Hi Dmitri,

I have been trying this for the last 3 weeks. Can you please give us more details about this? I tried ldapclient and I got a lot of dependency service related errors. Can you please give me the list of services and configuration files that need to be changed/enabled before trying ldapclient? Once again, thanks for your effort.

Thanks & Regards,
Ben

On Sat, Jan 3, 2015 at 12:11 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 01/02/2015 03:17 PM, Watson, Dan wrote:
>
>> I finally got it working. The default setup of "ldapclient init" missed
>> the special mapping for netgroups, so I had to do a manual setup that
>> included the mapping.
>>
>> ldapclient manual \
>>   -a credentialLevel=anonymous \
>>   -a authenticationMethod=none \
>>   -a defaultSearchBase=dc=domain,dc=name \
>>   -a domainName=domain.name \
>>   -a defaultServerList=server.domain.name \
>>   -a objectClassMap=shadow:shadowAccount=posixaccount \
>>   -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
>>   -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \
>>   -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \
>>   -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp
>>
>> It's the last line that forces the OS level LDAP client to look in the
>> right location for the netgroup information. I hope this helps the next
>> person.
>
> Would you mind creating a wiki page with the solution on the wiki?
>
>> Thanks for all the help!
>> Dan
>>
>> -----Original Message-----
>> From: Watson, Dan
>> Sent: January 02, 2015 11:41 AM
>> To: 'Rob Crittenden'; freeipa-users@redhat.com
>> Subject: RE: [Freeipa-users] Integration with Solaris 10
>>
>> Hi Rob,
>>
>> Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't
>> seem to like the netgroup option:
>>
>> -bash-3.2# getent netgroup test1
>> Unknown database: netgroup
>> usage: getent database [ key ... ]
>> -bash-3.2# uname -a
>> SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120
>> -bash-3.2# cat /etc/release
>> Solaris 10 10/09 s10s_u8wos_08a SPARC
>> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
>> Use is subject to license terms.
>> Assembled 16 September 2009
>> -bash-3.2#
>>
>> Thanks!
>> Dan
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: January 02, 2015 10:15 AM
>> To: Watson, Dan; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Integration with Solaris 10
>>
>> Watson, Dan wrote:
>>
>>> Hi All,
>>>
>>> I've lurked in the list history and cannot find anyone saying they have
>>> gotten login restrictions working with Solaris 10 u8. Has anyone on here
>>> successfully configured login restrictions on Solaris 10 u8 through u11?
>>> I'm looking for specific instructions from someone who has gotten this to
>>> work before.
>>>
>>> The two main routes to login restrictions I could find online are
>>> netgroups or conditional LDAP queries in ldapclient.
>>>
>>> I initially tried netgroups but wasn't sure how to troubleshoot when it
>>> didn't work. There don't seem to be any user-land tools to query netgroups,
>>> and further investigation turned up an issue with OpenLDAP. It seems the
>>> built-in Solaris 10 LDAP client expects schema RFC2307bis and not the
>>> OpenLDAP standard RFC2307 (explanation here:
>>> http://www.openldap.org/lists/openldap-software/200501/msg00309.html).
>>> Does anyone know if this issue applies to IPA? Or how I check?
>>>
>>> The alternative of passing a restrictive query to ldapclient seems like
>>> a good route but doesn't seem to work. The common solution when using the
>>> old SunOne directory server was to pass the ldapclient (command line LDAP
>>> configuration tool) an option like
>>> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
>>> (from here: https://community.oracle.com/thread/2014224?start=0&tstart=0),
>>> which is supposed to restrict account checking to only people in
>>> ou=people,o=myorg,c=de who are also members of
>>> cn=unixadmins,ou=groups,o=myorg,c=de.
>>> Unfortunately this doesn't seem to work in IPA, first of all because there
>>> is no "isMemberof" attribute on a user, but it also doesn't work on other
>>> attributes like uid or uidNumber. One possible explanation I've found is
>>> that these attributes are not indexed, but I have no idea if this is
>>> correct or how to add them to be indexed.
>>>
>>> Has anyone else solved this? I just need to be able to allow only a
>>> specific user group to log in to the host. Unfortunately the ssh directive
>>> "AllowGroups" is not good enough; this has to be system wide, as we also
>>> have samba and some other services that rely on system authentication.
>>>
>>> Can anyone be of some help?
>>>
>>> Thanks!
>>> Dan
>>
>> You can use getent netgroup <name> to get a specific netgroup.
>>
>> Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com
>>
>> rob
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
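The fix Dan describes above is that a plain "ldapclient init" profile carries no netgroup service search descriptor, so Solaris never asks IPA's compat tree for netgroups. The script below is an added example (not from the thread or from FreeIPA) that checks an ldapclient profile for that descriptor and for the shadow objectClassMap offline; the two profiles are constructed to imitate `ldapclient list` output, and the hostnames and DNs are taken from the thread, not from a real host.

```shell
#!/bin/sh
# Added example: verify that a Solaris 10 ldapclient profile contains the
# netgroup mapping Dan had to add by hand. The profiles are constructed
# samples that imitate "ldapclient list" output (KEY= value lines).

# Profile as left by a plain "ldapclient init": no netgroup descriptor.
INIT_PROFILE='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= server.domain.name
NS_LDAP_SEARCH_BASEDN= dc=bcferries,dc=corp
NS_LDAP_AUTH= none
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=bcferries,dc=corp
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=accounts,dc=bcferries,dc=corp'

# The same profile after the "ldapclient manual" command from the thread.
MANUAL_PROFILE="$INIT_PROFILE
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixaccount"

# ssd_base PROFILE SERVICE: print the search base configured for SERVICE,
# or nothing when the service has no descriptor.
ssd_base() {
    printf '%s\n' "$1" | sed -n "s/^NS_LDAP_SERVICE_SEARCH_DESC= *$2:\(.*\)\$/\1/p"
}

# check_netgroup PROFILE: "ok" when netgroup lookups go to the compat tree
# IPA publishes (cn=ng,cn=compat,...), "missing" when there is no netgroup
# descriptor (the symptom in the thread), "wrong-base" for any other base.
check_netgroup() {
    base=$(ssd_base "$1" netgroup)
    if [ -z "$base" ]; then
        echo missing
    else
        case "$base" in
            cn=ng,cn=compat,*) echo ok ;;
            *) echo wrong-base ;;
        esac
    fi
}

# check_shadow_map PROFILE: "ok" when shadowAccount is mapped onto
# posixaccount, as in Dan's manual command, otherwise "missing".
check_shadow_map() {
    if printf '%s\n' "$1" | grep -q '^NS_LDAP_OBJECTCLASSMAP= *shadow:shadowAccount=posixaccount$'; then
        echo ok
    else
        echo missing
    fi
}

# On a real client, run: check_netgroup "$(ldapclient list)"
check_netgroup "$INIT_PROFILE"      # missing
check_netgroup "$MANUAL_PROFILE"    # ok
```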