Re: Configuring Solaris 8 clients
There's a patch out to fix the reporting of OpenLDAP at the directory
tree base. Solaris depends on this to get the namingcontext and then
from that nisDomain and dc. The patch hasn't been updated in a while,
so I updated it (pretty simple, actually):
http://sapiens.wustl.edu/~sysmain/info/openldap/patches/solaris_patch-2.1.13
It's for OpenLDAP 2.1.13 but should work for 2.1.16. You also need to
compile OpenLDAP with crypt password support and the default password
hash should be crypt
password-hash {CRYPT}
You'll need to index nisDomain with an equality index
index nisDomain eq
You can test the workings of this by using the native Solaris ldapsearch
ldapsearch -b '' -s base -h 127.0.0.1 'objectclass=*'
assuming LDAP is on your local host, otherwise change the IP. This
should report back something like
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=yourdomain,dc=edu
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.3.6.1.4.1.4203.1.10.2
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.18
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
Solaris will then use this naming context to get nisDomain and dc. You
can check with
ldapsearch -b 'dc=yourdomain,dc=edu' -s base -h 127.0.0.1 'objectclass=*'
which should report something like
dn: dc=yourdomain,dc=edu
objectClass: top
objectClass: dcObject
objectClass: domain
objectClass: nisDomainObject
dc: yourdomain
nisDomain: yourdomain.edu
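As an added example that is not part of the original post, here is a small
checker for the two ldapsearch results above. It parses the LDIF that
ldapsearch prints, pulls namingContexts out of the rootDSE, and then verifies
that the entry at that base carries objectClass nisDomainObject together with
nisDomain and dc, which is what Solaris goes looking for. The LDIF samples
embedded in it are constructed from the output shown in the post (the
"unpatched" rootDSE is the same sample with the namingContexts line dropped);
the function names are my own.

```python
"""Check that an OpenLDAP server advertises what the Solaris ldapclient needs.

Added example, not from the original post.  Feed naming_contexts() the output
of   ldapsearch -b '' -s base -h <server> 'objectclass=*'   and check_base_entry()
the output of   ldapsearch -b '<namingContext>' -s base -h <server> 'objectclass=*'.
"""
import base64

# Constructed sample: the rootDSE exactly as shown in the post.
ROOTDSE_OK = """dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=yourdomain,dc=edu
supportedLDAPVersion: 3
"""

# Constructed sample: what an unpatched server might print (no namingContexts).
ROOTDSE_NO_CONTEXTS = "\n".join(
    l for l in ROOTDSE_OK.splitlines() if not l.startswith("namingContexts")) + "\n"

# Constructed sample: the base entry as shown in the post.
BASE_OK = """dn: dc=yourdomain,dc=edu
objectClass: top
objectClass: dcObject
objectClass: domain
objectClass: nisDomainObject
dc: yourdomain
nisDomain: yourdomain.edu
"""

# Constructed sample: a base entry that was never given the nisDomainObject class.
BASE_MISSING_NIS = """dn: dc=yourdomain,dc=edu
objectClass: top
objectClass: dcObject
objectClass: domain
dc: yourdomain
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Folded continuation lines (leading space) are joined back onto the
    previous line and '::' base64-encoded values are decoded.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def naming_contexts(rootdse_ldif):
    """namingContexts values advertised in the rootDSE (empty if none)."""
    return parse_ldif_entry(rootdse_ldif).get("namingcontexts", [])


def check_base_entry(base_ldif, naming_context):
    """Return a list of problems with the entry Solaris reads at the base."""
    attrs = parse_ldif_entry(base_ldif)
    problems = []
    if attrs.get("dn", [""])[0].lower() != naming_context.lower():
        problems.append("dn does not match the advertised namingContext")
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "nisdomainobject" not in classes:
        problems.append("base entry lacks objectClass nisDomainObject")
    if "nisdomain" not in attrs:
        problems.append("base entry lacks nisDomain")
    if "dc" not in attrs:
        problems.append("base entry lacks dc")
    return problems


def check_server(rootdse_ldif, base_ldif_by_dn):
    """Run both checks.  base_ldif_by_dn maps each namingContext to the LDIF
    of its base entry; an empty list means the server looks usable."""
    contexts = naming_contexts(rootdse_ldif)
    if not contexts:
        return ["rootDSE advertises no namingContexts (unpatched slapd?)"]
    problems = []
    for ctx in contexts:
        ldif = base_ldif_by_dn.get(ctx)
        if ldif is None:
            problems.append(f"{ctx}: no base entry output supplied")
            continue
        problems.extend(f"{ctx}: {p}" for p in check_base_entry(ldif, ctx))
    return problems


if __name__ == "__main__":
    print(check_server(ROOTDSE_OK, {"dc=yourdomain,dc=edu": BASE_OK}))
    print(check_server(ROOTDSE_NO_CONTEXTS, {}))
```

The first thing it reports on an unpatched server is the missing
namingContexts, which is the symptom the patch in the post addresses; the
remaining checks catch a base entry that was created as a plain dcObject
without the nisDomainObject class.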
If that all works then you can use ldap_gen_profile on Solaris to
generate a profile
ldap_gen_profile -P profile_name -a simple -D cn=proxy,dc=yourdomain,dc=edu \
    -w "proxy password" -b dc=yourdomain,dc=edu ip.of.ldap.server
This generates a profile in LDIF format. Remove the tabs and insert
that profile into your LDAP DIT. Solaris uses proxy users to bind to
the LDAP service. Configure a proxy user for Solaris, like
dn: cn=proxy,dc=yourdomain,dc=edu
objectClass: top
objectClass: person
cn: proxy
sn: Solaris Proxy User
userPassword: {CRYPT}something generated by slappasswd
and add to your LDAP DIT and then use on your clients
on Solaris 8
ldapclient -v -P profile_name -d yourdomain.edu ip.of.ldap.server
on Solaris 9
ldapclient -v init -a profileName=profile_name -a domainName=yourdomain.edu ip.of.ldap.server
to completely configure your clients.
There's nothing else on the client side that needs to be changed,
unless you're trying to do netgroups. That is a huge pain in the ass
and took me the better part of a weekend to figure out. Anyway, I got
the complete setup now -- automounts, user, group, password, netgroup,
everything, and I'm working on writing it up in case anyone else is
interested. OpenLDAP is pretty much awesome. It's all the clients out
there that are crap. I read the RFCs. Why can't they?
As a warning, if you set up your server as an LDAP client you need to
change nsswitch.conf to read
hosts: files dns ldap
networks: files ldap
protocols: files ldap
etc.
or your machine will hang during boot. This is just for the server.
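The boot hang above comes from name resolution being routed to an LDAP
server that is not up yet while the machine is still booting. As an added
example that is not part of the original post, here is a small checker for
that ordering: it reads an nsswitch.conf, reports the databases the post names
(hosts, networks, protocols) where ldap would be consulted before files, and
can rewrite those lines into the order the post recommends. The sample
nsswitch.conf is constructed and the function names are my own; the list of
databases checked is the three from the post and can be extended.

```python
"""Flag and fix nsswitch.conf lines that consult ldap before files.

Added example, not from the original post.  Only the relative order of the
'files' and 'ldap' sources matters for the boot-time problem, so action
tokens such as [NOTFOUND=return] are ignored when checking and dropped when
a flagged line is rewritten (the post's recommended lines carry none).
"""

# The databases the post names; "etc." in the post means more may apply.
DEFAULT_DATABASES = ("hosts", "networks", "protocols")

# Constructed sample: an nsswitch.conf that resolves hosts via ldap first.
SAMPLE_NSSWITCH = """# constructed sample, not a real Solaris file
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
"""


def parse_nsswitch(text):
    """Map each database name to its ordered list of source names."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = [t for t in sources.split() if not t.startswith("[")]
    return databases


def ldap_before_files(text, names=DEFAULT_DATABASES):
    """Names of the checked databases whose lookups would hit ldap before files."""
    bad = []
    for name, sources in parse_nsswitch(text).items():
        if name not in names or "ldap" not in sources:
            continue
        if "files" not in sources or sources.index("ldap") < sources.index("files"):
            bad.append(name)
    return bad


def reorder_line(name, sources):
    """Rebuild a line as 'name: files [dns] ... ldap', the order the post gives."""
    head = ["files", "dns"] if name == "hosts" else ["files"]
    middle = [s for s in sources if s not in head and s != "ldap"]
    return f"{name}: {' '.join(head + middle + ['ldap'])}"


def fix_nsswitch(text, names=DEFAULT_DATABASES):
    """Return the file with every flagged line reordered; other lines untouched."""
    flagged = set(ldap_before_files(text, names))
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, _, sources = line.partition(":")
        name = name.strip()
        if ":" in line and name in flagged:
            tokens = [t for t in sources.split() if not t.startswith("[")]
            out.append(reorder_line(name, tokens))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("ldap before files in:", ldap_before_files(SAMPLE_NSSWITCH))
    print(fix_nsswitch(SAMPLE_NSSWITCH))
```

Run it against /etc/nsswitch.conf on the server after ldapclient has
installed its default nsswitch.ldap; the post notes that file "may need
editing", and this is the edit it has in mind.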
I may have forgotten something. Let me know.
HTH.
On Wednesday, March 26, 2003, at 08:28 AM, Igor Brezac wrote:
On Wed, 26 Mar 2003, Quanah Gibson-Mount wrote:
--On Wednesday, March 26, 2003 8:56 AM -0500 Igor Brezac <igor@ipass.net> wrote:
This is a bit too simplistic and it will not work on Solaris 9 until
ldap_cachemgr is started. To make this setup complete you need to add
your domain to /etc/defaultdomain, /etc/init.d/ldap.client start and
restart nscd (/etc/init.d/nscd stop and then start). nscd does not need
to run in order for this to work, in the long run you do want nscd
running. For more check out:
Solaris 9
http://docs.sun.com/db/doc/806-4077/6jd6blbdk?a=view
Igor,
On my Solaris 9 box, at least, running that command started up nscd and the
ldap cache manager. It has been running on my system for several weeks
without problem. It also created /etc/defaultdomain.
I stand corrected. ldapclient will do all of this for you. You do need
to cleanup a bit after it runs. ldapclient restarts some services which
are not necessarily running (automounter in my case) and it installs a
default nsswitch.ldap which may need editing. On Solaris 8 you have to do
this by hand; however, ldap_cachemgr is not required to run in order for
the ldap client to operate. I do recommend getting solaris schema from
the links I mentioned earlier. Unfortunately, automatic setup does not
work for both Solaris (8|9). You need to patch openldap, or Sun needs to
fix the ldapclient and specify what attributes it needs from rootDN.
--
Igor
John Kloss <jkloss@sapiens.wustl.edu>
System Administrator, Database Administrator, Programmer
Gish Lab, Genome Sequencing Center
Washington University . . . in St. Louis