Andy Singleton wrote:
Hi Rob,

Some notes on my attempts to integrate my Solaris 10 client into freeipa 1.2.2:

We still have an issue that ipa users cannot log on to our Solaris 10 client. 
("800047 auth.error: pam Authentication failed")

Can't log in via console, ssh?

Currently I can get a ticket with "kinit", and can see the ipa users/groups with 
"getent". "ldapclient init" worked eventually.
However, there was some hoop jumping to get to this state:

I changed the following parts of the freeipa schema contents:

1) The "passwd" serviceSearchDescriptor pointed to cn=accounts instead of cn=compat. I am 
not sure if this is deliberately set or not. "getent passwd" would refused to work 
otherwise.
"dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net

Yeah, I need to investigate this further. It should work without having to go through compat. There is some VLV problem I need to figure out.

2) The defaultServerList defaults to the master server, which was not reachable 
from the clients subnet. (the linux clients rely on two slaves in this subnet)
"dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
defaultServerList: [slave].live.tipp24.net

Hmm, I think we can probably add in the replicas to this list when they are installed. Would that be an acceptable solution? Assuming of course that Solaris will skip to the next entry if one is not accessible.

3) Our install covers three separate domains, and solaris appears to require 
that nisDomain and associatedDomain conform to the clients specific domain only.
"dn: dc=live,dc=tipp24,dc=net"
nisDomain: live.tipp24.net
associatedDomain: live.tipp24.net

That is a limitation of the Solaris ldap client. associatedDomain needs to match the client domain. I don't think there is a workaround for this.


Finally, when users attempt to connect, the dirsrv log on the slave has the 
following contents:
[24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from 
[client IP] to [slave IP]
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 
filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 
etime=0
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1

Clients attempt to connect and fail right? Are you saying this is the only thing logged in that case?

rob



Any comments/advice would be appreciated.

Thanks
Andy

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 05 February 2010 16:58
To: Andy Singleton
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Installing IPA on Solaris 10

Andy Singleton wrote:
Hi Rob,

Ok ive switched on the compat plugin.
Incidentally, does this need to be done separately for all replicas?

Yes. The plugin configuration of each 389-ds is not replicated.

However, when I run ldapclient init <ipa_server>, I get this message:
"Failed to find defaultSearchBase for domain"

Hmm, can you look in the DS logs to see what queries it is making/ (/var/log/dirsrv/slapd-YOUR-INSTANCE/access).

Probably a good idea to ensure you have the Solaris default profile set up too:

ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com"

rob

Cheers
Andy


-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 03 February 2010 17:34
To: Andy Singleton; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Installing IPA on Solaris 10

Andy Singleton wrote:
Hi Rob,

Neither of the commands give any results.
/me smacks head

Ok, sorry I didn't see this the first go-round.

The Solaris nss_ldap doesn't use /etc/ldap.conf.

What you want to do is something like:

# ldapclient init ipa.example.com

This should set everything up for you on the Solaris side assuming you're running freeIPA 1.2.2.

You'll also need to enable the compat schema on the IPA side by running ipa-compat-manage enable and restarting the DS (if you haven't done so already).

Note that the Solaris LDAP client assumes that if you want to use LDAP for anything then you want to use it for EVERYTHING, so you'll want to fix up /etc/nsswitch.conf, at least setting files and ipnodes back to dns from ldap.

rob
Andy

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 03 February 2010 16:11
To: Andy Singleton
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Installing IPA on Solaris 10

Andy Singleton wrote:
Hi rob,

Glad you caught up with this problem.

The nsswitch.conf is set up as per the install document. So:
 passwd:     files ldap[NOTFOUND=return]
 group:    files ldap[NOTFOUND=return]

The system uses the standard solaris nss_ldap package.
Ok, can you see if you can get a specific user and group:

getent passwd admin
getent group ipausers

rob

Cheers
Andy

----- Original Message -----
From: Rob Crittenden <rcrit...@redhat.com>
To: Andy Singleton
Cc: freeipa-users@redhat.com <freeipa-users@redhat.com>
Sent: Tue Feb 02 21:01:33 2010
Subject: Re: [Freeipa-users] Installing IPA on Solaris 10

Andy Singleton wrote:
 > Hi guys,
 >
> >
 > I am installing IPA 1.2.2 client installation on one of our Solaris
 > servers, and I cant seem to get the system to see the IPA users. “getent
 > passwd” only returns local users, and no traffic is leaving the client
 > for the IPA server for ldap.
 >
> >
 > I have followed the instructions from the documentation, but I
 > definitely get the feeling that something is missing.
 >
 > All the various configuration files are populated, and the Kerberos
 > portion works correctly because I can obtain a ticket.
 >
 > So possibly there is a problem with the nss_ldap part, or the ldap.conf
 > itself.
 >
> > > Does anyone know common problems that might have this result on Solaris 10?
 >
> >
 > For reference, here is the /etc/ldap.conf file:
 >
> >
 > ldap_version 3
 >
 > base cn=compat,dc=live,dc=tipp24,dc=net
 >
 > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub
 >
 > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub
 >
 > nss_schema rfc2307bis
 >
 > nss_map_objectclass shadowAccount posixAccount
 >
 > nss_map_attribute uniqueMember member
 >
 > nss_initgroups_ignoreusers root,dirsrv,oracle
 >
 > nss_reconnect_maxsleeptime 8
 >
 > nss_reconnect_sleeptime 1
 >
 > bind_timelimit 2
 >
 > timelimit 4
 >
 > nss_srv_domain live.tipp24.net
 >
 > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net
 >
> >
 > Thanks
 >
 > Andy

Sorry, missed this one last week..

What does /etc/nsswitch.conf read? Is it configured to use ldap?

You might also try killing nscd in case it is interfering.

rob



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to