0) As mentioned in previous email, use "ldapclient -i", not "ldapclient -P".

Make sure you have the following TWO ACLs assigned to the baseDN,
dc=composers,dc=foo,dc=com. Actually the FIRST ONE is needed; the SECOND ONE
is to secure the naming service. Note that these two ACLs are NOT my creation;
they exist in any normal installation of SUN ONE DS5.2. For the FIRST ONE, it
was "allow (compare,read,search)"; I removed "read" so that userPasswords WILL
BE MASKED OFF while running "ldaplist" or "ldapaddent -D" commands.

1) (target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword")
   (version 3.0; acl LDAP_Naming_Services_proxy_password_read;
   allow (compare,search)
   userdn = "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)

2) (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")
   (version 3.0; acl LDAP_Naming_Services_deny_write_access;
   deny (write) userdn = "ldap:///self";)

3) Also I noticed you have:
===
dn: cn=default,ou=profile,dc=foo,dc=com
...
defaultSearchBase: dc=foo,dc=com
...
===
IIRC it should be set to:
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
...
defaultSearchBase: dc=composers,dc=foo,dc=com
...

4) Don't forget to add the IP address for cnyitlin02.composers.foo.com in
/etc/hosts, on top of DNS, or replace it with the IP address in the default
profile.

HTH.

Gary

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Igor
Sent: Thursday, August 25, 2005 1:18 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: getting solaris 8 to talk to FDS

--- Justin Albstmeijer <justin at VLAMea.nl> wrote:
>
> My 2 cents
>
> - test with: ldapsearch -h ldapserver.domain.nl -s base -b ""
>   "objectclass=*" , to see if you can query the server.

I went ahead and got the ldapsearch. It worked. ldaplist is just busted,
I guess.

> - make sure the posix account has the "shadowAccount" attribute

Added it. I went to user, properties, posixAccount, advanced, add value ->
shadowAccount. Not sure if that's the right way of doing it or not...

> - SSHA is default used by FDS for password encryption.. this should be
>   CRYPT.

Done -- thank you!

> - make sure to use "simple" instead of "tls:simple" for your initial tests
> - use : ldapclient -v -P default -D
>   "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d domain.nl -w
>   proxy_password {ipnumber_ldap_server} , to create the ldap_file &
>   ldap_cred files

Yea -- that's where I hit another problem:

Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=composers.foo.com))"
rootDN[0] dc=foo,dc=com
found baseDN nisdomain=composers.foo.com,dc=foo,dc=com for domain composers.foo.com
The download of the profile failed.
Could not read the profile 'default'.
Perhaps it does not exist or you don't have sufficient rights to read it.

However, from the FDS server itself, ldapsearch -x shows this:

(snipped)
# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: default
defaultSearchScope: one

So, the profile is there but what's this about the rights???

> - make sure you run the latest recommended patch cluster.

Did that already.

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
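The security point in Gary's reply is easy to lose in the ACI syntax: the stock Solaris naming-service ACI grants the proxyagent "read" on userPassword, so every host holding the proxy credential (and anyone who can read /var/ldap/ldap_client_cred on it) can pull every account's password hash; dropping "read" and keeping only "compare,search" is what lets PAM still authenticate while keeping hashes off the wire, and the second ACI keeps users from rewriting their own uidNumber/gidNumber. The following is an added example, not code from the thread or from Sun/FDS: a small parser for the ACI string form shown above, plus a check that flags either of those two mistakes. It handles only the subset of ACI syntax the two ACIs use (target, targetattr, one or more allow/deny clauses with a userdn or groupdn bind rule); negated targetattr, targetfilter and other bind rules are out of scope. The ACI strings embedded below are the thread's two ACIs plus a constructed copy of the stock "compare,read,search" form, so it runs offline.

```python
"""Parse Sun ONE / Fedora DS ACI strings and check the two naming-service
ACIs discussed in the thread (added example, not code from the thread)."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Sample input, copied from the thread. The proxy ACI is Gary's version,
# with "read" already removed.
PROXY_PASSWORD_ACI = (
    '(target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword")'
    '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; '
    'allow (compare,search) '
    'userdn = "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)'
)
DENY_SELF_WRITE_ACI = (
    '(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||'
    'shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||'
    'memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;'
    'deny (write) userdn = "ldap:///self";)'
)
# Constructed: the stock form of the first ACI, before "read" was removed.
STOCK_PROXY_PASSWORD_ACI = PROXY_PASSWORD_ACI.replace(
    "(compare,search)", "(compare,read,search)")


@dataclass
class Rule:
    effect: str              # "allow" or "deny"
    perms: FrozenSet[str]    # e.g. {"compare", "search"}
    subject_kind: str        # "userdn" or "groupdn"
    subject: str             # e.g. "ldap:///self"


@dataclass
class Aci:
    name: str
    target: Optional[str]
    targetattrs: FrozenSet[str]   # empty set means "all attributes"
    rules: List[Rule] = field(default_factory=list)


_TARGET = re.compile(r'\(target\s*=\s*"([^"]*)"\)')
_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)')
_NAME = re.compile(r'\bacl\s+"?([^";]+?)"?\s*;')
_RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn)\s*=\s*"([^"]*)"')


def parse_aci(text: str) -> Aci:
    """Parse one ACI value. Attribute and permission names are lower-cased
    because LDAP treats them case-insensitively."""
    name = _NAME.search(text)
    if not name:
        raise ValueError("no acl name found in ACI")
    target = _TARGET.search(text)
    ta = _TARGETATTR.search(text)
    attrs = frozenset(a.strip().lower() for a in ta.group(1).split("||")) if ta else frozenset()
    if "*" in attrs:
        attrs = frozenset()            # targetattr="*" also means every attribute
    rules = [
        Rule(effect, frozenset(p.strip().lower() for p in perms.split(",") if p.strip()), kind, subj)
        for effect, perms, kind, subj in _RULE.findall(text)
    ]
    return Aci(name.group(1).strip(), target.group(1) if target else None, attrs, rules)


# Attributes a user must not be able to change on their own entry; writing
# uidNumber/gidNumber would let them become any local uid, including 0.
PROTECTED_ATTRS = frozenset({"uidnumber", "gidnumber", "homedirectory", "memberuid"})


def check_naming_service_acis(aci_texts: List[str]) -> List[str]:
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    acis = [parse_aci(t) for t in aci_texts]

    # 1. Nobody except the entry itself may *read* userPassword.
    for aci in acis:
        if aci.targetattrs and "userpassword" not in aci.targetattrs:
            continue
        for r in aci.rules:
            if r.effect == "allow" and (r.perms & {"read", "all"}) and r.subject != "ldap:///self":
                findings.append(f"{aci.name}: userPassword is readable by {r.subject}")

    # 2. An explicit deny(write) for self must cover the protected attributes.
    denied = set()
    for aci in acis:
        for r in aci.rules:
            if r.effect == "deny" and (r.perms & {"write", "all"}) and r.subject == "ldap:///self":
                denied |= (aci.targetattrs or PROTECTED_ATTRS)
    missing = PROTECTED_ATTRS - denied
    if missing:
        findings.append("self can still write: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for label, acis in (("thread ACIs", [PROXY_PASSWORD_ACI, DENY_SELF_WRITE_ACI]),
                        ("stock ACIs", [STOCK_PROXY_PASSWORD_ACI, DENY_SELF_WRITE_ACI])):
        print(label, "->", check_naming_service_acis(acis) or "OK")
```

To run this against a live server instead of the embedded strings, feed it the `aci` values of the base entry (for example the output of `ldapsearch -D "cn=Directory Manager" -W -b dc=composers,dc=foo,dc=com -s base aci`); the checker is deliberately conservative and reports any non-self principal that is allowed "read" or "all" on an ACI whose targetattr includes userPassword.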