
RE: Solaris client configuration



Hi Sara,

What you listed is just a part of what has to be done to get a Solaris client authenticated against an OpenLDAP server.

Recommended steps:
- upgrade to OpenLDAP 2.4.30
- upgrade and patch Solaris. You didn't mention the release level of your Solaris box, and there are quite a few patches out which affect the Solaris LDAP client. Consult the file /etc/release on that box.
- besides the output of 'ldapclient list', have a look at the config files /etc/nsswitch.conf and /etc/pam.conf
- use more than just one LDAP server in production.
- check your setup by running ldaplist, getent passwd and getent group
- don't edit files in /var/ldap manually, use ldapclient
- get access to a Solaris person at your site.
- use duaconfig profiles in your LDAP server to provide standard configs.
- get properly set up certificates with X509v3 Subject Alternative Names. The Solaris client will need that.
- check first whether the client is working properly without TLS to detect a certificate issue.
- sample output of 'ldapclient list':
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=ourAgent,dc=ourdomain,dc=com
NS_LDAP_BINDPASSWD= ={NS1}ourpassword
NS_LDAP_SERVERS= oly-infra-ldap1.ourdomain.com, oly-infra-ldap2.ourdomain.com, oly-infra-ldap3.ourdomain.com, oly-infra-ldap4.ourdomain.com
NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 0
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,dc=ourdomain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=Account,dc=ourdomain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=Account,dc=ourdomain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=ourdomain,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=ourdomain,dc=com?one
NS_LDAP_BIND_TIME= 2

- YMMV depending on your environment. Not all arising questions will fit into this mailing list.

Regards

Juergen Sprenger
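The checks in the reply above (more than one server, TLS on the bind, server names that the certificate's Subject Alternative Names can actually match) can be run over a saved 'ldapclient list' dump before touching a box. The script below is an added example and not part of the thread or of Solaris; the two sample dumps, the helper names (parse_ldapclient_list, san_matches, lint) and the placeholder host and DN values are all constructed for the illustration. The SAN list is passed in by hand, as you would read it from the server certificate with 'openssl x509 -text'.

```python
"""Lint a Solaris `ldapclient list` dump against the advice in the reply.

Constructed example. Parses the key=value output of `ldapclient list` and
reports a single configured server, a non-TLS bind (proxy password sent in
clear) and server names that do not match the certificate's dNSName SANs.
"""

# Constructed sample dumps; host names, DNs and the password are placeholders.
SAMPLE_SINGLE_SERVER = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}placeholder
NS_LDAP_SERVERS= ldap1
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
"""

SAMPLE_GOOD = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}placeholder
NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Group,dc=example,dc=com?one
"""


def parse_ldapclient_list(text):
    """Return key -> list of values; keys such as NS_LDAP_SERVICE_SEARCH_DESC repeat."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def servers(cfg):
    """Split the comma-separated NS_LDAP_SERVERS value into individual entries."""
    raw = cfg.get("NS_LDAP_SERVERS", [""])[0]
    return [s.strip() for s in raw.split(",") if s.strip()]


def san_matches(hostname, san_dns_names):
    """True if hostname is covered by a dNSName SAN entry.

    Exact match, or a single-label wildcard such as *.example.com.
    """
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def lint(text, san_dns_names=()):
    """Return a list of findings for the dump; an empty list means nothing to report."""
    cfg = parse_ldapclient_list(text)
    findings = []
    srv = servers(cfg)
    if len(srv) < 2:
        findings.append("only one LDAP server configured; lookups stall when it is down")
    auth = cfg.get("NS_LDAP_AUTH", [""])[0]
    if auth and not auth.startswith("tls:"):
        findings.append("NS_LDAP_AUTH=%s sends the proxy bind password in clear" % auth)
    for entry in srv:
        host = entry.split(":")[0]  # drop an optional :port suffix
        if san_dns_names:
            if not san_matches(host, san_dns_names):
                findings.append("server '%s' is not in the certificate SAN list" % host)
        elif "." not in host:
            findings.append("server '%s' is a short name; it must appear verbatim in the cert SANs" % host)
    return findings


if __name__ == "__main__":
    sans = ["ldap1.example.com", "ldap2.example.com"]  # constructed SAN list
    for label, dump in (("single server", SAMPLE_SINGLE_SERVER), ("good", SAMPLE_GOOD)):
        print(label, "->", lint(dump, sans) or "OK")
```

Running it without a SAN list only flags short host names; with the SAN list from the server certificate it checks every configured server against it, which is the comparison the Solaris client performs when NS_LDAP_AUTH is tls:simple.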

-----Original Message-----

Message: 2
Date: Thu, 29 Mar 2012 10:55:10 -0700
From: "Kline, Sara" <SKline@tnsi.com>
To: "openldap-technical@openldap.org"
	<openldap-technical@openldap.org>
Subject: Solaris client configuration
Message-ID:
	<C0C9408742654B429ECD3D1FF11A118D16EB097A0D@TNS-MAIL-NA1.win2k.corp.tnsi.com>
	
Content-Type: text/plain; charset="us-ascii"

Hey all,
I am trying to get a Solaris 10 client to authenticate to our OpenLDAP (2.3.43) server, which was built on Red Hat 5.7. Linux clients (RHEL 4, 5 and 6, and Oracle 5.7) authenticate without issue. I think it may be a simple misconfiguration but I am really not a Solaris person at all. Would someone be willing to send an ldapclient list to me? I would really appreciate it. Steps I have taken:

1. Imported the SSL cert according to Oracle's instructions
2. Made the 3 files cert8, keys3, and secmod readable to everyone with chmod 444

My current ldapclient list looks like this:
LDAP_CLIENT_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=admin,dc=prod,dc=ourdomain,dc=com
NS_LDAP_BINDPASSWD={NS1}ourpassword
NS_LDAP_SERVERS=oly-infra-ldap1 (this is how the name appears on the cert, it is in the hosts file)
NS_LDAP_SEARCH_BASEDN=dc=prod,dc=ourdomain,dc=com
NS_LDAP_AUTH=tls:simple
NS_LDAP_CACHETTL=0
NS_LDAP_CREDENTIAL_LEVEL=proxy
NS_LDAP_SERVICE_AUTH_METHOD=pam_ldap:tls:simple
NS_LDAP_HOST_CERTPATH=/var/ldap

Any help would be greatly appreciated.

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495