{"id":599,"date":"2016-06-02T11:28:13","date_gmt":"2016-06-02T09:28:13","guid":{"rendered":"http:\/\/drfugazi.eu.org\/?p=599"},"modified":"2016-10-14T14:17:03","modified_gmt":"2016-10-14T12:17:03","slug":"ldap-server-for-solaris-and-linux-clients","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/ldap-server-for-solaris-and-linux-clients\/","title":{"rendered":"LDAP server for Solaris and Linux clients"},"content":{"rendered":"<p><a  href=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"627\" data-permalink=\"https:\/\/drfugazi.eu.org\/en\/ldap-server-for-solaris-and-linux-clients\/ldap-dit\/\" data-orig-file=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1267%2C1073&amp;ssl=1\" data-orig-size=\"1267,1073\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"LDAP-DIT\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=300%2C254&amp;ssl=1\" data-large-file=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1024%2C867&amp;ssl=1\" class=\"alignleft wp-image-627 size-thumbnail\" src=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT-150x150.jpg?resize=150%2C150\" alt=\"LDAP-DIT\" width=\"150\" height=\"150\" 
srcset=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?resize=160%2C160&amp;ssl=1 160w, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?resize=320%2C320&amp;ssl=1 320w, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?zoom=3&amp;resize=150%2C150&amp;ssl=1 450w\" sizes=\"(max-width: 150px) 100vw, 150px\" data-recalc-dims=\"1\" \/><\/a>A few months ago I received a task to set up LDAP authentication for Solaris 10, Solaris 11 and Linux machines in a customer&#8217;s infrastructure. OpenLDAP 2.4.x in a Master-Slave configuration with SSL\/TLS support was chosen as the LDAP server. The servers were installed on virtual machines running CentOS 6.7.<br \/>\nI will not describe the LDAP installation, because on modern Linux distributions it is as simple as:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">$ sudo yum install openldap-servers<\/pre>\n<p><!--more-->The Directory Information Tree configuration is also set during installation. I will use dc=mycompany,dc=com in this document. I will also use &#8220;o=mycompany&#8221; and &#8220;o=customer&#8221; as branches in my DIT to separate users and groups.<br \/>\nThere are lots of manuals on how to configure Master-Slave replication in OpenLDAP, so this is out of scope; you&#8217;ll need to find one and configure it yourself. I used the dynamic configuration (cn=config), which is not well documented, but it is possible (and sometimes the only way) to prepare a static slapd.conf and convert it to the dynamic configuration with &#8216;slaptest&#8217;. 
My recommendation is to use this method.<br \/>\nApart from the &#8216;syncrepl&#8217; replication overlay (loaded as &#8216;syncprov&#8217; in the module list), I&#8217;m also using the &#8216;memberof&#8217; and &#8216;refint&#8217; overlays (<a href=\"http:\/\/www.schenkels.nl\/2013\/03\/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04\/\">here is a HOWTO<\/a>) and &#8216;unique&#8217;. A description of the overlays can be found here: <a href=\"http:\/\/www.openldap.org\/doc\/admin24\/overlays.html\" target=\"_blank\">http:\/\/www.openldap.org\/doc\/admin24\/overlays.html<\/a><br \/>\nThis is the list of modules enabled in my configuration:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndn: cn=module{0},cn=config\r\nobjectClass: olcModuleList\r\ncn: module{0}\r\nolcModuleLoad: {0}memberof.la\r\nolcModuleLoad: {1}syncprov.la\r\nolcModuleLoad: {2}refint.la\r\nolcModuleLoad: {3}unique\r\nolcModulePath: \/usr\/lib64\/openldap\r\n<\/pre>\n<p>and the overlay configuration (the &#8216;unique&#8217; URIs reject a second posixAccount with the same uid or uidNumber and a second posixGroup with the same gidNumber, so two entries can never share an identity):<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndn: olcOverlay={0}memberof,olcDatabase={2}bdb,cn=config\r\nobjectClass: olcMemberOf\r\nobjectClass: olcOverlayConfig\r\nolcOverlay: {0}memberof\r\nolcMemberOfDangling: ignore\r\nolcMemberOfRefInt: FALSE\r\n\r\ndn: olcOverlay={1}syncprov,olcDatabase={2}bdb,cn=config\r\nobjectClass: olcSyncProvConfig\r\nobjectClass: olcOverlayConfig\r\nolcOverlay: {1}syncprov\r\nolcSpCheckpoint: 100 10\r\nolcSpSessionlog: 200\r\n\r\ndn: olcOverlay={2}refint,olcDatabase={2}bdb,cn=config\r\nobjectClass: top\r\nobjectClass: olcConfig\r\nobjectClass: olcOverlayConfig\r\nobjectClass: olcRefintConfig\r\nolcOverlay: {2}refint\r\nolcRefintAttribute: member memberof\r\n\r\ndn: olcOverlay={3}unique,olcDatabase={2}bdb,cn=config\r\nobjectClass: olcUniqueConfig\r\nobjectClass: olcOverlayConfig\r\nolcOverlay: {3}unique\r\nolcUniqueURI: ldap:\/\/\/dc=mycompany,dc=com?gidNumber?sub?(objectClass=posixGroup)\r\nolcUniqueURI: ldap:\/\/\/dc=mycompany,dc=com?uid,uidNumber?sub?(objectClass=posixAccount)\r\n<\/pre>\n<p>When the LDAP 
