[Freeipa-users] Solaris 10 client configuration using profile

Alexander Bokovoy abokovoy at redhat.com
Sat Oct 11 17:54:49 UTC 2014

On Sat, 11 Oct 2014, Rob Crittenden wrote:
>sipazzo wrote:
>> Thank you, I know where the profile is in the directory tree and how I would invoke it were it there...I don't know how to get it into the directory tree so that it is available to clients. I see posts giving examples of different profiles that could be used but no post as to how to add it to the directory. Sorry if I am missing something obvious.
>> --------------------------------------------
>> On Fri, 10/10/14, Rob Crittenden <rcritten at redhat.com> wrote:
>>  Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
>>  To: "sipazzo" <sipazzo at yahoo.com>, freeipa-users at redhat.com
>>  Date: Friday, October 10, 2014, 4:53 PM
>>  sipazzo wrote:
>>  > Hello, I am trying to set up a default profile for my Solaris 10 IPA
>>  > clients as recommended. I generated a profile on a Solaris with the
>>  > attributes I needed except I got an "invalid parameter" error when
>>  > specifying the domainName attribute like this -a domainName=example.com
>>  > even though this parameter works when I use it in ldapclient manual.
>>  > More of an issue though is I have been unable to find documentation on
>>  > getting the profile incorporated into the ipa server. How do I get this
>>  > profile on the ipa server and make it available to my Solaris clients?
>>  > Also, my understanding is the clients periodically check this profile
>>  > so they stay updated with the latest configuration information. What
>>  > generates this check? Is it time based, a restart of a service or ??
>>  >
>>  > Thank you for any assistance.
>>  >
>>  It's been forever since I configured a Solaris anything client but I can
>>  tell you where the profile gets stored:
>>
>>  cn=profilename,cn=default,ou=profile,$SUFFIX
>>
>>  IPA ships with a default profile of:
>>
>>  dn: cn=default,ou=profile,$SUFFIX
>>  ObjectClass: top
>>  ObjectClass: DUAConfigProfile
>>  defaultServerList: $FQDN
>>  defaultSearchBase: $SUFFIX
>>  authenticationMethod: none
>>  searchTimeLimit: 15
>>  cn: default
>>  serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
>>  serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
>>  bindTimeLimit: 5
>>  objectClassMap: shadow:shadowAccount=posixAccount
>>  followReferrals:TRUE
>>
>>  The full schema can be found at
>>  http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html
>>
>>  So if your profile is named foo you'd invoke it with something like:
>>
>>  # ldapclient init -a profileName=foo ipa.example.com
>>
>>  rob
>Here is an example inspired by
>$ ldapmodify -x -D 'cn=Directory Manager' -W
>dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
>objectClass: top
>objectClass: DUAConfigProfile
>cn: solaris_authssl_test
>authenticationMethod: tls:simple
>bindTimeLimit: 5
>credentialLevel: proxy
>defaultSearchBase: dc=example,dc=com
>defaultSearchScope: one
>defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
>followReferrals: TRUE
>objectclassMap: shadow:shadowAccount=posixAccount
>objectclassMap: printers:sunPrinter=printerService
>preferredServerList: ipa01.example.com ipa02.example.com
>profileTTL: 6000
>searchTimeLimit: 10
>serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
>serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
>serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
>serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
>serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
>serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
>serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
><blank line>
>You may want to check out
>https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.
Should the profile be available anonymously? It is not in 4.x:
$ ldapsearch -x -b ou=profile,dc=ipacloud,dc=test
# extended LDIF
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# search result
search: 2
result: 0 Success

# numResponses: 1
$ kinit admin
Password for admin@IPACLOUD.TEST:
$ ldapsearch -Y GSSAPI -b ou=profile,dc=ipacloud,dc=test
SASL/GSSAPI authentication started
SASL username: admin@IPACLOUD.TEST
SASL data security layer installed.
# extended LDIF
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# profile, ipacloud.test
dn: ou=profile,dc=ipacloud,dc=test
objectClass: top
objectClass: organizationalUnit
ou: profiles
ou: profile

# default, profile, ipacloud.test
dn: cn=default,ou=profile,dc=ipacloud,dc=test
defaultServerList: cc21.ipacloud.test
defaultSearchBase: dc=ipacloud,dc=test
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=ipacloud,dc=test
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=ipacloud,dc=test
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

I think it should be available anonymously too, so we need to add a
specialized ACI for that.
/ Alexander Bokovoy
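As an added example, not code from this thread or from FreeIPA, the Python below parses a DUAConfigProfile LDIF entry like the ones quoted above and reports what I would check before loading it with ldapmodify: the dn location, the objectClass, whether the authenticationMethod/credentialLevel pair sends lookups or a proxy password unencrypted, IP literals in defaultServerList (which cannot be matched against a TLS certificate hostname), and a missing profileTTL. The sample entry is constructed, modelled on the tls:simple profile above; that profileTTL controls the client's periodic profile refresh is my assumption from the Solaris ldapclient documentation, not something the thread states.

```python
import re

# Constructed sample entry, modelled on the tls:simple profile quoted in this thread.
SAMPLE_LDIF = """\
dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl_test
authenticationMethod: tls:simple
credentialLevel: proxy
defaultServerList: ipa01.example.com ipa02.example.com
profileTTL: 6000
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercased: [values]}, joining folded lines."""
    attrs, lines = {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation of the previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def lint_profile(attrs):
    """Return the findings to review before ldapmodify loads this DUAConfigProfile."""
    findings = []
    dn = attrs.get("dn", [""])[0].lower()
    if not (dn.startswith("cn=") and ",ou=profile," in dn):
        findings.append("dn must be cn=<profileName>,ou=profile,<suffix>")
    if "duaconfigprofile" not in {c.lower() for c in attrs.get("objectclass", [])}:
        findings.append("missing objectClass DUAConfigProfile")
    method = attrs.get("authenticationmethod", ["none"])[0].lower()
    level = attrs.get("credentiallevel", ["anonymous"])[0].lower()
    if level == "anonymous" or method == "none":
        findings.append("anonymous cleartext LDAP: user and group data readable on the wire")
    elif method == "simple":   # plain simple bind: no TLS in front of the password
        findings.append(f"credentialLevel {level} with simple bind: password sent in clear")
    for host in " ".join(attrs.get("defaultserverlist", [])).split():
        if re.fullmatch(r"[\d.]+", host):   # an IP literal cannot match a cert hostname
            findings.append(f"{host}: TLS server verification needs a hostname, not an IP")
    # Assumption (from the Solaris ldapclient docs, not this thread): profileTTL is the
    # interval at which the client re-reads the profile, which answers the refresh question.
    if "profilettl" not in attrs:
        findings.append("profileTTL absent: clients refresh at the ldapclient default interval")
    return findings
```

Run `lint_profile(parse_ldif_entry(open("profile.ldif").read()))` on the LDIF you intend to feed to ldapmodify; an empty list means none of the checks above fired.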
