[OpenIndiana-discuss] openindiana ldap client

Mike La Spina mike.laspina at laspina.ca
Sun May 6 05:01:12 UTC 2012


Hi Tim,

Try the following change to the nsswitch.conf file

# consult /etc "files" only if ldap is down.
hosts:      files dns mdns ldap


This will set the resolution order to: 1. local hosts file, 2. dns, 3. multicast dns, 4. ldap lookup

Regards,
Mike

-----Original Message-----
From: Tim Dunphy [mailto:bluethundr at gmail.com] 
Sent: Saturday, May 05, 2012 9:43 PM
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] openindiana ldap client

Thanks!

That really did the trick!

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a proxyDN=cn=Manager,dc=example,dc=com -a proxyPassword=secret -a defaultSearchBase=dc=example,dc=com  -a domainName=example.com -a defaultServerList=192.168.1.44


Grep ldap for ldap user:


root at openindiana:/var/ldap# getent passwd | grep walbs
walbs:x:1002:1003:Walkiria Soares-Dunphy:/home/walbs:/bin/bash


However I notice that now dns resolution seems mixed up, but only since running ldapclient:

root at openindiana:/var/ldap# ping yahoo.com
ping: unknown host yahoo.com

Here's what nsswitch.conf is looking like:

root at openindiana:/var/ldap# cat /etc/nsswitch.conf
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
#

#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap
group:      files ldap

# consult /etc "files" only if ldap is down.
hosts:      files ldap

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files ldap

networks:   files ldap
protocols:  files ldap
rpc:        files ldap
ethers:     files ldap
netmasks:   files ldap
bootparams: files ldap
publickey:  files ldap

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap

printers:   user files ldap

auth_attr:  files ldap
prof_attr:  files ldap

project:    files ldap

tnrhtp:     files ldap
tnrhdb:     files ldap

If I revert the file to pre-ldapclient I can ping yahoo and external hosts again:

root at openindiana:/var/ldap# cat /etc/nsswitch.conf.bak > /etc/nsswitch.conf

root at openindiana:/var/ldap# ping yahoo.com
yahoo.com is alive

And of course I can't find ldap users in the directory again.

root at openindiana:/var/ldap# getent passwd | grep walbs
root at openindiana:/var/ldap#

Is there any way to have my cake and eat it too?

thanks
tim

On Sat, May 5, 2012 at 9:57 PM, Joshua M. Clulow <josh at sysmgr.org> wrote:
> On 6 May 2012 11:15, Tim Dunphy <bluethundr at gmail.com> wrote:
>> I've also tried using ldapclient, but am having no luck there either:
>
> I would definitely suggest that you'll want to use the native LDAP 
> bits, not the PADL stuff.
>
>> root at openindiana:~/nss_ldap-265# ldapclient init -v -a profileName=default \
>>> -a domainname=example.com \
>>> -a proxyDN=cn=uid=proxy,ou=People,dc=example,dc=com \
>>> -a proxyPassword=secret \
>>> 192.168.1.44
>> Parsing profileName=default
>> Parsing domainname=example.com
>> Parsing proxyDN=cn=uid=proxy,ou=People,dc=example,dc=com
>> Parsing proxyPassword=secret
>> Arguments parsed:
>>        domainName: example.com
>>        proxyDN: cn=uid=proxy,ou=People,dc=example,dc=com
>>        profileName: default
>>        proxyPassword: secret
>>        defaultServerList: 192.168.1.44
>> Handling init option
>> About to configure machine by downloading a profile
>> Can not find the nisDomainObject for domain example.com
>
> So you're specifying a profileName here.  Have you created a profile 
> object in your directory with the name "default"?  The "init" mode of 
> ldapclient uses a profile object in the directory for configuration.
>
> If you don't have or don't want to have a profile object, you could 
> try using "ldapclient manual" rather than "ldapclient init".  I 
> believe the manual mode of ldapclient is described in the man page for 
> the tool.  There are also documents out on the Internet for 
> configuring the Solaris 10 (or 11) Native LDAP Naming Service client 
> which are mostly, if not entirely, applicable to the bits on 
> OpenIndiana.
>
>
> Cheers.
>
> --
> Joshua M. Clulow
> UNIX Admin/Developer
> http://blog.sysmgr.org
>
> _______________________________________________
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss



--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

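An added example, not part of the thread above and not code from any of its participants: a small POSIX shell helper that reads the lookup order for a database out of an nsswitch.conf, flags a hosts line that never consults dns (the cause of the "unknown host" symptom Tim saw), and writes a corrected copy with the order Mike suggested. Because the posted file's own comment says ipnodes is searched before hosts, and its ipnodes line also reads "files ldap", the rewrite covers both lines. The sample file, and the function names nss_sources, nss_has_source and nss_set_hosts_order, are constructed for this example.

```shell
#!/bin/sh
# Inspect and adjust the lookup order in an nsswitch.conf without editing
# it by hand. Added example; not from the OpenIndiana thread.

# Constructed sample mirroring the hosts/ipnodes lines posted in the
# thread (not a real system file).
SAMPLE_NSSWITCH="$(mktemp)"
cat > "$SAMPLE_NSSWITCH" <<'EOF'
# consult /etc "files" only if ldap is down.
hosts:      files ldap
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files ldap
passwd:     files ldap   # trailing comment, must be ignored
EOF

# nss_sources DATABASE FILE
# Print DATABASE's lookup sources in order, ignoring whole-line and
# trailing comments. Prints nothing if the database is not configured.
nss_sources() {
    awk -v db="$1:" '
        /^[ \t]*#/ { next }                      # whole-line comment
        { sub(/#.*/, "") }                       # strip trailing comment
        $1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# nss_has_source DATABASE SOURCE FILE
# Exit 0 only if SOURCE is among DATABASE's lookup sources.
nss_has_source() {
    for src in $(nss_sources "$1" "$3"); do
        [ "$src" = "$2" ] && return 0
    done
    return 1
}

# nss_set_hosts_order FILE ORDER
# Write FILE to stdout with the hosts: and ipnodes: lines replaced by
# ORDER; every other line (comments included) is passed through as-is.
nss_set_hosts_order() {
    awk -v order="$2" '
        /^[ \t]*#/ { print; next }
        $1 == "hosts:" || $1 == "ipnodes:" { printf "%-11s %s\n", $1, order; next }
        { print }
    ' "$1"
}

# Usage: report the current order, warn if dns is missing, then produce
# a corrected copy to review before installing it as /etc/nsswitch.conf.
echo "hosts lookup order: $(nss_sources hosts "$SAMPLE_NSSWITCH")"
if ! nss_has_source hosts dns "$SAMPLE_NSSWITCH"; then
    echo "warning: hosts never consults dns; external names will not resolve"
fi
FIXED_NSSWITCH="$(mktemp)"
nss_set_hosts_order "$SAMPLE_NSSWITCH" "files dns mdns ldap" > "$FIXED_NSSWITCH"
echo "corrected hosts order: $(nss_sources hosts "$FIXED_NSSWITCH")"
```

Run it against a copy of the real file rather than the constructed sample by passing the path to nss_sources and nss_set_hosts_order; the corrected output goes to stdout so it can be diffed against the original before it replaces /etc/nsswitch.conf.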