[Freeipa-users] Solaris 10 client configuration using profile
sipazzo
sipazzo at yahoo.com
Mon Oct 27 21:00:13 UTC 2014
Okay, so this is working with the secure profile, thank you all, but I am getting a ton of errors in my logs on the Solaris clients like this:
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com
Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
I think this might be related to trying to use tls:simple for authentication, so I went back over the steps for the cert setup, and I am unable to generate or import the ca.pem cert into the NSS database:
certutil -N -d /var/ldap
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
ldap_cachemgr is online and we can authenticate, but errors are filling the logs. ldaplist and ldapclient list look fine. When I try to use SSL with ldapsearch I get the following:
ldapsearch -D "uid=auth,cn=users,cn=accounts,dc=ipadomain,dc=com" -w secret -h idm2.ipadomain.com -b "dc=ipadomain,dc=com" -s sub -x -ZZ "(objectclass=*)"
SSL initialization failed: error -8174 (security library: bad database.)
This is a Solaris 10 client and Red Hat 6.5 servers running version 3.0.0-37. I am unsure of the next step to troubleshoot this issue.
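The log lines above are worth triaging mechanically rather than by eye, because the operationally important one is not the "failed to open connection" noise but the "Falling back to anonymous, non-SSL mode" warning: libsldap degrades a tls:simple profile to anonymous cleartext, which is why name service keeps "working" while TLS is broken. The following is an added example, not code from the thread or from FreeIPA; the sample lines are copied from the post above, and the function names, event kinds and verdict wording are this example's own invention.

```python
"""Triage Solaris 10 ldap_cachemgr syslog lines for the security-relevant part.

Added example, not code from the thread or from FreeIPA. The sample lines are
copied from the post above; the function names, event kinds and verdict text
are this example's own invention.
"""
import re
from collections import Counter

# Solaris syslog layout: "Mon DD HH:MM:SS host proc[pid]: [ID msgid facility.level] message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: \[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<level>\w+)\] "
    r"(?P<msg>.*)$"
)
# syslogd collapses identical consecutive lines into this; expand it so counts are honest
REPEAT_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ last message repeated (?P<n>\d+) times?$"
)

CONNECT_FAIL_RE = re.compile(r"makeConnection: failed to open connection to (?P<server>\S+)")
FALLBACK_RE = re.compile(r"Falling back to anonymous, non-SSL mode for (?P<op>\w+)")
STATUS_RE = re.compile(r"Status: (?P<code>\d+) Mesg:")

LDAP_SERVER_DOWN = 81  # the libsldap status behind "Can't contact LDAP server"


def parse_events(lines):
    """Turn raw syslog lines into (kind, detail) tuples, expanding repeats."""
    events = []
    for line in lines:
        rep = REPEAT_RE.match(line)
        if rep:
            if events:
                events.extend([events[-1]] * int(rep.group("n")))
            continue
        m = SYSLOG_RE.match(line)
        if not m or m.group("proc") != "ldap_cachemgr":
            continue
        msg = m.group("msg")
        conn = CONNECT_FAIL_RE.search(msg)
        fall = FALLBACK_RE.search(msg)
        stat = STATUS_RE.search(msg)
        if conn:
            events.append(("connect_failed", conn.group("server")))
        elif fall:
            events.append(("anonymous_fallback", fall.group("op")))
        elif stat:
            events.append(("status", int(stat.group("code"))))
    return events


def summarize(lines):
    """Aggregate events into what an operator has to decide on."""
    events = parse_events(lines)
    kinds = Counter(kind for kind, _ in events)
    return {
        "unreachable": sorted({d for k, d in events if k == "connect_failed"}),
        "anonymous_fallbacks": kinds["anonymous_fallback"],
        "server_down": sum(1 for k, d in events if k == "status" and d == LDAP_SERVER_DOWN),
        # The dangerous case: a tls:simple profile degraded to anonymous cleartext,
        # so lookups keep "working" without the protection the profile was meant to give.
        "downgraded": kinds["anonymous_fallback"] > 0,
    }


def verdict(summary):
    """One-line triage string for a summary()."""
    if summary["downgraded"]:
        return ("DOWNGRADE: fell back to anonymous non-SSL LDAP "
                f"{summary['anonymous_fallbacks']} time(s); unreachable over TLS: "
                + ", ".join(summary["unreachable"]))
    if summary["unreachable"]:
        return "CONNECT: unreachable: " + ", ".join(summary["unreachable"])
    return "OK"


# Sample input: the lines quoted in the post above, verbatim.
SAMPLE_LINES = [
    "Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1.ipadomain.com",
    "Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm2.ipadomain.com",
    "Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server",
    "Oct 27 13:08:51 dc2.ipadomain.com last message repeated 1 time",
    "Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server",
    "Oct 27 13:08:51 dc2.ipadomain.com ldap_cachemgr[15004]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to idm1-corp.ipadomain.com",
    "Oct 27 13:08:51 dc2-io.ipadomain.com ldap_cachemgr[15004]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    print(result)
    print(verdict(result))
```

Run over /var/adm/messages, the point it makes is that "ldap_cachemgr is online and we can authenticate" is not evidence that the TLS path works: every one of the three fallbacks in the sample is a lookup that succeeded only because libsldap silently dropped to anonymous, unencrypted LDAP after the TLS connection failed. Until the /var/ldap certificate database problem from the post is fixed (SEC_ERROR_LEGACY_DATABASE says the certutil in use cannot read the old-format database it found there), the secure profile is not actually in effect on that client.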
--------------------------------------------
On Sat, 10/11/14, Alexander Bokovoy <abokovoy at redhat.com> wrote:
Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
To: "Rob Crittenden" <rcritten at redhat.com>
Cc: "sipazzo" <sipazzo at yahoo.com>, "Freeipa-users at redhat.com" <Freeipa-users at redhat.com>
Date: Saturday, October 11, 2014, 10:54 AM
On Sat, 11 Oct 2014, Rob Crittenden wrote:
>sipazzo wrote:
>> Thank you, I know where the profile is in the directory tree and how I would invoke it were it there... I don't know how to get it into the directory tree so that it is available to clients. I see posts giving examples of different profiles that could be used but no post as to how to add it to the directory. Sorry if I am missing something obvious.
>>
>> --------------------------------------------
>> On Fri, 10/10/14, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
>> To: "sipazzo" <sipazzo at yahoo.com>, freeipa-users at redhat.com
>> Date: Friday, October 10, 2014, 4:53 PM
>>
>> sipazzo wrote:
>> > Hello, I am trying to set up a default profile for my Solaris 10 IPA clients as recommended. I generated a profile on a Solaris with the attributes I needed, except I got an "invalid parameter" error when specifying the domainName attribute like this: -a domainName=example.com, even though this parameter works when I use it in ldapclient manual. More of an issue though is I have been unable to find documentation on getting the profile incorporated into the ipa server. How do I get this profile on the ipa server and make it available to my Solaris clients? Also, my understanding is the clients periodically check this profile so they stay updated with the latest configuration information. What generates this check? Is it time based, a restart of a service or ??
>> >
>> > Thank you for any assistance.
>>
>> It's been forever since I configured a Solaris anything client but I can tell you where the profile gets stored:
>>
>> cn=profilename,cn=default,ou=profile,$SUFFIX
>>
>> IPA ships with a default profile of:
>>
>> dn: cn=default,ou=profile,$SUFFIX
>> ObjectClass: top
>> ObjectClass: DUAConfigProfile
>> defaultServerList: $FQDN
>> defaultSearchBase: $SUFFIX
>> authenticationMethod: none
>> searchTimeLimit: 15
>> cn: default
>> serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
>> serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
>> bindTimeLimit: 5
>> objectClassMap: shadow:shadowAccount=posixAccount
>> followReferrals:TRUE
>>
>> The full schema can be found at http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html
>>
>> So if your profile is named foo you'd invoke it with something like:
>>
>> # ldapclient init -a profileName=foo ipa.example.com
>>
>> rob
>>
>
>Here is an example inspired by https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
>$ ldapmodify -x -D 'cn=Directory Manager' -W
>dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
>objectClass: top
>objectClass: DUAConfigProfile
>cn: solaris_authssl_test
>authenticationMethod: tls:simple
>bindTimeLimit: 5
>credentialLevel: proxy
>defaultSearchBase: dc=example,dc=com
>defaultSearchScope: one
>defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
>followReferrals: TRUE
>objectclassMap: shadow:shadowAccount=posixAccount
>objectclassMap: printers:sunPrinter=printerService
>preferredServerList: ipa01.example.com ipa02.example.com
>profileTTL: 6000
>searchTimeLimit: 10
>serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
>serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
>serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
>serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
>serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
>serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
>serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
>serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
><blank line>
>^D
>
>You may want to check out https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.
Should the profile be available anonymously? It is not in 4.x:

$ ldapsearch -x -b ou=profile,dc=ipacloud,dc=test
# extended LDIF
#
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

$ kinit admin
Password for admin at IPACLOUD.TEST:
$ ldapsearch -Y GSSAPI -b ou=profile,dc=ipacloud,dc=test
SASL/GSSAPI authentication started
SASL username: admin at IPACLOUD.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# profile, ipacloud.test
dn: ou=profile,dc=ipacloud,dc=test
objectClass: top
objectClass: organizationalUnit
ou: profiles
ou: profile

# default, profile, ipacloud.test
dn: cn=default,ou=profile,dc=ipacloud,dc=test
defaultServerList: cc21.ipacloud.test
defaultSearchBase: dc=ipacloud,dc=test
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=ipacloud,dc=test
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=ipacloud,dc=test
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

I think it should be available anonymously too, so we need to add a specialized ACI for that.
--
/ Alexander Bokovoy
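Rob's hand-written profile above is the kind of entry that is easy to get subtly wrong (the long auto_master descriptor needs LDIF line folding, and a profile with authenticationMethod none or plain simple quietly weakens every client that picks it up). The following is an added example, not code from FreeIPA or from anyone in this thread: it builds a DUAConfigProfile entry as attribute/value pairs, serializes it as RFC 2849 LDIF with folding, and lints it before it is handed to ldapmodify. The sample values mirror Rob's profile (dc=example,dc=com, ipa01..ipa03) with the auto_master typo corrected; the lint rules, the 76-column fold width and all function names are this example's own choices.

```python
"""Build and lint a Solaris DUAConfigProfile entry before loading it into IPA.

Added example; not code from FreeIPA or from anyone in the thread. Sample values
mirror the profile Rob posted; the lint rules, fold width and function names are
this example's own choices.
"""

LDIF_WIDTH = 76  # RFC 2849: long lines are folded; continuation lines start with one space


def fold(line, width=LDIF_WIDTH):
    """Fold one logical LDIF line so no physical line exceeds width."""
    if len(line) <= width:
        return [line]
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return pieces


def unfold(text):
    """Inverse of fold(): what an LDIF reader reconstructs from folded text."""
    logical = []
    for physical in text.splitlines():
        if physical.startswith(" ") and logical:
            logical[-1] += physical[1:]
        else:
            logical.append(physical)
    return logical


def build_profile(name, base, servers, auth="tls:simple", cred="proxy",
                  preferred=(), ssds=(), ttl=6000):
    """Return the profile as (attribute, value) pairs in LDIF order."""
    attrs = [
        ("dn", f"cn={name},ou=profile,{base}"),
        ("objectClass", "top"),
        ("objectClass", "DUAConfigProfile"),
        ("cn", name),
        ("authenticationMethod", auth),
        ("credentialLevel", cred),
        ("defaultSearchBase", base),
        ("defaultSearchScope", "one"),
        ("defaultServerList", " ".join(servers)),
        ("followReferrals", "TRUE"),
        ("objectclassMap", "shadow:shadowAccount=posixAccount"),
        ("profileTTL", str(ttl)),
        ("bindTimeLimit", "5"),
        ("searchTimeLimit", "10"),
    ]
    if preferred:
        attrs.append(("preferredServerList", " ".join(preferred)))
    attrs.extend(("serviceSearchDescriptor", s) for s in ssds)
    return attrs


def to_ldif(attrs):
    """Serialize the pairs to LDIF text, folding long lines."""
    out = []
    for key, value in attrs:
        out.extend(fold(f"{key}: {value}"))
    return "\n".join(out) + "\n"


def lint_profile(attrs):
    """Findings a reviewer would raise before ldapmodify; an empty list means clean."""
    values = {}
    for key, value in attrs:
        values.setdefault(key, []).append(value)
    auth = values.get("authenticationMethod", ["none"])[0]
    cred = values.get("credentialLevel", ["anonymous"])[0]
    base = values["defaultSearchBase"][0].lower()
    findings = []
    if auth == "none":
        findings.append("authenticationMethod none: anonymous binds in cleartext")
    elif auth == "simple":
        findings.append("authenticationMethod simple: proxy password crosses the wire in cleartext; use tls:simple")
    if cred == "proxy" and auth == "none":
        findings.append("credentialLevel proxy with authenticationMethod none: the proxy identity is never used")
    for ssd in values.get("serviceSearchDescriptor", []):
        service, _, rest = ssd.partition(":")
        basedn = rest.split("?", 1)[0].strip().lower()  # descriptor form: service:base?scope?filter
        if not basedn.endswith(base):
            findings.append(f"{service}: search base {basedn!r} lies outside defaultSearchBase")
    return findings


# Sample descriptors patterned on Rob's posted profile (constructed for this example).
SAMPLE_SSDS = [
    "passwd:cn=users,cn=accounts,dc=example,dc=com",
    "group:cn=groups,cn=compat,dc=example,dc=com",
    "netgroup:cn=ng,cn=compat,dc=example,dc=com",
    "automount:cn=default,cn=automount,dc=example,dc=com",
    "auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com",
]

if __name__ == "__main__":
    profile = build_profile("solaris_authssl_test", "dc=example,dc=com",
                            ["ipa01.example.com", "ipa02.example.com", "ipa03.example.com"],
                            preferred=["ipa01.example.com", "ipa02.example.com"], ssds=SAMPLE_SSDS)
    print(to_ldif(profile))
    print("findings:", lint_profile(profile))
```

Pipe the printed LDIF into ldapmodify as in Rob's example. Two things the profile deliberately does not carry: the proxy identity itself (with credentialLevel proxy the client is given it separately, via ldapclient init -a proxyDN=... -a proxyPassword=..., and stores it locally), and the trust anchor (for tls:simple the Solaris client must already have the IPA CA in its /var/ldap certificate database, which is exactly the certutil step failing at the top of this thread; without it libsldap falls back to anonymous non-SSL lookups as the logs there show).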