How to get Solaris to work with 389 Directory Server

Basic Information

This document describes, in great detail, how to get Solaris 8 to work with Fedora Directory Server.

Setting up a Solaris native client has a lot of steps, but I didn’t find it particularly difficult, and I was happy that I didn’t need to mess with building openldap libraries to get things going. Here’s what I did on a solaris 9 box.

For Solaris 10, here is some information about how to set up SSL LDAP clients:

DUAConfigProfile Schema

Both 60nis.ldif and 60rfc4876.ldif are provided with Directory Server.

You can create this ldif on the solaris client itself by running “ldapclient genprofile”. Read the ldapclient man page for details.

Solaris 9 TLS/SSL Client

I’m really not sure if this will help, but here are the full instructions I used to get this working on a clean solaris 9 install (I haven’t given it a shot on solaris 10 yet)

Download the nspr, and nss packages for Solaris 9 here ( and install them.

Get Sun one Resource Kit here: And install it.

Next run this command to setup your certificate database:

# LD_LIBRARY_PATH=/usr/lib:/usr/local/lib ; export LD_LIBRARY_PATH    
# /opt/sunone/lib/nss/bin/certutil -N -d /var/ldap    

You should have generated your server certificate with the fully qualified host and domain name in the cn attribute of the subjectDN in the cert. If not, and you have used some other value (e.g. cn=server-cert), you’ll have to add a hosts entry to /etc/hosts for Ldap server, ** matching the certificate name ** (in my case, server-cert). You’ll get this error, which will let you know the name you need to put in /etc/hosts: (I couldn’t ‘pull’ it from the cert in any way)

Feb 15 13:31:28 unknown sendmail[2061]: libldap: CERT_VerifyCertName: cert server name 'server-cert'    
does not match 'corporate-ds': SSL connection denied    

Get CA cert from directory using these commands:

[root@corporate-ds alias]# pwd    
[root@corporate-ds alias]# ../shared/bin/certutil -L -d . -n "CA certificate" -r > /root/cert.der    

Copy it to the solaris server, and import it with this:

# /opt/sunone/lib/nss/bin/certutil -A -n "CA certificate" -i /export/home/mmont/cert.der -t "CTu,u,u" -d /var/ldap/    

Run this command to set ldap client settings on the machine:

# ldapclient -v manual -a authenticationMethod=tls:simple -a credentialLevel=proxy \    
-a defaultSearchBase="dc=inside,dc=yourdomain,dc=com" \    
-a -a followReferrals=false \    
-a serviceSearchDescriptor="netgroup: ou=netgroup,dc=inside,dc=yourdomain,dc=com" \    
-a preferredServerList= -a serviceAuthenticationMethod=pam_ldap:tls:simple \    
-a proxyPassword=blahblahblah -a proxyDn=cn=proxyagent,ou=profile,dc=inside,dc=yourdomain,dc=com    

Restart ldap.client:

# /etc/init.d/ldap.client stop ; sleep 2 ; /etc/init.d/ldap.client start    

That should do it. Test settings with id, getent, or ldaplist: (You must be root, or sudo to use ldaplist)

# ldaplist -l passwd yournamehere    

(This should list your entry in the ldap dir)

I hope this helps someone, and I’m sure I’ll attempt to get solaris 10 working at some point soon.

Solaris 10 LDAP Client

For this example the server was on on the domain. This is a rough guide, but hopefully it will get cleaned up, people can add more detail (or fix mistakes I made!), and at the very least, it might save someone the month or so I spent doing this (it can take a while to get some answers to some of the questions).

Begin by editing the /usr/lib/ldap/idsconfig script to be compatible with Red Hat Directory Server 7.x

Find the line that says:

if [ "${IDS_MAJVER}" != "5" ]; then    

Change the 5 to 7. Save, exit and run the script:


Follow the session below:

It is strongly recommended that you BACKUP the directory server before running idsconfig.    
Hit Ctrl-C at any time before the final confirmation to exit.    
Do you wish to continue with server setup (y/n/h)? [n] Y    
Enter the directory server's hostname to setup: ldapHost01    
Enter the Directory Server's port number (h=help): [389]    
Enter the directory manager DN: [cn=Directory Manager]    
Enter passwd for cn=Directory Manager : adminpass    
Enter the domainname to be served (h=help):    
Enter LDAP Base DN (h=help): [dc=example,dc=com]     <enter>
Enter the profile name (h=help): [default]     <enter>
Default server list (h=help): []     <enter>
Preferred server list (h=help):    
Choose desired search scope (one, sub, h=help):  [one] sub    
The following are the supported credential levels:    
  1  anonymous    
  2  proxy    
  3  proxy anonymous    
Choose Credential level [h=help]: [1] 2    
The following are the supported Authentication Methods:    
  1  none    
  2  simple    
  3  sasl/DIGEST-MD5    
  4  tls:simple    
  5  tls:sasl/DIGEST-MD5    
Choose Authentication Method (h=help): [1] 4    
Do you want to add another Authentication Method? <enter>
Do you want the clients to follow referrals (y/n/h)? [n] <enter>
Do you want to modify the server timelimit value (y/n/h)? [n] <enter>
Do you want to modify the server sizelimit value (y/n/h)? [n] <enter>
Do you want to store passwords in "crypt" format (y/n/h)? [n] <enter>
Do you want to setup a Service Authentication Methods (y/n/h)? [n] <enter>
Client search time limit in seconds (h=help): [30] <enter>
Profile Time To Live in seconds (h=help): [43200] <enter>
Bind time limit in seconds (h=help): [10] <enter>
Do you wish to setup Service Search Descriptors (y/n/h)? [n] <enter>
Enter config value to change: (1-19 0=commit changes) [0] <enter>
Enter DN for proxy agent:[cn=proxyagent,ou=profile,dc=example,dc=com] <enter>
Enter passwd for proxyagent: proxy
Re-enter passwd: proxy
WARNING: About to start committing changes. (y=continue, n=EXIT) y

