Re: Solaris 9 LDAP client issues
On Fri, 16 Aug 2002, Scott Moorhouse wrote:
> If anyone has a success story integrating Solaris 9's LDAP client with
> an OpenLDAP server, I need some help!
>
I set this up a while back and it works very well. I use OpenLDAP
2.0.25 and will upgrade soon.
> I'm currently experiencing some issues which just may be bugs/problems
> with integrating these two pieces of software.
>
Before you go any further make sure to update your schema:
http://docs.sun.com/?p=/doc/806-4077/6jd6blbf3&a=view
> 1. Solaris 9 LDAP client doesn't bind properly to the OpenLDAP server
> even when you configure it with proxyDn and proxyPassword.
>
> I set up a user cn=NamingClient,dc=mydomain,dc=com in order to be able
> to give special privileges to Solaris naming clients, but since it seems
> to refuse to bind as anything other than an anonymous user, this doesn't
> seem to help me much. Here's my ldapclient config string:
>
> # ldapclient manual -a defaultServerList=myldapserverip -a
> defaultSearchBase="dc=mydomain,dc=com" -a defaultSearchScope=sub -a
> credentialLevel=proxy -a proxyDn="cn=NamingClient,dc=mydomain,dc=com" -a
> proxyPassword=mypass -a
> serviceSearchDescriptor="automount:ou=AutomountMaps,dc=mydomain,dc=com"
>
> (I wish to keep my automount maps in a different container)
>
I've used a similar configuration, but I have not tried automount.
Start ldap_cachemgr (/etc/init.d/ldap.client start) and restart nscd
(/etc/init.d/nscd stop;/etc/init.d/nscd start). This was not required in
Solaris 8. Or reboot.
> The Sun documentation states that the pam_ldap module will try to
> authenticate a user based upon its ability to bind to the LDAP server.
> I've also been trying to limit access to the userPassword attribute
> like so:
>
> access to dn="" by * read
>
> #access to dn="(.*,)+,ou=Hosts,dc=ae-solutions,dc=com"
> # by self read
> # by users read
> # by anonymous read
>
> access to dn="(.*,)+ou=People,dc=ae-solutions,dc=com" attr=userPassword
> by self write
> by users none
> by anonymous none
>
> access to *
> by self read
> by users read
> by anonymous read
>
Make sure that cn=NamingClient,dc=mydomain,dc=com can bind to the server.
For nss to work properly, cn=NamingClient,dc=mydomain,dc=com will need
access to userPassword as well.
> 2. PAM TLS functionality is broken.
>
> When I add -a authenticationMethod="tls:simple" to the above
Try to make it work with simple bind before you try tls.
Hope this helps.
--
Igor
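The ACL change the reply asks for, written out as an added example (editor's illustration, not configuration from either poster): the original rule hides userPassword from all users, which also blocks the proxy DN that the Solaris 9 naming client binds as. The example assumes one suffix, dc=mydomain,dc=com, for both the proxy DN and the People container (the original ACLs used dc=ae-solutions,dc=com), and OpenLDAP 2.0 ACL syntax as on the page.

```conf
# Added example for OpenLDAP 2.0 slapd.conf; not taken from the thread.
# Assumes everything lives under dc=mydomain,dc=com.
#
# Original rule (as posted): userPassword is writable by the owner and
# invisible to everyone else, including the naming-client proxy DN.
#
#   access to dn="(.*,)+ou=People,dc=mydomain,dc=com" attr=userPassword
#           by self write
#           by users none
#           by anonymous none
#
# Corrected rule. slapd evaluates the "by" clauses in order and stops at
# the first one that matches the requesting identity, so the proxy DN
# must appear before the catch-all "by users none". In OpenLDAP 2.0 a
# dn="..." in a "by" clause is matched as a regular expression.
access to dn="(.*,)+ou=People,dc=mydomain,dc=com" attr=userPassword
        by self write
        by dn="cn=NamingClient,dc=mydomain,dc=com" read
        by anonymous auth
        by users none

# "by anonymous auth" is the least a simple bind needs: without at least
# auth access to userPassword, users' own binds (and pam_ldap's bind-based
# authentication) fail, while "auth" still does not let anonymous clients
# read the hash. The proxy DN gets "read" because nss on the client compares
# the crypted value itself, as the reply notes.

# Everything else stays readable, as in the original configuration.
access to *
        by self read
        by users read
        by anonymous read
```

After editing slapd.conf, restart slapd and verify with an ldapsearch bound as the proxy DN that userPassword is returned for a People entry, and with an anonymous ldapsearch that it is not.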