Am 13.10.2011 12:49, schrieb NetNinja: > This is an example of the error I was talking about. > > bash-3.00# ldapclient manual -v -a defaultSearchBase="dc=test,dc=net" \
> Invalid use of option > Usage: ldapclient [-v | -q] init | manual | mod | list | uninit [<args>] > > ldapclient [-v | -q] [-z adminPasswordFile] init [<args>] You have to put '-v' before the 'manual' keyword, I believe. > Also I noticed on many of the websites with how to's on this. There > user accounts have a lot more stuff in them. What about your stuff. > Can you post an example user, profile and proxy entry in LDAP? See RFC 2307 for example: <http://www.faqs.org/rfcs/rfc2307.html> That's for basic UNIX accounts and what you already had in your example ldapsearch output. > I will add make the changes you suggested when I get into work today. > I have not been able to work on this much because I have been working > with contrators on a thin client solution. > > Thanks for your help. After I get this working I will wright up a > document explaining how to do this. I have run into at least 2 other > people on the forums with the same problem I have. > > On Wed, Oct 12, 2011 at 3:18 AM, Christian Manal > <[email protected]> wrote: >> Am 11.10.2011 22:12, schrieb NetNinja: >>> I tryed your command today. I still can't get it to work. I listed all >>> the files I have edited. Can you look over it and tell if I'm missing >>> anything. Thanks for your help. >> >> Please keep your replies on the list. Others might run into similar >> problems and find this helpful. >> >> >>> I ran this: >>> ldapclient manual -v >>> -a defaultSearchBase="dc=test,dc=net" >>> -a domainName="test.net" >>> -a authenticationMethod="simple" >>> -a defaultServerList="10.0.0.2" >>> -a preferredServerList="10.0.0.2" >>> -a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net" >>> -a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net" >>> 10.0.0.2 >>> >>> I don't have TLS, automount or netgroups setup yet. >>> >>> bash-3.00# ldapclient list >>> NS_LDAP_FILE_VERSION= 2.0 >>> NS_LDAP_SERVERS= 10.0.0.2 >>> NS_LDAP_SEARCH_BASEDN= dc=test,dc=net >>> NS_LDAP_CACHETTL= 0 >>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net >>> NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=test,dc=net >>> >>> I tried to add more lines but I was getting a lot of errors. >> >> What kind of errors? >> >> >>> /etc/nsswitch.conf >>> passwd: files ldap >>> group: files ldap >>> host: files ldap >> >> Are you sure you want to resolve hostnames via LDAP and not DNS? >> >> >>> what i have running on RHEL >>> ldapsearch -x >> >> <snip> >> >>> ---------------- I have added a proxy entry before I have not done so >>> yet. Do I still need one if I'm useing manual and not init? >> >> If your data can be accessed anonymously, you don't need proxy credentials. >> >> >>> My PAM file >>> >>> # login service (explicit because of pam_dial_auth) >>> # >>> login auth requisite pam_authtok_get.so.1 >>> login auth required pam_dhkeys.so.1 >>> login auth required pam_unix_cred.so.1 >>> login auth sufficient pam_unix_auth.so.1 >>> login auth required pam_dial_auth.so.1 >>> login auth required pam_ldap.so.1 >> >> My "auth" blocks look like this: >> >> login auth requisite pam_authtok_get.so.1 >> login auth required pam_dhkeys.so.1 >> login auth required pam_unix_cred.so.1 >> login auth required pam_dial_auth.so.1 >> login auth sufficient pam_ldap.so.1 use_first_pass >> ignore_unknown_user >> login auth required pam_unix_auth.so.1 >> >> >>> # >>> # rlogin service (explicit because of pam_rhost_auth) >>> # >>> rlogin auth sufficient pam_rhosts_auth.so.1 >>> rlogin auth requisite pam_authtok_get.so.1 >>> rlogin auth required pam_dhkeys.so.1 >>> rlogin auth required pam_unix_cred.so.1 >>> rlogin auth sufficient pam_unix_auth.so.1 >>> rlogin auth required pam_ldap.so.1 >>> # >>> # Kerberized