On Thu, 05 Mar 2015, nat...@nathanpeters.com wrote:
Ok, I sort of have this working now, but there are still some loose ends.
Comments inline

2. Setup Solaris properly
NS_LDAP_AUTH=tls:simple
NS_LDAP_CREDENTIAL_LEVEL=proxy
NS_LDAP_BINDDN=uid=solaris,cn=sysaccounts,cn=etc,dc=ipacloud,dc=test
NS_LDAP_BINDPASSWD=ohaimakethissimethingtoughtobreak
NS_LDAP_CACHETTL=0
NS_LDAP_HOST_CERTPATH=/var/ldap

When I added NS_LDAP_HOST_CERTPATH to the ldap_client_file it complained
about that particular setting being invalid.  I think that setting doesn't
exist on Solaris 10?  I had to remove that line.
Perhaps it always defaults to /var/ldap.

Is that functionally equivalent to what you were trying to do with the
cert database or were you trying to do something different?
More or less -- create an NSS database and add a CA cert there.

OK, great, I think the manual copy worked.  The reason is that if I
delete those 2 .db files I get the following log entries:

[ID 293258 daemon.warning] libsldap: Status: 91  Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.)
[ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to ipadc1.ipadomain.net
[ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. createTLSSession: failed to initialize TLS security (security library: bad database.)

But if those 2 files I manually copied exist, then those messages don't
happen.
Good.


Also, FYI, certutil is not really supported on Solaris 10.  Any download
links to that program are now 404.  It wasn't included in the Solaris 10
cd either.
See Rob's answer, I'm pretty sure there is a package somewhere that
allows one to manipulate these databases, or otherwise they wouldn't be used
by the system tools.

OK, I have added the following 2 lines to my pam.conf file and I can now
authenticate AD users:
other   auth      sufficient   pam_ldap.so.1
other   account   required     pam_ldap.so.1

However, I had to use a slightly different setting when initiating the ldap
client:

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple

Note that if I chose tls:simple, the bind failed and I received the
following log entries:
Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't contact LDAP server
Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to ipadc1.ipadomain.net
Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server

So... any ideas why I could bind 'simple' but not 'tls:simple' ?
Perhaps tls:simple requires LDAPS (636) connection? "Can't contact LDAP
server" sounds like inability to reach a port on IPA master. Do you have
it open in your firewall?

--
/ Alexander Bokovoy
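An added example, not part of the thread: a small Python checker that parses the libsldap syslog messages quoted above and flags every "Falling back to anonymous, non-SSL mode" downgrade, because that fallback is the moment the client silently stops using TLS and the proxy bind. The sample log is constructed from the thread's lines (rejoined onto single lines) plus one unrelated line; the status-code names come from the standard libldap result-code numbering.

```python
import re
from dataclasses import dataclass

# Standard libldap API result codes behind the two "Status:" values in the thread.
LDAP_STATUS_NAMES = {81: "LDAP_SERVER_DOWN", 91: "LDAP_CONNECT_ERROR"}

STATUS_RE = re.compile(r"libsldap: Status: (?P<code>\d+)\s+Mesg: (?P<mesg>.*)$")
FALLBACK_RE = re.compile(
    r"libsldap: Falling back to anonymous, non-SSL mode for (?P<op>\w+)\. (?P<reason>.*)$"
)

# Constructed sample: the thread's syslog lines on single lines, plus one unrelated sshd line.
SAMPLE_LOG = """\
Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't contact LDAP server
Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to ipadc1.ipadomain.net
Mar  5 13:07:21 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. openConnection: simple bind failed - Can't contact LDAP server
Mar  5 13:09:02 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.)
Mar  5 13:09:02 ipaclient6-sandbox-atdev-van.ipadomain.net ldap_cachemgr[650]: [ID 687686 daemon.warning] libsldap: Falling back to anonymous, non-SSL mode for __ns_ldap_getRootDSE. createTLSSession: failed to initialize TLS security (security library: bad database.)
Mar  5 13:10:00 ipaclient6-sandbox-atdev-van.ipadomain.net sshd[700]: Accepted publickey for nathan
"""

@dataclass
class Fallback:
    operation: str     # libsldap operation that downgraded, e.g. __ns_ldap_getRootDSE
    reason: str        # failure text libsldap attached to the downgrade
    likely_cause: str  # what to check, derived from the two failure texts in the thread

def classify_reason(reason: str) -> str:
    if "bad database" in reason:
        return "nss-db"        # cert*.db/key*.db missing or unreadable under /var/ldap
    if "Can't contact LDAP server" in reason:
        return "unreachable"   # port not reachable; with tls:simple, check LDAPS 636
    return "unknown"

def analyze_libsldap(log_text: str) -> dict:
    status_counts: dict[int, int] = {}
    fallbacks: list[Fallback] = []
    for line in log_text.splitlines():
        if (m := STATUS_RE.search(line)):
            code = int(m.group("code"))
            status_counts[code] = status_counts.get(code, 0) + 1
        elif (m := FALLBACK_RE.search(line)):
            reason = m.group("reason")
            fallbacks.append(Fallback(m.group("op"), reason, classify_reason(reason)))
    return {
        "status_counts": status_counts,
        "status_names": {c: LDAP_STATUS_NAMES.get(c, "unknown") for c in status_counts},
        "fallbacks": fallbacks,
        # Any downgrade means directory lookups ran unauthenticated and in the clear.
        "insecure_fallback_seen": bool(fallbacks),
    }
```

Run `analyze_libsldap` over `/var/adm/messages` output and alert on `insecure_fallback_seen`; the `likely_cause` tells you whether to look at the NSS database files or at the firewall path to the IPA master.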

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project