[Fedora-directory-users] Solaris Native LDAP Client against FDS7.1 Server

Rich Megginson rmeggins at redhat.com
Fri Jul 15 18:08:03 UTC 2005


George Holbert wrote:

>>
>>
>> So if there is an existing Solaris8/9 DS5.2 server, simply copy
>> 99user.ldif from DS5.2 over to FDS7.1.
>>
>
> One caution about this:  99user.ldif stores ALL schema changes you 
> make to the directory server via ldapmodify.  This is not necessarily 
> just DUAConfigProfile and other Solaris client schema updates.
>
>> DUAConfigProfile.schema + solaris.schema = 99user.ldif
>>
> This is true if you install a fresh SunDS 5.2 or FDS 7.1 directory 
> server, and then add the schema changes in DUAConfigProfile.schema and 
> solaris.schema via ldapmodify.  Sun's favorite way of making these 
> changes is the Solaris script: /usr/lib/ldap/idsconfig

Right.  So you could just use this script
http://www.directory.fedora.redhat.com/download/ol-schema-migrate.pl
and do

  perl ol-schema-migrate.pl DUAConfigProfile.schema > slapd-foo/config/schema/61duaconfigprofile.ldif

and

  perl ol-schema-migrate.pl solaris.schema > slapd-foo/config/schema/61solaris.ldif

>
>
>
> Tay, Gary wrote:
>
>> IIRC the two .schema files in my OpenLDAP HOW-TO are actually equivalent
>> to the 99user.ldif file (residing in
>> $LDAP_ROOT/slapd-`hostname`/config/schema) provided by SUN ONE
>> DS5.2, i.e.
>>
>> DUAConfigProfile.schema + solaris.schema = 99user.ldif.
>>
>> So if there is an existing Solaris8/9 DS5.2 server, simply copy
>> 99user.ldif from DS5.2 over to FDS7.1.
>>
>> Someone who is using Oracle Internet Directory had asked me in
>> supportforum.sun.com how to configure Solaris Native LDAP Client to
>> authenticate against OID; I gave some brief instructions there, which I
>> have reproduced and modified a bit as quick notes here.
>>
>> PLEASE NOTE that I haven't tried these steps but believe they should work
>> as FDS7.1 is similar to DS5.2; anyone who has tried these, please feel
>> free to comment and add.
>>
>> ===
>> To make Solaris Native LDAP Clients (Solaris8 or Solaris9) work
>> against an FDS7.1 Server, you would have to do a little hacking to make
>> the FDS7.1 Server act like a SUN DS5.2 ldapclient profile(s) provider,
>> as described in the following notes:
>>
>> - Add "nisDomain" to rootDN object (eg: object is dc=example,dc=com) so
>> that "ldapclient" will be able to find this nisDomainObject, using
>> ldapmodify or GUI based tools.
>>
>> objectClass: nisDomainObject
>> nisDomain: example.com
>>
>> - Copy schema 99user.ldif from DS5.2 to FDS7.1
>>
>> - Create the ou=profile OU object and add cn=ProxyAgent as the
>> proxy-credentials user under it
>>
>> - Create "default" or "customized" ldapclient profile(s) under the
>> ou=profile subtree for simple bind or simple bind + TLS or whatever,
>> using manually prepared ldif file or ldif generated by "ldapclient
>> genprofile" command, read "man ldapclient" for more details.
>>
>> - Set up two ACLs under the dc=example,dc=com object; ACL1 should appear
>> before ACL2. They are actually present in any typical SUN ONE DS5.2.
>>
>> 1. LDAP_Naming_Services_deny_write_access
>> (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)
>>
>> 2. LDAP_Naming_Services_proxy_password_read
>> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
>>
>> Tips: delete the word "read" if you do not want "ldaplist -l passwd" to
>> list userPassword(s), i.e. it becomes:
>>
>> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
>>
>> - It is advisable to set the password hash scheme to CRYPT in FDS7.1.
>>
>> - It is advisable to add "shadowAccount" objectclass to your user
>> entries, on top of "posixAccount".
>>
>> - Note that Solaris "ldapclient" has an irritating habit of resetting
>> the "hosts:" entry to "hosts: files ldap" or something that puts
>> "ldap" in front of "dns"; this should be adjusted back to "hosts: files
>> dns", otherwise things like telnet/ftp/ssh will break on hostname
>> lookup as the hosts lookup using "ldap" goes recursive.
>>
>> Rgds
>> Gary
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
>> Megginson
>> Sent: Friday, July 15, 2005 3:21 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Solaris Client
>>
>>
>> Brian Martinez wrote:
>>
>>> George,
>>>
>>> That is correct, we are attempting to use the FDS7 as a central
>>> authentication system for Solaris 10 NSS Clients with a PAM backend.
>>>
>>> We believe that we are missing the proper schemas on the server
>>> (DUAConfigProfile and Solaris) to support the Solaris Clients.  The
>>> ones on Tay's website seem to be in the wrong format (schema instead
>>> of ldif)...or we just don't know how to import them!
>>
>>
>> You can use this script 
>> http://www.directory.fedora.redhat.com/download/ol-schema-migrate.pl
>> found on this page 
>> http://directory.fedora.redhat.com/wiki/Howto:OpenLDAPMigration
>> to convert .schema files to .ldif schema files, e.g.
>>
>>   perl ol-schema-migrate.pl solaris.schema > slapd-myhost/config/schema/61solaris.ldif
>>
>> Then restart slapd.
>>
>>> We have been scrounging his site for clues/ideas...developers on the
>>> client side are convinced the server is the issue...developers on
>>> the server side believe it is the client.  My take is that we
>>> already have the server "most" of the way, because we are successfully
>>> authenticating Linux clients securely to the FDS7 server and we are
>>> missing some essential piece on the server side to solve the Solaris
>>> puzzle.
>>>
>>> If you have any further thoughts, ideas, or prayers...feel free to
>>> send them our way.
>>>
>>>
>>>> From: "George Holbert" <gholbert at broadcom.com>
>>>> Reply-To: "General discussion list for the Fedora Directory server
>>>> project." <fedora-directory-users at redhat.com>
>>>> To: "General discussion list for the Fedora Directory server 
>>>> project." <fedora-directory-users at redhat.com>
>>>> Subject: Re: [Fedora-directory-users] Solaris Client
>>>> Date: Thu, 14 Jul 2005 11:08:06 -0700
>>>>
>>>> Hi Brian,
>>>>
>>>> By "Solaris Clients", I assume you mean Solaris naming service (for
>>>> passwd, group, etc.).
>>>>
>>>> The answer is yes.  Any modern, properly configured LDAP server,
>>>> including Fedora DS, can support Solaris naming service.  However, 
>>>> getting the server "properly configured" can be tricky.
>>>>
>>>> However, since Sun's own directory server ("Sun Java Enterprise
>>>> System Directory Server") is so very similar to Fedora DS, much of 
>>>> the same preparation methods and documentation regarding SunDS will 
>>>> apply directly to Fedora DS.
>>>>
>>>> A good starting point would be Gary Tay's fine documentation at: 
>>>> http://web.singnet.com.sg/~garyttt/
>>>>
>>>> Gary's docs were written around iPlanet/Sun DS, but as I mentioned,
>>>> pretty much all of this should also apply to Fedora DS.
>>>>
>>>> Good luck!
>>>> -- George
>>>>
>>>>
>>>> Brian Martinez wrote:
>>>>
>>>>
>>>>> All,
>>>>>
>>>>> Does the Fedora DS support Solaris Clients?  If so, where can I find
>>>>> information, schema examples, etc....
>>>>>
>>>>> Thanks in advance,
>>>>> Brian
>>>>>
>>>>>
>>>>> -- 
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>
>>>
>>
>>
>

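The server-side steps in Gary's notes quoted above (nisDomainObject on the suffix, the ou=profile container with cn=proxyagent, and the two ACIs including the "delete the word read" variant) as one generated LDIF, an added example that is not part of the thread. The suffix, NIS domain, proxy password and the object classes of the proxy user are constructed assumptions, and the proxy password is a placeholder.

```python
import re

SUFFIX = "dc=example,dc=com"  # constructed; use your own suffix
PROXY_DN = f"cn=proxyagent,ou=profile,{SUFFIX}"

# Attributes ACL1 stops users from writing in their own entries (from the notes).
DENY_SELF_WRITE = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory",
                   "shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                   "shadowInactive", "shadowExpire", "shadowFlag", "memberUid")

def deny_write_aci():
    """ACL1: LDAP_Naming_Services_deny_write_access."""
    return ('(targetattr = "%s")(version 3.0; acl '
            'LDAP_Naming_Services_deny_write_access; deny (write) '
            'userdn = "ldap:///self";)' % "||".join(DENY_SELF_WRITE))

def proxy_password_aci(allow_read=False):
    """ACL2; allow_read=False is the tightened variant without 'read'."""
    rights = "compare,read,search" if allow_read else "compare,search"
    return ('(target="ldap:///%s")(targetattr="userPassword")(version 3.0; '
            'acl LDAP_Naming_Services_proxy_password_read; allow (%s) '
            'userdn = "ldap:///%s";)' % (SUFFIX, rights, PROXY_DN))

def aci_rights(aci):
    """Return ('allow'|'deny', rights) parsed from an ACI string, for review."""
    m = re.search(r"\b(allow|deny)\s*\(([^)]*)\)", aci)
    return m.group(1), tuple(r.strip() for r in m.group(2).split(","))

def build_ldif(nis_domain="example.com", proxy_password="CHANGEME",
               allow_read=False):
    """LDIF for 'ldapmodify -a -c -f': nisDomain, ACIs, ou=profile, proxyagent."""
    return "\n".join([
        f"dn: {SUFFIX}", "changetype: modify",
        "add: objectClass", "objectClass: nisDomainObject", "-",
        "add: nisDomain", f"nisDomain: {nis_domain}", "-",
        "add: aci", f"aci: {deny_write_aci()}",  # ACL1 listed first
        f"aci: {proxy_password_aci(allow_read)}", "",
        f"dn: ou=profile,{SUFFIX}", "changetype: add",
        "objectClass: top", "objectClass: organizationalUnit", "ou: profile", "",
        # Object classes for the proxy user are an assumption (idsconfig-style).
        f"dn: {PROXY_DN}", "changetype: add", "objectClass: top",
        "objectClass: person", "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson", "cn: proxyagent", "sn: proxyagent",
        f"userPassword: {proxy_password}", "",
    ])

if __name__ == "__main__":
    print(build_ldif())
```

Redirect the output to a file, review the ACIs with aci_rights(), and then load it with ldapmodify as the directory manager; the 99user.ldif/61*.ldif schema step from the thread still has to be done separately.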