Re: [OpenIndiana-discuss] Setting up Ldap client

2012-01-04 Thread Jonathan Adams
I think you're going to want to try and get "ldapclient" to set up your
service for you.

If you have a profile (which we do here) then you are well off using
the "init" method. From the man page:

 /usr/sbin/ldapclient [-v | -q] init [-a profileName=profileName]
  [-a domainName=domain] [-a proxyDN=proxyDN]
  [-a proxyPassword=password]
  [-a authenticationMethod=authenticationMethod]
  [-a enableShadowUpdate=true | false]
  [-a adminDN=adminDN]
  [-a adminPassword=adminPassword]
  [-a certificatePath=path] [-d bindDN] [-w bindPassword]
  [-j passwdFile] [-y passwdFile]
  [-z adminrPasswdFile] LDAP_server[:port_number]

Our command looks like this:

ldapclient init -v -a profileName=default \
-a domainname=company.co.uk \
-a proxyDN=cn=proxyadmin,ou=People,dc=company,dc=co,dc=uk \
-a proxyPassword=secret \
ldaphost

Once that is done I guess you need to set up NWAM ... my config:

root@jadlaptop:~# nwamcfg
nwamcfg> list -a loc Automatic
loc:Automatic
        activation-mode                 system
        conditions
        enabled                         true
        nameservices                    dns,ldap
        nameservices-config-file        "/etc/nsswitch.jon"
        dns-nameservice-configsrc       dhcp
        dns-nameservice-domain
        dns-nameservice-servers
        dns-nameservice-search
        nis-nameservice-configsrc
        nis-nameservice-servers
        ldap-nameservice-configsrc      manual
        ldap-nameservice-servers        "127.0.0.1"
        default-domain                  "company.co.uk"
        nfsv4-domain
        ipfilter-config-file
        ipfilter-v6-config-file
        ipnat-config-file
        ippool-config-file
        ike-config-file
        ipsecpolicy-config-file
nwamcfg> exit

I guess you would use nwamcfg to set those parameters.

nsswitch.jon is a modified nsswitch.conf that has "files ldap dns" for
hosts and "files ldap" for the others (none of that "NOTFOUND=return"
nonsense ...).

Not sure if that will help you, but I hope it does.

Jon

On 4 January 2012 14:03, Ram Chander  wrote:
> Sorry for the late reply.  I tried configuring ldapclient manually but no luck.
> I guess I am missing something. Below is what I have.
>
> 1) ldap server IP = a.b.c.d
> 2)  uri -  ldaps://ldap.xx.Mycompany.com
> 3)  I have cert file to authenticate to server - /etc/ssl/certs/cert.pem
>
> On Debian clients, below are the files where LDAP works fine. Please guide me on
> how to configure the LDAP client on OpenIndiana. I don't know where to specify the
> cert, etc.
>
>
> $ cat  /etc/ldap/ldap.conf
> BASE dc=Mycompany,dc=com
> URI ldaps://ldap.xx.Mycompany.com
> TLS_CACERT  /etc/ssl/certs/cert.pem
>
> $ cat /etc/nss-ldapd.conf
>
> uid nslcd
> gid nslcd
> base dc=Mycompany,dc=com
> uri ldaps://ldap.xx.Mycompany.com
>
> $ cat /etc/pam_ldap.conf
>
> base dc=Mycompany,dc=com
> uri ldaps://ldap.xx.Mycompany.com
> ldap_version 3
> pam_password crypt
>
>
> On Sun, Dec 25, 2011 at 5:47 PM, Chris Ridd  wrote:
>
>>
>> On 25 Dec 2011, at 09:27, Ram Chander wrote:
>>
>> > Hi,
>> >
>> > I am trying to set up an LDAP client and authentication on OpenIndiana but
>> > with no success. I searched on the internet but couldn't get proper steps.
>> > Can someone please provide detailed steps on how to set up the same and
>> > which packages to install?
>>
>> Is your directory server already running with all the right entries in? If
>> not, get that working first.
>>
>> Once the server's working, I have a shell script I run on each Solaris
>> client that sets up ldapclient in "manual" mode. Before running it make
>> sure your /etc/nsswitch.ldap file contains a good value for hosts. It'll
>> automatically get copied to /etc/nsswitch.conf by ldapclient. The shell
>> script just runs:
>>
>> ldapclient -v manual \
>>        -a defaultServerList=127.0.0.1 \
>>        -a defaultSearchBase=o=MyCompany \
>>        -a authenticationMethod=simple \
>>        -a proxyDN=cn=Dummy,ou=System,o=MyCompany \
>>        -a proxyPassword=dummy
>>
>> The last two "proxy" lines are necessary but not used. (A longstanding
>> upstream misfeature.) This sets up the client to do anonymous searches for
>> user/group/etc details.
>>
>> To test that config works, run things like /usr/bin/id and
>> /usr/bin/getent. You should find that data is being returned from your LDAP
>> server. It helps if you can set up some LDAP-only groups or something so
>> that testing shows something "obviously" from LDAP. If not, run "ldapclient
>> uninit", and try "ldapclient -v manual" again with different args.
>>
>> Setting up authentication is a little more fiddly. Don't start this until
>> you have ldapclient configured properly.
>>
>> You have to edit /etc/pam.conf and append " auth required
>> pam_ldap.so.1" to each section. I think you al

Re: [OpenIndiana-discuss] Setting up Ldap client

2012-01-04 Thread Ram Chander
Sorry for the late reply.  I tried configuring ldapclient manually but no luck.
I guess I am missing something. Below is what I have.

1) ldap server IP = a.b.c.d
2)  uri -  ldaps://ldap.xx.Mycompany.com
3)  I have cert file to authenticate to server - /etc/ssl/certs/cert.pem

On Debian clients, below are the files where LDAP works fine. Please guide me on
how to configure the LDAP client on OpenIndiana. I don't know where to specify the
cert, etc.


$ cat  /etc/ldap/ldap.conf
BASE dc=Mycompany,dc=com
URI ldaps://ldap.xx.Mycompany.com
TLS_CACERT  /etc/ssl/certs/cert.pem

$ cat /etc/nss-ldapd.conf

uid nslcd
gid nslcd
base dc=Mycompany,dc=com
uri ldaps://ldap.xx.Mycompany.com

$ cat /etc/pam_ldap.conf

base dc=Mycompany,dc=com
uri ldaps://ldap.xx.Mycompany.com
ldap_version 3
pam_password crypt


On Sun, Dec 25, 2011 at 5:47 PM, Chris Ridd  wrote:

>
> On 25 Dec 2011, at 09:27, Ram Chander wrote:
>
> > Hi,
> >
> > I am trying to set up an LDAP client and authentication on OpenIndiana but
> > with no success. I searched on the internet but couldn't get proper steps.
> > Can someone please provide detailed steps on how to set up the same and
> > which packages to install?
>
> Is your directory server already running with all the right entries in? If
> not, get that working first.
>
> Once the server's working, I have a shell script I run on each Solaris
> client that sets up ldapclient in "manual" mode. Before running it make
> sure your /etc/nsswitch.ldap file contains a good value for hosts. It'll
> automatically get copied to /etc/nsswitch.conf by ldapclient. The shell
> script just runs:
>
> ldapclient -v manual \
>        -a defaultServerList=127.0.0.1 \
>        -a defaultSearchBase=o=MyCompany \
>        -a authenticationMethod=simple \
>        -a proxyDN=cn=Dummy,ou=System,o=MyCompany \
>        -a proxyPassword=dummy
>
> The last two "proxy" lines are necessary but not used. (A longstanding
> upstream misfeature.) This sets up the client to do anonymous searches for
> user/group/etc details.
>
> To test that config works, run things like /usr/bin/id and
> /usr/bin/getent. You should find that data is being returned from your LDAP
> server. It helps if you can set up some LDAP-only groups or something so
> that testing shows something "obviously" from LDAP. If not, run "ldapclient
> uninit", and try "ldapclient -v manual" again with different args.
>
> Setting up authentication is a little more fiddly. Don't start this until
> you have ldapclient configured properly.
>
> You have to edit /etc/pam.conf and append " auth required
> pam_ldap.so.1" to each section. I think you also have to edit the previous
> line to " auth binding pam_unix_auth.so.1 server_policy", but I
> don't have a stock OI pam.conf file to hand to check.
>
> Here's the section for the login service in mine:
>
> login   auth requisite  pam_authtok_get.so.1
> login   auth required   pam_dhkeys.so.1
> login   auth required   pam_unix_cred.so.1
> login   auth binding    pam_unix_auth.so.1 server_policy
> login   auth required   pam_ldap.so.1
>
> Changes to pam.conf take immediate effect. You may need to tweak
> sshd_config as well.
>
> Cheers,
>
> Chris
>
> ___
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss@openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss


Re: [OpenIndiana-discuss] Setting up Ldap client

2011-12-29 Thread Jonathan Adams
In OpenIndiana I set up LDAP on my laptop using NWAM.

I installed an OpenLDAP replica server on the local machine, and
modified the default nsswitch.conf to point at one that always uses
LDAP, and set up the LDAP server to be localhost ...

I don't have my computer turned on atm, so I can't give you the
complete details of how I did it, but I can get them if you need them.

Jon

On 25 December 2011 09:27, Ram Chander  wrote:
> Hi,
>
> I am trying to set up an LDAP client and authentication on OpenIndiana but
> with no success. I searched on the internet but couldn't get proper steps.
> Can someone please provide detailed steps on how to set up the same and which
> packages to install?
>
> Thank You.
>
> -Ram


Re: [OpenIndiana-discuss] Setting up Ldap client

2011-12-25 Thread Milan Jurik
Chris,

Chris Ridd wrote on Sun 25. 12. 2011 at 19:22 +:
> On 25 Dec 2011, at 19:16, Milan Jurik wrote:
> 
> > Chris,
> > 
> > Chris Ridd wrote on Sun 25. 12. 2011 at 18:31 +:
> >> On 25 Dec 2011, at 17:41, Milan Jurik wrote:
> >> 
> >>> Hi,
> >>> 
> >>> Chris Ridd wrote on Sun 25. 12. 2011 at 12:17 +:
>  
>  The last two "proxy" lines are necessary but not used. (A longstanding
>  upstream misfeature.)
> >>> 
> >>> Why do you think they are not necessary?
> >> 
> >> ldapclient required them to be set on the command-line even for a 
> >> configuration that didn't use a specially authorized "proxy" user. I 
> >> verified with tcpdump that there were no binds as the proxy user.
> >> 
> > 
> > In case you are using only the anonymous credential level? In such a case you
> > should file a bug.
> 
> Indeed. There was a project in Opensolaris to modernize/replace this code 
> IIRC - did it ever complete? I may have been waiting for that.
> 

Do you mean Duckwater? It was never finished, as you can see on opensolaris.org.
If you look at the Solaris 11 release you will find the configuration of the
naming stack is different, but the ldapclient params did not change (maybe
your issue was fixed). I have no idea what the future is in the case of
Solaris.

Best regards,

Milan




Re: [OpenIndiana-discuss] Setting up Ldap client

2011-12-25 Thread Chris Ridd

On 25 Dec 2011, at 19:16, Milan Jurik wrote:

> Chris,
> 
> Chris Ridd wrote on Sun 25. 12. 2011 at 18:31 +:
>> On 25 Dec 2011, at 17:41, Milan Jurik wrote:
>> 
>>> Hi,
>>> 
>>> Chris Ridd wrote on Sun 25. 12. 2011 at 12:17 +:
 
 The last two "proxy" lines are necessary but not used. (A longstanding
 upstream misfeature.)
>>> 
>>> Why do you think they are not necessary?
>> 
>> ldapclient required them to be set on the command-line even for a 
>> configuration that didn't use a specially authorized "proxy" user. I 
>> verified with tcpdump that there were no binds as the proxy user.
>> 
> 
> In case you are using only the anonymous credential level? In such a case you
> should file a bug.

Indeed. There was a project in Opensolaris to modernize/replace this code IIRC 
- did it ever complete? I may have been waiting for that.

Chris


Re: [OpenIndiana-discuss] Setting up Ldap client

2011-12-25 Thread Milan Jurik
Chris,

Chris Ridd wrote on Sun 25. 12. 2011 at 18:31 +:
> On 25 Dec 2011, at 17:41, Milan Jurik wrote:
> 
> > Hi,
> > 
> > Chris Ridd wrote on Sun 25. 12. 2011 at 12:17 +:
> >> 
> >> The last two "proxy" lines are necessary but not used. (A longstanding
> >> upstream misfeature.)
> > 
> > Why do you think they are not necessary?
> 
> ldapclient required them to be set on the command-line even for a 
> configuration that didn't use a specially authorized "proxy" user. I verified 
> with tcpdump that there were no binds as the proxy user.
> 

In case you are using only the anonymous credential level? In such a case you
should file a bug.

Best regards,

Milan




Re: [OpenIndiana-discuss] Setting up Ldap client

2011-12-25 Thread Chris Ridd

On 25 Dec 2011, at 17:41, Milan Jurik wrote:

> Hi,
> 
> Chris Ridd wrote on Sun 25. 12. 2011 at 12:17 +:
>> 
>> The last two "proxy" lines are necessary but not used. (A longstanding
>> upstream misfeature.)
> 
> Why do you think they are not necessary?

ldapclient required them to be set on the command-line even for a configuration 
that didn't use a specially authorized "proxy" user. I verified with tcpdump 
that there were no binds as the proxy user.

Chris


Re: [OpenIndiana-discuss] Setting up Ldap client

2011-12-25 Thread Milan Jurik
Hi Ram,

Ram Chander wrote on Sun 25. 12. 2011 at 14:57 +0530:
> Hi,
> 
> I am trying to set up an LDAP client and authentication on OpenIndiana but
> with no success. I searched on the internet but couldn't get proper steps.
> Can someone please provide detailed steps on how to set up the same and which
> packages to install?
> 

Which LDAP server do you use? Does it contain the needed schemas from
RFC 2307bis? Which auth method do you use? Any info about your LDAP
profile?

Best regards,

Milan




Re: [OpenIndiana-discuss] Setting up Ldap client

2011-12-25 Thread Milan Jurik
Hi,

Chris Ridd wrote on Sun 25. 12. 2011 at 12:17 +:
> 
> The last two "proxy" lines are necessary but not used. (A longstanding
> upstream misfeature.)

Why do you think they are not necessary?

Best regards,

Milan




Re: [OpenIndiana-discuss] Setting up Ldap client

2011-12-25 Thread Chris Ridd

On 25 Dec 2011, at 09:27, Ram Chander wrote:

> Hi,
> 
> I am trying to set up an LDAP client and authentication on OpenIndiana but
> with no success. I searched on the internet but couldn't get proper steps.
> Can someone please provide detailed steps on how to set up the same and which
> packages to install?

Is your directory server already running with all the right entries in? If not, 
get that working first.

Once the server's working, I have a shell script I run on each Solaris client 
that sets up ldapclient in "manual" mode. Before running it make sure your 
/etc/nsswitch.ldap file contains a good value for hosts. It'll automatically 
get copied to /etc/nsswitch.conf by ldapclient. The shell script just runs:

ldapclient -v manual \
        -a defaultServerList=127.0.0.1 \
        -a defaultSearchBase=o=MyCompany \
        -a authenticationMethod=simple \
        -a proxyDN=cn=Dummy,ou=System,o=MyCompany \
        -a proxyPassword=dummy

The last two "proxy" lines are necessary but not used. (A longstanding upstream 
misfeature.) This sets up the client to do anonymous searches for 
user/group/etc details.

To test that config works, run things like /usr/bin/id and /usr/bin/getent. You 
should find that data is being returned from your LDAP server. It helps if you 
can set up some LDAP-only groups or something so that testing shows something 
"obviously" from LDAP. If not, run "ldapclient uninit", and try "ldapclient -v 
manual" again with different args.

Setting up authentication is a little more fiddly. Don't start this until you 
have ldapclient configured properly.

You have to edit /etc/pam.conf and append " auth required 
pam_ldap.so.1" to each section. I think you also have to edit the previous line 
to " auth binding pam_unix_auth.so.1 server_policy", but I don't have 
a stock OI pam.conf file to hand to check.

Here's the section for the login service in mine:

login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth binding    pam_unix_auth.so.1 server_policy
login   auth required   pam_ldap.so.1

Changes to pam.conf take immediate effect. You may need to tweak sshd_config as 
well.

Cheers,

Chris
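The two checks and the apply-and-verify wrapper below are an added example written for this thread; they are not code from the thread or from Chris's or Jon's own scripts. They cover the two points the replies above turn on: the hosts line of the nsswitch file that ldapclient installs as /etc/nsswitch.conf (Jon's "files ldap dns"), and the control flags and ordering of the login auth stack in /etc/pam.conf (Chris's pam_unix_auth.so.1 / pam_ldap.so.1 lines). The sample files are constructed, the proxyDN and proxyPassword values are the dummy ones from Chris's command, and LDAP_TEST_USER is an assumed environment variable naming an account that exists only in the directory.

```shell
#!/bin/sh
# Added example (not code from the thread): pre-flight checks for the two
# files the ldapclient "manual" procedure depends on, plus the apply /
# verify / roll-back sequence Chris describes. Assumptions are marked.

# nsswitch_hosts_ok FILE
# ldapclient copies /etc/nsswitch.ldap over /etc/nsswitch.conf, so the
# "hosts" line it carries must still resolve the directory server's own
# name without LDAP: "files" first and "dns" present ("files ldap dns").
nsswitch_hosts_ok() {
    hosts=$(sed -n 's/^hosts:[[:space:]]*//p' "$1" | head -n 1)
    case "$hosts" in
        files*" dns"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# pam_login_auth_ok FILE
# In the login auth stack pam_unix_auth.so.1 must be "binding ... server_policy"
# and pam_ldap.so.1 must be "required" and come after it. With "binding" a local
# success ends the stack and a local failure falls through to pam_ldap; with
# "required" a local failure fails the stack whatever pam_ldap returns.
pam_login_auth_ok() {
    awk '
        $1 != "login" || $2 != "auth" { next }
        $3 == "binding"  && $4 == "pam_unix_auth.so.1" && $5 == "server_policy" { unix_line = NR }
        $3 == "required" && $4 == "pam_ldap.so.1" && unix_line { ldap_after_unix = 1 }
        END { if (unix_line && ldap_after_unix) exit 0; exit 1 }
    ' "$1"
}

# apply_ldapclient_manual SERVER SEARCHBASE
# Not run by the demo below (it needs a real OpenIndiana host). Checks the
# nsswitch file, runs ldapclient in manual mode as in Chris's script, verifies
# with getent, and rolls back with "ldapclient uninit" if no LDAP data is seen.
# LDAP_TEST_USER (assumption): an account that exists only in the directory.
apply_ldapclient_manual() {
    nsswitch_hosts_ok /etc/nsswitch.ldap || { echo "fix hosts in /etc/nsswitch.ldap first" >&2; return 1; }
    ldapclient -v manual \
        -a defaultServerList="$1" \
        -a defaultSearchBase="$2" \
        -a authenticationMethod=simple \
        -a proxyDN="cn=Dummy,ou=System,$2" \
        -a proxyPassword=dummy || return 1
    if ! getent passwd "${LDAP_TEST_USER:?set to an LDAP-only account}" >/dev/null; then
        echo "getent cannot see $LDAP_TEST_USER via LDAP; rolling back" >&2
        ldapclient uninit
        return 1
    fi
    pam_login_auth_ok /etc/pam.conf || echo "now fix the login auth stack in /etc/pam.conf" >&2
}

# Constructed samples (not configs from any real host) for the demo below.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nsswitch.good" <<'EOF'
passwd: files ldap
group:  files ldap
hosts:  files ldap dns
EOF
cat > "$SAMPLE_DIR/nsswitch.bad" <<'EOF'
passwd: files ldap
hosts:  ldap files
EOF
cat > "$SAMPLE_DIR/pam.good" <<'EOF'
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth binding    pam_unix_auth.so.1 server_policy
login   auth required   pam_ldap.so.1
EOF
# pam_ldap.so.1 appended but pam_unix_auth.so.1 left "required": a local
# failure fails the stack, so LDAP-only users can never log in.
cat > "$SAMPLE_DIR/pam.bad" <<'EOF'
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_ldap.so.1
EOF

for f in nsswitch.good nsswitch.bad; do
    if nsswitch_hosts_ok "$SAMPLE_DIR/$f"; then echo "$f: hosts line ok"; else echo "$f: hosts line wrong"; fi
done
for f in pam.good pam.bad; do
    if pam_login_auth_ok "$SAMPLE_DIR/$f"; then echo "$f: login auth stack ok"; else echo "$f: login auth stack wrong"; fi
done
```

Run as-is it only reports on the four constructed samples. apply_ldapclient_manual is meant for an OpenIndiana host, e.g. LDAP_TEST_USER=someuser apply_ldapclient_manual 127.0.0.1 o=MyCompany from a shell that has sourced the script; the pam.conf edit itself is still done by hand afterwards, and the check tells you whether the login section came out in the shape Chris shows.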



[OpenIndiana-discuss] Setting up Ldap client

2011-12-25 Thread Ram Chander
Hi,

I am trying to set up an LDAP client and authentication on OpenIndiana but
with no success. I searched on the internet but couldn't get proper steps.
Can someone please provide detailed steps on how to set up the same and which
packages to install?

Thank You.

-Ram