=== Do you still think I need to change my defaultSearchDN? Also, must those ACLs be added still? Because it looks like you're doing a manual config, right? ===

Yes, I think you should set baseDN (defaultSearchBase) to dc=composers,dc=foo,dc=com, NOT dc=foo,dc=com; it should correspond to the LDAP domain (nisdomain) name, i.e. composers.foo.com, which you set in the rootDN entry nisDomainObject.

Yes, set the ACLs to allow proxyAgent to read the LDAP DIT.

Yes, "ldapclient -i" is manual config. I use it as "ldapclient -P" failed me when I tried to use TLS. If "ldapclient -P" works for you with or without TLS, by all means use this syntax.

Your passwd SSD should then be ou=People,dc=composers,dc=foo,dc=com?one
Your shadow SSD should then be ou=People,dc=composers,dc=foo,dc=com?one
Your group SSD should then be ou=group,dc=composers,dc=foo,dc=com?one
(SSD = serviceSearchDescriptor)

Please re-install FDS7.1 using baseDN=dc=composers,dc=foo,dc=com, and create an ldif file to re-populate your LDAP data using this baseDN, including the needed DUAConfigProfile, proxyAgent and sample People/group entries; the proxyAgent DN in your ldif file should be cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com.
# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=composers,dc=foo,dc=com

# tls_profile, profile, composers.foo.com
dn: cn=tls_profile,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
defaultSearchScope: one
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=composers,dc=foo,dc=com

Read the Solaris 8 "man ldapclient" page: there is no such valid value "default" for the "-a" option. Please use "-a simple" and rerun "ldapclient -v -i ...". If you omit "-a", it defaults to "none", so proxyDN/PW are not really needed; that was why you have this msg in the "ldapclient" result: No proxyDN/proxyPassword required.
/usr/sbin/ldapclient -v -i -a simple -b dc=composers,dc=foo,dc=com -c proxy \
  -D cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com -w password \
  -S "passwd: ou=People,dc=composers,dc=foo,dc=com?one" \
  -S "shadow: ou=People,dc=composers,dc=foo,dc=com?one" \
  -S "group: ou=group,dc=composers,dc=foo,dc=com?one" \
  -S "netgroup: ou=netgroup,dc=composers,dc=foo,dc=com?one" \
  149.85.70.17

You seemed to jump very fast. Before checking "id testdba" or "getent passwd testdba", first check these step-by-step:

# ldapclient -l
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}...
NS_LDAP_SERVERS= 149.85.70.17
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=foo,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=foo,dc=com?one

# /usr/lib/ldap/ldap_cachemgr -g
Does it say LDAP cache manager is UP and running?

# cat /var/ldap/cachemgr.log
Any critical error?

# ldaplist -l passwd testdba
It should display something like:

dn: uid=testdba,ou=People,dc=composers,dc=foo,dc=com
givenName: Test
sn: DBA
loginShell: /bin/sh
uidNumber: 1111
gidNumber: 111
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testdba
cn: Test DBA
homeDirectory: /home/testdba

If "ldaplist -l passwd testdba" fails, don't expect "id testdba" and "getent passwd testdba" to work.

Gary

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com on behalf of Igor
Sent: Thu 8/25/2005 9:39 PM
To: General discussion list for the Fedora Directory server project.
Cc:
Subject: RE: getting solaris 8 to talk to FDS

Gary, thank you for the replies.

(I do have the patch you mentioned:)

bash-2.03# showrev -p | grep "^Patch: 108993-48"
Patch: 108993-48 Obsoletes: 108827-40, 108991-18, 109322-09, 109461-03, 111641-0 [...]

--- "Tay, Gary" <Gary_Tay at platts.com> wrote:

> 0) As mentioned in previous email, use "ldapclient -i", not "ldapclient
> -P".
>

I did. It kept failing until I got rid of "-a default":

Handling manual option
Unable to set value: invalid authenticationMethod (default)

Getting rid of -a default:

bash-2.03# /usr/sbin/ldapclient -v -i -b dc=foo,dc=com -c proxy -D uid=proxyAgent,ou=profile,dc=foo,dc=com -w password -S "passwd: ou=People,dc=foo,dc=com?one" -S "shadow: ou=People,dc=foo,dc=com?one" -S "group: ou=group,dc=caxton,dc=com?one" -S "netgroup: ou=netgroup,dc=foo,dc=com?one" 149.85.70.17
Arguments parsed:
        defaultSearchBase: dc=foo,dc=com
        credentialLevel: proxy
        proxyDN: uid=proxyAgent,ou=profile,dc=foo,dc=com
        serviceSearchDescriptor:
                arg[0]: passwd: ou=People,dc=foo,dc=com?one
                arg[1]: shadow: ou=People,dc=foo,dc=com?one
                arg[2]: group: ou=group,dc=foo,dc=com?one
                arg[3]: netgroup: ou=netgroup,dc=foo,dc=com?one
        proxyPassword: password
        defaultServerList: 149.85.70.17
Handling manual option
Proxy DN: uid=proxyAgent,ou=profile,dc=foo,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "composers.foo.com"
file_backup: stat(/var/yp/binding/composers.foo.com)=-1
file_backup: No /var/yp/binding/composers.foo.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname composers.foo.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
System successfully configured
bash-2.03# id testdba
id: invalid user name: "testdba"
bash-2.03#

So, looks like it worked but I can't authenticate any users. "id testdba" produces traffic on the FDS server, so it's definitely trying to query it but can't resolve anything.

Also, I have two profiles:

# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one

# tls_profile, profile, foo.com
dn: cn=tls_profile,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
defaultSearchScope: one

My default profile doesn't have those 3 searchDescriptors. Or we are not using profiles anymore? Just curious...

Do you still think I need to change my defaultSearchDN?
Also, must those ACLs be added still? Because it looks like you're doing a manual config, right?

Thank you for your help, Gary.

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
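As an added example (not code from this thread, nor from FDS or Solaris), here is a small Python checker for the DUAConfigProfile mistakes Gary walks through above: a defaultSearchBase that does not correspond to the NIS domain, an authenticationMethod such as "default" that ldapclient does not accept, and a default profile lacking the passwd/shadow/group serviceSearchDescriptors. It assumes plain, unwrapped, unencoded LDIF, and its input is a constructed copy of the asker's default profile.

```python
# Added example, not code from the thread: flags the DUAConfigProfile mistakes
# worked through above. VALID_AUTH is the Solaris 8 ldapclient(1M) value set.
VALID_AUTH = {"none", "simple", "sasl/CRAM-MD5", "sasl/DIGEST-MD5",
              "tls:simple", "tls:sasl/CRAM-MD5", "tls:sasl/DIGEST-MD5"}
REQUIRED_SSD = {"passwd", "shadow", "group"}  # without these, id/getent cannot resolve users

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; '#' comment lines are skipped."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def domain_to_base(nisdomain):
    """composers.foo.com -> dc=composers,dc=foo,dc=com (the base the domain implies)."""
    return ",".join("dc=" + p for p in nisdomain.lower().split("."))

def check_profile(entry, nisdomain):
    """Return the list of problems in one profile entry (empty list means OK)."""
    problems = []
    base = entry.get("defaultSearchBase", [""])[0].replace(" ", "").lower()
    if base != domain_to_base(nisdomain):
        problems.append(f"defaultSearchBase {base!r} does not match domain {nisdomain}")
    auth = entry.get("authenticationMethod", ["none"])[0]
    if not all(m.strip() in VALID_AUTH for m in auth.split(";")):
        problems.append(f"invalid authenticationMethod {auth!r}")
    elif auth == "none" and entry.get("credentialLevel", [""])[0] == "proxy":
        problems.append("authenticationMethod none: proxyDN/proxyPassword will be ignored")
    have = {v.split(":")[0].strip() for v in entry.get("serviceSearchDescriptor", [])}
    if REQUIRED_SSD - have:
        problems.append("missing serviceSearchDescriptor for " + ", ".join(sorted(REQUIRED_SSD - have)))
    return problems

# Constructed sample: the asker's default profile (base dc=foo,dc=com, no SSDs).
SAMPLE_LDIF = """\
# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
objectClass: DUAConfigProfile
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
credentialLevel: proxy
"""
```

Running check_profile over each parsed entry with the NIS domain (composers.foo.com here) gives an empty list only for a profile that would let "ldaplist -l passwd" succeed.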