Watson, Dan wrote:
> Hi Rob,
>
> Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem
> to like the netgroup option:
>
> -bash-3.2# getent netgroup test1
> Unknown database: netgroup
> usage: getent database [ key ... ]
> -bash-3.2# uname -a
> SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120
> -bash-3.2# cat /etc/release
> Solaris 10 10/09 s10s_u8wos_08a SPARC
> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
> Use is subject to license terms.
> Assembled 16 September 2009
> -bash-3.2#

Sorry, my Solaris is very rusty.

You need to add a service descriptor to the DUA profile if you haven't
already, something like:

serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com

Then re-init the client. getent is still not going to work but ldaplist
will:

# ldaplist netgroup

rob

> Thanks!
> Dan
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: January 02, 2015 10:15 AM
> To: Watson, Dan; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Integration with Solaris 10
>
> Watson, Dan wrote:
>> Hi All,
>>
>> I've lurked in the list history and cannot find anyone saying they have
>> gotten login restrictions working with Solaris 10 u8. Has anyone on here
>> successfully configured login restrictions on Solaris 10 u8 through u11? I'm
>> looking for specific instructions from someone who has gotten this to work
>> before.
>>
>> The two main routes to login restrictions I could find online are Netgroups
>> or conditional ldap queries in ldapclient.
>>
>> I initially tried netgroups but wasn't sure how to troubleshoot when it
>> didn't work. There don't seem to be any user-land tools to query netgroups,
>> and further investigation turned up an issue with OpenLDAP. It seems the
>> built-in Solaris 10 ldap client expects schema RFC2307bis and not the
>> OpenLDAP standard RFC2307 (explanation here
>> http://www.openldap.org/lists/openldap-software/200501/msg00309.html). Does
>> anyone know if this issue applies to IPA? Or how I check?
>>
>> The alternative of passing a restrictive query to ldapclient seems like a
>> good route but doesn't seem to work. The common solution when using the old
>> SunOne directory server was to pass the ldapclient (command line ldap
>> configuration tool) an option like
>> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
>> (from here https://community.oracle.com/thread/2014224?start=0&tstart=0),
>> which is supposed to restrict account checking to only people in
>> ou=people,p=myorg,c=de who are also members of
>> cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to
>> work in IPA, first of all because there is no "isMemberof" attribute on a
>> user, but it also doesn't work on other attributes like uid or uidNumber. One
>> possible explanation I've found is that these attributes are not indexed,
>> but I have no idea if this is correct or how to add them to be indexed.
>>
>> Has anyone else solved this? I just need to be able to allow only a specific
>> user group to log in to the host. Unfortunately the ssh directive
>> "AllowGroups" is not good enough; this has to be system wide, as we also have
>> samba and some other services that rely on system authentication.
>>
>> Can anyone be of some help?
>>
>> Thanks!
>> Dan
>>
>
> You can use getent netgroup <name> to get a specific netgroup.
>
> Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com
>
> rob
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
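Dan noted there is no user-land tool on Solaris 10 to query netgroups, and Rob's suggestion is to read the compat tree with ldaplist or ldapsearch. As an added example (not code from the thread or from the FreeIPA project), the script below evaluates netgroup membership offline from an LDIF dump of cn=ng,cn=compat, applying the NIS triple rules (empty field matches anything, "-" matches nothing) and following memberNisNetgroup nesting; the netgroup names, hosts and users in the embedded LDIF are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): evaluate netgroup membership from an LDIF
# dump of FreeIPA's compat tree, cn=ng,cn=compat,..., which is what the Solaris
# ldapclient reads once the serviceSearchDescriptor is in the DUA profile.
# Live data would come from: ldapsearch -x -LLL -b cn=ng,cn=compat,dc=example,dc=com
# The LDIF below is a constructed sample (invented netgroups, hosts, users) so the
# script runs offline under bash 3.2, the shell shown in the thread.
LDIF=$(cat <<'EOF'
dn: cn=unixadmins,cn=ng,cn=compat,dc=example,dc=com
cn: unixadmins
objectClass: nisNetgroup
nisNetgroupTriple: (vdcudantest01,dan,example.com)
nisNetgroupTriple: (,alice,example.com)
memberNisNetgroup: dbadmins

dn: cn=dbadmins,cn=ng,cn=compat,dc=example,dc=com
cn: dbadmins
objectClass: nisNetgroup
nisNetgroupTriple: (dbhost1,bob,example.com)
EOF
)
# ng_attr NAME ATTR: print each ATTR value of the entry whose cn is NAME.
ng_attr() {
    printf '%s\n' "$LDIF" | awk -v cn="$1" -v attr="$2" 'BEGIN { RS = ""; FS = "\n" }
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == ("cn: " cn)) hit = 1; if (!hit) next
          for (i = 1; i <= NF; i++) if (index($i, attr ": ") == 1) print substr($i, length(attr) + 3) }'
}

# NIS triple field rules: an empty field matches anything, "-" matches nothing.
field_matches() {
    case $1 in "") return 0 ;; -) return 1 ;; *) [ "$1" = "$2" ] ;; esac
}

# in_netgroup NAME HOST USER: succeed if (HOST,USER) matches a triple of NAME or
# of any netgroup nested through memberNisNetgroup (followed recursively).
in_netgroup() {
    for t in $(ng_attr "$1" nisNetgroupTriple); do
        t=${t#\(}; t=${t%\)}                     # "(host,user,domain)" -> "host,user,domain"
        h=${t%%,*}; rest=${t#*,}; u=${rest%%,*}
        if field_matches "$h" "$2" && field_matches "$u" "$3"; then return 0; fi
    done
    for sub in $(ng_attr "$1" memberNisNetgroup); do
        if in_netgroup "$sub" "$2" "$3"; then return 0; fi
    done
    return 1
}

for pair in vdcudantest01:dan otherhost:alice dbhost1:bob dbhost1:dan; do
    in_netgroup unixadmins "${pair%:*}" "${pair#*:}" && echo "$pair: in unixadmins" || echo "$pair: not in unixadmins"
done
```

To check a real host, replace the embedded sample with the output of the ldapsearch command shown in the comments; the triple in the third field (the NIS domain) is ignored here, as it is by the Solaris client when no NIS domain is set.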