[Freeipa-users] openindiana ldap client

Dmitri Pal dpal at redhat.com
Mon Sep 10 12:42:46 UTC 2012


On 09/09/2012 04:25 PM, Sigbjorn Lie wrote:
> On 09/07/2012 08:38 PM, Dmitri Pal wrote:
>> On 09/02/2012 12:58 PM, Sigbjorn Lie wrote:
>>> On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
>>>> hi,
>>>>
>>>> Recently I have been playing with the zfs for its native nfs4 acl
>>>> capabilities. I have used openindiana for this. For those wondering
>>>> about openindiana, it is a distribution of the former opensolaris code.
>>>>
>>>> I got the ldap client to work for retrieving user/group info from
>>>> ipa using the ldapclient command:
>>>>
>>>>  # ldapclient manual \
>>>> -a authenticationMethod=none \
>>>> -a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \
>>>> -a domainName=ipa.asenjo.nx \
>>>> -a defaultServerList=kdc.ipa.asenjo.nx \
>>>> -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
>>>> -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]
>>>>
>>>> you need to enable the ldap/client service:
>>>>
>>>> # svcadm enable ldap/client:default [enter]
>>>>
>>>> After which, modify /etc/nsswitch.conf to add the ldap provider for
>>>> passwd and group:
>>>>
>>>> passwd:     files ldap
>>>> group:      files ldap
>>>>
>>>> That's it, test it:
>>>>
>>>> # id admin
>>>> uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)
>>>>
>>>> # getent passwd admin
>>>> admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash
>>>>
>>>> So it works. The kerberos stuff will be next ...
>>>>
>>>> One thing I have not yet gotten to work is that these changes are
>>>> not persistent across reboots. The ldapclient config stays, but
>>>> the service ldap/client does not start (stays disabled) and
>>>> nsswitch.conf misses the ldap entries. So far I am fixing this
>>>> from cfengine (gotta love it).
>>>>
>>>> So apparently, for solaris 10 and newer versions, the procedure
>>>> outlined in http://freeipa.com/page/ConfiguringSolarisClients is no
>>>> longer necessary as far as the ldap client is concerned.
>>>>
>>>>
>>>> --
>>>> Groeten,
>>>> natxo
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Hi,
>>>
>>> I'm using Nexenta as an IPA client, another derivative of
>>> OpenSolaris. I use a DUAProfile with ldapclient. This stays
>>> configured and the ldap/client service is enabled across reboots.
>>>
>>>
>>> There is a DUAProfile included by default with IPA, but it requires
>>> some tweaking to support more than just the basic features. See this
>>> bugzilla for a more comprehensive example:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>>>
>>>
>>> There is also some more info about configuring Solaris clients in
>>> this bugzilla:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=815533
>>
>> Siggi, can you please review
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>> and confirm that this is correct and has the latest?
>>
>> If you find some inconsistency, would you mind filing a Fedora doc bug?
>
> There are some issues in that document.
>
> I have been working with Rob with regards to the previous 2 bugzilla
> doc bugs I opened:
> https://bugzilla.redhat.com/show_bug.cgi?id=815533
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
> These BZs cover configuring a DUA profile and configuring Solaris 10
> as an IPA client.
>
> I presume Rob's work will become the new Solaris 10 IPA Client
> documentation for both Fedora and RHEL?

Thanks for the update. We might ask you for a final review.
The Fedora and RHEL documentation is a bit different in this regard.
For Fedora we can easily document the information you provided.
For RHEL we need to find some other avenue to deliver the information
because the Red Hat support organization can't be responsible for proper
configuration of non-RHEL operating systems, so we can't have it in
the Red Hat documentation. But we will figure it out.

>
>
> Rgds,
> Siggi
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
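
A check for the post-reboot drift described in the quoted message (the ldap/client service left disabled and nsswitch.conf losing its ldap sources), as an added example that is not part of the thread or of FreeIPA. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print each named database whose nsswitch.conf line has no "ldap" source.
# A database with no line at all is reported too.
nss_missing_ldap() {
    conf=$1; shift
    [ -r "$conf" ] || return 2
    for db in "$@"; do
        awk -v db="$db" '
            { sub(/#.*/, "") }                     # ignore comments
            {
                n = index($0, ":"); if (n == 0) next
                name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
                if (name != db) next
                m = split(substr($0, n + 1), src, /[ \t]+/)
                for (i = 1; i <= m; i++) if (src[i] == "ldap") found = 1
                exit
            }
            END { if (!found) print db }
        ' "$conf"
    done
}

# SMF state of the LDAP client instance; "unknown" where svcs is absent.
ldap_client_state() {
    if command -v svcs >/dev/null 2>&1; then
        svcs -H -o state ldap/client:default
    else
        echo unknown
    fi
}

# Constructed sample: passwd has lost its ldap source, group still has it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:     files
group:      files ldap   # still intact
hosts:      files dns
EOF
echo "missing ldap source: $(nss_missing_ldap "$sample" passwd group)"
echo "ldap/client state:   $(ldap_client_state)"
rm -f "$sample"
```

On a real client, pass /etc/nsswitch.conf as the first argument; a non-empty first result or a state other than online means lookups have fallen back to local files only.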

