On 09/02/2012 12:58 PM, Sigbjorn Lie wrote:
> On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
>> hi,
>>
>> Recently I have been playing with the zfs for its native nfs4 acl
>> capabilities. I have used openindiana for this. For those wondering
>> about openindiana, it is a distribution of the former opensolaris code.
>>
>> I got the ldap client to work for retrieving user/group info from
>> ipa using the ldapclient command:
>>
>> # ldapclient manual \
>> -a authenticationMethod=none \
>> -a defaultSearchBase=dc=ipa,dc=asenjo,dc=nx \
>> -a domainName=ipa.asenjo.nx \
>> -a defaultServerList=kdc.ipa.asenjo.nx \
>> -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
>> -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]
>>
>> you need to enable the ldap/client service:
>>
>> # svcadm enable ldap/client:default [enter]
>>
>> After which, modify /etc/nsswitch.conf to add the ldap provider for
>> passwd and group:
>>
>> passwd: files ldap
>> group: files ldap
>>
>> That's it, test it:
>>
>> # id admin
>> uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)
>>
>> # getent passwd admin
>> admin:x:642800000:642800000:Administrator:/home/admin:/bin/bash
>>
>> So it works. The kerberos stuff will be next ...
>>
>> One thing I have not yet gotten to work is that these changes are not
>> persistent across reboots. The ldapclient config stays, but the
>> service ldap/client does not start (stays disabled) and nsswitch.conf
>> misses the ldap entries. So far I am fixing this from cfengine
>> (gotta love it).
>>
>> So apparently, for solaris 10 and newer versions, the procedure
>> outlined in http://freeipa.com/page/ConfiguringSolarisClients is no
>> longer necessary as far as the ldap client is concerned.
>>
>> --
>> Groeten,
>> natxo
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Hi,
>
> I'm using Nexenta as an IPA client, another derivative of OpenSolaris.
> I use a DUAProfile with ldapclient. This stays configured and the
> ldap/client service is enabled across reboots.
>
> There is a DUAProfile included by default with IPA, but it requires
> some tweaking to support more than just the basic features. See this
> bugzilla for a more comprehensive example:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
> There is also some more info about configuring Solaris clients in this
> bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=815533

Siggi, can you please review
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
and confirm that this is correct and has the latest?
If you find some inconsistency would you mind filing a fedora doc bug?

>
> The ldap/client service is enabled when you run the ldapclient script.
> There should be no need for doing this manually. When you run
> ldapclient, run it with the -v flag and look for errors.
>
> After a reboot, what does "svcs -xv ldap/client" output?
>
> Are the services it depends on in online state? "svcs -d ldap/client"
>
> What does /var/svc/log/network-ldap-client:default.log display after a
> reboot?
>
> What files do you have in /var/ldap?
>
> What is the content of the /var/ldap/ldap_client_file?
>
> Regards,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
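
Added example, not part of the thread and not FreeIPA's own code: a POSIX sh check for the two things reported lost after a reboot (ldap missing from passwd/group in nsswitch.conf, ldap/client not online), reusing the svcs commands asked about above. The function names, the --live switch and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and --live are assumptions.

# nss_has_ldap FILE DB: succeed if database DB lists "ldap" as a source.
# Runs in a subshell so that "set -f" (no globbing on tokens such as
# "[NOTFOUND=return]") does not leak into the caller.
nss_has_ldap() (
    set -f
    while read -r key rest || [ -n "$key" ]; do
        case $key in "$2":*) ;; *) continue ;; esac
        for src in ${key#*:} ${rest%%#*}; do   # sources, comment stripped
            [ "$src" = ldap ] && exit 0
        done
    done < "$1"
    exit 1
)

# check_nss FILE: report passwd and group; return how many lack ldap.
check_nss() {
    missing=0
    for db in passwd group; do
        if nss_has_ldap "$1" "$db"; then
            echo "ok: $db uses ldap"
        else
            echo "DRIFT: $db has no ldap source in $1"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample of the state described after a reboot.
sample_after_reboot() {
    printf '%s\n' 'passwd: files' 'group:  files   # ldap' \
        'hosts:  files dns [NOTFOUND=return]'
}

# live_check: the real file plus the SMF questions asked in the thread.
live_check() {
    check_nss /etc/nsswitch.conf
    if command -v svcs >/dev/null 2>&1; then
        svcs -xv ldap/client          # why the service is not online
        svcs -d ldap/client           # state of the services it depends on
        tail -n 20 /var/svc/log/network-ldap-client:default.log
    fi
}

if [ "${1:-}" = --live ]; then live_check; fi
```

Run with --live on the client after a reboot; without arguments the script only defines the functions, so check_nss can be pointed at a copy of the file.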