[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: solaris8's ldap-client with RedHat's openldap-server
My notes for installing SSL on Solaris incorrectly described an earlier
compile of OpenLDAP. As far as I know, SSL is not required for the
Solaris8 native LDAP client, but it is required for stunnel, which I use
in my configuration. Instead, the instructions should be as follows:
cd openssl-0.9.6g
./config shared
make
Sorry for the confusion.
Mark
On Fri, 2002-09-20 at 11:19, Mark Smith wrote:
> On Wed, 18 Sep 2002 17:06:47 +0200, BRINER Cedric wrote:
> >Hi,
> >Does some of you had the following configurations which runs
> >-solaris8's ldap-client
> >-RedHat's openldap-server
> >
> >if so, please tell me any hints or give me any pointers to such
> >configuration!
> >
> >thanks in Advance
> >
> >Briner
>
>
> I _almost_ have this working. I'm also interested if anyone has any tips
> on helping me make the last couple of steps. We're migrating from NIS+
> running on a Sun box to an OpenLDAP server running on RedHat. The client
> setup on the RedHat machines was fairly straightforward since everything
> was OpenLDAP and easily installed by an rpm. We have some legacy Sun
> machines that we also need to be able to authenticate with the LDAP
> server. I initially tried putting OpenLDAP clients on the Solaris
> machines (also required an installation of OpenSSL). I was able to get
> user authentication (using the native pam_unix.so on solaris and by
> specifying 'pam_passwd crypt' in slapd.conf) and the host tables to work
> properly. Sun's automountd, however, uses its native LDAP libraries,
> which didn't work when I had the OpenLDAP client installed. Since I also
> wanted the netgroup table to work, I decided to try the native LDAP
> client in Solaris8 (padl's nss_ldap doesn't have netgroup implemented).
>
> Right now, I can list the LDAP contents with 'ldaplist -l'. This even
> shows the encrypted password, meaning the proxy user is binding with the
> proper credentials to read the passwords. When I do 'getent passwd',
> however, I don't see anything in the pasword fields, and,
> correspondingly, user authentication doesn't work. If you (or anyone
> else) have tips on getting this to work, please let me know.
>
> As you probably know, documentation on this topic is fairly sparse. One
> of the most useful sites I have found so far is
> http://www.okapi.ca/up2/solaris8_ldap.php
>
> I have included my setup notes below. Since I couldn't get the Solaris8
> LDAP client to connect to my SSL-enabled server, I used stunnel. If you
> don't need SSL, you can replace 127.0.0.1 in the configuration files
> with the ip address of your LDAP server.
>
> Also, on the linux LDAP clients, I had to update pam_ldap to be able to
> change passwords, and I had to update nss_ldap to get aliases to work.
>
> NB: the notes for setting up the server (which you'll need to do first
> unless you already have a server running) are at the bottom of this
> message.
>
> -----------------------------------------
> Install SSL if required.
>
> CPPFLAGS="-I/usr/local/ssl/include"
> export CPPFLAGS
> LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib"
> export LDFLAGS
> ./configure --prefix=/usr/local/openldap --disable-bdb \
> --disable-slapd --without-cyrus-sasl --with-tls
>
> Note: the build of the shared libraries on solaris-x86 doesn't work
> properly (the libraries have an undefined symbol 'main'. To fix, add
> the flag '-nostartfiles' to the gcc command that builds them). After
> the build takes place, perform the following:
> cd openssl-0.9.6g
> gcc -G -o libcrypto.so.0.9.6 -h libcrypto.so.0.9.6 \
> -z allextract libcrypto.a -L. -lsocket -lnsl -ldl -lc \
> -nostartfiles
> gcc -G -o libssl.so.0.9.6 -h libssl.so.0.9.6 \
> -z allextract libssl.a -L. -l crypto -lsocket -lnsl -ldl -lc \
> -nostartfiles
>
>
> cp /usr/local/ssl/lib/lib{crypto,ssl}.so.0.9.6 /usr/lib
> cp /usr/local/ssl/lib/lib{crypto,ssl}.a /usr/lib
> cd /usr/lib
> ln -s libcrypto.so.0.9.6 libcrypto.so.0
> ln -s libcrypto.so.0 libcrypto.so
> ln -s libssl.so.0.9.6 libssl.so.0
> ln -s libssl.so.0 libssl.so
> cp /usr/local/ssl/lib/lib{ldap,lber}.{la,a,so.2.0.16} /usr/lib
> ln -s libldap.so.2.0.16 libldap.so.2
> ln -s libldap.so.2 libldap.so
> ln -s liblber.so.2.0.16 liblber.so.2
> ln -s liblber.so.2 liblber.so
> -----------------------------------------
> Use Solaris native LDAP client with stunnel.
