[OpenIndiana-discuss] Amnesiac LDAP Configuration
chrisridd at mac.com
Thu Nov 18 10:34:22 UTC 2010
On 18 Nov 2010, at 10:27, Tom Kranz wrote:
> On 18 Nov 2010, at 02:41, Patrick O'Sullivan wrote:
>> I've gotten a config working where I have Kerberos auth to AD and
>> passwd lookups via LDAP to AD. I enable it, and it works fine, but on
>> a reboot, it stops working. Please let me know if you have any
>> thoughts as to why this happens. (This behavior is common to both
>> oi147 and Solaris 11 Express.)
> At this stage (after you've run ldapclient) /var/ldap/ldap_client_file should be populated with the correct values - is that the case?
> There were a couple of long-standing bugs in Solaris 10 - one of them was where the LDAP client couldn't contact an LDAP server when it came to update its configuration, it would write down a zero byte ldap_client_file - with predictable results.
> The other one was when /var filled up, even for a moment, ldap_client_file would be zeroed out when doing a profile refresh. Both partly stem from LDAP client profile updates moving ldap_client_file before getting an update, and then not being able/willing to move it back again if something goes wrong.
> However, I think the problem here is - are you storing this LDAP profile in AD? The LDAP client will do a refresh of the config from the profile on the LDAP server - I suspect on boot it's trying to do a refresh, not finding a profile, and then zeroing out ldap_client_file.
> You need to keep an LDAP client profile in the right container in the tree because clients will poll and refresh from that profile.
FWIW another possibility is that nwam is getting involved - getting the DHCP response and from the options set in that response, deciding to ignore the local nsswitch LDAP settings.
A grub through the NWAM changes between 133 and 147 might bear fruit.
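A boot-time check for the zeroed or missing ldap_client_file condition discussed above, so the failure is flagged before name-service lookups silently stop working. This is an added example, not code from the thread or from Illumos; the file path and the two keys it requires (standard Solaris ldap_client_file keys) are assumptions, and the sample files it runs against are constructed.

```shell
#!/bin/sh
# Added example: detect the zero-byte / missing ldap_client_file symptom.
# Assumed path (override with the LDAP_CLIENT_FILE environment variable).
LDAP_CLIENT_FILE="${LDAP_CLIENT_FILE:-/var/ldap/ldap_client_file}"

# check_ldap_client_file FILE
# Prints one of: missing | empty | incomplete | ok
# Returns 0 only for "ok", so it can gate a boot script or cron alert.
check_ldap_client_file() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo missing; return 1
    fi
    if [ ! -s "$f" ]; then
        # The symptom from the thread: the profile refresh moved the old
        # file aside and wrote back a zero-byte file.
        echo empty; return 1
    fi
    # Keys assumed mandatory for a usable client config (assumption).
    for key in NS_LDAP_SERVERS NS_LDAP_SEARCH_BASEDN; do
        if ! grep -q "^${key}=" "$f"; then
            echo incomplete; return 1
        fi
    done
    echo ok; return 0
}

# Demonstration on constructed files, not real system state.
tmp=$(mktemp -d) || exit 1
: > "$tmp/zero"                          # constructed zero-byte file
printf 'NS_LDAP_FILE_VERSION= 2.0\nNS_LDAP_SERVERS= ad1.example.internal\nNS_LDAP_SEARCH_BASEDN= dc=example,dc=internal\n' > "$tmp/good"
check_ldap_client_file "$tmp/zero" || :  # prints: empty
check_ldap_client_file "$tmp/good"       # prints: ok
rm -rf "$tmp"
```

Run it against the real path after `ldapclient` and again after a reboot; a result other than `ok` on the second run points at the refresh-time zeroing described above.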