[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Configuring Solaris 8 clients

There's a patch out to fix the reporting of OpenLDAP at the directory tree base. Solaris depends on this to get the namingcontext and then from that nisDomain and dc. The patch hasn't been updated in a while, so I updated it (pretty simple, actually)

http://sapiens.wustl.edu/~sysmain/info/openldap/patches/solaris_patch- 2.1.13

It's for OpenLDAP 2.1.13 but should work for 2.1.16. You also need to compile OpenLDAP with crypt password support and the default password hash should be crypt

password-hash	{CRYPT}

You'll need to index nisDomain with an equality index

index	nisDomain	eq

You can test the workings of this by using the native solaris ldapsearch

	ldapsearch -b '' -s base -h 'objectclass=*'

assuming ldap is on your local host, otherwise change the ip. This should report back something like

objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=yourdomain,dc=edu
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.18
supportedLDAPVersion: 3

Solaris will then use this naming context to get nisDomain and dc. You can check with

ldapsearch -b 'dc=yourdomain,dc=edu' -s base -h 'objectclass=*'

which should report something like

dn: dc=yourdomain,dc=edu
objectClass: top
objectClass: dcObject
objectClass: domain
objectClass: nisDomainObject
dc: yourdomain
nisDomain: yourdomain.edu

If that all works then you can use ldap_gen_profile on solaris to generate a profile

ldap_gen_profile -P profile_name -a simple -D cn=proxy,dc=yourdomain,dc=edu \
-w "proxy password" -b dc=yourdomain,dc=edu ip.of.ldap.server

This generates a profile in ldif format. Remove the tabs and insert that profile into your ldap DIT. Solaris uses proxy users to bind to the ldap service. Configure a proxy user for solaris. Like

dn: cn=proxy,dc=yourdomain,dc=edu
objectClass: top
objectClass: person
cn: proxy
sn: Solaris Proxy User
userPassword: {CRYPT}something generated by slappasswd

and add to you ldap DIT and then use on your clients

on solaris 8

	ldapclient -v -P profile_name -d yourdoman.edu  ip.of.ldap.server

on solaris 9

ldapclient -v init -a profileName=profile_name -a domainName=yourdomain.edu ip.of.ldap.server

to completely configure you clients.

There's nothing else on the client side that needs to be changed, unless you're trying to do netgroups. That is a huge pain in the ass and took me the better part of a weekend to figure out. Anyway, I got the complete set up now-- automounts, user, group, password, netgroup, everything, and I'm working on writing it up incase anyone else is interested. OpenLDAP is pretty much awesome. It's all the clients out there that are crap. I read the RFC's. Why can't they?

As a warning, if you set up your server as an ldap client you need to change nsswitch.conf to read

host: files dns ldap

networks: files ldap
protocols: files ldap

or your machine will hang during boot.  This is just for the server.

I may have forgotten something.  Let me know.


On Wednesday, March 26, 2003, at 08:28 AM, Igor Brezac wrote:

On Wed, 26 Mar 2003, Quanah Gibson-Mount wrote:

--On Wednesday, March 26, 2003 8:56 AM -0500 Igor Brezac <igor@ipass.net>

This is a bit too simplistic and it will not work on Solaris 9 until
ldap_cachemgr is started. To make this setup complete you need to add
your domain to /etc/defaultdomain, /etc/init.d/ldap.client start and
restart nscd (/etc/init.d/nscd stop and then start). nscd does not need
to run in order for this to work, in the long run you do want nscd
running. For more check out:

Solaris 9


On my Solaris 9 box, at least, running that command started up nscd and the
ldap cache manager. It has been running on my system for several weeks
without problem. It also created /etc/defaultdomain.

I stand corrected. ldapclient will do all of this for you. You do need
to cleanup a bit after it runs. ldapclient restarts some services which
are not necessarily running (automounter in my case) and it installs a
default nsswitch.ldap which may need editing. On Solaris 8 you have to do
this by hand; however, ldap_cachemgr is not required to run in order for
the ldap client to operate. I do recommend getting solaris schema from
the links I mentioned earlier. Unfortunately, automatic setup does not
work for both Solaris (8|9). You need to patch openldap, or Sun needs to
fix the ldapclient and specify what attributes it needs from rootDN.


John Kloss <jkloss@sapiens.wustl.edu> System Administrator, Database Administrator, Programmer

Gish Lab, Genome Sequencing Center
Washington University . . . in St. Louis