Thanks for some really good answers, I'm up and running.

The original problem:

On 19/06/2009 15:04, Rob McMahon wrote:
> I have a need to set up some servers to authenticate against Novell's
> eDirectory via LDAP....
> The problem is `ldapclient', which seems to be the only
> approved way of setting this up, likes to change everything to be LDAP.
> I really want most services to still use NIS so that I don't have to
> persuade people to extend schemas, migrate all my data into eDir, and
> change all my administration procedures ... All I really want is
> authentication to go via LDAP, although I have the rest of the POSIX
> passwd attributes in eDir for the use of a bunch of Linux clients.
>
> The documents say
>
> "A NIS client and a Native LDAP client cannot co-exist on the same
> client machine."
>
> What ?? Why ?
>

Peter Winterflood recommends using kerberos rather than LDAP for authentication, but it's not really an option here. He also warned me that NIS is going away in Solaris 10+. Is this true ? I haven't seen any warnings.

Alper Suner sent me the link http://www.rodrickbrown.com/docs/Beginners_Guide_to_SunONE_DS.pdf, which looks pretty comprehensive, but is really for people using Sun's Directory Server and moving en-masse to LDAP, which I'm not quite yet.

Brian Miller pointed out that Novell have a product which can make the eDirectory effectively a slave NIS server, though I don't really want to add all the data to eDirectory just yet. Maybe soon. He also pointed me at www.padl.com for an LDAP client that works. Indeed that looks like a good option for people who can't get the native client to work, or just want to be consistent across platform.

Milan Jurik gave me the comfort that, despite the documents, it should be doable on Solaris 10+, and Ryan Anderson said it should work if the NIS and LDAP domains are the same. To be honest, I haven't actually worked out what the LDAP "domain" is used for ... He also suggested PADL.
Thanks to Peter van Gemert too for his input.

Andrew Laden sent me a really good cookbook, and between that and the hints from the above, I got there. I won't post it here without his permission, he might want to put it on the web somewhere. Basically:

Get the eDirectory CA certificate, which you can get using

    openssl s_client -showcerts -connect /server/:636

and grabbing the last certificate, as a .pem file. Convert to a .der file:

    openssl x509 -in serverca.pem -out serverca.der -outform der

Teach Solaris about it:

    /usr/sfw/bin/certutil -N -d /etc/ssl
    /usr/sfw/bin/certutil -A -n ServerCA -t C,C,C -i serverca.der -d /etc/ssl

Test with

    ldapsearch -b /base/ -P /etc/ssl -D /proxydn/ -h /server/ cn=/user/ uid uidNumber

The hostnames on the command line and returned by the server must match!

Take a copy of nsswitch.ldap, and copy nsswitch.conf to nsswitch.ldap. ldapclient will trash your nsswitch.conf and change everything to use ldap.

Run

    ldapclient -v manual -a certificatePath=/etc/ssl -a authenticationMethod=tls:simple \
        -a credentialLevel=proxy -a proxyDN=... -a proxyPassword=... \
        -a defaultServerList="..." -a preferredServerList="..." \
        -a defaultSearchBase=/base/ -a defaultSearchScope=sub
    svcadm restart nis/client

ldapclient helpfully stops nis/client. You won't be needing that after all, will you ...
When searching the directory, it appears to helpfully prepend ou=people to the default search base, so

    ldapclient mod -a serviceSearchDescriptor=passwd:/base/ -a serviceSearchDescriptor=shadow:/base/
    svcadm restart nis/client

We don't set the gecos attribute in our directory, we have fullName, so

    ldapclient mod -a attributeMap=passwd:gecos=fullName
    svcadm restart nis/client

The Solaris client, unlike PADL, wants users to have objectClass shadowAccount in addition to posixAccount, but the attributes don't really matter if you can do without the password aging, which apparently only works with Sun's directory anyway, so:

    ldapclient mod -a objectclassMap=passwd:shadowAccount=posixAccount -a objectclassMap=shadow:shadowAccount=posixAccount
    svcadm restart nis/client

Test with

    ldaplist passwd /user/

Once again, the hostnames must match. We have a load sharer in front of the authentication servers, and adding that didn't work, I had to add the list of servers explicitly.

If it doesn't work, and you're on a reasonably secure bit of the network, change -a authenticationMethod=simple, so you can see the LDAP traffic, dig out snoop and ethereal, and have fun. Don't forget to change it back, this will reveal the proxy user's password. In the next section, if you want to run like this, but hide "real" passwords, you can add -a serviceAuthenticationMethod=pam_ldap:tls:simple, to override the default.

Change /etc/pam.conf so that all the pam_unix_auth lines are made binding instead of required, and add the server_policy option, and add the pam_ldap lines after. This is documented in pam_ldap(5).

That's it. Freely mix ldap and nis in nsswitch.conf! Yeh.

The only thing I've found that doesn't work is the combination of passwd: compat ldap with the name service switch running. It works fine if you stop it.
It may seem a perverse thing to do, but was handy for testing by using NIS normally, but excluding test users with `/-user/' in the password file, forcing just that user to use LDAP.

I just wish there was a less brutal command than ldapclient to configure this.

Thanks again to all.

Rob

--
E-Mail: Rob.McMahon@warwick.ac.uk PHONE: +44 24 7652 3037
Rob McMahon, IT Services, Warwick University, Coventry, CV4 7AL, England
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Wed Jun 24 06:54:18 2009
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:14 EST
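An added example, not part of Rob's summary or of any Sun or Novell tooling: POSIX shell helpers for the certificate step above. They pick the last certificate (the CA) out of an `openssl s_client -showcerts` capture, convert it to DER for certutil, and compare the server certificate's subject CN with the hostname you intend to give ldapsearch and ldapclient, since the post twice notes that those names must match. It assumes `openssl`, `awk` and `sed` on PATH; the chain file name is whatever you saved the s_client output to.

```shell
#!/bin/sh
# Added example (not from the original post). `openssl s_client -showcerts`
# prints the whole chain with s_client's own text around each block; the CA
# imported with certutil in the summary is the last PEM block.

# Print the Nth PEM certificate block from FILE (N is a number or "last").
pem_block() {   # usage: pem_block CHAIN.txt N
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; buf = ""; inblk = 1 }
        inblk                         { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { inblk = 0; blk[n] = buf }
        END { if (want == "last") want = n; printf "%s", blk[want] }
    ' "$1"
}

# Number of certificates in a -showcerts capture (or any PEM bundle).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Save the last certificate of the chain as DER, ready for
#   /usr/sfw/bin/certutil -A -n ServerCA -t C,C,C -i serverca.der -d /etc/ssl
chain_ca_to_der() {   # usage: chain_ca_to_der CHAIN.txt serverca.der
    pem_block "$1" last | openssl x509 -inform pem -outform der -out "$2"
}

# Subject CN of the first certificate in FILE. In a -showcerts capture that
# is the server certificate; openssl x509 reads only the first PEM block and
# skips the s_client chatter before it.
server_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# True when the server certificate's subject CN equals the hostname you will
# pass with -h / defaultServerList. Only the CN is compared here;
# subjectAltName dNSName entries are not examined.
hostname_matches_cn() {   # usage: hostname_matches_cn CHAIN.txt ldap.example.org
    [ "$(server_cn "$1")" = "$2" ]
}
```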