
Re: slapd 2.0.7 and solaris 8



Actually, I got everything working great last night. There are still some
questions I have, but it all works.

I'll be posting a howto on what I did later today; if not, then early next
week.

> There is a patch to OpenLDAP to make native Solaris PAM work. I
> believe that patch was posted to this list already.

The patch isn't required unless you want to use Solaris 8's ability to
dynamically determine which LDAP server to use and what attributes to use
via ldapclient. Personally I think this is kind of a pointless feature, but
...

> I think you only need that patch to initialize LDAP support with the
> ldapclient tool. As far as I can tell, all that tool does is create
> the files /var/ldap/ldap_client_cred and /var/ldap/ldap_client_file.

Yep.

> Sun says not to edit these files under any circumstances, but I found
> that the ONLY way to get Solaris to work with OpenLDAP in my setup was
> to manually edit these files. Solaris seems to work fine if your
> accounts are under "ou=People, $base_dn", but mine were not.
> ldapclient has a provision for changing that, but you need to change
> both the "passwd:" and the "shadow:" facilities and the ldapclient
> only seemed to allow me to change one of them.

From the book I have, the tag to do this in /var/ldap/ldap_client_file
is:

NS_LDAP_SEARCH_DN=passwd:(ou=people,dc=example,dc=com)

I don't know if substituting shadow for password would have the desired
effect. However, I would think that since all shadow tags are part of the
user entry, if it can find that then it should all work regardless of
where it is in the tree.

> In addition, I could not figure out how to get TLS support using the
> ldapclient tool. You should be able to hand hack those files to plug
> that into Solaris as well. The Sun documentation claims this is
> supported.

I think I have this working, but I'm a little stumped as to how to tell if
it's actually using SSL. I need to go digging to find if there is a
debugging level for OpenLDAP which shows binds and methods. The tag in
the ldap_client_file for TLS is:

NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_TLS

> Lastly, I found that if I copied those files from one server to
> another, the system worked. I had to restart nscd. So you should not
> need to use that busted ldapclient tool at all. You will probably need
> to use the ldap_gen_profile tool to generate the password field.

Yep, that's what I found as well. Does anyone know what {NS1} encoding is
for the password in the ldap_client_cred file?

I have another question too. It seems to me that ldap_cachemgr does the
job of nscd, only for LDAP. You get problems with nscd as it is caching
bad information every once in a while; the idea of double levels of caching
via nscd and ldap_cachemgr is a little scary to me. Does anyone have
any thoughts on this?

Thanks to everyone for all their help.

Adam.
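The thread above hand-edits two tags in /var/ldap/ldap_client_file: NS_LDAP_SEARCH_DN (set per service, and the quoted poster notes both passwd and shadow need it) and NS_LDAP_TRANSPORT_SEC (set to NS_LDAP_SEC_TLS for TLS). The script below is an added example, not code from the post or from Sun or OpenLDAP; it parses that file as plain KEY=VALUE lines (an assumption based only on the two tags quoted in the thread, with `#` treated as a comment marker) and reports whether TLS is configured and whether the passwd and shadow search DNs agree. The file contents it reads are constructed for the example, and the `audit` function, its finding strings and the `ldap_client_file`-style layout are hypothetical, not a Solaris API.

```python
"""Added example (not from the mailing-list post): audit a Solaris
ldap_client_file-style KEY=VALUE file for the two settings the thread
discusses, TLS transport and per-service search DNs."""
import re

# Constructed sample modelled on the two tags quoted in the post;
# not copied from any real host.
SAMPLE_CLIENT_FILE = """\
# constructed /var/ldap/ldap_client_file contents
NS_LDAP_SERVERS=ldap.example.com
NS_LDAP_SEARCH_BASEDN=dc=example,dc=com
NS_LDAP_SEARCH_DN=passwd:(ou=people,dc=example,dc=com)
NS_LDAP_SEARCH_DN=shadow:(ou=people,dc=example,dc=com)
NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_TLS
"""


def parse_client_file(text):
    """Return a dict of tag -> list of values.

    Blank lines and '#' comments are skipped (assumed comment syntax).
    A tag may repeat (NS_LDAP_SEARCH_DN appears once per service), so
    every tag maps to a list, preserving file order.
    """
    tags = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)  # DN values contain '=' too
        tags.setdefault(key.strip(), []).append(value.strip())
    return tags


# service:(dn) as shown in the post, e.g. passwd:(ou=people,dc=example,dc=com)
_SEARCH_DN_RE = re.compile(r"^(\w+):\((.*)\)$")


def search_dns(tags):
    """Map service name (passwd, shadow, ...) to the DN inside the parens."""
    result = {}
    for entry in tags.get("NS_LDAP_SEARCH_DN", []):
        m = _SEARCH_DN_RE.match(entry)
        if not m:
            raise ValueError(f"unparseable NS_LDAP_SEARCH_DN: {entry!r}")
        result[m.group(1)] = m.group(2)
    return result


def uses_tls(tags):
    """True only if NS_LDAP_TRANSPORT_SEC is present exactly once and is TLS."""
    return tags.get("NS_LDAP_TRANSPORT_SEC") == ["NS_LDAP_SEC_TLS"]


def audit(text):
    """Return a list of findings; an empty list means the file passes."""
    tags = parse_client_file(text)
    findings = []
    if not uses_tls(tags):
        findings.append("transport security is not TLS; binds would go in the clear")
    dns = search_dns(tags)
    # The quoted poster had to set both passwd and shadow; flag a mismatch
    # or a missing shadow entry when passwd has been relocated.
    if "passwd" in dns and dns.get("shadow") != dns["passwd"]:
        findings.append("passwd and shadow search DNs differ or shadow is missing")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CLIENT_FILE) or ["OK: TLS set, passwd/shadow DNs agree"]:
        print(line)
```

Running it against a real /var/ldap/ldap_client_file (read the file and pass its text to `audit`) gives a quick answer to the "is it actually using TLS" question at the configuration level; confirming on the wire still needs the server-side debug output the post mentions.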