SUMMARY: LDAP & NIS on Solaris 10

From: Rob McMahon <Rob.McMahon_at_warwick.ac.uk>
Date: Wed Jun 24 2009 - 06:52:57 EDT
Thanks for some really good answers, I'm up and running.  The original 
problem:

On 19/06/2009 15:04, Rob McMahon wrote:
> I have a need to set up some servers to authenticate against Novell's
> eDirectory via LDAP....
> The problem is `ldapclient', which seems to be the only
> approved way of setting this up, likes to change everything to be LDAP.
> I really want most services to still use NIS so that I don't have to
> persuade people to extend schemas, migrate all my data into eDir, and
> change all my administration procedures ...  All I really want is
> authentication to go via LDAP, although I have the rest of the POSIX
> passwd attributes in eDir for the use of a bunch of Linux clients.
>
> The documents say
>
> "A NIS client and a Native LDAP client cannot co-exist on the same
> client machine."
>
> What ??  Why ?
>    
Peter Winterflood recommends using kerberos rather than LDAP for 
authentication, but it's not really an option here.  He also warned me 
that NIS is going away in Solaris 10+.  Is this true ?  I haven't seen 
any warnings.

Alper Suner sent me the link 
http://www.rodrickbrown.com/docs/Beginners_Guide_to_SunONE_DS.pdf, which 
looks pretty comprehensive, but is really for people using Sun's 
Directory Server and moving en masse to LDAP, which I'm not quite yet.

Brian Miller pointed out that Novell have a product which can make the 
eDirectory effectively a slave NIS server, though I don't really want to 
add all the data to eDirectory just yet.  Maybe soon.  He also pointed 
me at www.padl.com for an LDAP client that works.  Indeed that looks 
like a good option for people who can't get the native client to work, 
or just want to be consistent across platforms.

Milan Jurik gave me the comfort that, despite the documents, it should 
be doable on Solaris 10+, and Ryan Anderson said it should work if the 
NIS and LDAP domains are the same.  To be honest, I haven't actually 
worked out what the LDAP "domain" is used for ...  He also suggested PADL.

Thanks to Peter van Gemert too for his input.

Andrew Laden sent me a really good cookbook, and between that and the 
hints from the above, I got there.  I won't post it here without his 
permission, he might want to put it on the web somewhere.

Basically

Get the eDirectory CA certificate, which you can get using
openssl s_client -showcerts -connect /server/:636
and grabbing the last certificate, as a .pem file.  Convert to a .der file:
openssl x509 -in serverca.pem -out serverca.der -outform der
Teach Solaris about it:
/usr/sfw/bin/certutil -N -d /etc/ssl
/usr/sfw/bin/certutil -A -n ServerCA -t C,C,C -i serverca.der -d /etc/ssl
Test with
ldapsearch -b /base/ -P /etc/ssl -D /proxydn/ -h /server/ cn=/user/ uid uidNumber
The hostnames on the command line and returned by the server must match!

Take a copy of nsswitch.ldap, and copy nsswitch.conf to nsswitch.ldap. 
ldapclient will trash your nsswitch.conf and change everything to use ldap.
Run
ldapclient -v manual -a certificatePath=/etc/ssl -a authenticationMethod=tls:simple \
     -a credentialLevel=proxy -a proxyDN=... -a proxyPassword=... \
     -a defaultServerList="..." -a preferredServerList="..." \
     -a defaultSearchBase=/base/ -a defaultSearchScope=sub
svcadm restart nis/client
ldapclient helpfully stops nis/client.  You won't be needing that after 
all, will you ...
When searching the directory, it appears to helpfully prepend ou=people 
to the default search base, so
ldapclient mod -a serviceSearchDescriptor=passwd:/base/ -a serviceSearchDescriptor=shadow:/base/
svcadm restart nis/client
We don't set the gecos attribute in our directory, we have fullName, so
ldapclient mod -a attributeMap=passwd:gecos=fullName
svcadm restart nis/client
The Solaris client, unlike PADL, wants users to have objectClass 
shadowAccount in addition to posixAccount, but the attributes don't 
really matter if you can do without the password aging, which apparently 
only works with Sun's directory anyway, so:
ldapclient mod -a objectclassMap=passwd:shadowAccount=posixAccount -a objectclassMap=shadow:shadowAccount=posixAccount
svcadm restart nis/client
Test with
ldaplist passwd /user/
Once again, the hostnames must match.  We have a load sharer in front of 
the authentication servers, and adding that didn't work, I had to add 
the list of servers explicitly.
If it doesn't work, and you're on a reasonably secure bit of the 
network, change -a authenticationMethod=simple, so you can see the LDAP 
traffic, dig out snoop and ethereal, and have fun.  Don't forget to 
change it back, this will reveal the proxy user's password.  In the 
next section, if you want to run like this, but hide "real" passwords, 
you can add -a serviceAuthenticationMethod=pam_ldap:tls:simple, to 
override the default.

Change /etc/pam.conf so that all the pam_unix_auth lines are made 
binding instead of required, and add the server_policy option, and add 
the pam_ldap lines after.  This is documented in pam_ldap(5).

That's it.  Freely mix ldap and nis in nsswitch.conf!  Yeh.

The only thing I've found that doesn't work is the combination of

passwd: compat ldap

with the name service switch running.  It works fine if you stop it.  It 
may seem a perverse thing to do, but was handy for testing by using NIS 
normally, but excluding test users with `/-user/' in the password file, 
forcing just that user to use LDAP.  I just wish there was a less brutal 
command than ldapclient to configure this.

Thanks again to all.

Rob

-- 
E-Mail:	Rob.McMahon@warwick.ac.uk		PHONE:  +44 24 7652 3037
Rob McMahon, IT Services, Warwick University, Coventry, CV4 7AL, England
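Two of the hand-done steps in the cookbook above are easy to get wrong in a hurry: picking the last certificate out of the `openssl s_client -showcerts` output (the leaf comes first, and importing that instead of the CA gives you a client that only trusts one server), and the pam.conf edit from pam_ldap(5). The POSIX shell script below is an added example, not part of Rob's post and not Sun's or Novell's code. It works on constructed sample data embedded in the script (the "certificates" are placeholder text, not real PEM, and the pam.conf lines are a made-up auth stack shaped like the one in pam_ldap(5)); on a real box you would feed it the output of the openssl command and a copy of /etc/pam.conf instead, and review the result before installing it.

```shell
#!/bin/sh
# Added example helpers for the LDAP/NIS cookbook (not from the original
# post). All input data below is constructed for demonstration.

# Emit only the last PEM block from a certificate chain read on stdin.
# With "openssl s_client -showcerts" the server sends its own cert first
# and the CA(s) after it, so the last block is the one to import with
# certutil -A as the trust anchor.
last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inblock = 1 }
        inblock                       { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { inblock = 0; last = buf }
        END                           { printf "%s", last }
    '
}

# Rewrite Solaris pam.conf auth lines (fields: service type flag module)
# the way pam_ldap(5) describes: every "required pam_unix_auth.so.1"
# becomes "binding pam_unix_auth.so.1 server_policy", immediately
# followed by a "required pam_ldap.so.1" line for the same service.
# Anything else, including comments and lines already converted, is
# passed through unchanged.
pam_add_ldap() {
    awk '
        $2 == "auth" && $3 == "required" && $4 == "pam_unix_auth.so.1" {
            printf "%s\tauth binding\t\t%s server_policy\n", $1, $4
            printf "%s\tauth required\t\tpam_ldap.so.1\n", $1
            next
        }
        { print }
    '
}

# Constructed stand-in for "openssl s_client -showcerts" output.
# The base64 bodies are placeholders, not certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
Certificate chain
 0 s:/CN=ldap.example.invalid
   i:/CN=Example Tree CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 1 s:/CN=Example Tree CA
   i:/CN=Example Tree CA
-----BEGIN CERTIFICATE-----
CACERT-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ldap.example.invalid
issuer=/CN=Example Tree CA'

# Constructed pam.conf fragment: two services with a stock UNIX auth stack.
SAMPLE_PAM='# constructed sample, not a real /etc/pam.conf
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1'

# Demo run on the sample data; on a real host pipe the openssl output and
# /etc/pam.conf through these functions instead.
echo '--- CA certificate to import (last block of the chain) ---'
printf '%s\n' "$SAMPLE_CHAIN" | last_cert
echo '--- pam.conf auth lines with pam_ldap added ---'
printf '%s\n' "$SAMPLE_PAM" | pam_add_ldap
```

Save the last_cert output as serverca.pem and continue with the openssl x509 / certutil steps above; the pam_add_ldap output only covers the auth lines, so account/password entries for pam_ldap still follow the man page.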
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Wed Jun 24 06:54:18 2009