On Monday, 9 July 2007, daniel perez del campo wrote: > Hi, > I have configurated openLdap in Debian, and it works well with Linux > clients. But I want to authenticate a Solaris client against the Ldap > server. I don't know how to do this. > Could someone tell me what have I have to do?? Or some guide? I have looked > for information in Google and I don't find anything clear. You need to provide a bit more information, e.g. exactly which versions of Solaris you are trying to support. For instance, with Solaris 10, you can use the "automatic" mode with the ldapclient tool, but it requires additional schemas and entries in your directory to work. The manual method works for Solaris 9 and 10 (I haven't tested anything older), but note that (AFAIK) neither support START_TLS or subjectAlternativeNames on certificates. The ldapclient tool can be used to essentially do the "nss" part, the pam part you have to do for yourself. Note that the ldapclient moves /etc/nsswitch.ldap to /etc/nsswitch.conf when it tries to configure, so be sure that your /etc/nsswitch.ldap will work (or ldapclient will roll back the changes). You need the version of certutil from the Sun JDS SDK to be able to create a certificate database that the ldapclient can use (the certutil version that ships with the OS generates the wrong version of database). I have attached the scripts I have used for Solaris 9 that work around some of the brokenness in ldapclient (but it does a few other things I require, such as loopback mounting /export/home under /home - as at present we don't use NFS homes). The only thing I still need is a working pam_mkhomedir for Solaris (preferably not just a binary from someone - I prefer to have source for things like this ...). I will try and document this further at another stage (as all the other guides I read while trying to get this to work left out some details). Now, this is off-topic for the list (as the only OpenLDAP-specific things I needed to do are not discussed here, and only pertain to the "automatic method" which only works on Solaris 10), and I think discussion should not continue on this list, but this is a very common problem (as seen on other fora), and I think having at least one answer in the OpenLDAP archives would be useful (to avoid the FUD situation where supporters/vendors of other software claim that OpenLDAP cannot be used due to some apparently missing feature needed by Solaris). Note, I don't need support for netgroups, so I have omitted anything related to netgroups. Regards, Buchan -- Buchan Milne ISP Systems Specialist - Monitoring/Authentication Team Leader B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592) http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases
Attachment:
setupldap.sh
Description: application/shellscript
{
if (( $1 == "login" || $1 == "other" ) && $2 == "auth" )
{
add = "yes"
service = $1
}
}
/^#/ {
if ( add == "yes" ) {
add = no
print service, "auth binding pam_unix_auth.so.1 server_policy"
print service, "auth required pam_ldap.so.1"
}
}
/other.*auth.*required.*pam_unix_auth.so.1/ {
$3 = "sufficient"
}
{print}
Attachment:
pgpBj4rWqNlXS.pgp
Description: PGP signature