LDAP in Solaris 11-11-11
Does LDAP work in Solaris 11?
I am configuring a Solaris 11 system to connect with LDAP, but I am finding that the configuration file "nsswitch.conf" can't be edited; edits will be lost.
Can you help me set up the LDAP client on this system ("solaris11 x86 11-11-11")?
Our LDAP server is a Solaris 10 SPARC.
Thank you
I didn't have the problem in Solaris 11.11.11.
However, I have this problem in Solaris 11.11.11.1.
In Solaris 5.11 11.1
the LDAP client is in maintenance mode.
I disable the LDAP client,
enable it...
it still goes into maintenance mode.
I don't understand what is going on.
# svcs
STATE STIME FMRI
legacy_run 13:29:11 lrc:/etc/rc2_d/S40llc2
legacy_run 13:29:11 lrc:/etc/rc2_d/S47pppd
legacy_run 13:29:11 lrc:/etc/rc2_d/S81dodatadm_udaplt
legacy_run 13:29:11 lrc:/etc/rc2_d/S89PRESERVE
disabled 13:29:00 svc:/system/tsol-zones:default
online 13:28:51 svc:/system/early-manifest-import:default
online 13:28:51 svc:/system/svc/restarter:default
online 13:28:53 svc:/network/sctp/congestion-control:cubic
online 13:28:53 svc:/network/sctp/congestion-control:vegas
online 13:28:53 svc:/network/tcp/congestion-control:newreno
online 13:28:53 svc:/network/tcp/congestion-control:vegas
online 13:28:53 svc:/network/tcp/congestion-control:highspeed
online 13:28:53 svc:/network/tcp/congestion-control:cubic
online 13:28:53 svc:/network/sctp/congestion-control:newreno
online 13:28:53 svc:/network/sctp/congestion-control:highspeed
online 13:28:54 svc:/network/netcfg:default
online 13:28:54 svc:/network/tnctl:default
online 13:28:54 svc:/network/socket-config:default
online 13:28:54 svc:/network/smb:default
online 13:28:54 svc:/system/metainit:default
online 13:28:55 svc:/network/datalink-management:default
online 13:28:55 svc:/system/filesystem/root:default
online 13:28:55 svc:/system/resource-controls:default
online 13:28:55 svc:/system/scheduler:default
online 13:28:56 svc:/system/cryptosvc:default
online 13:28:56 svc:/network/ipsec/ipsecalgs:default
online 13:28:56 svc:/system/boot-archive:default
online 13:28:56 svc:/system/name-service/upgrade:default
online 13:28:58 svc:/network/ip-interface-management:default
online 13:28:58 svc:/network/loopback:default
online 13:28:58 svc:/network/ipmp:default
online 13:28:59 svc:/system/filesystem/usr:default
online 13:28:59 svc:/system/pfexec:default
online 13:28:59 svc:/system/device/local:default
online 13:28:59 svc:/system/devchassis:cleanstart
online 13:29:00 svc:/system/filesystem/minimal:default
online 13:29:00 svc:/system/vbiosd:default
online 13:29:00 svc:/system/metasync:default
online 13:29:00 svc:/system/logadm-upgrade:default
online 13:29:00 svc:/system/rmtmpfiles:default
online 13:29:00 svc:/system/pkgserv:default
online 13:29:00 svc:/network/uucp-lock-cleanup:default
online 13:29:00 svc:/system/security/security-extensions:default
online 13:29:00 svc:/system/rbac:default
online 13:29:00 svc:/system/hostid:default
online 13:29:00 svc:/system/environment:init
online 13:29:00 svc:/system/ca-certificates:default
online 13:29:00 svc:/system/utmp:default
online 13:29:00 svc:/system/resource-mgmt:default
online 13:29:00 svc:/system/filesystem/uvfs-instclean:default
online 13:29:00 svc:/system/zones-monitoring:default
online 13:29:00 svc:/application/opengl/ogl-select:default
online 13:29:00 svc:/application/desktop-cache/docbook-style-xsl-update:default
online 13:29:00 svc:/system/postrun:default
online 13:29:00 svc:/milestone/unconfig:default
online 13:29:00 svc:/milestone/config:default
online 13:29:00 svc:/application/desktop-cache/mime-types-cache:default
online 13:29:01 svc:/application/desktop-cache/pixbuf-loaders-installer:default
online 13:29:01 svc:/application/desktop-cache/input-method-cache:default
online 13:29:01 svc:/system/dbus:default
online 13:29:01 svc:/system/sysevent:default
online 13:29:01 svc:/application/desktop-cache/desktop-mime-cache:default
online 13:29:01 svc:/system/devfsadm:default
online 13:29:01 svc:/application/desktop-cache/gconf-cache:default
online 13:29:01 svc:/network/npiv_config:default
online 13:29:01 svc:/system/manifest-import:default
online 13:29:01 svc:/system/device/fc-fabric:default
online 13:29:01 svc:/system/rad:local
online 13:29:01 svc:/milestone/devices:default
online 13:29:01 svc:/system/coreadm:default
online 13:29:01 svc:/system/config-user:default
online 13:29:01 svc:/system/timezone:default
online 13:29:01 svc:/network/physical:upgrade
online 13:29:01 svc:/system/device/audio:default
online 13:29:01 svc:/network/location:upgrade
online 13:29:02 svc:/application/desktop-cache/docbook-dtds-update:default
online 13:29:03 svc:/application/desktop-cache/docbook-style-dsssl-update:default
online 13:29:03 svc:/system/keymap:default
online 13:29:04 svc:/network/physical:default
online 13:29:04 svc:/system/identity:node
online 13:29:05 svc:/system/picl:default
online 13:29:05 svc:/network/ipsec/policy:default
online 13:29:05 svc:/network/location:default
online 13:29:05 svc:/milestone/network:default
online 13:29:05 svc:/network/iptun:default
online 13:29:05 svc:/network/nis/domain:default
online 13:29:05 svc:/system/fcoe_initiator:default
online 13:29:05 svc:/network/dns/client:default
online 13:29:05 svc:/system/identity:domain
online 13:29:05 svc:/milestone/single-user:default
online 13:29:05 svc:/network/initial:default
online 13:29:05 svc:/network/nfs/fedfs-client:default
online 13:29:05 svc:/network/service:default
online 13:29:05 svc:/network/netmask:default
online 13:29:05 svc:/network/iscsi/initiator:default
online 13:29:06 svc:/system/auditset:default
online 13:29:06 svc:/system/filesystem/local:default
online 13:29:06 svc:/system/cron:default
online 13:29:06 svc:/system/boot-loader-update:default
online 13:29:06 svc:/system/filesystem/ufs/quota:default
online 13:29:07 svc:/network/shares:default
online 13:29:07 svc:/system/power:default
online 13:29:07 svc:/system/consolekit:default
online 13:29:08 svc:/system/boot-archive-update:default
online 13:29:09 svc:/application/desktop-cache/icon-cache:default
online 13:29:09 svc:/system/hal:default
online 13:29:09 svc:/network/rpc/bind:default
online 13:29:09 svc:/network/routing/ndp:default
online 13:29:09 svc:/system/filesystem/rmvolmgr:default
online 13:29:09 svc:/network/nfs/status:default
online 13:29:09 svc:/network/routing-setup:default
online 13:29:09 svc:/network/inetd:default
online 13:29:09 svc:/network/nfs/nlockmgr:default
online 13:29:10 svc:/application/font/fc-cache:default
online 13:29:10 svc:/network/rpc/gss:default
online 13:29:10 svc:/network/rpc/smserver:default
online 13:29:10 svc:/application/x11/xvnc-inetd:default
online 13:29:10 svc:/network/security/ktkt_warn:default
online 13:29:10 svc:/network/rpc/cde-ttdbserver:tcp
online 13:29:10 svc:/network/rpc/cde-calendar-manager:default
online 13:29:10 svc:/system/filesystem/autofs:default
online 13:29:10 svc:/application/cups/scheduler:default
online 13:29:10 svc:/system/dumpadm:default
online 13:29:10 svc:/network/ssh:default
online 13:29:10 svc:/milestone/self-assembly-complete:default
online 13:29:11 svc:/system/system-log:default
online 13:29:11 svc:/application/pkg/update:default
online 13:29:11 svc:/system/auditd:default
online 13:29:11 svc:/system/console-login:default
online 13:29:11 svc:/system/vtdaemon:default
online 13:29:11 svc:/system/console-login:vt4
online 13:29:11 svc:/system/console-login:vt3
online 13:29:11 svc:/system/console-login:vt2
online 13:29:11 svc:/system/console-login:vt6
online 13:29:11 svc:/system/console-login:vt5
online 13:29:11 svc:/milestone/multi-user:default
online 13:29:11 svc:/application/man-index:default
online 13:29:11 svc:/application/graphical-login/gdm:default
online 13:29:11 svc:/milestone/multi-user-server:default
online 13:29:11 svc:/system/intrd:default
online 13:29:11 svc:/system/zones:default
online 13:29:11 svc:/system/zones-install:default
online 13:29:12 svc:/application/stosreg:default
online 13:29:12 svc:/system/boot-config:default
online 13:29:15 svc:/system/fmd:default
online 13:29:15 svc:/system/fm/smtp-notify:default
online 13:29:16 svc:/system/fm/asr-notify:default
online 13:29:25 svc:/system/devchassis:daemon
online 13:29:32 svc:/network/ilomconfig-interconnect:default
online 13:29:32 svc:/system/ocm:default
online 13:29:41 svc:/system/console-reset:default
online 13:29:53 svc:/application/texinfo-update:default
online 13:58:19 svc:/system/name-service/switch:default
online 13:58:19 svc:/milestone/name-services:default
online 13:58:19 svc:/network/sendmail-client:default
online 13:58:19 svc:/network/smtp:sendmail
online 13:58:19 svc:/network/nfs/client:default
online 13:58:35 svc:/system/name-service/cache:default
maintenance 13:38:48 svc:/network/ldap/client:default
Edited by: 1502 on Dec 5, 2012 2:45 PM
Similar Messages
-
Problems setting up LDAP on Solaris 10.
When trying to set up LDAP on Solaris 10 I am asked for an LDAP profile and the address of the LDAP server. I know the address of the LDAP server, but what is the profile, and how do I set it up with Active Directory?
Hi,
The profile defines how the client will interact with the server. On a Solaris server, you set this file up with the /usr/lib/ldap/idsconfig command. On the client, you use ldapclient init -a profileName=xyz -a domainName=your.domain <server.ip.address.here:portno>; portno is not necessary if you are using port 389 on the server. I'm not sure how you duplicate the functionality of that file from a Windows server. Maybe if you look at the man page for idsconfig, it may help identify what needs to be done on the Windows server to create a profile the Solaris client can use. I went to MS TechNet and searched for "ldap server for solaris client". A lot of hits. Hope this helps.
John -
Sudo with LDAP NetGroups Solaris 10
Hi All,
Can someone describe the steps to configure sudoers to work with LDAP netgroups on Solaris 10?
I am using "sudo 1.7.2p6 " right now.
I am able to authenticate using the netgroups, but not able to use sudo.
Thanks,
DD
I have recently tested sudo 1.6.8p8 to be working with flat-file /etc/sudoers or LDAP sudo maps, together with netgroup and automount, on a Solaris Native LDAP Client against a DS5.2 server.
I assume you use the Solaris 8/9 Native LDAP Client, and assume netgroup LDAP maps have been working without sudo.
I read your other post about sudo and LDAP; I think you did not configure and build "sudo" with "--with-pam", right?
Can you provide the following details?
1) First 10 lines of "sudo -V", i.e. "sudo -V | head".
2) How do you configure "sudo" on the LDAP Client? i.e. ./configure options.
3) Did you use an old gcc version, e.g. the Solaris 9 built-in gcc 3.1, to compile sudo?
4) Content of /var/ldap/ldap_client_file.
5) Content of /etc/ldap.conf, you should have this file.
6) Sample ldif showing some sudoRole entries in LDAP
7) Can you perform these commands?
ldaplist -l sudoers
ldaplist -l sudoers root
ldaplist -l sudoers some_sudoRole
8) Content of /etc/pam.conf
9) Any other relevant details, like errors in /var/adm/messages.
Gary -
LDAP and Solaris Authorization.
Hi,
Need some help. Can we do authorization of users with LDAP using PAM on Solaris? I am aware that we can use netgroups with LDAP for restricting access, but is there any generic facility that can be used directly with PAM itself to restrict the users?
All ideas are appreciated.
Regards,
Abrar
I wonder if anyone has successfully compiled pam_listfile.so (part of Linux-PAM) on Solaris 8/9 and used it successfully in /etc/pam.conf as a means of authorization control?
===
# cat /usr/share/doc/pam-0.77/txts/README.pam_listfile
SUMMARY:
pam_listfile:
Checks a specified item against a list in a file.
Options:
* item=tty
* sense=allow (action to take if found in file,
if the item is NOT found in the file, then
the opposite action is requested)
* file=/the/file/to/get/the/list/from
* onerr=succeed (if something weird happens
such as unable to open the file, what to do?)
* apply=user
restrict the user class for which the restriction
apply. Note that with item=user this
does not make sense, but for item=tty
it has a meaning. (Cristian Gafton)
Also checks to make sure that the list file is a plain
file and not world writable.
- Elliot Lee <[email protected]>, Red Hat Software.
v0.9 August 16, 1996.
===
Gary -
LDAP native solaris 10 server - client
Hi,
Can someone give me a link or instructions on how to configure Solaris 10 to be a Native LDAP server? I also need a client that will run on Solaris 10.
I did follow PeterVG's post, but have tried so many times that I need to do a clean install and get it from scratch.
anyway, what i did:
on the server:
a. set domain, add hosts, install pkgs, and run directoryserver setup (it gives me a warning saying that I have an already-installed instance, but I keep on trying).
b. run idsconfig => this part goes without problem.
When I try to add a client with hostA.ldif as:
dn: cn=hou-sol-dev,ou=hosts,dc=qatestit,dc=com
changetype: add
cn: qates001
iphostnumber: 10.38.133.124
objectclass: top
objectclass: device
objectclass: ipHost
it gives me: ldap_add: No such object.
And of course, when I go to the client and try to run
ldapclient -v init ... with the server information, it fails with some old dc=domain (which I have changed later).
If anybody can help, I really appreciate it.
Thank you,
./antonio/.
I finally got it working. I think my problem was that I was copying and pasting the /etc/pam.conf from Gary's guide into the pam.conf file.
There were unseen carriage returns mucking things up. So following a combination of the two docs worked. Starting with:
http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
Then following the steps at "Authentication Option #1: LDAP PAM configuration " from this doc:
http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server
for the pam.conf, got things working.
Note: ensure that your user has the shadowAccount value set in the objectClass -
Issues with LDAP Server | Solaris 8
Hi All,
In my project we are using Solaris 8 as an LDAP server for authentication. Some folders' owner and group are assigned to an LDAP user by default. I think it should be root and others.
Please find the below example:
*8 drwxr-xr-x 42 gip_admin set_investors_author 3584 Jan 24 00:01 .
*8 drwxr-xr-x 42 gip_admin set_investors_author 3584 Jan 24 00:01 ..
6 -rw-rw-r-- 1 gip_admin ampm_retail_english_author 2062 Jan 22 14:03 archive
2 drwxr-xr-x 2 root nobody 512 Aug 6 2003 cdrom
2 drwx--l--- 3 gip_admin set_investors_author 512 Dec 9 07:33 data
2 drwxr-x--- 2 root other 512 Nov 12 16:20 data1
Can you please help me to solve this issue?
Thanks in advance,
Manju
Hi,
It is not mounted on NFS. It is local disk only.
It is a Solaris 8 server.
# ls -lan
drwxr-xr-x 18 0 0 1536 Dec 11 05:00 .
drwxr-xr-x 46 91550 94293 2560 Jan 11 10:37 ..
-rw-rw-rw- 1 0 1 524204 Aug 2 2006 110951-06.jar
drwxr-xr-x 2 0 1 512 Dec 11 05:01 Backup_files
-rw------- 1 0 1 17 Apr 22 2005 DBVERSION
drwxrwxr-x 2 101 2000 512 Oct 18 2004 DD
drwxr-xr-x 2 0 1 512 Sep 19 2006 J2SEPatch-13092006
#cat /etc/passwd
root:x:0:1:Super-User:/:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
basant:x:1001:10::/apps/basant:/bin/sh
tis:x:1003:1::/apps/tis/:/usr/bin/bash
ldap:x:1004:100::/home/ldap:/bin/sh
iwui:x:100001:60001:Interwoven TeamSite UI Daemons User:/apps/iw-home:/bin/sh
oracle:x:1002:101: Oracle user:/apps/oracle:/bin/sh
vadmin:x:100002:1::/apps/vadmin/:/bin/sh
sshd:x:100003:2003:sshd privsep:/var/empty:/bin/false
temp:x:111112:1::/home/temp:/bin/sh
verity:x:111113:1::/apps/verity/:/usr/bin/bash
test1:x:12312311:1::/home/test1:/bin/sh
hai:x:12312312:1::/home/hai:/bin/sh
#cat /etc/group
root::0:root,tomcat
other::1:bpeditor,lpg_admin,lpg_author,lpg_publisher
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
sysadmin::14:
nobody::60001:
noaccess::60002:
nogroup::65534:
iplanet::100:
dba::101:
sshd::2003:
apps::94356:
testa::12312323:
oat_users_test::12312325:
Thanks -
Hi All,
I have a very simple and short query: does Sun Directory come bundled with Solaris 10, or do we need to download it explicitly?
If we download it, is that a free version or do we need to procure it?
Thanks
Avninder
Hi Avninder,
No, it does not come with Solaris 10, nor does the current Solaris 10 license give you entitlement with support for it.
Please go and download it from www.sun.com/dsee
Etienne -
I set up iPlanet Directory Server on Solaris 9. The Solaris 9 client can get user account and automount data from LDAP, but Solaris 8 can't get automount data.
If I cd /test4, the error message is: permission denied.
How do I fix it, or get more information about it?
The following is the Solaris 8 setting:
Solaris 8 profile:
dn: cn=sun8,ou=profile,dc=test,dc=com,dc=tw
cn: sun8
ObjectClass: top
ObjectClass: SolarisNamingProfile
SolarisBindDN: cn=proxyagent,ou=profile,dc=test,dc=com,dc=tw
SolarisBindPassword: {NS1}c58916dc7d61179f7f
SolarisLDAPServers: 172.20.100.103
SolarisSearchBaseDN: dc=test,dc=com,dc=tw
SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
Solaris 9 profile :
dn: cn=sun9v1,ou=profile,dc=test,dc=com,dc=tw
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: 172.20.100.103
defaultSearchBase: dc=test,dc=com,dc=tw
authenticationMethod: simple
defaultSearchScope: one
searchTimeLimit: 30
cn: sun9v1
credentialLevel: proxy
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountKey=cn
attributeMap: automount:automountMapName=nisMapName
objectClassMap: automount:automount=nisObject
objectClassMap: automount:automountMap=nisMap
AutoMount Entry:
cn=/net,nisMapName=auto_master,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/net
nisMapEntry=-hosts -nosuid,nobrowse
nisMapName=auto_master
cn=/home,nisMapName=auto_master,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/home
nisMapEntry=auto_home -nobrowse
nisMapName=auto_master
cn=/xfn,nisMapName=auto_master,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/xfn
nisMapEntry=-xfn
nisMapName=auto_master
cn=/-,nisMapName=auto_master,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/-
nisMapEntry=auto_direct
nisMapName=auto_master
cn=/test4,nismapname=auto_direct,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/test4
nismapentry=sun1:/export/test
nismapname=auto_direct
I just checked my schema and I've also converted 'NisMapEntry' to lower case.
So when you do an 'ldaplist -l auto_home name' you get:
dn: cn=name,nismapname=auto_home,o=org
objectClass: top
objectClass: nisobject
nismapname: auto_home
nismapentry: server:/export/home/&
cn: name
You can see where it's failing by running automountd in debug mode:
/usr/lib/autofs/automountd -v -TT &
# cd /home/name
t1 LOOKUP REQUEST: Wed Sep 4 14:37:53 2002
t1 name=name[] map=auto_home opts= path=/home direct=0
t1 PUSH /etc/auto_home
t1 getmapent_ldap called
t1 getmapent_ldap: key=[ name ]
t1 ldap_match called
t1 ldap_match: key =[ name ]
t1 ldap_match: ldapkey =[ name ]
t1 ldap_match: searchfilter =[ (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name)) ]
t1 ldap_match: Requesting list for (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name))
t1 ldap_match: __ns_ldap_list OK
t1 getmapent_ldap: exiting ...
t1 POP /etc/auto_home
t1 mapline: server:/export/home/&
t1 do_lookup1: action=2 wildcard=FALSE error=0
t1 LOOKUP REPLY : status=0
t6 MOUNT REQUEST: Wed Sep 4 14:37:53 2002
t6 name=name[] map=auto_home opts= path=/home direct=0
t6 PUSH /etc/auto_home
t6 getmapent_ldap called
t6 getmapent_ldap: key=[ name ]
t6 ldap_match called
t6 ldap_match: key =[ name ]
t6 ldap_match: ldapkey =[ name ]
t6 ldap_match: searchfilter =[ (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name)) ]
t6 ldap_match: Requesting list for (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name))
t6 ldap_match: __ns_ldap_list OK
t6 getmapent_ldap: exiting ...
t6 POP /etc/auto_home
t6 mapline: server:/export/home/&
t6 do_mount1:
t6 (nfs,nfs) /home/name
server:/export/home/name penalty=0
t6 nfsmount: standard mount on /home/name :
t6 server:/export/home/name
t6 ping: server timeout=15 request vers=3 min=2
t6 pingnfs OK: nfs version=3
t6 nfsmount: Get mount version: request vers=3 min=3
t6 nfsmount: mount version=3
t6 mount server:/export/home/name /home/name ()
t6 mount server:/export/home/name dev=44c0006 rdev=0 OK
t6 MOUNT REPLY : status=0, AUTOFS_DONE -
Solaris 10 + Samba + LDAP/PAM?
Hi all,
I've got a long standing question that I need answered with relation to setup of Samba + LDAP on Solaris 10. Here is the general gist:
1. I've got a Solaris 10 host that is currently communicating with an OpenLDAP (OpenDirectory) master to provide user identity information. The Solaris 10 host simply acts as a place to have disk mounted via some large storage subsystems, which is then shared out via NFS to different places. Because I have used the ldapclient manual commands on the Solaris host, it understands UIDs and GUIDs from the OpenLDAP master.
2. I want to change things a little bit. What I'd like to do, is have samba sharing out disk/exports/shares from the Solaris 10 host, but use my OpenLDAP credentials for users to log into the system with
What I'd like to know how to do is set up Samba on my Solaris 10 (x86) host so that a client can connect to it using their credentials stored on the OpenLDAP host, access their home directory etc.
I don't think it will be too hard - as most of the work is done in terms of the LDAP binds. I have used the following binding technique to make the Solaris 10 host aware of the OpenLDAP directory:
ldapclient -v manual -a credentialLevel=anonymous -a defaultSearchBase=dc=od-master,dc=example,dc=com -a serviceSearchDescriptor=passwd:cn=users,dc=od-master,dc=example,dc=com -a attributeMap=passwd:gecos=cn -a serviceSearchDescriptor=group:cn=groups,dc=od-master,dc=example,dc=com 192.168.0.1
Because I've done this, I can now finger/id any UID or GUID that exists on the OpenLDAP host, and the Solaris host will know about it. The question is, how do I make Samba aware of such things, let alone configure it to do so? I want users on their Windows systems to simply be able to go to \\some.server.here.there\ and on their Mac OS X systems to smb://some.server.here.there with the credentials that are in the OpenLDAP master. There must be some simple way of telling Samba where to get credential information from, right?
Thanks for your time!
z
Update 2 is pretty old, especially if you are talking about ZFS. There have been a variety of problems fixed in ZFS since U2. If I were to just guess out of the blue, you might be running into the ZFS-eats-all-of-RAM bug.
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6505658
If this is the case, it won't be just the Samba server that's slow on the server. You should check this by doing an FTP after your Samba server slows down and seeing if you get fast throughput.
-r -
Hi,
Can anyone please help me with setting up an LDAP client for Solaris 7: guidelines, or any website or docs?
Thanking you,
Naren
Hi Mukherjee,
You can configure both Solaris 8 and 9 as LDAP clients to SunONE 5.2 installed on a Solaris 9 box. Make sure... I think you cannot configure the client on the same machine on which the directory server is installed.
No, my question is how to set up ldapclient on Solaris 6 and Solaris 7, as both do not support LDAP; Solaris 7 has no nsswitch.ldap, for example. Can you provide me details to configure Solaris 7 as an LDAP client?
PATEL -
Solaris 9 10 - pam.conf - LDAP - su - user login - DS 6.3.1
We are trying to configure our Solaris clients to use LDAP for authentication. We have modified the nsswitch.conf and pam.conf. The pam.conf looks like this:
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass debug
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth binding pam_unix_cred.so.1
dtlogin auth binding pam_unix_auth.so.1 server_policy
dtlogin auth required pam_ldap.so.1 use_first_pass debug
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1 use_first_pass debug
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1 use_first_pass debug
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth binding pam_unix_auth.so.1 server_policy
dtsession auth required pam_ldap.so.1 debug
other auth requisite pam_authtok_get.so.1 debug
other auth sufficient pam_dhkeys.so.1 debug
other auth binding pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
passwd auth required pam_passwd_auth.so.1 debug server_policy
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account binding pam_unix_account.so.1 server_policy
dtlogin account required pam_ldap.so.1 debug
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account required pam_unix_account.so.1 server_policy
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1 debug
ppp session required pam_unix_session.so.1
other session required pam_unix_session.so.1
other session required pam_mkhomedir.so.1 skel=/etc/skel umask=0022
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password sufficient pam_authtok_store.so.1 server_policy debug
other password required pam_ldap.so.1 debug
The issue we are having is that the DS is configured to force a password change after an administrator reset. If we change the lines:
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1 debug
to
other account binding pam_ldap.so.1 debug
other account required pam_unix_account.so.1 server_policy
we get the prompt to change the password. But at that point a non-root user cannot su to any other user.
Does anyone have any ideas? Also, we are trying to configure a Linux client to do the same thing, but can't get the system-auth file correct either.
Edited by: jason.hershcopf on Apr 2, 2009 6:32 PM
Hi Jason,
Wondering if you got an answer for this. I am having similar issues with LDAP on Solaris 10.
Any feedback will be of great help.
Thanks! -
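Added example, not from the thread: a small Python model of the pam.conf(4) control-flag rules, run over Jason's "other account" stack in both orders. The module outcomes are constructed (pam_ldap reporting that the directory requires a new password, every other module succeeding); it shows why a "binding" module that succeeds keeps the rest of the stack from ever being consulted, which is the difference the post observes between the two orders.

```python
"""Evaluator for Solaris pam.conf(4) control flags (requisite, required, binding,
sufficient, optional), run over the two 'other account' stacks from the post.
Module return codes are CONSTRUCTED for an LDAP account that an administrator
has just reset; the real pam_unix_account/pam_ldap decision logic is not modelled."""

SUCCESS = "PAM_SUCCESS"

# The 'other account' stack as posted, and the same stack with the
# pam_unix_account / pam_ldap lines swapped (the change described in the post).
ORIGINAL_PAM_CONF = """\
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1 debug
"""
SWAPPED_PAM_CONF = """\
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_ldap.so.1 debug
other account required pam_unix_account.so.1 server_policy
"""

# Constructed outcomes: pam_ldap reports that the directory demands a new
# password; every other module is satisfied with the account.
RESET_USER = {
    "pam_roles.so.1": SUCCESS,
    "pam_projects.so.1": SUCCESS,
    "pam_unix_account.so.1": SUCCESS,
    "pam_ldap.so.1": "PAM_NEW_AUTHTOK_REQD",
}


def parse_stack(pam_conf, service="other", facility="account"):
    """Return [(control_flag, module), ...] for one service/facility, in file order."""
    stack = []
    for line in pam_conf.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == service and fields[1] == facility:
            stack.append((fields[2], fields[3]))
    return stack


def run_stack(stack, results):
    """Apply pam.conf(4) control-flag rules; return (final_code, modules_consulted).

    requisite : failure returns immediately.
    required  : failure is recorded, processing continues.
    binding   : success with no earlier recorded failure returns SUCCESS at once
                and SKIPS the rest of the stack; failure is recorded, continue.
    sufficient: success with no earlier recorded failure returns SUCCESS at once;
                failure is treated like an optional failure.
    optional  : failure only matters if nothing else in the stack succeeded.
    """
    consulted, required_error, optional_error, any_success = [], None, None, False
    for flag, module in stack:
        code = results[module]
        consulted.append(module)
        ok = code == SUCCESS
        any_success = any_success or ok
        if flag == "requisite":
            if not ok:
                return (required_error or code), consulted
        elif flag == "required":
            if not ok and required_error is None:
                required_error = code
        elif flag == "binding":
            if ok and required_error is None:
                return SUCCESS, consulted
            if not ok and required_error is None:
                required_error = code
        elif flag == "sufficient":
            if ok and required_error is None:
                return SUCCESS, consulted
            if not ok and optional_error is None:
                optional_error = code
        elif flag == "optional":
            if not ok and optional_error is None:
                optional_error = code
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_error is not None:
        return required_error, consulted
    if not any_success and optional_error is not None:
        return optional_error, consulted
    return SUCCESS, consulted


def compare_orders():
    """Run both stacks for the reset user; shows which modules were ever consulted."""
    return {
        "as posted": run_stack(parse_stack(ORIGINAL_PAM_CONF), RESET_USER),
        "swapped": run_stack(parse_stack(SWAPPED_PAM_CONF), RESET_USER),
    }


if __name__ == "__main__":
    for label, (code, modules) in compare_orders().items():
        print(f"{label:>10}: {code:22} consulted: {' -> '.join(modules)}")
```

In the posted order the stack returns PAM_SUCCESS after pam_unix_account and pam_ldap is never asked, so no password-change prompt can appear; in the swapped order pam_ldap's result is recorded and becomes the stack's result.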
Native LDAP client doesn't work with an OpenLDAP server: No root DSE data
Hello!
My configuration :
- an OpenLDAP 2.2.23 server (Linux Debian) (server name = serv_annu)
- an LDAP client (Solaris 10) (server name = client_annu)
I want to configure my client using Solaris Native LDAP, and I follow the excellent doc by Gary Tay (http://web.singnet.com.sg/~garyttt).
I use TLS and I generated a certificate using Mozilla. TLS works, because ldapsearch from my Solaris client works:
FROM CLIENT_ANNU:
# ldapsearch -h server_annu -p 636 -b"dc=mydomain,dc=fr" -s base -Z -P /var/ldap/cert8.db "objectclass=*"
version: 1
dn: dc=mydomain,dc=fr
dc: mydomain
objectClass: top
objectClass: dcObject
objectClass: organization
objectClass: nisDomainObject
nisDomain: mydomain.fr
o: mydomain
LOG FROM SERVER_ANNU:
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 ACCEPT from IP=172.30.69.216:36020 (IP=0.0.0.0:636)
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SRCH base="dc=mydomain,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=1 UNBIND
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 closed
1) I added DUAConfigProfile.schema and solaris.schema on my OpenLDAP server.
2) I added a nisDomainObject at the root DN (see the result of the ldapsearch above).
3) I added an ACL in slapd.conf to allow reading of the rootDSE:
access to dn.base="" by ssf=128 * read
4) I ran on my Solaris client:
crle -u -s /usr/lib/mps
crle -64 -u -s /usr/lib/mps/64
5) I can't apply the result.c patch on my OpenLDAP server (production server!), so I can't create /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred using the ldapclient command. So I created /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred manually; the syntax is correct, because the "ldapclient list" command works:
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=toto,ou=People,dc=people1,dc=mydomain,dc=fr
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= server_annu
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=fr
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NOTE: I had to add NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD even though I use the anonymous credential level, because I get an error when I launch the LDAP client process.
So here everything is apparently OK, but when I enable the LDAP client process the cachemgr process runs for about 30 s and then crashes:
FROM CLIENT_ANNU:
svcadm disable /network/ldap/client;svcadm enable /network/ldap/client
/etc/init.d/nscd stop;/etc/init.d/nscd start
LOG FROM SERVER_ANNU:
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH attr=supportedControl supportedsaslmechanisms
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=1 UNBIND
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 closed
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 ACCEPT from IP=172.30.69.216:36022 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH attr=supportedControl supportedsaslmechanisms
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=1 UNBIND
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 closed...
FROM CLIENT_ANNU:
# /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 2
cachemgr cache data statistics:
Configuration refresh information:
Previous refresh time: 2008/04/02 09:58:12
Next refresh time: 2008/04/02 21:58:12
Server information:
Previous refresh time: 2008/04/02 09:58:32
Next refresh time: 2008/04/02 09:58:33
server: server_annu, status: ERROR
error message: No root DSE data returned.
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
My problem is: why do I get the following error message: No root DSE data returned?
Thanks in advance for your help!

Hi,
Is your OpenLDAP server configured to allow anonymous read of the rootDSE attributes?
Regards,
Ludovic.
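The slapd log quoted above already contains the answer to Ludovic's question: each root DSE search (base "", scope 0) is accepted with err=0 but returns nentries=0, which is what an OpenLDAP ACL that hides dn.base="" from an anonymous binder looks like, and what ldap_cachemgr then reports as "No root DSE data returned". The following is an added example, not code from the thread or from OpenLDAP: it scans slapd stats-level log lines for exactly that pattern and correlates each hit with the client IP from the ACCEPT line. The sample log is the conn 268/269 entries quoted above plus a constructed healthy connection (conn 270) for contrast.

```python
"""Spot root-DSE searches that came back empty in an OpenLDAP stats log.

Added example, not from the thread.  The log lines below are the slapd
entries quoted in the post (conn 268/269 from 172.30.69.216) plus one
constructed healthy connection (conn 270) for contrast.
"""
import re
from dataclasses import dataclass

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d)')
RESULT_RE = re.compile(
    r"conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)"
)

SAMPLE_LOG = """\
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH attr=supportedControl supportedsaslmechanisms
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=1 UNBIND
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 closed
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 ACCEPT from IP=172.30.69.216:36022 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=1 UNBIND
Apr 2 09:55:10 server_annu slapd[17068]: conn=270 fd=11 ACCEPT from IP=172.30.69.50:40110 (IP=0.0.0.0:389)
Apr 2 09:55:10 server_annu slapd[17068]: conn=270 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:55:10 server_annu slapd[17068]: conn=270 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""


@dataclass(frozen=True)
class EmptyRootDse:
    conn: int
    client: str
    err: int


def find_empty_rootdse(log_text):
    """Return one EmptyRootDse per base-"" scope-0 search that yielded no
    entry.  err=0 together with nentries=0 is the fingerprint of an ACL
    that hides dn.base="" from the binding identity: slapd accepted the
    search but had nothing it was allowed to return."""
    client_of = {}          # conn id -> client IP, taken from the ACCEPT line
    rootdse_ops = set()     # (conn, op) pairs that were root-DSE searches
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            client_of[int(m.group(1))] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            if m.group(3) == "" and m.group(4) == "0":
                rootdse_ops.add((int(m.group(1)), int(m.group(2))))
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key in rootdse_ops and int(m.group(4)) == 0:
                findings.append(
                    EmptyRootDse(key[0], client_of.get(key[0], "?"), int(m.group(3)))
                )
    return findings


def clients_affected(log_text):
    """Distinct client IPs that never received a root DSE entry."""
    return sorted({f.client for f in find_empty_rootdse(log_text)})


if __name__ == "__main__":
    for f in find_empty_rootdse(SAMPLE_LOG):
        print(f"conn={f.conn} client={f.client} err={f.err}: root DSE search returned no entry")
```

To confirm from the client side, run an anonymous base search against the server, e.g. `ldapsearch -x -H ldap://server_annu -s base -b "" supportedControl supportedSASLMechanisms`; zero entries reproduces the symptom. In OpenLDAP the root DSE is subject to the same ACLs as any entry, so the fix is a rule granting read on it, such as `access to dn.base="" by * read`, placed before any catch-all `access to *` rule, since ACL evaluation stops at the first matching `access to` clause.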
Able to su from root to ldap accounts but account passwords come back as incorrect otherwise?
Hi,
I've installed DSEE 11.1.1.7.2 and I set up a few test ldap clients: Solaris 10, Solaris 11, and Oracle Linux. From root on any of these boxes I can su to the ldap accounts, but if I try to ssh or su - from one test account to another I get an incorrect password.
I also have a test Sun 7.0 Directory Server running and using the same Solaris 10 client I can do a ldapinit to it and authenticate fine with the test accounts. I'm using the same scripts to create accounts and passwords on both versions. I looked through the default password policies between the two and don't see any differences and I'm not getting anything showing up in the logs. Has anyone seen this type of issue before?
Thanks

Hello,
This post http://serverfault.com/questions/576265/solaris-pam-ldap-authentication-using-sshd-kbdint-and-failing might be useful.
-Sylvain
Migrating Linux shadow-file MD5 passwords to Sun DSEE for Solaris/SunMail
Hello all,
We are about to undertake migration of an outdated mail server based on RedHat 7.2 and Sendmail/ipop3d to Sun Messaging Server (JCS6u2). While the filesystem/mail are not a problem, we're stuck at the question of how to best migrate old users' identities.
The old Linux system used user names and password hashes stored in /etc/passwd and /etc/shadow files. Hashes are mostly MD5 and a few seem like crypt.
Question is: are there known incompatibilities between password hashes (algorithms, expected format) in Linux and Sun products - Solaris/DSEE/SunMail?
That is, if we just take strings like these:
usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116
usecrypt:DD2kEwCD8nies:10220::::::
Can we simply place the second column as the userPassword attribute in Sun DSEE and expect that users would be able to log in to LDAP-enabled Solaris and Sun Mail with their old passwords, known only to them?
If not, is there some simple modification/translation of such hashes to a format accepted by Sun products?
Or are these formats/algorithms known to be incompatible somehow in a fatal manner, so our only option would be generation of new passwords for Sun DSEE and its clients?
Thanks,
//Jim

Just to clarify or add more information:
A password with the cleartext value testuser1 has the 32-digit hex value 41da76f0fc3ec62a6939e634bfb6a342.
The same password, converted to Base64, becomes Qdp28Pw+xippOeY0v7ajQg==.
But when I use the pwdhash utility in DSE after configuring CRYPT to use MD5 hashes, it becomes:
{crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
I used the command below:
pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
The actual hash value from pwdhash is LiB/H70zXr3xfQPoXVuUQ1; the rest of the prefix is there to meet the RFC standard, with the salt and algorithm-name separators.
I am wondering if Sun MD5 uses a salt by default even when I haven't used one, or if DS adds it. Or is there any other MD5 option that can be used?
Thanks,
Gaurav
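Both questions above come down to the same mechanism: an RFC 2307 directory (Sun DSEE, 389 DS, OpenLDAP) can store a crypt(3) string verbatim under the `{CRYPT}` scheme and verify it with the server host's crypt(3), so the migration question is which crypt formats that host implements. The following is an added example, not from the thread or from any Sun tool: it reads shadow-style lines, recognises the hash format from its prefix, skips accounts that cannot be migrated, and emits LDIF modify records with `{CRYPT}` values. The two shadow lines are the ones Jim quoted; the locked account is constructed, and the `BASE_DN` suffix is an assumption.

```python
"""Turn /etc/shadow hashes into LDIF userPassword values for an RFC 2307
directory (Sun DSEE, 389 DS, OpenLDAP) using the {CRYPT} storage scheme.

Added example, not from the thread.  The first two shadow lines are the
ones quoted in the question; the locked account is constructed, and the
suffix in BASE_DN is an assumption to replace with the real one.
"""
import re

BASE_DN = "ou=People,dc=example,dc=com"  # assumption

# crypt(3) formats, most specific first.  {CRYPT} only verifies if the
# server's crypt(3) implements the prefix, so the name is reported per user.
_FORMATS = [
    (re.compile(r"^\$1\$[^$]{0,8}\$[./0-9A-Za-z]{22}$"), "md5-crypt ($1$, Linux/BSD)"),
    (re.compile(r"^\$md5(,rounds=\d+)?\$[^$]*\$\$?[./0-9A-Za-z]{22}$"),
     "sun-md5 ($md5$, Solaris crypt_sunmd5)"),
    (re.compile(r"^\$5\$"), "sha256-crypt ($5$)"),
    (re.compile(r"^\$6\$"), "sha512-crypt ($6$)"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "traditional DES crypt"),
]

SAMPLE_SHADOW = """\
usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116
usecrypt:DD2kEwCD8nies:10220::::::
locked:!$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::
"""


def classify(hash_value):
    """Name the crypt(3) format of a shadow hash, or None if unrecognised
    (a raw 32-hex MD5 digest, for instance, is not a crypt string at all)."""
    for pattern, name in _FORMATS:
        if pattern.match(hash_value):
            return name
    return None


def shadow_to_ldif(shadow_text):
    """Return (ldif, skipped).  ldif holds one modify record per migratable
    account; skipped lists (user, reason) for accounts that need a fresh
    password instead: locked, passwordless, or an unknown hash format."""
    records, skipped = [], []
    for raw in shadow_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 2:
            skipped.append((raw, "malformed line"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "" or pw[0] in "!*":      # "!"/"*" prefix marks a locked account
            skipped.append((user, "locked or no password"))
            continue
        fmt = classify(pw)
        if fmt is None:
            skipped.append((user, "unrecognised hash format"))
            continue
        # The value starts with "{" and is printable ASCII, so no base64
        # ("::") encoding is needed in LDIF.
        records.append("\n".join([
            f"# {user}: {fmt}",
            f"dn: uid={user},{BASE_DN}",
            "changetype: modify",
            "replace: userPassword",
            f"userPassword: {{CRYPT}}{pw}",
            "-",
            "",
        ]))
    return "\n".join(records), skipped


if __name__ == "__main__":
    ldif, skipped = shadow_to_ldif(SAMPLE_SHADOW)
    print(ldif)
    for user, reason in skipped:
        print(f"# skipped {user}: {reason}")
```

Feed the output to `ldapmodify`. On Solaris the `{CRYPT}` comparison goes through the platform crypt(3), so a `$1$` hash verifies only if the `1` module (crypt_bsdmd5) is listed in `CRYPT_ALGORITHMS_ALLOW` in /etc/security/policy.conf; 13-character DES strings need no module. Gaurav's `{crypt}$md5$...` value is the Solaris crypt_sunmd5 format, a salted crypt algorithm that is unrelated to the raw MD5 digest, so it will never equal the 32-hex value or its Base64 form; `Qdp28Pw+xippOeY0v7ajQg==` is what an unsalted `{MD5}` scheme value looks like, where the server supports that scheme. DES crypt and unsalted MD5 are weak, and the directory cannot rehash them without the plaintext, so plan to re-hash each account (SSHA or SHA-crypt) on first successful login after migration.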
LDAP Mobile Users & Password (not) Syncing
Hi folks, we are starting to enable LDAP for our notebook users and have one issue that hopefully someone has some advice on.
We're using a Linux based LDAP server, 389 Directory Server.
Our users can authenticate, login, we make them admins, and enable the mobile user account.
It works well until they change their password on LDAP via our web interface.
Their new password works for Lion so long as they are on our network. Once they take their notebook away and can't reach our ldap anymore, the mobile user account will only accept their original ldap password.
It seems as if the passwords are not being synced/cached locally. I just discovered this before coming home for the weekend and hope to have a few hints to get going on Monday if anyone has a suggestion.
One last thought is that we turn off Home Directory Sync because we're not using network based home directories yet (set it to manual in Mobile Accounts). Would that also disable password syncing except when a manual sync happens?
Thanks folks!

Hi Steve,
We have mobile accounts turned on, but we do not have home directory syncing. Faculty/staff must, at least once, log in with their Mac while on our campus network. This authenticates the faculty/staff against our LDAP server (Solaris) and "caches" their credentials using the Mobile user feature of Lion. Once they have logged in once they can then go off campus and use that password to log into their machine, do updates, whatever.
The issue we have is when someone changes their LDAP password from our "web account tools" page, it is spotty on the LDAP sync with the machine.
Hope that helps
-DK