
Re: solaris 10 as client to openldap



Finally I found out the following:
1. There seems to be a bug in OpenSolaris (I know, it's not the same as Solaris) which seems related: http://bugs.opensolaris.org/bugdatabase/printableBug.do?bug_id=6939899
2. The workaround is described here: http://docs.alkaloid.net/index.php/Solaris_LDAP_client_with_OpenLDAP_server
Under "Configure the client using a profile" the author writes:
"As noted above, however, the LDAP client seems to have some strange behaviors. In the configuration profile shown above, anonymous access is used to search the directory. However, unless a proxyDN and a proxyPassword are specified, the ldap service refuses to start! A simple way to make ldapclient and the cache manager happy is to provide those credentials, even if they aren't valid."

So, for me, the following worked:
ldapclient -v init -a profileName=solarisbox -a proxyDN=cn=fake,ou=People,dc=example,dc=com -a proxyPassword=xxxx 192.168.0.5

Isaac


On 09/02/2010 06:01 PM, Isaac Hailperin wrote:

Hi,

I am trying to set up a Solaris 10 LDAP client to work with an OpenLDAP
server.
The server serves the following profile:
dn: cn=solarisbox,ou=profile,dc=acme,dc=de
bindTimeLimit: 10
credentialLevel: anonymous
cn: solarisbox
profileTTL: 43200
searchTimeLimit: 30
defaultSearchScope: sub
followReferrals: TRUE
authenticationMethod: simple
defaultSearchBase: dc=acme,dc=de
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 192.168.0.5

On the solaris box, I issue:
ldapclient -v init -a profileName=solarisbox 192.168.0.5
Parsing profileName=solarisbox
Arguments parsed:
profileName: solarisbox
defaultServerList: 192.168.0.5
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 1 namingcontexts
findBaseDN: __ns_ldap_list(NULL,
"(&(objectclass=nisDomainObject)(nisdomain=acme.de))"
rootDN[0] dc=acme,dc=de
found baseDN dc=acme,dc=de for domain acme.de
Proxy DN: NULL
Proxy password: NULL
Credential level: 0
Authentication method: 1
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
[...]
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
[...]
top: network/ldap/client:default... restoring from maintenance state
stop: network/ldap/client:default... failed: required constraint not met
Stopping ldap failed with (1)
Error (1) while stopping services during reset
recover: stat(/var/ldap/restore/defaultdomain)=0
[...]


I am not very familiar with solaris, so I just drop a few other things
that I found that seemed related:

cat /var/ldap/cachemgr.log
[...]
Thu Sep 2 17:02:19.4557 Error: Unable to read
'/var/ldap/ldap_client_file': Configuration Error: No entry for
'NS_LDAP_BINDDN' found
Thu Sep 2 17:02:19.4601 detachfromtty(): child failed (rc = 255).
Thu Sep 2 17:32:56.9181 Starting ldap_cachemgr, logfile
/var/ldap/cachemgr.log
[...]

I can confirm that /var/ldap/ldap_client_file does not exist.

grep ldap /var/svc/log/*
/var/svc/log/network-ldap-client:default.log:[ Sep 2 17:02:19 Executing start method ("/lib/svc/method/ldap-client start") ]
/var/svc/log/network-ldap-client:default.log:/usr/lib/ldap/ldap_cachemgr: failed. Please see syslog for details.

/var/svc/log/svc.startd.log:Sep 2 17:32:57/458 ERROR: svc:/network/ldap/client:default: Method "/lib/svc/method/ldap-client start" failed with exit status 1.
/var/svc/log/svc.startd.log:Sep 2 17:32:57/458: network/ldap/client:default failed: transitioned to maintenance (see 'svcs -xv' for details)

cat /var/adm/messages
[...]
Sep 2 17:32:56 unknown ldap_cachemgr[1134]: [ID 293258 daemon.error]
libsldap: Status: 0 Mesg: Configuration Error: No entry for
'NS_LDAP_BINDDN' found
Sep 2 17:32:56 unknown ldap_cachemgr[1133]: [ID 703877 daemon.error]
ldap_cachemgr: failed (rc = 255).
Sep 2 17:32:57 unknown svc.startd[7]: [ID 652011 daemon.warning]
svc:/network/ldap/client:default: Method "/lib/svc/method/ldap-client
start" failed with exit status 1.
[...]

I had a look at another solaris 10 machine (which I did not set up).
The file /var/ldap/ldap_client_file exists, but has no entry
'NS_LDAP_BINDDN'.
Also, I can't find some sort of bindDN option to ldapclient, nor can I
find an attribute of that kind for the profile.

Any hints on how to get this working?

Isaac

--
Isaac Hailperin            tel: +49 30 84185 160
ZIB                        fax: +49 30 84185 311
Takustr. 7
D-14195 Berlin
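Added example, not code from either message in this thread: a small Python audit that parses the DUAConfigProfile quoted in the original message, flags the credentialLevel anonymous case that trips the ldapclient behaviour described in the reply, recognises the NS_LDAP_BINDDN failure signature in cachemgr.log and /var/adm/messages lines, and builds the argument vector for ldapclient init (with or without the proxy credentials the reply uses as a workaround). The profile text and log lines are constructed copies of what the thread quotes; the finding about tls:simple is a general point about simple binds over plain ldap://, not something the thread states.

```python
"""Audit a Solaris DUAConfigProfile and recognise the ldap_cachemgr failure
signature from the thread. Added example; not the poster's code."""
import re

# Constructed from the profile quoted in the original message.
PROFILE_LDIF = """\
dn: cn=solarisbox,ou=profile,dc=acme,dc=de
bindTimeLimit: 10
credentialLevel: anonymous
cn: solarisbox
profileTTL: 43200
searchTimeLimit: 30
defaultSearchScope: sub
followReferrals: TRUE
authenticationMethod: simple
defaultSearchBase: dc=acme,dc=de
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 192.168.0.5
"""

# Constructed log lines modelled on those quoted in the original message.
LOG_LINES = [
    "Thu Sep 2 17:02:19.4557 Error: Unable to read '/var/ldap/ldap_client_file': "
    "Configuration Error: No entry for 'NS_LDAP_BINDDN' found",
    "Thu Sep 2 17:02:19.4601 detachfromtty(): child failed (rc = 255).",
    "Sep 2 17:32:57 unknown svc.startd[7]: [ID 652011 daemon.warning] "
    "svc:/network/ldap/client:default: Method \"/lib/svc/method/ldap-client start\" "
    "failed with exit status 1.",
    "Thu Sep 2 17:40:00.0001 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log",
]


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-case): [values]}.
    Folded continuation lines (leading space) are joined; comments skipped."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def audit_profile(entry):
    """Return a list of findings (strings) for a DUAConfigProfile entry."""
    findings = []
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    if "duaconfigprofile" not in classes:
        findings.append("objectClass DUAConfigProfile missing")
    level = entry.get("credentiallevel", ["anonymous"])[0].lower()
    method = entry.get("authenticationmethod", ["none"])[0].lower()
    if level == "anonymous":
        # The behaviour reported in the thread: the client insists on
        # proxyDN/proxyPassword even though anonymous lookups are configured.
        findings.append("credentialLevel anonymous: affected Solaris 10 clients still "
                        "demand a proxyDN/proxyPassword at ldapclient init")
    if level.startswith("proxy") and method == "simple":
        # General caveat (not from the thread): a simple bind over ldap://
        # sends the proxy password in clear text; tls:simple avoids that.
        findings.append("proxy credentials with authenticationMethod simple: "
                        "proxy password crosses the wire in clear text")
    if "defaultserverlist" not in entry:
        findings.append("defaultServerList missing")
    return findings


_BINDDN_ERR = re.compile(r"No entry for 'NS_LDAP_BINDDN' found")
_SVC_FAIL = re.compile(r"svc:/network/ldap/client:default: Method .* failed with exit status \d+")


def scan_logs(lines):
    """Count the two signatures from the thread so an operator can tell the
    missing-credentials case from an unrelated service start failure."""
    result = {"missing_binddn": 0, "svc_start_failed": 0, "other": 0}
    for line in lines:
        if _BINDDN_ERR.search(line):
            result["missing_binddn"] += 1
        elif _SVC_FAIL.search(line):
            result["svc_start_failed"] += 1
        else:
            result["other"] += 1
    return result


def ldapclient_init_args(entry, server, proxy_dn=None, proxy_password=None):
    """Build the argv for 'ldapclient init' from the profile (a list, so no
    shell quoting is involved). Proxy options are added only as a pair."""
    args = ["ldapclient", "-v", "init", "-a", "profileName=" + entry["cn"][0]]
    if proxy_dn and proxy_password:
        args += ["-a", "proxyDN=" + proxy_dn, "-a", "proxyPassword=" + proxy_password]
    elif proxy_dn or proxy_password:
        raise ValueError("proxyDN and proxyPassword must be given together")
    args.append(server)
    return args


if __name__ == "__main__":
    profile = parse_ldif_entry(PROFILE_LDIF)
    for finding in audit_profile(profile):
        print("finding:", finding)
    print(scan_logs(LOG_LINES))
    print(" ".join(ldapclient_init_args(profile, "192.168.0.5")))
```

Run against a real profile by replacing PROFILE_LDIF with the output of an ldapsearch for the profile entry, and feed scan_logs the lines of /var/ldap/cachemgr.log; a non-zero missing_binddn count with credentialLevel anonymous is exactly the situation the reply works around.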