Sorry, one correction on the content of /var/ldap/ldap_client_cred.

NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411

-----Original Message-----
From: Tay, Gary
Sent: Friday, July 15, 2005 7:53 PM
To: 'General discussion list for the Fedora Directory server project.'
Subject: RE: Solaris Native LDAP Client against FDS7.1 Server

FDS folks, I just tried my procedures on a Solaris8 Native LDAP Client, It works!!!

I forgot to mention ONE IMPORTANT point, APPLY the latest kernel and LDAP patches prior to anything, otherwise some error in /etc/pam.conf may render your LDAP client "un-loginable" due to unrecognizable keywords/options/flags.

Solaris8: kernel patch + 108993
Solaris9: kernel patch + 112960
Solaris10: I don't know, I have not touched one such yet, check sunsolve patches info.

Some modifications to 99user.ldif were done by me, I am not sure if they are really needed, anyway I list them here as FYI:

I removed these lines from 99user.ldif
- modifiersName: cn=directory manager
- mModifyTimestamp: 20050427082543Z
- All "aci:" lines
- nsSchemaCSN: 429ddf1d000000000000

Note that after setting up 99user.ldif in $LDAP_ROOT/slapd-`hostname`/config/schema directory, you have to restart slapd to load the new schema definitions, as Rich has said earlier.
You may use this sample ldif to create proxyAgent and sample ldapclient profiles.ldif, it assumes password of proxyAgent is "password", if you want to use a different password for proxyAgent, you may use /opt/fedora-ds/slapd-`hostname`/getpwenc to find the {CRYPT} hash, for the {NS1} hash, there is a trick to get one generated on a Solaris8 machine, read my post at
http://forum.sun.com/thread.jspa?threadID=25436&tstart=0

# cat proxyAgent_and_sample_profiles.ldif
dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2

dn: cn=tls_profile,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com
serviceSearchDescriptor: group: ou=group,dc=example,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com

FDS seems to check tightly on objectClasses, if I omit "objectClass: top" from the profile definitions, it will complain that "objectClass: DUAConfigProfile" is not a valid "attribute" during ldapadd.
This is the /var/ldap/ldap_client_file I used:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 2

And /var/ldap/ldap_client_cred, it assumes proxyAgent password is "password"

NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=platts,dc=mhm,dc=mhc
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411

Make sure you "chmod 400 /var/ldap/ldap_client_???"

Copy /etc/nsswitch.ldap to /etc/nsswitch.conf, edit nsswitch.conf and make sure that these lines exist:

passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns

Set Solaris LDAP domain name, this is a one time execution only

# echo "example.com" >/etc/defaultdomain
# domainname `cat /etc/defaultdomain`

Now try to refresh ldap_cachemgr and nscd

# /etc/init.d/ldap.client stop
# /etc/init.d/ldap.client start
# ps -ef | grep ldap
# /usr/lib/ldap/ldap_cachemgr -g
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
# ps -ef | grep nscd

Note that I DID NOT EVEN BOTHER to run "ldapclient init ..." or "ldapclient manual ...", if I DO run it, I have to press CTRL-C to break it so it runs to completion.

IMPORTANT NOTE: One side effect of running "ldapclient" is that it resets "hosts: files dns" in /etc/nsswitch.conf to "hosts: ldap files" and this affects the DNS names lookup, it is always advisable to double check the "hosts:" entry in /etc/nsswitch.conf and adjust it back to the desired "files dns" setting.

I used the sample pam.conf from this URL with all "pam_unix_cred.so.1" lines commented out as they are meant for Solaris10, do not comment them out if you are using Solaris10.
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view

Have funs and good lucks!
Rgds
Gary

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Tay, Gary
Sent: Friday, July 15, 2005 12:39 PM
To: General discussion list for the Fedora Directory server project.
Subject: **Caution-External**: RE: Solaris Native LDAP Client against FDS7.1 Server

IIRC the two .schema files in my OpenLDAP HOW-TO are actually equivalent to the 99user.ldif (residing in $LDAP_ROOT/slapd-`hostname`/config/schema) file provided by SUN ONE DS5.2, i.e. DUAConfigProfile.schema + solaris.schema = 99user.ldif. So if there is an existing Solaris8/9 DS5.2 server, simply copy 99user.ldif from DS5.2 over to FDS7.1.

Someone who is using Oracle Internet Directory had asked me in supportforum.sun.com how to configure Solaris Native LDAP Client to authenticate against OID, I had some brief instructions given there, I reproduced and modified them a bit as quick notes here. PLEASE NOTE that I haven't tried these steps but believe they should work as FDS7.1 is similar to DS5.2, anyone who has tried these please feel free to comment and add.

===

To make Solaris Native LDAP Clients (Solaris8 or Solaris9) work against FDS7.1 Server, you would have to do a little hacking to make FDS7.1 Server act like a SUN DS5.2 ldapclient profile(s) provider, as described in the following notes,

- Add "nisDomain" to rootDN object (eg: object is dc=example,dc=com) so that "ldapclient" will be able to find this nisDomainObject, using ldapmodify or GUI based tools.

  objectClass: nisDomainObject
  nisDomain: example.com

- Copy schema 99user.ldif from DS5.2 to FDS7.1

- Create ou=profile OU object and add cn=ProxyAgent as a proxy credentials proxy user under it

- Create "default" or "customized" ldapclient profile(s) under the ou=profile subtree for simple bind or simple bind + TLS or whatever, using manually prepared ldif file or ldif generated by "ldapclient genprofile" command, read "man ldapclient" for more details.
- Setup two ACLs under dc=example,dc=com object, ACL1 should appear before ACL2, they are actually present in any typical SUN ONE DS5.2

  1. LDAP_Naming_Services_deny_write_access

  (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)

  2. LDAP_Naming_Services_proxy_password_read

  (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)

  Tips: delete the word "read" if you do not want "ldaplist -l passwd" to list userPassword(s), i.e. it becomes:

  (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)

- It is advisable to set password hash scheme to CRYPT in FDS7.1.

- It is advisable to add "shadowAccount" objectclass to your user entries, on top of "posixAccount".

- Note that Solaris "ldapclient" has an irritating act that it will reset the "hosts:" entry to "hosts: files ldap" or something that puts "ldap" in front of "dns", this should be adjusted back to "hosts: files dns", otherwise something like telnet/ftp/ssh will break on hostname lookup as the hosts lookup using "ldap" goes recursive.

Rgds
Gary

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Friday, July 15, 2005 3:21 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: Solaris Client

Brian Martinez wrote:
> George,
>
> That is correct, we are attempting to use the FDS7 as a central
> authentication system for Solaris 10 NSS Clients with a PAM backend.
>
> We believe that we are missing the proper schemas on the server
> (DUAConfigProfile and Solaris) to support the Solaris Clients. The
> ones on Tay's website seem to be in the wrong format (schema instead
> of ldif)...or we just don't know how to import them!
You can use this script
http://www.directory.fedora.redhat.com/download/ol-schema-migrate.pl
found on this page
http://directory.fedora.redhat.com/wiki/Howto:OpenLDAPMigration
to convert .schema files to .ldif schema files. e.g.

perl ol-schema-migrate.pl solaris.schema > slapd-myhost/config/schema/61solaris.ldif

Then restart slapd
>
> We have been scrounging his site for clues/ideas...developers on the
> client side are convinced the server is the issue...developers on the
> server side believe it is the client. My take is that we already have
> the server "most" of the way, because we are successfully
> authenticating Linux clients securely to the FDS7 server and we are
> missing some essential piece on the server side to solve the Solaris
> puzzle.
>
> If you have any further thoughts, ideas, or prayers...feel free to
> send them our way.
>
>> From: "George Holbert" <gholbert at broadcom.com>
>> Reply-To: "General discussion list for the Fedora Directory server
>> project." <fedora-directory-users at redhat.com>
>> To: "General discussion list for the Fedora Directory server
>> project." <fedora-directory-users at redhat.com>
>> Subject: Re: Solaris Client
>> Date: Thu, 14 Jul 2005 11:08:06 -0700
>>
>> Hi Brian,
>>
>> By "Solaris Clients", I assume you mean Solaris naming service (for
>> passwd, group, etc.).
>>
>> The answer is yes. Any modern, properly configured LDAP server,
>> including Fedora DS, can support Solaris naming service. However,
>> getting the server "properly configured" can be tricky.
>>
>> However, since Sun's own directory server ("Sun Java Enterprise
>> System Directory Server") is so very similar to Fedora DS, much of
>> the same preparation methods and documentation regarding SunDS will
>> apply directly to Fedora DS.
>>
>> A good starting point would be Gary Tay's fine documentation at:
>> http://web.singnet.com.sg/~garyttt/
>>
>> Gary's docs were written around iPlanet/Sun DS, but as I mentioned,
>> pretty much all of this should also apply to Fedora DS.
>>
>> Good luck!
>> -- George
>>
>>
>> Brian Martinez wrote:
>>
>>> All,
>>>
>>> Does the Fedora DS support Solaris Clients? If so, where can I find
>>> information, schema examples, etc....
>>>
>>> Thanks in advance,
>>> Brian
>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>
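Two points from Gary's notes earlier in this thread lend themselves to a mechanical check before anything is loaded into the directory: every profile entry needs "objectClass: top" (FDS rejects the add otherwise), and the proxy agent's ACL on userPassword should grant compare and search but, per the tip, not read, while the deny-write ACL must keep users from rewriting their own uid/uidNumber/gidNumber. The script below is an added example, not code from the thread, from Fedora DS or from Sun: it parses a profile LDIF and the two ACI strings and reports those pitfalls. The LDIF reader, the ACI regular expression and the PROFILE_REQUIRED attribute list are this example's own assumptions; the sample entries and ACIs are constructed from the ones quoted above.

```python
# Added example (not the thread's, Fedora DS's or Sun's code); samples below are
# constructed from the entries and ACIs quoted in the thread.
import re

# Constructed sample: the thread's "default" profile plus a deliberately
# incomplete "broken" profile for the checker to catch.
SAMPLE_LDIF = """\
dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
cn: default
credentialLevel: proxy

dn: cn=broken,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com
cn: broken
"""
PROXY_DN = "cn=proxyagent,ou=profile,dc=example,dc=com"
DENY_ACI = ('(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||'
            'shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive'
            '||shadowExpire||shadowFlag||memberUid")(version 3.0; acl '
            'LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)')
PROXY_ACI_READ = ('(target="ldap:///dc=example,dc=com")(targetattr="userPassword")'
                  '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; '
                  'allow (compare,read,search) userdn = "ldap:///' + PROXY_DN + '";)')

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    folded continuation lines.  Base64 ('::') values are not decoded."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:
            cur[last][-1] += raw[1:]          # folded continuation line
        elif not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            name, _, value = raw.partition(":")
            last = name.strip().lower()
            cur.setdefault(last, []).append(value.lstrip())
    if cur:
        entries.append(cur)
    return entries

# Attributes every profile in the thread's samples carries; treating them as the
# minimum a usable DUAConfigProfile needs is this example's assumption.
PROFILE_REQUIRED = ("cn", "defaultserverlist", "defaultsearchbase",
                    "authenticationmethod", "credentiallevel")

def check_profiles(entries):
    """(dn, problem) tuples: no objectClass: top, or a profile lacking an attribute."""
    problems = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "top" not in classes:
            problems.append((dn, "missing objectClass: top"))
        if "duaconfigprofile" in classes:
            problems += [(dn, "profile lacks " + a) for a in PROFILE_REQUIRED if a not in e]
    return problems

ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\).*?;\s*(?P<effect>allow|deny)\s*'
    r'\((?P<perms>[^)]*)\)\s*userdn\s*=\s*"(?P<who>[^"]+)"', re.S)

def parse_aci(aci):
    """targetattr list, effect, permission set and userdn of a thread-style ACI."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI: " + aci)
    return {"attrs": [a.strip().lower() for a in m.group("attrs").split("||")],
            "effect": m.group("effect"),
            "perms": {p.strip().lower() for p in m.group("perms").split(",")},
            "who": m.group("who")}

def check_proxy_aci(aci, proxy_dn):
    """Proxy agent ACI: allow rule for the proxy DN on userPassword, without read."""
    p, problems = parse_aci(aci), []
    if p["effect"] != "allow" or p["who"] != "ldap:///" + proxy_dn:
        problems.append("not an allow rule for the proxy agent")
    if "userpassword" not in p["attrs"]:
        problems.append("does not target userPassword")
    if "read" in p["perms"]:
        problems.append("read granted: ldaplist -l passwd would list userPassword")
    return problems

def check_deny_self_write(aci):
    """Deny-self-write ACI: users must not rewrite the attributes deciding uid/gid."""
    p, problems = parse_aci(aci), []
    if p["effect"] != "deny" or p["who"] != "ldap:///self" or "write" not in p["perms"]:
        problems.append("does not deny write to self")
    problems += [a + " writable by self" for a in ("uid", "uidnumber", "gidnumber")
                 if a not in p["attrs"]]
    return problems

if __name__ == "__main__":
    for dn, why in check_profiles(parse_ldif(SAMPLE_LDIF)):
        print(dn, "->", why)
    print("deny-self-write ACI:", check_deny_self_write(DENY_ACI) or "ok")
    print("proxy ACI:", check_proxy_aci(PROXY_ACI_READ, PROXY_DN) or "ok")
```

To run it against a live server, feed the ldapsearch output for the ou=profile subtree to parse_ldif and the aci values of the suffix entry to the two ACI checks. The deny-self-write check is the one with the most at stake: a user who can write their own uidNumber or gidNumber decides which local identity every Solaris client maps that account to, which is why that ACL ships in DS5.2 by default.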