[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Patching openldap?

Am 09.10.2011 14:33, schrieb NetNinja:
> On Sat, Oct 8, 2011 at 4:54 AM, Christian Manal
> <moenoel@informatik.uni-bremen.de> wrote:
>> Am 07.10.2011 23:58, schrieb NetNinja:
>>> Ok that's good to know.
>>> I was reading in the book "Solaris 10 System Administration Essential"
>>> and it says on pg 365 that the openldap server needs to be patched so
>>> that the ldapclient init utility will configure properly.
>>> Do you happen to remeber how you setup the Solaris Native client? This
>>> my current issue, I installed openldap on a RHEL 5.5 server and have all
>>> the Linux servers working with the ldap server but the Solaris servers
>>> won't let me login as a ldap user. I can do a ldapsearch, id, getent and
>>> get info on ldap users. I am in the process of troubleshooting the issue
>>> and I'm not sure what I'm doing wrong? My setup is very basic, no TLS,
>>> uatomount or replication. I will add these later when I know what i'm doing.
>>> Anyway thanks for your help. If you have any advice on ldapclient setup
>>> let me know.
>>> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal
>>> <moenoel@informatik.uni-bremen.de
>>> <mailto:moenoel@informatik.uni-bremen.de>> wrote:
>>>     Am 07.10.2011 20:25, schrieb NetNinja:
>>>     > Hello,
>>>     > I have been reading up on OpenLDAP. I have installed it on RHEL
>>>     5.5 but
>>>     > I have seen documention saying that openldap needs to be patched
>>>     to work
>>>     > with Solaris. Can someone tell me if this still the case and if so
>>>     where
>>>     > to get the patch. If not any info you can provide wold be great.
>>>     >
>>>     > Thanks
>>>     >
>>>     >
>>>     Hi,
>>>     I've been running OpenLDAP on Solaris 10 for years now. It works out of
>>>     the tarball, no patches needed.
>>>     Regards,
>>>     Christian Manal
>> Here's an example of an ldapclient invocation that works for me:
>> ldapclient manual \
>>  -a authenticationMethod="tls:simple" \
>>  -a credentialLevel="proxy" \
>>  -a defaultSearchBase="dc=example,dc=org" \
>>  -a defaultSearchScope="sub" \
>>  -a defaultServerList="ldap1.example.org,ldap2.example.org" \
>>  -a domainName="example.org" \
>>  -a preferredServerList="ldap1.example.org,ldap2.example.org" \
>>  -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
>>  -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
>>  -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
>>  -a
>> serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org"
>> \
>>  -a attributeMap="auto_home:automountMapName=ou" \
>>  -a attributeMap="auto_home:automountKey=cn" \
>>  -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
>>  -a proxyPassword="foobar"
>> Before you invoke that, you need to modify /etc/nsswitch.ldap to your
>> needs (ldapclient will copy that to /etc/nsswitch.conf). You also need
>> to put your TLS certs into /var/ldap in NSS format (you can
>> generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP
>> authentication.
>> Regards,
>> Christian Manal
>> [1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
> Thanks,
> I will try your command. Since you used ldapclient manual and not
> ldapclient init I don't need to add a profile of proxy ldif file to
> the ldap server, right?

Right. It's possible to deposit most of those infos in a profile in the
DIT, but since I have a script for configuring LDAP clients it doesn't
make any difference for me. I have only one set of settings for Solaris
boxes. Though, it might be worth looking into for you, if you have
different setups.

> I have been using examples like the one you
> just gave me and I can only get the info from the server. The password
> seems to not work. I get the same erros on the prompt that I would get
> if the password or username where wrong. Though I have not tried the
> command with the serviceSearchDescriptor before maybe this is what I'm
> missing.

You replaced the credentials with existing ones from your DIT, right? Do
they work with ldapsearch? Does the DN have read access to the user and
group data in your DIT?

You might want to call ldapclient with '-v' to get some debugging info.

>  I'm also not using TLS or automount can I leave these out, for now?
> Sotls:simple would be simple, right. 


> Also could Solaris 10 not want to
> work because I'm not using TLS?

I don't think so. It shouldn't make any difference. Though, I'd
recommend adding TLS support before putting anything in production.

> Anyway thanks for your time. I will let you know if it works.

Christian Manal