<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 09/02/2012 12:58 PM, Sigbjorn Lie wrote:
<blockquote cite="mid:50439019.8080804@nixtra.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 09/02/2012 04:37 PM, Natxo Asenjo
wrote:<br>
</div>
<blockquote
cite="mid:CAHBEJzU64GJLYUwpJxUw7eqC6zc0A7cnGp0j4rUD3E3q3tY-Vg@mail.gmail.com"
type="cite">hi,<br>
<br>
Recently I have been playing with the zfs for its native nfs4
acl capabilities. I have used openindiana for this. For those
wondering about openindiana, it is a distribution of the former
opensolaris code.<br>
<br>
I got the ldap client to work for retrieving user/group info
from ipa using the ldapclient command:<br>
<br>
# ldapclient manual \<br>
-a authenticationMethod=none \<br>
-a defaultSearchBase=<strong><span style="color: rgb(0, 0, 0);">dc=ipa,dc=asenjo,dc=nx</span></strong>
\<br>
-a domainName=<strong>ipa.asenjo.nx</strong> \<br>
-a defaultServerList=kdc.ipa.asenjo.nx \<br>
-a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \<br>
-a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub'
[enter]<br>
<br>
you need to enable the ldap/client service:<br>
<br>
# svcadm enable ldap/client:default [enter]<br>
<br>
After which, modify /etc/nsswitch.conf to add the ldap provider
for passwd and group:<br>
<br>
passwd: files ldap<br>
group: files ldap<br>
<br>
That's it, test it:<br>
<br>
# id admin<br>
uid=642800000(admin) gid=642800000(admins)
groups=642800000(admins)<br>
<br>
# getent passwd admin<br>
admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash<br>
<br>
So it works. The kerberos stuff will be next ...<br>
<br>
One thing I have not yet gotten to work is that these changes
are not persistent across reboots. The ldapclient config stays,
but the service ldap/client does not start (stays disabled) and
nsswitch.conf misses the ldap entries. So far I am fixing this
from cfengine (gotta love it).<br>
<br>
So apparently, for solaris 10 and newer versions, the procedure
outlined in <a moz-do-not-send="true"
href="http://freeipa.com/page/ConfiguringSolarisClients">http://freeipa.com/page/ConfiguringSolarisClients</a>
is no longer necessary as far as the ldap client is concerned.<br>
<br>
<br clear="all">
--<br>
Groeten,<br>
natxo<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
Hi,<br>
<br>
I'm using Nexenta as an IPA client, another derivative of
OpenSolaris. I use a DUAProfile with ldapclient. This stays
configured and the ldap/client service is enabled across reboots.<br>
<br>
<br>
There is a DUAProfile included by default with IPA, but it
requires some tweaking to support more than just the basic
features. See this bugzilla for a more comprehensive example:<br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://bugzilla.redhat.com/show_bug.cgi?id=815515">https://bugzilla.redhat.com/show_bug.cgi?id=815515</a><br>
<br>
<br>
There is also some more info about configuring Solaris clients in
this bugzilla:<br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://bugzilla.redhat.com/show_bug.cgi?id=815533">https://bugzilla.redhat.com/show_bug.cgi?id=815533</a><br>
</blockquote>
<br>
Siggi, can you please review
<a class="moz-txt-link-freetext" href="http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html">http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html</a>
and confirm that this is correct and has the latest?<br>
<br>
If you find some inconsistency, would you mind filing a fedora doc bug?<br>
<br>
<blockquote cite="mid:50439019.8080804@nixtra.com" type="cite"> <br>
<br>
The ldap/client service is enabled when you run the ldapclient
script. There should be no need for doing this manually. When you
run ldapclient, run it with the -v flag and look for errors.<br>
<br>
After a reboot, what does "svcs -xv ldap/client" output? <br>
<br>
Are the services it depends on in the online state? "svcs -d
ldap/client"<br>
<br>
What does /var/svc/log/network-ldap-client:default.log display
after a reboot?<br>
<br>
What files do you have in /var/ldap?<br>
<br>
What is the content of the /var/ldap/ldap_client_file? <br>
<br>
<br>
<br>
Regards,<br>
Siggi<br>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
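<br>
Added example (not code from the thread, from FreeIPA, or from any of the posters): a small POSIX sh script that turns the two diagnostic questions above, "did the ldap entries survive in nsswitch.conf?" and "what does SMF say about ldap/client after the reboot?", into a repeatable post-reboot check. The nsswitch.conf parsing runs anywhere; the <code>svcs</code>, <code>ldapclient list</code> and <code>/var/ldap</code> checks only run when <code>svcs</code> exists, i.e. on a Solaris-derived host. Function names, the <code>--check</code> flag and the sample nsswitch.conf content are assumptions made for the example. Note that the configuration as posted uses <code>authenticationMethod=none</code>, so the client reads passwd and group anonymously over plain LDAP; this script checks persistence only, not the bind or transport.<br>

```shell
#!/bin/sh
# Added example: verify that an ldapclient-based IPA setup on an
# OpenSolaris-derived host survived a reboot. Not from the original thread.

# nss_has_ldap FILE DB
#   Succeed (exit 0) if the "DB:" line in FILE lists "ldap" among its sources,
#   e.g. "passwd: files ldap". Comments are stripped first.
nss_has_ldap() {
    _file=$1
    _db=$2
    sed 's/#.*//' "$_file" | awk -v db="$_db" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_nsswitch FILE
#   Report whether passwd and group still name ldap as a source.
#   Return value is the number of databases that lost the ldap entry (0 = all good).
check_nsswitch() {
    _missing=0
    for _db in passwd group; do
        if nss_has_ldap "$1" "$_db"; then
            echo "ok: $_db lists ldap in $1"
        else
            echo "MISSING: $_db does not list ldap in $1"
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# smf_checks
#   The diagnostics asked for in the thread; only meaningful where SMF exists.
#   Each command is a real Solaris/illumos command; their output is for a human to read.
smf_checks() {
    if ! command -v svcs >/dev/null 2>&1; then
        echo "svcs not found; skipping SMF checks (not a Solaris-derived host)"
        return 0
    fi
    echo "== svcs -xv ldap/client =="
    svcs -xv ldap/client
    echo "== dependencies (svcs -d ldap/client) =="
    svcs -d ldap/client
    echo "== /var/ldap =="
    ls -l /var/ldap
    echo "== ldapclient list =="
    ldapclient list
    # The service log is the first place to look when the service stays disabled
    _log=/var/svc/log/network-ldap-client:default.log
    [ -r "$_log" ] && { echo "== tail of $_log =="; tail -n 20 "$_log"; }
    return 0
}

main() {
    check_nsswitch /etc/nsswitch.conf
    smf_checks
}

# Run with:  sh persist-check.sh --check   (assumed file name)
case "${1:-}" in
    --check) main ;;
esac
```

If <code>check_nsswitch</code> reports MISSING after a reboot while <code>ldapclient list</code> still shows the profile, the problem is the file being rewritten at boot rather than the LDAP configuration being lost, which matches the symptom described in the first message.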
</body>
</html>