Configuring Solaris Native LDAP Client for Fedora Directory Server (SimpleBind)
(See also related documents at http://web.singnet.com.sg/~garyttt/)
History of Updates:
26-Aug-2005, first draft.
Purpose:
This document describes the steps involved in configuring a SUN Solaris8/9 Native LDAP Client to work against RedHat/Fedora Directory Server (FDS 7.1) using "simple bind authentication" on Solaris8/9.
Fedora Directory Server is the OpenSource version (without support) of the commercial RedHat Directory Server. It was previously called Netscape Directory Server 7.1 before the product was bought over by RedHat, so it is not a surprise that FDS/RDS (or NDS 7.1) and SUN ONE Directory Server 5.2 (which is said to be based on NDS 6.X) share many similarities.
Please visit the following URLs for more information.
Home:
http://directory.fedora.redhat.com/wiki/Main_Page
Features:
http://directory.fedora.redhat.com/wiki/Features
FAQ:
http://directory.fedora.redhat.com/wiki/FAQ
Download:
http://directory.fedora.redhat.com/wiki/Download
Commercial Support is NOT FREE; however, the following web sites provide FREE issue reporting and discussions for LDAP directory server products. The first one is FDS specific.
https://www.redhat.com/mailman/listinfo/fedora-directory-users
http://lists.fini.net/mailman/listinfo/ldap-interop
http://supportforum.sun.com
http://www.ldapguru.com
http://www.dbforums.com (comp.unix.solaris)
GUI Based LDAP account management and data export tools other than
· LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/
· JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/ (can do SSL connection)
· Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html
· Other LDAP GUI based Tools: http://www.ldapguru.com (check the Top Download links and so on)
· LDAP Exporter: http://www.novell.com/coolsolutions/tools/14287.html (export LDAP data to csv format)
Example used:
· RedHat EL4 MASTER LDAP Server: ldap1.example.com, 192.168.1.168
· Solaris8 LDAP Client: client2.example.com, 192.168.1.198
· Solaris9 LDAP Client: client3.example.com, 192.168.1.208
Assumptions: A Fedora Directory Server has been installed with sample data (ou=People and ou=Groups, some sample Groups entries), and its "slapd" and admin server have been successfully started.
Preparation Steps:
Please ensure that the IP addresses of the LDAP Server(s) are defined in DNS and/or /etc/hosts.
Please ensure that the LDAP domain example.com is defined in /etc/resolv.conf. In the case of Solaris LDAP clients and servers, /etc/defaultdomain should contain "example.com" as the LDAP domain; "domainname `cat /etc/defaultdomain`" could be run to change the domainname with immediate effect.
Please also complete these VERY ESSENTIAL Preparation Steps:
P1) For the Solaris8 client, the latest kernel patch and LDAP patch 108993 must be applied.
P2) For the Solaris9 client, the latest kernel patch and LDAP patch 112960 must be applied.
Please refer to the Appendix for a useful script to check multiple patches; modify it to suit your needs.
P3) At the FDS7.1 Server, copy 61DUAConfigProfile.ldif (see Appendix) to the $FDS7_ROOT/slapd-`hostname`/config/schema directory, and restart FDS to activate this customized schema.
P4) Change the default password storage scheme in Fedora Management Console: open the directory server, click the Directory TAB, click "config (XXX acis)", right click and edit its properties, and change "passwordStorageScheme" from the default "SSHA" to "CRYPT". This is to facilitate the migration of UNIX /etc/shadow and NIS CRYPTed passwords into the LDAP DIT.
P5) Add TWO Access Control Instructions (ACIs) to the rootDN in Fedora Management Console: click "dc=example,dc=com", click "Set Access Permissions", and add new entries by copying and pasting the following.
(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
and
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
Step 1: Populate the directory server with People, group, proxyAgent and profile data
This step is for the LDAP Server; it is intended to add some testing users/groups, and to add DUAConfigProfile based LDAP profiles for the subsequent Solaris LDAP Client "initialization".
Prepare People.ldif and group.ldif and add them into the directory data. You may also manually add directory data using Fedora Management Console.
Note that as the FDS default installation does not create an "ou=group", which is more commonly used for group data than "ou=Groups" when setting up a UNIX name service, the group.ldif should take care of ou=group creation.
Tips 1: When you use Fedora Management Console to add a "People" entry, remember to check the "posix" user (posixAccount) option, so that uidNumber and gidNumber can be entered.
Tips 2: Use the $FDS7_ROOT/slapd-`hostname`/getpwenc command to find the encrypted format of an LDAP userPassword.
# cd /opt/fedora-ds/slapd-ldap1
# ./getpwenc CRYPT
testpassword
{crypt}GFOZa/ZLlDdng
A sample People.ldif with only two entries is shown here
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Gary Tay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
A sample group.ldif with only one entry is shown here
dn: ou=group,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: group

dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser
A sample proxyAgent_and_profile.ldif containing ou=profile, proxyAgent and a "default" (using the simple bind authentication method) DUAConfigProfile based profile is shown below:
dn: ou=profile,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: profile

dn: cn=proxyAgent,ou=profile,dc=example,dc=com
objectClass: top
objectClass: person
cn: proxyAgent
sn: proxyAgent
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 192.168.1.168
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f People.ldif
# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f group.ldif
# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f proxyAgent_and_profile.ldif
For massive import of People and group entries, you may use the "/usr/sbin/ldapaddent" command (see "man ldapaddent" for more details), or you may use PADL's MigrationTools.
http://www.padl.com/OSS/MigrationTools.html
Examples of ldapaddent are listed below. Note the sequence: passwd DB first, then shadow. Note also the use of "-p" to create the userPassword attribute, and that the CRYPT password is only added when the DB is shadow.
# cat test.txt
test9991:x:9991:102:test9991:/var/tmp:/bin/sh
# ldapaddent -v -f test.txt -D "cn=Directory Manager" -p passwd
Enter password:
SERVICE = passwd
Adding entry : test9991
1 entries added
# cat tests.txt
test9991:ElnMr/iU805dA:12881::::::
# ldapaddent -v -f tests.txt -D "cn=Directory Manager" shadow
Enter password:
SERVICE = shadow
Adding entry : test9991
1 entries added
#
IMPORTANT NOTE ABOUT LDIF IMPORT FILES:
When you copy and paste the content of People.ldif and group.ldif, or any other .ldif files from this document, to prepare an LDAP data import with the ldapadd command, please make sure that ALL LEADING AND TRAILING SPACES on every line of the .ldif files are removed, or else the "ldapadd" command will throw errors.
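As an added example (not code from the original document), the following Python script strips the leading and trailing spaces that break ldapadd, parses the cleaned LDIF, and checks the entries for what the Solaris client will need: the attributes required by posixAccount/posixGroup, a uidNumber reused across entries, and a userPassword scheme other than the CRYPT chosen in step P4. The LDIF it works on is a constructed sample in the shape of People.ldif and group.ldif with mistakes planted on purpose; the function names are the example's own.

```python
"""Clean and sanity-check LDIF before it goes to ldapadd.

Added example, not code from the original document. normalize_ldif() removes
the leading/trailing spaces that make ldapadd fail (a leading space is an
LDIF continuation line, a trailing space becomes part of the value);
check_entries() then looks for the attributes the Solaris client will need.
SAMPLE_LDIF is a constructed sample shaped like People.ldif and group.ldif,
with mistakes planted on purpose (a reused uidNumber, a {SHA} hash, a
posixGroup without gidNumber).
"""
import base64
import re

SAMPLE_LDIF = (
    "  dn: uid=gtay, ou=People, dc=example,dc=com   \n"   # stray blanks
    "objectClass: top\n"
    "objectClass: posixAccount\n"
    "objectClass: shadowAccount\n"
    "uid: gtay\n"
    "cn: Gary Tay\n"
    "uidNumber: 6167\n"
    "gidNumber: 102\n"
    "homeDirectory: /home/gtay\n"
    "loginShell: /bin/bash\n"
    "userPassword: {CRYPT}U8bo2twhJ9Kkg\n"
    "\n"
    "dn: uid=tuser, ou=People, dc=example,dc=com\n"
    "objectClass: top\n"
    "objectClass: posixAccount\n"
    "uid: tuser\n"
    "cn: Test User\n"
    "uidNumber: 6167\n"                                   # planted: same as gtay
    "gidNumber: 102\n"
    "homeDirectory: /home/tuser\n"
    "userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=\n"   # planted: not CRYPT
    "\n"
    "dn: cn=Users,ou=group,dc=example,dc=com\n"
    "objectClass: top\n"
    "objectClass: posixGroup\n"
    "cn: Users\n"
    "memberUid: gtay\n"
    "memberUid: tuser\n"                                  # planted: no gidNumber
)

# MUST attributes of the RFC 2307 classes used on this page, plus the
# DUAConfigProfile class from 61DUAConfigProfile.ldif (names lower-cased).
REQUIRED = {
    "posixaccount": ("uid", "cn", "uidnumber", "gidnumber", "homedirectory"),
    "shadowaccount": ("uid",),
    "posixgroup": ("cn", "gidnumber"),
    "duaconfigprofile": ("cn",),
}
EXPECTED_PW_SCHEME = "CRYPT"   # passwordStorageScheme chosen in step P4

LINE_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$")


def normalize_ldif(text):
    """Strip leading and trailing blanks from every line."""
    return "\n".join(line.strip() for line in text.splitlines()) + "\n"


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attr -> [values]."""
    entries, current = [], {}
    for line in normalize_ldif(text).splitlines():
        if not line:                       # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":                    # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_entries(entries):
    """Return a list of problem strings; an empty list means the LDIF looks sane."""
    problems, uidnumber_owner = [], {}
    for e in entries:
        if "dn" not in e:
            problems.append("entry without dn")
            continue
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        for oc in sorted(classes & set(REQUIRED)):
            for attr in REQUIRED[oc]:
                if attr not in e:
                    problems.append("%s: missing %s (required by %s)" % (dn, attr, oc))
        for n in e.get("uidnumber", []):
            if n in uidnumber_owner:
                problems.append("%s: uidNumber %s already used by %s" % (dn, n, uidnumber_owner[n]))
            else:
                uidnumber_owner[n] = dn
        for pw in e.get("userpassword", []):
            m = re.match(r"^\{([A-Za-z0-9]+)\}", pw)
            scheme = m.group(1).upper() if m else "cleartext"
            if scheme != EXPECTED_PW_SCHEME:
                problems.append("%s: userPassword scheme %s, expected %s"
                                % (dn, scheme, EXPECTED_PW_SCHEME))
    return problems


if __name__ == "__main__":
    for problem in check_entries(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```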
Try to list the LDAP content at the Solaris client by binding "anonymous"ly (without the "-D" option); note that userPassword never gets listed due to the ACI we have set at the server end.
# /usr/bin/ldapsearch -h ldap1.example.com -b "dc=example,dc=com" -L "objectclass=*"
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
objectClass: nisDomainObject
nisDomain: example.com

dn: cn=Directory Administrators, dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators

dn: ou=Groups, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

dn: ou=People, dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries

dn: cn=HR Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries

dn: cn=QA Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries

dn: cn=PD Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries

dn: ou=group,dc=example,dc=com
ou: group
objectClass: top
objectClass: organizationalUnit

dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 192.168.1.168
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
serviceSearchDescriptor: passwd:ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group:ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow:ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup:ou=netgroup,dc=example,dc=com?one
bindTimeLimit: 10

dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay

dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser

dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
memberUid: gtay
memberUid: tuser
Congratulations!!! You have populated an LDAP server that is capable of answering name service (uid) lookup requests from any LDAP Client.
Step 2: Configure Solaris Native LDAP Client (SUN Native LDAP libraries)
This step is for Solaris8 and Solaris9 Native LDAP Clients.
Assuming client2.example.com and client3.example.com are Solaris8 and Solaris9 Native LDAP Clients respectively.
Please note that for the Solaris8 LDAP Client, the latest kernel patch and LDAP VERSION 2 Patch 108993-XX must be applied; for the Solaris9 LDAP Client, the latest kernel patch and LDAP Patch 112960-XX must be applied.
Log in to client2 or client3 as "root".
There are two files, /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred; the first contains all parameters and the second the password of "proxyAgent".
To generate them for the Solaris8 LDAP Client, as root run ldapclient_init_defaultprofile_sol8.sh
Content of ldapclient_init_defaultprofile_sol8.sh:
#!/bin/sh
/usr/sbin/ldapclient -v -i -a simple -b dc=example,dc=com -c proxy \
-D cn=proxyAgent,ou=profile,dc=example,dc=com -w password \
-S "passwd: ou=People,dc=example,dc=com?one" \
-S "shadow: ou=People,dc=example,dc=com?one" \
-S "group: ou=group,dc=example,dc=com?one" \
-S "netgroup: ou=netgroup,dc=example,dc=com?one" \
192.168.1.168
echo ...
echo As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
echo 'which contains a bug in "hosts:" entry, we need to repair it'
# Rewrite the hosts: line to "files dns" and add a shadow: line after passwd:
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
-e '/^passwd:/a\
shadow: files ldap' \
/etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
echo ...
echo Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
echo Done.
# ./ldapclient_init_defaultprofile_sol8.sh
Arguments parsed:
domainName: example.com
proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
profileName: tls_profile
proxyPassword: password
defaultServerList: 192.168.1.168
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"
rootDN[0] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
autofs not running
ldap not running
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/etc/.rootkey)=-1
file_backup: No /etc/.rootkey file.
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
...
As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
which contains a bug in "hosts:" entry, we need to repair it
...
Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
...
Done.
To generate them for the Solaris9 LDAP Client, as root run "ldapclient_init_defaultprofile_sol9.sh"
Content of ldapclient_init_defaultprofile_sol9.sh:
#!/bin/sh
/usr/sbin/ldapclient -v init \
-a profileName=default \
-a domainName=example.com \
-a proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com \
-a proxyPassword=password 192.168.1.168
# As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
# which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
-e '/^passwd:/a\
shadow: files ldap' \
/etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
# Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
# ./ldapclient_init_defaultprofile_sol9.sh
Parsing profileName=default
Parsing domainName=example.com
Parsing proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com
Parsing proxyPassword=password
Arguments parsed:
domainName: example.com
proxyDN: cn=proxyagent,ou=profile, dc=example,dc=com
profileName: default
proxyPassword: password
defaultServerList: 192.168.1.168
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain= example.com))"
rootDN[0] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile, dc=example,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 1
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
ldap not running
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
#
Now that /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred are generated, do take a look at their contents.
Content of /var/ldap/ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.1.168
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
Content of /var/ldap/ldap_client_cred:
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
(Tips: see the Appendix for a script called cr_proxyAgent_pw_in_NS1_format.sh to find out the {NS1} formatted password of proxyAgent; this script can only be run on Solaris8)
Check and change the file permissions of BOTH ldap_client_file and ldap_client_cred if needed. Note that the {NS1} value in ldap_client_cred is only an obfuscation, not a one-way hash: the client must recover the cleartext proxyAgent password to perform the simple bind, so the file must not be readable by ordinary users.
# cd /var/ldap
# chmod 400 ldap_client_file ldap_client_cred
Edit /etc/nsswitch.conf and make sure that these lines exist:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
Now try refreshing ldap_cachemgr and nscd
# /etc/init.d/ldap.client stop
# /etc/init.d/ldap.client start
# ps -ef | grep ldap
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
# ps -ef | grep nscd
Make sure also that ldap1.example.com is defined in BOTH the "/etc/hosts" file and DNS, and that "hosts: files dns" instead of "hosts: files ldap" is defined in /etc/nsswitch.conf. If "hosts: files ldap" is used, there will be error messages during login, i.e. "unknown host or invalid literal address".
To test the name service, on top of using "id" and "getent", there is also the "ldaplist" command
# /usr/lib/ldap/ldap_cachemgr -g
# id tuser
uid=9999(tuser) gid=102(Users)
# getent passwd tuser
tuser::9999:102::/home/tuser:/bin/bash
# ldaplist -l passwd tuser
dn: uid=tuser,ou=People,dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
Tips 1: If there is a problem looking up the LDAP entries, try to look for errors in /var/adm/messages and/or /var/log/syslog. The LDAP Server log files are also a good source to pick up clues.
Tips 2: How could we prevent "userPassword" from being listed by "ldaplist -l" or "ldapaddent -d"?
In Fedora Management Console, open Directory Server, select the defaultSearchBase, i.e. dc=example,dc=com, and edit one of the listed ACIs, which is usually named "LDAP_Naming_Services_proxy_password_read":
Change it.
From:
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
To:
(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
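As an added example (not part of the original document), the Python script below parses the ACIs from step P5 and from this tip, and audits them the way an administrator would before and after the change: it reports any ACI that lets the proxy agent do more than compare and search on userPassword (the "read" right is what makes ldaplist -l print the hash), and reports if no ACI denies self-write on the naming-service attributes. The three ACI strings are copied from this page; the parser and function names are the example's own.

```python
"""Audit the naming-service ACIs from step P5 and the change in Tips 2.

Added example, not part of the original document. parse_aci() handles the
Directory Server ACI shape used on this page:
  (target="...")(targetattr="a||b")(version 3.0; acl NAME; allow|deny (RIGHTS) userdn = "...";)
audit_acis() flags (1) an allow on userPassword with rights beyond the
compare,search the page grants and (2) a missing self deny-write ACI.
"""
import re

# Copied from step P5 (first ACI) and from Tips 2 (the "From" and "To" versions).
DENY_SELF_WRITE = ('(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||'
                   'shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||'
                   'shadowExpire||shadowFlag||memberUid")(version 3.0; acl '
                   'LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)')
PROXY_READ_BEFORE = ('(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version '
                     '3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) '
                     'userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)')
PROXY_READ_AFTER = ('(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version '
                    '3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) '
                    'userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)')

ACI_RE = re.compile(
    r'^(?:\(target\s*=\s*"(?P<target>[^"]*)"\))?'
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version\s*3\.0;\s*acl\s+(?P<name>[^;]+);\s*'
    r'(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]*)"\s*;\s*\)$')

# The page's ACI grants only compare and search on userPassword; "read" on
# top of that returns the hash to anything that binds as the proxy agent.
PASSWORD_OK_RIGHTS = {"compare", "search"}
# Attributes a user must not be able to rewrite on their own entry (the
# page's deny list, lower-cased); userPassword itself is not in that list.
NAMING_ATTRS = {"uid", "uidnumber", "gidnumber", "homedirectory", "memberuid"}


def parse_aci(text):
    """Parse one ACI; newlines and repeated blanks (as pasted) are tolerated."""
    m = ACI_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unrecognised ACI: %s..." % text[:50])
    aci = m.groupdict()                      # target is None when absent
    aci["name"] = aci["name"].strip()
    aci["attrs"] = {a.strip().lower() for a in aci["attrs"].split("||")}
    aci["rights"] = {r.strip().lower() for r in aci["rights"].split(",")}
    return aci


def audit_acis(aci_texts):
    """Return a list of findings for the ACIs set on the suffix."""
    acis = [parse_aci(t) for t in aci_texts]
    findings = []
    for a in acis:
        if a["kind"] == "allow" and "userpassword" in a["attrs"]:
            extra = a["rights"] - PASSWORD_OK_RIGHTS
            if extra:
                findings.append("%s grants %s on userPassword to %s; allow only compare,search"
                                % (a["name"], ",".join(sorted(extra)), a["userdn"]))
    protected = any(a["kind"] == "deny" and "write" in a["rights"]
                    and a["userdn"] == "ldap:///self" and NAMING_ATTRS <= a["attrs"]
                    for a in acis)
    if not protected:
        findings.append("no ACI denies self write on the naming-service attributes")
    return findings


if __name__ == "__main__":
    print(audit_acis([DENY_SELF_WRITE, PROXY_READ_BEFORE]))   # one finding about "read"
    print(audit_acis([DENY_SELF_WRITE, PROXY_READ_AFTER]))    # []
```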
Congratulations!!! You have successfully configured a Solaris Native LDAP Client that is capable of querying the name service (uid) from the LDAP Server.
Appendix:
Appendix 1: Content of chk_patches_sjes_ds52.sh:
#! /bin/sh
#
# chk_patches_sjes_ds52.sh
#
# Gary Tay, 1-Apr-2005 written
#
# Pls customize the patches you are checking, use blank to separate
# multiple patch ids, eg: 5.9:112345 113456
#
# Pls refer to:
# http://docs.sun.com/source/817-7611/index.html#wp33336
#
#114677-08 SunOS 5.9: International Components for Unicode Patch
#117724-10 SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0
#115342-01 SunOS 5.9: Simple Authentication and Security Layer (2.01)
#115610-18 SunOS 5.9_sparc: Administration Server 5.2 patch
#115614-20 SunOS 5.9: Directory Server 5.2 patch
#117015-16 Patch for localized Solaris packages
#116837-02 LDAP CSDK - SUNWldk, SUNWldkx
#
# Solaris 8: (DS 5.2 Patch3 for the package version)
#115610 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (Adminserv)
#115614 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (DS)
#117722 SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0...
#118615 LDAP Java Development Kit 4.17 SunOS 5.8 5.9 _x86: genesis patch
#
# Solaris 8: LDAP-Client
#108993 LDAP-Client for Solaris 8 (phase II)
#108808 LDAP-Client for Solaris 8 (man-pages)
#
# And at your option for JES 114045
cat >/tmp/chk_patches$$.tmp <<EOF
5.8:108993 115610 115614 117722 118615 108808 114045
5.9:114677 117724 115342 115610 115614 117015 116837
EOF
SOLARIS_VER=`uname -r`
PATCH_IDS=`grep "$SOLARIS_VER" /tmp/chk_patches$$.tmp | cut -d: -f2`
for i in `echo $PATCH_IDS`
do
RESULT=`showrev -p | grep "^Patch: $i-"`
[ -n "$RESULT" ] && echo $RESULT
[ -z "$RESULT" ] && echo PATCH $i not found...
done
/bin/rm -f /tmp/chk_patches$$.tmp
Example of running chk_patches_sjes_ds52.sh:
# ./chk_patches_sjes_ds52.sh
Patch: 114677-08 Obsoletes: Requires: Incompatibles: Packages: SUNWicu, SUNWicux
Patch: 117724-10 Obsoletes: 115926-10 Requires: Incompatibles: Packages: SUNWtls, SUNWtlsx, SUNWpr, SUNWjss, SUNWprx
Patch: 115342-01 Obsoletes: Requires: Incompatibles: Packages: SUNWsasl, SUNWsaslx
Patch: 115610-17 Obsoletes: Requires: Incompatibles: Packages: SUNWasvc, SUNWasvu, SUNWasvr, SUNWasvcp
Patch: 115614-19 Obsoletes: 117907-02 Requires: 115610-17 Incompatibles: Packages: SUNWdsvr, SUNWdsvcp, SUNWdsvh, SUNWdsvhx, SUNWdsvu, SUNWdsvx, SUNWdsvpl
PATCH 117015 not found...
Patch: 116837-02 Obsoletes: Requires: Incompatibles: Packages: SUNWldk
#
Appendix 2: Troubleshooting LDAP Search issue in access log
(From Fedora Directory Server mail list archive)
Look in the access log on the FDS server for connections from that
workstation (grep on the IP of that workstation, or one of the user
id's that are trying to auth, etc). When you find it, grep out conn=xxx
(where xxx is the connection # from that IP) so you get the complete
connection from start to finish.
- Look at the BIND lines to see what that workstation is binding as.
- Look at the SRCH lines, to see what basedn and filter is being used.
- Look at the result line (right after the SRCH line) to see what the
results are (though you'll probably just see err=32, which is no such
object). If there are multiple SRCH lines, check each one.
- Check the ACI's set on your suffix - in console, click on the
Directory tab then right click on the top entry in your tree, and select
"set permissions" (something like that - doing this from memory). Make
sure the appropriate access is set.
You may have to look throughout your tree for aci's to be sure you find everything.
(ldapsearch -D cn=directory manager -w - ... -b "your basedn" "(aci=*)"
"aci" to find 'em all.)
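The following Python script is an added example (not part of the mailing-list post above) that automates the procedure it describes: find the conn=N connections opened from one client address, then follow each one through its BIND, SRCH and RESULT lines. The log lines are constructed samples in the Fedora Directory Server access-log format; the result-code names are the standard LDAP ones, and the hints map them back to the settings this document configures.

```python
"""Follow one client's connections through a Fedora Directory Server access log.

Added example, not from the mailing-list post above. SAMPLE_LOG is a
constructed sample in the access-log line format (conn=/op= fields): conn=12
is a proxy-agent lookup that succeeds, conn=13 is an anonymous search against
a base DN that does not exist (err=32, the case the post mentions).
"""
import re

SAMPLE_LOG = """\
[26/Aug/2005:10:00:01 +0800] conn=12 fd=64 slot=64 connection from 192.168.1.198 to 192.168.1.168
[26/Aug/2005:10:00:01 +0800] conn=12 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3
[26/Aug/2005:10:00:01 +0800] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=com"
[26/Aug/2005:10:00:02 +0800] conn=12 op=1 SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=tuser))" attrs="cn uid uidNumber gidNumber gecos homeDirectory loginShell"
[26/Aug/2005:10:00:02 +0800] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[26/Aug/2005:10:00:02 +0800] conn=12 op=2 UNBIND
[26/Aug/2005:10:00:02 +0800] conn=12 op=2 fd=64 closed - U1
[26/Aug/2005:10:01:00 +0800] conn=13 fd=65 slot=65 connection from 192.168.1.208 to 192.168.1.168
[26/Aug/2005:10:01:00 +0800] conn=13 op=0 BIND dn="" method=128 version=3
[26/Aug/2005:10:01:00 +0800] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[26/Aug/2005:10:01:01 +0800] conn=13 op=1 SRCH base="ou=people,dc=example,dc=org" scope=1 filter="(&(objectClass=posixAccount)(uid=tuser))" attrs=ALL
[26/Aug/2005:10:01:01 +0800] conn=13 op=1 RESULT err=32 tag=101 nentries=0 etime=0
"""

# Standard LDAP result codes and what each usually means for this setup.
ERR_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
             50: "insufficientAccessRights"}
HINTS = {
    32: "search base does not exist: check defaultSearchBase / serviceSearchDescriptor",
    49: "bind rejected: proxyagent password in ldap_client_cred does not match the directory",
    50: "access denied: check the ACIs set on the suffix (step P5)",
}

CONN_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^op=\d+ SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                     r'filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^op=\d+ RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<n>\d+)")


def conn_lines(log):
    """Yield (conn id, remainder of line) for each line carrying conn=N."""
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m:
            yield int(m.group("conn")), m.group("rest")


def connections_from(log, ip):
    """Connection ids opened from the given client address."""
    return [c for c, rest in conn_lines(log)
            if rest.startswith("fd=") and " connection from %s to " % ip in rest]


def summarize(log, conn):
    """Bind identity, and base/filter/result of every search on one connection."""
    summary = {"bind": None, "bind_err": None, "searches": []}
    pending = None            # operation still waiting for its RESULT line
    for c, rest in conn_lines(log):
        if c != conn:
            continue
        m = BIND_RE.match(rest)
        if m:
            summary["bind"] = m.group("dn") or "anonymous"
            pending = "bind"
            continue
        m = SRCH_RE.match(rest)
        if m:
            pending = {"base": m.group("base"), "scope": int(m.group("scope")),
                       "filter": m.group("filter")}
            continue
        m = RESULT_RE.match(rest)
        if m and pending is not None:
            err = int(m.group("err"))
            if pending == "bind":
                summary["bind_err"] = err
            else:
                pending.update(err=err, errname=ERR_NAMES.get(err, "err=%d" % err),
                               nentries=int(m.group("n")), hint=HINTS.get(err))
                summary["searches"].append(pending)
            pending = None
    return summary


def report(log, ip):
    """One line per connection and per search made from the given client."""
    lines = []
    for conn in connections_from(log, ip):
        s = summarize(log, conn)
        lines.append("conn=%d bind=%s (err=%s)" % (conn, s["bind"], s["bind_err"]))
        for q in s["searches"]:
            lines.append("  SRCH base=%s filter=%s -> %s, %d entries%s"
                         % (q["base"], q["filter"], q["errname"], q["nentries"],
                            "; " + q["hint"] if q["hint"] else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, "192.168.1.198") + report(SAMPLE_LOG, "192.168.1.208")))
```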
Appendix 3: Content of cr_proxyAgent_pw_in_NS1_format.sh (Solaris8 specific ldap_gen_profile command)
# cat cr_proxyAgent_pw_in_NS1_format.sh
/usr/sbin/ldap_gen_profile -P testprofile -b "dc=example,dc=com" \
-D "cn=proxyAgent,ou=profiLe,dc=example,dc=com" -w password \
192.168.1.168
# ./cr_proxyAgent_pw_in_NS1_format.sh
dn: cn=testprofile,ou=profile,dc=example,dc=com
SolarisBindDN: cn=proxyAgent,ou=profiLe,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisLDAPServers: 192.168.1.168
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: testprofile
SolarisBindTimeLimit: 30
ObjectClass: top
ObjectClass: SolarisNamingProfile
Appendix 4: Content of 61DUAConfigProfile.ldif:
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )
--- End-of-Doc ---