[Freeipa-users] Solaris 10 client configuration using profile

Rob Crittenden rcritten at redhat.com
Sat Oct 11 17:10:06 UTC 2014

sipazzo wrote:
> Thank you, I know where the profile is in the directory tree and how I would invoke it were it there...I don't know how to get it into the directory tree so that it is available to clients. I see posts giving examples of different profiles that could be used but no post as to how to add it to the directory. Sorry if I am missing something obvious.
> --------------------------------------------
> On Fri, 10/10/14, Rob Crittenden <rcritten at redhat.com> wrote:
>  Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
>  To: "sipazzo" <sipazzo at yahoo.com>, freeipa-users at redhat.com
>  Date: Friday, October 10, 2014, 4:53 PM
>  sipazzo wrote:
>  > Hello, I am trying to set up a default profile for my Solaris 10 IPA
>  > clients as recommended. I generated a profile on a Solaris with the
>  > attributes I needed except I got an "invalid parameter" error when
>  > specifying the domainName attribute like this -a domainName=example.com
>  > even though this parameter works when I use it in ldapclient manual.
>  > More of an issue though is I have been unable to find documentation on
>  > getting the profile incorporated into the ipa server. How do I get this
>  > profile on the ipa server and make it available to my Solaris clients?
>  > Also, my understanding is the clients periodically check this profile
>  > so they stay updated with the latest configuration information. What
>  > generates this check? Is it time based, a restart of a service or ??
>  >
>  > Thank you for any assistance.
>  >
>  It's been forever since I configured a Solaris anything client but I can
>  tell you where the profile gets stored:
>
>  cn=profilename,cn=default,ou=profile,$SUFFIX
>
>  IPA ships with a default profile of:
>
>  dn: cn=default,ou=profile,$SUFFIX
>  ObjectClass: top
>  ObjectClass: DUAConfigProfile
>  defaultServerList: $FQDN
>  defaultSearchBase: $SUFFIX
>  authenticationMethod: none
>  searchTimeLimit: 15
>  cn: default
>  serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
>  serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
>  bindTimeLimit: 5
>  objectClassMap: shadow:shadowAccount=posixAccount
>  followReferrals:TRUE
>
>  The full schema can be found at
>  http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html
>
>  So if your profile is named foo you'd invoke it with something like:
>
>  # ldapclient init -a profileName=foo ipa.example.com
>
>  rob

Here is an example inspired by

$ ldapmodify -x -D 'cn=Directory Manager' -W
dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
changetype: add
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl_test
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:sunPrinter=printerService
preferredServerList: ipa01.example.com ipa02.example.com
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
<blank line>

You may want to check out
https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.
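
A pre-load check for profile entries like the two in this thread, as an added example that is not part of the original message or of FreeIPA: it parses the LDIF and reports the settings that decide how Solaris clients bind (authenticationMethod, credentialLevel) before the entry is handed to ldapmodify. The function names and the two trimmed sample entries are constructed for this example.

```python
# Added example: lint a DUAConfigProfile entry before loading it with ldapmodify.
SHIPPED = """\
dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
cn: default
defaultSearchBase: dc=example,dc=com
authenticationMethod: none
"""  # constructed sample, trimmed from the shipped default profile
TLS_PROXY = """\
dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
cn: solaris_authssl_test
authenticationMethod: tls:simple
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
"""  # constructed sample, trimmed from the TLS profile

def parse_entry(ldif):
    """Return {lowercased attribute: [values]} for one LDIF entry (no base64 values)."""
    attrs, last = {}, None
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and last:  # folded continuation line
            attrs[last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        attrs.setdefault(last, []).append(value.strip())
    return attrs

def lint_profile(ldif):
    """Return findings as strings; an empty list means nothing was flagged."""
    a, out = parse_entry(ldif), []
    cn = a.get("cn", [""])[0].lower()
    if not cn or not a.get("dn", [""])[0].lower().startswith("cn=" + cn + ","):
        out.append("first RDN of dn does not match cn")
    methods = [m.strip().lower() for v in a.get("authenticationmethod", [])
               for m in v.split(";")]  # several methods are ';'-separated
    if "none" in methods:
        out.append("authenticationMethod none: clients bind anonymously")
    if "simple" in methods:
        out.append("authenticationMethod simple: bind password is sent without TLS")
    levels = " ".join(a.get("credentiallevel", [])).lower().split()
    if "proxy" in levels and not any(m.startswith("tls:") for m in methods):
        out.append("credentialLevel proxy without a tls: method")
    return out

if __name__ == "__main__":
    print(lint_profile(SHIPPED), lint_profile(TLS_PROXY))
```
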

