Hi,

As far as I know, access to the nisdomain attribute is only necessary for the 
Solaris LDAP client so that it can pull and refresh the configuration profile 
from the LDAP server (refresh after the TTL has expired (default 1d)). It is a 
marker: the entry where the nisdomain value matches is the right 
namingContext/BaseDN for searching the profile. The profile is commonly located 
in the ou=profile container and has objectclass=DUAConfigProfile.

But the ACI should be placed on the root entry dc=example,dc=com.

If you want to use the LDAP server profile concept for Solaris clients you can 
run /usr/lib/ldap/idsconfig. 
There you must adjust the version checking so that 389DS matches DS 5.2.  

On 09.03.12, MATON Brett <[email protected]> wrote:
> 
> I came across this link 
> https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
> 
> Which mentions adding the following ACLs:
> 
> the baseDN - (target = ldap:///dc=example,dc=com) (targetscope = base) 
> (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, 
> search) (userdn = "ldap:///anyone";) ;) .
> 
> For super secure access, this aci could be modified thus to only allow access 
> to the nisDomain attribute:
> 
> (target = ldap:///dc=example,dc=com) (targetscope = base) 
> (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow (read, 
> compare, search) (userdn = "ldap:///anyone";) ;) .
> 
> the profile container - (target = "ldap:///ou=profile,dc=example,dc=com";) 
> (targetscope = subtree) (targetattr="*") (version 3.0; acl 
> "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone";) ;)
> 
> For super secure access, this aci could be modified thus to only allow access 
> to the proxyagent user object:
> 
> (target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";) (targetscope 
> = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow 
> (all) (userdn = "ldap:///anyone";) ;)
> 
> I just can’t figure out where to put them, any help appreciated!
> 
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of MATON Brett
> Sent: 08 March 2012 14:39
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
> 
> Hi Carsten,
> 
>   I’ll give it a go, thanks.
> 
> Brett
> 
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Carsten Grzemba
> Sent: 08 March 2012 14:34
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
> 
> Hi,
> 
> I guess the Solaris client must be able to read at least the base so 
> the client can see the supported features:
> # ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
> should return the supportedcontrols, etc.
> 
> 
> On 08.03.12, MATON Brett <[email protected]> wrote:
> 
> I’ve got some hosts using Solaris 10
> 
> cat /etc/release
>                       Solaris 10 10/09 s10s_u8wos_08a SPARC
>            Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
>                         Use is subject to license terms.
>                            Assembled 16 September 2009
> 
> Which I’ve configured with ldapclient manual (failed miserably until I 
> allowed anonymous binds in dse.ldif).
> 
> ldapclient manual -vv \
> -a defaultSearchBase=<blah> \
> -a defaultSearchScope=sub \
> -a authenticationMethod=tls:simple \
> -a credentialLevel=proxy \
> -a proxyDN=cn=ldapsearch,cn=config \
> -a proxyPassword=<blah> \
> -a serviceAuthenticationMethod=pam_ldap:tls:simple \
> -a domainName=<blah> \
> -a certificatePath=/var/ldap \
> -a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
> 
> If I turn anonymous binds off once the client is configured, it fails to 
> connect because the Solaris client is still insisting on making anonymous 
> binds.
> 
> I’m getting these in my access log:
> 
> [08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from 
> <Solaris 10> to <389 DS>
> [08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous 
> access not allowed
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 
> etime=0
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
> 
> Anyone come across this before and have a solution?  I really don’t want to 
> have to allow anonymous binds...
> 
> Brett
> 
> -------------------------------------------------------------------
> 
> GreeNRB
> NRB considers its environmental responsibility and goes for green IT. 
> May we ask you to consider yours before printing this e-mail?   
> 
> NRB, daring to commit 
> This e-mail and any attachments, which may contain information that is 
> confidential and/or protected by intellectual property rights, are intended 
> for the exclusive use of the above-mentioned addressee(s). Any use (including 
> reproduction, disclosure and whole or partial distribution in any form 
> whatsoever) of their content is prohibited without prior authorization of 
> NRB. If you have received this message by error, please contact the sender 
> promptly by resending this e-mail back to him (her), or by calling the above 
> number. Thank you for subsequently deleting this e-mail and any files 
> attached thereto.
> 
--
Carsten Grzemba
Tel.:   +49 3677 64740
Mobil: +49 171 9749479
Fax:    +49 3677 6474111
Email: [email protected]
contac Datentechnik GmbH
--
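To make concrete where Carsten says the ACIs belong (the suffix entry dc=example,dc=com and the ou=profile container), here is an added example that is not code from anyone in this thread: a shell script that emits the ldapmodify LDIF for the narrowed ACIs from the blog post Brett quotes, plus the anonymous searches a Solaris client would need to succeed. It assumes the suffix from the thread, a placeholder host ldap.example.com, and OpenLDAP ldapsearch syntax.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders, not real values:
SUFFIX="dc=example,dc=com"        # assumed suffix (root entry)
PROFILE_OU="ou=profile,$SUFFIX"   # container holding DUAConfigProfile entries
LDAP_HOST="ldap.example.com"      # assumed 389 DS host

# Emit one LDIF modify record that appends an ACI value to the given entry.
aci_ldif() {
  dn=$1; aci=$2
  printf 'dn: %s\nchangetype: modify\nadd: aci\naci: %s\n\n' "$dn" "$aci"
}

# ACI on the root entry: anonymous may read/search/compare only nisdomain,
# and only on the suffix entry itself (targetscope base), nothing below it.
base_aci() {
  printf '%s' "(target=\"ldap:///$SUFFIX\")(targetscope=\"base\")(targetattr=\"nisdomain\")(version 3.0; acl \"anonymousBaseDN\"; allow (read,search,compare) userdn=\"ldap:///anyone\";)"
}

# ACI on the profile container: anonymous may read the profile subtree so the
# client can fetch and refresh its DUAConfigProfile entry after the TTL expires.
profile_aci() {
  printf '%s' "(target=\"ldap:///$PROFILE_OU\")(targetscope=\"subtree\")(targetattr=\"*\")(version 3.0; acl \"anonymousProfile\"; allow (read,search,compare) userdn=\"ldap:///anyone\";)"
}

# Complete LDIF: the base ACI goes on the root entry, the profile ACI on ou=profile.
all_ldif() {
  aci_ldif "$SUFFIX" "$(base_aci)"
  aci_ldif "$PROFILE_OU" "$(profile_aci)"
}

# Anonymous (-x without -D) checks to run after applying the LDIF:
# the first two must return entries, the third must return nothing, which
# confirms anonymous read stays confined to nisdomain and the profile subtree.
verify() {
  ldapsearch -x -H "ldap://$LDAP_HOST" -b "$SUFFIX" -s base '(nisdomain=*)' nisdomain
  ldapsearch -x -H "ldap://$LDAP_HOST" -b "$PROFILE_OU" -s sub '(objectclass=DUAConfigProfile)' cn
  ldapsearch -x -H "ldap://$LDAP_HOST" -b "ou=People,$SUFFIX" -s sub '(uid=*)' uid
}
```

Apply with `all_ldif | ldapmodify -x -H ldap://ldap.example.com -D "cn=Directory Manager" -W`. These ACIs only take effect if the server still accepts anonymous binds at all; the err=48 "Anonymous access not allowed" lines in the access log above are the server rejecting the anonymous operation before any ACI is evaluated.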
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users