rlogin service >>> # >>> krlogin auth required pam_unix_cred.so.1 >>> krlogin auth required pam_krb5.so.1 >>> # >>> # rsh service (explicit because of pam_rhost_auth, >>> # and pam_unix_auth for meaningful pam_setcred) >>> # >>> rsh auth sufficient pam_rhosts_auth.so.1 >>> rsh auth required pam_unix_cred.so.1 >>> # >>> # Kerberized rsh service >>> # >>> krsh auth required pam_unix_cred.so.1 >>> krsh auth required pam_krb5.so.1 >>> # >>> # Kerberized telnet service >>> # >>> ktelnet auth required pam_unix_cred.so.1 >>> ktelnet auth required pam_krb5.so.1 >>> # >>> # PPP service (explicit because of pam_dial_auth) >>> # >>> ppp auth requisite pam_authtok_get.so.1 >>> ppp auth required pam_dhkeys.so.1 >>> ppp auth required pam_unix_cred.so.1 >>> ppp auth sufficient pam_unix_auth.so.1 >>> ppp auth required pam_dial_auth.so.1 >>> ppp auth required pam_ldap.so.1 >>> # >>> # Default definitions for Authentication management >>> # Used when service name is not explicitly mentioned for authentication >>> # >>> other auth requisite pam_authtok_get.so.1 >>> other auth required pam_dhkeys.so.1 >>> other auth required pam_unix_cred.so.1 >>> other auth sufficient pam_unix_auth.so.1 >>> other auth required pam_dial_auth.so.1 >>> other auth required pam_ldap.so.1 >>> # >>> # passwd command (explicit because of a different authentication module) >>> # >>> passwd auth sufficient pam_passwd_auth.so.1 >>> passwd auth required pam_ldap.so.1 >>> # >>> # cron service (explicit because of non-usage of pam_roles.so.1) >>> # >>> cron account required pam_unix_account.so.1 >>> # >>> # Default definition for Account management >>> # Used when service name is not explicitly mentioned for account management >>> # >>> other account sufficient pam_ldap.so.1 >>> other account requisite pam_roles.so.1 >>> other account required pam_unix_account.so.1 >> >> You can omit pam_ldap here. It only produces error messages in the logs >> for me. >> >> >>> # >>> # Default definition for Session management >>> # Used when service name is not explicitly mentioned for session management >>> # >>> other session required pam_unix_session.so.1 >>> # >>> # Default definition for Password management >>> # Used when service name is not explicitly mentioned for password management >>> # >>> other password required pam_dhkeys.so.1 >>> other password requisite pam_authtok_get.so.1 >>> other password requisite pam_authtok_check.so.1 >>> other password required pam_authtok_store.so.1 >>> # >>> >>> >>> On Sun, Oct 9, 2011 at 10:31 AM, Christian Manal >>> <[email protected]> wrote: >>>> Am 09.10.2011 14:33, schrieb NetNinja: >>>>> On Sat, Oct 8, 2011 at 4:54 AM, Christian Manal >>>>> <[email protected]> wrote: >>>>>> Am 07.10.2011 23:58, schrieb NetNinja: >>>>>>> Ok that's good to know. >>>>>>> I was reading in the book "Solaris 10 System Administration Essential" >>>>>>> and it says on pg 365 that the openldap server needs to be patched so >>>>>>> that the ldapclient init utility will configure properly. >>>>>>> >>>>>>> Do you happen to remeber how you setup the Solaris Native client? This >>>>>>> my current issue, I installed openldap on a RHEL 5.5 server and have all >>>>>>> the Linux servers working with the ldap server but the Solaris servers >>>>>>> won't let me login as a ldap user. I can do a ldapsearch, id, getent and >>>>>>> get info on ldap users. I am in the process of troubleshooting the issue >>>>>>> and I'm not sure what I'm doing wrong? My setup is very basic, no TLS, >>>>>>> uatomount or replication. I will add these later when I know what i'm >>>>>>> doing. >>>>>>> >>>>>>> Anyway thanks for your help. If you have any advice on ldapclient setup >>>>>>> let me know. >>>>>>> >>>>>>> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal >>>>>>> <[email protected] >>>>>>> <mailto:[email protected]>> wrote: >>>>>>> >>>>>>> Am 