[Date Prev][Date Next]
Re: Solaris 9 LDAP client issues
On Fri, 16 Aug 2002, Scott Moorhouse wrote:
> If anyone has a success story integrating Solaris 9's LDAP client with
> an OpenLDAP server, I need some help!
I set this up awhile back and it works very well. I use OpenLDAP
2.0.25 and will upgrade soon.
> I'm currently experiencing some issues which just may be bugs/problems
> with integrating these two pieces of software.
Before you go any further make sure to update your schema:
> 1. Solaris 9 LDAP client doesn't bind properly to the OpenLDAP server
> even when you configure it with proxyDn and proxyPassword.
> I set up a user cn=NamingClient,dc=mydomain,dc=com in order to be able
> to give special privileges to Solaris naming clients, but since it seems
> to refuse to bind as anything other than an anonymous user, this doesn't
> seem to help me much. Here's my ldapclient config string:
> # ldapclient manual -a defaultServerList=myldapserverip -a
> defaultSearchBase="dc=mydomain,dc=com" -a defaultSearchScope=sub -a
> credentialLevel=proxy -a proxyDn="cn=NamingClient,dc=mydomain,dc=com" -a
> proxyPassword=mypass -a
> (I wish to keep my automount maps in a different container)
I've used a similar configuration, but I have not tried automount.
Start ldap_cachemgr (/etc/init.d/ldap.client start) and restart nscd
(/etc/init.d/nscd stop;/etc/init.d/nscd start). This was not required in
Solaris 8. Or reboot.
> The Sun documentation states that the pam_ldap module will try to
> authenticate a user based upon its ability to bind to the LDAP server.
> I've also been trying to limit access to the userPassword attribute
> like so:
> access to dn="" by * read
> #access to dn="(.*,)+,ou=Hosts,dc=ae-solutions,dc=com"
> # by self read
> # by users read
> # by anonymous read
> access to dn="(.*,)+ou=People,dc=ae-solutions,dc=com" attr=userPassword
> by self write
> by users none
> by anonymous none
> access to *
> by self read
> by users read
> by anonymous read
make sure that cn=NamingClient,dc=mydomain,dc=com can bind to the server.
For nss to work properly, cn=NamingClient,dc=mydomain,dc=com will need an
access to userPassword as well.
> 2. PAM TLS functionality is broken.
> When I add -a authenticationMethod="tls:simple" to the above
Try to make it work with simple bind before you try tls.
Hope this helps.