On 01/03/2015 03:26 AM, Ben .T.George wrote:
Hi Dmitri


I was trying this for the last 3 weeks. Can you please give us more details about this? I tried ldapclient and I got a lot of dependency/service-related errors. Can you please give me a list of the services and configuration files that need to be changed/enabled before trying ldapclient?

once again thanks for your effort.


Hi Ben,

I am a bit confused. My last suggestion was for you to add a wiki page to FreeIPA.org because you indicated that you got it working.
Rob, maybe this comment is for you.

Thanks
Dmitri



Thanks & Regards,
Ben



On Sat, Jan 3, 2015 at 12:11 AM, Dmitri Pal <d...@redhat.com> wrote:

    On 01/02/2015 03:17 PM, Watson, Dan wrote:

        I finally got it working, the default setup of "ldapclient
        init" missed the special mapping for netgroups, so I had to do
        a manual setup that included the mapping.

        ldapclient manual \
        -a credentialLevel=anonymous \
        -a authenticationMethod=none \
        -a defaultSearchBase=dc=domain,dc=name \
        -a domainName=domain.name \
        -a defaultServerList=server.domain.name \
        -a objectClassMap=shadow:shadowAccount=posixaccount \
        -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
        -a serviceSearchDescriptor='group:cn=groups,cn=accounts,dc=bcferries,dc=corp' \
        -a serviceSearchDescriptor='sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp' \
        -a serviceSearchDescriptor='netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp'

        It's the last line that forces the OS level ldap client to
        look in the rich location for the netgroup information. I hope
        this helps the next person.


    Would you mind creating a wiki page with the solution on the wiki?



        Thanks for all the help!
        Dan
        -----Original Message-----
        From: Watson, Dan
        Sent: January 02, 2015 11:41 AM
        To: 'Rob Crittenden'; freeipa-users@redhat.com
        Subject: RE: [Freeipa-users] Integration with Solaris 10

        Hi Rob,

        Thanks for the reply. Unfortunately /usr/bin/getent on my
        system doesn't seem to like the netgroup option:
        -bash-3.2# getent netgroup test1
        Unknown database: netgroup
        usage: getent database [ key ... ]
        -bash-3.2# uname -a
        SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc
        SUNW,SPARC-Enterprise-T5120
        -bash-3.2# cat /etc/release
                               Solaris 10 10/09 s10s_u8wos_08a SPARC
                    Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
                                 Use is subject to license terms.
                                    Assembled 16 September 2009
        -bash-3.2#

        Thanks!
        Dan

        -----Original Message-----
        From: Rob Crittenden [mailto:rcrit...@redhat.com]
        Sent: January 02, 2015 10:15 AM
        To: Watson, Dan; freeipa-users@redhat.com
        Subject: Re: [Freeipa-users] Integration with Solaris 10

        Watson, Dan wrote:

            Hi All,

            I've lurked in the list history and cannot find anyone
            saying they have gotten login restrictions working with
            Solaris 10 u8. Has anyone on here successfully configured
            login restrictions on Solaris 10 u8 through u11? I'm
            looking for specific instructions from someone who has
            gotten this to work before.

            The two main routes to login restrictions I could find
            online are Netgroups or conditional ldap queries in ldapclient

            I initially tried netgroups but wasn't sure how to
            troubleshoot when it didn't work. There don't seem to be any
            user-land tools to query netgroups, and further
            investigation turned up an issue with OpenLDAP. It seems
            the built-in Solaris 10 ldap client expects schema
            RFC2307bis and not the OpenLDAP standard RFC2307
            (explanation here:
            http://www.openldap.org/lists/openldap-software/200501/msg00309.html).
            Does anyone know if this issue applies to IPA? Or how I check?

            The alternative of passing a restrictive query to
            ldapclient seems like a good route but doesn't seem to
            work. The common solution when using the old SunOne
            directory server was to pass the ldapclient (command line
            ldap configuration tool) an option like
            "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
            (from here:
            https://community.oracle.com/thread/2014224?start=0&tstart=0),
            which is supposed to restrict account checking to only
            people in ou=people,o=myorg,c=de who are also members of
            cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this
            doesn't seem to work in IPA, first of all because there is
            no "isMemberof" attribute on a user, but it also doesn't work
            on other attributes like uid or uidNumber. One possible
            explanation I've found is that these attributes are not
            indexed, but I have no idea if this is correct or how to
            add them to be indexed.

            Has anyone else solved this? I just need to be able to
            allow only a specific user group to log in to the host,
            unfortunately the ssh directive "AllowGroups" is not good
            enough, this has to be system wide as we also have samba
            and some other services that rely on system authentication.

            Can anyone be of some help?

            Thanks!
            Dan

        You can use getent netgroup <name> to get a specific netgroup.

        Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com

        rob



--
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


--
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project





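Added example, not code from the thread, from Dan, or from FreeIPA: Dan's fix points the Solaris netgroup service at cn=ng,cn=compat, and Rob suggests reading the netgroup entry from that subtree with ldapsearch. The script below takes LDIF in the shape that subtree returns and evaluates a (host, user, domain) lookup against it with standard netgroup triple semantics, following nested netgroups, so a login restriction can be checked before a host is trusted to enforce it. The suffix dc=example,dc=com, the host and user names, and the convention that an empty member list is rendered as "-" and an "all" category as an empty field are assumptions; the LDIF itself is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: evaluate netgroup membership the way
# an NSS/PAM netgroup lookup does, against entries in the shape FreeIPA's compat
# tree returns under cn=ng,cn=compat.  Everything below the comment block is an
# assumption for illustration: the suffix, the hosts and users, and the
# rendering of a missing host/user list as "-" and an "all" category as "".

BASE="cn=ng,cn=compat,dc=example,dc=com"

# Constructed sample of what `ldapsearch -x -b "$BASE"` might return
# (unwrapped LDIF, one attribute value per line).
NETGROUP_LDIF="dn: cn=unixadmins,$BASE
objectClass: nisNetgroup
objectClass: top
cn: unixadmins
nisNetgroupTriple: (host1.example.com,alice,example.com)
nisNetgroupTriple: (-,bob,example.com)
nisNetgroupTriple: (host3.example.com,,example.com)
memberNisNetgroup: dbadmins

dn: cn=dbadmins,$BASE
objectClass: nisNetgroup
objectClass: top
cn: dbadmins
nisNetgroupTriple: (host2.example.com,dave,example.com)
"

# ldif_attr <netgroup> <attribute>: print the values of <attribute> found in
# the entry cn=<netgroup>,$BASE, one per line.
ldif_attr() {
    printf '%s\n' "$NETGROUP_LDIF" | awk -v dn="dn: cn=$1,$BASE" -v attr="$2" '
        /^dn: / { in_entry = ($0 == dn) }
        in_entry && index($0, attr ": ") == 1 { print substr($0, length(attr) + 3) }
    '
}

# netgroup_triples <netgroup> [depth]: print every nisNetgroupTriple of the
# netgroup, following memberNisNetgroup nesting.  depth bounds cyclic nesting.
netgroup_triples() {
    if [ "${2:-0}" -gt 8 ]; then
        return 0
    fi
    ldif_attr "$1" nisNetgroupTriple
    for member in $(ldif_attr "$1" memberNisNetgroup); do
        netgroup_triples "$member" $(( ${2:-0} + 1 ))
    done
}

# innetgr <netgroup> <host> <user> <domain>: exit 0 if some triple matches.
# Triple semantics: an empty field in a triple is a wildcard, "-" matches
# nothing.  An empty *argument* means "do not check this field", like a NULL
# argument to innetgr(3); a +@netgroup passwd entry behaves that way because
# it only looks at the user field.
innetgr() {
    netgroup_triples "$1" | awk -v h="$2" -v u="$3" -v d="$4" '
        function ok(field, want) {
            if (want == "") return 1
            return field == "" || (field != "-" && field == want)
        }
        {
            t = $0; sub(/^\(/, "", t); sub(/\)$/, "", t)
            n = split(t, f, ",")
            if (n == 3 && ok(f[1], h) && ok(f[2], u) && ok(f[3], d)) { found = 1; exit }
        }
        END { exit !found }
    '
}

# Stand-alone demo: who may log in on host1.example.com according to unixadmins.
for who in alice bob dave eve; do
    if innetgr unixadmins host1.example.com "$who" example.com; then
        echo "$who@host1.example.com: allowed"
    else
        echo "$who@host1.example.com: denied"
    fi
done
if innetgr unixadmins "" bob example.com; then
    echo "bob is a member when the host field is not checked (what +@unixadmins sees)"
fi
```

On a real Solaris host, replace NETGROUP_LDIF with the output of ldapsearch -x -b cn=ng,cn=compat,dc=example,dc=com '(objectClass=nisNetgroup)' after unwrapping any folded lines (LDIF continues long values on lines that start with a space). The bob case is the one to watch: a user whose netgroup has no host members is accepted by a +@netgroup passwd entry, which only examines the user field, but rejected by a host-aware innetgr check, so test the restriction through the same path the service actually uses.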