<div dir="ltr">Hi<div><br></div><div>Oops sorry. i wrongly addressed you. Actually that question i asked is to Mr. Watson.</div><div><br></div><div>Regards,</div><div>Ben<br><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jan 3, 2015 at 10:17 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 01/03/2015 03:26 AM, Ben .T.George
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi <span style="font-size:13px">Dmitri </span>
<div><br>
<div><span style="font-size:13px"><br>
</span></div>
<div><font color="#000000"><span style="font-size:13px">i was
trying this from last 3 weeks. can you please give us
more details about this. I tried </span><span style="font-size:13px">ldapclient</span><span style="font-size:13px"> and i got lot of dependency
service related error. can you please give me list of
services and configuration file need to change/enable
before trying </span><span style="font-size:13px">ldapclient</span><span style="font-size:13px"> ?</span></font></div>
<div><span style="font-size:13px"><font color="#000000"><br>
</font></span></div>
<div><span style="font-size:13px"><font color="#000000">once
again thanks for your effort.</font></span></div>
<div><span style="font-size:13px"><font color="#000000"><br>
</font></span></div>
</div>
</div>
</blockquote>
<br></span>
Hi Ben,<br>
<br>
I am a bit confused. My last suggestion was for you to add a wiki
page to FreeIPA.org because you indicated that you got it working.<br>
Rob, maybe this is the comment for you.<br>
<br>
Thanks<span class="HOEnZb"><font color="#888888"><br>
Dmitri</font></span><div><div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><span style="font-size:13px"><font color="#000000"><br>
</font></span></div>
<div><span style="font-size:13px"><font color="#000000"><br>
</font></span></div>
<div><span style="font-size:13px"><font color="#000000">Thanks
& Regards,</font></span></div>
<div><span style="font-size:13px"><font color="#000000">Ben</font></span></div>
<div><span style="color:rgb(80,0,80);font-size:13px"><br>
</span></div>
<div><span style="color:rgb(80,0,80);font-size:13px"><br>
</span></div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sat, Jan 3, 2015 at 12:11 AM,
Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 01/02/2015 03:17 PM, Watson, Dan wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I finally got it working; the default setup of
"ldapclient init" missed the special mapping for
netgroups, so I had to do a manual setup that
included the mapping.<br>
<br>
<pre>ldapclient manual \
  -a credentialLevel=anonymous \
  -a authenticationMethod=none \
  -a defaultSearchBase=dc=domain,dc=name \
  -a domainName=domain.name \
  -a defaultServerList=server.domain.name \
  -a objectClassMap=shadow:shadowAccount=posixaccount \
  -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
  -a serviceSearchDescriptor='group:cn=groups,cn=accounts,dc=bcferries,dc=corp' \
  -a serviceSearchDescriptor='sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp' \
  -a serviceSearchDescriptor='netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp'</pre>
<br>
It's the last line that forces the OS level ldap
client to look in the rich location for the netgroup
information. I hope this helps the next person.<br>
</blockquote>
<br>
</span>
Would you mind creating a wiki page with the solution on
the wiki?
<div>
<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Thanks for all the help!<br>
Dan<br>
-----Original Message-----<br>
From: Watson, Dan<br>
Sent: January 02, 2015 11:41 AM<br>
To: 'Rob Crittenden'; <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a><br>
Subject: RE: [Freeipa-users] Integration with
Solaris 10<br>
<br>
Hi Rob,<br>
<br>
Thanks for the reply. Unfortunately
/usr/bin/getent on my system doesn't seem to like
the netgroup option:<br>
<pre>-bash-3.2# getent netgroup test1
Unknown database: netgroup
usage: getent database [ key ... ]
-bash-3.2# uname -a
SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120
-bash-3.2# cat /etc/release
                       Solaris 10 10/09 s10s_u8wos_08a SPARC
           Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 16 September 2009
-bash-3.2#</pre>
<br>
Thanks!<br>
Dan<br>
<br>
-----Original Message-----<br>
From: Rob Crittenden [mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>]<br>
Sent: January 02, 2015 10:15 AM<br>
To: Watson, Dan; <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a><br>
Subject: Re: [Freeipa-users] Integration with
Solaris 10<br>
<br>
Watson, Dan wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi All,<br>
<br>
I've lurked in the list history and cannot find
anyone saying they have gotten login
restrictions working with Solaris 10 u8. Has
anyone on here successfully configured login
restrictions on Solaris 10 u8 through u11? I'm
looking for specific instructions from someone
who has gotten this to work before.<br>
<br>
The two main routes to login restrictions I
could find online are Netgroups or conditional
ldap queries in ldapclient<br>
<br>
I initially tried netgroups but wasn't sure how
to troubleshoot when it didn't work. There
don't seem to be any user-land tools to query
netgroups, and further investigation turned up an
issue with OpenLDAP. It seems the built-in
Solaris 10 ldap client expects schema RFC2307bis
and not the OpenLDAP standard RFC2307
(explanation here <a href="http://www.openldap.org/lists/openldap-software/200501/msg00309.html" target="_blank">http://www.openldap.org/lists/openldap-software/200501/msg00309.html</a>).
Does anyone know if this issue applies to IPA?
Or how I check?<br>
<br>
The alternative of passing a restrictive query
to ldapclient seems like a good route but
doesn't seem to work. The common solution when
using the old SunOne directory server was to
pass the ldapclient (command line ldap
configuration tool) an option like
"passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
(from here <a href="https://community.oracle.com/thread/2014224?start=0&tstart=0" target="_blank">https://community.oracle.com/thread/2014224?start=0&tstart=0</a>)
which is supposed to restrict account checking
to only people in ou=people,o=myorg,c=de who are
also members of cn=unixadmins,ou=groups,o=myorg,c=de.
Unfortunately this doesn't seem to work in IPA,
first of all because there is no "isMemberof"
attribute on a user, but it also doesn't work on
other attributes like uid or uidNumber. One
possible explanation I've found is that these
attributes are not indexed, but I have no idea
if this is correct or how to add them to be
indexed.<br>
<br>
Has anyone else solved this? I just need to be
able to allow only a specific user group to log
in to the host; unfortunately the ssh directive
"AllowGroups" is not good enough, as this has to be
system wide: we also have samba and some other
services that rely on system authentication.<br>
<br>
Can anyone be of some help?<br>
<br>
Thanks!<br>
Dan<br>
<br>
</blockquote>
You can use getent netgroup &lt;name&gt; to get a
specific netgroup.<br>
<br>
Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com<br>
<br>
rob<br>
<br>
</blockquote>
<br>
<br>
-- <br>
</div>
</div>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager IdM portfolio<br>
Red Hat, Inc.
<div>
<div><br>
<br>
-- <br>
Manage your subscription for the Freeipa-users
mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
<div>
<div dir="ltr">
<div><span style="border-collapse:collapse"><font size="1" face="'courier new', monospace"><font color="#ff9900"><br>
</font></font></span></div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>
</div></div></div>
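The fix Dan arrived at in the thread above is that a plain "ldapclient init" leaves out the netgroup serviceSearchDescriptor (and the shadow objectClassMap), so the Solaris client never looks in IPA's cn=compat tree. The script below is an added example, not code from the thread or from the FreeIPA project: a small POSIX sh check that reads the text of a Solaris ldapclient profile (the NS_LDAP_* line format of "ldapclient list" and /var/ldap/ldap_client_file, as assumed here) and reports whether those two settings are present. The two profile samples are constructed, with dc=example,dc=com standing in for a real base DN.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a Solaris 10
# ldapclient profile for the settings "ldapclient init" is reported to miss.
# Input is the text printed by `ldapclient list` (NS_LDAP_* lines; assumed
# format). Both samples below are constructed for this example.

# Profile after a manual setup that includes the netgroup mapping.
SAMPLE_OK='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= server.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= none
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=accounts,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=com
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount'

# Profile as a default "ldapclient init" might leave it: no netgroup SSD,
# no shadow objectClassMap.
SAMPLE_DEFAULT='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= server.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= none
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=com'

# ssd_base SERVICE PROFILE_TEXT
# Print the search base configured for SERVICE (passwd, group, netgroup, ...);
# print nothing when the profile has no serviceSearchDescriptor for it.
ssd_base() {
    printf '%s\n' "$2" \
        | sed -n "s/^NS_LDAP_SERVICE_SEARCH_DESC= *$1:\(.*\)$/\1/p" \
        | head -n 1
}

# check_profile PROFILE_TEXT
# Print one finding per line and return 0 only when both settings are present.
check_profile() {
    rc=0
    ng=$(ssd_base netgroup "$1")
    if [ -z "$ng" ]; then
        echo "MISSING: no serviceSearchDescriptor for netgroup (netgroup lookups will fail)"
        rc=1
    else
        case "$ng" in
            *cn=compat,*) echo "OK: netgroup base $ng (IPA compat tree)" ;;
            *) echo "WARN: netgroup base $ng is not under cn=compat"; rc=1 ;;
        esac
    fi
    # LDAP object class names are case-insensitive, hence grep -i.
    if printf '%s\n' "$1" \
        | grep -qi '^NS_LDAP_OBJECTCLASSMAP= *shadow:shadowAccount=posixAccount$'; then
        echo "OK: objectClassMap shadow:shadowAccount=posixAccount"
    else
        echo "MISSING: objectClassMap shadow:shadowAccount=posixAccount"
        rc=1
    fi
    return $rc
}

# Stand-alone run over the constructed samples; on a real host you would
# call:  check_profile "$(ldapclient list)"
echo "== manual profile =="
check_profile "$SAMPLE_OK"
echo "== default profile =="
check_profile "$SAMPLE_DEFAULT" || echo "profile needs the netgroup mapping"
```

On a Solaris host the check is simply `check_profile "$(ldapclient list)"`; a non-zero return is the cue to rerun `ldapclient manual` with the netgroup serviceSearchDescriptor and objectClassMap lines from Dan's command, substituting your own base DN.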