{"id":641,"date":"2016-06-21T17:50:48","date_gmt":"2016-06-21T15:50:48","guid":{"rendered":"http:\/\/drfugazi.eu.org\/?p=641"},"modified":"2016-10-06T13:56:25","modified_gmt":"2016-10-06T11:56:25","slug":"solaris-ldap-client-configuration","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/solaris-ldap-client-configuration\/","title":{"rendered":"Solaris LDAP client configuration"},"content":{"rendered":"

\"LDAP<\/a>
\nOracle Solaris has native LDAP support built in OS, so there is no need to install third-party software to configure Solaris to use LDAP as users\/groups and other repository. You can use different ways to do this, and I will describe few of them.<\/p>\n

If secure communication is required, and we have Self Signed certificates, we need to install CA certificate on each client.
\nThis can be achieved by import CA certificate to local store with certutil (\/usr\/sfw\/bin\/certutil in Solaris 10). First create NSS DB (Don’t enter password. Just hit return)<\/p>\n

\r\ncertutil -N -d \/var\/ldap\r\nchmod 444 \/var\/ldap\/*\r\n<\/pre>\n
<\/p>\n
Download the CA certificate and save it to a temporary location. Ex: \/var\/tmp\/cacert.pem. Then add CA certificate to the NSS DB:<\/p>\n
\r\ncertutil -A -n "ca-cert" -i \/var\/tmp\/cacert.pem -a -t CT -d \/var\/ldap\r\n<\/pre>\n
Three files should be created in \/var\/ldap: cert8.db, key3.db and secmod.db. Now you can test if it works with ldapsearch:<\/p>\n
\r\nldapsearch -v -h ldapsrvp01 -p 636 -Z -P \/var\/ldap\/cert8.db \\ \r\n -b "dc=mycompany,dc=com" -s base "objectclass=*"\r\n<\/pre>\n
where ldapsrvp01 is LDAP server name which is defined in \/etc\/hosts or DNS and also stored as Common Name in server’s certificate. If these names will be different you will receive an error, eg.<\/p>\n
ldap_search: Can't contact LDAP server.<\/pre>\n
In that case you need to define name from Certificate’s CN in \/etc\/hosts or regenerate server’s certificate (not CA).<\/p>\n
Now we can proceed to LDAP client initialization.
\nWait! Not yet, especially if you don’t plan to use LDAP as Name resolver etc. LDAP client initialization replaces \/etc\/nsswitch.conf file with \/etc\/nsswitch.ldap file (Solaris 10). This can be dangerous, because in most environments DNS is used as name resolver, and this setting will be overwritten.
\nMy advice is to make backup of file \/etc\/nsswitch.ldap and overwrite \/etc\/nsswitch.ldap with content of actual \/etc\/nsswitch.conf:<\/p>\n
\r\nmv \/etc\/nsswitch.ldap \/etc\/nsswitch.ldap.default\r\ncp -p \/etc\/nsswitch.conf \/etc\/nsswitch.ldap\r\n<\/pre>\n
then edit \/etc\/nsswitch.ldap and add ‘ldap’ to particular entries, e.g.:<\/p>\n
\r\npasswd:     files ldap\r\ngroup:      files ldap\r\n<\/pre>\n
but leave other entries as they should be, e.g.:<\/p>\n
\r\nhosts:      cluster files [SUCCESS=return] dns\r\n# Note that IPv4 addresses are searched for in all of the ipnodes databases\r\n# before searching the hosts databases.\r\nipnodes:    cluster files dns [TRYAGAIN=0]\r\nnetworks:   files dns\r\nprotocols:  files\r\n<\/pre>\n
Now you can initialize LDAP client manually or using Solaris Profile defined on LDAP server.
\nI’m assuming that user “cn=proxyuser,dc=mycompany,dc=com” with password “secretProxyPassword” is defined in LDAP and have Read access to DIT, base is “dc=mycompany,dc=com” and LDAP server name is “ldapsrvp01” (IP address is also allowed).
