I finally got it working: the default setup of "ldapclient init" missed the special mapping for netgroups, so I had to do a manual setup that included the mapping.
ldapclient manual \
  -a credentialLevel=anonymous \
  -a authenticationMethod=none \
  -a defaultSearchBase=dn=domain,dn=name \
  -a domainName=domain.name \
  -a defaultServerList=server.domain.name \
  -a objectClassMap=shadow:shadowAccount=posixaccount \
  -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
  -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \
  -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \
  -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp

It's the last line that forces the OS-level LDAP client to look in the right location for the netgroup information.

I hope this helps the next person. Thanks for all the help!

Dan

-----Original Message-----
From: Watson, Dan
Sent: January 02, 2015 11:41 AM
To: 'Rob Crittenden'; firstname.lastname@example.org
Subject: RE: [Freeipa-users] Integration with Solaris 10

Hi Rob,

Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem to like the netgroup option:

-bash-3.2# getent netgroup test1
Unknown database: netgroup
usage: getent database [ key ... ]
-bash-3.2# uname -a
SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120
-bash-3.2# cat /etc/release
Solaris 10 10/09 s10s_u8wos_08a SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 16 September 2009
-bash-3.2#

Thanks!
Dan

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: January 02, 2015 10:15 AM
To: Watson, Dan; email@example.com
Subject: Re: [Freeipa-users] Integration with Solaris 10

Watson, Dan wrote:
> Hi All,
>
> I've lurked in the list history and cannot find anyone saying they have
> gotten login restrictions working with Solaris 10 u8. Has anyone on here
> successfully configured login restrictions on Solaris 10 u8 through u11? I'm
> looking for specific instructions from someone who has gotten this to work
> before.
>
> The two main routes to login restrictions I could find online are Netgroups
> or conditional LDAP queries in ldapclient.
>
> I initially tried netgroups but wasn't sure how to troubleshoot when it
> didn't work. There don't seem to be any user-land tools to query netgroups,
> and further investigation turned up an issue with OpenLDAP. It seems the
> built-in Solaris 10 LDAP client expects schema RFC2307bis and not the
> OpenLDAP standard RFC2307 (explanation here
> http://www.openldap.org/lists/openldap-software/200501/msg00309.html). Does
> anyone know if this issue applies to IPA? Or how I check?
>
> The alternative of passing a restrictive query to ldapclient seems like a
> good route but doesn't seem to work. The common solution when using the old
> SunOne directory server was to pass the ldapclient (command line LDAP
> configuration tool) an option like
> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
> (from here https://community.oracle.com/thread/2014224?start=0&tstart=0),
> which is supposed to restrict account checking to only people in
> ou=people,p=myorg,c=de who are also members of
> cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to work
> in IPA, first of all because there is no "isMemberof" attribute on a user,
> but it also doesn't work on other attributes like uid or uidNumber. One possible
> explanation I've found is that these attributes are not indexed, but I have
> no idea if this is correct or how to add them to be indexed.
>
> Has anyone else solved this? I just need to be able to allow only a specific
> user group to log in to the host. Unfortunately the ssh directive
> "AllowGroups" is not good enough; this has to be system wide, as we also have
> Samba and some other services that rely on system authentication.
>
> Can anyone be of some help?
>
> Thanks!
> Dan
>

You can use getent netgroup <name> to get a specific netgroup.

Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
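As an added example that is not part of this thread: when getent has no netgroup database, the ldapsearch against cn=ng,cn=compat that Rob suggests is the way to see what the Solaris client will receive, and the script below parses that LDIF and resolves user membership through nested netgroups, so you can confirm a netgroup-based login restriction names exactly the users you intend before relying on it. The LDIF, netgroup names and hosts are constructed sample data; nisNetgroupTriple and memberNisNetgroup are the standard nisNetgroup attributes, and the check compares only the user field of each triple, which is an assumption about how a user-oriented netgroup lookup is evaluated.

```python
import re

# Constructed sample of what an ldapsearch under cn=ng,cn=compat returns
# for two netgroups, "admins" nested inside "test1". Real output will differ.
SAMPLE_LDIF = """\
dn: cn=test1,cn=ng,cn=compat,dc=example,dc=com
cn: test1
memberNisNetgroup: admins
nisNetgroupTriple: (vdcudantest01.example.com,dan,example.com)

dn: cn=admins,cn=ng,cn=compat,dc=example,dc=com
cn: admins
nisNetgroupTriple: (-,rob,example.com)
nisNetgroupTriple: (host2.example.com,alice,-)
"""

# A netgroup triple is (host,user,domain); "-" marks an unset field.
TRIPLE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")


def parse_netgroups(ldif):
    """Return {netgroup name: (list of (host, user, domain), nested names)}."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        name, triples, nested = None, [], []
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            if key == "cn":
                name = value.strip()
            elif key == "nisNetgroupTriple":
                match = TRIPLE.match(value.strip())
                if match:
                    triples.append(tuple(f.strip() for f in match.groups()))
            elif key == "memberNisNetgroup":
                nested.append(value.strip())
        if name:
            groups[name] = (triples, nested)
    return groups


def user_in_netgroup(groups, netgroup, user, seen=None):
    """True if user is in a triple of the netgroup or of any nested netgroup.
    Unknown names and memberNisNetgroup cycles yield False."""
    seen = set() if seen is None else seen
    if netgroup in seen or netgroup not in groups:
        return False
    seen.add(netgroup)
    triples, nested = groups[netgroup]
    if any(u == user for _host, u, _domain in triples):
        return True
    return any(user_in_netgroup(groups, n, user, seen) for n in nested)
```

Feed it the real ldapsearch output instead of SAMPLE_LDIF and check each account that should, and should not, be able to log in.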