
Re: Patching openldap?

On 07.10.2011 23:58, NetNinja wrote:
> OK, that's good to know.
> I was reading in the book "Solaris 10 System Administration Essential"
> and it says on pg 365 that the openldap server needs to be patched so
> that the ldapclient init utility will configure properly.
> Do you happen to remember how you set up the Solaris native client? This is
> my current issue: I installed openldap on a RHEL 5.5 server and have all
> the Linux servers working with the ldap server, but the Solaris servers
> won't let me log in as an LDAP user. I can do an ldapsearch, id, getent and
> get info on ldap users. I am in the process of troubleshooting the issue
> and I'm not sure what I'm doing wrong. My setup is very basic: no TLS,
> automount or replication. I will add these later when I know what I'm doing.
> Anyway, thanks for your help. If you have any advice on ldapclient setup,
> let me know.
> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal
> <moenoel@informatik.uni-bremen.de> wrote:
>     On 07.10.2011 20:25, NetNinja wrote:
>     > Hello,
>     > I have been reading up on OpenLDAP. I have installed it on RHEL 5.5 but
>     > I have seen documentation saying that openldap needs to be patched to work
>     > with Solaris. Can someone tell me if this is still the case and if so
>     > where to get the patch. If not, any info you can provide would be great.
>     >
>     > Thanks
>     >
>     >
>     Hi,
>     I've been running OpenLDAP on Solaris 10 for years now. It works out of
>     the tarball, no patches needed.
>     Regards,
>     Christian Manal

Here's an example of an ldapclient invocation that works for me:

# tls:simple with credentialLevel=proxy: the client binds as proxyDN over TLS
# and resolves passwd/group/netgroup under the containers named in the
# serviceSearchDescriptor entries; the attributeMap lines adapt auto_home.
ldapclient manual \
  -a authenticationMethod="tls:simple" \
  -a credentialLevel="proxy" \
  -a defaultSearchBase="dc=example,dc=org" \
  -a defaultSearchScope="sub" \
  -a defaultServerList="ldap1.example.org,ldap2.example.org" \
  -a domainName="example.org" \
  -a preferredServerList="ldap1.example.org,ldap2.example.org" \
  -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
  -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
  -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
  -a attributeMap="auto_home:automountMapName=ou" \
  -a attributeMap="auto_home:automountKey=cn" \
  -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
  -a proxyPassword="foobar"

Before you invoke that, you need to modify /etc/nsswitch.ldap to your
needs (ldapclient will copy that to /etc/nsswitch.conf). You also need
to put your TLS certs into /var/ldap in NSS format (you can
generate/convert them with certutil [1]) and edit /etc/pam.conf for LDAP.

Christian Manal

[1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
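The procedure in the reply above (prepare /etc/nsswitch.ldap, build the NSS certificate database in /var/ldap with certutil, run ldapclient manual, then verify) as one script. This is an added example, not Christian Manal's script or anything from the Solaris or OpenLDAP projects. The names CA_PEM, CA_NICK, PW_FILE and TEST_USER, the world-readable cert database, the use of certutil's --empty-password option and the ordering of the verification steps are assumptions made here; the ldapclient parameters are the ones from the reply.

```shell
#!/bin/sh
# Added walk-through of the Solaris 10 native LDAP client setup described in
# the reply above. Not the original poster's code. Assumed (not from the
# message): CA_PEM, CA_NICK, PW_FILE, TEST_USER and the chmod on the NSS DB.
set -eu

LDAP_BASE="dc=example,dc=org"
LDAP_SERVERS="ldap1.example.org,ldap2.example.org"
PROXY_DN="uid=proxyauth,ou=People,dc=example,dc=org"
CERT_DIR="/var/ldap"
CA_PEM="${CA_PEM:-/root/ldap-ca.pem}"       # assumption: CA cert in PEM form
CA_NICK="${CA_NICK:-example-ca}"            # assumption: nickname inside the NSS DB
PW_FILE="${PW_FILE:-/root/.ldap-proxy-pw}"  # assumption: mode 0400, holds the proxy password
TEST_USER="${TEST_USER:-someuser}"          # assumption: an account that exists only in LDAP

# Step 1: write the nsswitch.ldap that ldapclient copies to nsswitch.conf.
# hosts/ipnodes stay on files+dns: if they went through ldap first, the
# client would need LDAP to resolve ldap1.example.org before it can reach it.
write_nsswitch_ldap() {
  cat > "$1" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:    files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   ldap
automount:  files ldap
aliases:    files
services:   files
printers:   user files
auth_attr:  files
prof_attr:  files
project:    files
EOF
}

# Sanity check for two common mistakes in a hand-edited nsswitch.ldap:
# hosts/ipnodes resolved through ldap, or passwd/group not consulting ldap.
check_nsswitch_ldap() {
  f="$1"
  grep -q '^hosts:[[:space:]]*files dns' "$f" || return 1
  grep -q '^ipnodes:[[:space:]]*files dns' "$f" || return 1
  grep -q '^passwd:.*ldap' "$f" || return 1
  grep -q '^group:.*ldap' "$f" || return 1
  return 0
}

# Step 2: NSS certificate database for authenticationMethod=tls:simple.
# Only the CA trust anchor goes in; name-service lookups run under any uid,
# so the *.db files are made world-readable (assumption, see lead-in).
init_cert_db() {
  certutil -N -d "$CERT_DIR" --empty-password
  certutil -A -d "$CERT_DIR" -n "$CA_NICK" -t "CT,," -i "$CA_PEM"
  chmod 444 "$CERT_DIR"/*.db
  certutil -L -d "$CERT_DIR"    # show what the client will now trust
}

# Step 3: the ldapclient invocation from the reply, with the proxy password
# read from a 0400 file instead of typed into the shell history. It is still
# an argument, so it is visible in ps(1) while ldapclient runs; afterwards
# ldapclient keeps it in /var/ldap/ldap_client_cred, readable by root only.
configure_client() {
  pw=$(cat "$PW_FILE")
  ldapclient manual \
    -a authenticationMethod="tls:simple" \
    -a credentialLevel="proxy" \
    -a defaultSearchBase="$LDAP_BASE" \
    -a defaultSearchScope="sub" \
    -a defaultServerList="$LDAP_SERVERS" \
    -a preferredServerList="$LDAP_SERVERS" \
    -a domainName="example.org" \
    -a serviceSearchDescriptor="passwd:ou=People,$LDAP_BASE" \
    -a serviceSearchDescriptor="group:ou=Group,$LDAP_BASE" \
    -a serviceSearchDescriptor="netgroup:ou=Netgroup,$LDAP_BASE" \
    -a attributeMap="auto_home:automountMapName=ou" \
    -a attributeMap="auto_home:automountKey=cn" \
    -a proxyDN="$PROXY_DN" \
    -a proxyPassword="$pw"
}

# Step 4: verify one layer at a time so a failure points at a single piece:
# ldapclient list (stored profile), ldaplist (libsldap + TLS + proxy bind),
# getent (nsswitch). If all three work and login still fails, what is left
# is /etc/pam.conf, which the reply says must also be edited for LDAP.
verify_client() {
  ldapclient list
  ldaplist -l passwd "$TEST_USER"
  getent passwd "$TEST_USER"
}

if [ "${1:-}" = "apply" ]; then
  write_nsswitch_ldap /etc/nsswitch.ldap
  check_nsswitch_ldap /etc/nsswitch.ldap
  init_cert_db
  configure_client
  verify_client
fi
```

Run it as root on the Solaris client with the single argument `apply`; without an argument it only defines the functions, so the nsswitch generator and its checker can be exercised on a scratch file first.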