
Re: Solaris 9 LDAP client issues

Igor Brezac wrote:

I'm currently experiencing some issues which just may be bugs/problems
with integrating these two pieces of software.

Before you go any further make sure to update your schema:
http://docs.sun.com/?p=/doc/806-4077/6jd6blbf3&a=view


Yes, I finally found this section of the documentation and was able to update my NIS schema according to what Sun has implemented of RFC 2307.
It was sticking point number one that I overcame. :) Is there someplace appropriate to submit that schema so that others don't have to go through the same frustration?

1. Solaris 9 LDAP client doesn't bind properly to the OpenLDAP server
even when you configure it with proxyDn and proxyPassword.

I set up a user cn=NamingClient,dc=mydomain,dc=com in order to be able
to give special privileges to Solaris naming clients, but since it seems
to refuse to bind as anything other than an anonymous user, this doesn't
seem to help me much.  Here's my ldapclient config string:

# ldapclient manual -a defaultServerList=myldapserverip \
    -a defaultSearchBase="dc=mydomain,dc=com" -a defaultSearchScope=sub \
    -a credentialLevel=proxy -a proxyDn="cn=NamingClient,dc=mydomain,dc=com" \
    -a proxyPassword=mypass \
    -a serviceSearchDescriptor="automount:ou=AutomountMaps,dc=mydomain,dc=com"

(I wish to keep my automount maps in a different container)

I've used a similar configuration, but I have not tried automount.

Start ldap_cachemgr (/etc/init.d/ldap.client start) and restart nscd
(/etc/init.d/nscd stop;/etc/init.d/nscd start). This was not required in
Solaris 8. Or reboot.


This is still definitely not working. OpenLDAP considers the LDAP client to be binding as an anonymous user. Whether that means it botched the authentication or never tried it in the first place is something I'm not familiar enough with the debug output of slapd to determine yet. I can't even get it to bind as my RootDN.

I have been testing my binding capabilities and access controls with the GQ LDAP client, and everything works as expected there, so why doesn't the Solaris client work?

Here's the ldif of the entry I've tried to bind to using Solaris 9's LDAP client. Perhaps I'm missing some objectclass or attribute it expects?

dn: cn=NamingClient,dc=mydomain,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: NamingClient
userPassword: {crypt}[DEScryptstring]

My GQ client binds to that fine and gets the special permissions I have laid out for it in slapd.conf...

I've also tried binding as the RootDN with the RootDN password with the same results. Unless I allow anonymous read to the userPassword attribute, no one can log in. PAM_ldap is not configured, I assume it is trying pam_unix and thus using the naming services to get entries.

Did you use manual configuration or configuration through profiles? Even in the latter case, Solaris 9 stores the proxy dn and password locally, I guess...

2. PAM TLS functionality is broken.

When I add -a authenticationMethod="tls:simple" to the above

Try to make it work with simple bind before you try tls.

Sound advice.
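The poster cannot tell from slapd's debug output whether the Solaris client's bind was rejected or never attempted. The following Python script is an added example and is not part of this thread or of OpenLDAP; it reads slapd's stats-level log records (loglevel 256 in slapd.conf, or slapd -d 256), the ACCEPT / BIND / RESULT / SRCH lines, and reports per connection whether a BIND was sent, as which DN, and with what result, so an anonymous-looking client can be separated into "bound anonymously", "bind refused" and "never bound". The log lines inside it are constructed for the example; the DN and IP addresses are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of slapd's "stats" log (loglevel 256):
# ACCEPT, BIND, RESULT and SRCH records keyed by connection and operation
# number. None of these lines come from the thread; the DN and addresses
# are placeholders.
SAMPLE_SLAPD_LOG = """\
conn=1 fd=10 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="dc=mydomain,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=alice))"
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=2 fd=11 ACCEPT from IP=192.0.2.10:40002 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="cn=NamingClient,dc=mydomain,dc=com" method=128
conn=2 op=0 RESULT tag=97 err=49 text=
conn=3 fd=12 ACCEPT from IP=192.0.2.11:40003 (IP=0.0.0.0:389)
conn=3 op=0 BIND dn="cn=NamingClient,dc=mydomain,dc=com" method=128
conn=3 op=0 BIND dn="cn=NamingClient,dc=mydomain,dc=com" mech=SIMPLE ssf=0
conn=3 op=0 RESULT tag=97 err=0 text=
conn=4 fd=13 ACCEPT from IP=192.0.2.12:40004 (IP=0.0.0.0:389)
conn=4 op=0 SRCH base="ou=AutomountMaps,dc=mydomain,dc=com" scope=2 filter="(objectClass=automount)"
conn=4 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
# method=128 is a simple bind; dn="" is an explicit anonymous bind
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the BindResponse, so this RESULT belongs to the BIND with the same op
BIND_RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
SRCH_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH ')

LDAP_INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials


def _conn(conns: Dict[int, dict], cid: int) -> dict:
    """Return the state record for a connection, creating it if its ACCEPT
    line fell outside the captured log window."""
    return conns.setdefault(cid, {"ip": "?", "bind_dn": None, "bind_op": None,
                                  "bind_err": None, "searches": 0})


def parse_slapd_stats(text: str) -> Dict[int, dict]:
    """Collect per connection: peer IP, the DN of the last BIND attempt,
    that bind's result code, and how many searches were issued."""
    conns: Dict[int, dict] = {}
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            _conn(conns, int(m.group(1)))["ip"] = m.group(2)
            continue
        m = BIND_RE.match(line)
        if m:
            c = _conn(conns, int(m.group(1)))
            c["bind_dn"] = m.group(3)
            c["bind_op"] = int(m.group(2))
            c["bind_err"] = None  # result for this bind not seen yet
            continue
        m = BIND_RESULT_RE.match(line)
        if m:
            c = _conn(conns, int(m.group(1)))
            if c["bind_op"] == int(m.group(2)):
                c["bind_err"] = int(m.group(3))
            continue
        m = SRCH_RE.match(line)
        if m:
            _conn(conns, int(m.group(1)))["searches"] += 1
    return conns


def classify(c: dict) -> str:
    """Describe the identity slapd applies to this connection's operations."""
    if c["bind_dn"] is None:
        return "no BIND sent; operations run as anonymous"
    if c["bind_dn"] == "":
        return "explicit anonymous bind"
    if c["bind_err"] is None:
        return f'bind as {c["bind_dn"]} pending (no RESULT seen)'
    if c["bind_err"] == 0:
        return f'bound as {c["bind_dn"]}'
    if c["bind_err"] == LDAP_INVALID_CREDENTIALS:
        return f'bind as {c["bind_dn"]} rejected: invalid credentials (err=49)'
    return f'bind as {c["bind_dn"]} failed: err={c["bind_err"]}'


def summarize(text: str) -> List[Tuple[int, str, str, int]]:
    """One (conn, ip, status, searches) row per connection, in conn order."""
    conns = parse_slapd_stats(text)
    return [(cid, c["ip"], classify(c), c["searches"])
            for cid, c in sorted(conns.items())]


if __name__ == "__main__":
    for cid, ip, status, searches in summarize(SAMPLE_SLAPD_LOG):
        print(f"conn={cid} ip={ip} searches={searches}: {status}")
```

Run it against the real stats output captured while the Solaris client starts (ldap_cachemgr) and performs a lookup; a connection that shows searches but no BIND record is the "never tried" case, while err=49 on the proxy DN points at the credentials or the userPassword ACL rather than at the client's bind logic.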