SUMMARY (update-2): Solaris-9 acting as LDAP-client from Win-2003 AD

From: rob.de.langhe@belgacom.be
Date: Wed Jun 15 2005 - 12:51:07 EDT


Still forgot one final thing to mention:

our AD-administrators loaded the schema-extensions into their AD to make
it RFC2307 compliant. Otherwise queries for attributes like
"homeDirectory" or "loginShell" would get no results. And that's exactly
what your UNIX client will be asking for when you login with an account
defined in AD.

Rob

-----Original Message-----
From: DE LANGHE Rob (ITD/OSD)
Sent: 15 June 2005 12:41
To: sunmanagers@sunmanagers.org
Subject: SUMMARY (update): Solaris-9 acting as LDAP-client from Win-2003 AD

To get rid of the error messages from "ldap_cachemgr" complaining that
it cannot refresh from a profile, install patch 112960-30

case closed.

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org
[mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of
rob.de.langhe@belgacom.be
Sent: 15 June 2005 09:59
To: sunmanagers@sunmanagers.org
Subject: SUMMARY: Solaris-9 acting as LDAP-client from Win-2003 AD

Found it myself:

1) since the Active-Directory doesn't have the right definition for the
ObjectClass "DUAConfigProfile", I could not use it to store
configuration profiles as typically done with an iPlanet directory
server.
Instead I ran "ldapclient manual ..." with all the attributes listed on
the command line to generate the files "/var/ldap/ldap_client_file" and
"/var/ldap/ldap_client_cred".

The resulting file "ldap_client_file" contains:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 45.34.54.69
NS_LDAP_SEARCH_BASEDN= dc=r2-bgc,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=unix,dc=r2-bgc,dc=net
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user

Warning: the "ldapclient" command reworks your nsswitch.conf file,
(re-)launches sendmail and (re-)launches the automounter. So, edit
nsswitch.conf so that it contains

passwd: files ldap
group: files ldap
hosts: files dns
(the rest points to "files" only)

and stop auto-mounter (if you don't need it)

The "ldap_cachemgr" will be started, and will complain about the missing
profile in the LDAP server:

Jun 15 09:14:13 ecarsf ldap_cachemgr[2393]: [ID 722288 daemon.error]
Error: Unable to refresh from profile:__default_config. (error=2)

(I have SUN now searching on how to avoid that)

Finally, tweak /etc/pam.conf to have it as follows (mind you that we
also integrated with Kerberos authentication from the Windows-based KDC):

other auth requisite pam_authtok_get.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1 use_first_pass
passwd auth required pam_passwd_auth.so.1
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

And off you go !!

Rob
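As an added example (not from Rob's mail or anything on the sunmanagers list), here is a POSIX sh script that checks the two files "ldapclient manual" writes and resolves the effective /etc/pam.conf stack for a given service. The sample files are constructed from the values quoted in the summary above; the proxy DN and password in the constructed ldap_client_cred are placeholders, and mktemp, awk and ls are assumed to be available. It goes one step beyond the summary by applying the Solaris pam.conf fallback rule (a service's own entries for a module type replace the "other" entries for that type), which shows that the "cron account" lines in the posted stack never reach pam_ldap.so.1.

```shell
#!/bin/sh
# Added example, not part of the original thread: post-install checks for a
# Solaris LDAP client configured with "ldapclient manual" against AD.
# Sample files below are constructed from the values quoted in the summary;
# mktemp/awk/ls are assumed to be available (any POSIX sh).
set -u

SAMPLE_DIR=$(mktemp -d)

# Constructed copy of /var/ldap/ldap_client_file (values from the thread).
cat > "$SAMPLE_DIR/ldap_client_file" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 45.34.54.69
NS_LDAP_SEARCH_BASEDN= dc=r2-bgc,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=unix,dc=r2-bgc,dc=net
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
EOF

# Constructed stand-in for /var/ldap/ldap_client_cred (it holds the proxy DN
# and password, so its mode matters); the DN and password are placeholders.
printf 'NS_LDAP_BINDDN= cn=PLACEHOLDER-PROXY,dc=r2-bgc,dc=net\nNS_LDAP_BINDPASSWD= PLACEHOLDER\n' \
    > "$SAMPLE_DIR/ldap_client_cred"
chmod 600 "$SAMPLE_DIR/ldap_client_cred"

# Constructed /etc/pam.conf carrying the stack from the summary.
cat > "$SAMPLE_DIR/pam.conf" <<'EOF'
other auth requisite pam_authtok_get.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1 use_first_pass
passwd auth required pam_passwd_auth.so.1
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
EOF

# ldap_get FILE KEY: value of a NS_LDAP_* key (the file writes "KEY= value").
ldap_get() {
    awk -v k="$2" 'index($0, k "=") == 1 { sub(/^[^=]*= */, ""); print; exit }' "$1"
}

# audit_ldap_client CLIENT_FILE CRED_FILE: findings go to stderr, the number
# of findings to stdout so a caller can test it.
audit_ldap_client() {
    n=0
    if [ "$(ldap_get "$1" NS_LDAP_AUTH)" = simple ]; then
        # A "simple" bind sends the proxy password in clear text on every
        # lookup; "tls:simple" keeps the same mechanism but inside TLS.
        echo "WARN: NS_LDAP_AUTH=simple, proxy password crosses the wire unencrypted" >&2
        n=$((n + 1))
    fi
    if [ "$(ldap_get "$1" NS_LDAP_SEARCH_REF)" != FALSE ]; then
        echo "WARN: referral chasing enabled, lookups may be redirected" >&2
        n=$((n + 1))
    fi
    # The credential file must be readable by its owner (root) only: mode 0600.
    if [ "$(ls -ld "$2" | cut -c2-10)" != "rw-------" ]; then
        echo "WARN: $2 is not mode 0600" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# pam_stack FILE SERVICE TYPE: the "control module [options]" lines Solaris
# PAM applies for that service and module type: the service's own entries if
# it has any of that type, otherwise the "other" entries (pam.conf fallback).
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        $1 !~ /^#/ && NF >= 4 && $2 == typ {
            line = $3; for (i = 4; i <= NF; i++) line = line " " $i
            if ($1 == svc) own[++n] = line
            else if ($1 == "other") oth[++m] = line
        }
        END {
            if (n > 0) for (i = 1; i <= n; i++) print own[i]
            else for (i = 1; i <= m; i++) print oth[i]
        }' "$1"
}

# pam_count FILE SERVICE TYPE MODULE: how often MODULE appears in that stack.
pam_count() {
    pam_stack "$1" "$2" "$3" | awk -v mod="$4" '$2 == mod { c++ } END { print c + 0 }'
}

# Stand-alone run: one finding (the simple bind), and the cron account stack
# is shown not to load pam_ldap.so.1 because cron has its own account lines.
audit_ldap_client "$SAMPLE_DIR/ldap_client_file" "$SAMPLE_DIR/ldap_client_cred"
echo "login account loads pam_ldap.so.1: $(pam_count "$SAMPLE_DIR/pam.conf" login account pam_ldap.so.1)"
echo "cron account loads pam_ldap.so.1:  $(pam_count "$SAMPLE_DIR/pam.conf" cron account pam_ldap.so.1)"
```

Run it against the real files by passing /var/ldap/ldap_client_file, /var/ldap/ldap_client_cred and /etc/pam.conf to the functions instead of the constructed samples; the "simple" finding goes away once the bind is switched to tls:simple with the AD server's certificate installed.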

________________________________

From: DE LANGHE Rob (ITD/OSD)
Sent: 14 June 2005 15:34
To: sunmanagers@sunmanagers.org
Subject: Solaris-9 acting as LDAP-client from Win-2003 AD

Next step in our UNIX/Windows integration efforts for user accounts:
having the Solaris-9 server find out correctly user attributes via LDAP
from a Windows-2003 SP3 based Active Directory:

the use of a proxy-account works fine to bind itself with the AD-server
for querying about a user.

However, the LDAP-query which is sent by the SUN to the AD when I do,
for example, the command

id testaccount

or

finger testaccount

contains stuff like

SolarisUserAttr SolarisUserQualifier SolarisAttrReserved1
SolarisAttrReserved2 SolarisAttrKeyValue

which -of course- is happily rejected by the AD as unknown thingies.

Any ideas ?

Rob

**** DISCLAIMER ****
http://www.belgacom.be/maildisclaimer
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:54 EDT