
Re: Configuring Solaris 8 clients



Well put.  ;) I wrote this simple patch a long time ago, but never submitted
it to the devel folks because it breaks the RFC.  I am manually configuring the
ldap clients now, so I no longer need the patch.  ldapclient just makes way too
many (wrong) assumptions.  I was hoping Sun folks would fix their mess.
Wishful thinking.  ;( It appears that ldapclient sasl/digest-md5 is not
working either, I am still testing.

You might want to upgrade to openldap 2.1.16.  It contains numerous fixes
including one nasty memory leak.

-Igor

On Wed, 26 Mar 2003, John Kloss wrote:

> There's a patch out to fix the reporting of OpenLDAP at the directory
> tree base.  Solaris depends on this to get the namingcontext and then
> from that nisDomain and dc.  The patch hasn't been updated in a while,
> so I updated it (pretty simple, actually).
>
> 	http://sapiens.wustl.edu/~sysmain/info/openldap/patches/solaris_patch-2.1.13
>
> It's for OpenLDAP 2.1.13 but should work for 2.1.16.  You also need to
> compile OpenLDAP with crypt password support and the default password
> hash should be crypt
>
> password-hash	{CRYPT}
>
> You'll need to index nisDomain with an equality index
>
> index	nisDomain	eq
>
> You can test the workings of this by using the native solaris ldapsearch
>
> 	ldapsearch -b '' -s base -h 127.0.0.1 'objectclass=*'
>
> assuming ldap is on your local host, otherwise change the ip.  This
> should report back something like
>
> dn:
> objectClass: top
> objectClass: OpenLDAProotDSE
> structuralObjectClass: OpenLDAProotDSE
> namingContexts: dc=yourdomain,dc=edu
> supportedControl: 1.2.826.0.1.334810.2.3
> supportedControl: 1.3.6.1.4.1.4203.1.10.1
> supportedControl: 1.3.6.1.4.1.4203.1.10.2
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 2.16.840.1.113730.3.4.18
> supportedExtension: 1.3.6.1.4.1.1466.20037
> supportedExtension: 1.3.6.1.4.1.4203.1.11.1
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
> supportedLDAPVersion: 3
>
> Solaris will then use this naming context to get nisDomain and dc.  You
> can check with
>
> 	ldapsearch -b 'dc=yourdomain,dc=edu' -s base -h 127.0.0.1 'objectclass=*'
>
> which should report something like
>
> dn: dc=yourdomain,dc=edu
> objectClass: top
> objectClass: dcObject
> objectClass: domain
> objectClass: nisDomainObject
> dc: yourdomain
> nisDomain: yourdomain.edu
>
> If that all works then you can use ldap_gen_profile on solaris to
> generate a profile
>
> ldap_gen_profile -P profile_name -a simple -D cn=proxy,dc=yourdomain,dc=edu \
> 	-w "proxy password" -b dc=yourdomain,dc=edu ip.of.ldap.server
>
> This generates a profile in ldif format.  Remove the tabs and insert
> that profile into your ldap DIT.  Solaris uses proxy users to bind to
> the ldap service. Configure a proxy user for solaris.  Like
>
> dn: cn=proxy,dc=yourdomain,dc=edu
> objectClass: top
> objectClass: person
> cn: proxy
> sn: Solaris Proxy User
> userPassword: {CRYPT}something generated by slappasswd
>
> and add to your ldap DIT and then use on your clients
>
> on solaris 8
>
> 	ldapclient -v -P profile_name -d yourdomain.edu  ip.of.ldap.server
>
> on solaris 9
>
> 	ldapclient -v init -a profileName=profile_name -a domainName=yourdomain.edu ip.of.ldap.server
>
> to completely configure your clients.
>
> There's nothing else on the client side that needs to be changed,
> unless you're trying to do netgroups.  That is a huge pain in the ass
> and took me the better part of a weekend to figure out.  Anyway, I got
> the complete set up now-- automounts, user, group, password, netgroup,
> everything, and I'm working on writing it up in case anyone else is
> interested.  OpenLDAP is pretty much awesome.  It's all the clients out
> there that are crap.  I read the RFCs.  Why can't they?
>
> As a warning, if you set up your server as an ldap client you need to
> change nsswitch.conf to read
>
> hosts: files dns ldap
>
> networks: files ldap
> protocols: files ldap
> etc.
>
> or your machine will hang during boot.  This is just for the server.
>
> I may have forgotten something.  Let me know.
>
> HTH.
>
> On Wednesday, March 26, 2003, at 08:28 AM, Igor Brezac wrote:
>
> > On Wed, 26 Mar 2003, Quanah Gibson-Mount wrote:
> >
> >> --On Wednesday, March 26, 2003 8:56 AM -0500 Igor Brezac
> >> <igor@ipass.net> wrote:
> >>
> >>> This is a bit too simplistic and it will not work on Solaris 9 until
> >>> ldap_cachemgr is started.  To make this setup complete you need to add
> >>> your domain to /etc/defaultdomain, /etc/init.d/ldap.client start and
> >>> restart nscd (/etc/init.d/nscd stop and then start).  nscd does not need
> >>> to run in order for this to work, in the long run you do want nscd
> >>> running.  For more check out:
> >>>
> >>> Solaris 9
> >>> http://docs.sun.com/db/doc/806-4077/6jd6blbdk?a=view
> >>
> >> Igor,
> >>
> >> On my Solaris 9 box, at least, running that command started up nscd and
> >> the ldap cache manager.  It has been running on my system for several
> >> weeks without problem.  It also created /etc/defaultdomain.
> >>
> >
> > I stand corrected.  ldapclient will do all of this for you.  You do need
> > to clean up a bit after it runs.  ldapclient restarts some services which
> > are not necessarily running (automounter in my case) and it installs a
> > default nsswitch.ldap which may need editing.  On Solaris 8 you have to do
> > this by hand; however, ldap_cachemgr is not required to run in order for
> > the ldap client to operate.  I do recommend getting solaris schema from
> > the links I mentioned earlier.  Unfortunately, automatic setup does not
> > work for both Solaris (8|9).  You need to patch openldap, or Sun needs to
> > fix the ldapclient and specify what attributes it needs from rootDN.
> >
> > --
> > Igor
> >
> >
>
> John Kloss <jkloss@sapiens.wustl.edu>
> System Administrator, Database Administrator, Programmer
>
> Gish Lab, Genome Sequencing Center
> Washington University . . . in St. Louis
>
>

-- 
Igor
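
Added example, not code from the thread or from OpenLDAP: a small Python checker modelled on the two ldapsearch tests in John Kloss's quoted post. It parses ldapsearch LDIF output and reports whether the rootDSE advertises namingContexts and whether that naming-context entry carries the nisDomainObject/nisDomain/dc values a Solaris ldapclient derives its configuration from. Function and constant names are mine, and the sample LDIF is constructed from the thread's example output.

```python
# Added example (not the thread's code): checks the two ldapsearch results a Solaris
# ldapclient relies on, per the quoted post.  Sample LDIF below is constructed from the
# thread's example output; replace it with real 'ldapsearch -s base' output.
import base64
import re

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; unfolds lines, decodes '::' base64, lowercases attrs."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_solaris_prereqs(rootdse_ldif, context_ldif, domain):
    """Return problems (empty = ready): rootDSE -> namingContexts -> dc entry with nisDomainObject/nisDomain."""
    rootdse = parse_ldif(rootdse_ldif)
    if not rootdse or rootdse[0].get("dn", [""])[0] != "":
        return ["rootDSE query did not return the empty-DN entry"]
    contexts = {c.lower() for c in rootdse[0].get("namingcontexts", [])}
    if not contexts:
        return ["rootDSE advertises no namingContexts (see the solaris patch)"]
    ctx = next((e for e in parse_ldif(context_ldif)
                if e.get("dn", [""])[0].lower() in contexts), None)
    if ctx is None:
        return ["naming context entry not found: " + ", ".join(sorted(contexts))]
    problems = []
    classes = {c.lower() for c in ctx.get("objectclass", [])}
    if "nisdomainobject" not in classes:
        problems.append("naming context lacks objectClass nisDomainObject")
    if domain.lower() not in {d.lower() for d in ctx.get("nisdomain", [])}:
        problems.append("nisDomain does not name " + domain)
    if "dc" not in ctx:
        problems.append("naming context lacks a dc attribute")
    return problems

# Constructed sample output, shaped like the thread's examples.
ROOTDSE_LDIF = ("dn:\nobjectClass: top\nobjectClass: OpenLDAProotDSE\n"
                "namingContexts: dc=yourdomain,dc=edu\nsupportedLDAPVersion: 3\n")
CONTEXT_LDIF = ("dn: dc=yourdomain,dc=edu\nobjectClass: top\nobjectClass: dcObject\n"
                "objectClass: domain\nobjectClass: nisDomainObject\ndc: yourdomain\nnisDomain: yourdomain.edu\n")
```

Run it against the output of the two ldapsearch commands from the post before touching ldapclient; an empty list means the server side is in the shape the client expects.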