
RE: mapping one search to another



Greg,

Had problems with the openldap/padl stack on Solaris when trying to
get the sasl/gssapi part working.  Works OK for simple/auth.

I run tls encryption from sol8 and sol9 native clients to openldap
server.  By installing the ldap2 back-port (patch 108993-nn) on sol8
you get the sol9 ldap client functionality, which is easier to use
than the sol8.

I'm using simple auth (as you are probably already doing on the sol8
client?).  Here's an example below of a usable ldap2 (sol9)
ldap_client_file, in which the mappings may not match the objectclasses
and attributes you are using at your sol9 openldap server, but I'm sure
you'll get the gist.

btw, I never use the solaris profiles, which seem to get in the way of
configuring clients rather than helping, but maybe I've not worked out
how to use them properly.

Let me know if you need details on getting the tls part working.

Steve
----------------------------------------------------------------------------
# /var/ldap/ldap_client_file, Solaris 9 (ldap2) format
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= nnn.nnn.nnn.nnn
NS_LDAP_SEARCH_BASEDN= dc=usp,dc=net
# simple bind over TLS; the proxy bind DN and password that go with the
# proxy credential level live in /var/ldap/ldap_client_cred, not in this file
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
# per-service search descriptors: service:base?scope
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Groups,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= services:ou=IpServices,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= bootparams:ou=Bootparams,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=Netgroups,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= ethers:ou=Ethers,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:nisMapName=auto_master,dc=Automount,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_proj:nisMapName=auto_proj,dc=Automount,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home:nisMapName=auto_home,dc=Automount,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_direct:nisMapName=auto_direct,dc=Automount,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_BIND_TIME= 30
# attribute maps: service:<Solaris default attribute>=<attribute used at the server>
NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount:automountInformation=nismapentry
NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= netgroup:membernisnetgroup=memberNisNetgroup
NS_LDAP_ATTRIBUTEMAP= netgroup:nisnetgrouptriple=nisNetgroupTriple
NS_LDAP_ATTRIBUTEMAP= services:ipserviceport=ipServicePort
NS_LDAP_ATTRIBUTEMAP= services:ipserviceprotocol=ipServiceProtocol
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= shadow:shadowFlag=shadowFlag
NS_LDAP_ATTRIBUTEMAP= shadow:shadowExpire=shadowExpire
NS_LDAP_ATTRIBUTEMAP= shadow:shadowInactive=shadowInactive
NS_LDAP_ATTRIBUTEMAP= shadow:shadowWarning=shadowWarning
NS_LDAP_ATTRIBUTEMAP= shadow:shadowMax=shadowMax
NS_LDAP_ATTRIBUTEMAP= shadow:shadowMin=shadowMin
NS_LDAP_ATTRIBUTEMAP= shadow:shadowLastChange=shadowLastChange
NS_LDAP_ATTRIBUTEMAP= shadow:userPassword=userPassword
NS_LDAP_ATTRIBUTEMAP= shadow:uid=uid
NS_LDAP_ATTRIBUTEMAP= passwd:loginShell=loginShell
NS_LDAP_ATTRIBUTEMAP= passwd:homeDirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=gecos
NS_LDAP_ATTRIBUTEMAP= passwd:gidNumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidNumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:userPassword=userPassword
NS_LDAP_ATTRIBUTEMAP= passwd:uid=uid
NS_LDAP_ATTRIBUTEMAP= ethers:macAddress=macAddress
# objectclass maps: service:<Solaris default objectclass>=<objectclass used at the server>
NS_LDAP_OBJECTCLASSMAP= automount:automount=nisObject
NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= netgroup:nisnetgroup=NisNetgroup
NS_LDAP_OBJECTCLASSMAP= services:ipservice=ipService
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixGroup
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=shadowAccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= ethers:ieee802Device=ieee802Device
----------------------------------------------------------------------------

> So far I've only got the native stack to work with any success and only
> unencrypted. Getting the padl modules to work is proving difficult (for
> me anyway). Also according to Sun, Sol9 *requires* the use of profiles
> which pretty much necessitates the use of the native pam because it
> looks in /var/ldap/ldap_client_file rather than /path/to/your/ldap.conf
> 
> (I could be wrong about this - I'm not a Solaris expert, by a long shot)
> 
> If I'm using padl's pam module (pam_ldap.so.1) do I need to use the nss
> module as well? What is the difference between this and the solaris
> nss_ldap.so.1?
> 
> I would prefer to use the solaris stuff but encryption is my main aim at
> the moment and I'm willing to try anything to get it working.
> 
> Doesn't anyone run encrypted solaris clients on openldap server?
> 
> GREG
> 
> On Tue, 2003-06-24 at 15:40, Smith, Steve wrote:
> > Are you using the native ldap client or the openldap/padl stack?
> > 
> > > I'm using openldap 2.1.21 running on Solaris9. I've got it working and
> > > behaving itself with a RedHat9 client (with tls) and also with solaris 8
> > > (without encryption).
> > > 
> > > I now need to get it working with sol9 but sol9 searches for
> > > (&(objectclass=automount)(automountkey=foobar)) as opposed to solaris 8
> > > (&(nismapname=auto.users)(cn=foobar)) when searching for the users' home
> > > directories (where foobar is the user group corresponding to the
> > > /home/foobar/username home directory).
> > > 
> > > How can I map one onto the other? Do I need a service search descriptor
> > > or objectclass mapping or attribute mapping? Am I oversimplifying the
> > > problem? 
> > > 
> > > Apologies if this is a FAQ (I can't find it)...
> > > 
> > > TIA
> > > 
> > > GREG
> > > -- 
> > > Greg Matthews
> > > iTSS Wallingford	01491 692445
> > > 
> > 
> > 
> > **********************************************************************
> > This is a commercial communication from Commerzbank AG.
> > 
> > This communication is confidential and is intended only for the person to
> > whom it is addressed.  If you are not that person you are not permitted to
> > make use of the information and you are requested to notify
> > <mailto:LONIB.Postmaster@commerzbankib.com> immediately that you have
> > received it and then destroy the copy in your possession.
> > 
> > Commerzbank AG may monitor outgoing and incoming e-mails. By replying to
> > this e-mail you consent to such monitoring. This e-mail message and any
> > attached files have been scanned for the presence of computer viruses.
> > However, you are advised that you open attachments at your own risk.
> > 
> > This email was sent either by Commerzbank AG, London Branch, or by
> > Commerzbank Securities, a division of Commerzbank.  Commerzbank AG is a
> > limited liability company incorporated in the Federal Republic of Germany.
> > Registered Company Number in England BR001025. Our registered address in
> > the UK is 23 Austin Friars, London, EC2P 2JD. We are regulated by the
> > Financial Services Authority for the conduct of investment business in the
> > UK and we appear on the FSA register under number 124920. 
> > 
> > 
> > **********************************************************************
> -- 
> Greg Matthews
> iTSS Wallingford	01491 692445
> 
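The mapping question in the quoted thread (how the Solaris 9 client's default
search (&(objectclass=automount)(automountkey=foobar)) ends up hitting a server
that keeps automount data in the Solaris 8 style nisObject/cn schema) can be seen
at work in the added Python model below. It is not part of this mail and not
Sun's libsldap code: it reads the three kinds of ldap_client_file entries from
the file posted above (NS_LDAP_SERVICE_SEARCH_DESC, NS_LDAP_ATTRIBUTEMAP,
NS_LDAP_OBJECTCLASSMAP) and rewrites a default-schema filter plus search base
into what would be sent to the server. The sample client file inside it is a
constructed subset of the one above, and the model assumes, as simplifications,
that every auto_* map uses the "automount" mapping entries and that attribute
and objectclass names are matched case-insensitively.

```python
import re

# Constructed sample: a subset of the ldap_client_file posted in this mail,
# embedded here only so that the example runs offline.
SAMPLE_CLIENT_FILE = """\
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SEARCH_BASEDN= dc=usp,dc=net
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home:nisMapName=auto_home,dc=Automount,dc=ClientA,dc=usp,dc=net?one
NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount:automountInformation=nismapentry
NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
NS_LDAP_OBJECTCLASSMAP= automount:automount=nisObject
NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap
"""

# One "(attribute=value)" item of a simple LDAP filter.
_FILTER_ITEM = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")


def parse_client_file(text):
    """Parse the NS_LDAP_* keys that influence a search.

    attrmap / ocmap are keyed by service, then by the lower-cased Solaris
    default name, and give the name actually used at the server.
    ssd maps a service to (base, scope-or-None).
    """
    cfg = {"scalar": {}, "attrmap": {}, "ocmap": {}, "ssd": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("NS_LDAP_ATTRIBUTEMAP", "NS_LDAP_OBJECTCLASSMAP"):
            service, _, pair = value.partition(":")
            default, _, real = pair.partition("=")
            table = "attrmap" if key == "NS_LDAP_ATTRIBUTEMAP" else "ocmap"
            cfg[table].setdefault(service, {})[default.lower()] = real
        elif key == "NS_LDAP_SERVICE_SEARCH_DESC":
            service, _, desc = value.partition(":")
            base, _, scope = desc.partition("?")
            cfg["ssd"][service] = (base, scope or None)
        else:
            cfg["scalar"][key] = value
    return cfg


def mapping_service(service):
    """Assumption of this model: all auto_* maps share the 'automount' maps."""
    return "automount" if service.startswith("auto_") else service


def resolve_search(cfg, service, default_filter):
    """Return (base_dn, scope, filter) as the client would send them.

    Attribute names in the filter are rewritten through the service's
    attribute map; the value of objectclass=... through its objectclass map.
    Anything without a mapping entry passes through unchanged.
    """
    svc = mapping_service(service)
    attrmap = cfg["attrmap"].get(svc, {})
    ocmap = cfg["ocmap"].get(svc, {})

    def rewrite(match):
        attr, value = match.group(1), match.group(2)
        real_attr = attrmap.get(attr.lower(), attr)
        if attr.lower() == "objectclass":
            value = ocmap.get(value.lower(), value)
        return "(%s=%s)" % (real_attr, value)

    real_filter = _FILTER_ITEM.sub(rewrite, default_filter)
    base, scope = cfg["ssd"].get(service, (None, None))
    if base is None:  # no SSD for this service: fall back to the global base
        base = cfg["scalar"].get("NS_LDAP_SEARCH_BASEDN", "")
    if scope is None:
        scope = cfg["scalar"].get("NS_LDAP_SEARCH_SCOPE", "one")
    return base, scope, real_filter


if __name__ == "__main__":
    cfg = parse_client_file(SAMPLE_CLIENT_FILE)
    sol9_default = "(&(objectclass=automount)(automountkey=foobar))"
    print(resolve_search(cfg, "auto_home", sol9_default))
```

Run as-is it shows the auto_home lookup going out as
(&(objectclass=nisObject)(cn=foobar)) under
nisMapName=auto_home,dc=Automount,dc=ClientA,dc=usp,dc=net, which is the
Solaris 8 style search Greg described; removing the NS_LDAP_OBJECTCLASSMAP
line for automount, or the automountKey=cn attribute map, shows which half of
the rewrite each kind of entry is responsible for.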

