PADL nss_ldap under Solaris 10

From: Paul B. Henson (henson@acm.org)
Date: Fri Jan 18 2008 - 15:34:17 EST


We are trying to integrate Solaris 10 into an existing OpenLDAP based
system currently used by our Linux servers.

There are a couple of deficiencies in the native client that are pretty
much showstoppers.

First, there is no way to use TLS encryption for the client unless you are
also authenticating to the LDAP server.

It seems to me these two options should not be intertwined and serve
different purposes. The only reason to authenticate to the LDAP server is
if the naming services information required is not publicly readable.
However, you should *always* use TLS to verify the authenticity of the LDAP
server and prevent a malicious man in the middle from spoofing your
directory and feeding you invalid information. We are not going to deal
with the management overhead of creating/maintaining service accounts for
every Solaris server on campus that wishes to avail of central naming
services. However, it is unacceptable to run the client in a mode that does
not verify the server.

Second, our LDAP group implementation is based on rfc2307bis, and uses
groupOfNames/member to store group information, not posixGroup/memberUid.
Linux nss_ldap supports this perfectly, and in general I think it's a
better approach. The Solaris client does not support this, and hence is
unable to determine group memberships. I understand rfc2307bis was not
finalized, but given how widely it is deployed and supported by other UNIX
implementations it seems silly of Sun to ignore it.

At this point, I am thinking about ripping out Sun's native client and
trying to install PADL's nss_ldap, which works great under Linux and would
much better meet our needs.

It looks like it should support Solaris 10, but before I invest a lot of
time in it I was wondering if anyone knew of any incompatibility issues
that would prevent its use? Or of any way to make Sun's native client meet
our needs? (Which I think is unlikely, as I have verified both of these
deficiencies with Sun support -- although they don't consider them
deficiencies 8-/).

Thanks...

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
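As an added illustration of the schema difference the post describes (example code written for this page, not from the post, from Sun or from PADL), the script below parses a few constructed LDIF entries and resolves one user's groups two ways: the RFC 2307 way (posixGroup entries whose memberUid attribute carries the login name) and the rfc2307bis way (groupOfNames entries whose member attribute carries the user's DN). A resolver that only understands memberUid finds none of the groupOfNames groups, which is the failure mode the post reports for the Solaris client. The entry names, DNs and the one level of group nesting are constructed for the example, and DN matching is simplified to a lowercase string compare.

```python
"""Resolve a user's group memberships from RFC 2307 (posixGroup/memberUid)
and rfc2307bis (groupOfNames/member) style directory entries."""
from typing import Dict, List

# Constructed sample data (not from the original post). The same two groups
# are stored twice: once in RFC 2307 style and once in rfc2307bis style, so
# the two resolvers below can be compared on identical membership.
SAMPLE_LDIF = """\
dn: uid=henson,ou=people,dc=example,dc=edu
objectClass: posixAccount
uid: henson
uidNumber: 1001

dn: cn=sysadmins,ou=groups,dc=example,dc=edu
objectClass: posixGroup
cn: sysadmins
gidNumber: 2001
memberUid: henson

dn: cn=staff,ou=groups,dc=example,dc=edu
objectClass: posixGroup
cn: staff
gidNumber: 2002
memberUid: henson
memberUid: alice

dn: cn=bis-sysadmins,ou=groups,dc=example,dc=edu
objectClass: posixGroup
objectClass: groupOfNames
cn: bis-sysadmins
gidNumber: 3001
member: uid=henson,ou=people,dc=example,dc=edu

dn: cn=bis-staff,ou=groups,dc=example,dc=edu
objectClass: posixGroup
objectClass: groupOfNames
cn: bis-staff
gidNumber: 3002
member: cn=bis-sysadmins,ou=groups,dc=example,dc=edu
member: uid=alice,ou=people,dc=example,dc=edu
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines.
    Attribute names are lowercased because LDAP attribute types are
    case-insensitive; values are kept as written."""
    entries: List[Entry] = []
    for block in text.strip().split("\n\n"):
        entry: Entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def _has_class(entry: Entry, name: str) -> bool:
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))


def groups_rfc2307(entries: List[Entry], uid: str) -> List[str]:
    """RFC 2307 lookup: a user belongs to every posixGroup whose memberUid
    values include the login name. groupOfNames groups carry no memberUid,
    so this resolver never sees them."""
    return sorted(e["cn"][0] for e in entries
                  if _has_class(e, "posixGroup") and uid in e.get("memberuid", []))


def groups_rfc2307bis(entries: List[Entry], user_dn: str) -> List[str]:
    """rfc2307bis lookup: a user belongs to every groupOfNames whose member
    values include the user's DN. One nesting step (a group listed as a member
    of another group) is followed; the visited set stops membership cycles.
    DN comparison is a lowercase string compare, an assumed simplification."""
    found = set()
    seen = set()
    pending = [user_dn.lower()]
    while pending:
        dn = pending.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for e in entries:
            members = [m.lower() for m in e.get("member", [])]
            if _has_class(e, "groupOfNames") and dn in members:
                found.add(e["cn"][0])
                pending.append(e["dn"][0].lower())  # follow nested group
    return sorted(found)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    user_dn = "uid=henson,ou=people,dc=example,dc=edu"
    print("memberUid-only resolver:", groups_rfc2307(directory, "henson"))
    print("groupOfNames resolver:  ", groups_rfc2307bis(directory, user_dn))
```

Run stand-alone, the script shows the memberUid-only resolver returning only the two posixGroup entries while the groupOfNames resolver returns the two rfc2307bis groups, including the one reached through nesting; a client that implements only the first lookup reports no membership at all for a directory that stores groups the second way.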


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:42:41 EDT