[Freeipa-users] openindiana ldap client
Sigbjorn Lie
sigbjorn at nixtra.com
Sun Sep 2 19:20:22 UTC 2012
On 09/02/2012 08:21 PM, Natxo Asenjo wrote:
> On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn Lie <sigbjorn at nixtra.com
> <mailto:sigbjorn at nixtra.com>> wrote:
>
> On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
>> One thing I have not yet gotten to work is that these changes are
>> not persistent across reboots. The ldapclient config stays, but
>> the service ldap/client does not start (stays disabled) and
>> nsswitch.conf misses the ldap entries. So far I am fixing this
>> from cfengine (gotta love it).
>>
>> So apparently, for solaris 10 and newer versions, the procedure
>> outlined in http://freeipa.com/page/ConfiguringSolarisClients is
>> no longer necessary as far as the ldap client is concerned.
>>
>
> I'm using Nexenta as an IPA client, another derivative of
> OpenSolaris. I use a DUAProfile with ldapclient. This stays
> configured and the ldap/client service is enabled across reboots.
>
>
> There is a DUAProfile included by default with IPA, but it
> requires some tweaking to support more than just the basic
> features. See this bugzilla for a more comprehensive example:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
> ok, looks nice. I did not know about this automatic config tool. So if I
> run ldapclient init -a profileName=default kdc.ipa.asenjo.nx it should
> work. Yes it does, awesome.
>
> Unfortunately, it keeps stopping after a reboot:
>
> Sep 2 20:05:19 Enabled. ]
> [ Sep 2 20:05:31 Executing start method ("/lib/svc/method/ldap-client
> start"). ]
> [ Sep 2 20:05:38 Method "start" exited with status 0. ]
> [ Sep 2 20:05:38 Stopping because service disabled. ]
> [ Sep 2 20:05:38 Executing stop method ("/lib/svc/method/ldap-client
> stop"). ]
> [ Sep 2 20:05:38 Method "stop" exited with status 0. ]
>
>
>
>
> There is also some more info about configuring Solaris clients in
> this bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815533
>
>
> The ldap/client service is enabled when you run the ldapclient
> script. There should be no need for doing this manually. When you
> run ldapclient, run it with the -v flag and look for errors.
>
>
> I have rerun ldapclient after running ldapclient uninit and saw no errors.
>
> After a reboot, what does "svcs -xv ldap/client" output?
>
>
> # svcs -xv ldap/client
> svc:/network/ldap/client:default (LDAP client)
> State: disabled since September 2, 2012 08:05:38 PM CEST
> Reason: Temporarily disabled by an administrator.
> See: http://illumos.org/msg/SMF-8000-1S
> See: man -M /usr/share/man -s 1M ldap_cachemgr
> See: /var/svc/log/network-ldap-client:default.log
> Impact: This service is not running.
>
> But I have not temporarily disabled it (option -t to svcadm, I believe).
>
> Are the services it depends on in online state? "svcs -d ldap/client"
>
> # svcs -d ldap/client
> STATE STIME FMRI
> online 19:51:58 svc:/system/filesystem/minimal:default
> online 19:51:59 svc:/network/initial:default
> online 19:52:10 svc:/network/location:default
>
> What does /var/svc/log/network-ldap-client:default.log display
> after a reboot?
>
> see above.
>
> What files do you have in /var/ldap?
>
> ls -l /var/ldap/
> total 7
> -rw-r--r-- 1 root root 2368 2012-09-02 15:28 cachemgr.log
> -r-------- 1 root root 100 2012-09-02 11:16 ldap_client_cred
> -r-------- 1 root root 371 2012-09-02 11:16 ldap_client_file
> drwxr-xr-x 2 root root 4 2012-09-02 11:16 restore
>
> What is the content of the /var/ldap/ldap_client_file?
>
>
> #
> # Do not edit this file manually; your changes will be lost.Please use
> ldapclient (1M) instead.
> #
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= kdc.ipa.asenjo.nx
> NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=asenjo,dc=nx
> NS_LDAP_AUTH= none
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_TIME= 15
> NS_LDAP_PROFILE= default
> NS_LDAP_SERVICE_SEARCH_DESC=
> passwd:cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx
> NS_LDAP_SERVICE_SEARCH_DESC=
> group:cn=groups,cn=compat,dc=ipa,dc=asenjo,dc=nx
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
> Thanks for your tips. I think there might just be something broken with
> the ldap/client service in openindiana. This DUAProfile thing is
> really nice to use.
>
Agreed, it sounds like a bug in OpenIndiana.
That's odd. A service becomes temporarily disabled usually when a
service it depends on cannot start due to failed dependencies or fails to
start. On the SPARC platform you can boot with "boot -v" to get a
verbose startup. Adding "-v" to the $kernel line in GRUB manually at
startup will display a verbose startup on the X86 platform. Be aware, it
will get really verbose.
Are you using a static IP or DHCP?
Rgds,
Siggi
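
An added example, not part of the original message: a shell sketch that separates the two things being checked in this thread, namely whether the instance is disabled persistently or only through a temporary override, and whether any dependency listed by `svcs -d` is not online. The SMF property names `general/enabled` and `general_ovr/enabled` come from SMF itself, not from the thread; the function names and the sample dependency listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify an SMF instance's enabled
# state and list dependencies that are not online.

# enabled_state PERSISTENT [OVERRIDE]
#   PERSISTENT: value of general/enabled (true|false)
#   OVERRIDE:   value of general_ovr/enabled, omitted when no override is set
enabled_state() {
    persistent=$1
    override=${2:-unset}
    case "$persistent/$override" in
        true/false) echo temporarily-disabled ;;  # matches "Temporarily disabled"
        false/true) echo temporarily-enabled ;;
        true/*)     echo enabled ;;
        false/*)    echo disabled ;;
        *)          echo unknown ;;
    esac
}

# not_online_deps: read `svcs -d <fmri>` output on stdin and print the FMRI
# of every dependency whose STATE column is not "online".
not_online_deps() {
    awk 'NR > 1 && $1 != "online" { print $3 }'
}

# diagnose FMRI: run the checks against a live illumos/Solaris host.
diagnose() {
    fmri=$1
    p=$(svcprop -p general/enabled "$fmri")
    o=$(svcprop -p general_ovr/enabled "$fmri" 2>/dev/null) || o=unset
    echo "$fmri: $(enabled_state "$p" "$o")"
    svcs -d "$fmri" | not_online_deps | sed 's/^/  dependency not online: /'
}

# Constructed sample in the format of the `svcs -d ldap/client` output quoted
# above, with one dependency changed to "offline" to show the filter working.
SAMPLE_DEPS='STATE          STIME    FMRI
online         19:51:58 svc:/system/filesystem/minimal:default
offline        19:51:59 svc:/network/initial:default
online         19:52:10 svc:/network/location:default'

# Only touch the live system when the SMF tools exist on this host.
if command -v svcprop >/dev/null 2>&1; then
    diagnose "${1:-svc:/network/ldap/client:default}"
fi
```

A result of `temporarily-disabled` with an empty dependency list corresponds to the situation reported in the quoted `svcs -xv` output.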