server(s) are configured and running, we can focus on Solaris profiles. Why use profiles? Because it is faster and simpler to change a single LDAP entry than to reconfigure every client connected to LDAP. I haven&#8217;t heard of LDAP profiles for Linux, but with Solaris 10 and 11 they work fine.<br \/>\nTo configure profiles you need to extend the LDAP schema with the attributes and object classes defined in DUAConfigProfile:<br \/>\n<a href=\"http:\/\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/DUAConfigProfile.txt\">DUAConfigProfile<\/a><br \/>\nJust download it, rename it to &#8216;duaconfig.schema&#8217; and put it into the &#8216;schema&#8217; directory under your LDAP server configuration directory. Also download:<br \/>\n<a href=\"http:\/\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/nisdomain.txt\">NIS Domain schema extension<\/a> and save it as &#8216;nisdomain.schema&#8217; in the same directory (default: \/etc\/openldap\/schema).<br \/>\nInclude these files in &#8216;slapd.conf&#8217; with the &#8216;include&#8217; directive and, if you use the dynamic configuration, convert it with &#8216;slaptest&#8217;.<br \/>\nAn example profile for Solaris clients looks as follows:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndn: cn=dev,ou=profile,dc=mycompany,dc=com\r\nobjectClass: DUAConfigProfile\r\nobjectClass: top\r\ncn: dev\r\nattributeMap: shadow:userpassword=userPassword\r\nattributeMap: passwd:loginshell=loginShell\r\nattributeMap: passwd:homedirectory=homeDirectory\r\nattributeMap: passwd:uidnumber=uidNumber\r\nattributeMap: passwd:gidnumber=gidNumber\r\nattributeMap: group:gidnumber=gidNumber\r\nattributeMap: automount:automountKey=cn\r\nattributeMap: automount:automountInformation=nisMapEntry\r\nattributeMap: automount:automountMapName=nisMapName\r\nauthenticationMethod: tls:simple\r\ncredentialLevel: proxy\r\ndefaultSearchBase: dc=mycompany,dc=com\r\ndefaultServerList: ldapsrvp01 ldapsrvp02\r\nobjectclassMap: shadow:shadowAccount=posixaccount\r\nobjectclassMap: passwd:posixAccount=posixaccount\r\nobjectclassMap: group:posixGroup=posixgroup\r\nobjectclassMap: automount:automount=nisObject\r\nobjectclassMap: automount:automountMap=nisMap\r\nprofileTTL: 300\r\nserviceSearchDescriptor: passwd:ou=people,o=mycompany,dc=mycompany,dc=com?sub?(|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com));ou=people,o=customer,dc=mycompany,dc=com?sub?memberof=cn=dev,ou=groups,o=customer,dc=mycompany,dc=com\r\nserviceSearchDescriptor: group:ou=groups,o=mycompany,dc=mycompany,dc=com;ou=groups,o=customer,dc=mycompany,dc=com\r\nserviceSearchDescriptor: shadow:ou=people,o=mycompany,dc=mycompany,dc=com?sub?(|(memberof=cn=uxadmin,ou=groups,o=mycompany,dc=mycompany,dc=com)(memberof=cn=dev,ou=groups,o=mycompany,dc=mycompany,dc=com));ou=people,o=customer,dc=mycompany,dc=com?sub?memberof=cn=dev,ou=groups,o=customer,dc=mycompany,dc=com\r\nserviceSearchDescriptor: auto_master:ou=service,dc=mycompany,dc=com?sub?nisMapName=auto_master\r\nserviceSearchDescriptor: auto_home:ou=service,dc=mycompany,dc=com?sub?nisMapName=auto_home\r\n<\/pre>\n<p>I know that this profile may look complex, especially the serviceSearchDescriptor filters, but I want to show you how to search for users\/groups when they are defined in different LDAP branches.<br \/>\nThis profile is called &#8216;cn=dev&#8217; and uses the MemberOf overlay (the memberof attribute in the filters) to allow access to the system for members of the &#8216;uxadmin&#8217; and &#8216;dev&#8217; groups from &#8216;o=mycompany,dc=mycompany,dc=com&#8217; and members of the &#8216;dev&#8217; group from &#8216;o=customer,dc=mycompany,dc=com&#8217;. Note that the passwd and shadow services use the same group filter, so users outside those groups are not visible to the client at all. Also, &#8216;authenticationMethod: tls:simple&#8217; together with &#8216;credentialLevel: proxy&#8217; means the clients bind with the proxy account&#8217;s password over TLS, so every client has to trust the certificates presented by ldapsrvp01 and ldapsrvp02.<br \/>\nOf course you can define as many profiles as you need. 
A description of the parameters can be found in the documentation on the Oracle website.<br \/>\nI have not heard of profiles for Linux systems, and I didn&#8217;t define any on the LDAP servers.<br \/>\nHow to connect Linux and Solaris clients I will describe in a separate post.<\/p>","protected":false},"excerpt":{"rendered":"<p>Sorry, this entry is only available in Polish. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language.A few months&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":627,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[115,98,108],"tags":[6,99,9],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1267%2C1073&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7M9Tz-9F","_links":{"self":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/599"}],"collection":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/comments?post=599"}],"version-history":[{"count":17,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/599\/revisions"}],"predecessor-version":[{"id":683,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/599\/revisions\/683"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media\/627"}],"wp:attachment":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media?parent=599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/categories?post=599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/tags?post=599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}