Netgroups in Solaris
Can anyone tell me what a netgroup is and how netgroups are configured for the Solaris OS?
Any help is appreciated.
thanks,
sunsuse
man netgroup would give you that information
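As an added example (not code from the original thread or from Solaris): a small Python parser for the /etc/netgroup file format that man netgroup describes, with an innetgr-style membership check. It handles (host,user,domain) triples, nested group names, backslash line continuation, comments, the empty-field wildcard and the "-" no-match field, and it tolerates a group that includes itself through another group. The sample file is constructed for the example.

```python
"""Parse the /etc/netgroup format and answer innetgr()-style questions.

Hypothetical helper written for illustration; it is not the Solaris
implementation.  File syntax (see man netgroup):

    groupname  member  member ...

A member is either the name of another netgroup or a triple
(host,user,domain).  An empty field is a wildcard, a "-" field never
matches.  A trailing backslash continues the line; "#" starts a comment.
"""
import re
from typing import Dict, List, Optional, Set, Tuple, Union

Triple = Tuple[Optional[str], Optional[str], Optional[str]]
Member = Union[str, Triple]          # nested group name or (host, user, domain)

# Constructed sample file (not from any real system).
SAMPLE_NETGROUP = """\
# admins who may use sudo on any host, and the web tier hosts
sysadmins   (,alice,) (,bob,)
webhosts    (web1,-,) (web2,-,) \\
            (web3,-,)
allhosts    webhosts (dbhost,-,)
# a group that (mistakenly) includes itself through another group
loop_a      loop_b
loop_b      loop_a (,carol,)
"""

_TOKEN_RE = re.compile(r"\([^)]*\)|\S+")   # a parenthesised triple or a bare name


def _field(raw: str) -> Optional[str]:
    """Empty field -> None (wildcard); anything else is kept verbatim."""
    raw = raw.strip()
    return None if raw == "" else raw


def parse_netgroup(text: str) -> Dict[str, List[Member]]:
    """Return {groupname: [members]} for the given netgroup file contents."""
    logical: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if line.endswith("\\"):                   # continuation line
            pending += line[:-1] + " "
            continue
        line = pending + line
        pending = ""
        if line.strip():
            logical.append(line)

    groups: Dict[str, List[Member]] = {}
    for line in logical:
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        members: List[Member] = []
        for tok in _TOKEN_RE.findall(rest):
            if tok.startswith("("):
                fields = tok[1:-1].split(",")
                if len(fields) != 3:
                    raise ValueError(f"malformed triple {tok!r} in netgroup {name}")
                members.append((_field(fields[0]), _field(fields[1]), _field(fields[2])))
            else:
                members.append(tok)              # reference to another netgroup
        groups.setdefault(name, []).extend(members)
    return groups


def _field_matches(pattern: Optional[str], value: Optional[str]) -> bool:
    if value is None:        # caller does not care about this field
        return True
    if pattern is None:      # empty field in the file: wildcard
        return True
    if pattern == "-":       # "-" in the file: matches nothing
        return False
    return pattern == value


def innetgr(groups: Dict[str, List[Member]], netgroup: str,
            host: Optional[str] = None, user: Optional[str] = None,
            domain: Optional[str] = None) -> bool:
    """True if (host, user, domain) is a member of netgroup, like innetgr(3C).

    Nested groups are followed depth-first; each group is visited once, so
    a cycle such as loop_a -> loop_b -> loop_a terminates.
    """
    seen: Set[str] = set()
    stack = [netgroup]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for member in groups.get(name, []):
            if isinstance(member, str):
                stack.append(member)
            elif all(_field_matches(p, v) for p, v in zip(member, (host, user, domain))):
                return True
    return False


def expand(groups: Dict[str, List[Member]], netgroup: str) -> List[Triple]:
    """Flatten a netgroup into its triples (what getnetgrent(3C) would walk)."""
    out: List[Triple] = []
    seen: Set[str] = set()
    stack = [netgroup]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for member in groups.get(name, []):
            stack.append(member) if isinstance(member, str) else out.append(member)
    return out
```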
Similar Messages
-
Sudo with LDAP NetGroups Solaris 10
Hi All,
Can some one describe me the steps to configure sudoers to work with LDAP NetGroups Solaris 10 ?
I am using "sudo 1.7.2p6 " right now.
I am able to authenticate using the Netgroups , but not able to using sudo.
Thanks,
DD
I have recently tested sudo 1.6.8p8 to be working with flat files /etc/sudoers or LDAP sudo maps, together with netgroup and automount, on a Solaris Native LDAP Client against DS5.2 server.
I assume you use Solaris8/9 Native LDAP Client, and assume netgroup LDAP maps have been working without sudo.
I read your other post about sudo and ldap, I think you did not configure and build "sudo" with "--with-pam", right?
Can you provide the following details?
1) First 10 lines of "sudo -V", i.e. "sudo -V | head".
2) How do you configure "sudo" on the LDAP Client? i.e. ./configure options.
3) Did you use an old gcc version eg: Solaris9 built-in gcc 3.1, to compile sudo?
4) Content of /var/ldap/ldap_client_file.
5) Content of /etc/ldap.conf, you should have this file.
6) Sample ldif showing some sudoRole entries in LDAP
7) Can you perform these commands?
ldaplist -l sudoers
ldaplist -l sudoers root
ldaplist -l sudoers some_sudoRole
8) Content of /etc/pam.conf
9) Any other relevant details, like err in /var/adm/messages.
Gary -
Problem while creating a new user on solaris
I have a SUN ultra machine. Solaris 2.6 is installed on this machine.
I have successfully created a new user in this machine using "admintool"
Problem is I'm getting error messages when I'm trying to update NIS DATABASE.
I'm doing-
#cd /var/yp
#/usr/ccs/bin/make
and the response is----
updated passwd
pushed passwd
make:Warning:Don't know how to make target /etc/ethers
Current working directory /var/yp
make:Warning:Don't know how to make target /etc/netgroup
Current working directory /var/yp
make:Warning:Don't know how to make target /etc/bootparams
Current working directory /var/yp
updated netid
pushed netid
Couldn't find /etc/timezone
make:Warning:Target all not remade because of errors.
Current working directory /var/yp
I had a similar problem with new users on Solaris 8.
I wasn't able to add new users and change the shell variable while using admintool.
Login back into the console would simply not happen.
All i've been able to find is that changing the users' variable - i.e. .login or .profile to match that of a working existing user (root),
would skip over the problems.
Other variables in the skeleton files were helpful. I suggest you take a look at them. -
DNS and Static IP Address Question on Solaris v10 X86
I've recently installed Solaris v10 X86 and have two questions. The system is a Dell E521 with 4GB RAM and 1GB SysKonnect NIC, and internet is provided via a cable modem, that's plugged into a Netgear router, and the Solaris 10 box is plugged into the Netgear router via a CAT5 ethernet cable.
1. I can connect to my router login page using the following URL:
http://192.168.1.1/start.htm and I can also connect to various web pages such as yahoo, if I first "ping yahoo.com" (on another machine that's internet enabled) and then plug the web site's ip address into the Solaris/Mozilla browser. So it appears that I haven't been successful at pointing the Solaris x86 at a DNS server to resolve the DNS name.
2. I've purchased a commercially available software package and it requires a static ip address for this Solaris x86 server. If the ip address changes, it'll stop working by design and require that I reacquire the license file. When connecting through this Netgear router, how do I lock this Solaris v10 x86 server into a specific ip address? (the ip address floats presently when cycling my PC's on/off) presently, and assume the Solaris box will too, usually through an ip range of 192.168.1.<1 through 5>
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
skge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
ether 0:0:5a:9b:1f:10
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
192.168.1.0 192.168.1.3 U 1 1 skge0
224.0.0.0 127.0.0.1 U 1 0 lo0
default 192.168.1.1 UG 1 0
127.0.0.1 127.0.0.1 UH 8 163 lo0
Some of the present Netgear router settings:
Internet IP Address
Get Dynamically From ISP (yes)
Use Static IP Address (no)
IP Address 75.185. CROSSED-OUT3
IP Subnet Mask 255.255.248.0
Gateway IP Address 75.185.CROSSED-OUT4
Domain Name Server (DNS) Address
Get Automatically From ISP (yes)
Use These DNS Servers (blank)
Primary DNS ... (blank)
Secondary DNS ... (blank)
Netgear Router Status Page:
Account Name WGT624v3
Hardware Version V3H1
Firmware Version V2.0.16_1.0.1NA
Internet Port
MAC Address 00:40:ca:a8:CROSSED-OUT2
IP Address 75.185.CROSSED-OUT3
DHCP DHCPClient
IP Subnet Mask 255.255.248.0
Domain Name Server 65.24.7.3
65.24.7.6
LAN Port
MAC Address 00:18:4D:85:CROSSED-OUT1
IP Address 192.168.1.1
DHCP ON
IP Subnet Mask 255.255.255.0
Excerpt from doing a prtconf -D command:
pci10de,26f, instance #0 (driver name: pci_pci)
pci1028,8010, instance #0 (driver name: hci1394)
pci1148,5021, instance #0 (driver name: skge)
pci1028,1ed
pci1022,1100
The NIC is a SysKonnect 9821 1GB Ethernet card. The drivers in Solaris 10 were apparently very old and didn't install drivers or configure/plumb when I installed Solaris 10, so I downloaded the
latest drivers (hard to find!), followed the instructions and got the NIC drivers installed and then plumbed.
My router's ip address appears to be 192.168.1.1 and in one of the articles I've read, there is a recommendation to create a file (touch) within /etc named defaultrouter and enter the router's ip address. I did this, and the file now contains:
192.168.1.1
I also read where another file called resolv.conf needed to be pointed to a DNS server, which in this case, according to my Netgear router, and according to ipconfig/all on another WinBox on the same network, also shows the same 192.168.1.1 address for the DNS, so I created that file too (wasn't there) and it contains:
nameserver 192.168.1.1
There is a host name file called hostname.skge0 and it contains one line:
INTHOST
There is a hosts file, and it contains:
127.0.0.1 localhost loghost homex86
192.168.1.3 INTHOST
There is a netmasks file, and other than the commented out lines, it appears to contain one relevant line:
192.168.1.0 255.255.255.0
There is a nsswitch.conf file and other than the commented out lines, it contains:
passwd: files
group: files
hosts: files
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
There is an nsswitch.dns file:
passwd: files
group: files
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
Finally, I've also seen some advice using the following command (and I tried it):
"route add default 192.168.1.1" as an alternative method of setting up route table
The only other command I've tried is:
"ifconfig skge0 192.168.1.1 netmask 255.255.255.0 up" but I suspect that was redundant as the plumb command I used to get the NIC functioning earlier probably already provided what was needed.
Finally, on this small network, I ran an ipconfig/all on a Windows based PC, to see what network settings were reported through the wireless connection, and this is an excerpt of that information:
C:\Documents and Settings\mark_burke>ipconfig/all
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : (withheld)
Ethernet adapter {xxxxxxxx}:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Nortel IPSECSHM Adapter - Packet Scheduler Min
iport
Physical Address. . . . . . . . . : (withheld)
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 1370 WLAN Mini-PCI Card
Physical Address. . . . . . . . . : (withheld)
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
> 1. I can connect to my router login page using the following URL: http://192.168.1.1/start.htm and I can also connect to various web pages such as yahoo, if I first "ping yahoo.com" (on another machine that's internet enabled) and then plug the web site's ip address into the Solaris/Mozilla browser. So it appears that I haven't been successful at pointing the Solaris x86 at a DNS server to resolve the DNS name.
You can either copy nsswitch.dns to nsswitch.conf, or you can modify nsswitch.conf so that 'dns' is used for hostname lookups.
> 2. I've purchased a commercially available software package and it requires a static ip address for this Solaris x86 server. If the ip address changes, it'll stop working by design and require that I reacquire the license file. When connecting through this Netgear router, how do I lock this Solaris v10 x86 server into a specific ip address? (the ip address floats presently when cycling my PC's on/off) presently, and assume the Solaris box will too, usually through an ip range of 192.168.1.<1 through 5>
One method is setting the router so that the server's MAC address is tied to a specific IP.
Otherwise you can edit /etc/hostname.<interface> and place a static address there, forgoing DHCP services from the router. You may want the address to appear outside the router's DHCP range.
Darren -
Connection from Solaris is not working with Proxy (RedHat Linux is)
We have a physical box running Solaris 10 with two zones. One zone is running the Sun LDAP DS (Directory Server) and the second zone is running Sun LDAP DPS (Directory Proxy Server). Sun LDAP EE version is 6.3.1.
From the RedHat Linux client box (which in fact is an IFL guest running on Z-series IBM Mainframe) its possible to authenticate user accounts via the DPS zone.
From the Solaris client box, we can only authenticate the accounts when connecting directly to the DS zone.
We see in messages:
Jun 4 15:29:00 wgtzgh2 sshd[4076]: [ID 293258 auth.error] libsldap: Status: 32 Mesg: openConnection: simple bind failed - No such object
Jun 4 15:29:00 wgtzgh2 last message repeated 3 times
Jun 4 15:29:00 wgtzgh2 sshd[4076]: [ID 293258 auth.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Jun 4 15:29:00 wgtzgh2 sshd[4070]: [ID 800047 auth.error] error: PAM: No account present for user for illegal user l618320 from wgwlgaz.nz.thenational.com
Below are the configuration used for the Solaris and Linux boxes, along with a bad drawing of our network.
Any ideas why we can't authenticate from our Solaris client using the Proxy (DPS) connection?
Thank you
-- Andreas
. 10.64.6.x
+----------------------+ |
| directory server |----+
+----------------------+ |
|
|
+----------------------+ |
|directory proxy server|----+
+----------------------+ |
|
+--------+
| router |
+--------+
| |
+------------+ 10.69.193.x | |
|RedHat Linux|--------------+ |
+------------+ | |
|
+----------+ 10.64.28.x |
| Solaris |------------------+
+----------+ |
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com
NS_LDAP_BINDPASSWD= {NS1}41fa88f3a945c411
NS_LDAP_SERVERS= wgpsdps01.nz.thenational.com, akpsdps01.nz.thenational.com
NS_LDAP_SEARCH_BASEDN= dc=nz,dc=thenational,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SERVER_PREF= wgpsdps01.nz.thenational.com
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nz,dc=thenational,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=nz,dc=thenational,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=nz,dc=thenational,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=nz,dc=thenational,dc=com?one
NS_LDAP_BIND_TIME= 30
NS_LDAP_HOST_CERTPATH= /var/ldap/cacerts
wgtitts3:~ # cat /etc/ldap.conf
base dc=nz,dc=thenational,dc=com
## Search Scope
scope sub
## Bind Policies
bind_timelimit 1
bind_policy soft
idle_timelimit 3600
pam_filter objectclass=posixaccount
pam_login_attribute uid
#pam_password md5
nss_base_passwd ou=people,dc=nz,dc=thenational,dc=com?one
nss_base_shadow ou=people,dc=nz,dc=thenational,dc=com?one
nss_base_group ou=group,dc=nz,dc=thenational,dc=com?one
nss_base_netgroup ou=netgroup,dc=nz,dc=thenational,dc=com?sub
nss_initgroups_ignoreusers root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, dbus, avahi, nscd, vcsa, pcap, mailnull, smmsp, haldaemon, rpc, ntp, rpcuser, sshd, rpm, xfs, gdm,
## Finally some SSL configuration
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
host akpsdps01.nz.thenational.com wgpsdps01.nz.thenational.com
Edited by: Bank_Of_New_Zealand on 4/06/2009 16:33
Hello,
The DPS log output for that time:
[04/Jun/2009:15:29:00 +1200] - CONNECT - INFO - conn=211417 client=10.64.28.106:55111 server=wgpsdps01:636 protocol=LDAPS
[04/Jun/2009:15:29:00 +1200] - PROFILE - INFO - conn=211417 assigned to connection handler cn=default connection handler, cn=connection handlers, cn=config
[04/Jun/2009:15:29:00 +1200] - OPERATION - INFO - conn=211417 op=0 BIND dn="cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com" method="SIMPLE" version=3
[04/Jun/2009:15:29:00 +1200] - SERVER_OP - INFO - conn=211417 op=0 BIND dn="cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com" method="SIMPLE" version=3 s_msgid=7230 s_conn=data source wgpsds01:6
[04/Jun/2009:15:29:00 +1200] - SERVER_OP - INFO - conn=211417 op=0 BIND RESPONSE err=32 msg="" s_conn=data source wgpsds01:6
[04/Jun/2009:15:29:00 +1200] - OPERATION - INFO - conn=211417 op=0 BIND RESPONSE err=32 msg="" etime=0
[04/Jun/2009:15:29:00 +1200] - DISCONNECT - INFO - conn=211417 reason="other" msg="Exception caught while polling client connection LDAPS.10.64.28.106.55111 -- java.io.IOException: Received CLOSED during initial handshaking"
Cheers
Edited by: Bank_Of_New_Zealand on 5/06/2009 11:30 -
Solaris 10 openldap authentication with md5 passwords
Hello to everyone,
We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
The error messages when trying to 'su -' to the ldap user are:
Jun 1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4
and for ssh:
Jun 1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
Jun 1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
Please feel free to ask for any other configuration file:
*/etc/pam.conf*
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_unix_auth.so.1 server_policy debug
login auth required /usr/lib/security/pam_ldap.so.1 debug
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1 use_first_pass
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth required pam_unix_auth.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient pam_unix_auth.so.1 server_policy
other auth sufficient /usr/lib/security/pam_ldap.so.1 debug
other auth required pam_unix_auth.so.1 use_first_pass debug
passwd auth sufficient pam_passwd_auth.so.1 server_policy
passwd auth required /usr/lib/security/pam_ldap.so.1 debug
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1 server_policy
other account required /usr/lib/security/pam_ldap.so.1 debug
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
*/etc/ldap.conf*
base ou=users,ou=Example,dc=staff,dc=example
ldap_version 3
scope sub
pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
pam_member_attribute memberUid
nss_map_attribute uid displayName
nss_map_attribute cn sn
pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
uri ldap://ldapserver01/
ssl no
bind_timelimit 1
bind_policy soft
timelimit 10
nss_reconnect_tries 3
host klnsds01
nss_base_group ou=system_groups,ou=Example,dc=staff,dc=example?sub
pam_password md5
*/etc/nsswitch.conf*
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
*/etc/security/policy.conf*
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LOCK_AFTER_RETRIES=YES
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1
Thanks in advance for any response...!!
Thank you for your reply.
Our openldap version is openldap-2.3.39
And all passwords are encrypted with : Base 64 encoded md5
Below is a sample password:
{md5}2FeO34RYzgb7xbt2pYxcpA==
Thanks again for any help.. -
Managing LDAP users with Solaris Management Console
I'm using Solaris Management Console (SMC) to manage users in our Directory Server. Unfortunately, the default "user manager" in SMC does not have a tab to manage netgroups. Does anybody else use SMC to manage users and have you created a custom tool to manage netgroups? If so, how did you do it?
Hello Senthilkumar,
Here are the outputs from the commands. The other ones that I left out (/var/adm/messages and showrev -p) had a lot of output and I wasn't sure what you needed. Please let me know what to post or if you want me to post the whole things.
# more /etc/release
Solaris 8 7/01 s28x_u5wos_08 INTEL
Copyright 2001 Sun Microsystems, Inc. All Rights Reserved.
Assembled 06 June 2001
# java -version
java version "1.2.2"
Solaris VM (build Solaris_JDK_1.2.2_07a, native threads, sunwjit)
Here are the errors that come back when /etc/init.d/init.wbem fails.
Exception in thread "main" java.lang.NoClassDefFoundError: com/sun/management/viperimpl/server/ViperServer
at java.lang.ClassLoader.defineClass0(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:495)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:110)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:252)
at java.net.URLClassLoader.access$1(URLClassLoader.java:218)
at java.net.URLClassLoader$1.run(URLClassLoader.java:199)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:193)
at java.lang.ClassLoader.loadClass(ClassLoader.java:300)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:290)
at java.lang.ClassLoader.loadClass(ClassLoader.java:256)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:316) -
Managing LDAP sub tree with Solaris Management Console
Hi,
I'm using Sun ONE Directory Server 5.2 in a Solaris 9 environment.
I want to use Solaris Management Console to manage my Ldap Name Service.
On my ldap server I can display two scopes :
Scope 1 file:/example/example
Scope 2 ldap:/example/dc=example,dc=com
With SMC Editor I've created a toolbox to manage my ldap domain and I can manage users and groups only on trunk tree but not on the sub tree.
Can someone please tell me if it's possible to display the LDAP sub tree with SMC, and if it's possible to manage containers other than the people or group containers with SMC (for example the netgroup container)?
Thanks.
Dra
By trial and error I found out that even when I upgraded my
Sun ONE Directory Server 5.2 to patch level 2, the configuration
in the administration directory was not changed to the new
version. So one couldn't connect with the new console
version 5.2pl2 but used and needed the old one effectively.
To use the 5.2 pl 2 console there need to be the following
files in the client directory:
<root of sun ldap console>/java/jars/
ds522.jar (main console application)
ds522_en.jar (english language resources)
ds522_de.jar (german language resources, in my case, optional)
ds522.icon (icon used in the console)
and for the administration console:
admserv522.jar
admserv522_en.jar
admserv522_de.jar
admserv522.icon
The old file with the '52' in their name may stay where they
are to connect to unpatched 5.2 Servers and 5.2pl2 Servers
without updated configuration.
The configuration is under:
cn=ResourceEditorExtension, ou=4.0, ou=Admin, ou=Global Preferences, ou=zentrale.edekanet.de, o=NetscapeRoot
Search for the attribute 'nsclassname' in all subentries where there
is a substring '@ds52.jar' and change it to '@ds522.jar'.
With newer versions of the Sun Directory Server there are
even jar files with names like 'ds523.jar'. Proceed like above.
After the next start of the console you are using the new 5.2pl2
Versions with all bugfixes and enhancements. To verify you may
move the '52' files away, start and connect. If the directory server
is configured the right way it won't try to download the '52' files
to your local computer.
Frerk -
Trying to install Solaris 10 on Sun Fire V210
Rebooting with command: boot net - install nowin
Boot device: /pci@1f,700000/network@2 File and args: - install nowin
1000 Mbps FDX Link up
Timeout waiting for ARP/RARP packet
Timeout waiting for ARP/RARP packet
Timeout waiting for ARP/RARP packet
Timeout waiting for ARP/RARP packet
Timeout waiting for ARP/RARP packet
4000 1000 Mbps FDX Link up
Requesting Internet address for 0:3:ba:60:36:d
I am trying to install solaris 10 (sparc) on a sun fire v210 and I get kernel dump and
the following crash messages:
Any suggestion would be very welcome indeed as this the first of 250 systems...
Lydia
SunOS Release 5.10 Version Generic_118833-33 64-bit
Copyright 1983-2006 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
WARNING: Cannot find /system/contract
/kernel/fs/sparcv9/procfs: undefined symbol 'default_copyops'
/kernel/fs/sparcv9/procfs: undefined symbol 'cpu_decay'
WARNING: mod_load: cannot load module 'procfs'
WARNING: Cannot mount /proc
WARNING: file system 'mntfs' version mismatch
WARNING: Cannot mount /etc/mnttab
WARNING: Cannot find /etc/svc/volatile
WARNING: Cannot find /system/object
/kernel/fs/sparcv9/procfs: undefined symbol 'default_copyops'
/kernel/fs/sparcv9/procfs: undefined symbol 'cpu_decay'
WARNING: mod_load: cannot load module 'procfs'
WARNING: Failed to process interrupt for ali1535d+-power0 due to down-rev nexus driver isa0
WARNING: power_attach: failed to add high-level interrupt handler.
WARNING: power button driver failed to install
WARNING: Failed to process interrupt for rmc_comm0 due to down-rev nexus driver isa0
WARNING: rmc_comm failed to install
WARNING: Could not install rmclomv driver
WARNING: Failed to process interrupt for pcf85840 due to down-rev nexus driver isa0
WARNING: i2c_0 failed to retrieve iblock cookie. Operating in POLL MODE only
fs/sockfs:sock_getfasync() not defined properly
/kernel/sys/sparcv9/c2audit: undefined symbol 'sogetpeername'
/kernel/sys/sparcv9/c2audit: undefined symbol 'sogetsockname'
WARNING: mod_load: cannot load module 'c2audit'
WARNING: c2audit: unable to resolve dependency, module 'fs/sockfs' not found
misc/consconfig:consconfig_get_usb_kb_path() not defined properly
panic[cpu1]/thread=180e000: mod_hold_stub: Couldn't load stub module misc/consconfig
000000000180b890 genunix:mod_hold_stub+1f0 (0, 185f800, 18ac878, 60000c44fb0, 1817328, 0)
%l0-3: 0000000001843ac8 000006000136e000 0000000001811cf8 0000000000000000
%l4-7: 0000000000000000 0000000000000064 0000000000000064 0000000000000001
000000000180b940 unix:stubs_common_code+30 (21dead78c0, 960010, 53555554, 0, 31f400, 0)
%l0-3: 000000000180b209 000000000180b2e1 000000123e000000 0000000000000001
%l4-7: 0000000000000000 0000000001817338 0000000000000000 0000060000c1abc0
000000000180ba10 genunix:main+134 (18accd0, 18a8800, 18364c0, 1861400, 183b400, 1814000)
%l0-3: 0000000070002000 0000000000000001 0000000000000000 0000000000000002
%l4-7: 00000000018afef8 00000000018afc00 00000000018acce0 00000000018acc00
I am using jet to do the jumpstart and the config file for jet is listed below.
The install server is solaris 10 sparc
SunOS nereid 5.10 Generic_125100-10 sun4u sparc SUNW,Sun-Blade-1500
The version I am trying to install is 118855-33 (sol10-u3 - i believe). I have downloaded
the latest recommended patchset which should bring me to 118855-36 plus the latest
minor kernel patches.
nereid-root (482)>cat m1001
# Client template file
# Client: m1001 (derived from quintor.js)
# Created: Wed Mar 8 14:38:51 GMT 2006
# This file was automatically generated using 'make_template'
# Product: base_config
# Synopsys: Basic host information
# Architecture type:
# sun4c : e.g. SS1, SS2, SS IPX
# sun4d : e.g. SS1000, SS2000
# sun4e : ?
# sun4m : e.g. SS LX, SS4, SS5, SS10, SS20
# sun4u : UltraSparc - U1, U2, E3x00, E4x00 etc
# sun4u1 : E10K
# i86pc : Intel X86
# Ethernet can be obtained from the 'banner' command at OBP
# OS is one of the values you used to register the solaris media using
# the add_solaris_location command
base_config_ClientArch="sun4u"
base_config_ClientEther=00:03:ba:60:36:0d
base_config_ClientOS="sol10_u3"
# Client allocation
# The mechanism used to build this client; by default, the options listed
# in /opt/jet/etc/jumpstart.conf will be tried; you should only set this
# if this particular client needs to do something different.
base_config_client_allocation="newboot"
# products is the set of products to install after base_config; this
# should be updated automatically by make_template, so you
# will only need to change it, if you wish to omit certain
# modules when testing/debugging.
base_config_products=" custom"
# JumpStart sysidcfg information
# The sysidcfg file provides information at initial boot time so that the
# system can properly identify itself. The interface and ip address defined
# here MUST be on the same subnet as the JumpStart server. The root password
# is set here also and must be written in encrypted format. The default value
# shown here is "newroot". The timeserver is normally the IP address of the
# JumpStart server.
# nameservice examples:
# NONE
# NIS { domain_name=uk.sun.com name_server=nis.uk.sun.com(129.159.91.1) }
# or for DNS
# DNS { domain_name=uk.sun.com name_server=192.168.1.1 search=uk.sun.com }
# network_interface:
# le0, hme0
# or PRIMARY (the default interface - net in OBP)
# N.B. PRIMARY is only valid from Solaris 7 upwards
# locale:
# en_UK for Solaris 2.6
# en_GB for Solaris 7 and above
# timeserver: Where the client gets the current time from.
# Leave blank to default the the JumpStart server
# Alternatively, set to 'localhost' to trust the current
# hardware clock on the client
# terminal: terminal type (vt100/vt220/sun etc)
# security_policy: Kerberos policy (Solaris 8 +)
# protocol_ipv6: Use ipv6 or not (Solaris 8 +)
# default_route: Solaris 9 allows a default route to be set
# (ignored on all other versions of Solaris, less than 9)
base_config_sysidcfg_nameservice=NONE
base_config_sysidcfg_network_interface=PRIMARY
base_config_sysidcfg_ip_address=172.17.3.1
base_config_sysidcfg_netmask=255.255.0.0
base_config_sysidcfg_root_password="xxxxxxxxxxxx"
base_config_sysidcfg_system_locale="en_GB.ISO8859-15"
base_config_sysidcfg_timeserver=
base_config_sysidcfg_timezone="GB"
base_config_sysidcfg_terminal=vt100
base_config_sysidcfg_security_policy=NONE
base_config_sysidcfg_protocol_ipv6=no
base_config_sysidcfg_default_route=
# X86, X64 specific settings. If this is an x86 client, then you may need
# to configure these settings. They are ignored for SPARC builds.
# base_config_x86_nowin:
# This stops Solaris from trying to run windows during the install.
# the default value is yes.
# base_config_x86_console:
# Set the console to the correct tty port. This is used for doing installs
# via the serial port or the SP. b1600,v20z and v40z use ttya. lx50, v60x,
# and v65x use ttyb. NOTE: you only need to set this if you are NOT going
# to connect a keyboard and monitor to the client.
# base_config_disable_acpi:
# Disable ACPI - sometimes disabling ACPI makes the install go
# better due to how the interrupts are handled. Non-Null disables ACPI.
# base_config_x86_safetoreboot:
# The Solaris installer can't control the BIOS, therefore does not
# know if it's safe to reboot the client as it may simply jumpstart
# again. If your PXE boot is a one time option, and the next reboot
# will attempt to boot from disk, then you probably want to set this
# option to "yes". Otherwise, leave it as it is so that it won't reboot
# and therefore allow you to manually change your BIOS to boot from disk.
base_config_x86_nowin=""
base_config_x86_console=""
base_config_x86_disable_acpi=""
base_config_x86_safetoreboot=""
# Want to create your own custom profile? If so, use this variable to
# reference a file relative to the Clients/<clientname> directory, otherwise
# fill in the other details below to get toolkit to create one for you.
base_config_profile=""
# JumpStart profile information
# A limited profile can be automatically generated here. If further
# customisation is required, then you can manually create a profile in the
# client directory and reference it in the base_config_profile variable.
# Cluster:
# SUNWCrnet : Minimal. Solaris 10 only
# SUNWCreq : Required - really basic, good for testing
# SUNWCuser : User collection
# SUNWCprog : User + Developers collection
# SUNWCall : All packages
# SUNWCXall : All + OEM packages (mandatory for E10K)
# usedisk: defines the disk that the OS will be loaded on to - bootdisk
# (if this is set to rootdisk., then the current boot disk will
# be used)
# dontuse: defines disks that should not be used..
# ** N.B. This will only be used if 'usedisk' is NOT set
# Space separated list of disks of the form c?t?d?
# partition sizes:
# if partitions are not required simply leave blank. In order to maintain
# consistency the partitions will always use the same slice number:
# / s0
# swap s1
# /var s5
# /usr s6
# /opt s7
# at most one partition can have the size 'free' which denotes all the
# unallocated/spare space on a disk.
base_config_profile_cluster=SUNWCall
base_config_profile_usedisk=rootdisk.
base_config_profile_dontuse=""
base_config_profile_root=8192
base_config_profile_swap=4096
# If you are using VxVM and want your boot disk to look like the mirror, then
# leave slices 3 and 4 empty. If you do not care about keeping the two disks
# looking cosmetically the same, please just make sure you have two free slices
# somewhere on the disk for VxVM!
# If you are not using VxVM, then you can use s3 and s4 for whatever you wish!
base_config_profile_s3_mtpt=""
base_config_profile_s3_size=""
base_config_profile_s4_mtpt=""
base_config_profile_s4_size=""
base_config_profile_s5_mtpt=""
base_config_profile_s5_size=""
base_config_profile_s6_mtpt=""
base_config_profile_s6_size=""
# If you are using DiskSuite, the default behaviour is to use slice 7 as a
# location for metastate databases. If you are using DiskSuites default config,
# please avoid using s7 for data!
base_config_profile_s7_mtpt="/export/disk/1"
base_config_profile_s7_size="free"
# You can specify additional disks to use/configure here
# additional_disks is a space separated list of c?t?d? type disk names
# For each disk listed in additional_disks, a pair of variables of the form
# base_config_profile_disk_c?t?d?s?_mtpt="...."
# base_config_profile_disk_c?t?d?s?_size="...."
# should be defined for each slice required on the disk.
# N.B. DO NOT SET THE BOOT DISK UP HERE !
base_config_profile_additional_disks=""
base_config_profile_disk_c0t3d0s0_mtpt=""
base_config_profile_disk_c0t0d0s0_size=
# Additional locales/geos e.g. N_Europe, C_Europe
base_config_profile_add_locales=""
base_config_profile_del_locales=""
base_config_profile_add_geos=""
base_config_profile_del_geos=""
# UFS Logging
# Solaris 7 and above support UFS+, which allows for a logging filesystem
# under UFS. If you want to use this feature on any of the UFS mount points,
# please specify the mount points here, as a space separated list, or enter
# the keyword "all" to enable logging on all UFS filesystems.
# Solaris 9 09/04 enables logging by default. You can also specify mountpoints
# preceded by a - sign to say that you DON'T want logging enabled on that
# filesystem, or you can use the keyword "none" to say you don't want any
# ufs logging turned on at all.
# N.B. root (/) can be included in the list, and is included by default if
# using either the "all" or "none" keyword.
# Finally, you can't mix keywords and mountpoints. i.e. "all -/" is NOT
# valid.
# e.g. base_config_ufs_logging_filesys="all" : log all filesystems
# base_config_ufs_logging_filesys="none" : log no filesystems
# base_config_ufs_logging_filesys="-/ /var -/usr" : log /var, but not / and /usr.
base_config_ufs_logging_filesys="all"
# Packages to add to/remove from the selected cluster
# Use this to populate the profile with package <pkg> <add|delete> entries
base_config_profile_add_packages=""
base_config_profile_del_packages="SFWrpm SFWexpct SUNWzebrar SUNWa2psr SUNWmysqlr SUNWffiltersr SUNWopensslr SUNWserr SUNWsmbar SUNWa2psu SUNWant SUNWbison SUNWflexlex SUNWfreetype2 SUNWggrp SUNWgimpprint SUNWgm4 SUNWgnome-a11y-gok SUNWgnome-a11y-reader SUNWgnome-camera SUNWgnome-games SUNWgnome-img-editor SUNWgnome-img-viewer SUNWgnome-media-player SUNWgnome-project SUNWgscr SUNWgtar SUNWGtku SUNWhpijs SUNWimagick SUNWmozilla SUNWmoznspr-devel SUNWmysqlt SUNWmysqlu SUNWncft SUNWopenjade SUNWopensp SUNWopenssl-commands SUNWpsutils SUNWPython SUNWsmbac SUNWsmbau SUNWsmcmd SUNWTcl SUNWtexi SUNWTk SUNWwebminu SUNWwgetu SUNWzsh SUNWjavaapps SUNWmozapoc-adapter SUNWmozchat SUNWmozdom-inspector SUNWmozgm SUNWmozilla-devel SUNWmozjs-debugger SUNWmozmail SUNWmoznspr SUNWmoznss SUNWmoznss-devel SUNWmozpsm SUNWmozspell SUNWopenjade-devel SUNWopenjade-root SUNWopenjade-share SUNWopensp-devel SUNWopensp-root SUNWopensp-share SUNWseru SUNWserweb SUNWsfinf SUNWsfman SUNWsmdoc SUNWzebrau SUNWpostgr SUNWpostgr-contrib SUNWpostgr-docs SUNWpostgr-jdbc SUNWpostgr-libs SUNWpostgr-pl SUNWpostgr-server SUNWpostgr-server-data SUNWpostgr-tcl"
# Clusters to add to/remove
# Use this to populate the profile with cluster <cluster> <add|delete> entries
base_config_profile_add_clusters=""
base_config_profile_del_clusters="SUNWCpm SUNWCpmx SUNWCdial SUNWCdialx"
# Remote file systems (NFS)
# Specify these as a space separated list of pairs as follows, using ? as
# the separator (as : has special meanings with nfs!)
# e.g. to mount 1.1.1.1:/fs on /fs you would create the entry
# base_config_nfs_mounts="fs?1.1.1.1:/fs"
base_config_nfs_mounts=""
# Host information
# This section defines most things network related etc.
# In addition, if the machine will be JumpStarted as one name/address and
# needs to have a different name/address once installed, this is where you
# can set that information.
# nodename: the value for /etc/nodename if it's not the default
# hostname
# defaultrouter: the value for /etc/defaultrouter.
# notrouter: if this is set, the file /etc/notrouter will be created
# dns_domain: domain entry for /etc/resolv.conf
# dns_nameservers: nameserver entries for /etc/resolv.conf
# (list of ip addresses, space separated)
# dns_searchpath: list of entries to go in the search line
# dns_disableforbuild: If there is no DNS available in the build
# environment, set this to delay the configuration
# of DNS until later on.
base_config_nodename=""
base_config_defaultrouter=""
base_config_notrouter=""
base_config_dns_domain=""
base_config_dns_nameservers=""
base_config_dns_searchpath=""
base_config_dns_disableforbuild="yes"
# NTP configuration
# Specify a list of names or ip addresses for the NTP servers. The first
# one will be given a 'prefer' tag. This section will only place lines
# of the form: server <ipaddress/name> [prefer]
# into the /etc/inet/ntp.conf file. If you require more control of ntp,
# please use the custom module to deploy your own custom ntp.conf file.
# N.B. If you do use names, they must be resolvable in your name service.
base_config_ntp_servers=""
# Network Interface information
# networkifs: a list of interfaces to be defined,
# space separated "le0 hme0".
# N.B. the sysidcfg interface will already be configured
# Logical interfaces should be defined using _'s rather
# than :'s.
# networkif_<ifname>: the details of the interface <if>
# "netname netmask hostname address"
# netname: arbitrary name for /etc/networks
# netmask: netmask of this if (e.g. 255.255.255.0)
# hostname: unique hostname (N.B. not multihomed)
# address: IP address of this interface
# For example:
# base_config_networkifs="ge0 ge0_1"
# base_config_networkif_ge0="bkp 255.255.255.0 me-bkp 192.168.1.0"
# base_config_networkif_ge0_1="bkp2 255.255.255.0 me-bkp2 192.168.2.0"
base_config_networkifs="beg1"
base_config_networkif_beg1="data 255.255.0.0 d1001 172.18.3.1"
# N.B. Logical interfaces MUST use _ rather than : as illustrated below
base_config_networkif_le0_1=""
# IP Multipathing (Solaris 8+)
# IPMP default mode is automatic failback.
# To change this mode edit /etc/default/mpathd
# ipmp_networkifs: a list of interfaces to be defined under ipmp control
# a space separated list of pairs only
# e.g. "qfe0_qfe4 qfe1_qfe5"
# N.B. If the primary interface is used in an ipmp group, the
# system must be rebooted manually after installation to
# activate ipmp.
# N.B. Can only setup ipmp group with pairs of interfaces in one
# of the following configurations:
# active-standby failover:
# Set ipmp mode = s, and specify one logical
# hostname/ip address pair.
# failover with outbound load spreading:
# Set ipmp mode = l, and specify one logical
# hostname/ip address pair.
# active-active with outbound load spreading:
# Set ipmp mode = l, specify a second logical
# hostname/ip address pair for the second interface.
# ipmp_networkif_<if>_<if>: "netgroup mode test1 test2 mask hostname log-ip hostname2 log-ip2"
# details of the interfaces in the ipmp group
# e.g. base_config_ipmp_networkif_qfe0_qfe4
# netgroup: ipmp interface group name
# e.g. database-net
# ipmp mode: s = standby (failover only)
# ** test addresses are allocated last,
# ** first test address will be on the
# ** first virtual interface of the
# ** first physical adapter. Second
# ** test address will be on the second
# ** physical adapter.
# l = load spreading / active-active
# ** test addresses are allocated on
# ** first virtual interfaces on both
# ** the first and second physical
# ** adapters.
# To force the test addresses onto the physical
# adapters, use the suffix 'p' to the above
# modes, i.e. 'sp' or 'lp'. This is not
# recommended and may break certain applications.
# test1: ipmp test address1
# test2: ipmp test address2
# N.B. these addresses must not be used or
# placed in the hosts file
# mask: netmask for ipmp pair
# hostname: unique hostname for logical ip
# log-ip: logical ip address for first i/f of pair
# N.B. The following two parameters are for active-active
# configurations only. Do not specify them for an
# active-standby configuration.
# hostname2: unique hostname for logical ip
# log-ip2: logical ip address for second i/f
# of pair
# Example:
# base_config_ipmp_networkifs="qfe0_qfe1"
# base_config_ipmp_networkif_qfe0_qfe1="database-net l 10.0.0.1 10.0.0.2 24 oracle-db 10.0.0.3 apache 10.0.0.4"
base_config_ipmp_networkifs=""
base_config_ipmp_networkif_qfe0_qfe1=""
# Misc options
# this section is a catchall for other options not included above
# update_terminal: if set, put the sysidcfg terminal type into inittab
# enable_savecore: if set to any value, enable save core (Solaris 2.6 only)
# dumpadm_minfree: set a limit so that crash dumps don't fill up the
# dump filesystem. See dumpadm(1M) -m option for
# possible values.
# noautoshutdown: if set to any value, disable power management
# enable_rootlogin: if set to any value, enable network root login
# from both telnet/rsh and ssh
# enable_rootftp: if set to any value, enable root ftp access
# shutup_sendmail: if set, create an alias hostname. to shut up sendmail
# poweroff_afterbuild: if set, shut the machine down once it has been built
# base_config_dedicated_dump_device:
# if set, dumpadm will configure the partition as a
# Dedicated Dump Device. See dumpadm(1M) for supported
# Operating Environments.
# (Device path e.g. /dev/dsk/c?t?d?s?)
# N.B. This partition is for the SOLE use of the crashdump utility !
# enable_altbreak: if set, enable alternate break sequence
# disable_sysid_probe: if set, skip the sysid stuff on the first reboot; this
# usually just tries to rarp ip addresses for additional
# interfaces and takes ages on machines with lots
# of unused network adapters.
base_config_update_terminal="yes"
base_config_enable_savecore="yes"
base_config_dumpadm_minfree="20000k"
base_config_noautoshutdown="pm_disabled"
base_config_enable_rootlogin="yes"
base_config_enable_rootftp=""
base_config_shutup_sendmail=""
base_config_poweroff_afterbuild=""
base_config_dedicated_dump_device=""
base_config_enable_altbreak=""
base_config_disable_sysid_probe="yes"
# NFSv4
# Set up the NFSv4 domain to prevent being prompted at first reboot.
# If not set, this will default to the entry in base_config_dns_domain,
# and if that is not set, to the value 'domain', which is the default
# in /etc/default/nfs
base_config_nfsv4_domain=""
# N.B. Unless you need to point this client at alternate media for patches
# and packages that is not held on this server, please skip this section!
# productdir is where to find the products. This should be an NFS style
# path, i.e. 192.168.1.1:/export/install but if the server
# is the JumpStart server, then it should just be specified
# as a normal path.
# patchdir is where to find the patches. Same format as productdir.
# Leaving the following blank means they will be populated using jumpstart.conf
# and the JumpStart servers ip address. This is the default behaviour
# and should only be changed if your patch/package repository is not held
# on this server.
base_config_productdir=""
base_config_patchdir=""
# Last one - mainly for developing JumpStart scripts!
# If you set this, the rc3.d/S99jumpstart script will be disabled
# (set to rc3.d/s99jumpstart) every time it is processed - this allows you
# to run it by hand and invoke each reboot step
base_config_debug_jumpstart_postinstall=""
# Product: Custom
# Synopsis: The custom product can install packages and patches that
# would not otherwise be included by the standard
# installation products.
# Which additional packages are to be installed
# (by default, these get added during the main Solaris installation phase)
# O.S. Specific versions:
# as a side effect, if a directory exists under the package dir named
# after the OS, (uname -r), the subdirectory will be used instead of the
# main package directory
# i.e. /export/install/pkgs/custom/sparc/5.8 takes preference over
# /export/install/pkgs/custom/sparc for a Solaris 8 box
# Package Response files:
# If a custom package needs a response file, create a directory called
# /opt/jet/Clients/<clientname>/responses
# and put the response file in to it, named the same as the package.
# i.e. for a package called Fred, on client1, use pkgask to create
# pkgask -r /opt/jet/Clients/client1/responses/Fred Fred
# (Space separated list of packages)
custom_packages=""
# Custom packages at subsequent boots
custom_packages_1=""
custom_packages_n=""
# Which additional patches are to be installed
# (by default, these get added during the main Solaris installation phase)
# (Space separated list of patches)
custom_patches=""
# Custom patches at subsequent boots
custom_patches_1=""
custom_patches_n=""
# Custom patch sets... create a directory in the patch directory named after
# the set, and put a patch_order file in it, along with the patches...
# (Space separated list of patch set names)
# N.B. as a side effect, if a directory exists under the patch set dir named
# after the OS, (uname -r), the subdirectory will be used instead of the
# main patchset directory
# i.e. /export/install/patches/patchset/5.8 takes preference over
# /export/install/patches/patchset
custom_patchsets=""
# Custom patchsets at subsequent boots
custom_patchsets_1=""
custom_patchsets_n=""
# Search paths
# The files and scripts sections below will look for source files relative
# to the Clients/<clientname> directory. If you wish to look in other places
# for files, please fill out the search path option below. Items in the
# search path are relative to the Clients/<clientname> directory, since the
# client has no knowledge of the filesystem layout of the server
# e.g. for a client 'fred', the default location for all custom files/scripts
# is /opt/jet/Clients/fred
# if the search path was set to "../common" then the installation routines
# would look first in Clients/fred then
# Clients/fred/../common (or Clients/common in this case)
# Search path is a space separated list of places to search
# THE SEARCHPATH IS ONLY VALID FOR files & scripts. NOT PACKAGES/PATCHES!
custom_search_path="../common.files"
# Files to be copied to the client. The filenames must be of the form
# filename1:a:filename2
# Where filename1 is the name of the source file in the
# /opt/jet/Clients/<clientname> directory
# filename2 is the full path of the file on the installed client
# and the middle option is whether to a - append, or o - overwrite the file
# (by default, these get added during the main Solaris installation phase)
# (Space separated list of tuples)
# N.B. Please see section above regarding where to place the source files
# N.B. (2):
# appending to /etc/hosts is a special case; instead of just appending
# the file, the module will do an 'intelligent merge' of the new hosts
# file with the existing one.
# custom_files="hosts:a:/etc/hosts"
#custom_files="system:a:/etc/system"
custom_files=""
custom_files_1="NISHost:a:/etc/inet/hosts QuintorNFS:a:/etc/vfstab authorized_keys:o:/.ssh/authorized_keys SGEServices:a:/etc/services"
# Custom files at subsequent boots
custom_files_n=""
# Scripts to be run on the client at the end of the build
# The scripts must be placed in the directory
# /opt/jet/Clients/<clientname>
# and will be copied to the client.
# Note: we don't allow you to run custom scripts during the Jumpstart
# phase because it's kinda dangerous.
# If you need to do this, the best way is to create
# your own custom module to do this.
# Custom scripts at subsequent boots
custom_scripts_1="DurhamUni_PostInstall.ksh fixup_ssh"
custom_scripts_n=""
# Special JumpStart 'Begin' phase scripts
# If you need to run scripts in the 'begin' phase of the JumpStart, you
# can supply them here. Please note, that in the 'begin' phase, the
# new OS has not been installed and the majority of the OS running will
# be read-only from the JumpStart server.
custom_scripts_b=""
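As an added example (not part of the posted template and not JET's own code), a Python pre-flight linter for the variable formats the template comments describe: the custom_files "src:a|o:dest" tuples, the base_config_nfs_mounts "mnt?server:/path" pairs, the four-field base_config_networkif_<if> values and the "_ not :" rule for logical interfaces, the IPMP pair definitions (mode s/l, optional p suffix, 7 or 9 fields) and the rule that UFS logging keywords cannot be mixed with mount points. It also does the hardening pass a reviewer would want over the misc options: enable_rootlogin, enable_rootftp, the presence of root_password material in the template, and any custom_files entry that overwrites an authorized_keys file. The function names, severity labels and the sample template it runs on are constructed for this example.

```python
"""Pre-flight linter for a JET-style client template (added example, not JET code).

Parses the KEY=value lines, checks the field formats the template comments
describe and flags settings a hardening review would want a second look at.
"""
import ipaddress
import re
import shlex

# shell-style assignment: KEY=value, value optionally quoted
ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_template(text):
    """Return {variable: value}; comment and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        try:
            cfg[name] = ' '.join(shlex.split(value))   # strip shell quoting
        except ValueError:                             # unbalanced quote
            cfg[name] = value.strip('"\'')
    return cfg


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def lint(cfg):
    """Return a list of (severity, message) findings for a parsed template."""
    findings = []

    def err(msg):
        findings.append(('ERROR', msg))

    def warn(msg):
        findings.append(('WARN', msg))

    # custom_files*: "src:mode:dest" tuples, mode a (append) or o (overwrite)
    for key in sorted(k for k in cfg if k.startswith('custom_files')):
        for tup in cfg[key].split():
            f = tup.split(':')
            if len(f) != 3 or f[1] not in ('a', 'o') or not f[2].startswith('/'):
                err(f'{key}: bad tuple {tup!r} (want src:a|o:/abs/path)')
            elif f[1] == 'o' and f[2].endswith('authorized_keys'):
                warn(f'{key}: overwrites {f[2]} with {f[0]}; review the keys pushed')

    # base_config_nfs_mounts: "mnt?server:/export" (? separates; : belongs to NFS)
    for pair in cfg.get('base_config_nfs_mounts', '').split():
        if pair.count('?') != 1 or ':/' not in pair.split('?', 1)[1]:
            err(f'nfs_mounts: bad pair {pair!r} (want mnt?server:/path)')

    # base_config_networkif_<if>: "netname netmask hostname address"
    for ifname in cfg.get('base_config_networkifs', '').split():
        if ':' in ifname:
            err(f'networkifs: logical interface {ifname!r} must use _ not :')
        f = cfg.get(f'base_config_networkif_{ifname}', '').split()
        if len(f) != 4 or not _is_ipv4(f[1]) or not _is_ipv4(f[3]):
            err(f'networkif_{ifname}: want "netname netmask hostname address", got {f}')

    # UFS logging: the keywords all/none cannot be mixed with mount points
    ufs = cfg.get('base_config_ufs_logging_filesys', '').split()
    if len(ufs) > 1 and {'all', 'none'} & set(ufs):
        err('ufs_logging_filesys: cannot mix "all"/"none" with mount points')

    # IPMP pairs: 7 fields for s/sp/l/lp, 9 only for active-active (l/lp)
    for pair in cfg.get('base_config_ipmp_networkifs', '').split():
        f = cfg.get(f'base_config_ipmp_networkif_{pair}', '').split()
        mode = f[1] if len(f) > 1 else ''
        if mode not in ('s', 'l', 'sp', 'lp'):
            err(f'ipmp {pair}: mode {mode!r} not one of s, l, sp, lp')
        elif len(f) != 7 and not (mode in ('l', 'lp') and len(f) == 9):
            err(f'ipmp {pair}: {len(f)} fields; want 7 (9 for active-active)')
        elif mode.endswith('p'):
            warn(f'ipmp {pair}: test addresses forced onto physical adapters')

    # hardening review of the misc options
    if cfg.get('base_config_enable_rootlogin'):
        warn('enable_rootlogin set: root can log in over the network (telnet/rsh/ssh)')
    if cfg.get('base_config_enable_rootftp'):
        warn('enable_rootftp set: root ftp access enabled')
    if cfg.get('base_config_sysidcfg_root_password'):
        warn('template carries root_password material; restrict who can read it')
    return findings


def lint_text(text):
    return lint(parse_template(text))


def count(findings, severity):
    return sum(1 for sev, _ in findings if sev == severity)


# constructed sample modelled on the template above, with deliberate mistakes
SAMPLE_TEMPLATE = """\
base_config_sysidcfg_root_password="xxxxxxxxxxxx"
base_config_networkifs="beg1 le0:1"
base_config_networkif_beg1="data 255.255.0.0 d1001 172.18.3.1"
base_config_ipmp_networkifs="qfe0_qfe1"
base_config_ipmp_networkif_qfe0_qfe1="database-net l 10.0.0.1 10.0.0.2 24 oracle-db 10.0.0.3 apache 10.0.0.4"
base_config_ufs_logging_filesys="all -/"
base_config_nfs_mounts="fs?1.1.1.1:/fs data:10.0.0.5:/data"
base_config_enable_rootlogin="yes"
custom_files_1="NISHost:a:/etc/inet/hosts authorized_keys:o:/.ssh/authorized_keys hosts:x:/etc/hosts"
"""

if __name__ == '__main__':
    for sev, msg in lint_text(SAMPLE_TEMPLATE):
        print(f'{sev:5} {msg}')
```

Run against the constructed sample it reports five ERROR findings (the bad custom_files mode, the NFS pair without a ?, the le0:1 interface name and its missing definition, and the "all -/" mix) and three WARN findings (the authorized_keys overwrite, enable_rootlogin, and the root_password material). Pointing it at a real Clients/<clientname> template before the build is the intended use; the format checks only encode what the template comments state, so anything JET accepts beyond that would need its own rule.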
-
Solaris 10 ldapclient setup question
Hi all,
I'm setting up ldap authentication for ssh logins on a Solaris 10 system.
Up to now, I've been successful in finding my answers in:
1 this forum
2 http://www.sun.com/bigadmin/features/articles/nis_ldap_part2.jsp
3 http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20Solaris9.htm
Unfortunately time is running short and I find myself bothering you guys.
The openldap server is running (on RHEL 3) and populated in the fashion described in (2).
Solaris 10 ldapclient file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com
NS_LDAP_BIND_TIME= 10
The user info of the test account can be queried from the Solaris 10 client.
bash-3.00# ldaplist -l passwd tuser
dn: uid=tuser,ou=People,dc=example,dc=com
uid: tuser
sn: user
cn: test user
uidNumber: 1002
gidNumber: 100
shadowMax: 99999
shadowFlag: 0
shadowLastChange: 14077
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: home/tuser
gecos: test user
Passwords in the ldap db are {SSHA} encrypted.
Encountered behaviour:
When attempting a login to the Solaris 10 system through ssh, I'm asked three times to provide the user's password, which I diligently do without typos, after which I am again queried three times for the password:
[root@tartaros ~]# ssh tuser@ceres
Password:
Password:
Password:
tuser@ceres's password:
Permission denied, please try again.
tuser@ceres's password:
Permission denied, please try again.
tuser@ceres's password:
Received disconnect from 10.224.183.40: 2: Too many authentication failures for tuser
I feel it is going wrong somewhere in the password encryption (or lack thereof?) by the ldapclient. How can I debug this or better yet, fix this?
Kind regards,
Joost
Correction on the above: The openldap server is running (on RHEL 3) and populated in the fashion described in 3 (Gary Tay's doc).
The logging on the ldap side (entire sequence of repeated login attempts) shows the following:
Jul 17 11:45:58 ceres slapd[17842]: conn=23 op=67 SRCH base="ou=protocols,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=ipProtocol)(cn=ip))"
Jul 17 11:45:58 ceres slapd[17842]: conn=23 op=67 SRCH attr=cn ipprotocolnumber
Jul 17 11:45:58 ceres slapd[17842]: conn=23 op=67 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jul 17 11:45:58 ceres slapd[17842]: conn=23 op=68 SRCH base="ou=group,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixGroup)(memberUid=tuser))"
Jul 17 11:45:58 ceres slapd[17842]: conn=23 op=68 SRCH attr=cn gidnumber userpassword memberuid
Jul 17 11:45:58 ceres slapd[17842]: conn=23 op=68 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 17 11:45:58 ceres slapd[17842]: conn=39 fd=21 ACCEPT from IP=10.224.183.40:36016 (IP=0.0.0.0:636)
Jul 17 11:45:58 ceres slapd[17842]: conn=39 fd=21 TLS established tls_ssf=128 ssf=128
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" mech=SIMPLE ssf=0
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=0 RESULT tag=97 err=0 text=
Jul 17 11:45:58 ceres slapd[17842]: do_search: invalid dn (automountMapName=auto_home,dc=example,dc=com)
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=1 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 11:45:58 ceres slapd[17842]: do_search: invalid dn (automountMapName=auto_home,dc=example,dc=com)
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=2 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 11:45:58 ceres slapd[17842]: do_search: invalid dn (automountMapName=auto_home,dc=example,dc=com)
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=3 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 11:45:58 ceres slapd[17842]: do_search: invalid dn (automountMapName=auto_home,dc=example,dc=com)
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=4 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 11:45:58 ceres slapd[17842]: do_search: invalid dn (automountMapName=auto_home,dc=example,dc=com)
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=5 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 11:45:58 ceres slapd[17842]: do_search: invalid dn (automountMapName=auto_home,dc=example,dc=com)
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=6 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 11:45:58 ceres slapd[17842]: do_search: invalid dn (automountMapName=auto_home,dc=example,dc=com)
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=7 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 11:45:58 ceres slapd[17842]: do_search: invalid dn (automountMapName=auto_home,dc=example,dc=com)
Jul 17 11:45:58 ceres slapd[17842]: conn=39 op=8 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 11:45:58 ceres slapd[17842]: conn=23 op=69 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:45:58 ceres slapd[17842]: conn=23 op=69 SRCH attr=uid userpassword shadowflag
Jul 17 11:45:58 ceres slapd[17842]: conn=23 op=69 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=70 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=70 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=70 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=71 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=71 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=71 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=72 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=72 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=72 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=73 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=73 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=73 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=74 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(?=undefined)(uid=tuser))"
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=74 SRCH attr=uid SolarisUserQualifier SolarisAttrReserved1 SolarisAttrReserved2 SolarisAttrKeyValue
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=74 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=75 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=75 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:06 ceres slapd[17842]: conn=23 op=75 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=76 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=76 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=76 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=77 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=77 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=77 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=78 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=78 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=78 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=79 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=79 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=79 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=80 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=80 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:08 ceres slapd[17842]: conn=23 op=80 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=81 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=81 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=81 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=82 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=82 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=82 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=83 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=83 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=83 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=84 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=84 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:11 ceres slapd[17842]: conn=23 op=84 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=85 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=85 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=85 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=86 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=86 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=86 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=87 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=87 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=87 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=88 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=88 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=88 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=89 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=89 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=89 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=90 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(?=undefined)(uid=tuser))"
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=90 SRCH attr=uid SolarisUserQualifier SolarisAttrReserved1 SolarisAttrReserved2 SolarisAttrKeyValue
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=90 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=91 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=91 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=91 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=92 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=92 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=92 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=93 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=93 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=93 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=94 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=94 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=94 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=95 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=95 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=95 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=96 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=96 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=96 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=97 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=97 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=97 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=98 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=98 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=98 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=99 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=99 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=99 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=100 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=100 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:18 ceres slapd[17842]: conn=23 op=100 SEARCH RESULT tag=101 err=0 nentries=1 text= -
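Added example, not code from the post above: a small Python parser for slapd access-log lines of the kind quoted. It folds the three lines slapd writes per search into one record, flags searches whose filter the server rewrote to `(?=undefined)` (the client named an attribute the server's schema does not define, so the search can never match, which is why op=90 above ends with `nentries=0`), and counts how often the same lookup is repeated on one connection. The sample lines are constructed to mirror the log above.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the slapd access log quoted above
# (one posixAccount lookup, two shadowAccount lookups, one search whose
# filter slapd could not evaluate).
SAMPLE_LOG = """\
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=88 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=tuser))"
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=88 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=88 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=89 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=89 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=89 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=90 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(?=undefined)(uid=tuser))"
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=90 SRCH attr=uid SolarisUserQualifier SolarisAttrReserved1 SolarisAttrReserved2 SolarisAttrKeyValue
Jul 17 11:46:13 ceres slapd[17842]: conn=23 op=90 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=91 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=tuser))"
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=91 SRCH attr=uid userpassword shadowflag
Jul 17 11:46:16 ceres slapd[17842]: conn=23 op=91 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
SRCH_RE = re.compile(r'SRCH base="([^"]*)" scope=(\d+) deref=(\d+) filter="([^"]*)"')
ATTR_RE = re.compile(r"SRCH attr=(.*)$")
RESULT_RE = re.compile(r"SEARCH RESULT tag=(\d+) err=(\d+) nentries=(\d+)")


def parse_slapd_log(text):
    """Fold the three log lines slapd writes per search (SRCH base/filter,
    SRCH attr, SEARCH RESULT) into one record keyed by (conn, op)."""
    ops = {}
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        rest = m.group(3)
        rec = ops.setdefault(key, {"conn": key[0], "op": key[1]})
        s = SRCH_RE.match(rest)
        a = ATTR_RE.match(rest)
        r = RESULT_RE.match(rest)
        if s:
            rec["base"], rec["scope"], rec["filter"] = s.group(1), int(s.group(2)), s.group(4)
        elif a:
            rec["attrs"] = a.group(1).split()
        elif r:
            rec["err"], rec["nentries"] = int(r.group(2)), int(r.group(3))
    return [ops[k] for k in sorted(ops)]


def undefined_filter_ops(records):
    """Searches whose filter slapd rewrote to '(?=undefined)': the client asked
    for an attribute the server's schema does not define, so the search can
    never match (nentries=0) whatever the directory contains."""
    return [r for r in records if "?=undefined" in r.get("filter", "")]


def repeated_lookups(records):
    """Count identical (conn, base, filter) searches. A count above 1 means
    the client re-asked for the same entry instead of caching the answer."""
    return Counter((r["conn"], r["base"], r["filter"])
                   for r in records if "filter" in r)


def summarize(text=SAMPLE_LOG):
    """Headline numbers an operator would want from a stretch of access log."""
    records = parse_slapd_log(text)
    undefined = undefined_filter_ops(records)
    repeats = repeated_lookups(records)
    return {
        "searches": len(records),
        "undefined_ops": [r["op"] for r in undefined],
        "undefined_attrs": [r.get("attrs", []) for r in undefined],
        "max_repeat": max(repeats.values()) if repeats else 0,
    }


if __name__ == "__main__":
    print(summarize())
```

The attribute list on the undefined search (`SolarisUserQualifier`, `SolarisAttrKeyValue`, ...) tells you which schema the server is missing; the repeat count tells you whether the client is hammering the directory with the same question, which is the caching complaint raised further down this page.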
Solaris 10 LDAP Client: libsldap: Status: 4
Hi everybody.
I changed the configuration in Solaris 10 to restrict the LDAP users who can login to the system.
What I have done is changed the value:
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=sis,dc=personal,dc=net,dc=py?sub?host=<hostname>
Where <hostname> is the respective hostname.
After that, everything works as I expect, but I get a lot of these messages:
sshd[28495] libsldap: Status: 4 Mesg: Service search descriptor for service 'passwd' contains filter, which can not be used for service 'user_attr'.
Should I ignore the messages? This is the nsswitch.conf file:
/etc/nsswitch.conf
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
# /etc/nsswitch.files:
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd: files ldap
group: files ldap
hosts: cluster files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: cluster files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
user_attr: files
I added user_attr to nsswitch.conf pointing to files only, refreshed ssh, but the message still appears.
Any suggestions?
What would I do without google?
http://prefetch.net/blog/index.php/2005/01/
I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:
Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search
descriptor for service 'passwd' contains filter, which can not be used for service 'user_attr'.
We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:
NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes)
NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)
Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on docs.sun.com. -
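Added example, not part of the thread: a Python parser for `NS_LDAP_SERVICE_SEARCH_DESC` values in the `service:base?scope?filter` form used above, with a check for exactly the situation the "Status: 4" message describes: a `passwd` descriptor that carries a filter while `user_attr` and `audit_user` have no descriptor of their own. The list of services derived from `passwd`, the sample hostname `client1` and the default scope are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Services that libsldap, per the error message and blog excerpt quoted above,
# searches with the passwd descriptor unless they are given one of their own.
DERIVED_FROM_PASSWD = ("user_attr", "audit_user")

# Scope used when a descriptor omits it. The real client falls back to
# NS_LDAP_SEARCH_SCOPE; this example assumes that setting is "one".
DEFAULT_SCOPE = "one"

SSD_LINE = re.compile(r"^\s*NS_LDAP_SERVICE_SEARCH_DESC\s*=\s*(.+?)\s*$")


@dataclass
class SSD:
    service: str
    base: str
    scope: str
    filter: Optional[str]


def parse_ssd(value):
    """Parse 'service:base?scope?filter'; scope and filter are optional."""
    service, sep, rest = value.partition(":")
    service = service.strip()
    if not sep or not service:
        raise ValueError(f"missing service name in SSD {value!r}")
    parts = rest.split("?", 2)
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else DEFAULT_SCOPE
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r} in SSD {value!r}")
    filt = parts[2] if len(parts) > 2 and parts[2] else None
    return SSD(service, base, scope, filt)


def parse_client_config(text):
    """Collect every NS_LDAP_SERVICE_SEARCH_DESC line into {service: SSD}."""
    ssds = {}
    for line in text.splitlines():
        m = SSD_LINE.match(line)
        if m:
            ssd = parse_ssd(m.group(1))
            ssds[ssd.service] = ssd
    return ssds


def inherits_passwd_filter(ssds):
    """Services that would be searched with the passwd descriptor's filter
    because they have no descriptor of their own; each one produces the
    'Status: 4' message quoted in the post above."""
    passwd = ssds.get("passwd")
    if passwd is None or passwd.filter is None:
        return []
    return [svc for svc in DERIVED_FROM_PASSWD if svc not in ssds]


# Constructed configuration: the host-restricted passwd descriptor from the
# question, with the hostname filled in as "client1".
BEFORE = """\
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=sis,dc=personal,dc=net,dc=py?sub?host=client1
"""

# The same configuration plus the two descriptors the blog excerpt lists
# (the acctActive attribute is the blog's, not necessarily present elsewhere).
AFTER = BEFORE + """\
NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=sis,dc=personal,dc=net,dc=py?one?&(acctActive=yes)
NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=sis,dc=personal,dc=net,dc=py?one?&(acctActive=yes)
"""

if __name__ == "__main__":
    print("before:", inherits_passwd_filter(parse_client_config(BEFORE)))
    print("after: ", inherits_passwd_filter(parse_client_config(AFTER)))
```

Running it over the first configuration reports `user_attr` and `audit_user` as inheriting the filtered passwd descriptor; over the second it reports nothing, which matches the fix the blog excerpt describes. The filter strings are kept verbatim (including the leading `&` the excerpt uses), since the point of the check is only whether a filter is present.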
I am planning to integrate LDAP netgroups with SSH in Solaris 10 (Sun native SSH, SUNWsshxx) in order to stop unauthorized users from sshing in. Any advice?
i've only done this with java directory server - dscc (or whatever it's called) and opends. only real troubles i've had are when i've done something wrong in pam.conf or the compat line in nsswitch.conf.
works pretty well here -
LDAP and Solaris Authorization.
Hi,
Need some help. Can we do authorization of users with LDAP using PAM on Solaris? I am aware that we can use netgroups with LDAP for restricting access, but is there any generic facility that can be used directly with PAM itself to restrict the users?
All ideas are appreciated.
Regards,
Abrar
I wonder whether anyone has successfully compiled pam_listfile.so (part of Linux-PAM) on Solaris 8/9 and used it in /etc/pam.conf as a means of authorization control?
===
# cat /usr/share/doc/pam-0.77/txts/README.pam_listfile
SUMMARY:
pam_listfile:
Checks a specified item against a list in a file.
Options:
* item=tty
* sense=allow (action to take if found in file,
if the item is NOT found in the file, then
the opposite action is requested)
* file=/the/file/to/get/the/list/from
* onerr=succeed (if something weird happens
such as unable to open the file, what to do?)
* apply=user
restrict the user class for which the restriction
apply. Note that with item=user this
does not make sense, but for item=tty
it have a meaning. (Cristian Gafton)
Also checks to make sure that the list file is a plain
file and not world writable.
- Elliot Lee <[email protected]>, Red Hat Software.
v0.9 August 16, 1996.
===
Gary -
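Added example, not code from the thread or from Linux-PAM itself: a Python model of the pam_listfile decision the README above describes (item, sense, file, onerr), including the refusal of a list file that is not a regular file or is world-writable. File names and list contents are constructed.

```python
import os
import stat
import tempfile


def load_list(path):
    """Read one entry per line from the list file. Return None when the file
    is unusable: missing, not a regular file, or world-writable. The last two
    checks mirror the README's note; a list anyone can append to is no
    access control at all."""
    try:
        st = os.stat(path)
        if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
            return None
        with open(path) as fh:
            return {line.strip() for line in fh
                    if line.strip() and not line.lstrip().startswith("#")}
    except OSError:
        return None


def listfile_check(item_value, path, sense="allow", onerr="fail"):
    """pam_listfile-style decision for one item (a user name, a tty, ...).
    sense=allow passes only if the item is listed; sense=deny passes only if
    it is not; onerr decides what an unreadable or unsafe list file means."""
    entries = load_list(path)
    if entries is None:
        return onerr == "succeed"
    found = item_value in entries
    return found if sense == "allow" else not found


def demo():
    """Exercise the check against constructed list files in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "sshusers")
        with open(good, "w") as fh:
            fh.write("# constructed allow list\nalice\nbob\n")
        os.chmod(good, 0o644)
        loose = os.path.join(d, "sshusers.ww")
        with open(loose, "w") as fh:
            fh.write("alice\n")
        os.chmod(loose, 0o666)                     # world-writable: must be refused
        missing = os.path.join(d, "no-such-file")
        return {
            "alice_allow": listfile_check("alice", good, sense="allow"),
            "mallory_allow": listfile_check("mallory", good, sense="allow"),
            "alice_deny": listfile_check("alice", good, sense="deny"),
            "loose_fail": listfile_check("alice", loose, onerr="fail"),
            "loose_succeed": listfile_check("alice", loose, onerr="succeed"),
            "missing_fail": listfile_check("alice", missing, onerr="fail"),
            "missing_succeed": listfile_check("alice", missing, onerr="succeed"),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {'pass' if v else 'fail'}")
```

The `loose_*` results are the ones worth noticing: with `onerr=fail` a world-writable list locks everyone out, with `onerr=succeed` it lets everyone in, so whichever you pick, the permission check is what keeps the list meaningful.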
i have some trouble configuring a solaris 10 client to use netgroups.
if i change my nsswitch.conf to:
passwd: compat
passwd_compat: files ldap
shadow: files ldap
and add a netgroup to /etc/passwd, i can not see any ldap users on my system.
if i change it to:
passwd: files ldap
the ldap users are there, and can log in.
we have several solaris 9 boxes that work with this configuration.
any hints are welcome.
thanks
sorry, it was a typo; the entries in my nsswitch are:
passwd: compat
passwd_compat: ldap [tryagain=continue]
shadow: files ldap
group: files ldap
hosts: files dns
netgroup: ldap
.........
Looks valid to me (although I don't think 'tryagain' is valid in the passwd_compat field, I also don't think it'll cause too many problems).
You might want to start looking through the ldap server logs and see what requests are coming in. Is the machine doing queries for the netgroup and getting answers, or is it not even bothering to look?
Darren -
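Added example, not part of the thread: a Python model of what the `passwd: compat` walk decides once the netgroup lookups Darren mentions do come back. It parses netgroup triples (nested netgroups and line continuations included), expands them, and evaluates `+@netgroup` / `-@netgroup` entries in /etc/passwd order. The netgroup names, users and the set standing in for the directory are constructed.

```python
import re
from dataclasses import dataclass

# Constructed netgroup source in the triple syntax of /etc/netgroup (the same
# data the NIS or LDAP netgroup map carries): (host,user,domain). An empty
# field is a wildcard and "-" matches nothing.
NETGROUP_SRC = """\
# constructed sample
sysadmins   (,alice,) (,bob,)
dbadmins    (,carol,)
staff       sysadmins dbadmins \\
            (,dave,)
contractors (,eve,)
"""

# Constructed /etc/passwd in compat form: real local entries first, then the
# +/- lines that say which directory users this host admits.
PASSWD_SRC = """\
root:x:0:0:Super-User:/:/sbin/sh
-@contractors
+@staff
"""

# Stand-in for the passwd_compat source (ldap): users the directory knows.
DIRECTORY_USERS = {"alice", "bob", "carol", "dave", "eve", "frank"}

TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


@dataclass(frozen=True)
class Triple:
    host: str
    user: str
    domain: str


def parse_netgroups(text):
    """Parse netgroup lines into {name: [Triple | nested-netgroup-name, ...]}."""
    groups = {}
    for line in re.sub(r"\\\n", " ", text).splitlines():   # join continuations
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, *members = line.split()
        entries = []
        for tok in members:
            m = TRIPLE_RE.match(tok)
            entries.append(Triple(*(f.strip() for f in m.groups())) if m else tok)
        groups[name] = entries
    return groups


def netgroup_triples(groups, name, _seen=None):
    """Expand a netgroup, following nested names, to the set of its triples.
    _seen stops a cycle (a referencing b referencing a) from recursing forever."""
    seen = set() if _seen is None else _seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    out = set()
    for entry in groups[name]:
        if isinstance(entry, Triple):
            out.add(entry)
        else:
            out |= netgroup_triples(groups, entry, seen)
    return out


def field_matches(field, value):
    return field != "-" and field in ("", value)


def innetgr_user(groups, name, user, domain=""):
    """User-only innetgr(): true if some triple of the netgroup admits user."""
    return any(field_matches(t.user, user) and field_matches(t.domain, domain)
               for t in netgroup_triples(groups, name))


def compat_decision(passwd_text, groups, user, directory_users=DIRECTORY_USERS):
    """Walk /etc/passwd the way 'passwd: compat' does: a local entry wins outright;
    +/- lines are tested in order and the first one that matches decides; a user
    no '+' line admits is simply invisible to the system."""
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "+-":
            if line.split(":", 1)[0] == user:
                return "allow", "local entry"
            continue
        verdict = "allow" if line[0] == "+" else "deny"
        target = line[1:].split(":", 1)[0]          # "+@ng::::/bin/false" style overrides
        if target == "":
            matched = user in directory_users       # bare "+" admits all directory users
        elif target.startswith("@"):
            matched = innetgr_user(groups, target[1:], user)
        else:
            matched = target == user
        if matched:
            if verdict == "allow" and user not in directory_users:
                return "deny", f"{line} matched but directory has no such user"
            return verdict, line
    return "deny", "no +/- entry admitted the user"


if __name__ == "__main__":
    ng = parse_netgroups(NETGROUP_SRC)
    for u in ("root", "alice", "dave", "eve", "frank"):
        print(u, compat_decision(PASSWD_SRC, ng, u))
```

Two things this makes visible. A triple with an empty user field, such as `(,,)`, matches every user, so `+@somegroup` pointing at a netgroup that contains one is the same as a bare `+`. And if the netgroup source returns nothing at all (which is what checking the server logs, as Darren suggests, would reveal), every `+@` line simply fails to match and the ldap users vanish, the same symptom the question describes.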
Sparc DS5.2p4 NFS netgroup performance problem
We recently setup our NFS server as an LDAP client. We use netgroups to provide a list of clients for each shared FS. Since moving to LDAP (from NIS+) the performance has been abysmal. I've created all the indices, VLV and regular, per the Sun instructions.
I've always known that netgroups in LDAP was poorly handled, from a client point of view. I even made my own access mechanism for users because netgroups for user access was slow. Today, I did some searching on Sunsolve and found Bug ID 4734259. Here's an excerpt:
The comment about these lookups being done in clusters may have
been true back in the old days. But now the in-kernel NFS code
asks mountd questions like this all the time rather than only
at mount time.
Bug4176752 is (partly) about the fact that nscd does not cache netgroups.
Now with LDAP in the nsswitch.conf, caching these things becomes
more important. Here we find mountd has a cache, but it keeps it
for a very short period. That period was long enough initially,
but now the kernel NFS code checks this info at access time
instead of mount time, the cache timeout should be longer, if not configurable
[email protected] 2003-03-14
Sun has known about this for TWO YEARS and has not addressed the problem!!! At the same time, they're pushing LDAP as the be-all naming service. To put this in perspective, our NIS+ server was running on a V120. The LDAP server is running on a 3800 (4x750Mhz) and it gets routinely pegged with the slapd process taking 70% of the CPU.
Also, one of our NFS servers is under cluster control and it doesn't even seem to understand the LDAP-based netgroups. We had to modify nsswitch.conf to check NIS+.
Has anyone else encountered performance issues with netgroups in LDAP and NFS?
In the near future, I'll be rebuilding the VLV indices. I'm hoping that will correct our problems.
Thanks,
Roger S.
Thanks.
I think it may be one of the issues. But looking at the ldd output, I think many more libraries are getting called for a simple command in Solaris 10 (production env) than in Solaris 9 (test env).
Production Server:
Prompt> ldd /usr/bin/ls
libsec.so.1 => /lib/libsec.so.1
libc.so.1 => /lib/libc.so.1
libavl.so.1 => /lib/libavl.so.1
libm.so.2 => /lib/libm.so.2
/platform/SUNW,Sun-Fire-T200/lib/libc_psr.so.1
Test Server:
prompt> ldd /usr/bin/ls
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
/usr/platform/SUNW,Sun-Fire-V440/lib/libc_psr.so.1
In Solaris 10, I can see two libraries have been added for the ls command itself.
I have run truss on the program (in my original post) and observed that the time is taken after the fork system call, before it returns. In the sample test environment it does not take that time.
Does this mean Solaris 10 (production env) is trying to do something extra, compared with the test environment, while forking the child process?
Regards,
Aminul Haque