<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09/02/2012 08:21 PM, Natxo Asenjo
wrote:<br>
</div>
<blockquote
cite="mid:CAHBEJzVmiQ-QLEeAsqK=Dhx7yEm6r1Y=h6qwC4qY_nSvOkGOjw@mail.gmail.com"
type="cite">
<div class="gmail_quote">On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn
Lie <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:sigbjorn@nixtra.com" target="_blank">sigbjorn@nixtra.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<div>On 09/02/2012 04:37 PM, Natxo Asenjo wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">One thing I have not yet gotten to work
is that these changes are not persistent accross
reboots. The ldapclient config stays, but the service
ldap/client does not start (stays disabled) and
nsswitch.conf missess the ldap entries. So far I am
fixing this from cfengine (gotta love it).<br>
<br>
So apparently, for solaris 10 and newer versions, the
procedure outlined in <a moz-do-not-send="true"
href="http://freeipa.com/page/ConfiguringSolarisClients"
target="_blank">http://freeipa.com/page/ConfiguringSolarisClients</a>
is no longer necessary as far as the ldap client is
concerned.<br>
<br>
</div>
</div>
</blockquote>
<br>
I'm using Nexenta as an IPA client, another derivative of
OpenSolaris. I use a DUAProfile with ldapclient. This stays
configured and the ldap/client service is enabled across
reboots.<br>
<br>
<br>
There is a DUAProfile included by default with IPA, but it
requires some tweaking to support more than just the basic
features. See this bugzilla for a more comprehensive
example:<br>
<br>
<a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=815515"
target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=815515</a><br>
<br>
</div>
</blockquote>
<div>ok, looks nice. I did not know about this automatic config
tool. So If run ldapclient init -a profileName=default
kdc.ipa.asenjo.nx it should work. Yes it does, awesome.<br>
<br>
Unfortunately, it keeps stopping after a reboot:<br>
<br>
Sep 2 20:05:19 Enabled. ]<br>
[ Sep 2 20:05:31 Executing start method
("/lib/svc/method/ldap-client start"). ]<br>
[ Sep 2 20:05:38 Method "start" exited with status 0. ]<br>
[ Sep 2 20:05:38 Stopping because service disabled. ]<br>
[ Sep 2 20:05:38 Executing stop method
("/lib/svc/method/ldap-client stop"). ]<br>
[ Sep 2 20:05:38 Method "stop" exited with status 0. ]<br>
<br>
<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
There is also some more info about configuring Solaris
clients in this bugzilla:<br>
<br>
<a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=815533"
target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=815533</a><br>
<br>
<br>
The ldap/client service is enabled when you run the
ldapclient script. There should be no need for doing this
manually. When you run ldapclient, run it with the -v flag
and look for errors.<br>
<br>
</div>
</blockquote>
<div><br>
I have rerun ldapclient after running ldapclient uninit and
saw no errors.<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> After a reboot, what
does "svcs -xv ldap/client" output? <br>
</div>
</blockquote>
<div><br>
# svcs -xv ldap/client<br>
svc:/network/ldap/client:default (LDAP client)<br>
State: disabled since September 2, 2012 08:05:38 PM CEST<br>
Reason: Temporarily disabled by an administrator.<br>
See: <a moz-do-not-send="true"
href="http://illumos.org/msg/SMF-8000-1S">http://illumos.org/msg/SMF-8000-1S</a><br>
See: man -M /usr/share/man -s 1M ldap_cachemgr<br>
See: /var/svc/log/network-ldap-client:default.log<br>
Impact: This service is not running.<br>
<br>
But I have not temporarily disabled it (option -t to svcadm, I
believe).<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div> Is the services is depend on in online state? "svcs -d
ldap/client"<br>
<br>
</div>
</blockquote>
<div> # svcs -d ldap/client<br>
STATE STIME FMRI<br>
online 19:51:58 svc:/system/filesystem/minimal:default<br>
online 19:51:59 svc:/network/initial:default<br>
online 19:52:10 svc:/network/location:default<br>
<br>
</div>
</div>
</blockquote>
<blockquote
cite="mid:CAHBEJzVmiQ-QLEeAsqK=Dhx7yEm6r1Y=h6qwC4qY_nSvOkGOjw@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div> What does /var/svc/log/network-ldap-client:default.log
display after a reboot?<br>
<br>
</div>
</blockquote>
see above.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> What files do you have
in /var/ldap?<br>
</div>
</blockquote>
<div> </div>
<div> ls -l /var/ldap/<br>
total 7<br>
-rw-r--r-- 1 root root 2368 2012-09-02 15:28 cachemgr.log<br>
-r-------- 1 root root 100 2012-09-02 11:16 ldap_client_cred<br>
-r-------- 1 root root 371 2012-09-02 11:16 ldap_client_file<br>
drwxr-xr-x 2 root root 4 2012-09-02 11:16 restore<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> What is the content of
the /var/ldap/ldap_client_file? <br>
</div>
</blockquote>
<div bgcolor="#FFFFFF" text="#000000"><br>
#<br>
# Do not edit this file manually; your changes will be
lost.Please use ldapclient (1M) instead.<br>
#<br>
NS_LDAP_FILE_VERSION= 2.0<br>
NS_LDAP_SERVERS= kdc.ipa.asenjo.nx<br>
NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=asenjo,dc=nx<br>
NS_LDAP_AUTH= none<br>
NS_LDAP_SEARCH_REF= TRUE<br>
NS_LDAP_SEARCH_TIME= 15<br>
NS_LDAP_PROFILE= default<br>
NS_LDAP_SERVICE_SEARCH_DESC=
passwd:cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx<br>
NS_LDAP_SERVICE_SEARCH_DESC=
group:cn=groups,cn=compat,dc=ipa,dc=asenjo,dc=nx<br>
NS_LDAP_BIND_TIME= 5<br>
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount<br>
<br>
Thank for your tips. I think there might just be something
broken with the ldap/client service in openindiana. This
DUAProfile thing is really nice to use<br>
<br>
</div>
</div>
</blockquote>
Agreed, it sounds like a bug in OpenIndiana. <br>
<br>
That's odd. A service becomes temporarily disabled usually when a
service it depends on cannot start due to failed depedencies or
fails to start. On the SPARC platform you can boot with "boot -v" to
get a verbose startup. Adding "-v" to the $kernel line in GRUB
manually at startup will display a verbose startup on the X86
platform. Be aware, it will get really verbose.<br>
<br>
Are you using a static IP or DHCP?<br>
<br>
<br>
Rgds,<br>
Siggi<br>
<br>
<br>
</body>
</html>