[Freeipa-users] Solaris 10 client configuration using profile
Alexander Bokovoy
abokovoy at redhat.com
Sat Oct 11 17:54:49 UTC 2014
On Sat, 11 Oct 2014, Rob Crittenden wrote:
>sipazzo wrote:
>> Thank you, I know where the profile is in the directory tree and how I would invoke it were it there...I don't know how to get it into the directory tree so that it is available to clients. I see posts giving examples of different profiles that could be used but no post as to how to add it to the directory. Sorry if I am missing something obvious.
>>
>>
>> --------------------------------------------
>> On Fri, 10/10/14, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
>> To: "sipazzo" <sipazzo at yahoo.com>, freeipa-users at redhat.com
>> Date: Friday, October 10, 2014, 4:53 PM
>>
>> sipazzo wrote:
>> > Hello, I am trying to set up a default profile for my Solaris 10 IPA clients as recommended. I generated a profile on a Solaris with the attributes I needed except I got an "invalid parameter" error when specifying the domainName attribute like this -a domainName=example.com even though this parameter works when I use it in ldapclient manual. More of an issue though is I have been unable to find documentation on getting the profile incorporated into the ipa server. How do I get this profile on the ipa server and make it available to my Solaris clients? Also, my understanding is the clients periodically check this profile so they stay updated with the latest configuration information. What generates this check? Is it time based, a restart of a service or ??
>> >
>> > Thank you for any assistance.
>> >
>>
>> It's been forever since I configured a Solaris anything client but I can tell you where the profile gets stored:
>> cn=profilename,cn=default,ou=profile,$SUFFIX
>>
>> IPA ships with a default profile of:
>>
>> dn: cn=default,ou=profile,$SUFFIX
>> ObjectClass: top
>> ObjectClass: DUAConfigProfile
>> defaultServerList: $FQDN
>> defaultSearchBase: $SUFFIX
>> authenticationMethod: none
>> searchTimeLimit: 15
>> cn: default
>> serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
>> serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
>> bindTimeLimit: 5
>> objectClassMap: shadow:shadowAccount=posixAccount
>> followReferrals:TRUE
>>
>> The full schema can be found at
>> http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html
>>
>> So if your profile is named foo you'd invoke it with something like:
>>
>> # ldapclient init -a profileName=foo ipa.example.com
>>
>> rob
>>
>>
>
>Here is an example inspired by
>https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
>$ ldapmodify -x -D 'cn=Directory Manager' -W
>dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
>objectClass: top
>objectClass: DUAConfigProfile
>cn: solaris_authssl_test
>authenticationMethod: tls:simple
>bindTimeLimit: 5
>credentialLevel: proxy
>defaultSearchBase: dc=example,dc=com
>defaultSearchScope: one
>defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
>followReferrals: TRUE
>objectclassMap: shadow:shadowAccount=posixAccount
>objectclassMap: printers:sunPrinter=printerService
>preferredServerList: ipa01.example.com ipa02.example.com
>profileTTL: 6000
>searchTimeLimit: 10
>serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
>serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
>serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
>serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
>serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
>serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
>serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
>serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
><blank line>
>^D
>
>You may want to check out
>https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.
Should the profile be available anonymously? It is not in 4.x:
$ ldapsearch -x -b ou=profile,dc=ipacloud,dc=test
# extended LDIF
#
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
$ kinit admin
Password for admin@IPACLOUD.TEST:
$ ldapsearch -Y GSSAPI -b ou=profile,dc=ipacloud,dc=test
SASL/GSSAPI authentication started
SASL username: admin@IPACLOUD.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# profile, ipacloud.test
dn: ou=profile,dc=ipacloud,dc=test
objectClass: top
objectClass: organizationalUnit
ou: profiles
ou: profile
# default, profile, ipacloud.test
dn: cn=default,ou=profile,dc=ipacloud,dc=test
defaultServerList: cc21.ipacloud.test
defaultSearchBase: dc=ipacloud,dc=test
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=ipacloud,dc=test
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=ipacloud,dc=test
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
I think it should be available anonymously too, so we need to add a
specialized ACI for that.
--
/ Alexander Bokovoy
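One way to add the ACI Alexander mentions, as an added example that is not from this thread or from FreeIPA's own install files; it assumes the suffix dc=example,dc=com (substitute $SUFFIX) and grants anonymous read on the ou=profile container and its DUAConfigProfile entries only, not on the rest of the tree:

```ldif
# Added example (not FreeIPA's own ACI): let unauthenticated Solaris clients
# read DUA profiles under ou=profile. The targetfilter limits the grant to the
# container itself and to DUAConfigProfile entries. Suffix is assumed.
dn: ou=profile,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter = "(|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile))")(version 3.0; acl "Anonymous read access to DUA profiles"; allow (read, search, compare) userdn = "ldap:///anyone";)
```

Apply it with ldapmodify as Directory Manager (the same invocation Rob shows), then repeat the anonymous `ldapsearch -x -b ou=profile,...` above: it should now return the same two entries as the GSSAPI search. The profile carries server lists and search descriptors but no bind credentials (proxy DN and password are supplied on the client side to ldapclient), which is why exposing it anonymously is reasonable.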