Ken, Thanks for your response.
On Oct 4, 2007, at 4:33 PM, Ken Powell - Sun Microsystems wrote:

> Ira Bargon III wrote:
>> Thanks everyone for your responses.
>>
>> My configuration is 1 LDAP server running Trusted Extensions.
>> Its port is bound to an MLP in the global zone. My LDAP clients
>> are running TX and the local zones have their own network
>> interface and subnet. Since each zone is on its own interface
>> they also share an all-zones interface which at first was a VNI
>> device. This all-zones VNI is on the same subnet as the global
>> zone. My X server functionality works just fine in this
>> configuration but I was unable to contact the LDAP server from
>> the local zone. The global zone was able to communicate with
>> the LDAP server just fine.
>>
>> My LDAP client has the LDAP server defined as CIPSO and vice
>> versa. The LDAP client also has its local zones' IP addresses
>> defined as CIPSO and the VNI address is also defined as CIPSO.
>>
>> When using a VNI device as your all-zones device can you
>> communicate with other hosts (an LDAP Server) besides your own
>> global zone?
>
> If I understand your configuration correctly, the answer is no.
> Even though you created the all-zones vni interface address from
> the global zone's subnet range, the non-global zones still do not
> have access to the external bge0:1 interface. The system does
> not have routes to send non-global zone traffic out through
> bge0:1. You can see this by using the "ifconfig -a" and "netstat
> -nr" commands in the various zones.
>
>> When I switched from a VNI to a standard interface alias (i.e.
>> bge0:1 with all-zones property) my local zones were able to
>> communicate with the LDAP server.
>
> Yes, this makes sense.
>
>> For security purposes I would like to switch back to a VNI but
>> still have a communication path with the LDAP server which is running
>> in the global zone on another host.
>
> The system should be using the LDAP client in the global zone
> for applications that do lookups through nscd. Some applications
> however call LDAP library services directly. I gather you are
> running into this?

I don't believe I've run into that yet. I was basically trying to set up LDAP authentication between a TX server and a TX client, but I was using instructions from the TX Install / Config manual. The document states that you need to make your local zones LDAP clients of the global zone's LDAP server. Is this step not necessary for a standard LDAP authentication configuration (usernames, passwords, groups, printers, etc.)? Are you saying that NSCD should take care of this and I won't need to make my local zones LDAP clients? From what I understand by your post there are certain situations in which I would need to make my local zones LDAP clients.

> It sounds like you need a selected network application
> (ldap client in this case) to have access to the global
> zone's network from inside non-global zones without
> opening up access for all applications. I don't see an
> easy solution for this today.
>
> Ken

Thanks,
Ira
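An added example, not code from the thread or from Sun, of the route check Ken points at: rather than eyeballing "netstat -nr" in every zone, feed each zone's routing table to a longest-prefix lookup for the LDAP server's address and see which interface (if any) the zone would use. The four-column row format (destination, netmask, gateway, interface) is an assumption, a simplified form of what you would collect from "netstat -nr" and "ifconfig -a" in each zone, not the exact Solaris column layout; the two sample tables, the interface names and the LDAP server address 10.1.1.20 are constructed.

```sh
#!/bin/sh
# Added example (not from the thread or from Sun). Decides which route
# a zone would use to reach a host, from a routing table given as
# "destination netmask gateway interface" rows (assumed, simplified
# layout; fill it from netstat -nr / ifconfig -a in the zone).

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
    ip4_oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$ip4_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_len NETMASK -> prefix length (number of set bits)
mask_len() {
    ml_m=$(ip4_to_int "$1")
    ml_n=0
    while [ "$ml_m" -ne 0 ]; do
        ml_n=$(( ml_n + (ml_m & 1) ))
        ml_m=$(( ml_m >> 1 ))
    done
    echo "$ml_n"
}

# route_for HOST TABLE -> "interface gateway" of the longest-prefix
# match, or "none" when the table has no route covering HOST.
route_for() {
    rf_dest=$(ip4_to_int "$1")
    rf_best_len=-1
    rf_best=none
    while read -r rf_net rf_mask rf_gw rf_if; do
        case $rf_net in ''|'#'*) continue ;; esac   # skip blank/comment rows
        [ "$rf_net" = default ] && rf_net=0.0.0.0
        rf_n=$(ip4_to_int "$rf_net")
        rf_m=$(ip4_to_int "$rf_mask")
        if [ $(( rf_dest & rf_m )) -eq $(( rf_n & rf_m )) ]; then
            rf_len=$(mask_len "$rf_mask")
            if [ "$rf_len" -gt "$rf_best_len" ]; then
                rf_best_len=$rf_len
                rf_best="$rf_if $rf_gw"
            fi
        fi
    done <<EOF
$2
EOF
    echo "$rf_best"
}

# Constructed sample: the global zone owns bge0 (10.1.1.10/24) with a
# default route, plus the bge1 subnet used by a non-global zone.
GLOBAL_ZONE_TABLE='
default    0.0.0.0         10.1.1.1   bge0
10.1.1.0   255.255.255.0   10.1.1.10  bge0
10.1.2.0   255.255.255.0   10.1.2.10  bge1
127.0.0.1  255.255.255.255 127.0.0.1  lo0
'

# Constructed sample: the non-global zone sees only its own bge1
# address; the all-zones vni address adds no route out through bge0:1.
LOCAL_ZONE_TABLE='
10.1.2.0   255.255.255.0   10.1.2.10  bge1
127.0.0.1  255.255.255.255 127.0.0.1  lo0
'

LDAP_SERVER=10.1.1.20   # assumed address of the TX LDAP server host

# Run once per zone with that zone's table; "none" is the
# "no route out bge0:1" condition Ken describes.
echo "global zone: $(route_for "$LDAP_SERVER" "$GLOBAL_ZONE_TABLE")"
echo "local zone:  $(route_for "$LDAP_SERVER" "$LOCAL_ZONE_TABLE")"
```

In the constructed data the global zone answers "bge0 10.1.1.10" and the local zone answers "none", which is the asymmetry Ira observed: the global zone reaches the LDAP server and the local zone does not, even though both carry a CIPSO-labelled address in the same subnet.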