
Known Solaris and LDAP Problems - Sun Solaris


  1. #1

    Re: Known Solaris and LDAP Problems

    I can help on a couple of these:

    nsaccountlock attr on user entry - remove attribute or:
    directoryserver -s servername account-activate -D cn="Directory Manager" -w password -h host -p port -I uid=user,ou=people,etc,etc

    Leave the "with password management" default (other) account entries
    alone, but insert an rsh service specific entry beforehand - listing
    only pam_unix - won't fix interactive rsh/rlogind (i.e. rsh host) -
    but will fix use of rhosts files (rsh host ls). And I believe this is
    a bug in the pam module - but I'll let you know if/when I get a fix.
    Excerpt from my pam.conf:

    #
    # rsh service - explicit because ldap fails
    #
    rsh account required pam_unix_account.so.1
    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other account requisite pam_roles.so.1
    other account required pam_projects.so.1
    other account sufficient pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1
    #

    HTH,
    Chris
    Chris Guest

  2. #2

    Re: Known Solaris and LDAP Problems


    I found another problem concerning LDAP netgroup and NFS exports.
    I tried to use a LDAP netgroup in order to share a directory from
    a NFS server (also a LDAP client), using Solaris 9 8/03 and DS 5.1.

    server# share -F nfs -o rw=trust_group /export/local

    dn: cn=trust_group,ou=netgroup,dc=my,dc=dom
    objectClass: nisNetgroup
    objectClass: top
    cn: trust_group
    memberNisNetgroup: client.my.dom
    memberNisNetgroup: client
    nisNetgroupTriple: (client,,my.dom)

    This results in a permission denied error on the client, but it
    can mount the resource if it is shared directly: "rw=client.my.dom".
    For me it looks that the NFS server doesn't use the LDAP netgroup
    at all, although "netgroup: ldap" is specified in nsswitch.conf.

    Is there a workaround?

    Bye,
    MBr

    Bruns Guest

  3. #3

    Re: Known Solaris and LDAP Problems

    On Fri, 26 Sep 2003 10:55:07 +0200, Bruns wrote:

    PMFJI, but I have found that the access log in the slapd server can be
    useful for troubleshooting these types of problems. The log is large, so
    I note the time that the mount is attempted and review the ldapsearch
    statements to see how the search is performed. Have you tried this?

    Alex Moore
    Alex Guest

  4. #4

    Re: Known Solaris and LDAP Problems

    Thanks for the hint.
    I thought that I had tested all possibilities, but a closer look into
    the slapd log showed the following search request from the NFS server:

    SRCH base ="ou=netgroup,dc=my,dc=dom" scope=1
    filter="(&(objectClass=nisNetGroup)
    (nisNetgroupTriple=\28client.my.dom,*,*\29))"
    attrs ="cn nisNetgroupTriple memberNisNetgroup"

    By adding "nisNetgroupTriple: (client.my.dom,,)" to the netgroup, the
    client can mount the directory from the server. The memberNisNetgroup
    attribute isn't used at all. In our NIS+ domain we have used the
    triple "(client,,my.dom)".

    It would still be better if I could use the nisNetgroupTriple without
    specifying the domain part, but the NFS share works only when the
    complete name is found. Maybe the NFS client request comes with its
    full name: client.my.dom.

    M.Bruns

    Bruns Guest

  5. #5

    Re: Known Solaris and LDAP Problems

    On Mon, 29 Sep 2003 16:58:54 +0200 in <mpg.de>,
    Bruns said something similar to:
    :
    : By adding "nisNetgroupTriple: (client.my.dom,,)" to the netgroup, the
    : client can mount the directory from the server. The memberNisNetgroup
    : attribute isn't used at all. In our NIS+ domain we have used the
    : triple "(client,,my.dom)".
    :
    : It would still be better if I could use the nisNetgroupTriple without
    : specifying the domain part, but the NFS share works only when the
    : complete name is found. Maybe the NFS client request comes with its
    : full name: client.my.dom.

    Most likely the resolver on the server is returning the client's
    fully-qualified domain name for a reverse-lookup of the IP address.
    What do you have for the "hosts:" line in nsswitch.conf?
    Mike Guest

  6. #6

    Re: Known Solaris and LDAP Problems

    All LDAP host requests end up in the fully-qualified domain name:

    $ getent hosts client
    192.168.234.46 client.my.dom

    $ getent hosts 192.168.234.46
    192.168.234.46 client.my.dom

    The corresponding LDAP hosts entry contains only the host name:

    $ ldaplist -l hosts client
    dn: cn=client+ipHostNumber=192.168.234.46,ou=Hosts,dc=my,dc=dom
    objectClass: top
    objectClass: ipHost
    objectClass: device
    cn: client
    ipHostNumber: 192.168.234.46

    /etc/nsswitch.conf: "hosts: files ldap dns"
    /etc/resolv.conf : "domain my.dom"

    The same configuration in our NIS+ domain delivers just the host name.

    M.Bruns

    Bruns Guest

  7. #7

    Re: Known Solaris and LDAP Problems

    On Tue, 30 Sep 2003 10:14:07 +0200 in <mpg.de>,
    Bruns said something similar to:
    :
    : all LDAP host requests end up in the fully-qualified domain name:
    :
    : $ getent hosts client
    : 192.168.234.46 client.my.dom
    :
    : $ getent hosts 192.168.234.46
    : 192.168.234.46 client.my.dom
    [snip]
    : /etc/nsswitch.conf: "hosts: files ldap dns"
    : /etc/resolv.conf : "domain my.dom"

    It looks like you're stuck with this behaviour with LDAP:

    <http://docs.sun.com/db/doc/806-4077/6jd6blbf0?a=view>

    "Unresolved Hostname

    The Solaris operating environment LDAP client backend returns fully
    qualified hostnames for host lookups, such as hostnames returned by
    gethostbyname(3N) and getipnodebyname(3N). If the name stored is
    qualified, that is, contains at least one dot, the client returns the
    name as is. For example, if the name stored is hostB.eng, the returned
    name is hostB.eng.

    If the name stored in the LDAP directory is not qualified (it does
    not contain any dot), the client backend appends the domain part to
    the name. For example, if the name stored is hostA, the returned name
    is hostA.domainname."

    Personally, I prefer to use "hosts: dns files (nis|nisplus|ldap)" and know
    I'm always going to get FQDNs back from host/ip lookups.

    FWIW, there are a few network services (Kerberos for example) that require
    gethostbyname() and getipnodebyname() to always return FQDNs.
    Mike Guest
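Tying posts #4 and #7 together, here is an added Python model (not from the thread, nor from any Sun tool) of why the original netgroup entry fails: the LDAP host backend qualifies the client name as the quoted documentation says, the NFS server then searches for a triple whose host field equals that qualified string, and memberNisNetgroup is never followed. DOMAIN, the entry dicts and the function names are constructed for illustration.

```python
import re

DOMAIN = "my.dom"  # the "domain my.dom" line from /etc/resolv.conf in the thread

def ldap_client_hostname(stored_name: str, domain: str) -> str:
    # Rule quoted from the Sun docs: a stored name containing a dot is returned
    # as-is; an unqualified name gets the resolver domain appended.
    return stored_name if "." in stored_name else f"{stored_name}.{domain}"

def netgroup_filter(host: str) -> str:
    # The filter the NFS server sent, as seen in the slapd access log: the host
    # field must match exactly, user and domain fields are wildcards, and the
    # parentheses inside the value are hex-escaped per RFC 4515 (\28 and \29).
    return f"(&(objectClass=nisNetgroup)(nisNetgroupTriple=\\28{host},*,*\\29))"

# A triple is "(host,user,domain)"; any field may be empty.
TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")

def triple_matches_host(triple: str, host: str) -> bool:
    m = TRIPLE_RE.match(triple)
    if not m:
        raise ValueError(f"malformed nisNetgroupTriple: {triple!r}")
    return m.group(1) == host  # exact string compare, as the filter does

def netgroup_allows(entry: dict, host: str) -> bool:
    # Evaluate the entry the way the logged search does: only the entry's own
    # nisNetgroupTriple values count; memberNisNetgroup is not followed.
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "nisnetgroup" not in classes:
        return False
    return any(triple_matches_host(t, host) for t in entry.get("nisNetgroupTriple", []))

def nfs_export_check(stored_client_name: str, entry: dict, domain: str = DOMAIN) -> bool:
    # Chain the two steps: the server's LDAP host lookup yields the qualified
    # name, and that exact string is what a triple's host field has to hold.
    return netgroup_allows(entry, ldap_client_hostname(stored_client_name, domain))

# Constructed copy of the thread's trust_group entry (sample data only).
TRUST_GROUP = {
    "objectClass": ["nisNetgroup", "top"],
    "cn": ["trust_group"],
    "memberNisNetgroup": ["client.my.dom", "client"],
    "nisNetgroupTriple": ["(client,,my.dom)"],
}
# The poster's fix: a second triple carrying the fully-qualified name.
TRUST_GROUP_FIXED = {**TRUST_GROUP,
                     "nisNetgroupTriple": ["(client,,my.dom)", "(client.my.dom,,)"]}
```

Swapping "hosts: files ldap dns" for a dns-first order, as Mike suggests, changes only what the first step returns; the triple still has to carry whatever string that lookup produces.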

