Fooblog

Foobar’s blog and linkdump

Solaris 10 as LDAP client (to OpenLDAP 2.4.x)

with 6 comments

During the last couple of weeks I’ve been working on getting a central directory setup for my client, running on OpenLDAP 2.4. Not having worked with LDAP a lot before it proved quite a challenge, especially getting Solaris 10 to work with the LDAP server without any glitches.
In this document I’ll try and describe how this setup was made, because I have been unable to find a single consistent document describing all the intricate details.
At this time I have all my problems fixed (AFAIK), but during the setup phase I experienced various problems:

  • Solaris 10 not seeing any users from LDAP
  • Solaris seeing users, but not letting them log in
  • Log-in working from console, but not ssh
  • Passwordless login (pubkey) not working in SUN-SSH
  • Users being able to hack extra permissions for themselves
  • etc…. etc….etc…

The entire article has been moved to a more permanent location, as a page on this site. You can find it under the ‘Pages’ header on the right. Setting up ldap

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • De.lirio.us
  • LinkedIn
  • MySpace
  • Reddit
  • Slashdot
  • Technorati

Written by foobar

January 27th, 2009 at 12:32 pm

Posted in Just Blogging Stuff, Proxytunnel, hacking, rant, tech

Tagged with , , , , ,

«
»

6 Responses to 'Solaris 10 as LDAP client (to OpenLDAP 2.4.x)'

Subscribe to comments with RSS or TrackBack to 'Solaris 10 as LDAP client (to OpenLDAP 2.4.x)'.

  1. If you copied any of the slapd config, beware that I just changed part of the ACL’s. Proxyagent had write access to the People and Groups tree. This caused a ‘userdel’ command on a unix system to actually remove the user from LDAP (at least on AIX). This should no longer happen now.

    foobar

    27 Jan 09 at 19:17

  2. Foobar

    Excellent work!!, fantastic someone has taken the effort to deploy & document the process, Ive been pulling my hair out trying to get this to work

    Can you shed any light on

    objectClass: person
    objectClass: organizationalPerson
    objectClass: posixAccount
    objectClass: shadowAccount

    where are these objectClass’s referenced, in which schema?

    I’m also trying to figure out logically how it all hangs together

    Once I’m done i will post my results

    many thanks again

    Frank

    Franky_G

    28 Jan 09 at 19:33

  3. I think (from my head) that posixAccount and shadowAccount are from nis.schema. The person schema’s are from core.schema afaik.

    These are required for practically all *UX boxen

    foobar

    28 Jan 09 at 19:48

  4. Foobar

    The userPassword attribute for the testuser, can this be stored in crypt format? within the ldif file above?

    userPassword:: MUNGED

    Frank

    29 Jan 09 at 12:10

  5. It is stored (in this case) in SSHA format (Salted SHA1). You can also use various other hashing methods (MD5/Crypt/etc)

    Best is just to set it to something invalid (like this) and then use Apache Directory Studio (or some other ldap browser/editor) and set the password for the account using that.

    foobar

    29 Jan 09 at 12:17

  6. It took me awhile to figure out that the native Solaris LDAP client requires accounts to be a member of the shadowAccount class, else login will silently fail.

    See: http://forums.sun.com/thread.jspa?threadID=5075917

    Alex

    10 May 10 at 23:33

Leave a Reply