[Freeipa-users] IPA client installation for Solaris 11.

Dmitri Pal dpal at redhat.com
Thu Apr 10 16:30:32 UTC 2014


On 04/10/2014 12:18 PM, quest monger wrote:
> Sorry about that. So I am looking at the Solaris 10 client 
> documentation here - 
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html 
>
>
> It says do the following on Solaris client -
>
>     ldapclient manual
>     ...
>     -a proxyPassword={NS1}fbc123a92116812
>     ...
>
>
> What's that proxyPassword for?
>

I suspect that it is a password that corresponds to the proxy user.
The client component on Solaris (pure speculation on my side) seems to 
use a proxy user to connect to the LDAP server and do some operations for 
the host. It is similar to SSSD, but SSSD does not use passwords; it uses 
keytabs if it talks to IPA.
Solaris uses passwords, but to prevent them from being stored in 
configuration in the clear they are "obfuscated" with the NS1 method
http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/
I suspect there should be some tool on Solaris that takes a password and 
creates an obfuscated string like this.

Thanks
Dmitri

> Thanks.
>
>
>
> On Thu, Apr 10, 2014 at 12:09 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     On 04/10/2014 11:41 AM, quest monger wrote:
>>     Thanks Rob, those bug reports help.
>>     One more question, in the official Solaris 10 documentation, I
>>     see this stuff -
>>
>>     -aproxyPassword={NS1}fbc123a92116812
>>     userPassword::e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
>>
>>     Is there a way to generate that password hash for a new password?
>>     I think that should be part of the documentation, don't want all
>>     Solaris IPA users to be using the same password and corresponding
>>     hash.
>>
>     Can you rephrase the question?
>     It is unclear what hash you are asking about.
>     If you are using IPA you do not need local password hashes.
>
>
>>     Thanks.
>>
>>
>>
>>
>>     On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden
>>     <rcritten at redhat.com> wrote:
>>
>>         quest monger wrote:
>>
>>
>>             I have read through the official documentation here for
>>             Solaris-10 -
>>             http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>             I have found a few web posts on how to make it work for
>>             Solaris-11.
>>             Have any of you tried adding a Solaris-11 host to an
>>             existing IPA
>>             server? If so, do you have any
>>             documentation/how-tos/instructions that I
>>             could use to do the same? Any help is appreciated.
>>             I am trying to do this so I can centralize SSH
>>             authentication for all
>>             my Solaris-11 and Linux hosts.
>>
>>
>>         That is pretty much all we've got. There is a bug open with
>>         some documentation updates,
>>         https://bugzilla.redhat.com/show_bug.cgi?id=815533 and some
>>         more in https://bugzilla.redhat.com/show_bug.cgi?id=801883
>>
>>         We use sssd to help with centralized SSH auth so it probably
>>         won't work as smoothly on Solaris as it does on sssd-based
>>         Linux systems. See sss_ssh_authorizedkeys(1) and
>>         sss_ssh_knownhostsproxy(8).
>>
>>         This document describes how it works in IPA
>>         http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
>>
>>         rob
>>
>>
>>
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
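
Added example (not part of the original message, and not code from the FreeIPA or Solaris documentation): the userPassword:: value quoted in the thread is a base64-encoded LDIF value whose first bytes decode to "{SSHA}", the salted SHA-1 scheme, so a site-specific value for a new proxy password can be generated as below instead of reusing the documented one. The function names and the sample passphrase are constructed for illustration; the NS1 proxyPassword obfuscation is a different encoding and is not reproduced here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, hashed: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not hashed.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(hashed[len(SCHEME):], validate=True)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN or not salt:
        raise ValueError("truncated {SSHA} value")
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def to_ldif(hashed: str) -> str:
    """LDIF line; '::' tells the LDIF parser the value is base64-encoded."""
    return "userPassword:: " + base64.b64encode(hashed.encode("ascii")).decode("ascii")


def from_ldif(line: str) -> str:
    """Recover the '{SSHA}...' string from a 'userPassword::' LDIF line."""
    attr, sep, value = line.partition("::")
    if not sep or attr.strip().lower() != "userpassword":
        raise ValueError("expected a base64 userPassword:: line")
    value = value.strip()
    value += "=" * (-len(value) % 4)  # tolerate padding lost in copy/paste
    return base64.b64decode(value).decode("ascii")


if __name__ == "__main__":
    new_hash = ssha_hash("constructed-sample-passphrase")  # constructed sample
    print(to_ldif(new_hash))
```

Each run uses a fresh random salt, so two hosts given the same passphrase still get different userPassword values.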
