<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 09/02/2012 04:37 PM, Natxo Asenjo wrote: </div> <blockquote cite="mid:CAHBEJzU64GJLYUwpJxUw7eqC6zc0A7cnGp0j4rUD3E3q3tY-Vg@mail.gmail.com" type="cite">hi, Recently I have been playing with the zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code. I got the ldap client to work for retrieveing user/group info from ipa using the ldapclient command: # ldapclient manual \ -a authenticationMethod=none \ -a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \ -a domainName=ipa.asenjo.nx \ -a defaultServerList=kdc.ipa.asenjo.nx \ -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \ -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter] you need to enable the ldap/client service: # svcadm enable ldap/client:default [enter] After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group: passwd: files ldap group: files ldap That's it, test it: # id admin uid=642800000(admin) gid=642800000(admins) groups=642800000(admins) # getent passwd admin admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash So it works. The kerberos stuff will be next ... One thing I have not yet gotten to work is that these changes are not persistent accross reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf missess the ldap entries. So far I am fixing this from cfengine (gotta love it). So apparently, for solaris 10 and newer versions, the procedure outlined in <a moz-do-not-send="true" href="http://freeipa.com/page/ConfiguringSolarisClients">http://freeipa.com/page/ConfiguringSolarisClients</a> is no longer necessary as far as the ldap client is concerned. -- Groeten, natxo <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> Hi, I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots. There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example: <a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=815515">https://bugzilla.redhat.com/show_bug.cgi?id=815515</a> There is also some more info about configuring Solaris clients in this bugzilla: <a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=815533">https://bugzilla.redhat.com/show_bug.cgi?id=815533</a> The ldap/client service is enabled when you run the ldapclient script. There should be no need for doing this manually. When you run ldapclient, run it with the -v flag and look for errors. After a reboot, what does "svcs -xv ldap/client" output? Is the services is depend on in online state? "svcs -d ldap/client" What does /var/svc/log/network-ldap-client:default.log display after a reboot? What files do you have in /var/ldap? What is the content of the /var/ldap/ldap_client_file? Regards, Siggi </body> </html>