Re: Configuring Solaris 8 clients
It looks like your /var/ldap/ldap_client_cred file lacks the
NS_LDAP_BINDDN_PASSWD. The solaris client can only bind as an
anonymous user. In fact your ldap_client_file states that with
NS_LDAP_AUTH=NS_LDAP_AUTH_NONE. If you allow anonymous searching and
reading of your ldap directory, then that's fine, not safe but fine.
However, if you have an ACL like
access to *
by users read
by * none
Then the solaris client can't bind to the ldap server.
The NS_LDAP_BINDDN_PASSWD={NS1}.... is a crypt password under solaris
8. It is either fetched from the solaris profile stored under your
directory tree as
dn: cn=profile_name,ou=Profile,dc=amath,dc=unc,dc=edu
SolarisBindDN: cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu
SolarisBindPassword: {NS1}...
SolarisLDAPServers: ...
The ldif for the above is generated by the ldap_gen_profile. The
profile will be fetched by the solaris client via
ldapclient -P profile_name -d amath.unc.edu ip.of.ldap.server
And will store the required info under
/var/ldap/ldap_client_cred
/var/ldap/ldap_client_file
The NS_LDAP_BINDDN_PASSWD can also be generated by ldapclient command
ldapclient -i -a simple -b dc=amath,dc=unc,dc=edu -d amath.unc.edu -D
cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu -w "some password"
ip.of.ldap.server
The client will then initialize itself without fetching a profile from
the ldap server. Again, this will store the required info under
ldap_client_cred (where NS_LDAP_BINDDN_PASSWD will be along with
NS_LDAP_BINDDN) and ldap_client_file.
You then need to have an actual proxy user in your ldap DIT. I'm sure
you have that, but make sure you generate the password via
slappasswd -h {CRYPT} -w "some password"
and cut and paste the generated password into the userPassword: field
for cn=solaris,ou=ldapusers,...
Check to see if you can bind as that user first
ldapsearch -x -D 'cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu' -w
"some password" 'objectClass=*'
If that works and you get a dump of your DIT (assuming ACLs permit it)
then your solaris client should be able to connect.
On solaris 8 and solaris 9 the login process _does_ use pam. One thing
that might work is to change the stacking for login under pam.conf
login auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login auth required /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
This will set the order for login to first check traditional unix
systems (getpwent, etc.) and then switch to ldap if the first method
fails. The use_first_pass tells the stack to use the password first
given by the user, that is don't ask for it again.
HTH
On Thursday, March 27, 2003, at 12:16 AM, Matthew Mauzy wrote:
Thanks for the examples but I'm still not able to configure solaris 8
as a client of the openldap 2.1.12 server.
Here's my /var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 152.2.104.6:389
NS_LDAP_SEARCH_BASEDN= dc=amath,dc=unc,dc=edu
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_NOREF
NS_LDAP_DOMAIN= amath.unc.edu
NS_LDAP_EXP= 1045640377
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=amath,dc=unc,dc=edu),
group:(ou=People,dc=amath,dc=unc,dc=edu)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
Here's my /var/ldap/ldap_client_cred
NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu
I've edited /etc/nsswitch.conf to place ldap into the passwd, group,
hosts, etc., but when I run listusers all I get are the local users.
My questions:
- For the BINDDN, don't I need the password? When adding that 'user'
into the LDAP dir, why is it that the NS_LDAP_BINDDN_PASSWD has the
{NS1} stuff?
- Would upgrading to openLDAP 2.1.16 solve any of these problems?
For Solaris 9 I've run the ldapclient command that you supplied (with
proper alterations for my LDAP system) and am able to get all of the
LDAP users with listusers (yah!), but when I try and login to one of
the LDAP accounts I get incorrect password errors. I can su - <ldap
account> so I'm getting proper info from the LDAP server. Is this a
PAM problem???
Thanks again to everyone who sent suggestions and responses to my
earlier email.
--Matthew
--On Wednesday, March 26, 2003 12:29 AM -0800 Quanah Gibson-Mount
<quanah@stanford.edu> wrote:
--On Wednesday, March 26, 2003 9:14 AM +0100 Ramon Corominas
<rcorominas@citec.es> wrote:
Hi,
Where can I get documentation about configuring solaris clients ?
Thanks in advance,
Ramon,
I got it working in Solaris 9 in the following fashion:
To set up a Solaris 9 machine for LDAP instead of NIS, one simply
needs to do the following:
edit /etc/nsswitch.ldap
Change the hosts: line from
hosts: ldap [blah.....] files
to
hosts: files dns
and then run this command:
ldapclient manual -a authenticationMethod=none -a
defaultSearchBase=dc=stanford,dc=edu -a
defaultServerList="ldap-test1.Stanford.EDU" -a
domainName="stanford.edu"
-a followReferrals=false -a
serviceSearchDescriptor=passwd:cn=accounts,dc=stanford,dc=edu\?sub -a
serviceSearchDescriptor=group:cn=accounts,dc=stanford,dc=edu\?sub
Of course, this only works for Stanford, but it gives you an idea how
to configure it.
For Solaris 8:
1. Create /var/ldap/ldap_client_file
#
# Do not edit this file manually; your changes will be lost. Please use
# ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 172.24.14.237:389
NS_LDAP_SEARCH_BASEDN= dc=stanford,dc=edu
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_NOREF
NS_LDAP_DOMAIN= stanford.edu
NS_LDAP_EXP= 1045640377
NS_LDAP_SEARCH_DN= passwd:(cn=accounts,dc=stanford,dc=edu),
group:(cn=accounts,dc=stanford,dc=edu)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
2. Create /var/ldap/ldap_client_cred:
#
# Do not edit this file manually; your changes will be lost. Please use
# ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=accounts,dc=stanford,dc=edu
3. Edit /etc/nsswitch.conf so the passwd: line reads:
passwd: files ldap
4. Test:
/usr/bin/listusers
--Quanah
--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
__________________________________________________________________
Matthew W. Mauzy
Systems Administrator
Applied Math @ UNC-CH
email : mauzy@amath.unc.edu pager : mpager@amath.unc.edu
(W) 919.962.9819 www.amath.unc.edu/~mauzy/ (P) 919.347.0390
__________________________________________________________________
John Kloss <jkloss@sapiens.wustl.edu>
System Administrator, Database Administrator, Programmer
Gish Lab, Genome Sequencing Center
Washington University . . . in St. Louis
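An added check (not code from anyone in this thread) that audits a Solaris 8 ldap_client_file / ldap_client_cred pair for the problem John describes at the top: a bind DN without NS_LDAP_BINDDN_PASSWD under NS_LDAP_AUTH_NONE, which leaves the client binding anonymously and locked out by a "by users read / by * none" ACL. The sample input is constructed from the files Matthew quoted.

```python
# Added example: audit Solaris 8 NS_LDAP_* client files for the anonymous-bind
# misconfiguration discussed in the thread. Not from the thread or from Sun.

# Constructed sample input, copied from the files quoted in Matthew's mail.
CLIENT_FILE = """\
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 152.2.104.6:389
NS_LDAP_SEARCH_BASEDN= dc=amath,dc=unc,dc=edu
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
"""
CLIENT_CRED = "NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=amath,dc=unc,dc=edu\n"


def parse_ns_ldap(text):
    """Parse 'KEY= value' lines; '#' lines are the comments ldapclient writes."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only: values such as dc=amath,dc=unc contain '='.
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(client_file, client_cred):
    """Return a list of findings; an empty list means the pair is consistent."""
    cfg = parse_ns_ldap(client_file)
    cred = parse_ns_ldap(client_cred)
    findings = []
    binddn = cred.get("NS_LDAP_BINDDN")
    passwd = cred.get("NS_LDAP_BINDDN_PASSWD", "")
    if binddn and not passwd:
        findings.append("NS_LDAP_BINDDN set but NS_LDAP_BINDDN_PASSWD missing: "
                        "client can only bind anonymously")
    if cfg.get("NS_LDAP_AUTH") == "NS_LDAP_AUTH_NONE" and binddn:
        findings.append("NS_LDAP_AUTH=NS_LDAP_AUTH_NONE: re-run ldapclient -a simple "
                        "or fetch a profile carrying SolarisBindDN/SolarisBindPassword")
    if passwd and not passwd.startswith("{NS1}"):
        findings.append("NS_LDAP_BINDDN_PASSWD is not in the {NS1} form ldapclient writes")
    if cfg.get("NS_LDAP_TRANSPORT_SEC") == "NS_LDAP_SEC_NONE" and passwd:
        findings.append("proxy credentials sent with NS_LDAP_SEC_NONE (no TLS, cleartext)")
    return findings


if __name__ == "__main__":
    for f in audit(CLIENT_FILE, CLIENT_CRED):
        print("FINDING:", f)
```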