But it's not necessary for files, and CANNOT run without ldap, so the man page should not make it sound like it is needed for files.
>Date: Mon, 01 Oct 2007 18:04:19 -0700
>From: Jarrett Lu <Jarrett.Lu at sun.com>
>Subject: Re: [security-discuss] tnd dependency of ldap-client
>To: Jan Parcel <jan.parcel at sun.com>
>Cc: drl at metanate.com, security-discuss at opensolaris.org
>
>Jan Parcel wrote:
>> This sounds like a documentation bug. The man page makes tnd sound like
>> it's the same as Trusted Solaris 8, so I had the same confusion (except
>> I had the confusion without the man page, since I'm a TS8 person....)
>>
>> File a man page bug?
>>
>
>I believe tnd(1M) calls standard Get_X_by_Y() routines and is capable of
>getting local file contents as well as records resident in a network
>database. So I don't think it's a man page bug.
>
>The intention of tnd is to synchronize a network configuration database
>with what's cached on a local system. It wakes periodically to check
>whether there are any discrepancies. It needs to do that because the
>network database is usually managed by someone other than the admin of
>a local system.
>
>If you use only files and not ldap, you don't need the overhead of tnd
>to manage what's in the file and what's in the kernel cache. After you
>change content of the files (and you know exactly when that is), do
>'svcadm restart tnctl', and you are in sync again.
>
>Jarrett
>
>>> Date: Mon, 01 Oct 2007 09:26:10 -0700
>>> From: Glenn Faden <Glenn.Faden at sun.com>
>>> Subject: Re: [security-discuss] tnd dependency of ldap-client
>>> To: David Lamkin <drl at metanate.com>
>>> Cc: security-discuss at opensolaris.org
>>> List-Id: OpenSolaris Security Discussions <security-discuss.opensolaris.org>
>>>
>>> There is another service, tnctl, that loads the local trusted networking
>>> configuration into the kernel.
>>>
>>> --Glenn
>>>
>>> David Lamkin wrote:
>>>
>>>> I'm confused - I read in tnd(1M):
>>>>
>>>> "The tnd (trusted network daemon) initializes the kernel with
>>>> trusted network databases and also reloads the databases on
>>>> demand from an LDAP server and local files."
>>>>
>>>> and
>>>>
>>>> "SIGHUP Causes svcadm refresh svc:/network/tnd to be run.
>>>>
>>>> Initiates a rescan of the local and LDAP tnrhdb and
>>>> tnrhtp databases. tnd updates the kernel database
>>>> with any changes found."
>>>>
>>>> I assumed these to mean that tnd is responsible for loading the
>>>> kernel tables with information from the local files as well as (if
>>>> configured) ldap sources. Thus I thought: no tnd -> no setup of
>>>> trusted network data in the kernel.
>>>>
>>>> regards, David
>>>>
>>>> On 1 Oct 2007, at 15:16, Glenn Faden wrote:
>>>>
>>>>> The purpose of tnd is to synchronize your local and LDAP entries
>>>>> for the trusted networking databases. You don't need it if you
>>>>> aren't using LDAP, so the dependency is correct.
>>>>>
>>>>> --Glenn
>>>>>
>>>>> David Lamkin wrote:
>>>>>
>>>>>> I am using Solaris 10 u4
>>>>>>
>>>>>> I notice that there is a dependency in
>>>>>> /var/svc/manifest/network/tnd.xml:
>>>>>>
>>>>>> <dependency
>>>>>>     name='network-ldap-client'
>>>>>>     type='service'
>>>>>>     grouping='require_all'
>>>>>>     restart_on='none'>
>>>>>>     <service_fmri value='svc:/network/ldap/client' />
>>>>>> </dependency>
>>>>>>
>>>>>> Thus tnd will not start in a file-only based setup, which I
>>>>>> believe is a valid configuration.
>>>>>> Or is working LDAP a requirement for the correct functioning of tnd?
>>>>>>
>>>
>>> _______________________________________________
>>> security-discuss mailing list
>>> security-discuss at opensolaris.org
>>>
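
The dependency quoted in this thread is what keeps tnd offline on a files-only host. The following is an added example, not part of the original thread and not OpenSolaris code: it parses that `<dependency>` element and evaluates its grouping against constructed service states. The `<service>` wrapper, the state tables and the simplified grouping rules are assumptions.

```python
import xml.etree.ElementTree as ET

# <dependency> element as quoted in the thread from tnd.xml; the enclosing
# <service> wrapper is constructed so the fragment parses on its own.
TND_MANIFEST = """
<service name='network/tnd' type='service' version='1'>
  <dependency name='network-ldap-client' type='service'
              grouping='require_all' restart_on='none'>
    <service_fmri value='svc:/network/ldap/client' />
  </dependency>
</service>
"""

RUNNING = ("online", "degraded")
NOT_RUNNING = ("disabled", "absent", "maintenance")

def dependencies(manifest_xml):
    """Return (name, grouping, [fmri, ...]) for each service-type dependency."""
    deps = []
    for dep in ET.fromstring(manifest_xml).iter("dependency"):
        if dep.get("type") != "service":
            continue  # path-type dependencies name files, not services
        fmris = [f.get("value") for f in dep.findall("service_fmri")]
        deps.append((dep.get("name"), dep.get("grouping"), fmris))
    return deps

def satisfied(grouping, fmris, states):
    """Simplified SMF grouping rules (assumption). Missing FMRI = 'absent'."""
    st = [states.get(f, "absent") for f in fmris]
    if grouping == "require_all":
        return all(s in RUNNING for s in st)
    if grouping == "require_any":
        return any(s in RUNNING for s in st)
    if grouping == "optional_all":
        return all(s in RUNNING or s in NOT_RUNNING for s in st)
    if grouping == "exclude_all":
        return all(s in ("disabled", "absent") for s in st)
    raise ValueError("unknown grouping: %r" % grouping)

def blockers(manifest_xml, states):
    """Names of dependencies that keep the service from starting."""
    return [name for name, grouping, fmris in dependencies(manifest_xml)
            if not satisfied(grouping, fmris, states)]

# Constructed states: a files-only host and a host with the LDAP client up.
FILES_ONLY = {"svc:/network/ldap/client": "disabled"}
WITH_LDAP = {"svc:/network/ldap/client": "online"}

if __name__ == "__main__":
    print("files-only:", blockers(TND_MANIFEST, FILES_ONLY))
    print("with LDAP: ", blockers(TND_MANIFEST, WITH_LDAP))
```

On the files-only state the `require_all` dependency is reported as a blocker, which matches the behaviour described in the thread; in that configuration tnctl is the service that loads the local files into the kernel.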