RE: NSS_LDAP Solaris and Active directory

To: <henk.coenen@philips.com>, <openldap-software@OpenLDAP.org>

Subject: RE: NSS_LDAP Solaris and Active directory

From: "Davidson, Stuart" <Stuart.Davidson@hp.com>

Date: Thu, 20 Jun 2002 08:56:30 +0100

Content-class: urn:content-classes:message

Thread-index: AcIXxyqWWNH85DpnSqeERnmlAFJSOwAZMZew

Thread-topic: NSS_LDAP Solaris and Active directory

We have Solaris clients working with AD but not with OpenLDAP or OpenSSL. The combination is:

nss_ldap-184 + pam_ldap-140 from www.padl.com, iPlanet CSDK 5[1].08 for LDAP/SSL, Berkeley DB 3.1.17, Windows 2000 + SP2 + Q320711 hotfix + SFU

nss configured as follows:

./configure --with-ldap-lib=netscape5 --with-ldapdir=/export/home/dav/Netscape/ldapcsdk5[1].08-SunOS5.8 --enable-schema-mapping --enable-ssl --enable-debugging

pam configured as follows:

./configure --with-ldap-lib=netscape5 --with-ldapdir=/export/home/dav/Netscape/ldapcsdk5[1].08-SunOS5.8 --enable-ssl

You don't say what the symptoms are but we found ssldump and ethereal invaluable for tracing encrypted and non encrypted traffic respectively. Microsoft Q Q260729, Q314980 are useful for logging.

Stuart

-----Original Message-----
From: henk.coenen@philips.com [mailto:henk.coenen@philips.com]
Sent: Wednesday, June 19, 2002 8:20 PM
To: openldap-software@OpenLDAP.org
Subject: NSS_LDAP Solaris and Active directory

Hello all,

We are currently working on replacing NIS by a LDAP directory (iPlanet or Active
Directory). Initially we will focus on moving the UNIX account information into a LDAP
directory in order to enable a single point of account administration. We already
have deployed kerberos to implement a Single Sign-On infrastructure between UNIX
and Windows 2000, so we would like to use the Active Director

We have encountered a number of problems with respect to compatibility of the LDAP
client on Solaris in combination with Active Directory. We are looking for a solution that
works with the schema changes implemented by Microsoft Services for UNIX (MSFU).

Currently we have two demo environments:

Situation 1: Directory implemented by iPlanet
o HP-UX making use of native LDAP client -- OK
o Linux making use of NSS_LDAP software -- OK
o Solaris making use of native LDAP client -- OK

Situation 2: Directory implemented by Active Directory + MSFU
o HPUX making use of native LDAP client -- OK
o Linux making use of NSS_LDAP software -- OK
o Solaris making use of both native LDAP client and NSS_LDAP software -- NOT OK

Situation 1 is working fine!

In situation 2 we have compatibility problems with the Solaris LDAP clients and Active
Directory. This is true for both the native LDAP implementation on Solaris and also for
the NSS_LDAP implementation.

With regard to these problems we have some questions:

1. Who has the Solaris native LDAP client running in combination with the Active Directory
as primary naming service to replace NIS?

2. We compiled the NSS_LDAP v191 for Solaris 2.8 making use of BerkeleyDB4.0.14 and
openldap, but unfortunately things do not work as would like. Who has the NSS_LDAP
software running in combination with the Active Directory ?

If yes. what did you use in combination with NSS_LDAP, how did you compile
and configure things, or in other words where can we find a recep

Thanks in advance
Henk

Ir H.G.P. (Henk) Coenen phone: +31-40-2744161

Philips Research Laboratories
Prof Holstlaan 4,
5656 AA Eindhoven, The Netherlands
Mailto:henk.coenen@philips.com