
Re: Solaris 9 LDAP client issues

On Tue, 20 Aug 2002, Scott Moorhouse wrote:

> Igor Brezac wrote:
> >>I'm currently experiencing some issues which just may be bugs/problems
> >>with integrating these two pieces of software.
> >>
> >>
> >>
> >
> >Before you go any further make sure to update your schema:
> >http://docs.sun.com/?p=/doc/806-4077/6jd6blbf3&a=view
> >
> >
> Yes, I finally found this section of the documentation and was able to
> update my NIS schema according to what Sun has implemented of RFC 2307.
> It was sticking point number one that I overcame. :)
> Is there someplace appropriate to submit that schema so that others
> don't have to go through the same frustration?
> >
> >
> >>1. Solaris 9 LDAP client doesn't bind properly to the OpenLDAP server
> >>even when you configure it with proxyDn and proxyPassword.
> >>
> >>I set up a user cn=NamingClient,dc=mydomain,dc=com in order to be able
> >>to give special privileges to Solaris naming clients, but since it seems
> >>to refuse to bind as anything other than an anonymous user, this doesn't
> >>seem to help me much.  Here's my ldapclient config string:
> >>
> >># ldapclient manual -a defaultServerList=myldapserverip -a
> >>defaultSearchBase="dc=mydomain,dc=com" -a defaultSearchScope=sub -a
> >>credentialLevel=proxy -a proxyDn="cn=NamingClient,dc=mydomain,dc=com" -a
> >>proxyPassword=mypass -a
> >>serviceSearchDescriptor="automount:ou=AutomountMaps,dc=mydomain,dc=com"
> >>
> >>(I wish to keep my automount maps in a different container)
> >>
> >>
> >>
> >
> >I've used a similar configuration, but I have not tried automount.
> >
> >Start ldap_cachemgr (/etc/init.d/ldap.client start) and restart nscd
> >(/etc/init.d/nscd stop;/etc/init.d/nscd start).  This was not required in
> >Solaris 8.  Or reboot.
> >
> >
> This is still definitely not working.  OpenLDAP considers the LDAP
> client to be binding as an anonymous user.  Whether that means it
> botched the authentication or never tried it in the first place is
> something I'm not familiar enough with the debug output of slapd to
> determine yet.  I can't even get it to bind as my RootDN.
> I have been testing my binding capabilities and access controls with the
> GQ LDAP client, and everything works as expected there, so why doesn't
> the Solaris client work?

You do not have something configured properly.

> Here's the ldif of the entry I've tried to bind to using Solaris 9's
> LDAP client.   Perhaps I'm missing some objectclass or attribute it expects?
> dn: cn=NamingClient,dc=mydomain,dc=com
> objectClass: organizationalRole
> objectClass: simpleSecurityObject
> cn: NamingClient
> userPassword: {crypt}[DEScryptstring]

This is all you need for the binding purposes.

What are the contents of /var/ldap/ldap_client_* and /etc/defaultdomain?

> My GQ client binds to that fine and gets the special permissions I have
> laid out for it in slapd.conf...
> I've also tried binding as the RootDN with the RootDN password with the
> same results.  Unless I allow anonymous read to the userPassword
> attribute, no one can log in.

I am not familiar with GQ LDAP client.  I suggest that you try ldapsearch
and use -b -D -W params (e.g. ldapsearch -x -b 'dc=mydomain,dc=com' -D
cn=NamingClient,dc=mydomain,dc=com -W 'cn=NamingClient').  If this works
and if the result shows userPassword you should be good to go.

> PAM_ldap is not configured, I assume it
> is trying pam_unix and thus using the naming services to get entries.