SUMMARY: Solaris-9 acting as LDAP-client from Win-2003 AD

From: <rob.de.langhe_at_belgacom.be>
Date: Wed Jun 15 2005 - 03:59:29 EDT
Found it myself:

1) since the Active-Directory doesn't have the right definition for the
ObjectClass "DUAConfigProfile", I could not use it to store
configuration profiles as typically done with an iPlanet directory
server.
Instead I ran "ldapclient manual ..." with all the attributes listed on
the command line to generate files "/var/ldap/ldap_client_file" and
"/var/ldap/ldap_client_cred"

The resulting file "ldap_client_file" contains :

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 45.34.54.69
NS_LDAP_SEARCH_BASEDN= dc=r2-bgc,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=unix,dc=r2-bgc,dc=net
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user

Warning: the "ldapclient" command reworks your nsswitch.conf file,
(re-)launches sendmail and (re-)launches automounter. So, edit
nsswitch.conf so that it contains

passwd:     files ldap
group:      files ldap
hosts:      files dns
(the rest points to "files" only)

and stop auto-mounter (if you don't need it)

The "ldap_cachemgr" will be started, and will complain about the missing
profile in the LDAP server:

Jun 15 09:14:13 ecarsf ldap_cachemgr[2393]: [ID 722288 daemon.error]
Error: Unable to refresh from profile:__default_config. (error=2)

(I have SUN now searching on how to avoid that)

Finally, tweak /etc/pam.conf to have it as follows (mind you that we
also integrated with Kerberos authentication from the Windows-based KDC):

other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_krb5.so.1 use_first_pass
passwd  auth required           pam_passwd_auth.so.1
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

And off you go !!

Rob
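The "other auth" stack from the pam.conf above, run through a small evaluator of the Solaris PAM control flags (requisite / required / sufficient). This is an added example and not code from the original post: the local password table and the KDC principal table are constructed stand-ins for /etc/shadow and the Windows KDC, and only pam_authtok_get, pam_unix_auth and pam_krb5 are modelled.

```python
"""
Added example: evaluate a Solaris-style pam.conf "auth" stack.
Not code from the original post; backends are simulated with constructed data.
"""
from typing import Callable, Dict, List, Tuple

# The auth lines from the posted /etc/pam.conf, copied verbatim.
PAM_CONF = """\
other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_krb5.so.1 use_first_pass
passwd  auth required           pam_passwd_auth.so.1
"""

Entry = Tuple[str, str, str, str, List[str]]  # service, type, control, module, options


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse 'service type control module [options]' lines; '#' starts a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module, *options = fields
        entries.append((service, mtype, control.lower(), module, options))
    return entries


def stack_for(entries: List[Entry], service: str, mtype: str) -> List[Entry]:
    """Solaris pam.conf: a service's own stack wins; otherwise fall back to 'other'."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]


def run_stack(stack: List[Entry],
              module_ok: Callable[[str, List[str]], bool]) -> Tuple[bool, List[str]]:
    """Classic PAM control-flag semantics:
         requisite  - failure ends the stack with failure at once
         required   - failure is remembered, later modules still run
         sufficient - success (with no earlier required failure) ends the stack
                      with success; failure is ignored
         optional   - result ignored here (never decisive in these stacks)
    Returns (authenticated, trace of module outcomes)."""
    required_failed = False
    required_passed = False
    trace: List[str] = []
    for _svc, _type, control, module, options in stack:
        ok = module_ok(module, options)
        trace.append(f"{module} [{control}] -> {'ok' if ok else 'fail'}")
        if control == "requisite":
            if not ok:
                return False, trace
            required_passed = True
        elif control == "required":
            if ok:
                required_passed = True
            else:
                required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True, trace
    return (required_passed and not required_failed), trace


# Constructed backends standing in for /etc/shadow and the Windows KDC (hypothetical data).
LOCAL_PASSWORDS: Dict[str, str] = {"root": "local-secret"}
KDC_PRINCIPALS: Dict[str, str] = {"testaccount": "ad-secret"}


def authenticate(user: str, password: str, kdc_up: bool = True,
                 service: str = "login") -> Tuple[bool, List[str]]:
    """Run the 'auth' stack for `service` against the simulated backends."""
    def module_ok(module: str, options: List[str]) -> bool:
        if module.startswith("pam_authtok_get"):
            return True  # only collects the password
        if module.startswith("pam_unix_auth"):
            return LOCAL_PASSWORDS.get(user) == password  # AD-only users have no local hash
        if module.startswith("pam_krb5"):
            # use_first_pass: reuse the password pam_authtok_get collected
            return kdc_up and "use_first_pass" in options and KDC_PRINCIPALS.get(user) == password
        return False  # any module not modelled here counts as a failure

    entries = parse_pam_conf(PAM_CONF)
    return run_stack(stack_for(entries, service, "auth"), module_ok)


if __name__ == "__main__":
    for args in (("root", "local-secret"), ("testaccount", "ad-secret"),
                 ("testaccount", "ad-secret", False), ("testaccount", "wrong")):
        ok, trace = authenticate(*args)
        print(args[:2], "kdc_up=%s" % (args[2] if len(args) > 2 else True), "->", ok, trace)
```

What the trace makes visible: an account with a local /etc/shadow entry is decided by pam_unix_auth (sufficient) and never reaches pam_krb5; an AD-only account has no local hash, so pam_unix_auth fails quietly and pam_krb5 (required, use_first_pass) decides, which means that account cannot log in while the KDC is unreachable. Note that in the posted file pam_ldap appears only in the account stack, so LDAP supplies user attributes and account checks here, not the password check.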

________________________________

From: DE LANGHE Rob (ITD/OSD)
Sent: 14 June 2005 15:34
To: sunmanagers@sunmanagers.org
Subject: Solaris-9 acting as LDAP-client from Win-2003 AD


Next step in our UNIX/Windows integration efforts for user accounts:
having the Solaris-9 server correctly find out user attributes via LDAP
from a Windows-2003 SP3 based Active Directory:

the use of a proxy-account works fine to bind itself with the AD-server
for querying about a user.

However, the LDAP-query which is sent by the SUN to the AD when I do,
for example, the command

id testaccount

or

finger testaccount

contains stuff like

SolarisUserAttr SolarisUserQualifier SolarisAttrReserved1
SolarisAttrReserved2 SolarisAttrKeyValue

which -of course- is happily rejected by the AD as unknown thingies.

Any ideas ?

Rob


Received on Wed Jun 15 05:45:17 2005

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:48 EST