Dmitri Pal wrote:
On 04/10/2014 12:18 PM, quest monger wrote:
Sorry about that. So I am looking at the Solaris 10 client
documentation here -
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html


It says to do the following on the Solaris client -

    ldapclient manual
    ...
    -a proxyPassword={NS1}fbc123a92116812
    ...


What's that proxyPassword for?


I suspect that it is a password that corresponds to the proxy user.
The client component on Solaris (pure speculation on my side) seems to
use a proxy user to connect to the LDAP server and do some operations for the
host. It is similar to SSSD, but SSSD does not use passwords; it uses
keytabs if it talks to IPA.

There are a number of different profile levels available, see http://docs.oracle.com/cd/E23824_01/html/821-1455/ldapsecure-66.html#ldapsecure-74

proxy is usually a shared account that the Solaris box uses to authenticate to the LDAP server.

Solaris uses passwords, but to prevent them from being stored in the
configuration in the clear they are "obfuscated" with the NS1 method
http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/
I suspect there should be some tool on Solaris that takes a password and
creates an obfuscated string like this.

I didn't experiment using a proxy password inside a profile. I'll bet that if you manually enroll a client then you can dig out the password on that local system and store that in the profile.

There is also a self level which uses Kerberos. I've never used it myself (it may be newer than my experience with Solaris) but there are some fairly detailed docs on it at http://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html#gdzpl

rob

Thanks
Dmitri

Thanks.



On Thu, Apr 10, 2014 at 12:09 PM, Dmitri Pal <d...@redhat.com> wrote:

    On 04/10/2014 11:41 AM, quest monger wrote:
    Thanks Rob, those bug reports help.
    One more question, in the official Solaris 10 documentation, I
    see this stuff -

    -a proxyPassword={NS1}fbc123a92116812

    userPassword:: e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ==

    Is there a way to generate that password hash for a new password?
    I think that should be part of the documentation; I don't want all
    Solaris IPA users to be using the same password and corresponding
    hash.

    Can you rephrase the question?
    It is unclear what hash you are asking about.
    If you are using IPA you do not need local password hashes.


    Thanks.




    On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

        quest monger wrote:


            I have read through the official documentation here for
            Solaris-10 -
            http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
            I have found a few web posts on how to make it work for
            Solaris-11. Have any of you tried adding a Solaris-11 host to an
            existing IPA server? If so, do you have any
            documentation/how-tos/instructions that I could use to do the
            same. Any help is appreciated. I am trying to do this so I can
            centralize SSH authentication for all my Solaris-11 and Linux hosts.


        That is pretty much all we've got. There is a bug open with
        some documentation updates,
        https://bugzilla.redhat.com/show_bug.cgi?id=815533 and some
        more in https://bugzilla.redhat.com/show_bug.cgi?id=801883

        We use sssd to help with centralized SSH auth so it probably
        won't work as smoothly on Solaris as it does on sssd-based
        Linux systems. See sss_ssh_authorizedkeys(1) and
        sss_ssh_knownhostsproxy(8).

        This document describes how it works in IPA:
        http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf

        rob




    _______________________________________________
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users


    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
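As an added example (not part of the thread, nor of the FreeIPA or Solaris documentation), the Python below shows what the quoted `userPassword::` line is: a base64-encoded LDIF value holding an `{SSHA}` (salted SHA-1) hash. It decodes the documented value to expose the scheme, builds a fresh `{SSHA}` value with a random salt for a new proxy-user password, verifies it, and renders the LDIF line, so each deployment can set its own proxy password rather than reusing the one from the docs. The `{NS1}` proxyPassword obfuscation is a separate Solaris-side encoding and is not covered here; the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# The userPassword value from the Solaris client documentation quoted in the
# thread (copied from the thread). "attr:: value" in LDIF means base64.
DOC_USERPASSWORD_B64 = "e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=="

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def decode_ldif_value(b64_value: str) -> str:
    """Decode the base64 form of an LDIF attribute value ('attr:: value')."""
    return base64.b64decode(b64_value).decode("utf-8")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an LDAP {SSHA} value: base64( SHA1(password || salt) || salt ).

    A fresh random salt is drawn unless one is supplied (the parameter
    exists so tests can be deterministic).
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, ssha_value: str) -> bool:
    """Verify a candidate password against an {SSHA} value (constant-time compare)."""
    if not ssha_value.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(ssha_value[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(ssha_value: str) -> str:
    """Render an {SSHA} value as the 'userPassword::' LDIF line used in the profile."""
    return "userPassword:: " + base64.b64encode(ssha_value.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    print(decode_ldif_value(DOC_USERPASSWORD_B64))      # shows the {SSHA} scheme
    fresh = make_ssha("example-proxy-password")          # constructed sample password
    print(ldif_userpassword_line(fresh), check_ssha("example-proxy-password", fresh))
```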