\nManual initialization:<\/p>\n
\r\nldapclient manual \\\r\n-a domainName=mycompany.com -a credentialLevel=proxy \\\r\n-a defaultSearchBase=dc=mycompany,dc=com \\ \r\n-a proxyDN=cn=proxyagent,dc=mycompany,dc=com \\ \r\n-a proxyPassword=secretProxyPassword \\\r\nldapsrvp01\r\n<\/pre>\n
This will do following things:
\nldap_client_file will be created with LDAP settings as above
\nldap_client_cred will be created with proxyagent credentials
\n\/etc\/nsswitch.ldap will be copied as \/etc\/nsswitch.conf
\nService svc:\/network\/ldap\/client:default will be started<\/p>\n
If you want to use secure communication and have possibility to change users’ passwords from OS, you need to add some settings, e.g.:<\/p>\n
\r\nldapclient mod \\\r\n-a authenticationMethod=tls:simple \\\r\n-a enableShadowUpdate=TRUE \\\r\n-a adminDN=cn=admin,dc=mycompany,dc=com \\\r\n-a adminPassword=secretAdminPassword\r\n<\/pre>\n
This can be little confusing, that authenticationMethod is “tls:simple”, but connection to server is not on 389 port with StartTLS, but on SSL port 636, be aware of this.<\/p>\n
You can also initialize LDAP client using Solaris Profile, if it is defined in LDAP under “ou=profile,dc=mycompany,dc=com”, see my previous post for description and example. Here I’m using profile “cn=dev,ou=profile,dc=mycompany,dc=com” to initialize client:<\/p>\n
\r\nldapclient init \\\r\n-a domainName=mycompany.com \\\r\n-a profileName=dev \\\r\n-a proxyDN=cn=proxyagent,dc=mycompany,dc=com \\\r\n-a proxyPassword=secretProxyPassword \\\r\n-a adminDN=cn=admin,dc=mycompany,dc=com \\\r\n-a adminPassword=secretAdminPassword \\\r\n-a enableShadowUpdate=TRUE \\\r\n192.168.0.1\r\n<\/pre>\n
If system is successfully configured, you should be able to list LDAP settings:<\/p>\n
\r\nldapclient list\r\nNS_LDAP_FILE_VERSION= 2.0\r\nNS_LDAP_BINDDN= cn=proxyagent,dc=mycompany,dc=com\r\nNS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f\r\nNS_LDAP_SERVERS= 192.168.0.1\r\nNS_LDAP_SEARCH_BASEDN= dc=mycompany,dc=com\r\nNS_LDAP_CREDENTIAL_LEVEL= proxy\r\n...\r\n<\/pre>\n
and list users\/groups from LDAP tree with “getent passwd”, “getent group” or similar.
\nIf something went wrong, you need to troubleshoot the issue, starting from messages returned by ldapclient, logs, ldap\/client service status and Name Service Switch configuration.<\/p>\n
Other way to configure LDAP client – especially if you have big amount of clients – is to configure one of them with above methods and then copy content of \/var\/ldap directory and \/etc\/nsswitch.conf file to remaining hosts. Then enable svc:\/network\/ldap\/client:default on them and voila, done. This is quick and dirty way, but it works.<\/p>","protected":false},"excerpt":{"rendered":"
Sorry, this entry is only available in Polish. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language. Oracle...<\/p>\n","protected":false},"author":1,"featured_media":627,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[115,108],"tags":[6,9],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1267%2C1073&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7M9Tz-al","jetpack-related-posts":[{"id":692,"url":"https:\/\/drfugazi.eu.org\/en\/solaris-ldap-autofs-client-configuration\/","url_meta":{"origin":641,"position":0},"title":"Solaris LDAP autofs client configuration","author":"drfugazi","date":"Thursday December 15th, 2016","format":false,"excerpt":"Last time I wrote about autofs configuration on LDAP server, now it is time to configure autofs client in Solaris. I assume that in DUAConfigProfile, objectClasses and attributes are already defined. You can check this with simply commands: [bash] % ldaplist -l auto_master dn: automountMapName=auto_master,ou=service,dc=mycompany,dc=com automountMapName: auto_master objectClass: automountMap objectClass:\u2026","rel":"","context":"In "LDAP"","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/02\/Solaris_OS_logo.png?fit=800%2C393&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/02\/Solaris_OS_logo.png?fit=800%2C393&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/02\/Solaris_OS_logo.png?fit=800%2C393&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/02\/Solaris_OS_logo.png?fit=800%2C393&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":729,"url":"https:\/\/drfugazi.eu.org\/en\/sudoers-in-ldap\/","url_meta":{"origin":641,"position":1},"title":"Sudoers