Ira Bargon III wrote:
> Thanks everyone for your responses.
>
> My configuration is 1 LDAP server running Trusted Extensions. Its
> port is bound to an MLP in the global zone. My LDAP clients are
> running TX and the local zones have their own network interface and
> subnet. Since each zone is on its own interface they also share an
> all-zones interface which at first was a VNI device. This all-zones
> VNI is on the same subnet as the global zone. My X server
> functionality works just fine in this configuration but I was unable
> to contact the LDAP server from the local zone. The global zone was
> able to communicate with the LDAP server just fine.
>
> My LDAP client has the LDAP server defined as CIPSO and vice versa.
> The LDAP client also has its local zones' IP addresses defined as
> CIPSO and the VNI address is also defined as CIPSO.
>
> When using a VNI device as your all-zones device can you communicate
> with other hosts (an LDAP server) besides your own global zone?
If I understand your configuration correctly, the answer is no. Even
though you created the all-zones vni interface address from the global
zone's subnet range, the non-global zones still do not have access to
the external bge0:1 interface. The system does not have routes to send
non-global zone traffic out through bge0:1. You can see this by using
the "ifconfig -a" and "netstat -nr" commands in the various zones.

> When I switched from a VNI to a standard interface alias (i.e. bge0:1
> with the all-zones property) my local zones were able to communicate
> with the LDAP server.

Yes, this makes sense.

> For security purposes I would like to switch back to a VNI but still
> have a communication path with the LDAP server which is running in
> the global zone on another host.

The system should be using the LDAP client in the global zone for
applications that do lookups through nscd. Some applications, however,
call LDAP library services directly. I gather you are running into
this? It sounds like you need a selected network application (the LDAP
client in this case) to have access to the global zone's network from
inside non-global zones without opening up access for all applications.
I don't see an easy solution for this today.

Ken