[Freeipa-users] Integration with Solaris 10
Dmitri Pal
dpal at redhat.com
Sat Jan 3 19:17:06 UTC 2015
On 01/03/2015 03:26 AM, Ben .T.George wrote:
> Hi Dmitri
>
>
> I have been trying this for the last 3 weeks. Can you please give us more
> details about this? I tried ldapclient and I got a lot of dependency
> service related errors. Can you please give me a list of the services and
> configuration files that need to be changed/enabled before trying ldapclient?
>
> once again thanks for your effort.
>
Hi Ben,
I am a bit confused. My last suggestion was for you to add a wiki page
to FreeIPA.org because you indicated that you got it working.
Rob, maybe this is the comment for you.
Thanks
Dmitri
>
>
> Thanks & Regards,
> Ben
>
>
>
> On Sat, Jan 3, 2015 at 12:11 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 01/02/2015 03:17 PM, Watson, Dan wrote:
>
> I finally got it working, the default setup of "ldapclient
> init" missed the special mapping for netgroups, so I had to do
> a manual setup that included the mapping.
>
> ldapclient manual \
> -a credentialLevel=anonymous \
> -a authenticationMethod=none \
> -a defaultSearchBase=dn=domain,dn=name \
> -a domainName=domain.name \
> -a defaultServerList=server.domain.name \
> -a objectClassMap=shadow:shadowAccount=posixaccount \
> -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
> -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \
> -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \
> -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp
>
> It's the last line that forces the OS level ldap client to
> look in the rich location for the netgroup information. I hope
> this helps the next person.
>
>
> Would you mind creating a wiki page with the solution on the wiki?
>
>
>
> Thanks for all the help!
> Dan
> -----Original Message-----
> From: Watson, Dan
> Sent: January 02, 2015 11:41 AM
> To: 'Rob Crittenden'; freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] Integration with Solaris 10
>
> Hi Rob,
>
> Thanks for the reply. Unfortunately /usr/bin/getent on my
> system doesn't seem to like the netgroup option:
> -bash-3.2# getent netgroup test1
> Unknown database: netgroup
> usage: getent database [ key ... ]
> -bash-3.2# uname -a
> SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc
> SUNW,SPARC-Enterprise-T5120
> -bash-3.2# cat /etc/release
> Solaris 10 10/09 s10s_u8wos_08a SPARC
> Copyright 2009 Sun Microsystems, Inc. All Rights
> Reserved.
> Use is subject to license terms.
> Assembled 16 September 2009
> -bash-3.2#
>
> Thanks!
> Dan
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: January 02, 2015 10:15 AM
> To: Watson, Dan; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Integration with Solaris 10
>
> Watson, Dan wrote:
>
> Hi All,
>
> I've lurked in the list history and cannot find anyone
> saying they have gotten login restrictions working with
> Solaris 10 u8. Has anyone on here successfully configured
> login restrictions on Solaris 10 u8 through u11? I'm
> looking for specific instructions from someone who has
> gotten this to work before.
>
> The two main routes to login restrictions I could find
> online are Netgroups or conditional ldap queries in ldapclient
>
> I initially tried netgroups but wasn't sure how to troubleshoot
> when it didn't work. There don't seem to be any
> user-land tools to query netgroups and further
> investigation turned up an issue with OpenLDAP. It seems
> the built-in Solaris 10 ldap client expects schema
> RFC2307bis and not the OpenLDAP standard RFC2307
> (explanation here
> http://www.openldap.org/lists/openldap-software/200501/msg00309.html).
> Does anyone know if this issue applies to IPA? Or how I check?
>
> The alternative of passing a restrictive query to
> ldapclient seems like a good route but doesn't seem to
> work. The common solution when using the old SunOne
> directory server was to pass the ldapclient (command line
> ldap configuration tool) an option like
> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
> (from here
> https://community.oracle.com/thread/2014224?start=0&tstart=0)
> which is supposed to restrict account checking to only
> people in ou=people,o=myorg,c=de who are also members of
> cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this
> doesn't seem to work in IPA, first of all because there is
> no "isMemberof" attribute to a user, but also doesn't work
> on other attributes like uid or uidNumber. One possible
> explanation I've found is that these attributes are not
> indexed, but I have no idea if this is correct or how to
> add them to be indexed.
>
> Has anyone else solved this? I just need to be able to
> allow only a specific user group to log in to the host,
> unfortunately the ssh directive "AllowGroups" is not good
> enough, this has to be system wide as we also have samba
> and some other services that rely on system authentication.
>
> Can anyone be of some help?
>
> Thanks!
> Dan
>
> You can use getent netgroup <name> to get a specific netgroup.
>
> Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com
>
> rob
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
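Dan's last serviceSearchDescriptor points the Solaris client at FreeIPA's compat netgroup tree (cn=ng,cn=compat,...), which is where the netgroup-based login restriction is decided. As an added example, not code from this thread or from the FreeIPA project, the script below parses a constructed LDIF of the kind `ldapsearch -x -b cn=ng,cn=compat,dc=example,dc=com` returns and answers whether a user (optionally on a given host) is in a netgroup, following nested memberNisNetgroup entries. The netgroup names, DNs and the triple semantics ("-" matches nothing, empty matches anything) are assumptions for illustration.

```python
import re

# Constructed sample of what FreeIPA's compat tree returns for
# ldapsearch -x -b cn=ng,cn=compat,dc=example,dc=com (illustrative names only).
SAMPLE_LDIF = """\
dn: cn=unixadmins,cn=ng,cn=compat,dc=example,dc=com
cn: unixadmins
nisNetgroupTriple: (-,alice,example.com)
nisNetgroupTriple: (-,bob,example.com)

dn: cn=solaris-login,cn=ng,cn=compat,dc=example,dc=com
cn: solaris-login
nisNetgroupTriple: (vdcudantest01.example.com,carol,example.com)
memberNisNetgroup: unixadmins
"""

TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")

def parse_netgroups(ldif):
    """Map netgroup cn -> {"triples": [(host, user, domain)], "members": [cn]}."""
    groups = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        cn, entry = None, {"triples": [], "members": []}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "cn":
                cn = value
            elif attr == "nisNetgroupTriple":
                m = TRIPLE_RE.match(value.strip())
                if m:
                    entry["triples"].append(m.groups())
            elif attr == "memberNisNetgroup":
                entry["members"].append(value)
        if cn:
            groups[cn] = entry
    return groups

def _field_matches(pattern, value):
    # NIS triple semantics (assumed): "-" matches nothing, "" matches anything.
    return pattern != "-" and pattern in ("", value)

def in_netgroup(groups, name, user, host=None, seen=None):
    """True if user (and host, when given) is in netgroup `name`, nested groups included."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:      # cycle guard / unknown netgroup
        return False
    seen.add(name)
    for h, u, _domain in groups[name]["triples"]:   # domain field is not checked here
        if (host is None or _field_matches(h, host)) and _field_matches(u, user):
            return True
    return any(in_netgroup(groups, m, user, host, seen) for m in groups[name]["members"])
```

Running it against a real dump of your own cn=ng,cn=compat subtree is a quick way to confirm which accounts a host-level netgroup restriction actually admits before relying on it.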