A few quick notes:

  1. I have heard (I’m not sure about this), that not storing passwords in the crypt format is more secure because then the passwords are only in the SSH format
  2. The default location for users on the ldap server is in ou=people. If the users are in several locations, such as both in the ou=people level, and at the base level, then you should use sub. If not, you can use one (this will also go for the ldif file that’s made later).

Copy the certificates onto the Solaris computer:

 ssh ldapHost01 -l root    
 scp /etc/openldap/cacerts/cacert.pem clientHostName:/tmp/    

Load the certificates needed for SSH:

 cd /usr/sfw/bin    
 mkdir /var/ldap/    
 certutil -N -d /var/ldap    
 chmod 444 /var/ldap/*    
 certutil -A -n "Server-cert" -i /tmp/cacert.pem -t CT -d /var/ldap/    

Verify the certificates loaded by doing a search, note that solaris only accepts port 636 and 389, the default ports.

 ldapsearch -v -h -p 636 -Z -P /var/ldap/cert8.db -b dc=example,dc=com -s base objectclass=* nisDomain    

This should output:

 version: 1    
 dn: dc=example,dc=com    

Add profile and proxy users if necessary

Search to see if the users are there:

 ldapsearch -h ldapHost01 -D "cn=directory manager" -w ldapadmin -b ou=profile,dc=example,dc=com objectclass=*    

The output should include:

 dn: cn=proxyagent,ou=profile,dc=example,dc=com    
 dn: cn=default,ou=profile,dc=example,dc=com    

If the users do not exist:

 cd /var/ldap/    
 vi SolarisProfile.ldif    

Modify the file so it matches the contents below:


 dn: cn=proxyagent,ou=profile,dc=example,dc=com    
 objectclass: top    
 objectclass: person    
 cn: proxyagent    
 sn: proxyagent    
 userpassword: proxy    
 dn: cn=default,ou=profile,dc=example,dc=com    
 objectclass: top    
 objectclass: DUAConfigProfile    
 profileTTL: 43200    
 bindTimeLimit: 10    
 credentialLevel: proxy    
 searchTimeLimit: 30    
 defaultSearchScope: sub    
 defaultSearchBase: dc=example,dc=com    
 cn: default    
 serviceSearchDescriptor: passwd:dc=example,dc=com?sub    
 serviceSearchDescriptor: shadow:dc=example,dc=com?sub    
 serviceSearchDescriptor: group:dc=example,dc=com?sub    
 serviceSearchDescriptor: netgroup:dc=example,dc=com?sub    
 authenticationMethod: tls:simple    


Save the file by typing in the vi command :wq

 ldapmodify -h -D "cn=Directory Manager" -w ldapadmin -a -c -f /var/ldap/SolarisProfile.ldif    

Run the ldapclient command

 ldapclient -v init -a profileName=default -a -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com -a proxyPassword=proxy    

NOTE: If the ldapmodify command was use to add the proxyagent and default profile. When I tried it the day I did it, it did not work. The next day I tried it and the changes finally took effect. I guess it may take the server may several hours until allowing the users to be visible using getent passwd or id .

Configure Solaris to use the ldap users

Go here:

And use this as the pam.conf file.

Update nsswitch.conf and add the ldap entry (either before or after files) for passwd, shadow, group and netgroup.

Final Notes

When I was playing around with users, I noticed that I needed to have both the posixAccount variable set, the shadowAccount variable set and the gecos variable set, for each user.

Error in SSL connection: “libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can’t contact LDAP server”

I got this error on a Solaris 10 client when trying to configure a SSL/tls:simple connection to the FDS. Meanwhile, in the access log on the FDS, I saw this error: “conn=497 op=-1 fd=66 closed - SSL peer cannot verify your certificate”. This was after importing the CA certificate (using certutil as described above) used to sign the FDS’ self-signed certificate.

In the end, the problem was an address mismatch:

Thus, the Solaris 10 machine connected via SSL, but refused to deal with the FDS because it expected a CN in the certificate of “” instead of “”. This was especially confusing because ldapsearch worked over SSL, and the reason for refusing to continue was not logged anywhere; all I saw was the “simple bind failed” error.

Changing the defaultServerList entry to match what was in the CN (ie, changing it to “”), then re-running ldapclient init, made things work flawlessly.

Another, simpler method for Solaris 10 prompted by the above error

This method worked for me on Solaris 10/08 (latest version as of November 2008); note that I did not have to run idsconfig as described above.

Note that the defaultServerList must match the CN in your server’s certificate!

This file will be copied over to nsswitch.conf by ldapclient; by default, it has ldap in front of just about everything. I found it simplest to simply copy nsswitch.dns to nsswitch.ldap, and make sure the passwd and group lines were changed like so:

 passwd:     files ldap    
 group:      files ldap    
Last modified on 1 February 2016