> Install openssl as described above.
> compile stunnel
> cp stunnel-3.22/src/stunnel /usr/sbin
> mkdir /var/log/stunnel
>
> Set up stunnel (this should be put in ldap client startup)
> stunnel -c -d 389 -r @LDAP_SSL_SERVER_IP@:636 -P /var/log/stunnel
>
> cat > /var/ldap/ldap_client_file <<EOF
> NS_LDAP_SERVERS=127.0.0.1:389
> NS_LDAP_SEARCH_BASEDN=dc=group,dc=example,dc=com
> NS_LDAP_AUTH=NS_LDAP_AUTH_SIMPLE
> NS_LDAP_TRANSPORT_SEC=NS_LDAP_SEC_NONE
> NS_LDAP_DOMAIN=group.example.com
> EOF
> chmod 600 /var/ldap/ldap_client_file
>
> test to see if it works:
> % ldaplist
>
> make credential file for proxy authentication(?)
> cat > /var/ldap/ldap_client_cred <<EOF
> NS_LDAP_BINDDN=cn=proxyuser,dc=group,dc=example,dc=com
> NS_LDAP_BINDPASSWD={NS1}EnCrYpTeDPaSsWoRdHeRe
> EOF
> chmod 600 /var/ldap/ldap_client_cred
>
> ldap_gen_profile -P bogus -b dc=group,dc=example,dc=com \
> -a simple -w 'secretpasword' 127.0.0.1
> Note: secretpassword is what you store in /etc/ldap.secret for
> OpenLDAP clients.
>
> Copy the {NS1}AbuNcH0FJunk password generated from ldap_gen_profile to
> the appropriate line in /var/ldap/ldap_client cred
>
> Add solaris.schema to slapd config (on OpenLDAP server):
> cp solaris.schema /etc/openldap/schema
> add include line in /etc/openldap/schema for solaris.schema
>
> Add nisDomainObject to root DN:
> cat << EOF > /tmp/entry
> dn: dc=group,dc=example,dc=com
> objectclass: nisDomainObject
> nisDomain: group.example.com
> EOF
> -----------------------------------------------------------------
> Notes for setting up OpenLDAP server to handle Solaris8 native LDAP
> clients.
>
> get solaris.schema from http://www.tzone.org/~okapi/up2/solaris.schema
> replace TBD with a number (I used 1466)
> Add solaris.schema to slapd config (on OpenLDAP server):
> cp solaris.schema /etc/openldap/schema
> add include line in /etc/openldap/schema for solaris.schema
>
> When initially setting up OpenLDAP server be sure also to specify the
> nisDomain (specified below).
>
> This file describes the installation and configuration of the OpenLDAP
> server on a Linux Machine.
