[Freeipa-users] Integration with Solaris 10

Ben .T.George bentech4you at gmail.com
Sat Jan 3 20:07:59 UTC 2015


Hi

Oops, sorry. I wrongly addressed you. Actually, that question I asked was for
Mr. Watson.

Regards,
Ben

On Sat, Jan 3, 2015 at 10:17 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 01/03/2015 03:26 AM, Ben .T.George wrote:
>
> Hi Dmitri
>
>
> I have been trying this for the last 3 weeks. Can you please give us more
> details about this? I tried ldapclient and I got a lot of dependency service
> related errors. Can you please give me a list of the services and
> configuration files that need to be changed/enabled before trying ldapclient?
>
>  once again thanks for your effort.
>
>
> Hi Ben,
>
> I am a bit confused. My last suggestion was for you to add a wiki page to
> FreeIPA.org because you indicated that you got it working.
> Rob, maybe this is the comment for you.
>
> Thanks
> Dmitri
>
>
>
>
>  Thanks & Regards,
> Ben
>
>
>
> On Sat, Jan 3, 2015 at 12:11 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>> On 01/02/2015 03:17 PM, Watson, Dan wrote:
>>
>>> I finally got it working, the default setup of "ldapclient init" missed
>>> the special mapping for netgroups, so I had to do a manual setup that
>>> included the mapping.
>>>
>>> ldapclient manual \
>>> -a credentialLevel=anonymous \
>>> -a authenticationMethod=none \
>>> -a defaultSearchBase=dc=domain,dc=name \
>>> -a domainName=domain.name \
>>> -a defaultServerList=server.domain.name \
>>> -a objectClassMap=shadow:shadowAccount=posixaccount \
>>> -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
>>> -a serviceSearchDescriptor='group:cn=groups,cn=accounts,dc=bcferries,dc=corp' \
>>> -a serviceSearchDescriptor='sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp' \
>>> -a serviceSearchDescriptor='netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp'
>>>
>>> It's the last line that forces the OS-level LDAP client to look in the
>>> right location for the netgroup information. I hope this helps the next
>>> person.
>>>
>>
>>  Would you mind creating a wiki page with the solution on the wiki?
>>
>>
>>
>>> Thanks for all the help!
>>> Dan
>>> -----Original Message-----
>>> From: Watson, Dan
>>> Sent: January 02, 2015 11:41 AM
>>> To: 'Rob Crittenden'; freeipa-users at redhat.com
>>> Subject: RE: [Freeipa-users] Integration with Solaris 10
>>>
>>> Hi Rob,
>>>
>>> Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't
>>> seem to like the netgroup option:
>>> -bash-3.2# getent netgroup test1
>>> Unknown database: netgroup
>>> usage: getent database [ key ... ]
>>> -bash-3.2# uname -a
>>> SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc
>>> SUNW,SPARC-Enterprise-T5120
>>> -bash-3.2# cat /etc/release
>>>                        Solaris 10 10/09 s10s_u8wos_08a SPARC
>>>             Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
>>>                          Use is subject to license terms.
>>>                             Assembled 16 September 2009
>>> -bash-3.2#
>>>
>>> Thanks!
>>> Dan
>>>
>>> -----Original Message-----
>>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>>> Sent: January 02, 2015 10:15 AM
>>> To: Watson, Dan; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Integration with Solaris 10
>>>
>>> Watson, Dan wrote:
>>>
>>>> Hi All,
>>>>
>>>> I've lurked in the list history and cannot find anyone saying they have
>>>> gotten login restrictions working with Solaris 10 u8. Has anyone on here
>>>> successfully configured login restrictions on Solaris 10 u8 through u11?
>>>> I'm looking for specific instructions from someone who has gotten this to
>>>> work before.
>>>>
>>>> The two main routes to login restrictions I could find online are
>>>> netgroups or conditional LDAP queries in ldapclient.
>>>>
>>>> I initially tried netgroups but wasn't sure how to troubleshoot when
>>>> it didn't work. There don't seem to be any user-land tools to query
>>>> netgroups, and further investigation turned up an issue with OpenLDAP. It
>>>> seems the built-in Solaris 10 LDAP client expects schema RFC2307bis and not
>>>> the OpenLDAP standard RFC2307 (explanation here
>>>> http://www.openldap.org/lists/openldap-software/200501/msg00309.html).
>>>> Does anyone know if this issue applies to IPA? Or how I check?
>>>>
>>>> The alternative of passing a restrictive query to ldapclient seems like
>>>> a good route but doesn't seem to work. The common solution when using the
>>>> old SunOne directory server was to pass the ldapclient (command line LDAP
>>>> configuration tool) an option like
>>>> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
>>>> (from here https://community.oracle.com/thread/2014224?start=0&tstart=0)
>>>> which is supposed to restrict account checking to only people in
>>>> ou=people,o=myorg,c=de who are also members of
>>>> cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to
>>>> work in IPA, first of all because there is no "isMemberof" attribute on a
>>>> user, but it also doesn't work on other attributes like uid or uidNumber. One
>>>> possible explanation I've found is that these attributes are not indexed,
>>>> but I have no idea if this is correct or how to add them to be indexed.
>>>>
>>>> Has anyone else solved this? I just need to be able to allow only a
>>>> specific user group to log in to the host. Unfortunately the ssh directive
>>>> "AllowGroups" is not good enough; this has to be system-wide, as we also
>>>> have samba and some other services that rely on system authentication.
>>>>
>>>> Can anyone be of some help?
>>>>
>>>> Thanks!
>>>> Dan
>>>>
>>> You can use getent netgroup <name> to get a specific netgroup.
>>>
>>> Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com
>>>
>>> rob
>>>
>>>
>>
>> --
>>  Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
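Added example (not code from the thread or from the FreeIPA project): Rob's suggested check is an ldapsearch against cn=<name>,cn=ng,cn=compat,<suffix>, which returns an nisNetgroup entry made of nisNetgroupTriple values of the form (host,user,domain) plus memberNisNetgroup references to nested netgroups. The script below parses LDIF of that shape offline and answers innetgr()-style questions ("is user X in netgroup Y?") with the NIS field rules (empty field is a wildcard, "-" never matches), follows nested netgroups, and refuses to loop on a self-referencing group. It goes beyond the thread in handling nesting and cycles. The LDIF, the netgroup names and the example.com host and user names are constructed for the example and are not real directory data.

```python
"""Offline check of FreeIPA compat-tree netgroups (added example).

FreeIPA's compat plugin publishes each netgroup under
cn=<name>,cn=ng,cn=compat,<suffix> as an nisNetgroup entry whose
nisNetgroupTriple values look like (host,user,domain) and whose
memberNisNetgroup values name nested netgroups. This module parses LDIF of
that shape and answers innetgr()-style membership queries with NIS
semantics: an empty field is a wildcard, '-' never matches.
"""
import re
from dataclasses import dataclass, field

# Constructed sample LDIF (not real directory data). It mimics what
# `ldapsearch -x -b cn=ng,cn=compat,dc=example,dc=com` returns from FreeIPA
# for three hypothetical netgroups; the last one deliberately references
# itself to exercise the loop protection.
SAMPLE_LDIF = """\
dn: cn=unixadmins,cn=ng,cn=compat,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: unixadmins
nisNetgroupTriple: (-,alice,example.com)
nisNetgroupTriple: (-,bob,example.com)
memberNisNetgroup: ops

dn: cn=ops,cn=ng,cn=compat,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: ops
nisNetgroupTriple: (-,carol,example.com)
nisNetgroupTriple: (host1.example.com,-,example.com)

dn: cn=loop,cn=ng,cn=compat,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: loop
memberNisNetgroup: loop
"""

TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


@dataclass
class Netgroup:
    name: str
    triples: list = field(default_factory=list)  # (host, user, domain) tuples
    members: list = field(default_factory=list)  # nested netgroup names


def parse_ldif(text):
    """Parse blank-line separated LDIF entries into {cn: Netgroup}."""
    groups = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep:
                continue
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "nisnetgroup" not in [o.lower() for o in attrs.get("objectclass", [])]:
            continue  # skip anything that is not a netgroup entry
        ng = Netgroup(attrs["cn"][0])
        for raw in attrs.get("nisnetgrouptriple", []):
            m = TRIPLE_RE.match(raw)
            if not m:
                raise ValueError("malformed nisNetgroupTriple: %r" % raw)
            ng.triples.append(tuple(m.groups()))
        ng.members = attrs.get("membernisnetgroup", [])
        groups[ng.name] = ng
    return groups


def _field_matches(pattern, wanted):
    """NIS triple field rules: '' matches anything, '-' matches nothing,
    and a None query value means the caller does not care about the field."""
    if wanted is None or pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern.lower() == wanted.lower()


def innetgr(groups, name, host=None, user=None, domain=None, _seen=None):
    """True if some triple in `name` (or a nested netgroup) matches every
    field the caller specified, like libc innetgr(3). Unknown names and
    cycles are treated as 'not a member'."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return False
    _seen.add(name)
    ng = groups[name]
    for h, u, d in ng.triples:
        if _field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain):
            return True
    return any(innetgr(groups, m, host, user, domain, _seen) for m in ng.members)


def expand_users(groups, name, _seen=None):
    """Flatten a netgroup (recursively) to the set of user names it grants."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return set()
    _seen.add(name)
    users = {u for _, u, _ in groups[name].triples if u not in ("", "-")}
    for m in groups[name].members:
        users |= expand_users(groups, m, _seen)
    return users


if __name__ == "__main__":
    g = parse_ldif(SAMPLE_LDIF)
    for who in ("alice", "carol", "mallory"):
        print(who, "in unixadmins:", innetgr(g, "unixadmins", user=who))
    print("users granted by unixadmins:", sorted(expand_users(g, "unixadmins")))
```

To use it against a real server, feed the output of Rob's ldapsearch (run against the cn=ng,cn=compat subtree) to parse_ldif instead of SAMPLE_LDIF. Note that FreeIPA emits separate user-only triples, (-,user,domain), and host-only triples, (host,-,domain), so a query that specifies both host and user matches nothing; a login policy built on these netgroups should query only the field it actually restricts on, which is what the user-membership checks in the thread do.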