Found it myself:

1) Since the Active Directory doesn't have the right definition for the ObjectClass "DUAConfigProfile", I could not use it to store configuration profiles as is typically done with an iPlanet directory server. Instead I ran "ldapclient manual ..." with all the attributes listed on the command line to generate the files "/var/ldap/ldap_client_file" and "/var/ldap/ldap_client_cred".

The resulting file "ldap_client_file" contains:

    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= 45.34.54.69
    NS_LDAP_SEARCH_BASEDN= dc=r2-bgc,dc=net
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 3600
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=unix,dc=r2-bgc,dc=net
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user

Warning: the "ldapclient" command reworks your nsswitch.conf file, (re-)launches sendmail and (re-)launches the automounter. So, edit nsswitch.conf so that it contains

    passwd: files ldap
    group:  files ldap
    hosts:  files dns

(the rest points to "files" only) and stop the automounter (if you don't need it).

The "ldap_cachemgr" will be started, and will complain about the missing profile in the LDAP server:

    Jun 15 09:14:13 ecarsf ldap_cachemgr[2393]: [ID 722288 daemon.error] Error: Unable to refresh from profile:__default_config. (error=2)

(I have SUN now searching on how to avoid that.)

Finally, tweak /etc/pam.conf to have it as follows (mind you that we also integrated with Kerberos authentication from the Windows-based KDC):

    other    auth      requisite   pam_authtok_get.so.1
    other    auth      sufficient  pam_unix_auth.so.1
    other    auth      required    pam_krb5.so.1 use_first_pass
    passwd   auth      required    pam_passwd_auth.so.1
    cron     account   required    pam_projects.so.1
    cron     account   required    pam_unix_account.so.1
    other    account   requisite   pam_roles.so.1
    other    account   required    pam_projects.so.1
    other    account   sufficient  pam_unix_account.so.1
    other    account   required    pam_ldap.so.1
    other    session   required    pam_unix_session.so.1
    other    password  required    pam_dhkeys.so.1
    other    password  requisite   pam_authtok_get.so.1
    other    password  requisite   pam_authtok_check.so.1
    other    password  required    pam_authtok_store.so.1

And off you go!!

Rob

________________________________
From: DE LANGHE Rob (ITD/OSD)
Sent: 14 June 2005 15:34
To: sunmanagers@sunmanagers.org
Subject: Solaris-9 acting as LDAP-client from Win-2003 AD

Next step in our UNIX/Windows integration efforts for user accounts: having the Solaris-9 server find out correctly user attributes via LDAP from a Windows-2003 SP3 based Active Directory.

The use of a proxy account works fine to bind itself with the AD server for querying about a user. However, the LDAP query which is sent by the SUN to the AD when I do, for example, the command

    id testaccount

or

    finger testaccount

contains stuff like

    SolarisUserAttr
    SolarisUserQualifier
    SolarisAttrReserved1
    SolarisAttrReserved2
    SolarisAttrKeyValue

which, of course, is happily rejected by the AD as unknown thingies.

Any ideas?

Rob

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Wed Jun 15 05:45:17 2005
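Added example, not part of Rob's post or of any Sun tool: a small Python simulation of how the Solaris pam.conf control flags evaluate the "other auth" and "other account" stacks he lists, using those stack lines as constructed input. It assumes the pam.conf(4) semantics that a requisite failure ends the stack at once, a required failure is remembered while later modules still run, and a sufficient success ends the stack with success only if no earlier required module has failed (a sufficient failure is ignored).

```python
# Added example (not the post's own code); assumes pam.conf(4) control-flag semantics.

# Constructed input: the "other auth" and "other account" lines from the post above.
PAM_CONF = """\
other auth    requisite  pam_authtok_get.so.1
other auth    sufficient pam_unix_auth.so.1
other auth    required   pam_krb5.so.1 use_first_pass
other account requisite  pam_roles.so.1
other account required   pam_projects.so.1
other account sufficient pam_unix_account.so.1
other account required   pam_ldap.so.1
"""


def parse_pam_conf(text: str) -> dict:
    """Group lines as (service, type) -> [(control, module), ...] in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        service, mtype, control, module = line.split()[:4]  # module options ignored
        stacks.setdefault((service, mtype), []).append((control, module))
    return stacks


def evaluate(stack: list, outcomes: dict) -> bool:
    """Final stack result given each module's own result (missing = failure)."""
    required_failed = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False  # requisite failure ends the stack immediately
        if control == "required" and not ok:
            required_failed = True  # remembered, but later modules still run
        if control == "sufficient" and ok and not required_failed:
            return True  # short-circuit success; a sufficient failure is ignored
    # Not modelled: stacks with no required/requisite module at all.
    return not required_failed


def auth_result(unix_ok: bool, krb5_ok: bool) -> bool:
    """'other auth' outcome once pam_authtok_get has collected the password."""
    return evaluate(parse_pam_conf(PAM_CONF)[("other", "auth")],
                    {"pam_authtok_get.so.1": True, "pam_unix_auth.so.1": unix_ok,
                     "pam_krb5.so.1": krb5_ok})


def account_result(projects_ok: bool, unix_ok: bool, ldap_ok: bool) -> bool:
    """'other account' outcome once pam_roles has passed."""
    return evaluate(parse_pam_conf(PAM_CONF)[("other", "account")],
                    {"pam_roles.so.1": True, "pam_projects.so.1": projects_ok,
                     "pam_unix_account.so.1": unix_ok, "pam_ldap.so.1": ldap_ok})
```

With this stack a local /etc/shadow match succeeds without pam_krb5 ever being consulted, and a successful pam_unix_account check skips pam_ldap entirely, which is worth knowing when reviewing which directory actually gates a login.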
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:48 EST