>
> References:
> http://www.mandrakesecure.net/en/docs/ldap-auth.php
>
> Install LDAP server packages
> ----------------------------
>
> in addition to the client packages, install: openldap-servers
>
> Server configuration files
> --------------------------
>
> chgrp ldap /etc/openldap/slapd.conf
> chmod 640 /etc/openldap/slapd.conf
> Update /etc/openldap/slapd.conf:
> + put encrypted password on 'rootpw' line (use slappasswd)
>
> make new slapd certificate:
> cd /usr/share/ssl/certs
> rm -f slapd.pem
> make slapd.pem
> chgrp ldap slapd.pem
> chmod 640 slapd.pem
>
> /etc/init.d/ldap start
>
> Check to make sure server is working:
> (make sure /etc/openldap/ldap.conf setup first)
> ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
> should return:
> dn:
> namingContexts: dc=group,dc=example,dc=com
>
> If slapd was ever run as root: chown --recursive ldap:ldap /var/lib/ldap
>
> ### OpenLDAP clients only
> Create Manager entry in database: (strip leading and trailing
> whitespace)
> cat << EOF > example.ldif
> dn: dc=group,dc=example,dc=com
> objectclass: dcObject
> objectclass: organization
> o: Wireless Research Group
> dc: group
>
> dn: cn=Manager,dc=group,dc=example,dc=com
> objectclass: organizationalRole
> cn: Manager
> EOF
>
> ### Solaris native LDAP clients included
> cat << EOF > example.ldif
> dn: dc=group,dc=example,dc=com
> objectclass: dcObject
> objectclass: nisDomainObject
> objectclass: organization
> o: Wireless Research Group
> nisDomain: group.example.com
> dc: group
>
> dn: cn=Manager,dc=group,dc=example,dc=com
> objectclass: organizationalRole
> cn: Manager
> EOF
>
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f example.ldif
> rm -f example.ldif
>
> Check to see if it works:
> ldapsearch -x -b 'dc=group,dc=example,dc=com' '(objectclass=*)'
> (should return all entries, including the one just created)
>
> Create proxyuser for authentication:
> cat << EOF > example.ldif
> dn: cn=proxyuser,dc=group,dc=example,dc=com
> cn: proxyuser
> sn: proxyuser
> objectclass: top
> objectclass: person
> userPassword: paste-encrypted-password-here
> EOF
>
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f example.ldif
> rm -f example.ldif
>
> Migration
> ---------
>
> edit defaults in /usr/share/openldap/migration/migrate_common.ph:
> $DEFAULT_MAIL_DOMAIN = "group.example.com";
> $DEFAULT_BASE = "dc=group,dc=example,dc=com";
> $DEFAULT_MAIL_HOST = "group.example.com";
> $EXTENDED_SCHEMA = 0;
>
> migrate_base.pl > base.ldif
> + remove entries for rpc, networks, services, protocols, mounts
> + remove first entry for dc=example,dc=com
> + remove entry for dc=group,dc=example,dc=com since already exists
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f base.ldif
>
> Migrate individually: passwd, automount, netgroup, aliases, hosts, group
>
> # migrate passwd
> umask 077
> niscat passwd.org_dir > passwd.txt
> migrate_passwd.pl passwd.txt passwd.ldif
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f passwd.ldif
> rm -f passwd.txt passwd.ldif
>
> # migrate automount
> ## for each automount map, do the following: (replace "auto_home" with
> mapname)
> niscat auto_home.org_dir > auto_home
> + remove entries that begin with '+'
> migrate_automount.pl auto_home nismap.ldif
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f nismap.ldif
> rm -f auto_home nismap.ldif
>
> #migrate netgroup
> scp group:/etc/netgroup .
> migrate_netgroup.pl netgroup netgroup.ldif
> migrate_netgroup_byhost.pl netgroup netgroup_byhost.ldif
> migrate_netgroup_byuser.pl netgroup netgroup_byuser.ldif
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f
> netgroup.ldif
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f
> netgroup_byhost.ldif
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f
> netgroup_byuser.ldif
> rm -f netgroup netgroup.ldif netgroup_byhost.ldif netgroup_byuser.ldif
>
> # migrate aliases
> scp group:/etc/aliases .
> migrate_aliases.pl aliases aliases.ldif
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f aliases.ldif
> rm -f aliases aliases.ldif
>
> # migrate hosts
> scp group:/etc/hosts .
> migrate_hosts.pl hosts hosts.ldif
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f hosts.ldif
> rm -f hosts hosts.ldif
>
> # migrate group
> niscat group.org_dir > group
> migrate_group.pl group group.ldif
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f group.ldif
> rm -f group group.ldif
>
>
> ######### Warning: accounts can be erased during this procedure
> To re-sync passwd database from nis:
> umask 077
> niscat passwd.org_dir > passwd.txt
> # this next step removes old accounts from LDAP
> ldapdelete -r -x -D "cn=Manager,dc=group,dc=example,dc=com"
> 'ou=People,dc=group,dc=example,dc=com' -W
> migrate_passwd.pl passwd.txt passwd.ldif
> cat <<EOF > people.ldif
> dn: ou=People,dc=group,dc=example,dc=com
> ou: People
> objectClass: top
> objectClass: organizationalUnit
> EOF
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f people.ldif
> ldapadd -x -D "cn=Manager,dc=group,dc=example,dc=com" -W -f passwd.ldif
> rm -f passwd.txt passwd.ldif people.ldif
> ######### End Warning
>
>
>
>
>
>
>
>
>
>
>