
Re: solaris8's ldap-client with RedHat's openldap-server



On Wed, 18 Sep 2002 17:06:47 +0200, BRINER Cedric wrote:
>Hi,
>Do any of you have the following configuration, which runs
>-solaris8's ldap-client
>-RedHat's openldap-server
>
>if so, please tell me any hints or give me any pointers to such
>configuration!
>
>Thanks in advance
>
>Briner


I _almost_ have this working. I'm also interested if anyone has any tips
on helping me make the last couple of steps. We're migrating from NIS+
running on a Sun box to an OpenLDAP server running on RedHat. The client
setup on the RedHat machines was fairly straightforward since everything
was OpenLDAP and easily installed by an rpm. We have some legacy Sun
machines that we also need to be able to authenticate with the LDAP
server. I initially tried putting OpenLDAP clients on the Solaris
machines (also required an installation of OpenSSL). I was able to get
user authentication (using the native pam_unix.so on solaris and by
specifying 'pam_passwd crypt' in slapd.conf) and the host tables to work
properly. Sun's automountd, however, uses its native LDAP libraries,
which didn't work when I had the OpenLDAP client installed. Since I also
wanted the netgroup table to work, I decided to try the native LDAP
client in Solaris8 (padl's nss_ldap doesn't have netgroup implemented).

Right now, I can list the LDAP contents with 'ldaplist -l'. This even
shows the encrypted password, meaning the proxy user is binding with the
proper credentials to read the passwords. When I do 'getent passwd',
however, I don't see anything in the password fields, and,
correspondingly, user authentication doesn't work. If you (or anyone
else) have tips on getting this to work, please let me know.

As you probably know, documentation on this topic is fairly sparse. One
of the most useful sites I have found so far is
http://www.okapi.ca/up2/solaris8_ldap.php

I have included my setup notes below. Since I couldn't get the Solaris8
LDAP client to connect to my SSL-enabled server, I used stunnel. If you
don't need SSL, you can replace 127.0.0.1 in the configuration files
with the ip address of your LDAP server.

Also, on the linux LDAP clients, I had to update pam_ldap to be able to
change passwords, and I had to update nss_ldap to get aliases to work.

NB: the notes for setting up the server (which you'll need to do first
unless you already have a server running) are at the bottom of this
message.

-----------------------------------------
Install SSL if required.

CPPFLAGS="-I/usr/local/ssl/include"
export CPPFLAGS
LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib"
export LDFLAGS
./configure --prefix=/usr/local/openldap --disable-bdb \
	    --disable-slapd --without-cyrus-sasl --with-tls

Note: the build of the shared libraries on solaris-x86 doesn't work
properly (the libraries have an undefined symbol 'main'. To fix, add
the flag '-nostartfiles' to the gcc command that builds them). After
the build takes place, perform the following: 
cd openssl-0.9.6g
gcc -G -o libcrypto.so.0.9.6 -h libcrypto.so.0.9.6 \
    -z allextract libcrypto.a -L. -lsocket -lnsl -ldl -lc \
    -nostartfiles
gcc -G -o libssl.so.0.9.6 -h libssl.so.0.9.6 \
    -z allextract libssl.a -L. -lcrypto -lsocket -lnsl -ldl -lc \
    -nostartfiles


cp /usr/local/ssl/lib/lib{crypto,ssl}.so.0.9.6 /usr/lib
cp /usr/local/ssl/lib/lib{crypto,ssl}.a /usr/lib
cd /usr/lib
ln -s libcrypto.so.0.9.6 libcrypto.so.0
ln -s libcrypto.so.0 libcrypto.so
ln -s libssl.so.0.9.6 libssl.so.0
ln -s libssl.so.0 libssl.so
cp /usr/local/ssl/lib/lib{ldap,lber}.{la,a,so.2.0.16} /usr/lib
ln -s libldap.so.2.0.16 libldap.so.2
ln -s libldap.so.2 libldap.so
ln -s liblber.so.2.0.16 liblber.so.2
ln -s liblber.so.2 liblber.so
-----------------------------------------
Use Solaris native LDAP client with stunnel.
Install openssl as described above.
compile stunnel
cp stunnel-3.22/src/stunnel /usr/sbin
mkdir /var/log/stunnel

Set up stunnel (this should be put in ldap client startup)
stunnel -c -d 389 -r @LDAP_SSL_SERVER_IP@:636 -P /var/log/stunnel

cat > /var/ldap/ldap_client_file <<EOF
NS_LDAP_SERVERS=127.0.0.1:389
NS_LDAP_SEARCH_BASEDN=dc=group,dc=example,dc=com
NS_LDAP_AUTH=NS_LDAP_AUTH_SIMPLE
NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_NONE
NS_LDAP_DOMAIN=group.example.com
EOF
chmod 600 /var/ldap/ldap_client_file

test to see if it works:
% ldaplist

make credential file for proxy authentication(?)
cat > /var/ldap/ldap_client_cred <<EOF
NS_LDAP_BINDDN=cn=proxyuser,dc=group,dc=example,dc=com
NS_LDAP_BINDPASSWD={NS1}EnCrYpTeDPaSsWoRdHeRe
EOF
chmod 600 /var/ldap/ldap_client_cred

ldap_gen_profile -P bogus -b dc=group,dc=example,dc=com \
		 -a simple -w 'secretpassword' 127.0.0.1
Note: secretpassword is what you store in /etc/ldap.secret for
OpenLDAP clients.

Copy the {NS1}AbuNcH0FJunk password generated from ldap_gen_profile to
the appropriate line in /var/ldap/ldap_client_cred

Add solaris.schema to slapd config (on OpenLDAP server):
  cp solaris.schema /etc/openldap/schema
  add include line in /etc/openldap/schema for solaris.schema

Add nisDomainObject to root DN:
cat << EOF > /tmp/entry
dn: dc=group,dc=example,dc=com
objectclass: nisDomainObject
nisDomain: group.example.com
EOF
-----------------------------------------------------------------
Notes for setting up OpenLDAP server to handle Solaris8 native LDAP
clients.

get solaris.schema from http://www.tzone.org/~okapi/up2/solaris.schema
  replace TBD with a number (I used 1466)
Add solaris.schema to slapd config (on OpenLDAP server):
  cp solaris.schema /etc/openldap/schema
  add include line in /etc/openldap/schema for solaris.schema

When initially setting up OpenLDAP server be sure also to specify the
nisDomain (specified below).

This file describes the installation and configuration of the OpenLDAP
server on a Linux Machine.

References:
http://www.mandrakesecure.net/en/docs/ldap-auth.php

Install LDAP server packages
----------------------------

in addition to the client packages, install: openldap-servers

Server configuration files
--------------------------

chgrp ldap /etc/openldap/slapd.conf
chmod 640 /etc/openldap/slapd.conf
Update /etc/openldap/slapd.conf:
  + put encrypted password on 'rootpw' line (use slappasswd)

make new slapd certificate:
  cd /usr/share/ssl/certs
  rm -f slapd.pem
  make slapd.pem
  chgrp ldap slapd.pem
  chmod 640 slapd.pem

/etc/init.d/ldap start

Check to make sure server is working:
  (make sure /etc/openldap/ldap.conf setup first)
  ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
    should return:
      dn:
      namingContexts: dc=group,dc=example,dc=com

If slapd was ever run as root: chown --recursive ldap:ldap /var/lib/ldap

### OpenLDAP clients only
Create Manager entry in database: (strip leading and trailing
whitespace)
cat << EOF > example.ldif
dn: dc=group,dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Wireless Research Group
dc: group

dn: cn=Manager,dc=group,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
EOF

### Solaris native LDAP clients included
cat << EOF > example.ldif
dn: dc=group,dc=example,dc=com
objectclass: dcObject
objectclass: nisDomainObject
objectclass: organization
o: Wireless Research Group
nisDomain: group.example.com
dc: group

dn: cn=Manager,dc=group,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
EOF

ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f example.ldif
rm -f example.ldif

Check to see if it works:
  ldapsearch -x -b 'dc=group,dc=example,dc=com' '(objectclass=*)'
  (should return all entries, including the one just created)

Create proxyuser for authentication:
cat << EOF > example.ldif
dn: cn=proxyuser,dc=group,dc=example,dc=com
cn: proxyuser
sn: proxyuser
objectclass: top
objectclass: person
userPassword: paste-encrypted-password-here
EOF

ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f example.ldif
rm -f example.ldif

Migration
---------

edit defaults in /usr/share/openldap/migration/migrate_common.ph:
$DEFAULT_MAIL_DOMAIN = "group.example.com";
$DEFAULT_BASE = "dc=group,dc=example,dc=com";
$DEFAULT_MAIL_HOST = "group.example.com";
$EXTENDED_SCHEMA = 0;

migrate_base.pl > base.ldif
+ remove entries for rpc, networks, services, protocols, mounts
+ remove first entry for dc=example,dc=com
+ remove entry for dc=group,dc=example,dc=com since already exists
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f base.ldif

Migrate individually: passwd, automount, netgroup, aliases, hosts, group

# migrate passwd
umask 077
niscat passwd.org_dir > passwd.txt
migrate_passwd.pl passwd.txt passwd.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f passwd.ldif
rm -f passwd.txt passwd.ldif

# migrate automount
## for each automount map, do the following (replace "auto_home" with mapname):
niscat auto_home.org_dir > auto_home
+ remove entries that begin with '+'
migrate_automount.pl auto_home nismap.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f nismap.ldif
rm -f auto_home nismap.ldif

# migrate netgroup
scp group:/etc/netgroup .
migrate_netgroup.pl netgroup netgroup.ldif
migrate_netgroup_byhost.pl netgroup netgroup_byhost.ldif
migrate_netgroup_byuser.pl netgroup netgroup_byuser.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f netgroup.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f netgroup_byhost.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f netgroup_byuser.ldif
rm -f netgroup netgroup.ldif netgroup_byhost.ldif netgroup_byuser.ldif

# migrate aliases
scp group:/etc/aliases .
migrate_aliases.pl aliases aliases.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f aliases.ldif
rm -f aliases aliases.ldif

# migrate hosts
scp group:/etc/hosts .
migrate_hosts.pl hosts hosts.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f hosts.ldif
rm -f hosts hosts.ldif

# migrate group
niscat group.org_dir > group
migrate_group.pl group group.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f group.ldif
rm -f group group.ldif


######### Warning: accounts can be erased during this procedure
To re-sync passwd database from nis:
umask 077
niscat passwd.org_dir > passwd.txt
# this next step removes old accounts from LDAP
ldapdelete -r -x -D "cn=Manager,dc=group,dc=example,dc=com" -W 'ou=People,dc=group,dc=example,dc=com'
migrate_passwd.pl passwd.txt passwd.ldif
cat <<EOF > people.ldif
dn: ou=People,dc=group,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
EOF
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f people.ldif
ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f passwd.ldif
rm -f passwd.txt passwd.ldif people.ldif
######### End Warning
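The two Solaris client files above (/var/ldap/ldap_client_file and /var/ldap/ldap_client_cred) are easy to get subtly wrong: a missing NS_LDAP_* key gives the empty getent output described in the message, and pointing NS_LDAP_SERVERS at the real server while leaving NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_NONE sends the proxy bind password in the clear instead of through stunnel. The following check script is an added example, not part of the original post or of Solaris; it reads the files in the format shown above and flags those mistakes, and the file paths are assumed from the notes.

```shell
#!/bin/sh
# Added example: sanity-check Solaris 8 native LDAP client files before
# trusting them. Works with plain /bin/sh, sed and ls (no stat needed).

# Print the value of one NS_LDAP_* key from a client file (empty if absent).
ns_ldap_get() {
    # $1 = file, $2 = key name
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 if the client file has every key the notes use and does not
# send a simple bind in the clear to a remote host; findings go to stderr.
check_client_file() {
    f="$1"; rc=0
    for k in NS_LDAP_SERVERS NS_LDAP_SEARCH_BASEDN NS_LDAP_AUTH \
             NS_LDAP_TRANSPORT_SEC NS_LDAP_DOMAIN; do
        [ -n "$(ns_ldap_get "$f" "$k")" ] || { echo "missing $k" >&2; rc=1; }
    done
    srv=$(ns_ldap_get "$f" NS_LDAP_SERVERS)
    auth=$(ns_ldap_get "$f" NS_LDAP_AUTH)
    sec=$(ns_ldap_get "$f" NS_LDAP_TRANSPORT_SEC)
    # Simple bind with no transport security is only acceptable when the
    # "server" is the local stunnel endpoint on the loopback address.
    if [ "$auth" = NS_LDAP_AUTH_SIMPLE ] && [ "$sec" = NS_LDAP_SEC_NONE ]; then
        case "$srv" in
            127.0.0.1|127.0.0.1:*) ;;
            *) echo "simple bind to $srv would cross the network unencrypted" >&2
               rc=1 ;;
        esac
    fi
    return $rc
}

# Return 0 if the credential file is mode 600, names a bind DN and holds
# an {NS1}-encoded password (as produced by ldap_gen_profile), not plaintext.
check_cred_file() {
    f="$1"; rc=0
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "$f is $perms, expected -rw-------" >&2; rc=1; }
    [ -n "$(ns_ldap_get "$f" NS_LDAP_BINDDN)" ] || { echo "missing NS_LDAP_BINDDN" >&2; rc=1; }
    case "$(ns_ldap_get "$f" NS_LDAP_BINDPASSWD)" in
        "{NS1}"*) ;;
        *) echo "NS_LDAP_BINDPASSWD is not {NS1}-encoded" >&2; rc=1 ;;
    esac
    return $rc
}

# Usage on a client (paths from the notes above):
#   check_client_file /var/ldap/ldap_client_file && check_cred_file /var/ldap/ldap_client_cred
```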