Thanks George and Rich for correcting me, now I understand why there
seems to be some "extra" stuff there in 99user.ldif like the many "aci:"
lines and so forth.

DUAConfigProfile.schema + solaris.schema != 99user.ldif
DUAConfigProfile.schema + solaris.schema ~= 61duaconfigprofile.ldif + 61solaris.ldif

Rgds
Gary

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com on behalf of Rich Megginson
Sent: Sat 7/16/2005 2:08 AM
To: General discussion list for the Fedora Directory server project.
Cc:
Subject: Re: Solaris Native LDAP Client against FDS7.1Server

George Holbert wrote:

>> So if there is an existing Solaris8/9 DS5.2 server, simply copy
>> 99user.ldif from DS5.2 over to FDS7.1.
>
> One caution about this: 99user.ldif stores ALL schema changes you
> make to the directory server via ldapmodify. This is not necessarily
> just DUAConfigProfile and other Solaris client schema updates.
>
>> DUAConfigProfile.schema + solaris.schema = 99user.ldif
>
> This is true if you install a fresh SunDS 5.2 or FDS 7.1 directory
> server, and then add the schema changes in DUAConfigProfile.schema and
> solaris.schema via ldapmodify. Sun's favorite way of making these
> changes is the Solaris script: /usr/lib/ldap/idsconfig

Right. So you could just use this script
http://www.directory.fedora.redhat.com/download/ol-schema-migrate.pl
and do

perl ol-schema-migrate.pl DUAConfigProfile.schema > slapd-foo/config/schema/61duaconfigprofile.ldif

and

perl ol-schema-migrate.pl solaris.schema > slapd-foo/config/schema/61solaris.ldif

> Tay, Gary wrote:
>
>> IIRC the two .schema files in my OpenLDAP HOW-TO are actually equivalent
>> to the 99user.ldif (residing in
>> $LDAP_ROOT/slapd-`hostname`/config/schema) file provided by SUN ONE
>> DS5.2, i.e.
>>
>> DUAConfigProfile.schema + solaris.schema = 99user.ldif.
>>
>> So if there is an existing Solaris8/9 DS5.2 server, simply copy
>> 99user.ldif from DS5.2 over to FDS7.1.
>>
>> Someone who is using Oracle Internet Directory had asked me in
>> supportforum.sun.com how to configure Solaris Native LDAP Client to
>> authenticate against OID. I had some brief instructions given there; I
>> reproduced and modified them a bit as quick notes here.
>>
>> PLEASE NOTE that I haven't tried these steps but believe it should work
>> as FDS7.1 is similar to DS5.2; anyone who has tried these, please feel
>> free to comment and add.
>>
>> ===
>> To make Solaris Native LDAP Clients (Solaris8 or Solaris9) work
>> against an FDS7.1 Server, you would have to do a little hacking to make
>> the FDS7.1 Server act like a SUN DS5.2 ldapclient profile(s) provider,
>> as described in the following notes:
>>
>> - Add "nisDomain" to the rootDN object (eg: object is dc=example,dc=com)
>> so that "ldapclient" will be able to find this nisDomainObject, using
>> ldapmodify or GUI based tools.
>>
>> objectClass: nisDomainObject
>> nisDomain: example.com
>>
>> - Copy schema 99user.ldif from DS5.2 to FDS7.1
>>
>> - Create ou=profile OU object and add cn=ProxyAgent as a proxy
>> credentials proxy user under it
>>
>> - Create "default" or "customized" ldapclient profile(s) under the
>> ou=profile subtree for simple bind or simple bind + TLS or whatever,
>> using a manually prepared ldif file or ldif generated by the "ldapclient
>> genprofile" command; read "man ldapclient" for more details.
>>
>> - Set up two ACLs under the dc=example,dc=com object. ACL1 should appear
>> before ACL2; they are actually present in any typical SUN ONE DS5.2.
>>
>> 1. LDAP_Naming_Services_deny_write_access
>>
>> (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||
>> shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||
>> shadowExpire||shadowFlag||memberUid")(version 3.0; acl
>> LDAP_Naming_Services_deny_write_access; deny (write) userdn =
>> "ldap:///self";)
>>
>> 2. LDAP_Naming_Services_proxy_password_read
>>
>> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version
>> 3.0; acl LDAP_Naming_Services_proxy_password_read; allow
>> (compare,read,search) userdn =
>> "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
>>
>> Tips: delete the word "read" if you do not want "ldaplist -l passwd" to
>> list userPassword(s), i.e. it becomes:
>>
>> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version
>> 3.0; acl LDAP_Naming_Services_proxy_password_read; allow
>> (compare,search) userdn =
>> "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
>>
>> - It is advisable to set the password hash scheme to CRYPT in FDS7.1.
>>
>> - It is advisable to add the "shadowAccount" objectclass to your user
>> entries, on top of "posixAccount".
>>
>> - Note that Solaris "ldapclient" has an irritating behaviour: it will
>> reset the "hosts:" entry to "hosts: files ldap" or something that puts
>> "ldap" in front of "dns". This should be adjusted back to "hosts: files
>> dns", otherwise something like telnet/ftp/ssh will break on hostname
>> lookup as the hosts lookup using "ldap" goes recursive.
>>
>> Rgds
>> Gary
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
>> Megginson
>> Sent: Friday, July 15, 2005 3:21 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: Solaris Client
>>
>> Brian Martinez wrote:
>>
>>> George,
>>>
>>> That is correct, we are attempting to use the FDS7 as a central
>>> authentication system for Solaris 10 NSS Clients with a PAM backend.
>>>
>>> We believe that we are missing the proper schemas on the server
>>> (DUAConfigProfile and Solaris) to support the Solaris Clients. The
>>> ones on Tay's website seem to be in the wrong format (schema instead
>>> of ldif)...or we just don't know how to import them!
>>
>> You can use this script
>> http://www.directory.fedora.redhat.com/download/ol-schema-migrate.pl
>> found on this page
>> http://directory.fedora.redhat.com/wiki/Howto:OpenLDAPMigration
>> to convert .schema files to .ldif schema files. e.g.
>>
>> perl ol-schema-migrate.pl solaris.schema > slapd-myhost/config/schema/61solaris.ldif
>>
>> Then restart slapd
>>
>>> We have been scrounging his site for clues/ideas...developers on the
>>> client side are convinced the server is the issue...developers on
>>> the server side believe it is the client. My take is that we
>>> already have the server "most" of the way, because we are successfully
>>> authenticating Linux clients securely to the FDS7 server and we are
>>> missing some essential piece on the server side to solve the Solaris
>>> puzzle.
>>>
>>> If you have any further thoughts, ideas, or prayers...feel free to
>>> send them our way.
>>>
>>>> From: "George Holbert" <gholbert at broadcom.com>
>>>> Reply-To: "General discussion list for the Fedora Directory server
>>>> project." <fedora-directory-users at redhat.com>
>>>> To: "General discussion list for the Fedora Directory server
>>>> project." <fedora-directory-users at redhat.com>
>>>> Subject: Re: Solaris Client
>>>> Date: Thu, 14 Jul 2005 11:08:06 -0700
>>>>
>>>> Hi Brian,
>>>>
>>>> By "Solaris Clients", I assume you mean Solaris naming service (for
>>>> passwd, group, etc.).
>>>>
>>>> The answer is yes. Any modern, properly configured LDAP server,
>>>> including Fedora DS, can support Solaris naming service. However,
>>>> getting the server "properly configured" can be tricky.
>>>>
>>>> However, since Sun's own directory server ("Sun Java Enterprise
>>>> System Directory Server") is so very similar to Fedora DS, much of
>>>> the same preparation methods and documentation regarding SunDS will
>>>> apply directly to Fedora DS.
>>>>
>>>> A good starting point would be Gary Tay's fine documentation at:
>>>> http://web.singnet.com.sg/~garyttt/
>>>>
>>>> Gary's docs were written around iPlanet/Sun DS, but as I mentioned,
>>>> pretty much all of this should also apply to Fedora DS.
>>>>
>>>> Good luck!
>>>> -- George
>>>>
>>>> Brian Martinez wrote:
>>>>
>>>>> All,
>>>>>
>>>>> Does the Fedora DS support Solaris Clients? If so, where can I find
>>>>> information, schema examples, etc....
>>>>>
>>>>> Thanks in advance,
>>>>> Brian
>>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
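The two ACIs in Gary's notes, and the tip about dropping "read" from ACL2, are the points a defender would want to audit on the FDS side: the proxy agent needs compare on userPassword for simple-bind authentication to work, but read lets it list the stored values, as the tip notes. The following Python checker is an added example (not code from this thread or from Fedora DS): it parses ACIs in that v3 syntax with a deliberately minimal parser and flags allow rules that grant read on userPassword to any subject other than self, using the thread's own two ACIs as constructed sample input.

```python
import re

# Constructed sample ACIs, copied from the thread: ACL1 (deny self write) and
# ACL2 as posted, which lets the proxy agent read userPassword.
DENY_WRITE_ACI = (
    '(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange'
    '||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag'
    '||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access; '
    'deny (write) userdn = "ldap:///self";)'
)
PROXY_READ_ACI = (
    '(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; '
    'acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) '
    'userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)'
)

# Permission clause of a v3 ACI; the acl name may be bare (as in the thread) or quoted.
ACI_RE = re.compile(
    r'\(version\s+3\.0\s*;\s*acl\s+"?(?P<name>[^";]+?)"?\s*;\s*'
    r'(?P<type>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<subject>.*?)\s*;\s*\)\s*$', re.S)
TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)')

def parse_aci(aci):
    """Parse one ACI into a dict (minimal parser, not the full DS ACI grammar)."""
    aci = " ".join(aci.split())  # rejoin lines wrapped by a mail client
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI: %r" % aci)
    ta = TARGETATTR_RE.search(aci)
    attrs = [a.strip().lower() for a in ta.group(1).split("||")] if ta else ["*"]
    rights = {r.strip().lower() for r in m.group("rights").split(",") if r.strip()}
    return {"name": m.group("name").strip(), "type": m.group("type"),
            "attrs": attrs, "rights": rights, "subject": m.group("subject").strip()}

def grants(aci, attr, right):
    """True if an 'allow' ACI covers attr with the given right ('all' covers any)."""
    if aci["type"] != "allow":
        return False
    covered = "*" in aci["attrs"] or attr.lower() in aci["attrs"]
    return covered and (right in aci["rights"] or "all" in aci["rights"])

def exposes_password_hashes(acis):
    """Names of ACIs that let a subject other than self read userPassword values."""
    flagged = []
    for raw in acis:
        a = parse_aci(raw)
        subject = re.sub(r"\s*=\s*", "=", a["subject"]).lower()
        if grants(a, "userPassword", "read") and subject != 'userdn="ldap:///self"':
            flagged.append(a["name"])
    return flagged
```

Feeding it the ACL2 variant with "read" removed, as the tip suggests, returns an empty list while compare and search for the proxy agent still pass.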