Thanks everyone for your responses.

My configuration is 1 LDAP server running Trusted Extensions. Its
port is bound to an MLP in the global zone. My LDAP clients are
running TX and the local zones have their own network interface and
subnet. Since each zone is on its own interface, they also share an
all-zones interface which at first was a VNI device. This all-zones
VNI is on the same subnet as the global zone. My X server
functionality works just fine in this configuration but I was unable
to contact the LDAP server from the local zone. The global zone was
able to communicate with the LDAP server just fine.

My LDAP client has the LDAP server defined as CIPSO and vice versa.
The LDAP client also has its local zones' IP addresses defined as
CIPSO and the VNI address is also defined as CIPSO.

When using a VNI device as your all-zones device can you communicate  
with other hosts (an LDAP Server) besides your own global zone?

When I switched from a VNI to a standard interface alias (i.e. bge0:1
with the all-zones property) my local zones were able to communicate with
the LDAP server. For security purposes I would like to switch back to
a VNI but still have a communication path with the LDAP server which is
running in the global zone on another host.

Thanks.
Ira

On Oct 3, 2007, at 9:28 PM, Glenn Faden wrote:

> In order for the labeled zones and the global zone to use a single  
> LDAP server you have to do one of the following:
>
> 1. Run the LDAP server in the global zone of some TX system on your  
> network and bind it to an MLP.
>
> or.
>
> 1. Run the LDAP server on a single-level host, and assign that
> host the admin_low network template.
>
> 2. Run an LDAP proxy server in the global zone of some TX system on  
> your network and bind it to an MLP. Use the proxy server to access   
> the remote server.
>
> or.
>
> 1. Run both the LDAP server and the proxy server in the global zone  
> of some TX system on your network.
>
> 2. Have just the LDAP proxy bind to an MLP, and have your labeled  
> zones configured as clients of the proxy.
>
> 3. Restrict the proxy to do read-only operations. That will prevent  
> anyone from writing into LDAP unless they are running in the global  
> zone of a TX system on your network.
>
> --Glenn
>
> i3bargon wrote:
>
>> Could I accomplish the same thing with a VNI instead of bge0:1? I
>> have a similar configuration as the original poster, a separate
>> NIC for each zone. But I have a VNI that is set all-zones. It's on
>> the same subnet as my global zone. I can not contact the LDAP
>> server from the local zones. I have tried ldapclient and I have
>> also tried telnetting to the LDAP server on port 389. Neither case
>> worked. tnrhdb is set up properly and my global zone was able to
>> connect to the LDAP server. My local zones don't have network
>> connectivity to the LDAP server's global zone.
>>
>> My default route is set to localhost from the global zone. I'm
>> running Solaris 10 08/07 TX SPARC on the client and the LDAP server.
>> --- Client ----
>> Global Zone: 10.0.0.2 (bge0)
>> vni0: 10.0.0.42 (all-zones)
>> Zone 1: 10.0.1.2 (bge1)
>> Zone 2: 10.0.2.2 (bge2)
>> Default Route: localhost
>>
>> LDAP Server: 10.0.0.3 (global)
>>
>> 1. Do I need to change from a VNI to a standard virtual
>> interface "bge0:1"?
>> 2. When set up correctly, should I be able to run ldapclient from
>> the local zone and specify the global zone's LDAP server which is
>> on a different subnet (10.0.2/24) than my local zone? Also, should I
>> be able to telnet to 10.0.0.3 389 as another test from my
>> local zone?
>>
>> Any help is appreciated.
>> Thanks,
>> Ira
>
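The advice above hinges on the LDAP port being configured as a multilevel port (MLP) in the global zone, and on the distinction between MLPs on zone-specific addresses and MLPs on shared (all-zones) interfaces. The following is an added example, not code from anyone in this thread: it parses entries in the tnzonecfg format (zone:label:visible-flag:zone-specific MLPs:shared MLPs, each MLP list being ';'-separated port[-port]/proto entries, as I recall the Solaris TX layout) and answers whether a given port is an MLP for a zone. The sample entries are constructed.

```python
"""Check whether a port is a multilevel port (MLP) for a zone, given
Solaris TX tnzonecfg-style entries.  Added example; the file layout
(5 colon-separated fields) is assumed from the documented format."""
from typing import Dict, List, Tuple

# Constructed sample: the global zone exports LDAP (389/tcp) only as a
# zone-specific MLP, while the X11 ports are also shared (all-zones) MLPs.
SAMPLE_TNZONECFG = """\
# zone:label:visible:zone-specific MLPs:shared MLPs
global:ADMIN_LOW:1:111/tcp;111/udp;389/tcp;6000-6003/tcp;:6000-6003/tcp
public:PUBLIC:0::
"""

MlpList = List[Tuple[int, int, str]]  # (low_port, high_port, proto)


def parse_mlp_list(field: str) -> MlpList:
    """Parse '111/tcp;6000-6003/tcp;' into (low, high, proto) tuples."""
    out: MlpList = []
    for entry in filter(None, field.split(";")):
        ports, proto = entry.split("/")
        lo, _, hi = ports.partition("-")        # single port or a range
        out.append((int(lo), int(hi or lo), proto.lower()))
    return out


def parse_tnzonecfg(text: str) -> Dict[str, dict]:
    """Return {zone_name: {label, visible, specific, shared}}."""
    zones: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError(f"malformed tnzonecfg entry: {line!r}")
        name, label, visible, specific, shared = fields
        zones[name] = {
            "label": label,
            "visible": visible == "1",
            "specific": parse_mlp_list(specific),
            "shared": parse_mlp_list(shared),
        }
    return zones


def is_mlp(zones: Dict[str, dict], zone: str, port: int,
           proto: str = "tcp", shared: bool = False) -> bool:
    """True if port/proto is an MLP for `zone`, either on its zone-specific
    addresses (shared=False) or on all-zones interfaces (shared=True)."""
    key = "shared" if shared else "specific"
    return any(lo <= port <= hi and p == proto
               for lo, hi, p in zones[zone][key])
```

In the sample, 389/tcp is an MLP only on the global zone's own address, not on shared interfaces, which is the kind of split worth checking when a service is reachable from the global zone but not from labeled zones over an all-zones interface.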