in LDAP","author":"drfugazi","date":"Wednesday June 28th, 2017","format":false,"excerpt":"In addition to the standard sudoers file, sudo may be configured via LDAP. This can be especially useful for synchronizing sudoers in a large, distributed environment. You need to have LDAP server and client configured, if you do not have already, see my previous posts. LDAP schema extension for sudo\u2026","rel":"","context":"In "LDAP"","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2017\/06\/sudo-sudoers-make-me-sandwich.jpg?fit=360%2C299&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":599,"url":"https:\/\/drfugazi.eu.org\/en\/ldap-server-for-solaris-and-linux-clients\/","url_meta":{"origin":641,"position":2},"title":"LDAP server for Solaris and Linux clients","author":"drfugazi","date":"Thursday June  2nd, 2016","format":false,"excerpt":"Few months ago I received a task to set up LDAP authentication for Solaris 10, Solaris 11 and Linux machines in Customer's infrastructure. As LDAP server was chosen OpenLDAP 2.4.x in Master-Slave configuration with SSL\/TLS support. Servers was installed on Virtual Machines with CentOS 6.7. I will not describe LDAP\u2026","rel":"","context":"In "LDAP"","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"LDAP DIT","src":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":685,"url":"https:\/\/drfugazi.eu.org\/en\/autofs-in-ldap-configuration-linux-solaris\/","url_meta":{"origin":641,"position":3},"title":"Autofs in LDAP configuration – for Linux and Solaris","author":"drfugazi","date":"Friday November 25th, 2016","format":false,"excerpt":"If you have LDAP server as user repository it is also good to have NFS server to store their home directories. To avoid autofs map configuration on every host, you can use LDAP service to store maps. I assume that NFS server (NFSHOME) is already installed, LDAP server and client\u2026","rel":"","context":"In "LDAP"","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"LDAP DIT","src":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":672,"url":"https:\/\/drfugazi.eu.org\/en\/linux-ldap-client-configuration\/","url_meta":{"origin":641,"position":4},"title":"Linux LDAP client configuration","author":"drfugazi","date":"Thursday October  6th, 2016","format":false,"excerpt":"The simplest way to configure LDAP client in Linux is to use some kind of tool delivered with system. SuSE has yast (yast2), RedHat family has authconfig (authconfig-tui). This should install required packages like: nss-pam-ldapd, nscd, pam_ldap, ldapclient etc. Unfortunatelly I don't remember list of packages for particular distributions, because\u2026","rel":"","context":"In "LDAP"","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/10\/linux-logo.jpg?fit=300%2C300&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":719,"url":"https:\/\/drfugazi.eu.org\/en\/linux-ldap-autofs-client-configuration\/","url_meta":{"origin":641,"position":5},"title":"Linux LDAP autofs client configuration","author":"drfugazi","date":"Wednesday May 10th, 2017","format":false,"excerpt":"There is a plenty of Linux distributions, so there is not my point to describe how to configure autofs in every one of them. This description is based on RedHat\/CentOS, but it can be applied to other distributions with very small changes. If you have local users and their directories\u2026","rel":"","context":"In "LDAP"","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/10\/linux-logo.jpg?fit=300%2C300&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/641"}],"collection":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/comments?post=641"}],"version-history":[{"count":11,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/641\/revisions"}],"predecessor-version":[{"id":671,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/641\/revisions\/671"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media\/627"}],"wp:attachment":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media?parent=641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/categories?post=641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/tags?post=641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}