Hi Mike,

> Try the following change to the nsswitch.conf file
>
> # consult /etc "files" only if ldap is down.
> hosts: files dns mdns ldap

That worked! Now ldap and dns are happy! very cool.

thanks to both of you guys!

best regards,
Tim

On Sun, May 6, 2012 at 1:01 AM, Mike La Spina <mike.lasp...@laspina.ca> wrote:
> Hi Tim,
>
> Try the following change to the nsswitch.conf file
>
> # consult /etc "files" only if ldap is down.
> hosts: files dns mdns ldap
>
> This will set the resolution order to; 1 local hosts file, 2 dns, 3 multicast
> dns, 4 ldap lookup
>
> Regards,
> Mike
>
> -----Original Message-----
> From: Tim Dunphy [mailto:bluethu...@gmail.com]
> Sent: Saturday, May 05, 2012 9:43 PM
> To: Discussion list for OpenIndiana
> Subject: Re: [OpenIndiana-discuss] openindiana ldap client
>
> Thanks!
>
> That really did the trick!
>
> ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a
> proxyDN=cn=Manager,dc=example,dc=com -a proxyPassword=secret -a
> defaultSearchBase=dc=example,dc=com -a domainName=example.com -a
> defaultServerList=192.168.1.44
>
> Grep ldap for ldap user:
>
> root@openindiana:/var/ldap# getent passwd | grep walbs
> walbs:x:1002:1003:Walkiria Soares-Dunphy:/home/walbs:/bin/bash
>
> However I notice that now dns resolution seems mixed up, but only since
> running ldapclient:
>
> root@openindiana:/var/ldap# ping yahoo.com
> ping: unknown host yahoo.com
>
> Here's what nsswitch.conf is looking like:
>
> root@openindiana:/var/ldap# cat /etc/nsswitch.conf
> # CDDL HEADER START
> #
> # The contents of this file are subject to the terms of the
> # Common Development and Distribution License (the "License").
> # You may not use this file except in compliance with the License.
> #
> # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
> # or http://www.opensolaris.org/os/licensing.
> # See the License for the specific language governing permissions
> # and limitations under the License.
> #
> # When distributing Covered Code, include this CDDL HEADER in each
> # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
> # If applicable, add the following below this CDDL HEADER, with the
> # fields enclosed by brackets "[]" replaced with your own identifying
> # information: Portions Copyright [yyyy] [name of copyright owner]
> #
> # CDDL HEADER END
> #
> # Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
> #
>
> #
> # /etc/nsswitch.ldap:
> #
> # An example file that could be copied over to /etc/nsswitch.conf; it
> # uses LDAP in conjunction with files.
> #
> # "hosts:" and "services:" in this file are used only if the
> # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>
> # LDAP service requires that svc:/network/ldap/client:default be enabled
> # and online.
>
> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> passwd: files ldap
> group: files ldap
>
> # consult /etc "files" only if ldap is down.
> hosts: files ldap
>
> # Note that IPv4 addresses are searched for in all of the ipnodes databases
> # before searching the hosts databases.
> ipnodes: files ldap
>
> networks: files ldap
> protocols: files ldap
> rpc: files ldap
> ethers: files ldap
> netmasks: files ldap
> bootparams: files ldap
> publickey: files ldap
>
> netgroup: ldap
>
> automount: files ldap
> aliases: files ldap
>
> # for efficient getservbyname() avoid ldap
> services: files ldap
>
> printers: user files ldap
>
> auth_attr: files ldap
> prof_attr: files ldap
>
> project: files ldap
>
> tnrhtp: files ldap
> tnrhdb: files ldap
>
> If I revert the file to pre-ldapclient I can ping yahoo and external hosts
> again:
>
> root@openindiana:/var/ldap# cat /etc/nsswitch.conf.bak > /etc/nsswitch.conf
>
> root@openindiana:/var/ldap# ping yahoo.com
> yahoo.com is alive
>
> And of course I can't find ldap users in the directory again.
>
> root@openindiana:/var/ldap# getent passwd | grep walbs
> root@openindiana:/var/ldap#
>
> Is there any way to have my cake and eat it too?
>
> thanks
> tim
>
> On Sat, May 5, 2012 at 9:57 PM, Joshua M. Clulow <j...@sysmgr.org> wrote:
>> On 6 May 2012 11:15, Tim Dunphy <bluethu...@gmail.com> wrote:
>>> I've also tried using ldapclient, but am having no luck there either:
>>
>> I would definitely suggest that you'll want to use the native LDAP
>> bits, not the PADL stuff.
>>
>>> root@openindiana:~/nss_ldap-265# ldapclient init -v -a profileName=default \
>>>> -a domainname=example.com \
>>>> -a proxyDN=cn=uid=proxy,ou=People,dc=example,dc=com \
>>>> -a proxyPassword=secret \
>>>> 192.168.1.44
>>> Parsing profileName=default
>>> Parsing domainname=example.com
>>> Parsing proxyDN=cn=uid=proxy,ou=People,dc=example,dc=com
>>> Parsing proxyPassword=secret
>>> Arguments parsed:
>>> domainName: example.com
>>> proxyDN: cn=uid=proxy,ou=People,dc=example,dc=com
>>> profileName: default
>>> proxyPassword: secret
>>> defaultServerList: 192.168.1.44
>>> Handling init option
>>> About to configure machine by downloading a profile
>>> Can not find the nisDomainObject for domain example.com
>>
>> So you're specifying a profileName here. Have you created a profile
>> object in your directory with the name "default"? The "init" mode of
>> ldapclient uses a profile object in the directory for configuration.
>>
>> If you don't have or don't want to have a profile object, you could
>> try using "ldapclient manual" rather than "ldapclient init". I
>> believe the manual mode of ldapclient is described in the man page for
>> the tool. There are also documents out on the Internet for
>> configuring the Solaris 10 (or 11) Native LDAP Naming Service client
>> which are mostly, if not entirely, applicable to the bits on
>> OpenIndiana.
>>
>> Cheers.
>>
>> --
>> Joshua M. Clulow
>> UNIX Admin/Developer
>> http://blog.sysmgr.org
>>
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss@openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
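The root cause in this thread is that `ldapclient` rewrote `/etc/nsswitch.conf` from the `nsswitch.ldap` template, so the `hosts:` line became `files ldap` and `dns` dropped out of the lookup order; everything not in the directory stopped resolving until `dns` (and `mdns`) were put back ahead of `ldap`. The checker below is an added example written for this page, not code from the thread or from OpenIndiana. It parses an nsswitch.conf, reports the source order for `hosts` and `ipnodes` (the file's own comment notes that IPv4 lookups consult `ipnodes` before `hosts`, so both lines matter), flags a missing `dns` source, and warns when `ldap` is placed before `dns`, since then every non-directory name waits on the LDAP server first. Solaris-style lookup criteria such as `[NOTFOUND=return]` are stripped before the sources are read. The two sample files embedded in the block are constructed to mirror the broken and the fixed `hosts:` lines from the thread; they are not copies of Tim's real file.

```python
"""Check the lookup source order in a Solaris/OpenIndiana nsswitch.conf.

Added example (not from the mailing-list thread): parses the file, reports the
order for the hosts and ipnodes databases, and flags the failure seen above,
where ldapclient's template left "hosts: files ldap" with no dns source.
"""
import re

# Solaris nsswitch lines may carry lookup criteria such as [NOTFOUND=return].
# They are not sources, so they are removed before the source list is read.
_CRITERIA = re.compile(r"\[[^\]]*\]")


def parse_nsswitch(text):
    """Return {database: [source, ...]} for every 'db: sources' line.

    Comments (everything after '#') and blank lines are ignored."""
    order = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        order[db.strip()] = _CRITERIA.sub(" ", sources).split()
    return order


def check_hostname_resolution(text, required=("dns",)):
    """Return a list of (database, message) problems; an empty list means OK.

    hosts and ipnodes are each flagged when the line is missing, when a
    required source (dns by default) is absent, or when ldap is consulted
    before dns. The working order from the thread is: files dns mdns ldap."""
    order = parse_nsswitch(text)
    problems = []
    for db in ("hosts", "ipnodes"):
        sources = order.get(db)
        if sources is None:
            problems.append((db, "no %s: line" % db))
            continue
        for src in required:
            if src not in sources:
                problems.append((db, "%r missing from order %s" % (src, sources)))
        if ("ldap" in sources and "dns" in sources
                and sources.index("ldap") < sources.index("dns")):
            problems.append((db, "ldap is consulted before dns"))
    return problems


# Constructed sample: what ldapclient's nsswitch.ldap template leaves behind.
BROKEN = """\
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files ldap
ipnodes: files ldap
"""

# Constructed sample: the order suggested in the thread, applied to both lines.
FIXED = """\
passwd: files ldap
group: files ldap
hosts: files dns mdns ldap
ipnodes: files dns mdns ldap
"""

if __name__ == "__main__":
    for label, sample in (("template", BROKEN), ("fixed", FIXED)):
        print(label, parse_nsswitch(sample).get("hosts"))
        for db, msg in check_hostname_resolution(sample):
            print("  %s: %s" % (db, msg))
```

To run it against a live system, pass `open("/etc/nsswitch.conf").read()` to `check_hostname_resolution`; a non-empty result after running `ldapclient` is the signal to edit the `hosts:` and `ipnodes:` lines before trusting name resolution again.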