07.10.2011 20:25, schrieb NetNinja: >>>>>>> > Hello, >>>>>>> > I have been reading up on OpenLDAP. I have installed it on RHEL >>>>>>> 5.5 but >>>>>>> > I have seen documention saying that openldap needs to be patched >>>>>>> to work >>>>>>> > with Solaris. Can someone tell me if this still the case and if so >>>>>>> where >>>>>>> > to get the patch. If not any info you can provide wold be great. >>>>>>> > >>>>>>> > Thanks >>>>>>> > >>>>>>> > >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> I've been running OpenLDAP on Solaris 10 for years now. It works >>>>>>> out of >>>>>>> the tarball, no patches needed. >>>>>>> >>>>>>> >>>>>>> Regards, >>>>>>> Christian Manal >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> Here's an example of an ldapclient invocation that works for me: >>>>>> >>>>>> ldapclient manual \ >>>>>> -a authenticationMethod="tls:simple" \ >>>>>> -a credentialLevel="proxy" \ >>>>>> -a defaultSearchBase="dc=example,dc=org" \ >>>>>> -a defaultSearchScope="sub" \ >>>>>> -a defaultServerList="ldap1.example.org,ldap2.example.org" \ >>>>>> -a domainName="example.org" \ >>>>>> -a preferredServerList="ldap1.example.org,ldap2.example.org" \ >>>>>> -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \ >>>>>> -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \ >>>>>> -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \ >>>>>> -a >>>>>> serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org" >>>>>> \ >>>>>> -a attributeMap="auto_home:automountMapName=ou" \ >>>>>> -a attributeMap="auto_home:automountKey=cn" \ >>>>>> -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \ >>>>>> -a proxyPassword="foobar" >>>>>> >>>>>> >>>>>> Before you invoke that, you need to modify /etc/nsswitch.ldap to your >>>>>> needs (ldapclient will copy that to /etc/nsswitch.conf). You also need >>>>>> to put your TLS certs into /var/ldap in NSS format (you can >>>>>> generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP >>>>>> authentication. >>>>>> >>>>>> >>>>>> Regards, >>>>>> Christian Manal >>>>>> >>>>>> >>>>>> [1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html >>>>>> >>>>> >>>>> Thanks, >>>>> >>>>> I will try your command. Since you used ldapclient manual and not >>>>> ldapclient init I don't need to add a profile of proxy ldif file to >>>>> the ldap server, right? >>>> >>>> Right. It's possible to deposit most of those infos in a profile in the >>>> DIT, but since I have a script for configuring LDAP clients it doesn't >>>> make any difference for me. I have only one set of settings for Solaris >>>> boxes. Though, it might be worth looking into for you, if you have >>>> different setups. >>>> >>>> >>>>> I have been using examples like the one you >>>>> just gave me and I can only get the info from the server. The password >>>>> seems to not work. I get the same erros on the prompt that I would get >>>>> if the password or username where wrong. Though I have not tried the >>>>> command with the serviceSearchDescriptor before maybe this is what I'm >>>>> missing. >>>> >>>> You replaced the credentials with existing ones from your DIT, right? Do >>>> they work with ldapsearch? Does the DN have read access to the user and >>>> group data in your DIT? >>>> >>>> You might want to call ldapclient with '-v' to get some debugging info. >>>> >>>> >>>>> I'm also not using TLS or automount can I leave these out, for now? >>>>> Sotls:simple would be simple, right. >>>> >>>> Right. >>>> >>>> >>>>> Also could Solaris 10 not want to >>>>> work because I'm not using TLS? >>>> >>>> I don't think so. It shouldn't make any difference. Though, I'd >>>> recommend adding TLS support before putting anything in production. >>>> >>>> >>>>> Anyway thanks for your time. I will let you know if it works. >>>>> >>>> >>>> >>>> Regards, >>>> Christian Manal >>>> >>>> >>> >>> >>> >> >> >
