[Fedora-directory-users] Solaris Native LDAP Client against FDS7.1Server

Tay, Gary Gary_Tay at platts.com
Fri Jul 15 18:32:59 UTC 2005


Thanks George and Rich for correcting me; now I understand why there seems to be some "extra" stuff in 99user.ldif, like the many "aci:" lines and so forth.
 
DUAConfigProfile.schema + solaris.schema != 99user.ldif
 
DUAConfigProfile.schema + solaris.schema ~= 61duaconfigprofile.ldif + 61solaris.ldif
 
Rgds
Gary

	-----Original Message----- 
	From: fedora-directory-users-bounces at redhat.com on behalf of Rich Megginson 
	Sent: Sat 7/16/2005 2:08 AM 
	To: General discussion list for the Fedora Directory server project. 
	Cc: 
	Subject: Re: [Fedora-directory-users] Solaris Native LDAP Client against FDS7.1Server
	
	

	George Holbert wrote:
	
	>>
	>>
	>> So if there is an existing Solaris8/9 DS5.2 server, simply copy
	>> 99user.ldif from DS5.2 over to FDS7.1.
	>>
	>
	> One caution about this:  99user.ldif stores ALL schema changes you
	> make to the directory server via ldapmodify.  This is not necessarily
	> just DUAConfigProfile and other Solaris client schema updates.
	>
	>> DUAConfigProfile.schema + solaris.schema = 99user.ldif
	>>
	> This is true if you install a fresh SunDS 5.2 or FDS 7.1 directory
	> server, and then add the schema changes in DUAConfigProfile.schema and
	> solaris.schema via ldapmodify.  Sun's favorite way of making these
	> changes is the Solaris script: /usr/lib/ldap/idsconfig
	
	Right.  So you could just use this script
	http://www.directory.fedora.redhat.com/download/ol-schema-migrate.pl
	and do perl ol-schema-migrate.pl DUAConfigProfile.schema >
	slapd-foo/config/schema/61duaconfigprofile.ldif
	and
	perl ol-schema-migrate.pl solaris.schema >
	slapd-foo/config/schema/61solaris.ldif
	
	>
	>
	>
	> Tay, Gary wrote:
	>
	>> IIRC the two .schema files in my OpenLDAP HOW-TO are actually equivalent
	>> to the 99user.ldif (residing in
	>> $LDAP_ROOT/slapd-`hostname`/config/schema) file provided by SUN ONE
	>> DS5.2, i.e.
	>>
	>> DUAConfigProfile.schema + solaris.schema = 99user.ldif.
	>>
	>> So if there is an existing Solaris8/9 DS5.2 server, simply copy
	>> 99user.ldif from DS5.2 over to FDS7.1.
	>>
	>> Someone who is using Oracle Internet Directory had asked me in
	>> supportforum.sun.com how to configure Solaris Native LDAP Client to
	>> authenticate against OID, I had some brief instructions given there, I
	>> reproduced and modified a bit as a quick notes here.
	>>
	>> PLEASE NOTE that I haven't tried these steps but believe they should work,
	>> as FDS7.1 is similar to DS5.2; anyone who has tried these, please feel free
	>> to comment and add.
	>>
	>> ===
	>> To make Solaris Native LDAP Clients (Solaris8 or Solaris9) work
	>> against an FDS7.1 Server, you would have to do a little hacking to make
	>> the FDS7.1 Server act like a SUN DS5.2 ldapclient profile(s) provider,
	>> as described in the following notes,
	>>
	>> - Add "nisDomain" to rootDN object (eg: object is dc=example,dc=com) so
	>> that "ldapclient" will be able to find this nisDomainObject, using
	>> ldapmodify or GUI based tools.
	>>
	>> objectClass: nisDomainObject
	>> nisDomain: example.com
	>>
	>> - Copy schema 99user.ldif from DS5.2 to FDS7.1
	>>
	>> - Create an ou=profile OU object and add cn=ProxyAgent as the proxy
	>> credentials user under it
	>>
	>> - Create "default" or "customized" ldapclient profile(s) under the
	>> ou=profile subtree for simple bind or simple bind + TLS or whatever,
	>> using manually prepared ldif file or ldif generated by "ldapclient
	>> genprofile" command, read "man ldapclient" for more details.
	>>
	>> - Set up two ACLs under the dc=example,dc=com object; ACL1 should appear
	>> before ACL2, and they are actually present in any typical SUN ONE DS5.2
	>>
	>> 1. LDAP_Naming_Services_deny_write_access
	>> (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||
	>> shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||
	>> memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;
	>> deny (write) userdn = "ldap:///self";)
	>>
	>> 2. LDAP_Naming_Services_proxy_password_read
	>> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version
	>> 3.0; acl LDAP_Naming_Services_proxy_password_read; allow
	>> (compare,read,search) userdn =
	>> "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
	>>
	>> Tips: delete the word "read" if you do not want "ldaplist -l passwd" to
	>> list userPassword(s), i.e. it becomes:
	>>
	>> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version
	>> 3.0; acl LDAP_Naming_Services_proxy_password_read; allow
	>> (compare,search) userdn =
	>> "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
	>>
	>> - It is advisable to set password hash scheme to CRYPT in FDS7.1.
	>>
	>> - It is advisable to add "shadowAccount" objectclass to your user
	>> entries, on top of "posixAccount".
	>>
	>> - Note that Solaris "ldapclient" has an irritating habit of resetting
	>> the "hosts:" entry to "hosts: files ldap" or something that puts
	>> "ldap" in front of "dns"; this should be adjusted back to "hosts: files
	>> dns", otherwise something like telnet/ftp/ssh will break on hostname
	>> lookup as the hosts lookup using "ldap" goes recursive.
	>>
	>> Rgds
	>> Gary
	>>
	>> -----Original Message-----
	>> From: fedora-directory-users-bounces at redhat.com
	>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
	>> Megginson
	>> Sent: Friday, July 15, 2005 3:21 AM
	>> To: General discussion list for the Fedora Directory server project.
	>> Subject: Re: [Fedora-directory-users] Solaris Client
	>>
	>>
	>> Brian Martinez wrote:
	>>
	>> 
	>>
	>>> George,
	>>>
	>>> That is correct, we are attempting to use the FDS7 as a central
	>>> authentication system for Solaris 10 NSS Clients with a PAM backend.
	>>>
	>>> We believe that we are missing the proper schemas on the server
	>>> (DUAConfigProfile and Solaris) to support the Solaris Clients.  The
	>>> ones on Tay's website seem to be in the wrong format (schema instead
	>>> of ldif)...or we just don't know how to import them!
	>>>  
	>>
	>>
	>> You can use this script
	>> http://www.directory.fedora.redhat.com/download/ol-schema-migrate.pl
	>> found on this page
	>> http://directory.fedora.redhat.com/wiki/Howto:OpenLDAPMigration
	>> to convert .schema files to .ldif schema files. e.g.
	>> perl ol-schema-migrate.pl solaris.schema >
	>> slapd-myhost/config/schema/61solaris.ldif
	>> Then restart slapd
	>>
	>> 
	>>
	>>> We have been scrounging his site for clues/ideas...developers on the
	>>> client side are convinced the server is the issue...developers on
	>>> the server side believe it is the client.  My take is that we
	>>> already have
	>>>  
	>>
	>>
	>> 
	>>
	>>> the server "most" of the way, because we are successfully
	>>> authenticating Linux clients securely to the FDS7 server and we are
	>>> missing some essential piece on the server side to solve the Solaris
	>>> puzzle.
	>>>
	>>> If you have any further thoughts, ideas, or prayers...feel free to
	>>> send them our way.
	>>>
	>>>  
	>>>
	>>>> From: "George Holbert" <gholbert at broadcom.com>
	>>>> Reply-To: "General discussion list for the Fedora Directory server
	>>>> project." <fedora-directory-users at redhat.com>
	>>>> To: "General discussion list for the Fedora Directory server
	>>>> project." <fedora-directory-users at redhat.com>
	>>>> Subject: Re: [Fedora-directory-users] Solaris Client
	>>>> Date: Thu, 14 Jul 2005 11:08:06 -0700
	>>>>
	>>>> Hi Brian,
	>>>>
	>>>> By "Solaris Clients", I assume you mean Solaris naming service (for
	>>>> passwd, group, etc.).
	>>>>
	>>>> The answer is yes.  Any modern, properly configured LDAP server,
	>>>> including Fedora DS, can support Solaris naming service.  However,
	>>>> getting the server "properly configured" can be tricky.
	>>>>
	>>>> However, since Sun's own directory server ("Sun Java Enterprise
	>>>> System Directory Server") is so very similar to Fedora DS, much of
	>>>> the same preparation methods and documentation regarding SunDS will
	>>>> apply directly to Fedora DS.
	>>>>
	>>>> A good starting point would be Gary Tay's fine documentation at:
	>>>> http://web.singnet.com.sg/~garyttt/
	>>>>
	>>>> Gary's docs were written around iPlanet/Sun DS, but as I mentioned,
	>>>> pretty much all of this should also apply to Fedora DS.
	>>>>
	>>>> Good luck!
	>>>> -- George
	>>>>
	>>>>
	>>>> Brian Martinez wrote:
	>>>>
	>>>>    
	>>>>
	>>>>> All,
	>>>>>
	>>>>> Does the Fedora DS support Solaris Clients?  If so, where can I find
	>>>>> information, schema examples, etc....
	>>>>>
	>>>>> Thanks in advance,
	>>>>> Brian
	>>>>>
	>>>>>
	>>>>> --
	>>>>> Fedora-directory-users mailing list
	>>>>> Fedora-directory-users at redhat.com
	>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users





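The proxy-agent ACI in Gary's notes is the security-relevant piece of the procedure: with "read" in its rights list the proxy agent, and therefore anyone running "ldaplist -l passwd" through it, can pull userPassword hashes. The following Python is an added example, not code from the thread or from Fedora DS: it builds the two ACIs and the ldapmodify LDIF for the nisDomain, ou=profile and proxy agent steps, and includes a small linter that flags any ACI granting non-self read on userPassword. The DNs and the proxy password value are constructed placeholders.

```python
import re

# Constructed values following the thread's dc=example,dc=com layout (hypothetical).
BASE_DN = "dc=example,dc=com"
PROXY_DN = f"cn=proxyagent,ou=profile,{BASE_DN}"
NSS_ATTRS = ("cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||"
             "shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")

def deny_self_write_aci():
    # ACL1 from the thread: a user may not rewrite their own NSS attributes.
    return (f'(targetattr = "{NSS_ATTRS}")(version 3.0; '
            'acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)')

def proxy_password_aci(allow_read=False):
    # ACL2 from the thread; allow_read=False applies Gary's tip of dropping "read".
    rights = "compare,read,search" if allow_read else "compare,search"
    return (f'(target="ldap:///{BASE_DN}")(targetattr="userPassword")(version 3.0; '
            f'acl LDAP_Naming_Services_proxy_password_read; allow ({rights}) '
            f'userdn = "ldap:///{PROXY_DN}";)')

ACI_RE = re.compile(r'\(targetattr\s*=\s*"([^"]+)"\).*?acl\s+([^;]+);\s*(allow|deny)\s*'
                    r'\(([^)]+)\)\s*userdn\s*=\s*"([^"]+)"', re.S)

def parse_aci(aci):
    """Minimal parser for the attribute-targeted ACI shape used in the thread."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI: " + aci)
    attrs, name, effect, rights, userdn = m.groups()
    return {"name": name.strip(), "effect": effect, "userdn": userdn,
            "attrs": {a.strip().lower() for a in attrs.split("||")},
            "rights": {r.strip() for r in rights.split(",")}}

def password_readers(acis):
    """Names of allow-ACIs that let a DN other than self read userPassword values."""
    return [p["name"] for p in map(parse_aci, acis)
            if p["effect"] == "allow" and "userpassword" in p["attrs"]
            and "read" in p["rights"] and p["userdn"] != "ldap:///self"]

def profile_provider_ldif(allow_read=False):
    """ldapmodify input for the nisDomain, ou=profile, proxy agent and ACI steps (ACL1 first)."""
    acis = [deny_self_write_aci(), proxy_password_aci(allow_read)]
    return "\n".join(
        [f"dn: {BASE_DN}", "changetype: modify", "add: objectClass",
         "objectClass: nisDomainObject", "-", "add: nisDomain", "nisDomain: example.com",
         "-", "add: aci"] + [f"aci: {a}" for a in acis]
        + ["", f"dn: ou=profile,{BASE_DN}", "changetype: add",
           "objectClass: organizationalUnit", "ou: profile", "", f"dn: {PROXY_DN}",
           "changetype: add", "objectClass: person", "cn: proxyagent", "sn: proxyagent",
           "userPassword: CHANGE-ME-placeholder", ""])
```

Feed the output of profile_provider_ldif() to ldapmodify against the FDS server and run password_readers() over the aci values you read back from dc=example,dc=com to confirm no non-self DN retains read on userPassword.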
More information about the Fedora-directory-users mailing list