[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Solaris Client

On Monday, 9 July 2007, daniel perez del campo wrote:
> Hi,
> I have configurated openLdap in Debian, and it works well with Linux
> clients. But I want to authenticate a Solaris client against the Ldap
> server. I don't know how to do this.
> Could someone tell me what have I have to do?? Or some guide? I have looked
> for information in Google and  I don't find anything clear.

You need to provide a bit more information, e.g. exactly which versions of 
Solaris you are trying to support. For instance, with Solaris 10, you can use 
the "automatic" mode with the ldapclient tool, but it requires additional 
schemas and entries in your directory to work.

The manual method works for Solaris 9 and 10 (I haven't tested anything 
older), but note that (AFAIK) neither support START_TLS or 
subjectAlternativeNames on certificates.

The ldapclient tool can be used to essentially do the "nss" part, the pam part 
you have to do for yourself.

Note that the ldapclient moves /etc/nsswitch.ldap to /etc/nsswitch.conf when 
it tries to configure, so be sure that your /etc/nsswitch.ldap will work (or 
ldapclient will roll back the changes).

You need the version of certutil from the Sun JDS SDK to be able to create a 
certificate database that the ldapclient can use (the certutil version that 
ships with the OS generates the wrong version of database).

I have attached the scripts I have used for Solaris 9 that work around some of 
the brokenness in ldapclient (but it does a few other things I require, such 
as loopback mounting /export/home under /home - as at present we don't use 
NFS homes).

The only thing I still need is a working pam_mkhomedir for Solaris (preferably 
not just a binary from someone - I prefer to have source for things like 
this ...).

I will try and document this further at another stage (as all the other guides 
I read while trying to get this to work left out some details).

Now, this is off-topic for the list (as the only OpenLDAP-specific things I 
needed to do are not discussed here, and only pertain to the "automatic 
method" which only works on Solaris 10), and I think discussion should not 
continue on this list, but this is a very common problem (as seen on other 
fora), and I think having at least one answer in the OpenLDAP archives would 
be useful (to avoid the FUD situation where supporters/vendors of other 
software claim that OpenLDAP cannot be used due to some apparently missing 
feature needed by Solaris).

Note, I don't need support for netgroups, so I have omitted anything related 
to netgroups.


Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader

Attachment: setupldap.sh
Description: application/shellscript

  if (( $1 == "login" || $1 == "other" ) && $2 == "auth" ) 
      add = "yes"
      service = $1
/^#/ {
  if ( add == "yes" ) {
    add = no
    print service, "auth binding            pam_unix_auth.so.1 server_policy"
    print service, "auth required           pam_ldap.so.1"
/other.*auth.*required.*pam_unix_auth.so.1/ {
$3 = "sufficient"

Attachment: pgpBj4rWqNlXS.pgp
Description: PGP signature