Solaris 9 LDAP client issues

If anyone has a success story integrating Solaris 9's LDAP client with an OpenLDAP server, I need some help!

I'm currently experiencing some issues which just may be bugs/problems with integrating these two pieces of software.

1. Solaris 9 LDAP client doesn't bind properly to the OpenLDAP server even when you configure it with proxyDn and proxyPassword.

I set up a user cn=NamingClient,dc=mydomain,dc=com in order to be able to give special privileges to Solaris naming clients, but since it seems to refuse to bind as anything other than an anonymous user, this doesn't seem to help me much. Here's my ldapclient config string:

# ldapclient manual -a defaultServerList=myldapserverip -a defaultSearchBase="dc=mydomain,dc=com" -a defaultSearchScope=sub -a credentialLevel=proxy -a proxyDn="cn=NamingClient,dc=mydomain,dc=com" -a proxyPassword=mypass -a serviceSearchDescriptor="automount:ou=AutomountMaps,dc=mydomain,dc=com"

(I wish to keep my automount maps in a different container)

The Sun documentation states that the pam_ldap module will try to authenticate a user based upon its ability to bind to the LDAP server. I've also been trying to limit access to the userPassword attribute like so:

access to dn="" by * read

#access to dn="(.*,)+,ou=Hosts,dc=ae-solutions,dc=com"
#       by self read
#       by users read
#       by anonymous read

access to dn="(.*,)+ou=People,dc=ae-solutions,dc=com" attr=userPassword
       by self write
       by users none
       by anonymous none

access to *
       by self read
       by users read
       by anonymous read

2. PAM TLS functionality is broken.

When I add -a authenticationMethod="tls:simple" to the above configuration (having dug through the documentation to find that I need to load Netscape Navigator 4, etc. to get cert7.db and key3.db), I can get the naming client side to work. However, logins then fail to work! It is as if PAM won't recognize the server's certificate, but lib_nss_ldap will. I followed the Sun documentation and made these cert DBs readable by everyone, etc., but to no effect. I can then use ldaplist and getent to see user information, but I can't log in with telnet or su to that user.

Any advice would be appreciated. This is my first LDAP project so there might be some newbie mistakes. My current opinion is that Solaris 9's LDAP client has a couple of broken pieces in its implementation, at least if you are not trying to integrate it with iPlanet directory server.
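As an added illustration, not part of the original message: a small Python model of slapd's first-match ACL evaluation, applied to the posted userPassword rule. It treats a simple bind as an anonymous request that needs at least the 'auth' privilege on the bind DN's userPassword (OpenLDAP's documented behaviour) and compares the posted 'by anonymous none' with a variant granting 'by anonymous auth'. The DN uid=alice and the placement of cn=NamingClient under dc=ae-solutions are constructed for the example.

```python
import re
# OpenLDAP privilege levels, lowest to highest; each level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse slapd.conf-style 'access to <target> [attr=<name>] by <who> <level>' rules."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("access to"):
            m = re.match(r'access to (?:\*|dn="([^"]*)")(?: attr=(\S+))?(.*)$', line)
            cur = {"dn": m.group(1), "attr": m.group(2), "by": []}   # dn None means '*'
            rules.append(cur)
            line = m.group(3)
        cur["by"].extend(re.findall(r"by (\S+) (\S+)", line))
    return rules
def granted(rules, who_dn, target_dn, attr):
    """Privilege who_dn (None = anonymous) holds on target_dn/attr: the first 'access to'
    whose target matches is selected, then its first matching 'by' clause decides."""
    for rule in rules:
        dn_ok = rule["dn"] is None or re.search(rule["dn"], target_dn)   # regex-style dn
        if not dn_ok or (rule["attr"] is not None and rule["attr"] != attr):
            continue
        for who, level in rule["by"]:
            if (who == "*" or (who == "anonymous" and who_dn is None)
                    or (who == "users" and who_dn is not None)
                    or (who == "self" and who_dn == target_dn)):
                return level
        return "none"                                # matched rule, no matching 'by'
    return "none"
def can_bind(rules, bind_dn):
    """Simple bind arrives anonymously and needs 'auth' on the bind DN's userPassword."""
    return LEVELS.index(granted(rules, None, bind_dn, "userPassword")) >= LEVELS.index("auth")
# Constructed: the post's userPassword rule and catch-all (rootDSE line omitted), plus a variant with 'auth'.
POSTED_ACL = """
access to dn="(.*,)+ou=People,dc=ae-solutions,dc=com" attr=userPassword
       by self write
       by users none
       by anonymous none
access to *
       by self read
       by users read
       by anonymous read
"""
FIXED_ACL = POSTED_ACL.replace("by anonymous none", "by anonymous auth")
ALICE = "uid=alice,ou=People,dc=ae-solutions,dc=com"   # constructed user DN
PROXY = "cn=NamingClient,dc=ae-solutions,dc=com"       # proxy DN, outside ou=People
```

Under the model, the user entry in ou=People cannot bind with the posted rule while the proxy DN (covered only by the catch-all) can; with 'auth' in place the bind succeeds and anonymous still cannot read the attribute.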