On 09/07/2012 08:38 PM, Dmitri Pal wrote:
On 09/02/2012 12:58 PM, Sigbjorn Lie wrote:
On 09/02/2012 04:37 PM, Natxo Asenjo wrote:

Recently I have been playing with the zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code.

I got the ldap client to work for retrieveing user/group info from ipa using the ldapclient command:

# ldapclient manual \
-a authenticationMethod=none \
-a defaultSearchBase=*dc=ipa,dc=asenjo,dc=nx* \
-a domainName=*ipa.asenjo.nx* \
-a defaultServerList=kdc.ipa.asenjo.nx \
-a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \
-a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter]

you need to enable the ldap/client service:

# svcadm enable ldap/client:default [enter]

After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group:

passwd:     files ldap
group:      files ldap

That's it, test it:

# id admin
uid=642800000(admin) gid=642800000(admins) groups=642800000(admins)

# getent passwd admin

So it works. The kerberos stuff will be next ...

One thing I have not yet gotten to work is that these changes are not persistent accross reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf missess the ldap entries. So far I am fixing this from cfengine (gotta love it).

So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned.


Freeipa-users mailing list

I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots.

There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example:


There is also some more info about configuring Solaris clients in this bugzilla:


Siggi, can you please review http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html and confirm that this is correct and has the latest?

If you find some inconsistency would mind filing a fedora doc bug?

There are some issues in that document.

I have been working with Rob with regards to the previous 2 bugzilla doc bug's I opened:

These BZ covers configuring a DUA profile and configuring Solaris 10 as an IPA client.

I presume Rob's work will become the new Solaris 10 IPA Client documentation for both Fedora and RHEL?


Freeipa-users mailing list

Reply via email to