Oh...you'll also have to add the SolarisUserAttr objectclass to the
user entry before you can add the SolarisAttrKeyValue.

-J

On Mon, Mar 10, 2008 at 1:57 PM, Jason J. W. Williams
<[EMAIL PROTECTED]> wrote:
> Hi Y'all,
>
>  Thank you for all of your pointers. After banging at it for a while, I
>  seem to have a working solution (this assumes you already have
>  configured OpenLDAP to work with the Solaris LDAP client):
>
>  1.) Update the solaris.schema to this version:
>  http://www.bolthole.com/solaris/new.solaris.schema
>  2.) Add SolarisAttrKeyValue as an attribute to the user entries who
>  need root access.
>  3.) Set the value of SolarisAttrKeyValue to: profiles=Primary
>  Administrator;roles=root
>
>  Hope this is helpful to someone else.
>
>  Best Regards,
>  Jason
>
>
>
>  On Mon, Mar 10, 2008 at 1:13 PM, Dave Miner <[EMAIL PROTECTED]> wrote:
>  >
>  > Jason J. W. Williams wrote:
>  >  > Hi All,
>  >  >
>  >  > Has anyone gotten Indiana LDAP authentication working against an
>  >  > OpenLDAP server? We have a setup that is currently working with all of
>  >  > our SXCE boxes, but the required RBAC profile enforcement on Indiana
>  >  > allows our users to log in to an Indiana system but not pfexec to root
>  >  > permissions or su. Under Linux we have a sudo attribute we set, but
>  >  > I'm having a heck of a time figuring out which attribute to set to
>  >  > assign a Solaris profile in LDAP. Any help is greatly appreciated.
>  >  >
>  >
>  >  Well, the RBAC configuration is not required, it's just the default.
>  >  You can configure Indiana the same as you have on SXCE, just remove the
>  >  "type=role;" token from the root entry in /etc/user_attr and remove any
>  >  "roles=root" tokens from other users in that file.
>  >
>  >  I don't have any background on setting up RBAC with LDAP, but the system
>  >  administrator's guide on docs.sun.com implies that there are several
>  >  schemas related to RBAC that need to be loaded into LDAP.  You might
>  >  have better luck asking the question over in the security community.
>  >
>  >  Dave
>  >
>
_______________________________________________
indiana-discuss mailing list
indiana-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
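
The change described in this thread (add the SolarisUserAttr objectclass, then the SolarisAttrKeyValue attribute) written out as a single LDIF modify record. This is an added example, not part of the original messages; the DN is a constructed placeholder, while the objectclass, attribute name and value are the ones given in the thread.

```ldif
# Added example: the DN is a constructed placeholder, replace it with the real user entry.
# The objectClass change comes first because SolarisAttrKeyValue is only
# permitted on entries that carry the SolarisUserAttr objectclass.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: SolarisUserAttr
-
add: SolarisAttrKeyValue
SolarisAttrKeyValue: profiles=Primary Administrator;roles=root
```

Because this value grants the Primary Administrator profile and the root role, a presence search on `SolarisAttrKeyValue` across the directory is a quick way to review which entries carry it.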
