[Freeipa-users] Solaris 10 client configuration using profile
Rob Crittenden
rcritten at redhat.com
Sat Oct 11 17:10:06 UTC 2014
sipazzo wrote:
> Thank you, I know where the profile is in the directory tree and how I would invoke it were it there... I don't know how to get it into the directory tree so that it is available to clients. I see posts giving examples of different profiles that could be used but no post as to how to add it to the directory. Sorry if I am missing something obvious.
>
>
> --------------------------------------------
> On Fri, 10/10/14, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
> To: "sipazzo" <sipazzo at yahoo.com>, freeipa-users at redhat.com
> Date: Friday, October 10, 2014, 4:53 PM
>
> sipazzo wrote:
> >
> > Hello, I am trying to set up a default profile for my
> > Solaris 10 IPA clients as recommended. I generated a profile
> > on a Solaris with the attributes I needed except I got an
> > "invalid parameter" error when specifying the
> > domainName attribute like this -a domainName=example.com
> > even though this parameter works when I use it in
> > ldapclient manual. More of an issue though is I have been
> > unable to find documentation on getting the profile
> > incorporated into the ipa server. How do I get this profile
> > on the ipa server and make it available to my Solaris
> > clients? Also, my understanding is the clients periodically
> > check this profile so they stay updated with the latest
> > configuration information. What generates this check? Is it
> > time based, a restart of a service or ??
> >
> > Thank you for any assistance.
> >
>
> It's been forever since I configured a Solaris anything client but I can
> tell you where the profile gets stored:
> cn=profilename,cn=default,ou=profile,$SUFFIX
>
> IPA ships with a default profile of:
>
> dn: cn=default,ou=profile,$SUFFIX
> ObjectClass: top
> ObjectClass: DUAConfigProfile
> defaultServerList: $FQDN
> defaultSearchBase: $SUFFIX
> authenticationMethod: none
> searchTimeLimit: 15
> cn: default
> serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
> serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
> bindTimeLimit: 5
> objectClassMap: shadow:shadowAccount=posixAccount
> followReferrals: TRUE
>
> The full schema can be found at
> http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html
>
> So if your profile is named foo you'd invoke it with something like:
>
> # ldapclient init -a profileName=foo ipa.example.com
>
> rob
>
>
Here is an example inspired by
https://bugzilla.redhat.com/show_bug.cgi?id=815515
$ ldapmodify -x -D 'cn=Directory Manager' -W
dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
changetype: add
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl_test
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:sunPrinter=printerService
preferredServerList: ipa01.example.com ipa02.example.com
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
<blank line>
^D
You may want to check out
https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.
rob
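
Added example, not part of the original message and not FreeIPA code: a small Python check that can be run over a profile LDIF before it is loaded with ldapmodify. It unfolds wrapped LDIF lines, flags authenticationMethod values of none or plain simple (no TLS), and reports serviceSearchDescriptor bases that fall outside defaultSearchBase; the function names and the sample entry are constructed for illustration.

```python
import re

# Constructed sample profile (not from the thread); the last value is folded LDIF.
SAMPLE = """\
dn: cn=demo,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
cn: demo
authenticationMethod: simple
defaultSearchBase: dc=example,dc=com
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,
 cn=compat,dc=example,dc=org
"""

def parse_ldif_entry(text):
    """Unfold continuation lines (leading space) and return {attr_lower: [values]}."""
    unfolded = re.sub(r"\n ", "", text)
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def lint_profile(text):
    """Return a list of findings for one DUAConfigProfile entry."""
    entry = parse_ldif_entry(text)
    findings = []
    # authenticationMethod may hold several methods separated by ';'.
    for value in entry.get("authenticationmethod", []):
        for method in (m.strip().lower() for m in value.split(";")):
            if method == "none":
                findings.append("authenticationMethod none: clients bind anonymously")
            elif method == "simple":
                findings.append("authenticationMethod simple: password sent without TLS")
    base = entry.get("defaultsearchbase", [""])[0].lower()
    for ssd in entry.get("servicesearchdescriptor", []):
        service, _, descriptors = ssd.partition(":")
        for desc in descriptors.split(";"):
            dn = desc.split("?")[0].strip().lower()
            # A DN ending in "," is relative to defaultSearchBase, so it is fine.
            if dn and not dn.endswith(",") and dn != base and not dn.endswith("," + base):
                findings.append(f"{service}: {dn} is outside defaultSearchBase")
    return findings

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE):
        print(finding)
```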