[Fedora-directory-users] Solaris Native LDAP Client against FDS7.1 Server

George Holbert gholbert at broadcom.com
Fri Jul 15 18:03:18 UTC 2005


>
>
>So if there is an existing Solaris8/9 DS5.2 server, simply copy
>99user.ldif from DS5.2 over to FDS7.1.
>

One caution about this:  99user.ldif stores ALL schema changes you make 
to the directory server via ldapmodify.  This is not necessarily just 
DUAConfigProfile and other Solaris client schema updates.

>DUAConfigProfile.schema + solaris.schema = 99user.ldif
>
This is true if you install a fresh SunDS 5.2 or FDS 7.1 directory 
server, and then add the schema changes in DUAConfigProfile.schema and 
solaris.schema via ldapmodify.  Sun's favorite way of making these 
changes is the Solaris script: /usr/lib/ldap/idsconfig



Tay, Gary wrote:

>IIRC the two .schema files in my OpenLDAP HOW-TO are actually equivalent
>to the 99user.ldif (residing in
>$LDAP_ROOT/slapd-`hostname`/config/schema) file provided by SUN ONE
>DS5.2, i.e.
>
>DUAConfigProfile.schema + solaris.schema = 99user.ldif.
>
>So if there is an existing Solaris8/9 DS5.2 server, simply copy
>99user.ldif from DS5.2 over to FDS7.1.
>
>Someone who is using Oracle Internet Directory had asked me in
>supportforum.sun.com how to configure Solaris Native LDAP Client to
>authenticate against OID, I had some brief instructions given there, I
>reproduced and modified a bit as a quick notes here.
>
>PLEASE NOTE that I haven't tried these steps but believe it should work
>as FDS7.1 is similar to DS5.2, anyone has tried these please feel free
>to comment and add.
>
>===
>To make Solaris Native LDAP Clients (Solaris8 or Solaris9) work
>against an FDS7.1 Server, you would have to do a little hacking to make
>the FDS7.1 Server act like a SUN DS5.2 ldapclient profile(s) provider,
>as described in the following notes:
>
>- Add "nisDomain" to rootDN object (eg: object is dc=example,dc=com) so
>that "ldapclient" will be able to find this nisDomainObject, using
>ldapmodify or GUI based tools.
>
>objectClass: nisDomainObject
>nisDomain: example.com
>
>- Copy schema 99user.ldif from DS5.2 to FDS7.1
>
>- Create an ou=profile OU object and add cn=ProxyAgent under it as the
>proxy-credentials user
>
>- Create "default" or "customized" ldapclient profile(s) under the
>ou=profile subtree for simple bind or simple bind + TLS or whatever,
>using manually prepared ldif file or ldif generated by "ldapclient
>genprofile" command, read "man ldapclient" for more details.
>
>- Set up two ACLs under the dc=example,dc=com object; ACL1 should appear
>before ACL2. They are actually present in any typical SUN ONE DS5.2.
>
>1. LDAP_Naming_Services_deny_write_access
>(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||
>shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||
>memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;
>deny (write) userdn = "ldap:///self";)
>
>2. LDAP_Naming_Services_proxy_password_read
>(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version
>3.0; acl LDAP_Naming_Services_proxy_password_read; allow
>(compare,read,search) userdn =
>"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
>
>Tips: delete the word "read" if you do not want "ldaplist -l passwd" to
>list userPassword(s), i.e. it becomes:
>
>(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version
>3.0; acl LDAP_Naming_Services_proxy_password_read; allow
>(compare,search) userdn =
>"ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
>
>- It is advisable to set password hash scheme to CRYPT in FDS7.1.
>
>- It is advisable to add "shadowAccount" objectclass to your user
>entries, on top of "posixAccount".
>
>- Note that Solaris "ldapclient" has an irritating habit of resetting
>the "hosts:" entry to "hosts: files ldap" or something that puts
>"ldap" in front of "dns"; this should be adjusted back to "hosts: files
>dns", otherwise something like telnet/ftp/ssh will break on hostname
>lookup as the hosts lookup using "ldap" goes recursive.
>
>Rgds
>Gary
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
>Megginson
>Sent: Friday, July 15, 2005 3:21 AM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Solaris Client
>
>
>Brian Martinez wrote:
>
>  
>
>>George,
>>
>>That is correct, we are attempting to use the FDS7 as a central
>>authentication system for Solaris 10 NSS Clients with a PAM backend.
>>
>>We believe that we are missing the proper schemas on the server
>>(DUAConfigProfile and Solaris) to support the Solaris Clients.  The 
>>ones on Tay's website seem to be in the wrong format (schema instead 
>>of ldif)...or we just don't know how to import them!
>>    
>>
>
>You can use this script 
>http://www.directory.fedora.redhat.com/download/ol-schema-migrate.pl
>found on this page 
>http://directory.fedora.redhat.com/wiki/Howto:OpenLDAPMigration
>to convert .schema files to .ldif schema files. e.g.
>perl ol-schema-migrate.pl solaris.schema > 
>slapd-myhost/config/schema/61solaris.ldif
>Then restart slapd
>
>  
>
>>We have been scrounging his site for clues/ideas...developers on the
>>client side are convinced the server is the issue...developers on the 
>>server side believe it is the client.  My take is that we already have
>>the server "most" of the way, because we are successfully 
>>authenticating Linux clients securely to the FDS7 server and we are 
>>missing some essential piece on the server side to solve the Solaris 
>>puzzle.
>>
>>If you have any further thoughts, ideas, or prayers...feel free to
>>send them our way.
>>
>>    
>>
>>>From: "George Holbert" <gholbert at broadcom.com>
>>>Reply-To: "General discussion list for the Fedora Directory server
>>>project." <fedora-directory-users at redhat.com>
>>>To: "General discussion list for the Fedora Directory server 
>>>project." <fedora-directory-users at redhat.com>
>>>Subject: Re: [Fedora-directory-users] Solaris Client
>>>Date: Thu, 14 Jul 2005 11:08:06 -0700
>>>
>>>Hi Brian,
>>>
>>>By "Solaris Clients", I assume you mean Solaris naming service (for
>>>passwd, group, etc.).
>>>
>>>The answer is yes.  Any modern, properly configured LDAP server,
>>>including Fedora DS, can support Solaris naming service.  However, 
>>>getting the server "properly configured" can be tricky.
>>>
>>>However, since Sun's own directory server ("Sun Java Enterprise
>>>System Directory Server") is so very similar to Fedora DS, much of 
>>>the same preparation methods and documentation regarding SunDS will 
>>>apply directly to Fedora DS.
>>>
>>>A good starting point would be Gary Tay's fine documentation at: 
>>>http://web.singnet.com.sg/~garyttt/
>>>
>>>Gary's docs were written around iPlanet/Sun DS, but as I mentioned,
>>>pretty much all of this should also apply to Fedora DS.
>>>
>>>Good luck!
>>>-- George
>>>
>>>
>>>Brian Martinez wrote:
>>>
>>>      
>>>
>>>>All,
>>>>
>>>>Does the Fedora DS support Solaris Clients?  If so, where can I find
>>>>information, schema examples, etc....
>>>>
>>>>Thanks in advance,
>>>>Brian
>>>>
>>>>
>>>>--
>>>>Fedora-directory-users mailing list
>>>>Fedora-directory-users at redhat.com
>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>>        
>>>>
>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>      
>>>
>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users at redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>    
>>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>  
>
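Added example, not code from the thread or from Fedora DS: a small Python parser for the ACI v3.0 syntax quoted above, run over the two ACIs Gary posted (reproduced below as constructed sample input, re-joined onto clean lines) plus the tightened "compare,search" variant from his tip. It reports which bind rules may read userPassword, which is what dropping "read" is about, and whether the self-service deny(write) rule covers the naming attributes a user could otherwise rewrite on their own entry (uid, uidNumber, gidNumber, homeDirectory, memberUid). The parser understands only the clauses these ACIs use (target, targetattr with = or !=, allow/deny rules with one bind rule each); the ACI name, DNs and attribute list are taken from the post, everything else is this example's assumption.

```python
"""Audit Sun DS / Fedora DS ACIs for Solaris naming-service exposure.

Added example for this page, not code from the thread or from Fedora DS.
Parses ACI v3.0 strings and answers two questions about them:
  * which bind rules may read userPassword (the "read" the tip talks about);
  * whether the self-service deny(write) covers the naming attributes.
Only the clauses used in the posted ACIs are understood: target, targetattr
(= and !=), and allow/deny rules with one bind rule each.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the two ACIs from the post, re-joined onto clean
# lines, plus the tightened variant the post suggests ("read" removed).
ACI_DENY_SELF_WRITE = (
    '(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||'
    'shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||'
    'memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access; '
    'deny (write) userdn = "ldap:///self";)'
)
ACI_PROXY_PASSWORD_READ = (
    '(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; '
    'acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) '
    'userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)'
)
ACI_PROXY_PASSWORD_COMPARE = ACI_PROXY_PASSWORD_READ.replace(
    "(compare,read,search)", "(compare,search)")

# Attributes a user must not be able to rewrite on their own entry.
NAMING_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "memberUid")

TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"?([^";]+?)"?\s*;(.*)\)\s*$', re.I)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.I)


@dataclass
class Aci:
    name: str
    target: Optional[str] = None
    attrs: set[str] = field(default_factory=lambda: {"*"})  # targetattr =  (lowercased)
    excluded: set[str] = field(default_factory=set)          # targetattr != (lowercased)
    rules: list[tuple[str, set[str], str]] = field(default_factory=list)

    def covers(self, attr: str) -> bool:
        a = attr.lower()
        return a not in self.excluded and ("*" in self.attrs or a in self.attrs)

    def rules_for(self, attr: str, kind: str) -> list[tuple[set[str], str]]:
        """(rights, bind rule) pairs of the given kind (allow/deny) that reach attr."""
        if not self.covers(attr):
            return []
        return [(rights, bind) for k, rights, bind in self.rules if k == kind]


def parse_aci(text: str) -> Aci:
    text = " ".join(text.split())  # undo mail-client line wrapping
    aci = Aci(name="")
    pos = 0
    while (m := TARGET_RE.match(text, pos)):
        kw, op, val = m.group(1).lower(), m.group(2), m.group(3)
        if kw == "target" and op == "=":
            aci.target = val
        elif kw == "targetattr":
            names = {a.strip().lower() for a in val.split("||")}
            if op == "=":
                aci.attrs = names
            else:
                aci.attrs, aci.excluded = {"*"}, names
        pos = m.end()
    body = BODY_RE.match(text, pos)
    if body is None:
        raise ValueError(f"unsupported ACI syntax: {text[:60]}")
    aci.name = body.group(1).strip()
    for r in RULE_RE.finditer(body.group(2)):
        rights = {x.strip().lower() for x in r.group(2).split(",") if x.strip()}
        aci.rules.append((r.group(1).lower(), rights, r.group(3).strip()))
    return aci


def password_readers(acis: list[Aci]) -> list[tuple[str, str]]:
    """(ACI name, bind rule) for every allow rule granting read (or all) on userPassword."""
    return [(aci.name, bind)
            for aci in acis
            for rights, bind in aci.rules_for("userPassword", "allow")
            if rights & {"read", "all"}]


def self_write_gaps(acis: list[Aci]) -> list[str]:
    """Naming attributes with no deny(write) rule bound to ldap:///self."""
    return [attr for attr in NAMING_ATTRS
            if not any(rights & {"write", "all"}
                       for aci in acis
                       for rights, bind in aci.rules_for(attr, "deny")
                       if "ldap:///self" in bind.lower())]


if __name__ == "__main__":
    for label, raw in (("as posted", (ACI_DENY_SELF_WRITE, ACI_PROXY_PASSWORD_READ)),
                       ("read removed", (ACI_DENY_SELF_WRITE, ACI_PROXY_PASSWORD_COMPARE))):
        acis = [parse_aci(a) for a in raw]
        print(f"{label}: readers={password_readers(acis)} self-write gaps={self_write_gaps(acis)}")
```

Two points the audit makes concrete. A grant of read on userPassword is what lets the Solaris client (pam_unix, with the CRYPT scheme Gary recommends) fetch the hash through the proxy agent and compare it locally, so the "compare,search" variant that hides the hashes from ldaplist also means clients must authenticate with pam_ldap, which binds or compares against the server instead. And since Sun DS and Fedora DS deny anything no ACI allows, the deny(write) rule only changes the outcome where another ACI grants users write access to their own entries (self-service password change, for example); deny rules take precedence over allow rules in this ACI model, so the relative order of the two ACIs does not affect the result.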


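Added example, also not from the thread: Rich's reply points at ol-schema-migrate.pl for turning an OpenLDAP .schema file into the LDIF that Fedora DS loads from slapd-<host>/config/schema. The Python below does the same job from scratch rather than wrapping that script. It assumes the slapd.conf schema conventions (a directive starts at column 0, its continuation lines are indented, '#' at the start of a line is a comment) and Fedora DS's convention of tagging user-added schema values with X-ORIGIN 'user defined'. The sample input is constructed, with placeholder OIDs; convert the real DUAConfigProfile.schema and solaris.schema from Gary's site, not this text.

```python
"""Convert an OpenLDAP .schema file to the cn=schema LDIF that Fedora DS /
389 DS loads from slapd-<host>/config/schema/NNname.ldif.

Added example for this page; it is not ol-schema-migrate.pl, but does the
same two things: joins each multi-line attributetype/objectclass definition
onto one line and re-keys it as an attributeTypes:/objectClasses: value.
Assumes slapd.conf schema conventions: a directive starts at column 0, its
continuation lines are indented, and '#' at the start of a line is a comment.
"""

KEYWORDS = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}

# Constructed sample in OpenLDAP schema syntax. The OIDs are placeholders
# under an illustrative arc, NOT the real DUAConfigProfile OIDs; convert the
# real DUAConfigProfile.schema / solaris.schema files, not this text.
SAMPLE_SCHEMA = """\
# constructed sample, not the real DUAConfigProfile.schema
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'defaultServerList'
    DESC 'Default LDAP server host address used by a DUA'
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'defaultSearchBase'
    DESC 'Default LDAP base DN used by a DUA'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'DUAConfigProfile'
    SUP top STRUCTURAL
    DESC 'Abstraction of a base configuration for a DUA'
    MUST ( cn )
    MAY ( defaultServerList $ defaultSearchBase ) )
"""


def schema_to_ldif(schema_text: str, x_origin: str = "user defined") -> str:
    """Return a cn=schema LDIF entry; raises ValueError on directives it cannot map."""
    entries = ["dn: cn=schema"]
    pending = []

    def flush() -> None:
        if not pending:
            return
        text = " ".join(" ".join(pending).split())       # one line, single spaces
        keyword, _, definition = text.partition(" ")
        key = KEYWORDS.get(keyword.lower())
        if key is None:                                  # e.g. objectidentifier macros
            raise ValueError(f"unsupported schema directive: {keyword}")
        if "X-ORIGIN" not in definition.upper():         # 389 tags user schema this way
            head = definition[:definition.rfind(")")].rstrip()
            definition = f"{head} X-ORIGIN '{x_origin}' )"
        entries.append(f"{key}: {definition}")
        pending.clear()

    for raw in schema_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                     # blank or comment line
        if not raw[0].isspace():
            flush()                                      # new directive starts here
        pending.append(raw.strip())
    flush()
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    print(schema_to_ldif(SAMPLE_SCHEMA), end="")
```

Write the output to a file such as slapd-myhost/config/schema/61solaris.ldif, as in Rich's example, and restart slapd. The numeric prefix sets load order, and 99user.ldif is where the server records schema added over LDAP, which is the reason for George's caution above: a copied 99user.ldif carries every schema change ever made on the source server, not just the Solaris ones, so a converted file with its own number is the cleaner route. The converter stops with a ValueError on directives it does not map (objectidentifier macros, for instance) rather than silently dropping them.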



