SUMMARY: Solaris-9 acting as LDAP-client from Win-2003 AD

From: rob.de.langhe@belgacom.be
Date: Wed Jun 15 2005 - 03:59:29 EDT


Found it myself:

1) Since the Active Directory doesn't have the right definition for the
ObjectClass "DUAConfigProfile", I could not use it to store
configuration profiles as is typically done with an iPlanet directory
server.
Instead I ran "ldapclient manual ..." with all the attributes listed on
the command line to generate the files "/var/ldap/ldap_client_file" and
"/var/ldap/ldap_client_cred".

The resulting file "ldap_client_file" contains:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 45.34.54.69
NS_LDAP_SEARCH_BASEDN= dc=r2-bgc,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=unix,dc=r2-bgc,dc=net
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user

Warning: the "ldapclient" command reworks your nsswitch.conf file,
(re-)launches sendmail and (re-)launches the automounter. So, edit
nsswitch.conf so that it contains

passwd: files ldap
group: files ldap
hosts: files dns
(the rest points to "files" only)

and stop the automounter (if you don't need it).

The "ldap_cachemgr" will be started, and will complain about the missing
profile in the LDAP server:

Jun 15 09:14:13 ecarsf ldap_cachemgr[2393]: [ID 722288 daemon.error]
Error: Unable to refresh from profile:__default_config. (error=2)

(I now have SUN searching for how to avoid that.)

Finally, tweak /etc/pam.conf to have it as follows (mind you that we
also integrated with Kerberos authentication from the Windows-based
KDC):

other auth requisite pam_authtok_get.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1 use_first_pass
passwd auth required pam_passwd_auth.so.1
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

And off you go!!

Rob
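As an added illustration (not part of Rob's post), the script below parses a file in the ldap_client_file format shown above, flags the two settings a reviewer would question before pointing a box at AD (a proxy bind over plain "simple" auth sends the proxy password in clear text; referral chasing lets the client bind to servers you did not list), and rebuilds the "ldapclient manual" invocation that produces such a file. The NS_LDAP_* key to "-a" attribute mapping is my reading of ldapclient(1M), the sample file is constructed, and the proxy DN is a placeholder.

```python
import shlex

# Constructed sample in the same key= value format as the posted ldap_client_file.
SAMPLE_CLIENT_FILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 45.34.54.69
NS_LDAP_SEARCH_BASEDN= dc=r2-bgc,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=unix,dc=r2-bgc,dc=net
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
"""

# NS_LDAP_* file keys -> ldapclient(1M) "-a" attribute names (assumed mapping).
KEY_TO_ATTR = {
    "NS_LDAP_SEARCH_BASEDN": "defaultSearchBase",
    "NS_LDAP_AUTH": "authenticationMethod",
    "NS_LDAP_SEARCH_REF": "followReferrals",
    "NS_LDAP_SEARCH_SCOPE": "defaultSearchScope",
    "NS_LDAP_CREDENTIAL_LEVEL": "credentialLevel",
    "NS_LDAP_SERVICE_SEARCH_DESC": "serviceSearchDescriptor",
    "NS_LDAP_OBJECTCLASSMAP": "objectclassMap",
}

def parse_client_file(text):
    """Return {key: [values]}; repeatable keys (search descriptors, maps) keep every line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def audit(conf):
    """Return findings about settings that weaken the client-to-AD binding."""
    findings = []
    level = conf.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0]
    if level == "proxy" and "simple" in conf.get("NS_LDAP_AUTH", []):
        findings.append("proxy bind without TLS: proxy password crosses the wire in clear text")
    if conf.get("NS_LDAP_SEARCH_REF", ["FALSE"])[0].upper() == "TRUE":
        findings.append("referral chasing enabled: client may bind to servers not in NS_LDAP_SERVERS")
    return findings

def ldapclient_command(conf, proxy_dn):
    """Rebuild the 'ldapclient manual' command line that would generate this file."""
    args = ["ldapclient", "manual"]
    for key, attr in KEY_TO_ATTR.items():
        for value in conf.get(key, []):
            args += ["-a", f"{attr}={value}"]
    args += ["-a", f"proxyDN={proxy_dn}", "-a", "proxyPassword=<from ldap_client_cred>"]
    args += conf.get("NS_LDAP_SERVERS", [])  # server list is the positional argument
    return " ".join(shlex.quote(a) for a in args)
```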

________________________________

From: DE LANGHE Rob (ITD/OSD)
Sent: 14 June 2005 15:34
To: sunmanagers@sunmanagers.org
Subject: Solaris-9 acting as LDAP-client from Win-2003 AD

Next step in our UNIX/Windows integration efforts for user accounts:
having the Solaris-9 server correctly find out user attributes via LDAP
from a Windows-2003 SP3 based Active Directory:

The use of a proxy account works fine for binding to the AD server
to query for a user.

However, the LDAP-query which is sent by the SUN to the AD when I do,
for example, the command

id testaccount

or

finger testaccount

contains stuff like

SolarisUserAttr SolarisUserQualifier SolarisAttrReserved1
SolarisAttrReserved2 SolarisAttrKeyValue

which, of course, is happily rejected by the AD as unknown thingies.

Any ideas?

Rob

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:54 EDT