Solaris 8 with OpenLDAP: Configuring Solaris

Configuring Solaris

You'll be happy to know that this is the easy part. Before we get started, do the following:
  1. Make sure ldap_cachemgr is NOT running. Kill it if it is running by executing:
    # /etc/init.d/ldap.client stop
    
  2. To make sure it doesn't start up when we're not looking, issue the following command:
    # chmod 444 /usr/lib/ldap/ldap_cachemgr
    
  3. Before re-enabling ldap_cachemgr, you should read the Notes about ldap_cachemgr
There are really only two files to create to set up Solaris to query LDAP. The first is /var/ldap/ldap_client_file. All of the Solaris documentation says not to edit ldap_client_file manually. Don't worry about that too much for now; see the Notes about ldap_cachemgr. Notice how hard I'm pushing the ldap_cachemgr information on you. If you haven't read it by now, you may want to consider it.

For now, we're going to rebel against Sun and edit this file manually. Here is a sample file:

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 127.0.0.1:389
NS_LDAP_SEARCH_BASEDN= dc=viawest,dc=net
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_DOMAIN= viawest.net
NS_LDAP_EXP= 987802213
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=ViaWest,dc=Net)
NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=ViaWest,dc=Net)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
In order, these mean:
  • NS_LDAP_FILE_VERSION= 1.0: Just the version number of the config file

  • NS_LDAP_SERVERS= 127.0.0.1:389: This is the IP address and port of the LDAP server that Solaris queries for its NIS-style naming-service data. You can specify multiple servers by adding additional NS_LDAP_SERVERS lines; they are tried in the order listed. For example:
    NS_LDAP_SERVERS= 127.0.0.1:389
    NS_LDAP_SERVERS= 192.168.0.1:389
    
  • NS_LDAP_SEARCH_BASEDN= dc=viawest,dc=net: This is the base DN from which Solaris searches when it looks up naming-service data. The per-database NS_LDAP_SEARCH_DN lines below override it for the databases they name.

  • NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE: This is the bind authentication method that Solaris will use to bind to the LDAP server. If you're not sure what this means, don't change it. Available options are:
    • NS_LDAP_AUTH_NONE
    • NS_LDAP_AUTH_SIMPLE
    • NS_LDAP_AUTH_SASL_CRAM_MD5
    • NS_LDAP_AUTH_SASL_GSSAPI
    • NS_LDAP_AUTH_SASL_SPNEGO
    • NS_LDAP_AUTH_TLS

  • NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE: This specifies that no transport security (TLS) is used for your directory lookups. With NS_LDAP_SEC_NONE and NS_LDAP_AUTH_SIMPLE, both the lookup traffic and the bind DN's password cross the network in cleartext, so this combination is only acceptable on a trusted network (in the sample above the server is on the loopback interface). Configuring SSL queries is beyond the scope of this document. Available options are:
    • NS_LDAP_SEC_NONE
    • NS_LDAP_SEC_TLS
    • NS_LDAP_SEC_SASL_INTEGRITY
    • NS_LDAP_SEC_SASL_PRIVACY

  • NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF: This tells Solaris that it should follow referrals. If you don't know what this means, don't change this option. Available options are:
    • NS_LDAP_FOLLOWREF
    • NS_LDAP_NOREF

  • NS_LDAP_DOMAIN= viawest.net: This is the NIS domain name. It MUST be the same as the nisDomain value you put in your base.ldif file, or the client will not find its domain entry.

  • NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=ViaWest,dc=Net): This tells Solaris which BaseDN it should use when looking up "passwd" entries. Before changing this search from ou=People, be sure to read Notes about ldap_cachemgr.

  • NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=ViaWest,dc=Net): This tells Solaris which BaseDN it should use when looking up "shadow" entries. Before changing this search from ou=People, be sure to read Notes about ldap_cachemgr.

    NOTE: you can also specify things such as "group," "hosts," "ipnodes," and almost any other type of NIS information found in the nsswitch.conf file. This configuration is beyond the scope of this document.

  • NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE: This tells Solaris to use an LDAP search scope of "subtree." Available options are:
    • NS_LDAP_SCOPE_BASE
    • NS_LDAP_SCOPE_ONELEVEL
    • NS_LDAP_SCOPE_SUBTREE

  • NS_LDAP_SEARCH_TIME= 30: This is the maximum time, in seconds, that Solaris will wait for a search to return before giving up on that server. I haven't fully tested the redundancy in Solaris' nss_ldap, but so far it seems to work as expected. There will be more on redundancy later.

The next file to create and edit is the /var/ldap/ldap_client_cred file. Again, Sun warns us not to edit this file manually, and yet again, we're not going to heed their warnings (for now).

Here is a sample ldap_client_cred file:

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=viawest,dc=net
NS_LDAP_BINDPASSWD= {NS1}a1ee08dc7d61
The NS_LDAP_BINDDN is the DN that Solaris will use to bind to the directory server. NS_LDAP_BINDPASSWD is that DN's password in Sun's {NS1} encoding. The encoding is an obfuscation, not real encryption: the client has to recover the cleartext to perform a simple bind, so anyone who can read this file holds the bind credential. Keep it owned by root with mode 400, as ldapclient would create it. To generate the encoded value, issue the following command:
# ldap_gen_profile -P profile -b dc=viawest,dc=net -w abc123 127.0.0.1
That will print out:
dn: cn=profile,ou=profile,dc=viawest,dc=net
SolarisBindPassword: {NS1}a1ee08dc7d61
SolarisLDAPServers: 127.0.0.1
SolarisSearchBaseDN: dc=viawest,dc=net
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: profile
ObjectClass: top
ObjectClass: SolarisNamingProfile
All you need is the "SolarisBindPassword" value for now. This is the {NS1} encoding of "abc123", the password we passed with -w in the command above. Ignore the rest of the profile output; the settings it shows are the tool's defaults, not the ones in our ldap_client_file.

Finally, we need to tell the name service switch to consult LDAP. Open /etc/nsswitch.conf and modify the line for passwd to the following. Keep files first so that local accounts (root in particular) still resolve when the directory is unreachable:

passwd:     files ldap

Now, restart nscd:

# /etc/init.d/nscd stop
# /etc/init.d/nscd start
Ok, now you should be able to look up POSIX accounts from your LDAP directory. To test this, run id on a user that exists only in the directory and not in your local passwd file. Another way to test is with the Solaris listusers command. Just type:
# /usr/bin/listusers
And you should see a full list of users from the passwd and the ldap directory.
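Since all three files above are edited by hand, here is a lint script for them. It is an added example, not code from this page, from Sun or from OpenLDAP: it checks each ldap_client_file keyword against the value sets listed in this section, flags the cleartext-bind combination, checks that ldap_client_cred has a bind DN, a {NS1}-encoded password and root-only permissions, and checks that the passwd line in nsswitch.conf lists files before ldap. The sample files it writes are constructed copies of the ones on this page, and the function and sample file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page or from Sun: a lint for the three
# files this section has you hand-edit. ldap_client_file keywords are checked against
# the value sets listed above and the cleartext-bind combination (NS_LDAP_AUTH_SIMPLE
# over NS_LDAP_SEC_NONE) is flagged; ldap_client_cred must name a bind DN, carry a
# {NS1}-encoded password and be unreadable by group and world; nsswitch.conf must list
# files before ldap for passwd. write_samples() writes constructed copies (DNs and
# addresses taken from this page) so it runs offline; function and sample names are mine.

AUTH_SET="NS_LDAP_AUTH_NONE NS_LDAP_AUTH_SIMPLE NS_LDAP_AUTH_SASL_CRAM_MD5 NS_LDAP_AUTH_SASL_GSSAPI NS_LDAP_AUTH_SASL_SPNEGO NS_LDAP_AUTH_TLS"
SEC_SET="NS_LDAP_SEC_NONE NS_LDAP_SEC_TLS NS_LDAP_SEC_SASL_INTEGRITY NS_LDAP_SEC_SASL_PRIVACY"
REF_SET="NS_LDAP_FOLLOWREF NS_LDAP_NOREF"
SCOPE_SET="NS_LDAP_SCOPE_BASE NS_LDAP_SCOPE_ONELEVEL NS_LDAP_SCOPE_SUBTREE"

in_set() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }   # in_set "a b c" word

# ldap_get FILE KEY -> every value of "KEY= value" in FILE, comment lines skipped
ldap_get() {
    awk -v key="$2" '/^#/ { next }
        index($0, key "=") == 1 { v = substr($0, length(key) + 2); sub(/^[ \t]+/, "", v); print v }' "$1"
}

# check_enum FILE KEY "allowed values" -> 0 if KEY holds one of the allowed values
check_enum() {
    v=$(ldap_get "$1" "$2")
    in_set "$3" "$v" && return 0
    echo "ERROR: $2 has unsupported value '$v'"; return 1
}

# check_client_file FILE -> prints findings; returns the number of ERROR lines (0 = clean)
check_client_file() {
    f=$1; errors=0
    for req in NS_LDAP_SERVERS NS_LDAP_SEARCH_BASEDN NS_LDAP_DOMAIN; do
        [ -n "$(ldap_get "$f" "$req")" ] || { echo "ERROR: $req is missing"; errors=$((errors + 1)); }
    done
    for srv in $(ldap_get "$f" NS_LDAP_SERVERS); do      # host or host:port, port numeric
        case $srv in *:*) case ${srv##*:} in
            ''|*[!0-9]*) echo "ERROR: NS_LDAP_SERVERS '$srv' has a bad port"; errors=$((errors + 1)) ;;
        esac ;; esac
    done
    check_enum "$f" NS_LDAP_AUTH "$AUTH_SET" || errors=$((errors + 1))
    check_enum "$f" NS_LDAP_TRANSPORT_SEC "$SEC_SET" || errors=$((errors + 1))
    check_enum "$f" NS_LDAP_SEARCH_REF "$REF_SET" || errors=$((errors + 1))
    check_enum "$f" NS_LDAP_SEARCH_SCOPE "$SCOPE_SET" || errors=$((errors + 1))
    case $(ldap_get "$f" NS_LDAP_SEARCH_TIME) in
        ''|*[!0-9]*) echo "ERROR: NS_LDAP_SEARCH_TIME is not a number"; errors=$((errors + 1)) ;;
    esac
    [ "$(ldap_get "$f" NS_LDAP_AUTH)" = NS_LDAP_AUTH_SIMPLE ] && [ "$(ldap_get "$f" NS_LDAP_TRANSPORT_SEC)" = NS_LDAP_SEC_NONE ] &&
        echo "WARN: simple bind over NS_LDAP_SEC_NONE sends the bind password in cleartext"
    # each "db:(dn)" search DN should sit under the base DN; DNs compare case-insensitively
    base=$(ldap_get "$f" NS_LDAP_SEARCH_BASEDN | tr '[:upper:]' '[:lower:]')
    ldap_get "$f" NS_LDAP_SEARCH_DN | tr '[:upper:]' '[:lower:]' | while IFS= read -r line; do
        dn=${line#*:}; dn=${dn#\(}; dn=${dn%\)}
        case $dn in *"$base") ;; *) echo "WARN: search DN '$dn' is outside '$base'" ;; esac
    done
    return $errors
}

# check_client_cred FILE -> returns the number of ERROR lines
check_client_cred() {
    f=$1; errors=0
    [ -n "$(ldap_get "$f" NS_LDAP_BINDDN)" ] || { echo "ERROR: NS_LDAP_BINDDN is missing"; errors=$((errors + 1)); }
    case $(ldap_get "$f" NS_LDAP_BINDPASSWD) in
        "{NS1}"*) ;;
        *) echo "ERROR: NS_LDAP_BINDPASSWD is not {NS1}-encoded (generate it with ldap_gen_profile -w)"; errors=$((errors + 1)) ;;
    esac
    # {NS1} is reversible: the client needs the cleartext for the simple bind, so the file is the secret
    [ -z "$(find "$f" \( -perm -040 -o -perm -004 \))" ] ||
        { echo "ERROR: $f is readable by group or world; chmod 400 it"; errors=$((errors + 1)); }
    return $errors
}

# check_nsswitch FILE -> 0 if the passwd database consults files before ldap
check_nsswitch() {
    src=$(awk '$1 == "passwd:" { $1 = ""; print; exit }' "$1")
    case " $src " in *" files"*" ldap"*) return 0 ;; esac
    echo "ERROR: passwd line is '${src# }', expected 'files ldap'"; return 1
}

# write_samples DIR -> constructed samples: a clean set plus one broken copy of each file
write_samples() {
    d=$1
    printf '%s\n' 'NS_LDAP_SERVERS= 127.0.0.1:389' 'NS_LDAP_SERVERS= 192.168.0.1:389' \
        'NS_LDAP_SEARCH_BASEDN= dc=viawest,dc=net' 'NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE' \
        'NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE' 'NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF' \
        'NS_LDAP_DOMAIN= viawest.net' 'NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=ViaWest,dc=Net)' \
        'NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=ViaWest,dc=Net)' \
        'NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE' 'NS_LDAP_SEARCH_TIME= 30' > "$d/ldap_client_file"
    sed -e 's/AUTH_SIMPLE/AUTH_SIMPEL/' -e 's/192.168.0.1:389/192.168.0.1:ldap/' -e '/NS_LDAP_DOMAIN/d' \
        "$d/ldap_client_file" > "$d/ldap_client_file.bad"          # misspelled auth, bad port, no domain
    printf '%s\n' 'NS_LDAP_BINDDN= cn=solaris,ou=ldapusers,dc=viawest,dc=net' \
        'NS_LDAP_BINDPASSWD= {NS1}a1ee08dc7d61' > "$d/ldap_client_cred"
    cp "$d/ldap_client_cred" "$d/ldap_client_cred.bad"             # same content, wrong mode
    chmod 400 "$d/ldap_client_cred"; chmod 644 "$d/ldap_client_cred.bad"
    printf 'passwd:     files ldap\ngroup:      files\n' > "$d/nsswitch.conf"
    printf 'passwd:     ldap files\n' > "$d/nsswitch.conf.bad"     # LDAP consulted before local files
}

dir=$(mktemp -d) && write_samples "$dir"                          # stand-alone run over the samples
for p in "$dir"/*; do
    case $p in *client_file*) check_client_file "$p" ;; *client_cred*) check_client_cred "$p" ;;
        *) check_nsswitch "$p" ;; esac || echo "$p: $? problem(s)"
done
rm -rf "$dir"
```

To lint a real client, point the three check functions at /var/ldap/ldap_client_file, /var/ldap/ldap_client_cred and /etc/nsswitch.conf instead of the samples. The clean sample still produces one WARN, because the configuration on this page deliberately uses a simple bind with no transport security.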

Previous: Populating OpenLDAP | Next: LDAP Cache Manager