[Freeipa-users] Solaris 10 as IPA Client?

Sigbjorn Lie sigbjorn at nixtra.com
Mon Dec 5 20:40:50 UTC 2011


Use Base DN: dc=unix,dc=vuw,dc=ac,dc=nz. Make sure you've configured 
bluecoat to do search sub, and not search one.

You should really speak to Bluecoat support about how to configure your 
appliance. IPA merely provides an LDAP server. There are loads of 
different ways applications are configured to use LDAP.

Some appliances want just a true/false, such as using an LDAP search: if 
a result is found the search is true, if a result is not found the 
search is considered false. Such as: 
'(&(objectclass=person)(memberOf=cn=internet-access,cn=groups,cn=accounts,dc=test,dc=com)(uid=username))' 
will return a record if the requested user is a member of the group, and 
return nothing if the user is not a member of the group. I just used a 
similar configuration for Squid.

Other appliances want to be pointed at a group or a set of groups, where 
the appliance contains the required logic for searching for users within 
the group or groups. If you do this, you need to configure the 
objectclasses and attributes it's looking for, as this varies between 
different LDAP servers. This is usually configurable within the appliance.

Run "ldapsearch -Y GSSAPI -b dc=unix,dc=vuw,dc=ac,dc=nz 
cn=internet-access" on your IPA server to see what object classes and 
attributes are associated with your internet-access group. This should 
give you some hints for how to configure your appliances.

What you need is some knowledge of LDAP, and to work with your vendors 
to figure out how they should be configured to work with IPA.

BTW, for a proxy appliance I believe you want Kerberos authentication to 
provide single sign on, and use LDAP merely to do the authorization.



Regards,
Siggi






On 12/05/2011 08:42 PM, Steven Jones wrote:
> Hi,
>
> If I wanted a specific internet access group where the IPA group is  "internet-users"
>
> What would the baseDN be?
>
> I have been using dc=unix,dc=vuw,dc=ac,dc=nz  but I have tried a few combos, none worked....also I need to bind to the IPA?  or will anonymous work?  I cant search the tree as anonymous inside the bluecoat gui so I cant pick the group I want....which would make life easy.
>
> This goes back to my request to see the dc= stuff inside the gui.....the gui "speaks" one way and everything else "speaks" differently, a translation is needed. So really you have succeeded in making the gui very easy to use, sure but not with other products.
>
> If I have to bind with a user so I can pick the group I want in the bluecoat gui I assume I need to create a user for that?  with limited permissions?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Tuesday, 6 December 2011 3:40 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Solaris 10 as IPA Client?
>
> Steven Jones wrote:
>> 8><-----------
>>
>> Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis.
>> So you need to enable compat tree on ipa side and point your Solaris
>> nss_ldap to the compat tree.
>>
>> 8><----------
>>
>> We have a Sun solar storage SAN.....uses Solaris I can't get it to work....maybe that's what I need to do to get them to talk....how do I enable "compat tree"?
>>
>> Also would other hardware vendors be similar?  I'm trying to get a bluecoat proxy server to talk to IPA and it can't....
> compat is enabled by default, to double check run: ipa-compat-manage status
>
> For authentication typically all you need is the basedn of users
> (cn=users,cn=accounts,dc=example,dc=com). For SSL you can get a copy of
> the CA cert from http://ipa.example.com/ipa/config/ca.crt.
>
> The 389-ds access logs can be found in
> /var/log/dirsrv/slapd-YOURINSTANCE/access. These are buffered for up to
> 30 seconds. The error log by default tends to only log catastrophic
> problems. You can enable server debugging, details are in the FAQ in the
> 389-ds wiki.
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
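The true/false authorization pattern Siggi describes above (a search with a filter that returns one entry if the user is in the group and nothing otherwise) is only safe if the username the appliance drops into the filter is escaped per RFC 4515; otherwise a value such as `*` turns the group check into "match anyone". The following is an added example, not code from the thread or from FreeIPA itself: it builds that filter with proper escaping and evaluates it against a small constructed in-memory directory (the entries, the `dc=test,dc=com` suffix from Siggi's filter, and the hypothetical user names are all assumptions), so the semantics can be checked offline without an IPA server.

```python
import re

# RFC 4515: these characters must be hex-escaped inside a filter assertion
# value, otherwise untrusted input can change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed group DN, following the filter quoted in the reply above.
GROUP_DN = "cn=internet-access,cn=groups,cn=accounts,dc=test,dc=com"

# Constructed directory: attribute names lower-cased, values as lists, as a
# real server would return them. "alice" and "svc-proxy" are in the group.
DIRECTORY = [
    {"uid": ["alice"], "objectclass": ["person", "posixaccount"], "memberof": [GROUP_DN]},
    {"uid": ["bob"], "objectclass": ["person", "posixaccount"],
     "memberof": ["cn=ipausers,cn=groups,cn=accounts,dc=test,dc=com"]},
    {"uid": ["svc-proxy"], "objectclass": ["person"], "memberof": [GROUP_DN]},
]


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_authz_filter(username: str, group_dn: str = GROUP_DN) -> str:
    """Filter that matches exactly one entry iff `username` is a person in the group."""
    return (
        "(&(objectclass=person)"
        f"(memberOf={escape_filter_value(group_dn)})"
        f"(uid={escape_filter_value(username)}))"
    )


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into literal characters, as the server does."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _assertion_to_regex(assertion: str) -> "re.Pattern[str]":
    """An unescaped '*' is a substring wildcard; an escaped one is a literal '*'."""
    pieces = [re.escape(_unescape(p)) for p in assertion.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


_ASSERTION_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def evaluate_and_filter(filter_str: str, entry: dict) -> bool:
    """Evaluate a filter of the form (&(attr=value)...) against one entry.

    This is a deliberately minimal evaluator (conjunction of equality or
    substring assertions only), enough to model the authorization search.
    """
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only a conjunction of simple assertions is supported")
    body = filter_str[2:-1]
    assertions = _ASSERTION_RE.findall(body)
    if not assertions or "".join(f"({a}={v})" for a, v in assertions) != body:
        raise ValueError("unsupported filter syntax: %r" % filter_str)
    for attr, assertion in assertions:
        regex = _assertion_to_regex(assertion)
        if not any(regex.match(v) for v in entry.get(attr.lower(), [])):
            return False
    return True


def count_matches(filter_str: str, directory=DIRECTORY) -> int:
    """How many entries the search would return for this filter."""
    return sum(1 for e in directory if evaluate_and_filter(filter_str, e))


def is_authorized(username: str, group_dn: str = GROUP_DN, directory=DIRECTORY) -> bool:
    """The appliance's decision: authorized iff the search returns an entry."""
    return count_matches(build_authz_filter(username, group_dn), directory) > 0


if __name__ == "__main__":
    for user in ["alice", "bob", "mallory", "*", "alice)(uid=bob"]:
        print(f"{user!r:20} -> {is_authorized(user)}   filter: {build_authz_filter(user)}")
    # Contrast: the same wildcard left unescaped matches every person.
    print("unescaped uid=* matches", count_matches("(&(objectclass=person)(uid=*))"), "entries")
```

The thing to check against a real appliance is the last line of that output: if the proxy substitutes the login name into the filter verbatim, a wildcard or an injected `)(` can widen the search, so the group check is only as strong as the vendor's escaping.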



