
Re: AW: Server and client setup for connecting Solaris to an openldap server.

On Wednesday 16 April 2008 17:22:50 Kick, Claus wrote:
> Hello James,
> >Hello all,
> >I have set up a Red Hat Linux box with the Openldap server. I am
> >looking to replace our existing NIS infrastructure with Openldap. The majority
> >of the clients are Solaris 8 with a third of them being Solaris 10. I
> >have been able to connect Red Hat clients to authenticate through LDAP
> >but I am having issues with the Solaris client configuration. I see
> >some stuff on the net but nothing concrete on how to get this working.
> A few caveats with Solaris 10:
> 1. You need to do changes in the /etc/nsswitch.ldap, for this file gets
> copied over to /etc/nsswitch.conf once you are using the ldapclient.
> It should contain something like:
> passwd:     files ldap
> group:      files ldap

Actually, the bigger issue is ensuring that hostname resolution would work 
with the settings in /etc/nsswitch.ldap, e.g., you may want to ensure hosts 
and ipnodes have sane plugins configured (e.g. 'files dns', and not 
just 'ldap').

> 2. You need to run ldapclient manually once:
> I used the following parameters for it:
> ldapclient
> 	manual
> 	-v
> 	-a domainName=**********
> 	-a defaultSearchBase=**************
> 	-a proxyDN=cn=proxyagent,ou=profile,o=************
> 	-a proxyPassword=*************
> 	-a searchTimeLimit=90
> 	-a serviceSearchDescriptor=group:ou=Group,=************
> 	-a serviceSearchDescriptor=passwd:ou=People,o=*************.com
> 	-a defaultSearchScope=sub
> 	-a objectclassMap=group:posixGroup=posixGroup
> 	-a defaultServerList=
> 	-a authenticationMethod=simple
> That gets you both files:
> /var/ldap/:
> ldap_client_file
> ldap_client_cred
> 3. Then you need to restart the ldap client service.
> (svc:/network/ldap/client:default)
> The client then uses the already created files and does not recreate
> them.

Note that if you have changed the default umask (e.g. our corporate security 
standards for Solaris require umask to be 077), then you may have to set 
permissions on the /var/run/*door* files.

> 4. The slapd.conf should definitely contain:
> #that one almost gave me a headache
> sizelimit unlimited

I wouldn't do this myself. If you are going to use a proxy user, add the proxy 
user to a group that has limits set with the 'limits' statement.

> #if you are using standard solaris that is.
> password-hash {CRYPT}

This is only necessary if you are going to authenticate via a "shadow"-like 
mechanism (aka you like the insecurity NIS provides you with). I would 
suggest configuring pam instead.

> modulepath      /opt/csw/libexec/openldap
> # if you are using Berkeley DB
> moduleload      back_bdb.la
> #this enables you to authenticate users via shell
> access to attrs=userpassword by self write by * read by anonymous auth

I would much rather use PAM than "by * read" on userPassword ... especially 
with hashes in crypt.

> #this is useful for caching
> index cn,sn,uid pres,eq,approx,sub
> index objectClass eq
> index memberUid eq,pres
> index uniqueMember eq,pres
> index uidNumber eq,pres
> index gidNumber eq,pres
> #For Solaris 8, I think you also need (could also be necessary for
> Solaris 10, not sure here):
> allow bind_v2
> >I see some sites mention a solaris schema but I have not been able to locate
> >that anywhere. Is this something that is possible?
> You don't need the Solaris Schema, for the necessary objects are already
> included in the nis.schema.
> The information on the net regarding this is outdated.

Incorrect. You need the schema definitions if you want automatic mode to work. 
However, automatic mode can't work against OpenLDAP on Solaris <= 9 (I'm not 
sure about 10), unless you have the 'allop' overlay (which ships with 2.4, 
but can be made to work on 2.3 with some minor patching).

My 2.3 packages for RHEL4 (and 5) will ship the allop overlay. I have attached 
the schema definitions required for automatic mode to work. In automatic 
mode, the ldapclient does a search of the empty suffix 
(effectively 'ldapsearch -x -s base -b ""'), and expects to get the 
namingContexts without asking for them (which will occur if you have allop 
loaded). It will then search each of those suffixes in the namingContexts 
attribute for (nisdomain=$domain), where $domain is the domain provided to 
the ldapclient command. If it finds a matching entry, it will search below 
that entry for an objectclass DUAConfigProfile (so, you need this schema too, 
I think it ships with nss_ldap) matching (cn=$profilename) for the profile.

> >I am sure it is but I
> >am relatively new to LDAP. Should I be looking at the Solaris native
> >LDAP server?
> Sun Java Directory Server you mean? I don't think that anyone here will
> advise you to do so.
> The server is free, but if you want a support contract, you need to pay
> per ldap entry.
> Due to budget cuts, that made it a nogo for us.
> >I have openldap-servers-2.3.27-8 installed on RHEL4.
> >The schemas listed in my slapd.conf are..
> >
> >include         /etc/openldap/schema/core.schema
> >include         /etc/openldap/schema/cosine.schema
> >include         /etc/openldap/schema/inetorgperson.schema
> >include         /etc/openldap/schema/nis.schema
> Those should be all you need.
> You can also configure nscd to really speed things up, if you need help
> there, just drop me a mail directly, do not want to swamp Openldap
> people with Solaris internals.

Well, this list is intended for the integration aspects that were off-topic on 
the OpenLDAP-software list, and I would prefer to have accurate information 
available than the current misinformation.

> If you need any further help, just ask. We just went through hell and
> back to migrate our ldap stuff from netscape 4.16 to openldap 2.3.xx,
> and memory is still fresh.

I've been required to provide an easy method for our Solaris admins to 
configure LDAP authentication. I've got a script that does everything 
(including setting up PAM), which I will try and clean up and post tomorrow 
(or, at least the awk script that configures pam).

# bits of rfc2307bis.schema for Solaris:
# (slapd also needs the numeric OID before each NAME, as given in
# rfc2307bis.schema; it is not reproduced here)
attributetype ( NAME 'nisdomain'
  DESC 'NIS domain'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( NAME 'nisDomainObject' SUP top AUXILIARY
  DESC 'Associates a NIS domain with a naming context'
  MUST nisdomain )
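Added example, not part of this thread and not OpenLDAP code: a small Python check for the two slapd.conf points argued about above, the global "sizelimit unlimited" versus a "limits" statement for the proxy user's group, and "by * read" on userPassword versus letting PAM bind as the user. It parses slapd.conf's own line format (comment lines, whitespace-led continuation lines) and evaluates the "by" clauses in order, as slapd does. The two configurations embedded in it are constructed for this example; the group and base DNs in them are made up.

```python
"""Audit of the slapd.conf points discussed in the thread (added example).

slapd.conf is line oriented: '#' lines are comments and a line that starts
with whitespace continues the previous directive.  The audit reports:
  * a global 'sizelimit unlimited' (or -1) instead of a scoped 'limits'
  * an 'access to attrs=userPassword' rule whose first matching 'by' clause
    lets anonymous or authenticated users read the hashes
  * no access directives at all (slapd then lets everyone read everything)
Both sample configurations below are constructed; their DNs are made up.
"""
import re

# The thread's own slapd.conf lines, with the two weak settings kept
WEAK_CONF = """\
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/nis.schema
# that one almost gave me a headache
sizelimit unlimited
password-hash {CRYPT}
access to attrs=userpassword by self write by * read by anonymous auth
access to * by * read
"""

# Same intent, hardened: the size limit is lifted only for the (constructed)
# group holding the proxy user, and userPassword can be used for binds
# (pam_ldap binding as the user) but not read by anyone else
HARDENED_CONF = """\
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/nis.schema
password-hash {SSHA}
limits group/groupOfNames/member="cn=ldapclients,ou=Group,dc=example,dc=com"
        size=unlimited
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by anonymous auth
"""

# slapd access levels, weakest to strongest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BY_RE = re.compile(r"\bby\s+(\S+)\s+(\S+)")


def parse_slapd_conf(text):
    """Return (keyword, argument) pairs; continuation lines are joined,
    comments and blank lines dropped, keywords lower-cased."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:  # continues the previous directive
            kw, arg = directives[-1]
            directives[-1] = (kw, (arg + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def userpassword_rules(directives):
    """For each 'access to ... userPassword ...' directive return its (who, level)
    'by' clauses in order.  Subjects containing spaces are not handled."""
    rules = []
    for kw, arg in directives:
        if kw != "access":
            continue
        m = re.match(r"to\s+(.*?)\s+(?=by\s)", arg, re.I)
        if m and "userpassword" in m.group(1).lower():
            rules.append(BY_RE.findall(arg[m.end(1):]))
    return rules


def effective_level(by_clauses, subject):
    """The first 'by' clause matching the subject wins, as slapd evaluates them."""
    matching = {"anonymous": {"anonymous", "*"}, "users": {"users", "*"}}[subject]
    for who, level in by_clauses:
        if who.lower() in matching:
            return level.lower()
    return "none"  # nothing matched: slapd denies


def grants_read(level):
    """True for a level of 'read' or above, or a privilege spec (=rscx...) with 'r'."""
    if level in LEVELS:
        return LEVELS.index(level) >= LEVELS.index("read")
    return level.startswith("=") and "r" in level


def audit(text):
    """Return (code, message) findings for a slapd.conf text."""
    findings = []
    directives = parse_slapd_conf(text)
    for kw, arg in directives:
        if kw == "sizelimit" and arg.lower().split()[:1] in (["unlimited"], ["-1"]):
            findings.append(("SIZELIMIT_UNLIMITED",
                             "global sizelimit is unlimited; use a 'limits' statement "
                             "for the proxy user's group instead"))
    if not any(kw == "access" for kw, _ in directives):
        findings.append(("NO_ACCESS_RULES",
                         "no access directives: slapd's default lets anyone read "
                         "every attribute, userPassword included"))
    for clauses in userpassword_rules(directives):
        for subject in ("anonymous", "users"):
            level = effective_level(clauses, subject)
            if grants_read(level):
                findings.append((f"USERPASSWORD_READABLE:{subject}",
                                 f"'{subject}' gets '{level}' on userPassword; use "
                                 "'by anonymous auth' and 'by * none' so PAM can bind "
                                 "without the hashes being readable"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'no findings'}")
```

Run it as-is to see the weak configuration produce three findings and the hardened one none; feed it your own slapd.conf text to check a real server. The "by" clause tokenizer is deliberately simple and will mis-split a quoted DN that contains spaces.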