On 25 Dec 2011, at 09:27, Ram Chander wrote:

> Hi,
> 
> I am trying to set up an LDAP client and authentication on OpenIndiana but
> with no success. I searched on the internet but couldn't get proper steps.
> Can someone please provide detailed steps on how to set up the same and which
> packages to install?

Is your directory server already running with all the right entries in? If not, 
get that working first.

Once the server's working, I have a shell script I run on each Solaris client 
that sets up ldapclient in "manual" mode. Before running it, make sure your 
/etc/nsswitch.ldap file contains a good value for hosts. It'll automatically 
get copied to /etc/nsswitch.conf by ldapclient. The shell script just runs:

ldapclient -v manual \
        -a defaultServerList=127.0.0.1 \
        -a defaultSearchBase=o=MyCompany \
        -a authenticationMethod=simple \
        -a proxyDN=cn=Dummy,ou=System,o=MyCompany \
        -a proxyPassword=dummy

The last two "proxy" lines are necessary but not used. (A longstanding upstream 
misfeature.) This sets up the client to do anonymous searches for 
user/group/etc details.

To test that config works, run things like /usr/bin/id and /usr/bin/getent. You 
should find that data is being returned from your LDAP server. It helps if you 
can set up some LDAP-only groups or something so that testing shows something 
"obviously" from LDAP. If not, run "ldapclient uninit", and try "ldapclient -v 
manual" again with different args.

Setting up authentication is a little more fiddly. Don't start this until you 
have ldapclient configured properly.

You have to edit /etc/pam.conf and append "<service> auth required 
pam_ldap.so.1" to each section. I think you also have to edit the previous line 
to "<service> auth binding pam_unix_auth.so.1 server_policy", but I don't have 
a stock OI pam.conf file to hand to check.

Here's the section for the login service in mine:

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1

Changes to pam.conf take immediate effect. You may need to tweak sshd_config as 
well.

Cheers,

Chris

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
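
Added example (not part of the original message, nor OpenIndiana's own tooling): a shell check for the pam.conf edit described above. It flags any service whose auth stack has pam_ldap.so.1 without an earlier "binding pam_unix_auth.so.1 server_policy" line. The function names and the sample stanzas are constructed for illustration.

```shell
#!/bin/sh
# check_pam_ldap [FILE...]: audit "auth" stacks in pam.conf-style input
# (reads stdin when no file is given). Prints one line per service and
# returns 1 if any service uses pam_ldap.so.1 without an earlier
# "binding pam_unix_auth.so.1 server_policy" line.
check_pam_ldap() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        $2 != "auth"         { next }      # only the auth stack matters here
        {
            svc = $1
            if (!(svc in seen)) { seen[svc] = 1; order[++n] = svc }
            if ($4 ~ /pam_unix_auth\.so/ && $3 == "binding" && $0 ~ /server_policy/)
                unix_ok[svc] = 1
            if ($4 ~ /pam_ldap\.so/) {
                ldap[svc] = 1
                if (!unix_ok[svc]) misordered[svc] = 1
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (!ldap[s])           print s ": no pam_ldap (local auth only)"
                else if (misordered[s]) { print s ": FAIL pam_ldap lacks preceding binding pam_unix_auth + server_policy"; bad = 1 }
                else                    print s ": ok"
            }
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample: "login" matches the stanza in the message above;
# "other" has pam_ldap appended but the previous line left as "required".
sample_pam_conf() {
    cat <<'EOF'
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1
# constructed misconfiguration
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_unix_auth.so.1
other   auth required           pam_ldap.so.1
cron    account required        pam_unix_account.so.1
EOF
}

if [ "$#" -gt 0 ]; then check_pam_ldap "$@"; else sample_pam_conf | check_pam_ldap || true; fi
```

Run it as "sh script.sh /etc/pam.conf" before and after editing; with no argument it audits the constructed sample.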
