Re: slapd 2.0.7 and solaris 8
One last thing. If you do have an alternate DIT (i.e. not
"ou=People...") and you did not put:
NS_LDAP_SEARCH_DN=shadow:( whatever )
then telnet and ssh will work fine with authentication, but for some
reason su lets you switch from user to user without prompting for a
password.
Just thought I would mention that.
Landon McDowell
On Fri, 2 Feb 2001, Adam Shand wrote:
>
> actually i got everything working great last night. there are still some
> questions i have but it all works.
>
> i'll be posting a howto on what i did later today. if not then early next
> week.
>
> > There is a patch to OpenLDAP to make native Solaris PAM work. I
> > believe that patch was posted to this list already.
>
> the patch isn't required unless you want to use solaris 8's ability to
> dynamically determine which ldap server to use and what attributes to use
> via ldapclient. personally i think this is kinda a pointless feature but
> ...
>
> > I think you only need that patch to initialize LDAP support with the
> > ldapclient tool. As far as I can tell, all that tool does is create
> > the files /var/ldap/ldap_client_cred and /var/ldap/ldap_client_file.
>
> yep.
>
> > Sun says not to edit these files under any circumstances, but I found
> > that the ONLY way to get Solaris to work with OpenLDAP in my setup was
> > to manually edit these files. Solaris seems to work fine if your
> > accounts are under "ou=People, $base_dn", but mine were not.
> > ldapclient has a provision for changing that, but you need to change
> > both the "passwd:" and the "shadow:" facilities and the ldapclient
> > only seemed to allow me to change one of them.
>
> from the book i have, the tag to do this in /var/ldap/ldap_client_file
> is:
>
> NS_LDAP_SEARCH_DN=passwd:(ou=people,dc=example,dc=com)
>
> i don't know if substituting shadow password would have the desired
> effect. however i would think that since all shadow tags are part of the
> user entry that if it can find that then it should all work regardless of
> where it all is in the tree.
>
> > In addition, I could not figure out how to get TLS support using the
> > ldapclient tool. You should be able to hand hack those files to plug
> > that into Solaris as well. The Sun documentation claims this is
> > supported.
>
> i think i have this working but i'm a little stumped as to how to tell if
> it's actually using ssl. i need to go digging to find if there is a
> debugging level for openldap which shows binds and methods. the tag in
> the ldap_client_file for tls is:
>
> NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_TLS
>
> > Lastly, I found that if I copied those files from one server to
> > another, the system worked. I had to restart nscd. So you should not
> > need to use that busted ldapclient tool at all. You will probably need
> > to use the ldap_gen_profile tool to generate the password field.
>
> yep that's what i found as well. does anyone know what {NS1} encoding is
> for the password in the ldap_client_cred file?
>
> i have another question too. it seems to me that ldap_cachemgr does the
> job of nscd, only for ldap. you get problems with nscd as it is caching
> bad information every once in a while, the idea of double levels of caching
> via nscd and ldap_cachemgr is a little scary to me. does anyone have
> any thoughts re. this?
>
> thanks to everyone for all their help.
>
> adam.
>
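The failure Landon describes (a custom passwd: search DN with no matching shadow: search DN, after which su stops asking for a password) is easy to check for mechanically. The script below is an added example, not code from this thread or from Sun: it parses the two tags the thread quotes, NS_LDAP_SEARCH_DN and NS_LDAP_TRANSPORT_SEC, out of a /var/ldap/ldap_client_file, flags a passwd: search DN that has no shadow: counterpart (or a different one), and reports the transport setting so you can at least confirm the client is configured for TLS. The function names are mine, and the two sample files are constructed to match the lines quoted above, not copied from a real host.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits a Solaris 8
# /var/ldap/ldap_client_file for the mismatch described on the list: a
# custom search DN for passwd: without one for shadow:. Only the tags
# quoted in the thread (NS_LDAP_SEARCH_DN, NS_LDAP_TRANSPORT_SEC) are
# parsed; the sample files at the bottom are constructed.

# Print the search DN configured for one service (passwd or shadow),
# or nothing if the file has no NS_LDAP_SEARCH_DN line for it.
# $1 = path to ldap_client_file, $2 = service name
# Tolerates the spaces inside the parentheses seen in "shadow:( whatever )".
search_dn_for() {
    sed -n "s/^NS_LDAP_SEARCH_DN=$2:( *\(.*[^ ]\) *) *$/\1/p" "$1" | head -n 1
}

# Print the NS_LDAP_TRANSPORT_SEC value (e.g. NS_LDAP_SEC_TLS), or nothing.
transport_sec() {
    sed -n 's/^NS_LDAP_TRANSPORT_SEC=\(.*[^ ]\) *$/\1/p' "$1" | head -n 1
}

# Return 0 when passwd: and shadow: agree, 1 when passwd: has a custom
# search DN and shadow: has none, 2 when both are set but differ.
check_client_file() {
    passwd_dn=$(search_dn_for "$1" passwd)
    shadow_dn=$(search_dn_for "$1" shadow)
    if [ -n "$passwd_dn" ] && [ -z "$shadow_dn" ]; then
        echo "$1: passwd: searches $passwd_dn but shadow: has no search DN" >&2
        return 1
    fi
    if [ -n "$passwd_dn" ] && [ "$passwd_dn" != "$shadow_dn" ]; then
        echo "$1: passwd: ($passwd_dn) and shadow: ($shadow_dn) search DNs differ" >&2
        return 2
    fi
    return 0
}

# Constructed samples: the broken configuration from the thread, and the
# same file with the shadow: search DN added. Removed again on exit.
SAMPLE_DIR=${TMPDIR:-/tmp}/ldap_client_audit.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/broken" <<'EOF'
NS_LDAP_SEARCH_DN=passwd:(ou=people,dc=example,dc=com)
NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_TLS
EOF

cat > "$SAMPLE_DIR/fixed" <<'EOF'
NS_LDAP_SEARCH_DN=passwd:(ou=people,dc=example,dc=com)
NS_LDAP_SEARCH_DN=shadow:( ou=people,dc=example,dc=com )
NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_TLS
EOF

# Run the audit over both samples; on a real host point it at
# /var/ldap/ldap_client_file instead.
for f in "$SAMPLE_DIR/broken" "$SAMPLE_DIR/fixed"; do
    if check_client_file "$f"; then
        echo "$f: OK (transport: $(transport_sec "$f"))"
    else
        echo "$f: NEEDS ATTENTION (transport: $(transport_sec "$f"))"
    fi
done
```

The check only tells you that the shadow: search DN is present and matches; it cannot tell you that the server is actually honouring TLS, which is the separate question raised above about how to confirm the bind method.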