[OpenIndiana-discuss] Setting up Ldap client

Jonathan Adams t12nslookup at gmail.com
Wed Jan 4 17:35:15 UTC 2012


I think you're going to want to try and get "ldapclient" to set up your
service for you.

if you have a profile (which we do here) then you are well off using
the "init" method, from the man page:

     /usr/sbin/ldapclient [-v | -q] init [-a profileName=profileName]
          [-a domainName=domain] [-a proxyDN=proxyDN]
          [-a proxyPassword=password]
          [-a authenticationMethod=authenticationMethod]
          [-a enableShadowUpdate=true | false]
          [-a adminDN=adminDN]
          [-a adminPassword=adminPassword]
          [-a certificatePath=path] [-d bindDN] [-w bindPassword]
          [-j passwdFile] [-y passwdFile]
          [-z adminrPasswdFile] LDAP_server[:port_number]

our command looks like this:

ldapclient init -v -a profileName=default \
-a domainname=company.co.uk \
-a proxyDN=cn=proxyadmin,ou=People,dc=company,dc=co,dc=uk \
-a proxyPassword=secret \
ldaphost

once that is done I guess you need to set up the nwam ... my config:

root at jadlaptop:~# nwamcfg
nwamcfg> list -a loc Automatic
loc:Automatic
	activation-mode          	system
	conditions               	
	enabled                  	true
	nameservices             	dns,ldap
	nameservices-config-file 	"/etc/nsswitch.jon"
	dns-nameservice-configsrc	dhcp
	dns-nameservice-domain   	
	dns-nameservice-servers  	
	dns-nameservice-search   	
	nis-nameservice-configsrc	
	nis-nameservice-servers  	
	ldap-nameservice-configsrc	manual
	ldap-nameservice-servers 	"127.0.0.1"
	default-domain           	"company.co.uk"
	nfsv4-domain             	
	ipfilter-config-file     	
	ipfilter-v6-config-file  	
	ipnat-config-file        	
	ippool-config-file       	
	ike-config-file          	
	ipsecpolicy-config-file  	
nwamcfg> exit

I guess you would use nwamcfg to set those parameters

nsswitch.jon is a modified nsswitch.conf that has "files ldap dns" for
hosts and "files ldap" for the others (none of that "NOTFOUND=return"
nonsense ...)

not sure if that will help you, but I hope it does.

Jon

On 4 January 2012 14:03, Ram Chander <ramquick at gmail.com> wrote:
> Sorry for the late reply.  I tried configuring ldapclient manually but no luck.
> I guess I am missing something. Below is what I have.
>
> 1) ldap server IP = a.b.c.d
> 2)  uri -  ldaps://ldap.xx.Mycompany.com
> 3)  I have cert file to authenticate to server - /etc/ssl/certs/cert.pem
>
> On Debian clients, below are the files where ldap works fine. Please guide on
> how to configure the ldap client on OpenIndiana. I don't know where to specify the
> cert, etc.
>
>
> $ cat  /etc/ldap/ldap.conf
> BASE dc=Mycompany,dc=com
> URI ldaps://ldap.xx.Mycompany.com
> TLS_CACERT  /etc/ssl/certs/cert.pem
>
> $ cat /etc/nss-ldapd.conf
>
> uid nslcd
> gid nslcd
> base dc=Mycompany,dc=com
> uri ldaps://ldap.xx.Mycompany.com
>
> $ cat /etc/pam_ldap.conf
>
> base dc=Mycompany,dc=com
> uri ldaps://ldap.xx.Mycompany.com
> ldap_version 3
> pam_password crypt
>
>
> On Sun, Dec 25, 2011 at 5:47 PM, Chris Ridd <chrisridd at mac.com> wrote:
>
>>
>> On 25 Dec 2011, at 09:27, Ram Chander wrote:
>>
>> > Hi,
>> >
>> > I am trying to set up the ldap client and authentication on OpenIndiana but
>> > no success. I searched on the internet but couldn't get proper steps.
>> > Can someone please provide detailed steps on how to set up the same and
>> > which packages to install?
>>
>> Is your directory server already running with all the right entries in? If
>> not, get that working first.
>>
>> Once the server's working, I have a shell script I run on each Solaris
>> client that sets up ldapclient in "manual" mode. Before running it make
>> sure your /etc/nsswitch.ldap file contains a good value for hosts. It'll
>> automatically get copied to /etc/nsswitch.conf by ldapclient. The shell
>> script just runs:
>>
>> ldapclient -v manual \
>>        -a defaultServerList=127.0.0.1 \
>>        -a defaultSearchBase=o=MyCompany \
>>        -a authenticationMethod=simple \
>>        -a proxyDN=cn=Dummy,ou=System,o=MyCompany \
>>        -a proxyPassword=dummy
>>
>> The last two "proxy" lines are necessary but not used. (A longstanding
>> upstream misfeature.) This sets up the client to do anonymous searches for
>> user/group/etc details.
>>
>> To test that config works, run things like /usr/bin/id and
>> /usr/bin/getent. You should find that data is being returned from your LDAP
>> server. It helps if you can set up some LDAP-only groups or something so
>> that testing shows something "obviously" from LDAP. If not, run "ldapclient
>> uninit", and try "ldapclient -v manual" again with different args.
>>
>> Setting up authentication is a little more fiddly. Don't start this until
>> you have ldapclient configured properly.
>>
>> You have to edit /etc/pam.conf and append "<service> auth required
>> pam_ldap.so.1" to each section. I think you also have to edit the previous
>> line to "<service> auth binding pam_unix_auth.so.1 server_policy", but I
>> don't have a stock OI pam.conf file to hand to check.
>>
>> Here's the section for the login service in mine:
>>
>> login   auth requisite          pam_authtok_get.so.1
>> login   auth required           pam_dhkeys.so.1
>> login   auth required           pam_unix_cred.so.1
>> login   auth binding            pam_unix_auth.so.1 server_policy
>> login   auth required           pam_ldap.so.1
>>
>> Changes to pam.conf take immediate effect. You may need to tweak
>> sshd_config as well.
>>
>> Cheers,
>>
>> Chris
>>
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss at openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>>
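Jon's nsswitch.jon uses "files ldap dns" for hosts and "files ldap" for the rest, and Chris's pam.conf section puts "binding pam_unix_auth.so.1 server_policy" ahead of "required pam_ldap.so.1". The script below is an added example, not code from either poster, that checks an nsswitch.conf and a pam.conf against exactly those two expectations so the files can be verified before "ldapclient init" or "ldapclient manual" copies and uses them. It runs offline against constructed sample files written to a temporary directory (hypothetical content, not from any real host); on an OpenIndiana client the two functions would be pointed at /etc/nsswitch.conf and /etc/pam.conf instead.

```shell
#!/bin/sh
# Added example (not from Jon's or Chris's posts): offline checks for the two
# files the thread says must be right. nsswitch.conf: "files ldap dns" for
# hosts, "files ldap" for passwd/group, no NOTFOUND=return clauses (Jon).
# pam.conf: "binding pam_unix_auth.so.1 server_policy" followed by
# "required pam_ldap.so.1" in a service's auth stack (Chris's login section).
# The sample files below are constructed; on a real host pass
# /etc/nsswitch.conf and /etc/pam.conf to the functions.

# check_nsswitch FILE
# Returns 0 when passwd, group and hosts use exactly the sources Jon describes;
# otherwise reports each mismatch on stderr and returns 1.
check_nsswitch() {
    file=$1
    rc=0
    for db in passwd group hosts; do
        # Drop comments, find the "db:" line, rebuild the record without the
        # database name so runs of blanks/tabs collapse to single spaces.
        sources=$(sed 's/#.*//' "$file" |
            awk -v db="$db" '$1 == (db ":") { $1 = ""; sub(/^ /, ""); print; exit }')
        case $db in
            hosts) want="files ldap dns" ;;
            *)     want="files ldap" ;;
        esac
        if [ "$sources" != "$want" ]; then
            echo "nsswitch: $db is '$sources', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# check_pam_auth FILE SERVICE
# Returns 0 when SERVICE's auth lines contain a "binding pam_unix_auth.so.1
# server_policy" entry that precedes a "required pam_ldap.so.1" entry;
# returns 1 if either line is missing or they are in the wrong order.
check_pam_auth() {
    file=$1
    svc=$2
    sed 's/#.*//' "$file" |
        awk -v svc="$svc" '
            $1 != svc || $2 != "auth" { next }
            $3 == "binding"  && $4 == "pam_unix_auth.so.1" && $5 == "server_policy" { unix = NR }
            $3 == "required" && $4 == "pam_ldap.so.1"                               { ldap = NR }
            END { exit !(unix && ldap && unix < ldap) }'
}

# --- constructed sample input (hypothetical, not from any real host) ---------
TMP=${TMPDIR:-/tmp}/ldapcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/nsswitch.good" <<'EOF'
# nsswitch.conf in the style of Jon's nsswitch.jon
passwd:     files ldap
group:      files ldap
hosts:      files ldap dns
ipnodes:    files ldap dns
EOF

cat > "$TMP/nsswitch.bad" <<'EOF'
passwd:     files ldap
group:      files [NOTFOUND=return] ldap
hosts:      files dns
EOF

cat > "$TMP/pam.conf" <<'EOF'
# login stack as Chris posted it; the fallback "other" stack was never edited
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
EOF

# Pre-flight report, the kind of thing to run before "ldapclient init".
check_nsswitch "$TMP/nsswitch.good" && echo "nsswitch.good: OK"
check_nsswitch "$TMP/nsswitch.bad"  || echo "nsswitch.bad: fix before running ldapclient"
check_pam_auth "$TMP/pam.conf" login && echo "pam login: pam_ldap.so.1 in auth stack"
check_pam_auth "$TMP/pam.conf" other || echo "pam other: pam_ldap.so.1 not in auth stack"
```

Two options in the ldapclient synopsis quoted above are worth using when turning Jon's command into a real run: "-y passwdFile" supplies the proxy password from a file instead of a command-line argument that ends up in shell history and process listings, and "-a certificatePath=path" is the attribute that tells ldapclient where the client's certificate database lives, which is the setting Ram's question about the cert file is really about.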