On Sat, 11 Oct 2014, Rob Crittenden wrote:
sipazzo wrote:
Thank you, I know where the profile is in the directory tree and how I would
invoke it were it there... I don't know how to get it into the directory tree so
that it is available to clients. I see posts giving examples of different
profiles that could be used but no post as to how to add it to the directory.
Sorry if I am missing something obvious.


--------------------------------------------
On Fri, 10/10/14, Rob Crittenden <rcrit...@redhat.com> wrote:

 Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
 To: "sipazzo" <sipa...@yahoo.com>, freeipa-users@redhat.com
 Date: Friday, October 10, 2014, 4:53 PM

 sipazzo wrote:
 > Hello, I am trying to set up a default profile for my Solaris 10 IPA clients
 > as recommended. I generated a profile on a Solaris with the attributes I
 > needed except I got an "invalid parameter" error when specifying the
 > domainName attribute like this -a domainName=example.com even though this
 > parameter works when I use it in ldapclient manual. More of an issue though
 > is I have been unable to find documentation on getting the profile
 > incorporated into the ipa server. How do I get this profile on the ipa
 > server and make it available to my Solaris clients? Also, my understanding
 > is the clients periodically check this profile so they stay updated with
 > the latest configuration information. What generates this check? Is it
 > time based, a restart of a service or ??
 >
 > Thank you for any assistance.
 >

 It's been forever since I configured a Solaris anything client but I can
 tell you where the profile gets stored:
 cn=profilename,cn=default,ou=profile,$SUFFIX

 IPA ships with a default profile of:

 dn: cn=default,ou=profile,$SUFFIX
 ObjectClass: top
 ObjectClass: DUAConfigProfile
 defaultServerList: $FQDN
 defaultSearchBase: $SUFFIX
 authenticationMethod: none
 searchTimeLimit: 15
 cn: default
 serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
 serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
 bindTimeLimit: 5
 objectClassMap: shadow:shadowAccount=posixAccount
 followReferrals: TRUE

 The full schema can be found at
 http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html

 So if your profile is named foo you'd invoke it with something like:

 # ldapclient init -a profileName=foo ipa.example.com

 rob



Here is an example inspired by
https://bugzilla.redhat.com/show_bug.cgi?id=815515

$ ldapmodify -x -D 'cn=Directory Manager' -W
dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl_test
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:sunPrinter=printerService
preferredServerList: ipa01.example.com ipa02.example.com
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
<blank line>
^D

You may want to check out
https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.
Should the profile be available anonymously? It is not in 4.x:
$ ldapsearch -x -b ou=profile,dc=ipacloud,dc=test
# extended LDIF
#
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
$ kinit admin
Password for ad...@ipacloud.test:
$ ldapsearch -Y GSSAPI -b ou=profile,dc=ipacloud,dc=test
SASL/GSSAPI authentication started
SASL username: ad...@ipacloud.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# profile, ipacloud.test
dn: ou=profile,dc=ipacloud,dc=test
objectClass: top
objectClass: organizationalUnit
ou: profiles
ou: profile

# default, profile, ipacloud.test
dn: cn=default,ou=profile,dc=ipacloud,dc=test
defaultServerList: cc21.ipacloud.test
defaultSearchBase: dc=ipacloud,dc=test
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=ipacloud,dc=test
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=ipacloud,dc=test
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2


I think it should be available anonymously too, so we need to add a
specialized ACI for that.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
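Added example for this thread (not code from the list, from Rob or Alexander, or from FreeIPA itself). It pulls the pieces above together in a form that can be piped straight into ldapmodify: a function that emits a DUAConfigProfile entry under ou=profile,$SUFFIX with the serviceSearchDescriptors pointing at IPA's cn=accounts and cn=compat trees, with credentialLevel derived from the authentication method so the two cannot disagree, and with the cleartext "simple" bind refused because a proxy bind over plain LDAP sends the proxy password unencrypted; a function that emits a 389-ds ACI granting anonymous read on ou=profile, which is what Alexander says is missing in 4.x (the ACI wording is my assumption, not a FreeIPA-shipped one; the profile carries only server names and search bases, the proxy password never leaves the client's /var/ldap, so exposing it anonymously is low risk); a small lint over a profile; and a counter over ldapsearch output that reproduces the check Alexander ran, where an anonymous search returns 0 entries and a GSSAPI one returns 2. The suffix dc=example,dc=com, the ipa0N.example.com hostnames, the profile names and the proxyDN are placeholders. On sipazzo's refresh question: profileTTL (seconds) is the attribute ldap_cachemgr uses as the interval for re-downloading the profile from the server, so 6000 in the thread's example means roughly every 100 minutes.

```sh
#!/bin/sh
# Added example; not code from the freeipa-users thread or from FreeIPA.
# Builds a Solaris DUAConfigProfile entry under ou=profile,$SUFFIX and checks
# ldapsearch output for whether the profile is visible to the caller.
# Suffix, hostnames, profile names and the proxy DN are placeholders.

# dua_profile_ldif NAME SUFFIX AUTHMETHOD PROFILETTL SERVER...
#   Print an LDIF add for cn=NAME,ou=profile,SUFFIX on stdout.
dua_profile_ldif() {
    name=$1 suffix=$2 auth=$3 ttl=$4
    shift 4
    [ $# -ge 1 ] || { echo "dua_profile_ldif: need at least one server" >&2; return 1; }
    case $auth in
        none)        cred=anonymous ;;
        tls:simple)  cred=proxy ;;   # client also needs proxyDN/proxyPassword and the IPA CA in /var/ldap
        sasl/GSSAPI) cred=self ;;    # client authenticates with its own keytab
        simple)      echo "dua_profile_ldif: refusing cleartext simple bind; use tls:simple" >&2; return 1 ;;
        *)           echo "dua_profile_ldif: unknown authenticationMethod '$auth'" >&2; return 1 ;;
    esac
    cat <<EOF
dn: cn=$name,ou=profile,$suffix
changetype: add
objectClass: top
objectClass: DUAConfigProfile
cn: $name
authenticationMethod: $auth
credentialLevel: $cred
defaultServerList: $*
defaultSearchBase: $suffix
defaultSearchScope: one
followReferrals: TRUE
bindTimeLimit: 5
searchTimeLimit: 15
profileTTL: $ttl
objectclassMap: shadow:shadowAccount=posixAccount
serviceSearchDescriptor: passwd:cn=users,cn=accounts,$suffix
serviceSearchDescriptor: group:cn=groups,cn=compat,$suffix
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,$suffix
EOF
}

# dua_profile_anon_aci SUFFIX
#   Print an LDIF modify adding a 389-ds ACI so anonymous binds can read
#   ou=profile (assumed wording; compare with the ACIs already on your server).
dua_profile_anon_aci() {
    cat <<EOF
dn: ou=profile,$1
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Anonymous read access to DUA profiles"; allow (read,search,compare) userdn = "ldap:///anyone";)
EOF
}

# dua_profile_lint: read profile LDIF on stdin, print findings, return 1 if any.
dua_profile_lint() {
    awk '
        /^authenticationMethod: / { auth = $2 }
        /^credentialLevel: /      { cred = $2 }
        END {
            bad = 0
            if (auth == "simple")                        { print "cleartext simple bind: use tls:simple"; bad = 1 }
            if (cred == "proxy" && auth == "none")       { print "credentialLevel proxy but no authentication method"; bad = 1 }
            if (cred == "anonymous" && auth != "none")   { print "credentialLevel anonymous ignores authenticationMethod " auth; bad = 1 }
            if (cred == "self" && auth != "sasl/GSSAPI") { print "credentialLevel self needs sasl/GSSAPI"; bad = 1 }
            exit bad
        }'
}

# ldif_entry_count: count entries in ldapsearch output read from stdin.
ldif_entry_count() {
    awk '/^dn: / { n++ } END { print n + 0 }'
}

# Constructed ldapsearch output (not captured from a real server): the
# anonymous search returns no entries, the GSSAPI-authenticated one returns two.
ANON_SEARCH='# base <ou=profile,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
search: 2
result: 0 Success
# numResponses: 1'
AUTH_SEARCH='dn: ou=profile,dc=example,dc=com
objectClass: organizationalUnit
ou: profile

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
cn: default
authenticationMethod: none
# numEntries: 2'

# Against a live server (not run here):
#   dua_profile_ldif solaris_tls dc=example,dc=com tls:simple 6000 ipa01.example.com ipa02.example.com \
#       | ldapmodify -x -H ldaps://ipa01.example.com -D 'cn=Directory Manager' -W
#   dua_profile_anon_aci dc=example,dc=com | ldapmodify -x -H ldaps://ipa01.example.com -D 'cn=Directory Manager' -W
#   ldapsearch -x -H ldaps://ipa01.example.com -b ou=profile,dc=example,dc=com | ldif_entry_count   # 2 once the ACI is in
# On the Solaris 10 client, after importing the IPA CA into /var/ldap with certutil:
#   ldapclient -v init -a profileName=solaris_tls \
#       -a proxyDN=uid=solaris-proxy,cn=sysaccounts,cn=etc,dc=example,dc=com -a proxyPassword='<password>' ipa01.example.com
```

The ldapclient invocation is the same shape as Rob's, with the proxy credentials added because the tls:simple profile asks for a proxy bind; the profile itself never contains them, which is why it is safe to make the ou=profile subtree anonymously readable while the initial bootstrap is still anonymous.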
