Solaris LDAP client configuration

LDAP DIT
Oracle Solaris has native LDAP support built into the OS, so there is no need to install third-party software to make Solaris use LDAP as its repository for users, groups and other name service data. There are several ways to do this, and I will describe a few of them.

If secure communication is required and we have self-signed certificates, we need to install the CA certificate on each client.
This is done by importing the CA certificate into the local NSS store with certutil (/usr/sfw/bin/certutil on Solaris 10). First create the NSS DB (don't enter a password, just hit return):

certutil -N -d /var/ldap
chmod 444 /var/ldap/*

Download the CA certificate and save it to a temporary location, e.g. /var/tmp/cacert.pem. Then add the CA certificate to the NSS DB:

certutil -A -n "ca-cert" -i /var/tmp/cacert.pem -a -t CT -d /var/ldap

Three files should be created in /var/ldap: cert8.db, key3.db and secmod.db. Now you can test whether it works with ldapsearch:

ldapsearch -v -h ldapsrvp01 -p 636 -Z -P /var/ldap/cert8.db \
 -b "dc=mycompany,dc=com" -s base "objectclass=*"

where ldapsrvp01 is the LDAP server name, which is defined in /etc/hosts or DNS and is also stored as the Common Name in the server's certificate. If these names differ you will receive an error, e.g.:

ldap_search: Can't contact LDAP server.

In that case you need to define the name from the certificate's CN in /etc/hosts, or regenerate the server's certificate (not the CA certificate).

Now we can proceed to LDAP client initialization.
Wait! Not yet, especially if you don't plan to use LDAP as a name resolver. LDAP client initialization replaces the /etc/nsswitch.conf file with /etc/nsswitch.ldap (Solaris 10). This can be dangerous, because in most environments DNS is used as the name resolver, and this setting will be overwritten.
My advice is to make a backup of /etc/nsswitch.ldap and overwrite /etc/nsswitch.ldap with the content of the current /etc/nsswitch.conf:

mv /etc/nsswitch.ldap /etc/nsswitch.ldap.default
cp -p /etc/nsswitch.conf /etc/nsswitch.ldap

then edit /etc/nsswitch.ldap and add 'ldap' to the relevant entries, e.g.:

passwd:     files ldap
group:      files ldap

but leave the other entries as they should be, e.g.:

hosts:      cluster files [SUCCESS=return] dns
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    cluster files dns [TRYAGAIN=0]
networks:   files dns
protocols:  files
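The steps above (back up the vendor nsswitch.ldap, copy the live nsswitch.conf over it, then add ldap only to the databases that should consult LDAP) are easy to get wrong by hand on many hosts. The script below is an added example, not part of the original post or of Solaris itself: it performs exactly that procedure on a source and destination file given as arguments, leaves hosts, ipnodes and every other entry untouched, and is safe to re-run. The list of databases in LDAP_DATABASES (passwd and group), the /usr/xpg4/bin/sh interpreter and the .default backup suffix are assumptions.

```shell
#!/usr/xpg4/bin/sh
# Added example (not from the original post): build nsswitch.ldap from the
# current nsswitch.conf so that only selected databases gain the ldap source.
# Usage as root: prepare_nsswitch_ldap /etc/nsswitch.conf /etc/nsswitch.ldap

# Databases that should consult LDAP after local files (assumption: passwd, group).
LDAP_DATABASES="passwd group"

# nsswitch_has_source FILE DB SOURCE
#   Returns 0 if the "DB:" line in FILE already lists SOURCE as a token.
#   Tabs are folded to spaces so "passwd:<TAB>files ldap" is handled too.
nsswitch_has_source() {
    line=$(grep "^$2:" "$1" | tr '\t' ' ' || true)
    case " $line " in
        *" $3 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# prepare_nsswitch_ldap SRC DST
#   Keeps a one-time backup of an existing DST as DST.default, copies SRC to DST
#   and appends " ldap" to each database in LDAP_DATABASES unless it is already
#   there. All other entries (hosts, ipnodes, networks, ...) are left as in SRC.
prepare_nsswitch_ldap() {
    src=$1
    dst=$2
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    # Preserve the vendor copy once; never overwrite an earlier backup.
    if [ -f "$dst" ] && [ ! -f "$dst.default" ]; then
        cp -p "$dst" "$dst.default"
    fi
    cp -p "$src" "$dst"
    for db in $LDAP_DATABASES; do
        if ! nsswitch_has_source "$dst" "$db" ldap; then
            # Line format is "name:  source source ..."; append ldap after the
            # last source, dropping any trailing whitespace first.
            sed "s/^\(${db}:[[:space:]].*[^[:space:]]\)[[:space:]]*$/\1 ldap/" "$dst" > "$dst.tmp" \
                && mv "$dst.tmp" "$dst"
        fi
    done
}

# Example invocation (commented out so sourcing this file changes nothing):
# prepare_nsswitch_ldap /etc/nsswitch.conf /etc/nsswitch.ldap
```

Run it before ldapclient, because ldapclient copies nsswitch.ldap over nsswitch.conf; if a database has no line in the source file nothing is added for it, so check the result with grep before initializing the client.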

Now you can initialize the LDAP client manually or using a Solaris profile defined on the LDAP server.
I'm assuming that the user "cn=proxyuser,dc=mycompany,dc=com" with password "secretProxyPassword" is defined in LDAP and has read access to the DIT, that the base is "dc=mycompany,dc=com" and that the LDAP server name is "ldapsrvp01" (an IP address is also allowed).
Manual initialization:

ldapclient manual \
-a domainName=mycompany.com -a credentialLevel=proxy \
-a defaultSearchBase=dc=mycompany,dc=com \
-a proxyDN=cn=proxyagent,dc=mycompany,dc=com \
-a proxyPassword=secretProxyPassword \
ldapsrvp01

This will do the following things:
/var/ldap/ldap_client_file will be created with the LDAP settings given above
/var/ldap/ldap_client_cred will be created with the proxyagent credentials
/etc/nsswitch.ldap will be copied to /etc/nsswitch.conf
the service svc:/network/ldap/client:default will be started

If you want to use secure communication and to be able to change users' passwords from the OS, you need to add some settings, e.g.:

ldapclient mod \
-a authenticationMethod=tls:simple \
-a enableShadowUpdate=TRUE \
-a adminDN=cn=admin,dc=mycompany,dc=com \
-a adminPassword=secretAdminPassword

It can be a little confusing that authenticationMethod is "tls:simple" while the connection to the server is not made on port 389 with StartTLS but on the SSL port 636; be aware of this.

You can also initialize the LDAP client using a Solaris profile, if one is defined in LDAP under "ou=profile,dc=mycompany,dc=com"; see my previous post for a description and example. Here I'm using the profile "cn=dev,ou=profile,dc=mycompany,dc=com" to initialize the client:

ldapclient init \
-a domainName=mycompany.com \
-a profileName=dev \
-a proxyDN=cn=proxyagent,dc=mycompany,dc=com \
-a proxyPassword=secretProxyPassword \
-a adminDN=cn=admin,dc=mycompany,dc=com \
-a adminPassword=secretAdminPassword \
-a enableShadowUpdate=TRUE \
192.168.0.1

If the system is successfully configured, you should be able to list the LDAP settings:

ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,dc=mycompany,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 192.168.0.1
NS_LDAP_SEARCH_BASEDN= dc=mycompany,dc=com
NS_LDAP_CREDENTIAL_LEVEL= proxy
...

and list users/groups from the LDAP tree with "getent passwd", "getent group" or similar.
If something went wrong, you need to troubleshoot the issue, starting from the messages returned by ldapclient, the logs, the ldap/client service status and the Name Service Switch configuration.

Another way to configure the LDAP client, especially if you have a large number of clients, is to configure one of them with the methods above and then copy the content of the /var/ldap directory and the /etc/nsswitch.conf file to the remaining hosts. Then enable svc:/network/ldap/client:default on them and voilà, done. This is a quick and dirty way, but it works.
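The "copy /var/ldap and nsswitch.conf, then enable the service" method is worth scripting, and worth a sanity check first, since /var/ldap/ldap_client_cred carries the proxy bind password (obfuscated with {NS1}, as the ldapclient list output above shows, but still a secret). The script below is an added example, not from the original post or from Solaris: check_ldap_dir verifies that the five files named in this post exist and that the credential file is not group- or world-readable, and deploy_ldap_client pushes the directory and nsswitch.conf to each host and enables the client service. Root SSH access with keys, the /usr/xpg4/bin/sh interpreter and the mode policy on ldap_client_cred are assumptions, not Solaris rules.

```shell
#!/usr/xpg4/bin/sh
# Added example (not from the original post): check a configured reference
# host's /var/ldap, then replicate it to other hosts and enable the client.

LDAP_DIR=/var/ldap
# Files created by certutil and ldapclient on the reference host (per the post).
LDAP_FILES="cert8.db key3.db secmod.db ldap_client_file ldap_client_cred"

# check_ldap_dir DIR
#   Returns 0 when every expected file exists and ldap_client_cred (holds the
#   obfuscated proxy password) is not readable by group or others. The mode
#   policy is an assumption for this example; adjust to local standards.
check_ldap_dir() {
    dir=$1
    rc=0
    for f in $LDAP_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done
    if [ -f "$dir/ldap_client_cred" ]; then
        # "ls -l" prints e.g. "-r--------"; columns 5-10 are the group/other bits.
        mode=$(ls -l "$dir/ldap_client_cred" | cut -c5-10)
        case $mode in
            ------) ;;
            *) echo "ldap_client_cred is group/world accessible ($mode)" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# deploy_ldap_client HOST...
#   Copies LDAP_DIR and /etc/nsswitch.conf to each host (assumes root SSH with
#   keys) and enables the client service, stopping at the first failing host.
deploy_ldap_client() {
    check_ldap_dir "$LDAP_DIR" || return 1
    for host in "$@"; do
        echo "== $host"
        ssh "root@$host" "mkdir -p $LDAP_DIR" &&
        scp -p $LDAP_DIR/* "root@$host:$LDAP_DIR/" &&
        scp -p /etc/nsswitch.conf "root@$host:/etc/nsswitch.conf" &&
        ssh "root@$host" "svcadm enable svc:/network/ldap/client:default && svcs -x svc:/network/ldap/client:default" ||
            { echo "failed on $host" >&2; return 1; }
    done
}

# Example invocation (commented out; supply your own host names):
# deploy_ldap_client host01 host02
```

After the push, "getent passwd" on each target is the quickest functional check; svcs -x is included so a service that fails to come up reports its reason immediately rather than silently falling back to local files.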
