Feedback to the list on getting Solaris 2.6/openldap/nss_ldap/open_ldap running.
I am using OpenLDAP version 1.2.1, Berkeley DB version 2.7.7 (we tried 3.x and it
doesn't compile) and nss_ldap-149. We wanted to be able to use both LDAP and
local accounts at the same time.

Download/compile Berkeley DB (I recommend version 2.7.7, standard compile), then
download/compile OpenLDAP with the following lines:

env LIBS="-lpthread -lposix4" \
CPPFLAGS="-I/usr/local/BerkeleyDB/include" \
LDFLAGS="-L/usr/local/BerkeleyDB/lib" \
./configure --with-ldbm-api=db2 --enable-shared --enable-passwd
make depend
make install

Not sure if you need --enable-shared or --enable-passwd, in fact.

Download and compile the pam_ldap/nss_ldap modules from www.padl.com/. Nothing
special here, just follow the installation instructions.

Now for the tricky bit: configure the /etc/ldap.conf and
/usr/local/etc/openldap/etc/slapd.conf files.

/etc/ldap.conf needs only

base dc=jpmorgan,dc=geneva,dc=ch
pam_password crypt

/usr/local/etc/openldap/etc/slapd.conf needs only

include         /usr/local/etc/openldap/slapd.at.conf
include         /usr/local/etc/openldap/slapd.oc.conf
schemacheck     off
pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args
database        ldbm
suffix          "dc=jpmorgan,dc=geneva,dc=ch"
rootdn          "cn=root,dc=jpmorgan,dc=geneva,dc=ch"
rootpw          secret
directory       /usr/local/var/openldap-ldbm
index           cn,sn,uid
# Password hashes: writable by the owner only. The rootdn bypasses ACLs, so the
# "by dn=" line only matters if such an entry exists. "by * none" keeps the
# hashes out of anonymous searches (nss_ldap does its lookups anonymously).
access to attrs=userpassword
        by self write
        by dn="cn=root,ou=people,dc=jpmorgan,dc=geneva,dc=ch" write
        by * none
# Everything else. A separate "access to * by * read" placed after this clause
# would be shadowed by it (the first matching "access to" wins), so the
# anonymous read that nss_ldap needs is given here as the last by clause.
access to *
        by self write
        by dn="cn=root,ou=people,dc=jpmorgan,dc=geneva,dc=ch" write
        by * read

You need to add the following to /usr/local/etc/openldap/slapd.oc.conf (or I did
anyway; if someone knows better please let me know).

objectclass shadowAccount

And now start the LDAP daemon and add the entries.

Examples of commands to add, delete, search for and change the password of
entries in the above example:

ldapadd -D cn=root,dc=jpmorgan,dc=geneva,dc=ch -W < add.ldiff (see below for
ldapdelete -D cn=root,dc=jpmorgan,dc=geneva,dc=ch -w secret
ldapsearch -L -b "dc=jpmorgan,dc=geneva,dc=ch" "(objectclass=*)"
ldappasswd -b "dc=jpmorgan,dc=geneva,dc=ch"

An example of the minimum five entries you would need to add for authentication
of a user and a group, in this order.

dn: dc=jpmorgan,dc=geneva,dc=ch
description: jpmorgan
objectClass: organization
objectClass: top

dn: ou=People,dc=jpmorgan,dc=geneva,dc=ch
objectClass: organizationalUnit
objectClass: top

dn: ou=Group,dc=jpmorgan,dc=geneva,dc=ch
objectClass: organizationalUnit
objectClass: top

dn: cn=users,ou=Group,dc=jpmorgan,dc=geneva,dc=ch
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 10

dn: uid=ldap,ou=People,dc=jpmorgan,dc=geneva,dc=ch
uid: ldap
cn: LDAP user
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}Y7GtTDeK
loginShell: /bin/ksh
uidNumber: 1000
gidNumber: 10
homeDirectory: /users/ldap
gecos: LDAP user
description: LDAP user

Then you need to edit /etc/pam.conf; mine looks like this. We are just using
LDAP for authentication of rlogin users in this example. Beware: the pam.conf in
the nss_ldap directory doesn't appear to work "out-of-the-box" with Solaris 2.6.

login   auth required   /usr/lib/security/pam_unix.so.1
login   auth required   /usr/lib/security/pam_dial_auth.so.1
telnet  auth required   /usr/lib/security/pam_unix.so.1
rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
# the next line is new
rlogin  auth sufficient /usr/lib/security/pam_ldap.so.1
# the try_first_pass parameter on the next line is new as well
rlogin  auth required   /usr/lib/security/pam_unix.so.1 try_first_pass

dtlogin auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1
other   auth required   /usr/lib/security/pam_unix.so.1
login   account required /usr/lib/security/pam_unix.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1
other   account required /usr/lib/security/pam_unix.so.1
other   session required /usr/lib/security/pam_unix.so.1
other   password required /usr/lib/security/pam_unix.so.1

And change /etc/nsswitch.conf so that it references ldap, the two lines looking
like this:

passwd:     files ldap
group:      files ldap

And then you should be able to rlogin from another workstation referencing the
LDAP server. I think I have covered everything.

Good luck

Many thanks to the users of this list who helped me to get here. Time taken:
approximately 1 week.
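Added example, not part of the original post: a small Python script that generates the five-entry bootstrap LDIF shown above for any suffix, emits the entries parent-first (the order ldapadd needs), checks that every user's gidNumber has a posixGroup, and refuses a userPassword without a {scheme} prefix so a cleartext password never lands in the directory. The base DN dc=example,dc=com, the group/user values and the {crypt} placeholder hash are all constructed for the example.

```python
"""Generate the minimal bootstrap LDIF (suffix, ou=People, ou=Group, one
posixGroup, one posixAccount) in parent-before-child order and refuse a
cleartext userPassword.  Added example, not code from the original post;
the base DN dc=example,dc=com and all sample values are constructed."""
import re

# Hypothetical base DN; substitute your own suffix.
BASE_DN = "dc=example,dc=com"

# userPassword must carry a scheme prefix.  Without one slapd stores the value
# as-is and the directory ends up holding cleartext passwords.
PASSWORD_SCHEME = re.compile(r"^\{(crypt|md5|sha|ssha|smd5)\}\S+$", re.IGNORECASE)

# Constructed sample data (the hash is a placeholder, not a real crypt(3) value).
SAMPLE_GROUPS = [("users", 10)]
SAMPLE_USERS = [{
    "uid": "ldap", "uidNumber": 1000, "gidNumber": 10,
    "homeDirectory": "/users/ldap", "loginShell": "/bin/ksh",
    "gecos": "LDAP user", "userPassword": "{crypt}abSAMPLEhash",
}]


def ldif_entry(dn, attrs):
    """Render one LDIF entry; attrs is a list of (name, value) pairs."""
    lines = ["dn: " + dn] + ["%s: %s" % (name, value) for name, value in attrs]
    return "\n".join(lines) + "\n"


def parent_dn(dn):
    """Everything after the first RDN, e.g. ou=People,dc=a -> dc=a."""
    return dn.partition(",")[2]


def suffix_entries(base):
    """Suffix entry plus the two containers.  The post omits the 'o' attribute
    that the organization objectclass requires; it only gets away with that
    because schemacheck is off, so it is included here."""
    org = base.split(",")[0].split("=", 1)[1]
    return [
        (base, [("o", org), ("description", org),
                ("objectClass", "organization"), ("objectClass", "top")]),
        ("ou=People," + base, [("objectClass", "organizationalUnit"), ("objectClass", "top")]),
        ("ou=Group," + base, [("objectClass", "organizationalUnit"), ("objectClass", "top")]),
    ]


def posix_group(cn, gid, base):
    return ("cn=%s,ou=Group,%s" % (cn, base),
            [("objectClass", "posixGroup"), ("objectClass", "top"),
             ("cn", cn), ("gidNumber", str(gid))])


def posix_account(user, base):
    pw = user["userPassword"]
    if not PASSWORD_SCHEME.match(pw):
        raise ValueError("userPassword for %s lacks a {scheme} prefix; refusing cleartext" % user["uid"])
    return ("uid=%s,ou=People,%s" % (user["uid"], base),
            [("uid", user["uid"]), ("cn", user["gecos"]),
             ("objectClass", "account"), ("objectClass", "posixAccount"),
             ("objectClass", "shadowAccount"), ("objectClass", "top"),
             ("userPassword", pw), ("loginShell", user["loginShell"]),
             ("uidNumber", str(user["uidNumber"])), ("gidNumber", str(user["gidNumber"])),
             ("homeDirectory", user["homeDirectory"]), ("gecos", user["gecos"])])


def build_ldif(base, groups, users):
    """Return the LDIF text, ordered so ldapadd never sees a child before its
    parent.  Rejects a user whose gidNumber has no posixGroup and duplicate
    uidNumbers."""
    entries = suffix_entries(base)
    known_gids = set()
    for cn, gid in groups:
        entries.append(posix_group(cn, gid, base))
        known_gids.add(gid)
    seen_uidnums = set()
    for user in users:
        if user["gidNumber"] not in known_gids:
            raise ValueError("%s: gidNumber %d has no posixGroup" % (user["uid"], user["gidNumber"]))
        if user["uidNumber"] in seen_uidnums:
            raise ValueError("duplicate uidNumber %d" % user["uidNumber"])
        seen_uidnums.add(user["uidNumber"])
        entries.append(posix_account(user, base))
    # Ordering check: every parent (other than the suffix) must already be listed.
    listed = set()
    for dn, _ in entries:
        if dn != base and parent_dn(dn) not in listed:
            raise ValueError("%s listed before its parent" % dn)
        listed.add(dn)
    return "\n".join(ldif_entry(dn, attrs) for dn, attrs in entries)


if __name__ == "__main__":
    print(build_ldif(BASE_DN, SAMPLE_GROUPS, SAMPLE_USERS), end="")
```

Run it and pipe the output into ldapadd bound as the rootdn (with -W so the password is prompted for rather than left in the process list). The regex only checks the prefix; the hash itself still has to come from crypt(3) or whatever scheme your slapd build understands.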

