Watson, Dan wrote:
> I finally got it working, the default setup of "ldapclient init" missed the 
> special mapping for netgroups, so I had to do a manual setup that included 
> the mapping.
> ldapclient manual \
> -a credentialLevel=anonymous \
> -a authenticationMethod=none \
> -a defaultSearchBase=dn=domain,dn=name \
> -a domainName=domain.name \
> -a defaultServerList=server.domain.name \
> -a objectClassMap=shadow:shadowAccount=posixaccount \
> -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
> -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \
> -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \
> -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp
> It's the last line that forces the OS level ldap client to look in the rich 
> location for the netgroup information. I hope this helps the next person.

Glad you got it working, and that'll teach me to catch up on all e-mail
before responding :-)


> Thanks for all the help!
> Dan
>
> Hi Rob,
> Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't seem 
> to like the netgroup option:
> -bash-3.2# getent netgroup test1
> Unknown database: netgroup
> usage: getent database [ key ... ]
> -bash-3.2# uname -a
> SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc 
> SUNW,SPARC-Enterprise-T5120
> -bash-3.2# cat /etc/release
>                       Solaris 10 10/09 s10s_u8wos_08a SPARC
>            Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
>                         Use is subject to license terms.
>                            Assembled 16 September 2009
> -bash-3.2#
> Thanks!
> Dan
>
> Watson, Dan wrote:
>> Hi All,
>> I've lurked in the list history and cannot find anyone saying they have 
>> gotten login restrictions working with Solaris 10 u8. Has anyone on here 
>> successfully configured login restrictions on Solaris 10 u8 through u11? I'm 
>> looking for specific instructions from someone who has gotten this to work 
>> before.
>> The two main routes to login restrictions I could find online are Netgroups 
>> or conditional ldap queries in ldapclient
>> I initially tried netgroups but wasn't sure how to troubleshoot when it 
>> didn't work. There don't seem to be any user-land tools to query netgroups 
>> and further investigation turned up an issue with OpenLDAP. It seems the 
>> built-in Solaris 10 ldap client expects schema RFC2307bis and not the 
>> OpenLDAP standard RFC2307 (explanation here 
>> http://www.openldap.org/lists/openldap-software/200501/msg00309.html). Does 
>> anyone know if this issue applies to IPA? Or how I check?
>> The alternative of passing a restrictive query to ldapclient seems like a 
>> good route but doesn't seem to work. The common solution when using the old 
>> SunOne directory server was to pass the ldapclient (command line ldap 
>> configuration tool) an option like 
>> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
>>  (from here https://community.oracle.com/thread/2014224?start=0&tstart=0)  
>> which is supposed to restrict account checking to only people in 
>> ou=people,o=myorg,c=de who are also members of 
>> cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to 
>> work in IPA, first of all because there is no "isMemberof" attribute on a 
>> user, but it also doesn't work on other attributes like uid or uidNumber. One 
>> possible explanation I've found is that these attributes are not indexed, 
>> but I have no idea if this is correct or how to add them to be indexed.
>> Has anyone else solved this? I just need to be able to allow only a specific 
>> user group to log in to the host. Unfortunately the ssh directive 
>> "AllowGroups" is not good enough; this has to be system wide, as we also have 
>> samba and some other services that rely on system authentication.
>> Can anyone be of some help?
>> Thanks!
>> Dan
>
> You can use getent netgroup <name> to get a specific netgroup.
> Or ldapsearch -x -b  cn=usertest,cn=ng,cn=compat,dc=example,dc=com
> rob
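Since Solaris 10's getent has no netgroup database, the only way to check what the compat tree is actually serving is the ldapsearch Rob suggests and then reading the nisNetgroupTriple values by hand. The script below is an added example, not code from the thread or from FreeIPA: it parses that ldapsearch LDIF output, applies innetgr-style matching (an empty triple field is a wildcard, "-" matches nothing, a None argument from the caller matches anything), follows memberNisNetgroup nesting with a cycle guard, and also splits a serviceSearchDescriptor of the base?scope?filter form discussed earlier in the thread. The LDIF is constructed for the example (names, hosts and the dc=example,dc=com suffix are assumptions); it uses "-" in the host position where no hosts are listed, which is how the IPA compat tree renders a user-only netgroup.

```python
"""Offline netgroup check against ldapsearch output (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: what `ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com`
# might return, plus a nested group that also refers back to usertest (a deliberate cycle).
SAMPLE_LDIF = """\
dn: cn=usertest,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: usertest
nisNetgroupTriple: (-,dan,example.com)
nisNetgroupTriple: (-,alice,example.com)
memberNisNetgroup: admins

dn: cn=admins,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: admins
nisNetgroupTriple: (vdcudantest01.example.com,root,example.com)
memberNisNetgroup: usertest
"""

Triple = Tuple[str, str, str]
Groups = Dict[str, Tuple[List[Triple], List[str]]]

TRIPLE_RE = re.compile(r"\(([^,]*),([^,]*),([^,]*)\)")


def parse_ldif(text: str) -> Groups:
    """Return {cn: (triples, nested netgroup names)} for each LDIF entry."""
    groups: Groups = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        cn: Optional[str] = None
        triples: List[Triple] = []
        members: List[str] = []
        for line in entry.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "cn":
                cn = value
            elif attr == "nisnetgrouptriple":
                m = TRIPLE_RE.fullmatch(value)
                if m:  # skip malformed triples rather than guessing
                    triples.append(tuple(p.strip() for p in m.groups()))  # type: ignore[arg-type]
            elif attr == "membernisnetgroup":
                members.append(value)
        if cn:
            groups[cn] = (triples, members)
    return groups


def triple_matches(triple: Triple, host: Optional[str], user: Optional[str],
                   domain: Optional[str]) -> bool:
    """innetgr semantics: empty field in the triple or None from the caller is a wildcard;
    '-' in the triple never matches a concrete value."""
    for want, have in zip(triple, (host, user, domain)):
        if want == "" or have is None:
            continue
        if want == "-" or want != have:
            return False
    return True


def in_netgroup(groups: Groups, name: str, host: Optional[str], user: Optional[str],
                domain: Optional[str] = None, _seen: Optional[set] = None) -> bool:
    """Recursive membership test; _seen stops nested-netgroup cycles from looping."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in groups:
        return False
    _seen.add(name)
    triples, members = groups[name]
    if any(triple_matches(t, host, user, domain) for t in triples):
        return True
    return any(in_netgroup(groups, m, host, user, domain, _seen) for m in members)


def parse_ssd(ssd: str) -> Dict[str, Optional[str]]:
    """Split a Solaris serviceSearchDescriptor 'service:base?scope?filter' into parts."""
    service, _, rest = ssd.partition(":")
    parts = rest.split("?", 2)
    return {"service": service, "base": parts[0],
            "scope": parts[1] if len(parts) > 1 else None,
            "filter": parts[2] if len(parts) > 2 else None}


if __name__ == "__main__":
    g = parse_ldif(SAMPLE_LDIF)
    # A login check for user dan with no host constraint, as passwd "+@usertest" would do.
    print("dan in usertest:", in_netgroup(g, "usertest", None, "dan"))
    print("bob in usertest:", in_netgroup(g, "usertest", None, "bob"))
    print(parse_ssd("passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"))
```

To use it against a real server, pipe the ldapsearch output into parse_ldif instead of SAMPLE_LDIF; if a user you expect is missing from the triples, the problem is on the IPA side of the compat tree, and if they are present but login still fails, the problem is in the Solaris client mapping.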

