[OpenIndiana-discuss] Setting up Ldap client

Ram Chander ramquick at gmail.com
Wed Jan 4 14:03:06 UTC 2012


Sorry for the late reply.  I tried configuring ldapclient manually but no luck.
I guess I am missing something. Below is what I have.

1) LDAP server IP = a.b.c.d
2) URI - ldaps://ldap.xx.Mycompany.com
3) I have a cert file to authenticate to the server - /etc/ssl/certs/cert.pem

On Debian clients, below are the files where LDAP works fine. Please guide on
how to configure the LDAP client on OpenIndiana. I don't know where to specify the
cert, etc.


$ cat /etc/ldap/ldap.conf
BASE dc=Mycompany,dc=com
URI ldaps://ldap.xx.Mycompany.com
TLS_CACERT  /etc/ssl/certs/cert.pem

$ cat /etc/nss-ldapd.conf

uid nslcd
gid nslcd
base dc=Mycompany,dc=com
uri ldaps://ldap.xx.Mycompany.com

$ cat /etc/pam_ldap.conf

base dc=Mycompany,dc=com
uri ldaps://ldap.xx.Mycompany.com
ldap_version 3
pam_password crypt


On Sun, Dec 25, 2011 at 5:47 PM, Chris Ridd <chrisridd at mac.com> wrote:

>
> On 25 Dec 2011, at 09:27, Ram Chander wrote:
>
> > Hi,
> >
> > I am trying to set up an LDAP client and authentication on OpenIndiana but
> > no success. I searched on the internet but couldn't get proper steps.
> > Can someone please provide detailed steps on how to set up the same and
> > which packages to install?
>
> Is your directory server already running with all the right entries in? If
> not, get that working first.
>
> Once the server's working, I have a shell script I run on each Solaris
> client that sets up ldapclient in "manual" mode. Before running it make
> sure your /etc/nsswitch.ldap file contains a good value for hosts. It'll
> automatically get copied to /etc/nsswitch.conf by ldapclient. The shell
> script just runs:
>
> ldapclient -v manual \
>        -a defaultServerList=127.0.0.1 \
>        -a defaultSearchBase=o=MyCompany \
>        -a authenticationMethod=simple \
>        -a proxyDN=cn=Dummy,ou=System,o=MyCompany \
>        -a proxyPassword=dummy
>
> The last two "proxy" lines are necessary but not used. (A longstanding
> upstream misfeature.) This sets up the client to do anonymous searches for
> user/group/etc details.
>
> To test that config works, run things like /usr/bin/id and
> /usr/bin/getent. You should find that data is being returned from your LDAP
> server. It helps if you can set up some LDAP-only groups or something so
> that testing shows something "obviously" from LDAP. If not, run "ldapclient
> uninit", and try "ldapclient -v manual" again with different args.
>
> Setting up authentication is a little more fiddly. Don't start this until
> you have ldapclient configured properly.
>
> You have to edit /etc/pam.conf and append "<service> auth required
> pam_ldap.so.1" to each section. I think you also have to edit the previous
> line to "<service> auth binding pam_unix_auth.so.1 server_policy", but I
> don't have a stock OI pam.conf file to hand to check.
>
> Here's the section for the login service in mine:
>
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth required           pam_unix_cred.so.1
> login   auth binding            pam_unix_auth.so.1 server_policy
> login   auth required           pam_ldap.so.1
>
> Changes to pam.conf take immediate effect. You may need to tweak
> sshd_config as well.
>
> Cheers,
>
> Chris
>
>
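Once the pam.conf edits Chris describes are in place, it is easy to miss one service or to leave pam_unix_auth.so.1 as "required" instead of "binding ... server_policy". The checker below is an added example, not code from either poster; it parses Solaris/OpenIndiana pam.conf syntax and reports auth stacks that deviate from the login layout quoted above. The sample pam.conf text, including the unedited sshd-kbdint stack, is constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample: the login stack from the reply above, plus a hypothetical
# sshd-kbdint stack that was never edited and still ends at pam_unix_auth.so.1.
SAMPLE_PAM_CONF = """\
# login service (from the thread)
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1
# sshd-kbdint service (constructed, not yet edited)
sshd-kbdint auth requisite      pam_authtok_get.so.1
sshd-kbdint auth required       pam_unix_cred.so.1
sshd-kbdint auth required       pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Return {service: [(module_type, control, module, [options])]} in file order.
    Solaris pam.conf lines are: service type control module_path [options...]"""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue                            # malformed or empty; skip
        service, mtype, control, module = fields[:4]
        stacks[service].append((mtype, control, module, fields[4:]))
    return dict(stacks)

def check_ldap_auth_stack(text):
    """For every service with an auth stack, list deviations from the pattern
    'binding pam_unix_auth.so.1 server_policy' followed by 'required pam_ldap.so.1'.
    With 'binding', a local password success returns at once and pam_ldap.so.1
    is only consulted when the local check fails, which is the intended fallthrough."""
    problems = {}
    for service, entries in parse_pam_conf(text).items():
        auth = [e for e in entries if e[0] == "auth"]
        if not auth:
            continue
        issues = []
        if auth[-1][2] != "pam_ldap.so.1":
            issues.append("pam_ldap.so.1 is not the last auth module")
        elif auth[-1][1] != "required":
            issues.append("pam_ldap.so.1 should use control 'required'")
        elif len(auth) < 2 or auth[-2][2] != "pam_unix_auth.so.1":
            issues.append("pam_unix_auth.so.1 should immediately precede pam_ldap.so.1")
        unix = [e for e in auth if e[2] == "pam_unix_auth.so.1"]
        if not unix:
            issues.append("pam_unix_auth.so.1 missing from auth stack")
        elif unix[-1][1] != "binding" or "server_policy" not in unix[-1][3]:
            issues.append("pam_unix_auth.so.1 should be 'binding ... server_policy'")
        if issues:
            problems[service] = issues
    return problems
```

Run it against a copy of /etc/pam.conf before logging out of your root session, so a mistake in the stack does not lock you out.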

