Re: slapd 2.0.7 and solaris 8



	One last thing. If you do have an alternate DIT (i.e. not
"ou=People...") and you did not put:

	NS_LDAP_SEARCH_DN=shadow:( whatever )

then telnet and ssh will work fine with authentication, but for some
reason su lets you switch from user to user without prompting for a
password.

	Just thought I would mention that.

			Landon McDowell



On Fri, 2 Feb 2001, Adam Shand wrote:

> 
> actually i got everything working great last night.  there are still some
> questions i have but it all works.
> 
> i'll be posting a howto on what i did later today.  if not then early next
> week.
> 
> > There is a patch to OpenLDAP to make native Solaris PAM work. I
> > believe that patch was posted to this list already.
> 
> the patch isn't required unless you want to use solaris 8's ability to
> dynamically determine which ldap server to use and what attributes to use
> via ldapclient.  personally i think this is kinda a pointless feature but
> ...
> 
> > I think you only need that patch to initialize LDAP support with the
> > ldapclient tool. As far as I can tell, all that tool does is create
> > the files /var/ldap/ldap_client_cred and /var/ldap/ldap_client_file.
> 
> yep.
> 
> > Sun says not to edit these files under any circumstances, but I found
> > that the ONLY way to get Solaris to work with OpenLDAP in my setup was
> > to manually edit these files. Solaris seems to work fine if your
> > accounts are under "ou=People, $base_dn", but mine were not.
> > ldapclient has a provision for changing that, but you need to change
> > both the "passwd:" and the "shadow:" facilities and the ldapclient
> > only seemed to allow me to change one of them.
> 
> from the book i have the tag to do this is in /var/ldap/ldap_client_file
> is:
> 
> NS_LDAP_SEARCH_DN=passwd:(ou=people,dc=example,dc=com)
> 
> i don't know if substituting shadow password would have the desired
> effect.  however i would think that since all shadow tags are part of the
> user entry that if it can find that then it should all work regardless of
> where it all is in the tree.
> 
> > In addition, I could not figure out how to get TLS support using the
> > ldapclient tool. You should be able to hand hack those files to plug
> > that into Solaris as well. The Sun documentation claims this is
> > supported.
> 
> i think i have this working but i'm a little stumped as to how to tell if
> it's actually using ssl.  i need to go digging to find if there is a
> debugging level for openldap which shows binds and methods.  the tag in
> the ldap_client_file for tls is:
> 
> NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_TLS
> 
> > Lastly, I found that if I copied those files from one server to
> > another, the system worked. I had to restart nscd. So you should not
> > need to use that busted ldapclient tool at all. You will probably need
> > to use the ldap_gen_profile tool to generate the password field.
> 
> yep that's what i found as well.  does anyone know what {NS1} encoding is
> for the password in the ldap_client_cred file?
> 
> i have another question too.  it seems to me that ldap_cachemgr does the
> job of nscd, only for ldap.  you get problems with nscd as it is caching
> bad information every once in a while, so the idea of double levels of
> caching via nscd and ldap_cachemgr is a little scary to me.  does anyone
> have any thoughts re. this?
> 
> thanks to everyone for all their help.
> 
> adam.
>
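Added example (not from either post above, and not Sun's or OpenLDAP's code): a small POSIX sh audit of a Solaris 8 ldap_client_file that checks the two points raised in this thread, namely that an alternate DIT is mapped for both the passwd: and shadow: services (Landon's su-without-a-password case when shadow: is left out) and that NS_LDAP_TRANSPORT_SEC is set to NS_LDAP_SEC_TLS (Adam's TLS tag). It assumes the KEY=value line format shown in the thread, one NS_LDAP_SEARCH_DN line per service, and that the file has no other NS_LDAP_SEARCH_DN variants; the two sample files, their DNs and the server name are constructed for the example. It only inspects the configuration; it does not exercise su or the LDAP server.

```shell
#!/bin/sh
# Added example: audit a Solaris 8 /var/ldap/ldap_client_file for the
# settings discussed in the thread. Assumptions: one KEY=value per line,
# one NS_LDAP_SEARCH_DN=<service>:(<dn>) line per service, and TLS is
# signalled by NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_TLS. Sample content below
# is constructed; run against the real file with: audit_client_file /var/ldap/ldap_client_file

# Constructed sample 1: passwd: moved to an alternate DIT, shadow: forgotten,
# no TLS line at all.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
NS_LDAP_FILE_VERSION=1.0
NS_LDAP_SERVERS=ldap.example.com
NS_LDAP_SEARCH_BASEDN=dc=example,dc=com
NS_LDAP_SEARCH_DN=passwd:(ou=accounts,dc=example,dc=com)
EOF

# Constructed sample 2: both services mapped to the same container, TLS on.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
NS_LDAP_FILE_VERSION=1.0
NS_LDAP_SERVERS=ldap.example.com
NS_LDAP_SEARCH_BASEDN=dc=example,dc=com
NS_LDAP_SEARCH_DN=passwd:(ou=accounts,dc=example,dc=com)
NS_LDAP_SEARCH_DN=shadow:(ou=accounts,dc=example,dc=com)
NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_TLS
EOF
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT

# search_dn FILE SERVICE: print the DN mapped for SERVICE (passwd, shadow),
# nothing if the service has no NS_LDAP_SEARCH_DN line.
search_dn() {
    sed -n "s/^NS_LDAP_SEARCH_DN=$2:(\(.*\))\$/\1/p" "$1" | head -n 1
}

# transport_sec FILE: print the NS_LDAP_TRANSPORT_SEC value, nothing if unset.
transport_sec() {
    sed -n 's/^NS_LDAP_TRANSPORT_SEC=\(.*\)$/\1/p' "$1" | head -n 1
}

# audit_client_file FILE: print findings; exit status 0 when clean, 1 otherwise.
audit_client_file() {
    file=$1
    rc=0
    pw=$(search_dn "$file" passwd)
    sh=$(search_dn "$file" shadow)
    # An alternate DIT for passwd: without the matching shadow: mapping is
    # the case Landon reports: logins work, but su stops asking for a password.
    if [ -n "$pw" ] && [ "$pw" != "$sh" ]; then
        echo "FINDING: passwd: maps to '$pw' but shadow: maps to '${sh:-<unset>}'"
        echo "  add NS_LDAP_SEARCH_DN=shadow:($pw) so shadow lookups use the same DIT"
        rc=1
    fi
    case $(transport_sec "$file") in
        NS_LDAP_SEC_TLS) ;;
        *)
            echo "FINDING: NS_LDAP_TRANSPORT_SEC is not NS_LDAP_SEC_TLS; binds are not protected by TLS"
            rc=1
            ;;
    esac
    return $rc
}

# Stand-alone run over both constructed samples.
for f in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    echo "== $f"
    audit_client_file "$f" || echo "  (audit failed for $f)"
done
```

Restarting nscd after editing the file, as mentioned in the thread, is still needed for the change to take effect; the script only reports on what is in the file.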