On 03/16/2015 04:21 PM, nat...@nathanpeters.com wrote:
and put IPA's ca.crt (available on any IPA machine at /etc/ipa/ca.crt)
into /var/ldap's database with certutil:
    # certutil -A -a -i ca.crt -n CA -t CT -d /var/ldap
Ok, following your advice I installed the SUNWtlsu package (preparing a rant
about how the top 3 pages of Google results didn't tell me which darn
package certutil was actually in) and now I have certutil on the system.
I copied the ca.crt file from my FreeIPA controller to the /tmp directory
on Solaris, and then ran
    # certutil -A -a -i /tmp/ca.crt -n CA -t CT -d /var/ldap

It worked!  The difference was that running that certutil command creates
/var/ldap/secmod.db.  secmod.db is required for tls to work.  Without
secmod.db existing, you can use simple, but not tls:simple.

So I can now login with both AD and FreeIPA users on this machine, get the
correct shell, correct home directory, and the ability to sudo.


I can only do this through SSH.  I have run into some really strange
Solaris behavior when I try to login through console. I added the
following entries to my /etc/pam.conf

login   auth sufficient         pam_ldap.so.1
login   auth sufficient         pam_krb5.so.1

Apparently, Solaris has a total name limit of 31 characters, that only
applies to the [login] section and not to the [other] section.

So if I ssh I can login with a user named
'someuserna...@subdomain1.topleveldom.net' (AD user)

However, if I console login, my pam logs indicate that it is being chopped
down to 'someusernames@subdomain1.toplev' before being passed onto ldap.
This causes ldap to throw the following error:

/usr/lib/security/pam_ldap.so.1 returned System error

I created a really short AD username called
'a...@subdomain1.topleveldom.net' which just barely fit in 31 characters
and it could login fine.

So my next question is (and I know you guys are not Solaris experts, but
any help is appreciated): Is there a way to set the default domain so
that AD users do not have to type their domain suffix?  Currently, it is
backward and ipa users can login as 'ipauser1' without a suffix, but AD
users have to type their suffix.

I know this can be done in Linux with sssd.conf and I have that working
for Linux clients, but with no sssd on Solaris, I'm pulling my hair out
trying to figure out how to do this.

I have already tried setting the default_domain and default_realm flags in
/etc/krb5/krb5.conf but that doesn't work at all because AD users are
authenticated through LDAP.  I also tried the ldapclient init with ' -a
domainName=addomain.net' but that did not work either.

Is there even a way to do this in Solaris for LDAP users?  Without the
ability to skip the domain name for AD users, I am stuck with either no
console login for AD or having all AD users with only 3 character names
due to the length of the fqdn.

The only hack that comes to mind is to add a new attribute in the compatibility tree (cn=compat) via the slapi-nis plugin that will expose short names and then point your Solaris box to that attribute as uid. This is a hack because:
- you will have duplicates and this is up to you how to deal with them
- you would have to figure out how to do this transformation with slapi-nis using its stock capabilities (I think it is possible but would require some research)
- you would have to change the configuration on all replicas you have in the similar way

Maybe others have better ideas.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
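Two of the findings in this thread (tls:simple needs /var/ldap/secmod.db, and console login truncates names to 31 characters) are easy to forget; here is a small preflight script, added as an example and not part of the original mails or of FreeIPA, that checks both on a client. It assumes the NSS database lives in /var/ldap (another directory can be passed for testing), that the CA was imported under the nickname "CA" with trust flags CT as in the certutil command above, and that the 31-character limit is the one the poster observed.

```shell
#!/bin/sh
# Preflight checks for the Solaris ldapclient + FreeIPA setup from the thread.
# Assumptions: NSS db in /var/ldap, CA nickname "CA", 31-char console limit.

NSSDB_DIR_DEFAULT=/var/ldap
CA_NICK=CA
CONSOLE_NAME_MAX=31

# Return 0 when the NSS database in $1 has the files tls:simple needs.
# The thread's finding: without secmod.db, plain "simple" binds work but
# "tls:simple" does not.
nssdb_ready() {
    dir=${1:-$NSSDB_DIR_DEFAULT}
    rc=0
    for f in cert8.db key3.db secmod.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f (create with: certutil -A -a -i ca.crt -n $CA_NICK -t CT -d $dir)" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 when nickname "CA" in the db carries the CT trust flags,
# 1 when it is absent or trusted differently, 2 when certutil is not installed
# (SUNWtlsu not present) so the caller can skip this check.
ca_trusted() {
    dir=${1:-$NSSDB_DIR_DEFAULT}
    command -v certutil >/dev/null 2>&1 || return 2
    # certutil -L prints one line per cert: "<nickname> <trust flags>".
    certutil -L -d "$dir" 2>/dev/null |
        awk -v n="$CA_NICK" '$1 == n && $NF ~ /^CT/ { found = 1 } END { exit !found }'
}

# Return 0 when a login name fits the console's 31-character limit, so an
# AD user with a long suffix is flagged before the truncated name hits LDAP.
console_name_ok() {
    [ ${#1} -le $CONSOLE_NAME_MAX ]
}

# Stand-alone use: run all checks against the live /var/ldap.
if [ "${1:-}" = "--run" ]; then
    nssdb_ready && echo "nss db: ok"
    ca_trusted; s=$?; [ $s -eq 2 ] && echo "certutil missing, skipping CA check"; [ $s -eq 0 ] && echo "CA trust: ok"
    for u in "$@"; do [ "$u" = "--run" ] || console_name_ok "$u" || echo "$u exceeds $CONSOLE_NAME_MAX chars for console login"; done
fi
```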
