[OpenIndiana-discuss] openindiana ldap client

Tim Dunphy bluethundr at gmail.com
Sun May 6 02:42:36 UTC 2012


Thanks!

That really did the trick!

ldapclient manual -a credentialLevel=proxy -a
authenticationMethod=simple -a proxyDN=cn=Manager,dc=example,dc=com -a
proxyPassword=secret -a defaultSearchBase=dc=example,dc=com  -a
domainName=example.com -a defaultServerList=192.168.1.44


Grep ldap for ldap user:


root at openindiana:/var/ldap# getent passwd | grep walbs
walbs:x:1002:1003:Walkiria Soares-Dunphy:/home/walbs:/bin/bash


However, I notice that DNS resolution now seems mixed up, but only
since running ldapclient:

root at openindiana:/var/ldap# ping yahoo.com
ping: unknown host yahoo.com

Here's what nsswitch.conf is looking like:

root at openindiana:/var/ldap# cat /etc/nsswitch.conf
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
#

#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap
group:      files ldap

# consult /etc "files" only if ldap is down.
hosts:      files ldap

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files ldap

networks:   files ldap
protocols:  files ldap
rpc:        files ldap
ethers:     files ldap
netmasks:   files ldap
bootparams: files ldap
publickey:  files ldap

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap

printers:   user files ldap

auth_attr:  files ldap
prof_attr:  files ldap

project:    files ldap

tnrhtp:     files ldap
tnrhdb:     files ldap

If I revert the file to pre-ldapclient I can ping yahoo and external
hosts again:

root at openindiana:/var/ldap# cat /etc/nsswitch.conf.bak > /etc/nsswitch.conf

root at openindiana:/var/ldap# ping yahoo.com
yahoo.com is alive

And of course I can't find ldap users in the directory again.

root at openindiana:/var/ldap# getent passwd | grep walbs
root at openindiana:/var/ldap#

Is there any way to have my cake and eat it too?

thanks
tim

On Sat, May 5, 2012 at 9:57 PM, Joshua M. Clulow <josh at sysmgr.org> wrote:
> On 6 May 2012 11:15, Tim Dunphy <bluethundr at gmail.com> wrote:
>> I've also tried using ldapclient, but am having no luck there either:
>
> I would definitely suggest that you'll want to use the native LDAP
> bits, not the PADL stuff.
>
>> root at openindiana:~/nss_ldap-265# ldapclient init -v -a profileName=default \
>>> -a domainname=example.com \
>>> -a proxyDN=cn=uid=proxy,ou=People,dc=example,dc=com \
>>> -a proxyPassword=secret \
>>> 192.168.1.44
>> Parsing profileName=default
>> Parsing domainname=example.com
>> Parsing proxyDN=cn=uid=proxy,ou=People,dc=example,dc=com
>> Parsing proxyPassword=secret
>> Arguments parsed:
>>        domainName: example.com
>>        proxyDN: cn=uid=proxy,ou=People,dc=example,dc=com
>>        profileName: default
>>        proxyPassword: secret
>>        defaultServerList: 192.168.1.44
>> Handling init option
>> About to configure machine by downloading a profile
>> Can not find the nisDomainObject for domain example.com
>
> So you're specifying a profileName here.  Have you created a profile
> object in your directory with the name "default"?  The "init" mode of
> ldapclient uses a profile object in the directory for configuration.
>
> If you don't have or don't want to have a profile object, you could
> try using "ldapclient manual" rather than "ldapclient init".  I
> believe the manual mode of ldapclient is described in the man page for
> the tool.  There are also documents out on the Internet for
> configuring the Solaris 10 (or 11) Native LDAP Naming Service client
> which are mostly, if not entirely, applicable to the bits on
> OpenIndiana.
>
>
> Cheers.
>
> --
> Joshua M. Clulow
> UNIX Admin/Developer
> http://blog.sysmgr.org
>
> _______________________________________________
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
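The nsswitch.conf pasted above is the /etc/nsswitch.ldap template, which sends "hosts:" and "ipnodes:" to "files ldap" and so never consults DNS. As an added check, not part of the original thread, the script below flags the host-lookup databases that lack "dns" and prints a corrected copy that keeps passwd/group on LDAP; it assumes only POSIX sh, awk and sed, and the embedded nsswitch fragment is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Detect the ldapclient side
# effect where hosts:/ipnodes: lost "dns", and emit a fixed nsswitch.conf.

# Constructed sample resembling the post-ldapclient /etc/nsswitch.conf.
SAMPLE_NSSWITCH='passwd:     files ldap
group:      files ldap
hosts:      files ldap
ipnodes:    files ldap
netgroup:   ldap
services:   files ldap'

# Read nsswitch.conf on stdin; print each of hosts/ipnodes whose source
# list does not include "dns" (one database name per line, no colon).
missing_dns() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "hosts:" || $1 == "ipnodes:" {
            has = 0
            for (i = 2; i <= NF; i++) if ($i == "dns") has = 1
            if (!has) print substr($1, 1, length($1) - 1)
        }'
}

# Rewrite only the hosts:/ipnodes: lines to "files dns"; every other
# database (passwd, group, ...) keeps its existing "files ldap" sources.
fix_hosts_dns() {
    sed -e 's/^\(hosts:[[:space:]]*\).*/\1files dns/' \
        -e 's/^\(ipnodes:[[:space:]]*\).*/\1files dns/'
}

# Convenience wrappers over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_NSSWITCH" | missing_dns
}

fixed_sample() {
    printf '%s\n' "$SAMPLE_NSSWITCH" | fix_hosts_dns
}
```

On a real host, run `missing_dns < /etc/nsswitch.conf` first, keep the .bak copy, and make sure svc:/network/dns/client is online before relying on the corrected file.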


