The normal design is that the local zones contact the global zone, which does the work after judging label dominance and privs etc. This is done via nscd aka /services/name-service-cache. The local zones don't contact the ldap server directly.
If the local zones are not getting whatever information they are supposed to from nscd, that is odd, if all the documents were followed regarding ldap setup. There are upcoming changes to allow, instead, each zone to have its own name service cache. Part of this has been released, part is still to come. But this will not be the evaluated configuration. The administrative interface for this feature is not yet complete, but customers of Solaris 10 who have support contracts can get advanced test copies of the interface if they file an escalation asking for it.

>Date: Tue, 02 Oct 2007 10:05:34 -0700 (PDT)
>From: i3bargon <ira.bargon at gmail.com>
>Subject: Re: [security-discuss] TX43 with Multiple Network Interfaces?
>To: security-discuss at opensolaris.org
>Delivered-to: security-discuss at opensolaris.org
>List-Id: OpenSolaris Security Discussions <security-discuss.opensolaris.org>
>
>Could I accomplish the same thing with a VNI instead of bge0:1? I have a similar configuration to the original poster, a separate NIC for each zone. But I have a VNI that is set all-zones. It's on the same subnet as my global zone. I can not contact the LDAP server from the local zones. I have tried ldapclient and I have also tried telnetting to the ldap server on port 389. Neither case worked. tnrhdb is set up properly and my global zone was able to connect to the ldap server. My local zones don't have network connectivity to the LDAP server's global zone.
>
>My default route is set to localhost from the global zone. I'm running Solaris 10 08/07 TX SPARC on the client and the LDAP server.
>
>--- Client ----
>Global Zone: 10.0.0.2 (bge0)
>vni0: 10.0.0.42 (all-zones)
>Zone 1: 10.0.1.2 (bge1)
>Zone 2: 10.0.2.2 (bge2)
>Default Route: localhost
>
>LDAP Server: 10.0.0.3 (global)
>
>1. Do I need to change from a VNI to a standard virtual interface "bge0:1"?
>2. When set up correctly, should I be able to run ldapclient from the local zone and specify the global zone's ldap server, which is on a different subnet (10.0.2/24) than my local zone? Also, should I be able to telnet to 10.0.0.3 389 as another test from my local zone?
>
>Any help is appreciated.
>
>Thanks,
>Ira
>
>
>This message posted from opensolaris.org
>_______________________________________________
>security-discuss mailing list
>security-discuss at opensolaris.org
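The reply's point is that a labeled zone gets its name-service answers from nscd in the global zone, not by opening its own connection to the LDAP server, so the useful check inside the zone is to separate the two: does a lookup through nscd work, and is the direct port-389 probe (which the design does not require) the only thing failing? The script below is an added example, not code from this thread or from Solaris. The live checks assume a Solaris 10 Trusted Extensions system with zonename, svcs, tninfo, getent and ldapsearch in the path and take the LDAP server's hostname, not its address; the tnrhdb excerpt is constructed from the addresses in the post, and the template names in it are assumptions. The tnrhdb lookup runs on any POSIX shell and applies the longest-prefix rule for IPv4 entries, so it also shows which entry actually wins for a given host when several overlap.

```shell
#!/bin/sh
# Added diagnostic for a Solaris Trusted Extensions labeled zone; not from the
# thread. The tnrhdb sample is constructed and its template names are assumed.

# ip_to_int DOTTED-QUAD: print the IPv4 address as a 32-bit integer.
ip_to_int() {
IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# tnrhdb_template IP   (tnrhdb text on stdin)
# Print the template of the most specific IPv4 entry covering IP, or "none".
# Entries look like "addr[/prefix]:template"; "0.0.0.0" is the fallback.
# Simplification: the trailing-zero wildcard shorthand is not handled, so
# network entries are expected to carry an explicit prefix length.
tnrhdb_template() {
    want=$(ip_to_int "$1")
    best_len=-1
    best_tmpl=none
    while IFS= read -r line; do
        line=${line%%#*}                                   # drop comments
        case $line in *:*) ;; *) continue ;; esac          # skip blank lines
        addr=$(printf '%s' "${line%:*}" | tr -d ' \t')     # text before last ':'
        tmpl=$(printf '%s' "${line##*:}" | tr -d ' \t')    # text after last ':'
        case $addr in *:*) continue ;; esac                # IPv6 entries skipped
        case $addr in
            */*)     net=${addr%/*}; len=${addr#*/} ;;
            0.0.0.0) net=$addr; len=0 ;;
            *)       net=$addr; len=32 ;;
        esac
        mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
        net_int=$(ip_to_int "$net")
        if [ $(( (net_int & mask) == (want & mask) )) -eq 1 ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_tmpl=$tmpl
        fi
    done
    echo "$best_tmpl"
}

# Constructed /etc/security/tsol/tnrhdb excerpt for the poster's addressing:
# the TX LDAP server at 10.0.0.3 is multilevel (cipso); the rest of 10.0.0.0/24
# and everything else falls back to single-label admin_low.
SAMPLE_TNRHDB='# constructed sample, not a real file
0.0.0.0:admin_low
10.0.0.0/24:admin_low
10.0.0.3:cipso
127.0.0.1:cipso'

# live_checks LDAP-HOSTNAME: run inside the labeled zone. A working getent
# means the door to nscd in the global zone is fine; a failing direct 389
# probe on its own is the expected shape of the design, not the bug.
live_checks() {
    host=$1
    echo "zone:        $(zonename)"
    echo "nscd state:  $(svcs -H -o state svc:/system/name-service-cache:default)"
    echo "tnrhdb view: $(tninfo -h "$host" 2>&1)"          # may need the global zone
    if getent hosts "$host" >/dev/null; then
        echo "nscd path:   OK, $host resolves through the global zone's cache"
    else
        echo "nscd path:   BROKEN, $host does not resolve; check ldapclient/nscd in the global zone"
    fi
    if ldapsearch -h "$host" -p 389 -b '' -s base 'objectclass=*' >/dev/null 2>&1; then
        echo "direct 389:  reachable (not required by the design)"
    else
        echo "direct 389:  not reachable (expected from a labeled zone)"
    fi
}

case ${1:-} in
    --live) live_checks "${2:?usage: $0 --live ldap-hostname}" ;;
    *)      printf '%s\n' "$SAMPLE_TNRHDB" | tnrhdb_template "${1:-10.0.0.3}" ;;
esac
```

Run it with no arguments to see which template the constructed tnrhdb assigns to 10.0.0.3, or with `--live ldapserver` inside a zone; pipe a real `/etc/security/tsol/tnrhdb` into `tnrhdb_template` to check the effective template for any host before trusting the file "is set up properly".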