[OpenIndiana-discuss] openindiana ldap client

Jim Klimov jimklimov at cos.ru
Sun May 6 11:58:06 UTC 2012


2012-05-06 9:01, Mike La Spina wrote:
> Hi Tim,
>
> Try the following change to the nsswitch.conf file
>
> # consult /etc "files" only if ldap is down.
> hosts:      files dns mdns ldap
>
>
> This will set the resolution order to: 1) local hosts file, 2) dns, 3) multicast dns, 4) ldap lookup

You can also define the policies regarding the name-service
client's actions in case of LDAP inaccessibility or a lack of
the entries you need; for example, in our nsswitch.conf we have:

auth_attr: files ldap [TRYAGAIN=continue]
prof_attr: files ldap [TRYAGAIN=continue]

### Default ipnodes/hosts definitions
#ipnodes:    ldap [NOTFOUND=return] files
#hosts:      ldap [NOTFOUND=return] files
Also, you may want to use a "compat" setting for user accounts
and "netgroups" to basically define, on the LDAP server's side,
which accounts would be DEFINED at the clients (see docs):
group:          files ldap
passwd:         compat
passwd_compat:  ldap
netgroup:   ldap

# tail /etc/passwd
admin:x:100:100:Admin for remote login:/home/admin:/usr/bin/bash
+@usr-lan-admins:x:::::

# tail /etc/shadow
admin:*LK*:::::::
+@usr-lan-admins:x:14068::::::

# tail /etc/group
admin::100:


In the example above, "usr-lan-admins" is a netgroup which
in the LDAP catalog defines triplets (host,user,domain).
All users mentioned in the netgroup (with the host and/or
domain, including wildcards if undefined, matching your
current client host) are "defined" for this client and
can try to log in. Other UIDs and names are not even
"defined" and cannot be broken into (by password cracking,
sudo or such), for example.

This allows you to limit access to certain hosts (including
individual local zones) to only certain people, according
to their job in your net. You may need to reconfigure PAM,
however (pam_ldap, pam_unix), and there are several different
options down that path.

Finally, note that netgroups can be nested, i.e.
"group of webservers" + "group of java developers" =
"group of java devs with access to appservers" :)

On a side note, you might want to add "ou-sudoers" to
define SUDO access details in LDAP (also possible to
configure per-host, i.e. if your java devs need to
be able to reboot their webapp server). The sudo
command in OI has LDAP support by default (I had to
compile it in for older Solarises).

I gave a very rough description here; you're encouraged
to look at good docs and blogs on the internet about all this.
I don't have my links ready to point you at good ones
right now, sorry. And they'd be some 3-5 years old anyway.


>> There are also documents out on the Internet for
>> configuring the Solaris 10 (or 11) Native LDAP Naming Service client
>> which are mostly, if not entirely, applicable to the bits on
>> OpenIndiana.

+1 certainly

HTH,
//Jim
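As an added example (not from the post, OpenIndiana or the Solaris naming-service code), here is a small Python model of the passwd "compat" + netgroup rule described above: given a client's host name and domain, which accounts end up "defined" on it. The netgroup data, the sample host names and the hypothetical nested netgroup "appserver-admins" are constructed; an empty triple field is treated as a wildcard, nesting as a union, and a triple with an empty user field names no account.

```python
# Added example, not from the original post: model the compat/netgroup
# rule. Netgroup data is constructed and stands in for the LDAP content.
# A member is a (host, user, domain) triple, or the name of another
# netgroup (nesting). An empty field is a wildcard.
NETGROUPS = {
    "usr-lan-admins": [("", "alice", "lan.example"),
                       ("", "bob", "lan.example"),
                       "appserver-admins"],          # nested netgroup (constructed)
    "appserver-admins": [("web1", "carol", ""),      # carol, only on host web1
                         ("web1", "", "")],          # empty user field: no account
}

# The /etc/passwd tail from the post: one local account plus a netgroup reference.
PASSWD_TAIL = """\
admin:x:100:100:Admin for remote login:/home/admin:/usr/bin/bash
+@usr-lan-admins:x:::::
"""

def netgroup_users(name, host, domain, seen=None):
    """User names that netgroup `name` makes visible to client `host` in
    `domain`. Nested netgroups are a union; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in NETGROUPS.get(name, []):
        if isinstance(member, str):                  # nested netgroup
            users |= netgroup_users(member, host, domain, seen)
            continue
        m_host, m_user, m_domain = member
        if (m_host and m_host != host) or (m_domain and m_domain != domain):
            continue
        if m_user:
            users.add(m_user)
    return users

def defined_users(passwd_lines, host, domain):
    """Accounts 'defined' on this client under passwd: compat. Plain lines are
    local accounts; '+@ng' adds the matching netgroup users unless an earlier
    '-@ng' excluded them; every other LDAP account stays undefined."""
    defined, excluded = set(), set()
    for line in passwd_lines:
        name = line.split(":", 1)[0].strip()
        if not name or name.startswith("#"):
            continue
        if name.startswith("-@"):
            excluded |= netgroup_users(name[2:], host, domain)
        elif name.startswith("+@"):
            defined |= netgroup_users(name[2:], host, domain) - excluded
        elif not name.startswith(("+", "-")):
            defined.add(name)
    return defined
```

Running `defined_users(PASSWD_TAIL.splitlines(), "web2", "lan.example")` gives only admin, alice and bob; carol is defined on web1 alone, and anyone else in LDAP is unknown to the client.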