Ulrich Hiller wrote:
Dear all,
I have problems connecting an open solaris 10 box to a novell linux ldap
server (or better say: I am a newbie on this stuff and am confused about
the right configuration).
First I made a normal installation as a standalone box. I installed
openssh and openldap via csw.
Now I want to connect it to our ldap server. The nsswitch.conf looks
like this:
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:   files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:       user files
auth_attr:  files
prof_attr:  files
project:    files

The pam.conf is this:
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
passwd  auth required           pam_passwd_auth.so.1
cron    account required        pam_unix_account.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

Since we don't have a proxy, I left /var/ldap/ldap_client_cred empty.
The /var/ldap/ldap_client_file looks like this:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap
NS_LDAP_SEARCH_BASEDN= o=mpia
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 3600
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,o=mpia
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=people,o=mpia
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,o=mpia

(Do I need these two files since I have /opt/csw/etc/ldap.conf ?)


Yes of course you do, Solaris knows nothing about anything in /opt/csw.

'svcs -a | grep ldap' gives this:
offline        11:23:08 svc:/network/cswopenldap:default
maintenance    11:23:11 svc:/network/ldap/client:default

That second one is your problem.

svcadm enable svc:/network/cswopenldap:default
and
svcadm restart svc:/network/cswopenldap:default
don't give a different result on 'svcs -a'

Ignore all the openldap stuff it just isn't relevant to using
LDAP as the nameservice.

How did you create the files in /var/ldap ?

Does a simple ldapsearch against the directory server work from
Solaris - this doesn't use the config in /var/ldap but at least
ensures that the LDAP protocol can work between your Solaris machine and the directory server.


You might also want to look at http://opensolaris.org/os/project/duckwater/ as a way to contact the people best in a position to help you out with LDAP config.

--
Darren J Moffat
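As an added example (not code from the thread, and not Solaris' own tooling), the following POSIX shell script turns Darren's advice into repeatable checks: it parses `svcs -a` output to find the service that is stuck in maintenance, reads NS_LDAP_AUTH from ldap_client_file and flags a plain `simple` bind (which sends the bind password in cleartext; the native Solaris client spells a TLS-protected simple bind `tls:simple`), and, only when run on a host that actually has `svcs` and the CSW `ldapsearch`, runs `svcs -x` on the client service and a base-scope search against the directory to confirm the LDAP protocol works before touching /var/ldap. The server name `ldap` and base DN `o=mpia` come from the posted config; the embedded sample outputs are constructed copies of what the thread shows.

```shell
#!/bin/sh
# Constructed sample of 'svcs -a | grep ldap' output, copied from the thread.
SVCS_SAMPLE='offline        11:23:08 svc:/network/cswopenldap:default
maintenance    11:23:11 svc:/network/ldap/client:default'

# Constructed sample of /var/ldap/ldap_client_file, copied from the thread.
CLIENT_FILE_SAMPLE='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap
NS_LDAP_SEARCH_BASEDN= o=mpia
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 3600'

# Values taken from the posted ldap_client_file.
LDAP_HOST=ldap
LDAP_BASE=o=mpia
LDAP_CLIENT_FMRI=svc:/network/ldap/client:default

# Print the FMRI of every service whose state column is "maintenance".
# Argument: the text of 'svcs -a' (state, start time, FMRI per line).
maintenance_fmris() {
    printf '%s\n' "$1" | awk '$1 == "maintenance" { print $3 }'
}

# Print the NS_LDAP_AUTH value from ldap_client_file text given as $1.
ldap_auth_method() {
    printf '%s\n' "$1" | sed -n 's/^NS_LDAP_AUTH= *//p'
}

# Exit 0 when the auth method does not expose a password on the wire:
# tls:* wraps the bind in TLS, sasl/* uses a challenge-response mechanism,
# none is an anonymous bind. Plain "simple" sends the password in cleartext.
auth_is_protected() {
    case "$1" in
        tls:*|sasl/*|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks, run only where the tools exist (i.e. on the Solaris box).
live_checks() {
    if command -v svcs >/dev/null 2>&1; then
        # 'svcs -x' explains why a service is in maintenance and names its log.
        svcs -x "$LDAP_CLIENT_FMRI"
    fi
    if [ -x /opt/csw/bin/ldapsearch ]; then
        # Base-scope search of the root entry: proves host, port and base DN
        # without depending on anything in /var/ldap (Darren's suggestion).
        /opt/csw/bin/ldapsearch -x -H "ldap://$LDAP_HOST" \
            -b "$LDAP_BASE" -s base '(objectclass=*)'
    fi
}

# Offline report on the constructed samples.
for fmri in $(maintenance_fmris "$SVCS_SAMPLE"); do
    echo "service in maintenance: $fmri (run: svcs -x $fmri; fix; svcadm clear $fmri)"
done
auth=$(ldap_auth_method "$CLIENT_FILE_SAMPLE")
if auth_is_protected "$auth"; then
    echo "NS_LDAP_AUTH=$auth: bind credentials are protected"
else
    echo "NS_LDAP_AUTH=$auth: bind password travels in cleartext; consider tls:simple"
fi
live_checks
```

Once `ldapsearch` returns the base entry, the /var/ldap files are best regenerated with `ldapclient` rather than edited by hand, and `svcadm clear` on the client service re-tries after the cause shown by `svcs -x` is fixed.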