I have been trying this for the last 3 weeks. Can you please give us more details
about this? I tried ldapclient and got a lot of dependency/service-related
errors. Can you please give me the list of services and configuration files that need
to be changed/enabled before trying ldapclient?
Once again, thanks for your effort.
Thanks & Regards,
On Sat, Jan 3, 2015 at 12:11 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 01/02/2015 03:17 PM, Watson, Dan wrote:
>> I finally got it working, the default setup of "ldapclient init" missed
>> the special mapping for netgroups, so I had to do a manual setup that
>> included the mapping.
>> ldapclient manual \
>>   -a credentialLevel=anonymous \
>>   -a authenticationMethod=none \
>>   -a defaultSearchBase=dc=domain,dc=name \
>>   -a domainName=domain.name \
>>   -a defaultServerList=server.domain.name \
>>   -a objectClassMap=shadow:shadowAccount=posixaccount \
>>   -a 'serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
>>   -a 'serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp' \
>>   -a 'serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp' \
>>   -a 'serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp'
>> It's the last line that forces the OS-level LDAP client to look in the
>> right location for the netgroup information. I hope this helps the next
> Would you mind creating a wiki page with the solution on the wiki?
>> Thanks for all the help!
>> -----Original Message-----
>> From: Watson, Dan
>> Sent: January 02, 2015 11:41 AM
>> To: 'Rob Crittenden'; email@example.com
>> Subject: RE: [Freeipa-users] Integration with Solaris 10
>> Hi Rob,
>> Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't
>> seem to like the netgroup option:
>> -bash-3.2# getent netgroup test1
>> Unknown database: netgroup
>> usage: getent database [ key ... ]
>> -bash-3.2# uname -a
>> SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc
>> -bash-3.2# cat /etc/release
>> Solaris 10 10/09 s10s_u8wos_08a SPARC
>> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
>> Use is subject to license terms.
>> Assembled 16 September 2009
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: January 02, 2015 10:15 AM
>> To: Watson, Dan; firstname.lastname@example.org
>> Subject: Re: [Freeipa-users] Integration with Solaris 10
>> Watson, Dan wrote:
>>> Hi All,
>>> I've lurked in the list history and cannot find anyone saying they have
>>> gotten login restrictions working with Solaris 10 u8. Has anyone on here
>>> successfully configured login restrictions on Solaris 10 u8 through u11?
>>> I'm looking for specific instructions from someone who has gotten this to
>>> work before.
>>> The two main routes to login restrictions I could find online are
>>> Netgroups or conditional ldap queries in ldapclient
>>> I initially tried netgroups but wasn't sure how to troubleshoot when it
>>> didn't work. There don't seem to be any user-land tools to query netgroups,
>>> and further investigation turned up an issue with OpenLDAP. It seems the
>>> built-in Solaris 10 ldap client expects schema RFC2307bis and not the
>>> OpenLDAP standard RFC2307 (explanation here
>>> does anyone know if this issue applies to IPA? Or how I check?
>>> The alternative of passing a restrictive query to ldapclient seems like
>>> a good route but doesn't seem to work. The common solution when using the
>>> old SunOne directory server was to pass ldapclient (the command-line LDAP
>>> configuration tool) an option like
>>> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
>>> (from here https://community.oracle.com/thread/2014224?start=0&tstart=0), which is
>>> supposed to restrict account checking to only people in
>>> ou=people,o=myorg,c=de who are also members of
>>> Unfortunately this doesn't seem to work in IPA, first of all because there
>>> is no "isMemberof" attribute on a user, but it also doesn't work on other
>>> attributes like uid or uidNumber. One possible explanation I've found is
>>> that these attributes are not indexed, but I have no idea if this is
>>> correct or how to add them to be indexed.
>>> Has anyone else solved this? I just need to be able to allow only a
>>> specific user group to log in to the host, unfortunately the ssh directive
>>> "AllowGroups" is not good enough, this has to be system wide as we also
>>> have samba and some other services that rely on system authentication.
>>> Can anyone be of some help?
>>> You can use getent netgroup <name> to get a specific netgroup.
>> Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> Manage your subscription for the Freeipa-users mailing list:
> Go To http://freeipa.org for more info on the project
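The thread turns on two things that are easy to get wrong by hand: the Solaris
serviceSearchDescriptor syntax (service:base?scope?filter, where the filter part
needs shell quoting because of '?', '(' and '*') and plain typos in the base DNs
(the working profile above was posted with dn= where dc= is meant). The script
below is an added example for this thread, not code from any of the posters or
from the FreeIPA project: it parses and lints SSD values, then renders a
shell-safe "ldapclient manual" command line. Assumptions: dc=example,dc=com,
ipa.example.com and cn=unixadmins are placeholders; only the single
base?scope?filter form is handled, not the ';'-separated multi-base form; and
the sample passwd filter uses memberOf, the attribute 389-ds maintains on
FreeIPA user entries, in place of the isMemberof name from the SunOne recipe.
Whether the Solaris client honours that filter against IPA still has to be
checked on the host, as the thread notes.

```python
"""Lint Solaris ldapclient serviceSearchDescriptor (SSD) values and render
the 'ldapclient manual' command with shell-safe quoting.

Added example for this mailing-list thread; not code from the posters or
from FreeIPA. DN suffixes, host names and group names are placeholders.
Only the single 'service:base?scope?filter' form is handled.
"""
import re
import shlex

SCOPES = {"base", "one", "sub"}
RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def check_dn(dn):
    """Return a list of problems with a DN string; empty list means it parses."""
    if not dn:
        return ["empty DN"]
    problems = []
    for rdn in dn.split(","):
        m = RDN_RE.match(rdn.strip())
        if not m:
            problems.append(f"malformed RDN {rdn!r}")
        elif m.group(1).lower() == "dn":
            # 'dn' is not a naming attribute; in this context it is a typo for 'dc'
            problems.append(f"RDN {rdn!r} uses 'dn=' where 'dc=' was probably meant")
    return problems


def check_filter(filt):
    """Return problems with an LDAP filter string (parenthesis checks only)."""
    if not filt:
        return []
    problems = []
    if not filt.startswith("("):
        problems.append("filter must start with '('")
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("unbalanced ')' in filter")
                break
    if depth > 0:
        problems.append("unclosed '(' in filter")
    return problems


def parse_ssd(value):
    """Split 'service:base?scope?filter' into its parts.

    scope is None when omitted (ldapclient then applies defaultSearchScope);
    filter is '' when omitted.
    """
    service, sep, rest = value.partition(":")
    if not sep or not service:
        raise ValueError(f"no 'service:' prefix in {value!r}")
    parts = rest.split("?")
    if len(parts) > 3:
        raise ValueError(f"too many '?' fields in {value!r}")
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else None
    filt = parts[2] if len(parts) > 2 else ""
    if scope is not None and scope not in SCOPES:
        raise ValueError(f"scope {scope!r} is not one of base|one|sub")
    return {"service": service, "base": base, "scope": scope, "filter": filt}


def lint_ssd(value):
    """All problems found in one SSD value (syntax errors raise ValueError)."""
    d = parse_ssd(value)
    return check_dn(d["base"]) + check_filter(d["filter"])


def build_argv(attrs, ssds):
    """argv for 'ldapclient manual': every -a value is one argument."""
    argv = ["ldapclient", "manual"]
    for key, val in attrs:
        argv += ["-a", f"{key}={val}"]
    for s in ssds:
        argv += ["-a", f"serviceSearchDescriptor={s}"]
    return argv


def render_shell(argv):
    """One option per line; shlex.quote protects '?', '(' and '*' from the shell."""
    head = " ".join(argv[:2])
    opts = [f"{argv[i]} {shlex.quote(argv[i + 1])}" for i in range(2, len(argv), 2)]
    return " \\\n    ".join([head] + opts)


if __name__ == "__main__":
    ATTRS = [  # constructed sample mirroring the thread's working profile
        ("credentialLevel", "anonymous"),
        ("authenticationMethod", "none"),
        ("defaultSearchBase", "dn=example,dn=com"),  # deliberate typo to exercise the lint
        ("domainName", "example.com"),
        ("defaultServerList", "ipa.example.com"),
        ("objectClassMap", "shadow:shadowAccount=posixaccount"),
    ]
    SSDS = [
        "passwd:cn=users,cn=accounts,dc=example,dc=com?one?(memberOf=cn=unixadmins,cn=groups,cn=accounts,dc=example,dc=com)",
        "group:cn=groups,cn=accounts,dc=example,dc=com",
        "netgroup:cn=ng,cn=compat,dc=example,dc=com",
    ]
    for p in check_dn(dict(ATTRS)["defaultSearchBase"]):
        print(f"defaultSearchBase: {p}")
    for s in SSDS:
        for p in lint_ssd(s):
            print(f"{s.partition(':')[0]}: {p}")
    print(render_shell(build_argv(ATTRS, SSDS)))
```

Run it as-is and it flags the two dn= RDNs before printing the quoted command;
fix the base DN in ATTRS and it prints a command you can paste onto the Solaris
host. The rendered netgroup line is the one that points the client at the
cn=compat tree, which is where FreeIPA's compat plugin publishes netgroups.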