[OpenIndiana-discuss] openindiana ldap client
Tim Dunphy
bluethundr at gmail.com
Sun May 6 15:38:54 UTC 2012
Hi Mike,
> Try the following change to the nsswitch.conf file
>
> # consult /etc "files" only if ldap is down.
> hosts: files dns mdns ldap
That worked! Now ldap and dns are happy! very cool.
thanks to both of you guys!
best regards,
Tim
On Sun, May 6, 2012 at 1:01 AM, Mike La Spina <mike.laspina at laspina.ca> wrote:
> Hi Tim,
>
> Try the following change to the nsswitch.conf file
>
> # consult /etc "files" only if ldap is down.
> hosts: files dns mdns ldap
>
>
> This will set the resolution order to; 1 local hosts file, 2 dns, 3 multicast dns, 4 ldap lookup
>
> Regards,
> Mike
>
> -----Original Message-----
> From: Tim Dunphy [mailto:bluethundr at gmail.com]
> Sent: Saturday, May 05, 2012 9:43 PM
> To: Discussion list for OpenIndiana
> Subject: Re: [OpenIndiana-discuss] openindiana ldap client
>
> Thanks!
>
> That really did the trick!
>
> ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a proxyDN=cn=Manager,dc=example,dc=com -a proxyPassword=secret -a defaultSearchBase=dc=example,dc=com -a domainName=example.com -a defaultServerList=192.168.1.44
>
>
> Grep ldap for ldap user:
>
>
> root at openindiana:/var/ldap# getent passwd | grep walbs walbs:x:1002:1003:Walkiria Soares-Dunphy:/home/walbs:/bin/bash
>
>
> However I notice that now dns resolution seems mixed up, but only since running ldapclient:
>
> root at openindiana:/var/ldap# ping yahoo.com
> ping: unknown host yahoo.com
>
> Here's what nsswitch.conf is looking like:
>
> root at openindiana:/var/ldap# cat /etc/nsswitch.conf # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License").
> # You may not use this file except in compliance with the License.
> #
> # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing.
> # See the License for the specific language governing permissions # and limitations under the License.
> #
> # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
> # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
> #
>
> #
> # /etc/nsswitch.ldap:
> #
> # An example file that could be copied over to /etc/nsswitch.conf; it # uses LDAP in conjunction with files.
> #
> # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>
> # LDAP service requires that svc:/network/ldap/client:default be enabled # and online.
>
> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> passwd: files ldap
> group: files ldap
>
> # consult /etc "files" only if ldap is down.
> hosts: files ldap
>
> # Note that IPv4 addresses are searched for in all of the ipnodes databases # before searching the hosts databases.
> ipnodes: files ldap
>
> networks: files ldap
> protocols: files ldap
> rpc: files ldap
> ethers: files ldap
> netmasks: files ldap
> bootparams: files ldap
> publickey: files ldap
>
> netgroup: ldap
>
> automount: files ldap
> aliases: files ldap
>
> # for efficient getservbyname() avoid ldap
> services: files ldap
>
> printers: user files ldap
>
> auth_attr: files ldap
> prof_attr: files ldap
>
> project: files ldap
>
> tnrhtp: files ldap
> tnrhdb: files ldap
>
> If I revert the file to pre-ldapclient I can ping yahoo and external hosts again:
>
> root at openindiana:/var/ldap# cat /etc/nsswitch.conf.bak > /etc/nsswitch.conf
>
> root at openindiana:/var/ldap# ping yahoo.com yahoo.com is alive
>
> And of course I can't find ldap users in the directory again.
>
> root at openindiana:/var/ldap# getent passwd | grep walbs root at openindiana:/var/ldap#
>
> Is there any way to have my cake and eat it too?
>
> thanks
> tim
>
> On Sat, May 5, 2012 at 9:57 PM, Joshua M. Clulow <josh at sysmgr.org> wrote:
>> On 6 May 2012 11:15, Tim Dunphy <bluethundr at gmail.com> wrote:
>>> I've also tried using ldapclient, but am having no luck there either:
>>
>> I would definitely suggest that you'll want to use the native LDAP
>> bits, not the PADL stuff.
>>
>>> root at openindiana:~/nss_ldap-265# ldapclient init -v -a
>>> profileName=default \
>>>> -a domainname=example.com \
>>>> -a proxyDN=cn=uid=proxy,ou=People,dc=example,dc=com \ -a
>>>> proxyPassword=secret \
>>>> 192.168.1.44
>>> Parsing profileName=default
>>> Parsing domainname=example.com
>>> Parsing proxyDN=cn=uid=proxy,ou=People,dc=example,dc=com
>>> Parsing proxyPassword=secret
>>> Arguments parsed:
>>> domainName: example.com
>>> proxyDN: cn=uid=proxy,ou=People,dc=example,dc=com
>>> profileName: default
>>> proxyPassword: secret
>>> defaultServerList: 192.168.1.44 Handling init option About to
>>> configure machine by downloading a profile Can not find the
>>> nisDomainObject for domain example.com
>>
>> So you're specifying a profileName here. Have you created a profile
>> object in your directory with the name "default"? The "init" mode of
>> ldapclient uses a profile object in the directory for configuration.
>>
>> If you don't have or don't want to have a profile object, you could
>> try using "ldapclient manual" rather than "ldapclient init". I
>> believe the manual mode of ldapclient is described in the man page for
>> the tool. There are also documents out on the Internet for
>> configuring the Solaris 10 (or 11) Native LDAP Naming Service client
>> which are mostly, if not entirely, applicable to the bits on
>> OpenIndiana.
>>
>>
>> Cheers.
>>
>> --
>> Joshua M. Clulow
>> UNIX Admin/Developer
>> http://blog.sysmgr.org
>>
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss at openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
> _______________________________________________
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
> _______________________________________________
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
More information about the OpenIndiana-discuss
mailing list