you also need (could also be necessary for
> Solaris 10, not sure here):
> allow bind_v2
>
> >I see some sites mention a solaris schema but I not found been able to
> >locate that anywhere. Is this something that is possible?
>
> You don't need the Solaris Schema, for the necessary objects are already
> included in the nis.schema.
> The information on the net regarding this is outdated.

>Incorrect. You need the schema definitions if you want automatic mode to work.

I stand corrected. 

>However, automatic mode can't work against OpenLDAP on Solaris <= 9 (I'm not
>sure about 10), unless you have the 'allop' overlay (which ships with 2.4,
>but can be made to work on 2.3 with some minor patching).

If I find the time, I might try that out.
Can this be made to work with  2.3.39,REV=2008.01.01 ?

>My 2.3 packages for RHEL4 (and 5) will ship the allop overlay. I have attached
>the schema definitions required for automatic mode to work.

I tried to look up those two objects in the solaris.schema, but they are
not included there?
(# Solaris Schema - igor@ypass.net
#
http://docs.sun.com/ab2/coll.786.2/LDAPCONFIG/@Ab2PageView/2344?Ab2Lang=C&Ab2Enc=iso-8859-1)

So, is there another solaris.schema flying around? I am confused about
this now.

>In automatic mode, the ldapclient does a search of the empty suffix
>(effectively 'ldapsearch -x -s base -b ""'), and expects to get the
>namingContexts without asking for them (which will occur if you have allop
>loaded). It will then search each of those suffixes in the namingContexts
>attribute for (nisdomain=$domain), where $domain is the domain provided to
>the ldapclient command. If it finds a matching entry, it will search below
>that entry for a objectclass DUAConfigProfile (so, you need this schema too,
>I think it ships with nss_ldap) matching (cn=$profilename) for the profile
>information.

Could you please explain how the automatic mode differs from the
"normal" mode, i.e. how the normal mode works?

[...]

>> You can also configure nscd to really speed things up, if you need help
>> there, just drop me a mail directly, do not want to swamp Openldap
>> people with Solaris internals.

>Well, this list is intended for the integration aspects that were off-topic on
>the OpenLDAP-software list, and I would prefer to have accurate information
>available than the current misinformation.

I am sorry, but I do not quite understand what you are trying to say
here. Could you please rephrase?

Regards,

Claus
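The per-group 'limits' alternative to a global "sizelimit unlimited" that the reply above refers to, as a constructed slapd.conf fragment added here (not taken from the thread); the group DN and suffix are assumed and must be replaced with your own:

```
# Constructed slapd.conf fragment (added example, not from the thread).
# Keep the global size limit for everybody ...
sizelimit 500
# ... and lift it only for members of a dedicated proxy-account group.
# The group is a groupOfNames whose "member" attribute lists the proxyDN
# used by ldapclient (e.g. cn=proxyagent,ou=profile,o=example).
limits group/groupOfNames/member="cn=nss-proxies,ou=profile,o=example" size=unlimited time=unlimited
```

The group selector defaults to groupOfNames/member, so the long form is written out only for clarity; anonymous and ordinary binds still hit the 500-entry limit.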
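To make the automatic-mode lookup described above concrete, here is an added example (not code from the thread or from Solaris) that models it against a constructed in-memory directory: read namingContexts from the root DSE, find the suffix carrying nisDomain=$domain, then the DUAConfigProfile named $profilename beneath it. Attribute names, DNs and the domain are all constructed.

```python
# Added example (not from the thread): in-memory model of the lookup that
# ldapclient performs in automatic (profile) mode.  Directory contents,
# domain and profile name are constructed sample data.

def norm(dn):
    """Normalise a DN for comparison: lowercase, no spaces after commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def is_under(dn, base):
    """True if dn is base itself or lies below it (subtree scope)."""
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

def has(attrs, name, value):
    """Case-insensitive check that attribute `name` carries `value`."""
    return value.lower() in [v.lower() for v in attrs.get(name, [])]

def search(directory, base, filt):
    """Subtree search: DNs under base whose attributes satisfy filt."""
    return [dn for dn, attrs in directory.items()
            if dn and is_under(dn, base) and filt(attrs)]

def discover_profile(directory, domain, profile_name):
    """Mimic automatic mode.  Returns the profile's attributes or None."""
    # Step 1: base search of the empty DN; without the allop overlay the
    # root DSE returns no namingContexts and there is nothing to search.
    contexts = directory.get("", {}).get("namingcontexts", [])
    for suffix in contexts:
        # Step 2: look for (nisDomain=$domain) under each naming context.
        for dn in search(directory, suffix,
                         lambda a: has(a, "nisdomain", domain)):
            # Step 3: find (cn=$profilename) of class DUAConfigProfile below it.
            hits = search(directory, dn,
                          lambda a: has(a, "objectclass", "DUAConfigProfile")
                          and has(a, "cn", profile_name))
            if hits:
                return directory[hits[0]]
    return None

# Constructed directory: DN -> attributes (lowercase attribute names).
DIRECTORY = {
    "": {"namingcontexts": ["o=example", "dc=other"]},
    "o=example": {"objectclass": ["organization", "nisDomainObject"],
                  "nisdomain": ["example.com"]},
    "cn=default,ou=profile,o=example": {
        "objectclass": ["top", "DUAConfigProfile"], "cn": ["default"],
        "defaultsearchbase": ["o=example"],
        "defaultserverlist": ["ldap.example.com"]},
    "dc=other": {"objectclass": ["domain"]},
}
# Same data, but a root DSE that does not volunteer namingContexts (no allop).
NO_ALLOP = dict(DIRECTORY)
NO_ALLOP[""] = {}
```

Running discover_profile(DIRECTORY, "example.com", "default") yields the profile entry, while the same call against NO_ALLOP returns None, which is the failure mode the reply attributes to servers without the allop overlay.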