
Re: [Freeipa-users] openindiana ldap client

On 09/02/2012 12:58 PM, Sigbjorn Lie wrote:
On 09/02/2012 04:37 PM, Natxo Asenjo wrote:

Recently I have been playing with the zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code.

I got the ldap client to work for retrieving user/group info from ipa using the ldapclient command:

 # ldapclient manual \
-a authenticationMethod=none \
-a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \
-a domainName=ipa.asenjo.nx \
-a defaultServerList=kdc.ipa.asenjo.nx \
-a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
-a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]

You need to enable the ldap/client service:

# svcadm enable ldap/client:default [enter]

After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group:

passwd:     files ldap
group:      files ldap

That's it, test it:

# id admin
uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)

# getent passwd admin

So it works. The kerberos stuff will be next ...

One thing I have not yet gotten to work is that these changes are not persistent across reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf misses the ldap entries. So far I am fixing this from cfengine (gotta love it).

So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned.


Freeipa-users mailing list
Freeipa-users redhat com

I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots.

There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example:


There is also some more info about configuring Solaris clients in this bugzilla:


Siggi, can you please review http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html and confirm that this is correct and has the latest?

If you find some inconsistency, would you mind filing a fedora doc bug?

The ldap/client service is enabled when you run the ldapclient script. There should be no need for doing this manually.  When you run ldapclient, run it with the -v flag and look for errors.

After a reboot, what does "svcs -xv ldap/client" output?

Are the services it depends on in an online state? "svcs -d ldap/client"

What does /var/svc/log/network-ldap-client:default.log display after a reboot?

What files do you have in /var/ldap?

What is the content of the /var/ldap/ldap_client_file?



Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
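
Added example, not part of the original messages: a check and repair for the nsswitch.conf drift reported in the thread, where passwd and group lose their ldap source after a reboot. The function names and the sample file are constructed for illustration, and a POSIX awk is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): detect and repair the nsswitch.conf
# drift described above. Function names are hypothetical.

# nss_has_source FILE DB SOURCE: succeeds if DB's active line lists SOURCE.
nss_has_source() {
    awk -v db="$2" -v src="$3" '
        { sub(/#.*/, ""); sub(/:/, ": ") }      # strip comments, split "db:src"
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == src) hit = 1 }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# nss_missing FILE: print each of passwd/group that lacks the ldap source.
nss_missing() {
    for db in passwd group; do
        nss_has_source "$1" "$db" ldap || printf '%s\n' "$db"
    done
}

# nss_add_ldap FILE: print FILE with "ldap" appended to passwd/group lines
# that lack it. Idempotent; trailing comments are kept. It only edits
# existing entries and does not create a missing passwd/group line.
nss_add_ldap() {
    awk '
        /^(passwd|group)[ \t]*:/ {
            body = $0; note = ""
            p = index($0, "#")
            if (p > 0) { body = substr($0, 1, p - 1); note = " " substr($0, p) }
            if (body !~ /[ \t:]ldap([ \t]|$)/) {
                sub(/[ \t]+$/, "", body)
                $0 = body " ldap" note
            }
        }
        { print }
    ' "$1"
}

# Constructed sample: the state seen after a reboot in the thread
# (ldap gone from passwd and group), plus a commented-out decoy line.
sample=$(mktemp)
printf '%s\n' '#passwd: files ldap' 'passwd:     files' \
    'group:      files   # local only' 'hosts:      files dns' > "$sample"
echo "missing before: $(nss_missing "$sample" | tr '\n' ' ')"
fixed=$(mktemp)
nss_add_ldap "$sample" > "$fixed"
echo "missing after:  $(nss_missing "$fixed" | tr '\n' ' ')"
```

nss_add_ldap writes to standard output, so the result can be compared with the live file before anything is replaced.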
