Re: Solaris 9 LDAP client issues
Igor Brezac wrote:
Yes, I finally found this section of the documentation and was able to
update my NIS schema according to what Sun has implemented of RFC 2307.
I'm currently experiencing some issues which just may be bugs/problems
with integrating these two pieces of software.
Before you go any further make sure to update your schema:
It was sticking point number one that I overcame. :)
Is there someplace appropriate to submit that schema so that others
don't have to go through the same frustration?
This is still definitely not working. OpenLDAP considers the LDAP
client to be binding as an anonymous user. Whether that means it
botched the authentication or never tried it in the first place is
something I'm not familiar enough with the debug output of slapd to
determine yet. I can't even get it to bind as my RootDN.
1. Solaris 9 LDAP client doesn't bind properly to the OpenLDAP server
even when you configure it with proxyDn and proxyPassword.
I set up a user cn=NamingClient,dc=mydomain,dc=com in order to be able
to give special privileges to Solaris naming clients, but since it seems
to refuse to bind as anything other than an anonymous user, this doesn't
seem to help me much. Here's my ldapclient config string:
# ldapclient manual -a defaultServerList=myldapserverip -a
defaultSearchBase="dc=mydomain,dc=com" -a defaultSearchScope=sub -a
credentialLevel=proxy -a proxyDn="cn=NamingClient,dc=mydomain,dc=com" -a
(I wish to keep my automount maps in a different container)
I've used a similar configuration, but I have not tried automount.
Start ldap_cachemgr (/etc/init.d/ldap.client start) and restart nscd
(/etc/init.d/nscd stop;/etc/init.d/nscd start). This was not required in
Solaris 8. Or reboot.
I have been testing my binding capabilities and access controls with the
GQ LDAP client, and everything works as expected there, so why doesn't
the Solaris client work?
Here's the ldif of the entry I've tried to bind to using Solaris 9's
LDAP client. Perhaps I'm missing some objectclass or attribute it expects?
My GQ client binds to that fine and gets the special permissions I have
laid out for it in slapd.conf...
I've also tried binding as the RootDN with the RootDN password with the
same results. Unless I allow anonymous read to the userPassword
attribute, no one can log in. PAM_ldap is not configured; I assume it
is trying pam_unix and thus using the naming services to get entries.
Did you use manual configuration or configuration through profiles?
Even in the latter case, Solaris 9 stores the proxy dn and password
locally, I guess...
2. PAM TLS functionality is broken.
When I add -a authenticationMethod="tls:simple" to the above
Try to make it work with simple bind before you try tls.
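A way to see concretely what "binding as an anonymous user" means on the wire, as an added example that is not part of this thread and not Sun's or OpenLDAP's code: a minimal BER encoder/decoder for the LDAPv3 simple BindRequest/BindResponse exchange, plus a toy server that answers the way slapd does by default (anonymous binds accepted, wrong passwords refused with invalidCredentials). The proxy DN is the one from the post; the password "naming-secret", the DIRECTORY table, and the toy_server/simple_bind helpers are constructed for this demo. The useful part is decode_bind_request(): it classifies a bind the way RFC 4513 section 5.1 does, so an empty DN and empty password is "anonymous" (which is what slapd's stats log shows as BIND dn="" method=128 when the client never sent proxyDn at all), a DN with an empty password is "unauthenticated", and only a DN plus password is a real simple bind.

```python
"""Minimal LDAPv3 simple-bind codec (BER) with a toy server.  Added example;
the DN is from the thread, the password and account table are constructed."""

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80                         # [0] primitive: AuthenticationChoice.simple
SUCCESS, INVALID_CREDENTIALS = 0, 49       # LDAPResult codes (RFC 4511)


def ber_len(n):
    """BER length: short form below 128, else 0x80|byte-count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value, tag=INTEGER):
    """Two's-complement integer; the extra byte keeps values >= 128 positive."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf, off=0):
    """Return (tag, value, offset_after) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length


def encode_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_REQUEST, op))


def decode_bind_request(msg):
    """Parse a BindRequest and classify it as RFC 4513 section 5.1 does."""
    tag, body, _ = read_tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, off = read_tlv(body)
    tag, op, _ = read_tlv(body, off)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, off = read_tlv(op)
    _, name, off = read_tlv(op, off)
    tag, cred, _ = read_tlv(op, off)
    if tag != SIMPLE_AUTH:
        raise ValueError("SASL bind; not handled here")
    dn, pw = name.decode(), cred.decode()
    if not dn and not pw:
        kind = "anonymous"         # 5.1.1: no DN, no password
    elif dn and not pw:
        kind = "unauthenticated"   # 5.1.2: DN but empty password
    else:
        kind = "simple"            # 5.1.3: name/password
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True),
            "dn": dn, "password": pw, "kind": kind}


def encode_bind_response(msg_id, result_code, matched_dn="", diagnostic=""):
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (ber_int(result_code, ENUMERATED) + tlv(OCTET_STRING, matched_dn.encode())
              + tlv(OCTET_STRING, diagnostic.encode()))
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_RESPONSE, result))


def decode_bind_response(msg):
    _, body, _ = read_tlv(msg)
    _, mid, off = read_tlv(body)
    tag, result, _ = read_tlv(body, off)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, off = read_tlv(result)
    _, matched, off = read_tlv(result, off)
    _, diag, _ = read_tlv(result, off)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


# Constructed account table standing in for slapd's userPassword lookups.
DIRECTORY = {"cn=NamingClient,dc=mydomain,dc=com": "naming-secret"}


def toy_server(request):
    """Answer like a server that allows anonymous binds but no anon credentials."""
    req = decode_bind_request(request)
    if req["kind"] == "anonymous" or DIRECTORY.get(req["dn"]) == req["password"]:
        return encode_bind_response(req["message_id"], SUCCESS)
    return encode_bind_response(req["message_id"], INVALID_CREDENTIALS, "", "bad DN or password")


def simple_bind(dn, password, msg_id=1):
    """One client/server exchange: (server's view of the request, decoded response)."""
    request = encode_bind_request(msg_id, dn, password)
    seen = decode_bind_request(request)   # what slapd would log as BIND dn="..."
    return seen, decode_bind_response(toy_server(request))


if __name__ == "__main__":
    for dn, pw in [("cn=NamingClient,dc=mydomain,dc=com", "naming-secret"),
                   ("cn=NamingClient,dc=mydomain,dc=com", "wrong"), ("", "")]:
        seen, resp = simple_bind(dn, pw)
        print(f'{seen["kind"]:16s} dn="{seen["dn"]}" -> resultCode {resp["result_code"]}')
```

Running it prints one line per case; the third, with an empty DN, is what a server sees when the client never used the configured proxyDn at all. When reading slapd's own debug output, that is the distinction to look for: a BIND line with the proxy DN and a non-zero result code means the credentials were sent but rejected (schema, ACL or password problem), while a BIND with an empty DN means the client side never attempted the proxy bind.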