[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Solaris 9 LDAP client issues

On Fri, 16 Aug 2002, Scott Moorhouse wrote:

> If anyone has a success story integrating Solaris 9's LDAP client with
> an OpenLDAP server, I need some help!

I set this up awhile back and it works very well.  I use OpenLDAP
2.0.25 and will upgrade soon.

> I'm currently experiencing some issues which just may be bugs/problems
> with integrating these two pieces of software.

Before you go any further make sure to update your schema:

> 1. Solaris 9 LDAP client doesn't bind properly to the OpenLDAP server
> even when you configure it with proxyDn and proxyPassword.
> I set up a user cn=NamingClient,dc=mydomain,dc=com in order to be able
> to give special privileges to Solaris naming clients, but since it seems
> to refuse to bind as anything other than an anonymous user, this doesn't
> seem to help me much.  Here's my ldapclient config string:
> # ldapclient manual -a defaultServerList=myldapserverip -a
> defaultSearchBase="dc=mydomain,dc=com" -a defaultSearchScope=sub -a
> credentialLevel=proxy -a proxyDn="cn=NamingClient,dc=mydomain,dc=com" -a
> proxyPassword=mypass -a
> serviceSearchDescriptor="automount:ou=AutomountMaps,dc=mydomain,dc=com"
> (I wish to keep my automount maps in a different container)

I've used a similar configuration, but I have not tried automount.

Start ldap_cachemgr (/etc/init.d/ldap.client start) and restart nscd
(/etc/init.d/nscd stop;/etc/init.d/nscd start).  This was not required in
Solaris 8.  Or reboot.

> The Sun documentation states that the pam_ldap module will try to
> authenticate a user based upon its ability to bind to the LDAP server.
>  I've also been trying to limit access to the userPassword attribute
> like so:
> access to dn="" by * read
> #access to dn="(.*,)+,ou=Hosts,dc=ae-solutions,dc=com"
> #       by self read
> #       by users read
> #       by anonymous read
> access to dn="(.*,)+ou=People,dc=ae-solutions,dc=com" attr=userPassword
>         by self write
>         by users none
>         by anonymous none
> access to *
>         by self read
>         by users read
>         by anonymous read

make sure that cn=NamingClient,dc=mydomain,dc=com can bind to the server.
For nss to work properly, cn=NamingClient,dc=mydomain,dc=com will need an
access to userPassword as well.

> 2. PAM TLS functionality is broken.
> When I add -a authenticationMethod="tls:simple" to the above

Try to make it work with simple bind before you try tls.

Hope this helps.