This document describes, in great detail, how to get Solaris 8 to work with Fedora Directory Server.
Setting up a Solaris native client has a lot of steps, but I didn’t find it particularly difficult, and I was happy that I didn’t need to mess with building openldap libraries to get things going. Here’s what I did on a Solaris 9 box.
For Solaris 10, here is some information about how to set up SSL LDAP clients: http://forum.sun.com/jive/thread.jspa?forumID=13&threadID=101250
Both 60nis.ldif and 60rfc4876.ldif are provided with Directory Server.
Create a profile entry for your Solaris client. I created a new OU called “profile”, and here’s the (sanitized) ldif for my test machine (which works):
dn: cn=shades, ou=profile,dc=my,dc=domain,dc=com
credentialLevel: proxy
serviceAuthenticationMethod: pam_ldap:tls:simple
defaultServerList: ldap.my.domain.com ldap2.my.domain.com
authenticationMethod: tls:simple
defaultSearchBase: dc=my,dc=domain,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: shades
serviceSearchDescriptor: passwd:ou=People,dc=my,dc=domain,dc=com?sub
serviceSearchDescriptor: shadow:ou=People,dc=my,dc=domain,dc=com?sub
serviceSearchDescriptor: user_attr:ou=People,dc=my,dc=domain,dc=com?sub
serviceSearchDescriptor: audit_user:ou=People,dc=my,dc=domain,dc=com?sub
serviceSearchDescriptor: group:ou=Group,dc=my,dc=domain,dc=com?sub
You can create this ldif on the Solaris client itself by running “ldapclient genprofile”. Read the ldapclient man page for details.
Now it’s time to run “ldapclient init”, feeding it the arguments it’ll need to find the server, bind to it (if you’re using proxy authentication), and find the profile. Here’s the command I used, based on an assumption that the preceding process outlined in this document was followed:
ldapclient -v init -a profileName=shades -a proxyDN=uid=sun,ou=profile,dc=my,dc=domain,dc=com \
-a proxyPassword=secret myserver
I’m really not sure if this will help, but here are the full instructions I used to get this working on a clean Solaris 9 install (I haven’t given it a shot on Solaris 10 yet).
Download the nspr and nss packages for Solaris 9 here (http://sourceforge.net/project/showfiles.php?group_id=19386) and install them.
Get the Sun ONE Resource Kit here: http://www.sun.com/download/products.xml?id=3f74a0db and install it.
Next, run these commands to set up your certificate database:
# LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH
# /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap
You should have generated your server certificate with the fully qualified host and domain name in the cn attribute of the subjectDN in the cert. If not, and you have used some other value (e.g. cn=server-cert), you’ll have to add an entry to /etc/hosts for the LDAP server **matching the certificate name** (in my case, server-cert). You’ll get this error, which will tell you the name you need to put in /etc/hosts (I couldn’t ‘pull’ it from the cert in any way):
Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: cert server name 'server-cert'
does not match 'corporate-ds': SSL connection denied
Get the CA cert from the directory server using these commands:
[root@corporate-ds alias]# pwd
/opt/fedora-ds/alias
[root@corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der
Copy it to the Solaris machine, and import it with this:
# /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/
Run this command to set the LDAP client settings on the machine:
# ldapclient -v manual -a authenticationMethod=tls:simple -a credentialLevel=proxy \
-a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \
-a domainName=yourdomain.com -a followReferrals=false \
-a serviceSearchDescriptor="netgroup: ou=netgroup,dc=inside,dc=yourdomain,dc=com" \
-a preferredServerList=10.5.1.18 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a proxyPassword=blahblahblah -a proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com
Restart ldap.client:
# /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start
That should do it. Test the settings with id, getent, or ldaplist (you must be root, or use sudo, to run ldaplist):
# ldaplist -l passwd yournamehere
(This should list your entry in the ldap dir)
I hope this helps someone, and I’m sure I’ll attempt to get Solaris 10 working at some point soon.
For this example the server was ldapHost01.example.com in the example.com domain. This is a rough guide, but hopefully it will get cleaned up, people can add more detail (or fix mistakes I made!), and at the very least, it might save someone the month or so I spent doing this (it can take a while to get some answers to some of the questions).
Begin by editing the /usr/lib/ldap/idsconfig script to be compatible with Red Hat Directory Server 7.x.
Find the line that says:
if [ "${IDS_MAJVER}" != "5" ]; then
Change the 5 to 7. Save, exit and run the script:
/usr/lib/ldap/idsconfig
Follow the session below:
It is strongly recommended that you BACKUP the directory server before running idsconfig.
Hit Ctrl-C at any time before the final confirmation to exit.
Do you wish to continue with server setup (y/n/h)? [n] Y
Enter the directory server's hostname to setup: ldapHost01
Enter the Directory Server's port number (h=help): [389]
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager : adminpass
Enter the domainname to be served (h=help): example.com
Enter LDAP Base DN (h=help): [dc=example,dc=com] <enter>
Enter the profile name (h=help): [default] <enter>
Default server list (h=help): [192.168.10.61] <enter>
Preferred server list (h=help):
Choose desired search scope (one, sub, h=help): [one] sub
The following are the supported credential levels:
1 anonymous
2 proxy
3 proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
1 none
2 simple
3 sasl/DIGEST-MD5
4 tls:simple
5 tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 4
Do you want to add another Authentication Method? <enter>
Do you want the clients to follow referrals (y/n/h)? [n] <enter>
Do you want to modify the server timelimit value (y/n/h)? [n] <enter>
Do you want to modify the server sizelimit value (y/n/h)? [n] <enter>
Do you want to store passwords in "crypt" format (y/n/h)? [n] <enter>
Do you want to setup a Service Authentication Methods (y/n/h)? [n] <enter>
Client search time limit in seconds (h=help): [30] <enter>
Profile Time To Live in seconds (h=help): [43200] <enter>
Bind time limit in seconds (h=help): [10] <enter>
Do you wish to setup Service Search Descriptors (y/n/h)? [n] <enter>
Enter config value to change: (1-19 0=commit changes) [0] <enter>
Enter DN for proxy agent:[cn=proxyagent,ou=profile,dc=example,dc=com] <enter>
Enter passwd for proxyagent: proxy
Re-enter passwd: proxy
WARNING: About to start committing changes. (y=continue, n=EXIT) y
A few quick notes:
Copy the certificates onto the Solaris computer:
ssh ldapHost01 -l root
scp /etc/openldap/cacerts/cacert.pem clientHostName:/tmp/
Load the certificates needed for SSL:
cd /usr/sfw/bin
mkdir /var/ldap/
certutil -N -d /var/ldap
chmod 444 /var/ldap/*
certutil -A -n "Server-cert" -i /tmp/cacert.pem -t CT -d /var/ldap/
Verify that the certificates loaded by doing a search. Note that Solaris only accepts the default ports, 389 and 636.
ldapsearch -v -h ldapHost01.example.com -p 636 -Z -P /var/ldap/cert8.db -b dc=example,dc=com -s base objectclass=* nisDomain
This should output:
version: 1
dn: dc=example,dc=com
nisDomain: example.com
Add the profile and proxy users if necessary.
Search to see if the users are there:
ldapsearch -h ldapHost01 -D "cn=directory manager" -w ldapadmin -b ou=profile,dc=example,dc=com objectclass=*
The output should include:
dn: cn=proxyagent,ou=profile,dc=example,dc=com
dn: cn=default,ou=profile,dc=example,dc=com
If the users do not exist:
cd /var/ldap/
vi SolarisProfile.ldif
Modify the file so it matches the contents below:
SolarisProfile.ldif:
dn: cn=proxyagent,ou=profile,dc=example,dc=com
objectclass: top
objectclass: person
cn: proxyagent
sn: proxyagent
userpassword: proxy
dn: cn=default,ou=profile,dc=example,dc=com
objectclass: top
objectclass: DUAConfigProfile
profileTTL: 43200
bindTimeLimit: 10
credentialLevel: proxy
searchTimeLimit: 30
defaultSearchScope: sub
defaultSearchBase: dc=example,dc=com
cn: default
serviceSearchDescriptor: passwd:dc=example,dc=com?sub
serviceSearchDescriptor: shadow:dc=example,dc=com?sub
serviceSearchDescriptor: group:dc=example,dc=com?sub
serviceSearchDescriptor: netgroup:dc=example,dc=com?sub
authenticationMethod: tls:simple
defaultServerList: 192.168.10.61
READ THE NOTES ABOUT THE IDSCONFIG SCRIPT. SOME VALUES MAY CHANGE
Save the file by typing in the vi command :wq
ldapmodify -h 192.168.10.61 -D "cn=Directory Manager" -w ldapadmin -a -c -f /var/ldap/SolarisProfile.ldif
Run the ldapclient command:
ldapclient -v init -a profileName=default -a domainname=example.com -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com -a proxyPassword=proxy 192.168.10.61
NOTE: If the ldapmodify command was used to add the proxyagent and default profile: when I tried it the day I did it, it did not work. The next day I tried it and the changes finally took effect. I guess it may take the server several hours before the users become visible using getent passwd.
Go here: http://docs.sun.com/app/docs/doc/816-4556/6maort2tb?a=view and use this as the pam.conf file.
Update nsswitch.conf and add the ldap entry (either before or after files) for passwd, shadow, group and netgroup.
When I was playing around with users, I noticed that I needed to have the posixAccount, shadowAccount and gecos variables all set for each user.
I got this error on a Solaris 10 client when trying to configure a SSL/tls:simple connection to the FDS. Meanwhile, in the access log on the FDS, I saw this error: “conn=497 op=-1 fd=66 closed - SSL peer cannot verify your certificate”. This was after importing the CA certificate (using certutil as described above) used to sign the FDS’ self-signed certificate.
In the end, the problem was an address mismatch:
Thus, the Solaris 10 machine connected via SSL, but refused to deal with the FDS because it expected a CN in the certificate of “192.168.0.1” instead of “ld-01.example.com”. This was especially confusing because ldapsearch worked over SSL, and the reason for refusing to continue was not logged anywhere; all I saw was the “simple bind failed” error.
Changing the defaultServerList entry to match what was in the CN (i.e., changing it to “ld-01.example.com”), then re-running ldapclient init, made things work flawlessly.
This method worked for me on Solaris 10/08 (latest version as of November 2008); note that I did not have to run idsconfig as described above.
Import the CA certificate on the Solaris client:
mkdir /var/ldap/
chmod 755 /var/ldap
certutil -N -d /var/ldap
chmod 444 /var/ldap/*
certutil -A -n "example.com CA" -i /tmp/cacert.pem -t CT -d /var/ldap/
Verify with ldapsearch:
ldapsearch -v -h ld-01.example.com -p 636 -Z -P /var/ldap/cert8.db -b dc=example,dc=com -s sub objectclass=*
Add DUAConfigProfile schema as described above.
Add cn=proxyagent to your FDS:
dn: cn=proxyagent,ou=profile,dc=example,dc=com
objectclass: top
objectclass: person
cn: proxyagent
sn: proxyagent
userpassword: proxy
Add the default profile to your FDS:
dn: cn=default,ou=profile,dc=example,dc=com
objectclass: top
objectclass: DUAConfigProfile
profileTTL: 43200
bindTimeLimit: 10
credentialLevel: proxy
searchTimeLimit: 30
defaultSearchScope: sub
defaultSearchBase: dc=example,dc=com
cn: default
serviceSearchDescriptor: passwd:dc=example,dc=com?sub
serviceSearchDescriptor: shadow:dc=example,dc=com?sub
serviceSearchDescriptor: group:dc=example,dc=com?sub
serviceSearchDescriptor: netgroup:dc=example,dc=com?sub
authenticationMethod: tls:simple
defaultServerList: ld-01.example.com
Note that the defaultServerList must match the CN in your server’s certificate!
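The two DUAConfigProfile entries on this page (the first one with its serviceSearchDescriptor values wrapped onto continuation lines) and the CN-mismatch failure above can both be caught before the profile is loaded into the directory. The following checker is an added example, not part of the original page or of Solaris/FDS: it parses an LDIF entry (joining RFC 2849 continuation lines), then flags a server list entry that is an IP literal while tls:simple is in use, a proxy credentialLevel paired with a cleartext simple bind, and serviceSearchDescriptor values that are not in the plain "service:base?scope" form this page uses. The sample profile is constructed.

```python
import re
# Constructed sample in the shape this page uses; one attribute is wrapped
# onto an LDIF continuation line (leading space) to exercise the parser.
SAMPLE_LDIF = """\
dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
credentialLevel: proxy
authenticationMethod: tls:simple
serviceSearchDescriptor: passwd:ou=People,dc=example,dc=com?sub
serviceSearchDescriptor:
 user_attr:ou=People,dc=example,dc=com?sub
defaultServerList: 192.168.10.61 ld-01.example.com
"""

# Plain "service:base?scope" descriptors only, as used throughout this page.
SSD_RE = re.compile(r"^[a-z_]+:\s*[^?]+(\?(base|one|sub))?$")

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lowercased): [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # RFC 2849 continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_profile(entry):
    """Return the problems a Solaris ldapclient would trip over."""
    problems = []
    if "duaconfigprofile" not in [c.lower() for c in entry.get("objectclass", [])]:
        problems.append("missing objectClass DUAConfigProfile")
    methods = entry.get("authenticationmethod", []) + entry.get("serviceauthenticationmethod", [])
    uses_tls = any("tls:" in m for m in methods)
    if entry.get("credentiallevel") == ["proxy"] and any(
            m.endswith("simple") and "tls:" not in m for m in methods):
        problems.append("proxy password would go over a cleartext simple bind")
    for attr in ("defaultserverlist", "preferredserverlist"):
        for host in " ".join(entry.get(attr, [])).split():
            # A dotted-decimal literal (optional :port) can never equal a hostname CN.
            if uses_tls and re.fullmatch(r"[\d.]+(:\d+)?", host):
                problems.append(f"TLS server {host} is an IP, not the certificate CN")
    for ssd in entry.get("servicesearchdescriptor", []):
        if not SSD_RE.match(ssd):
            problems.append(f"malformed serviceSearchDescriptor: {ssd}")
    return problems
```

Run it over the LDIF you are about to feed to ldapmodify; an empty list means the profile passes these checks.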
The /etc/nsswitch.ldap file will be copied over to nsswitch.conf by ldapclient; by default, it has ldap in front of just about everything. I found it simplest to copy nsswitch.dns to nsswitch.ldap and make sure the passwd and group lines were changed like so:
passwd: files ldap
group: files ldap
Run ldapclient:
ldapclient -v init -a domainname=example.com -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com -a proxyPassword=proxy -a certificatePath=/var/ldap ld-01.example.com
Test:
id hugh
uid=30000(hugh) gid=30000