Solaris 9 LDAP client issues
If anyone has a success story integrating Solaris 9's LDAP client with
an OpenLDAP server, I need some help!
I'm currently experiencing some issues which just may be bugs/problems
with integrating these two pieces of software.
1. Solaris 9 LDAP client doesn't bind properly to the OpenLDAP server
even when you configure it with proxyDn and proxyPassword.
I set up a user cn=NamingClient,dc=mydomain,dc=com in order to be able
to give special privileges to Solaris naming clients, but since it seems
to refuse to bind as anything other than an anonymous user, this doesn't
seem to help me much. Here's my ldapclient config string:
# ldapclient manual -a defaultServerList=myldapserverip \
    -a defaultSearchBase="dc=mydomain,dc=com" \
    -a defaultSearchScope=sub \
    -a credentialLevel=proxy \
    -a proxyDn="cn=NamingClient,dc=mydomain,dc=com" \
    -a proxyPassword=mypass \
    -a serviceSearchDescriptor="automount:ou=AutomountMaps,dc=mydomain,dc=com"
(I wish to keep my automount maps in a different container)
The Sun documentation states that the pam_ldap module will try to
authenticate a user based upon its ability to bind to the LDAP server.
I've also been trying to limit access to the userPassword attribute
like so:
access to dn="" by * read
#access to dn="(.*,)+,ou=Hosts,dc=ae-solutions,dc=com"
#        by self read
#        by users read
#        by anonymous read
access to dn="(.*,)+ou=People,dc=ae-solutions,dc=com" attr=userPassword
        by self write
        by users none
        by anonymous none
access to *
        by self read
        by users read
        by anonymous read
2. PAM TLS functionality is broken.
When I add -a authenticationMethod="tls:simple" to the above
configuration (having dug through the documentation to find that I need
to load Netscape Navigator 4, etc. to get cert7.db and key3.db), I can get
the naming client side to work. However, logins then fail to work! It
is as if PAM won't recognize the server's certificate, but lib_nss_ldap
will. I followed the Sun documentation and made these cert DBs
readable by everyone, etc., but to no effect. I can then use ldaplist
and getent to see user information, but I can't log in with telnet or su
to that user.
Any advice would be appreciated. This is my first LDAP project so there
might be some newbie mistakes. My current opinion is that Solaris 9's
LDAP client has a couple of broken pieces in its implementation, at
least if you are not trying to integrate it with iPlanet directory server.
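For comparison with the ACL block in the post above, here is an added slapd.conf fragment (not from the original post or from the OpenLDAP project) that keeps userPassword hashes unreadable while still letting simple binds succeed. It assumes the DNs used in the post (proxy account cn=NamingClient,dc=mydomain,dc=com, people under ou=People,dc=mydomain,dc=com) and an OpenLDAP release that understands the attrs= spelling (2.1 or later; older releases use attr= as in the post). The key point is the `auth` privilege: slapd needs at least `auth` access to userPassword for the DN being bound as, even for an anonymous connection, because the bind is evaluated before the client is authenticated. A rule that gives `by anonymous none` on userPassword therefore blocks every simple bind to those entries, which is exactly the symptom pam_ldap shows when it tries to authenticate a user by binding.

```conf
# Added example, not the original poster's configuration.
# DNs below are taken from the post (mydomain placeholder).

# Keep the root DSE readable so clients can discover the server.
access to dn="" by * read

# userPassword under ou=People:
#   - the entry owner may change it (self write)
#   - everybody else, including anonymous, gets only "auth": slapd may
#     compare a bind password against the stored hash but will never
#     return the attribute in a search result.
access to dn="(.*,)?ou=People,dc=mydomain,dc=com$" attrs=userPassword
        by self write
        by * auth

# Everything else: the proxy account the Solaris clients bind as gets
# read (so naming lookups work through it), as do authenticated users
# and anonymous clients, matching the post's original last rule.
access to *
        by self read
        by dn="cn=NamingClient,dc=mydomain,dc=com" read
        by users read
        by anonymous read
```

Rule order matters in slapd: the first `access to` whose target matches the entry and attribute is the one applied, so the userPassword rule must come before the catch-all. After changing the file, a quick check is `ldapsearch -x -D "uid=someuser,ou=People,dc=mydomain,dc=com" -W -b "ou=People,dc=mydomain,dc=com" userPassword`: the bind should now succeed, and the result should still contain no userPassword values.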