SUMMARY (update-2): Solaris-9 acting as LDAP-client from Win-2003 AD

rob.de.langhe at belgacom.be rob.de.langhe at belgacom.be
Wed Jun 15 12:51:07 EDT 2005


Still forgot one final thing to mention:

our AD-administrators loaded the schema-extensions into their AD to make
it RFC2307 compliant. Otherwise queries for attributes like
"homeDirectory" or "loginShell" would get no results. And that's exactly
what your UNIX client will be asking for when you login with an account
defined in AD.

Rob

-----Original Message-----
From: DE LANGHE Rob (ITD/OSD)
Sent: 15 June 2005 12:41
To: sunmanagers at sunmanagers.org
Subject: SUMMARY (update): Solaris-9 acting as LDAP-client from Win-2003 AD

To get rid of the error messages from "ldap_cachemgr" complaining that
it cannot refresh from a profile, install patch 112960-30.

case closed.

-----Original Message-----
From: sunmanagers-bounces at sunmanagers.org
[mailto:sunmanagers-bounces at sunmanagers.org] On Behalf Of
rob.de.langhe at belgacom.be
Sent: 15 June 2005 09:59
To: sunmanagers at sunmanagers.org
Subject: SUMMARY: Solaris-9 acting as LDAP-client from Win-2003 AD

Found it myself:

1) since the Active-Directory doesn't have the right definition for the
ObjectClass "DUAConfigProfile", I could not use it to store
configuration profiles as typically done with an iPlanet directory
server.
Instead I ran "ldapclient manual ..." with all the attributes listed on
the command line to generate the files "/var/ldap/ldap_client_file" and
"/var/ldap/ldap_client_cred".

The resulting file "ldap_client_file" contains:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 45.34.54.69
NS_LDAP_SEARCH_BASEDN= dc=r2-bgc,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=unix,dc=r2-bgc,dc=net
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user

Warning: the "ldapclient" command reworks your nsswitch.conf file,
(re-)launches sendmail and (re-)launches the automounter. So, edit
nsswitch.conf so that it contains

passwd:     files ldap
group:      files ldap
hosts:      files dns
(the rest points to "files" only)

and stop auto-mounter (if you don't need it)

The "ldap_cachemgr" will be started, and will complain about the missing
profile in the LDAP server:

Jun 15 09:14:13 ecarsf ldap_cachemgr[2393]: [ID 722288 daemon.error]
Error: Unable to refresh from profile:__default_config. (error=2)

(I have SUN now searching on how to avoid that)

Finally, tweak /etc/pam.conf to have it as follows (mind you that we
also integrated with Kerberos-authentication from the Windows-based
KDC):

other   auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_krb5.so.1 use_first_pass
passwd  auth required           pam_passwd_auth.so.1
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

And off you go!!

Rob
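
An added check, not part of Rob's posts: a small POSIX sh audit of the ldap_client_file and ldap_client_cred files that "ldapclient manual" writes. The profile above binds with NS_LDAP_AUTH=simple at credential level proxy, so the proxy password stored in ldap_client_cred crosses the network unencrypted unless the tls: variant of the method is used, and the cred file itself must stay readable by root only; the sample profile is constructed and its server address is a placeholder.

```shell
#!/bin/sh
# Audit a Solaris ldap_client_file (and optionally ldap_client_cred) for
# two exposures: a simple bind that carries the proxy password in clear,
# and a credential file readable by group or other. Added example; the
# sample below is constructed, not taken from the thread.

# Value of one NS_LDAP_* key (ldapclient writes "KEY= value").
ldap_cfg_get() {
    sed -n "s/^$2=[[:space:]]*//p" "$1" | head -n 1
}

# Print one FINDING line per problem; exit status is the finding count.
audit_ldap_client() {
    cfg=$1; cred=$2; n=0
    auth=$(ldap_cfg_get "$cfg" NS_LDAP_AUTH)
    level=$(ldap_cfg_get "$cfg" NS_LDAP_CREDENTIAL_LEVEL)
    case "$auth" in
        tls:*) ;;                      # bind is wrapped in TLS
        simple)
            echo "FINDING: NS_LDAP_AUTH=simple sends the $level bind password in clear; use tls:simple"
            n=$((n + 1)) ;;
        none|"")
            echo "FINDING: NS_LDAP_AUTH=${auth:-unset}: anonymous bind, no client authentication to the directory"
            n=$((n + 1)) ;;
    esac
    # ldap_client_cred holds the proxy DN and password: root-only, please.
    if [ "$level" = proxy ] && [ -n "$cred" ] && [ -e "$cred" ]; then
        mode=$(ls -ld "$cred" | cut -c5-10)    # group+other permission bits
        case "$mode" in
            ------) ;;
            *) echo "FINDING: $cred is readable by group/other (bits '$mode'); chmod 600 it"
               n=$((n + 1)) ;;
        esac
    fi
    return "$n"
}

# Constructed sample mirroring the profile in the summary (placeholder server).
sample=$(mktemp); credf=$(mktemp)
cat > "$sample" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.0.2.10
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SEARCH_BASEDN= dc=example,dc=net
EOF
chmod 644 "$credf"
audit_ldap_client "$sample" "$credf" || echo "findings: $?"
rm -f "$sample" "$credf"
```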

________________________________

From: DE LANGHE Rob (ITD/OSD)
Sent: 14 June 2005 15:34
To: sunmanagers at sunmanagers.org
Subject: Solaris-9 acting as LDAP-client from Win-2003 AD


Next step in our UNIX/Windows integration efforts for user accounts:
having the Solaris-9 server find out user attributes correctly via LDAP
from a Windows-2003 SP3 based Active Directory:

The use of a proxy-account works fine to bind itself with the AD-server
for querying about a user.

However, the LDAP-query which is sent by the SUN to the AD when I do,
for example, the command

id testaccount

or

finger testaccount

contains stuff like

SolarisUserAttr SolarisUserQualifier SolarisAttrReserved1
SolarisAttrReserved2 SolarisAttrKeyValue

which, of course, is happily rejected by the AD as unknown thingies.

Any ideas?

Rob


**** DISCLAIMER ****
http://www.belgacom.be/maildisclaimer
_______________________________________________
sunmanagers mailing list
sunmanagers at sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

