<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09/07/2012 08:38 PM, Dmitri Pal
wrote:<br>
</div>
<blockquote cite="mid:504A3F0A.4090402@redhat.com" type="cite">
On 09/02/2012 12:58 PM, Sigbjorn Lie wrote:
<blockquote cite="mid:50439019.8080804@nixtra.com" type="cite">
<div class="moz-cite-prefix">On 09/02/2012 04:37 PM, Natxo
Asenjo wrote:<br>
</div>
<blockquote
cite="mid:CAHBEJzU64GJLYUwpJxUw7eqC6zc0A7cnGp0j4rUD3E3q3tY-Vg@mail.gmail.com"
type="cite">hi,<br>
<br>
Recently I have been playing with the zfs for its native nfs4
acl capabilities. I have used openindiana for this. For those
wondering about openindiana, it is a distribution of the
former opensolaris code.<br>
<br>
I got the ldap client to work for retrieving user/group info
from ipa using the ldapclient command:<br>
<br>
# ldapclient manual \<br>
-a authenticationMethod=none \<br>
-a defaultSearchBase=<strong>dc=ipa,dc=asenjo,dc=nx</strong> \<br>
-a domainName=<strong>ipa.asenjo.nx</strong> \<br>
-a defaultServerList=kdc.ipa.asenjo.nx \<br>
-a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub'
\<br>
-a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub'
[enter]<br>
<br>
you need to enable the ldap/client service:<br>
<br>
# svcadm enable ldap/client:default [enter]<br>
<br>
After which, modify /etc/nsswitch.conf to add the ldap
provider for passwd and group:<br>
<br>
passwd: files ldap<br>
group: files ldap<br>
<br>
That's it, test it:<br>
<br>
# id admin<br>
uid=642800000(admin) gid=642800000(admins)
groups=642800000(admins)<br>
<br>
# getent passwd admin<br>
admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash<br>
<br>
So it works. The kerberos stuff will be next ...<br>
<br>
One thing I have not yet gotten to work is that these changes
are not persistent across reboots. The ldapclient config
stays, but the service ldap/client does not start (stays
disabled) and nsswitch.conf misses the ldap entries. So far I
am fixing this from cfengine (gotta love it).<br>
<br>
So apparently, for solaris 10 and newer versions, the
procedure outlined in <a moz-do-not-send="true"
href="http://freeipa.com/page/ConfiguringSolarisClients">http://freeipa.com/page/ConfiguringSolarisClients</a>
is no longer necessary as far as the ldap client is concerned.<br>
<br>
<br clear="all">
--<br>
Groeten,<br>
natxo<br>
<br>
</blockquote>
Hi,<br>
<br>
I'm using Nexenta as an IPA client, another derivative of
OpenSolaris. I use a DUAProfile with ldapclient. This stays
configured and the ldap/client service is enabled across
reboots.<br>
<br>
<br>
There is a DUAProfile included by default with IPA, but it
requires some tweaking to support more than just the basic
features. See this bugzilla for a more comprehensive example:<br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://bugzilla.redhat.com/show_bug.cgi?id=815515">https://bugzilla.redhat.com/show_bug.cgi?id=815515</a><br>
<br>
<br>
There is also some more info about configuring Solaris clients
in this bugzilla:<br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://bugzilla.redhat.com/show_bug.cgi?id=815533">https://bugzilla.redhat.com/show_bug.cgi?id=815533</a><br>
</blockquote>
<br>
Siggi, can you please review <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html">http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html</a>
and confirm that this is correct and has the latest?<br>
<br>
If you find some inconsistency, would you mind filing a Fedora doc bug?<br>
</blockquote>
<br>
There are some issues in that document.<br>
<br>
I have been working with Rob with regards to the previous 2 bugzilla
doc bugs I opened:<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=815533">https://bugzilla.redhat.com/show_bug.cgi?id=815533</a><br>
<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=815515">https://bugzilla.redhat.com/show_bug.cgi?id=815515</a><br>
<br>
These BZs cover configuring a DUA profile and configuring Solaris 10
as an IPA client.<br>
<br>
I presume Rob's work will become the new Solaris 10 IPA Client
documentation for both Fedora and RHEL?<br>
<br>
<br>
Rgds,<br>
Siggi<br>
<br>
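<br>
Added example, not part of the original thread: the first message reports that nsswitch.conf loses its ldap entries for passwd and group after a reboot and that this is being corrected from cfengine. The POSIX shell functions below reassert those entries idempotently; the function names and the sample file contents are assumptions made for illustration.<br>
<pre>
```sh
#!/bin/sh
# Added example: keep "ldap" listed for passwd/group in nsswitch.conf.
# Function names and sample contents are constructed for illustration.

# Print FILE with "ldap" ensured as a source on DB's line (e.g. passwd).
nss_with_ldap() {
    awk -v db="$2" '
    {
        body = $0; comment = ""
        p = index(body, "#")                # split off a trailing comment
        if (p > 0) { comment = " " substr(body, p); body = substr(body, 1, p - 1) }
        n = split(body, f)                  # f[1] is "passwd:", "group:", ...
        if (f[1] == db ":") {
            seen = 1; has = 0
            for (i = n; i > 1; i--) if (f[i] == "ldap") has = 1
            if (!has) {
                sub(/[ \t]+$/, "", body)
                $0 = body " ldap" comment   # append after existing sources
            }
        }
        print
    }
    END { if (!seen) print db ": files ldap" }  # no entry at all: add one
    ' "$1"
}

# Rewrite FILE in place only when needed; prints "changed" or "ok".
ensure_ldap_source() {
    tmp="$1.new.$$"
    nss_with_ldap "$1" "$2" > "$tmp" || return 1
    if cmp -s "$1" "$tmp"; then
        rm -f "$tmp"; echo "ok"
    else
        cat "$tmp" > "$1"; rm -f "$tmp"; echo "changed"  # keeps owner/mode
    fi
}

# Demo on a constructed file (not a real /etc/nsswitch.conf).
demo() {
    f=$(mktemp)
    printf '%s\n' 'passwd: files   # local first' 'group: files' 'hosts: files dns' > "$f"
    ensure_ldap_source "$f" passwd
    ensure_ldap_source "$f" group
    ensure_ldap_source "$f" passwd      # second run is a no-op
    cat "$f"; rm -f "$f"
}
demo
```
</pre>
Commented-out entries are ignored, so a line such as "#group: files ldap" does not count as configured.<br>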
</body>
</html>