Andy Singleton wrote:
Hi Rob,

Ok, I've switched on the compat plugin.
Incidentally, does this need to be done separately for all replicas?

Yes. The plugin configuration of each 389-ds is not replicated.

However, when I run ldapclient init <ipa_server>, I get this message:
"Failed to find defaultSearchBase for domain"

Hmm, can you look in the DS logs to see what queries it is making? (/var/log/dirsrv/slapd-YOUR-INSTANCE/access).

Probably a good idea to ensure you have the Solaris default profile set up too:

ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com"

rob


Cheers
Andy


-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: 03 February 2010 17:34
To: Andy Singleton; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Installing IPA on Solaris 10

Andy Singleton wrote:
Hi Rob,

Neither of the commands give any results.

/me smacks head

Ok, sorry I didn't see this the first go-round.

The Solaris nss_ldap doesn't use /etc/ldap.conf.

What you want to do is something like:

# ldapclient init ipa.example.com

This should set everything up for you on the Solaris side assuming you're running freeIPA 1.2.2.

You'll also need to enable the compat schema on the IPA side by running ipa-compat-manage enable and restarting the DS (if you haven't done so already).

Note that the Solaris LDAP client assumes that if you want to use LDAP for anything then you want to use it for EVERYTHING, so you'll want to fix up /etc/nsswitch.conf, at least setting files and ipnodes back to dns from ldap.

rob
Andy

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: 03 February 2010 16:11
To: Andy Singleton
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Installing IPA on Solaris 10

Andy Singleton wrote:
Hi rob,

Glad you caught up with this problem.

The nsswitch.conf is set up as per the install document. So:
 passwd:     files ldap[NOTFOUND=return]
 group:    files ldap[NOTFOUND=return]

The system uses the standard Solaris nss_ldap package.

Ok, can you see if you can get a specific user and group:

getent passwd admin
getent group ipausers

rob

Cheers
Andy

----- Original Message -----
From: Rob Crittenden <rcrit...@redhat.com>
To: Andy Singleton
Cc: freeipa-users@redhat.com <freeipa-users@redhat.com>
Sent: Tue Feb 02 21:01:33 2010
Subject: Re: [Freeipa-users] Installing IPA on Solaris 10

Andy Singleton wrote:
 > Hi guys,
 >
 > I am installing IPA 1.2.2 client installation on one of our Solaris
 > servers, and I can't seem to get the system to see the IPA users. “getent
 > passwd” only returns local users, and no traffic is leaving the client
 > for the IPA server for ldap.
 >
 > I have followed the instructions from the documentation, but I
 > definitely get the feeling that something is missing.
 >
 > All the various configuration files are populated, and the Kerberos
 > portion works correctly because I can obtain a ticket.
 >
 > So possibly there is a problem with the nss_ldap part, or the ldap.conf
 > itself.
 >
 > Does anyone know common problems that might have this result on Solaris 10?
 >
 > For reference, here is the /etc/ldap.conf file:
 >
 > ldap_version 3
 >
 > base cn=compat,dc=live,dc=tipp24,dc=net
 >
 > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub
 >
 > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub
 >
 > nss_schema rfc2307bis
 >
 > nss_map_objectclass shadowAccount posixAccount
 >
 > nss_map_attribute uniqueMember member
 >
 > nss_initgroups_ignoreusers root,dirsrv,oracle
 >
 > nss_reconnect_maxsleeptime 8
 >
 > nss_reconnect_sleeptime 1
 >
 > bind_timelimit 2
 >
 > timelimit 4
 >
 > nss_srv_domain live.tipp24.net
 >
 > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net
 >
 >
 > Thanks
 >
 > Andy

Sorry, missed this one last week..

What does /etc/nsswitch.conf read? Is it configured to use ldap?

You might also try killing nscd in case it is interfering.

rob


