[Freeipa-users] openindiana ldap client

Natxo Asenjo natxo.asenjo at gmail.com
Sun Sep 2 14:37:33 UTC 2012


hi,

Recently I have been playing with the zfs for its native nfs4 acl
capabilities. I have used openindiana for this. For those wondering about
openindiana, it is a distribution of the former opensolaris code.

I got the ldap client to work for retrieving user/group info from ipa
using the ldapclient command:

 # ldapclient manual \
-a authenticationMethod=none \
-a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \
-a domainName=ipa.asenjo.nx \
-a defaultServerList=kdc.ipa.asenjo.nx \
-a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
-a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]

You need to enable the ldap/client service:

# svcadm enable ldap/client:default [enter]

After which, modify /etc/nsswitch.conf to add the ldap provider for passwd
and group:

passwd:     files ldap
group:      files ldap

That's it, test it:

# id admin
uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)

# getent passwd admin
admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash

So it works. The kerberos stuff will be next ...

One thing I have not yet gotten to work is that these changes are not
persistent across reboots. The ldapclient config stays, but the service
ldap/client does not start (stays disabled) and nsswitch.conf misses the
ldap entries. So far I am fixing this from cfengine (gotta love it).

So apparently, for solaris 10 and newer versions, the procedure outlined in
http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as
far as the ldap client is concerned.


--
Groeten,
natxo
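
The message above mentions repairing the non-persistent settings from cfengine. As an added example (not part of the original message and not the author's cfengine policy), the same repair written as an idempotent POSIX shell script; the function names and the overridable file path are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post: re-apply the nsswitch.conf and
# ldap/client settings described above if they have gone missing.

# has_ldap FILE DB: succeed if the DB entry in FILE already lists "ldap".
has_ldap() {
    awk -v db="$2:" '
        { line = $0; sub(/#.*/, "", line); n = split(line, f)
          if (f[1] == db) for (i = 2; i <= n; i++) if (f[i] == "ldap") found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# ensure_ldap FILE DB: append "ldap" to the DB entry, keeping any trailing
# comment; add a "DB: files ldap" line if the entry is missing entirely.
# The file is rewritten in place (cat >) so its owner and mode are kept.
ensure_ldap() {
    file=$1 db=$2
    has_ldap "$file" "$db" && return 0
    tmp="$file.tmp.$$"
    awk -v db="$db:" '
        { line = $0; cmt = ""; c = index(line, "#")
          if (c > 0) { cmt = "  " substr(line, c); line = substr(line, 1, c - 1) }
          split(line, f)
          if (f[1] == db) { sub(/[ \t]+$/, "", line); print line " ldap" cmt; seen = 1; next }
          print }
        END { if (!seen) print db "\tfiles ldap" }' "$file" > "$tmp" &&
        cat "$tmp" > "$file" &&
        rm -f "$tmp"
}

# ensure_service: enable ldap/client unless it is already online.
# Does nothing on hosts without SMF, so the file logic can be tried anywhere.
ensure_service() {
    command -v svcs >/dev/null 2>&1 || return 0
    [ "$(svcs -H -o state ldap/client:default 2>/dev/null)" = online ] ||
        svcadm enable ldap/client:default
}

# repair [FILE]: FILE defaults to the live /etc/nsswitch.conf.
repair() {
    f=${1:-/etc/nsswitch.conf}
    ensure_ldap "$f" passwd && ensure_ldap "$f" group && ensure_service
}
```

Run `repair` as root from a boot-time or periodic job; pass a scratch copy of the file as the first argument to try it without touching /etc.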