Solaris 8 with OpenLDAP: Configuring Solaris
You'll be happy to know that this is the easy part. Before we get started, do the following:
- Make sure ldap_cachemgr is NOT running. Kill it if it is running by executing:
# /etc/init.d/ldap.client stop
- To make sure it doesn't start up when we're not looking, issue the following command:
# chmod 444 /usr/lib/ldap/ldap_cachemgr
- Before re-enabling ldap_cachemgr, you should read the Notes about ldap_cachemgr.
For now, we're going to rebel against Sun and edit this file (/var/ldap/ldap_client_file) manually. Here is a sample file:
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 127.0.0.1:389
NS_LDAP_SEARCH_BASEDN= dc=viawest,dc=net
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_DOMAIN= viawest.net
NS_LDAP_EXP= 987802213
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=ViaWest,dc=Net)
NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=ViaWest,dc=Net)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
In order, these mean:
- NS_LDAP_FILE_VERSION= 1.0: Just the version number of the config file.
- NS_LDAP_SERVERS= 127.0.0.1:389: This is the IP address and port of the LDAP server that Solaris should use to look up NIS information. You can specify multiple servers by adding additional NS_LDAP_SERVERS lines. For example:
NS_LDAP_SERVERS= 127.0.0.1:389
NS_LDAP_SERVERS= 192.168.0.1:389
- NS_LDAP_SEARCH_BASEDN= dc=viawest,dc=net: This specifies the BaseDN of the search which Solaris uses when looking up NIS domain information.
- NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE: This is the bind authentication method that Solaris will use to bind to the LDAP server. If you're not sure what this means, don't change it. Available options are:
  - NS_LDAP_AUTH_NONE
  - NS_LDAP_AUTH_SIMPLE
  - NS_LDAP_AUTH_SASL_CRAM_MD5
  - NS_LDAP_AUTH_SASL_GSSAPI
  - NS_LDAP_AUTH_SASL_SPNEGO
  - NS_LDAP_AUTH_TLS
- NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE: This specifies that you will not be using any type of Transport Layer Security (TLS) for your directory service lookups. Configuring SSL queries is beyond the scope of this document. Available options are:
  - NS_LDAP_SEC_NONE
  - NS_LDAP_SEC_TLS
  - NS_LDAP_SEC_SASL_INTEGRITY
  - NS_LDAP_SEC_SASL_PRIVACY
- NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF: This tells Solaris that it should follow referrals. If you don't know what this means, don't change this option. Available options are:
  - NS_LDAP_FOLLOWREF
  - NS_LDAP_NOREF
- NS_LDAP_DOMAIN= viawest.net: This represents the NIS domain of the server. This MUST be the same as the nisDomain object which you have in your base.ldif file.
- NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=ViaWest,dc=Net): This tells Solaris which BaseDN it should use when looking up "passwd" entries. Before changing this search from ou=People, be sure to read Notes about ldap_cachemgr.
- NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=ViaWest,dc=Net): This tells Solaris which BaseDN it should use when looking up "shadow" entries. Before changing this search from ou=People, be sure to read Notes about ldap_cachemgr.
NOTE: you can also specify things such as "group", "hosts", "ipnodes", and almost any other type of NIS information found in the nsswitch.conf file. This configuration is beyond the scope of this document.
- NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE: This tells Solaris to use an LDAP search scope of "subtree". Available options are:
  - NS_LDAP_SCOPE_BASE
  - NS_LDAP_SCOPE_ONELEVEL
  - NS_LDAP_SCOPE_SUBTREE
- NS_LDAP_SEARCH_TIME= 30: This is the maximum amount of time (in seconds) that Solaris will wait for a search to return. I haven't fully tested the redundancy in Solaris' nss_ldap, but so far it seems to work as expected. There will be more on redundancy later.
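Before pointing nsswitch.conf at LDAP, it is worth checking the client file for the settings discussed above that matter most: a simple bind with NS_LDAP_SEC_NONE puts the bind password on the wire in cleartext, a single NS_LDAP_SERVERS entry is a single point of failure for every lookup, and each NS_LDAP_SEARCH_DN should sit under NS_LDAP_SEARCH_BASEDN. The script below is an added example, not part of the original tutorial or of Solaris; it audits a constructed copy of the sample file shown above.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check an
# ldap_client_file before enabling "passwd: files ldap" in nsswitch.conf.
# SAMPLE_CLIENT_FILE is constructed to mirror the sample file shown above.

SAMPLE_CLIENT_FILE='NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 127.0.0.1:389
NS_LDAP_SEARCH_BASEDN= dc=viawest,dc=net
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_DOMAIN= viawest.net
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=ViaWest,dc=Net)
NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=ViaWest,dc=Net)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30'

# get_key CONTENT KEY: print every value of KEY, one per line. Values may
# themselves contain "=", so only the "KEY= " prefix is stripped.
get_key() {
    printf '%s\n' "$1" | sed -n "s/^$2= *//p"
}

# audit_client_file CONTENT: print one WARN line per weak or inconsistent
# setting; always exits 0 so callers can simply count the lines.
audit_client_file() {
    auth=$(get_key "$1" NS_LDAP_AUTH)
    sec=$(get_key "$1" NS_LDAP_TRANSPORT_SEC)
    base=$(get_key "$1" NS_LDAP_SEARCH_BASEDN | tr 'A-Z' 'a-z')
    # A simple bind without TLS sends NS_LDAP_BINDPASSWD in cleartext.
    if [ "$auth" = NS_LDAP_AUTH_SIMPLE ] && [ "$sec" = NS_LDAP_SEC_NONE ]; then
        echo "WARN: simple bind over NS_LDAP_SEC_NONE sends the bind password in cleartext"
    fi
    # One server means one point of failure for every name-service lookup.
    if [ "$(get_key "$1" NS_LDAP_SERVERS | wc -l | tr -d ' ')" -lt 2 ]; then
        echo "WARN: only one NS_LDAP_SERVERS entry; lookups fail if it is down"
    fi
    # Each per-database search DN must sit under the search base. DNs are
    # compared case-insensitively, as the directory does.
    get_key "$1" NS_LDAP_SEARCH_DN | while IFS= read -r entry; do
        dn=$(printf '%s' "$entry" | sed 's/^[a-z]*:(\(.*\))$/\1/' | tr 'A-Z' 'a-z')
        case "$dn" in
            *"$base") ;;
            *) echo "WARN: search DN '$entry' is outside NS_LDAP_SEARCH_BASEDN" ;;
        esac
    done
    return 0
}

audit_client_file "$SAMPLE_CLIENT_FILE"
```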
Here is a sample ldap_client_cred file:
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=viawest,dc=net
NS_LDAP_BINDPASSWD= {NS1}a1ee08dc7d61
The NS_LDAP_BINDDN is the DN that Solaris will use to bind to the directory server. NS_LDAP_BINDPASSWD is an ENCRYPTED password that Solaris uses when binding. To generate this password, issue the following command:
# ldap_gen_profile -P profile -b dc=viawest,dc=net -w abc123 127.0.0.1
That will print out:
dn: cn=profile,ou=profile,dc=viawest,dc=net
SolarisBindPassword: {NS1}a1ee08dc7d61
SolarisLDAPServers: 127.0.0.1
SolarisSearchBaseDN: dc=viawest,dc=net
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: profile
ObjectClass: top
ObjectClass: SolarisNamingProfile
All you need is the "SolarisBindPassword" value for now. This is the "encrypted" version of "abc123" which we used in our previous example. Note that the {NS1} encoding is an obfuscation rather than strong encryption, so treat ldap_client_cred as sensitive and keep it readable only by root.
Finally, we need to add ldap to the /etc/nsswitch.conf file. Open up /etc/nsswitch.conf, and modify the line for passwd to:
passwd: files ldap
Now, restart nscd:
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
Ok, now you should be able to look up POSIX accounts from your LDAP directory. To test this, try to id a user that is not in your local passwd file. Another way to test this is with the Solaris listusers. Just type:
# /usr/bin/listusers
And you should see a full list of users from the passwd file and the LDAP directory.