[Freeipa-users] openindiana ldap client

Dmitri Pal dpal at redhat.com
Fri Sep 7 18:38:02 UTC 2012


On 09/02/2012 12:58 PM, Sigbjorn Lie wrote:
> On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
>> hi,
>>
>> Recently I have been playing with the zfs for its native nfs4 acl
>> capabilities. I have used openindiana for this. For those wondering
>> about openindiana, it is a distribution of the former opensolaris code.
>>
>> I got the ldap client to work for retrieving user/group info from
>> ipa using the ldapclient command:
>>
>>  # ldapclient manual \
>> -a authenticationMethod=none \
>> -a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \
>> -a domainName=ipa.asenjo.nx \
>> -a defaultServerList=kdc.ipa.asenjo.nx \
>> -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
>> -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]
>>
>> you need to enable the ldap/client service:
>>
>> # svcadm enable ldap/client:default [enter]
>>
>> After which, modify /etc/nsswitch.conf to add the ldap provider for
>> passwd and group:
>>
>> passwd:     files ldap
>> group:      files ldap
>>
>> That's it, test it:
>>
>> # id admin
>> uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)
>>
>> # getent passwd admin
>> admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash
>>
>> So it works. The kerberos stuff will be next ...
>>
>> One thing I have not yet gotten to work is that these changes are not
>> persistent across reboots. The ldapclient config stays, but the
>> service ldap/client does not start (stays disabled) and nsswitch.conf
>> misses the ldap entries. So far I am fixing this from cfengine
>> (gotta love it).
>>
>> So apparently, for solaris 10 and newer versions, the procedure
>> outlined in http://freeipa.com/page/ConfiguringSolarisClients is no
>> longer necessary as far as the ldap client is concerned.
>>
>>
>> --
>> Groeten,
>> natxo
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Hi,
>
> I'm using Nexenta as an IPA client, another derivative of OpenSolaris.
> I use a DUAProfile with ldapclient. This stays configured and the
> ldap/client service is enabled across reboots.
>
>
> There is a DUAProfile included by default with IPA, but it requires
> some tweaking to support more than just the basic features. See this
> bugzilla for a more comprehensive example:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
>
> There is also some more info about configuring Solaris clients in this
> bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815533

Siggi, can you please review
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
and confirm that this is correct and has the latest?

If you find some inconsistency, would you mind filing a Fedora doc bug?

>
>
> The ldap/client service is enabled when you run the ldapclient script.
> There should be no need for doing this manually.  When you run
> ldapclient, run it with the -v flag and look for errors.
>
> After a reboot, what does "svcs -xv ldap/client" output?
>
> Are the services it depends on in online state? "svcs -d ldap/client"
>
> What does /var/svc/log/network-ldap-client:default.log display after a
> reboot?
>
> What files do you have in /var/ldap?
>
> What is the content of the /var/ldap/ldap_client_file?
>
>
>
> Regards,
> Siggi
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

