I'm not yet a guru on this. I was assuming some kind of single-label ldap server is allowed and we had directions for it, but that assumption might be wrong. I was also thinking in terms of nscd.
For ldap, we are using a TX ldap server. What follows here is my understanding (which might be wrong) based on years of TS8 and nisplus, and weeks of TX + nscd, NOT based on personal TX+ldap experience. Maybe one of the gurus has a better answer.

For the TX ldap server case, if the server is configured as CIPSO in tnrhdb, then every zone should be able to contact it (but the ldap server would have to have each of your zones configured as CIPSO, I think.) I think the global zone might need the ldap server as CIPSO in its tnrhdb -- again, assuming your ldap server is also TX.

If the ldap server is single-label, then I would *guess* you need to ONLY have the global zone contact it. Do we have directions for that? Someone who has used the ldap directions in detail could give a better answer. It has been months since I've looked at our directions, but I would think there would be a difference between using a TX ldap server vs. a single-label ldap server.

>Date: Wed, 03 Oct 2007 14:03:23 +0100
>From: Ira Bargon III <ira.bargon at gmail.com>
>Subject: Re: [security-discuss] TX43 with Multiple Network Interfaces?
>To: security-discuss at opensolaris.org
>Delivered-to: security-discuss at opensolaris.org
>
>Thanks for the response. I'm still somewhat confused.
>
>On page 65 of the TX installation and config manual, step 2 describes
>initializing your zone for LDAP. I looked at the code for action
>"Initialize Zone for LDAP" and it places a sysidcfg in the local zone
>which has its naming service set up for LDAP. This sysidcfg file has
>the local zone's LDAP server, proxy agent, domain name, etc. set to
>the same information as the global zone uses. When I execute step 3 on
>page 66 to start the zone, my initial boot fails because my local
>zone is attempting to run ldapclient on the global zone's LDAP server.
>This is why I thought the local zone is directly contacting the
>global zone's LDAP server.
>
>Am I misinterpreting the documentation?
>Should my local zone be an
>ldap client of the global zone's LDAP server?
>
>Thanks,
>Ira
>
>On Oct 2, 2007, at 11:43 PM, Jan Parcel wrote:
>
>> The normal design is that the local zones contact the global zone,
>> which does the work after judging label dominance and privs etc.
>> This is done via nscd aka /services/name-service-cache. The
>> local zones don't contact the ldap server directly.
>>
>> If the local zones are not getting whatever information they are
>> supposed to from nscd, that is odd, if all the documents were
>> followed regarding ldap setup.
>>
>> There are upcoming changes to allow, instead, each zone to have its
>> own name service cache. Part of this has been released, part is
>> still to come. But this will not be the evaluated configuration.
>>
>> The administrative interface for this feature is not yet complete, but
>> customers of Solaris 10 who have support contracts can get advanced
>> test copies of the interface if they file an escalation asking for it.
>>
>>> Date: Tue, 02 Oct 2007 10:05:34 -0700 (PDT)
>>> From: i3bargon <ira.bargon at gmail.com>
>>> Subject: Re: [security-discuss] TX43 with Multiple Network Interfaces?
>>> To: security-discuss at opensolaris.org
>>> Delivered-to: security-discuss at opensolaris.org
>>> List-Id: OpenSolaris Security Discussions <security-discuss.opensolaris.org>
>>>
>>> Could I accomplish the same thing with a VNI instead of bge0:1? I
>>> have a similar configuration as the original poster, a separate NIC
>>> for each zone. But I have a VNI that is set all-zones. It's on the
>>> same subnet as my global zone. I can not contact the LDAP server from
>>> the local zones. I have tried ldapclient and I have also tried
>>> telnetting to the ldap server on port 389. Neither case worked.
>>> tnrhdb is set up properly and my global zone was able to connect to
>>> the ldap server. My local zones don't have network connectivity to
>>> the LDAP server's global zone.
>>>
>>> My default route is set to localhost from the global zone. I'm
>>> running Solaris 10 08/07 TX SPARC on the client and the LDAP server.
>>>
>>> --- Client ----
>>> Global Zone: 10.0.0.2 (bge0)
>>> vni0: 10.0.0.42 (all-zones)
>>> Zone 1: 10.0.1.2 (bge1)
>>> Zone 2: 10.0.2.2 (bge2)
>>> Default Route: localhost
>>>
>>> LDAP Server: 10.0.0.3 (global)
>>>
>>> 1. Do I need to change from a VNI to a standard virtual
>>> interface "bge0:1"?
>>> 2. When set up correctly, should I be able to run ldapclient from
>>> the local zone and specify the global zone's ldap server, which is
>>> on a different subnet (10.0.2/24) from my local zone? Also, should I
>>> be able to telnet to 10.0.0.3 389 as another test from my local zone?
>>>
>>> Any help is appreciated.
>>>
>>> Thanks,
>>> Ira
>>>
>>> This message posted from opensolaris.org
>>> _______________________________________________
>>> security-discuss mailing list
>>> security-discuss at opensolaris.org
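As an added example (not from any poster in this thread and not from the TX documentation), here is a POSIX shell helper that models the tnrhdb lookup Jan describes, run against a constructed tnrhdb for the LDAP server at 10.0.0.3 with the client addresses from Ira's layout. It assumes the host[/prefixlen]:template entry syntax with 0.0.0.0 as the catch-all, and is a simplified stand-in for the real lookup (on a live system, tninfo -h reports the template for a host).

```shell
# Constructed sample of the LDAP server's /etc/security/tsol/tnrhdb
# (entry syntax assumed: host[/prefixlen]:template). Only the global
# zone's subnet is CIPSO; the per-zone subnets are not listed.
SAMPLE_TNRHDB='# constructed sample, not a real site file
10.0.0.3:cipso
10.0.0.0/24:cipso
10.0.0.9:admin_low
0.0.0.0:admin_low'

# ip_to_int 10.0.0.3 -> dotted quad as an unsigned 32-bit integer
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# tnrhdb_template IP [tnrhdb-text]: print the template of the most
# specific (longest-prefix) entry covering IP. Hosts without /len are
# /32; 0.0.0.0 is the /0 catch-all. Simplified model of the real lookup.
tnrhdb_template() {
    ip=$(ip_to_int "$1")
    db=${2:-$SAMPLE_TNRHDB}
    best_len=-1; best_tmpl=""
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        key=${line%%:*}; tmpl=${line#*:}
        case $key in
            */*)     addr=${key%%/*}; len=${key#*/} ;;
            0.0.0.0) addr=$key; len=0 ;;
            *)       addr=$key; len=32 ;;
        esac
        if [ "$len" -eq 0 ]; then mask=0
        else mask=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
        if [ $(( $(ip_to_int "$addr") & mask )) -eq $(( ip & mask )) ] \
           && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_tmpl=$tmpl
        fi
    done <<EOF
$db
EOF
    printf '%s\n' "$best_tmpl"
}

# Defender's check for the thread's setup: every client address that must
# reach the LDAP server should resolve to cipso on the server side.
for host in 10.0.0.2 10.0.0.42 10.0.1.2 10.0.2.2; do
    printf '%-10s -> %s\n' "$host" "$(tnrhdb_template "$host")"
done
```

With this sample, the global zone addresses (10.0.0.2, 10.0.0.42) resolve to cipso while the zone interfaces 10.0.1.2 and 10.0.2.2 fall through to admin_low, which is the mismatch Jan's "each of your zones configured as CIPSO" remark points at.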