Solaris’s LDAP is Hard Work

November 8, 2006 at 8:06 pm Leave a comment

A while ago we switched from using YPNIS to LDAP to handle all the authentication and name service lookups on our company LAN. It was fairly easy to set up a Linux network client, but quite hard to set up a Solaris network client. The server’s obviously Isode’s M-Vault running with its standard schema.

Here’s what I had to do to get a Solaris client working.

We allow general name service queries (what group is xxx in, what’s the username for uid 123) over plain LDAP. But we only allow authentication using LDAP over TLS. This gives us better security than NIS.

Sun’s LDAP libraries look for certificates and keys in two database files called cert7.db and key3.db. We need to make sure the LDAP server’s SSL certificate (actually the CA’s certificate) is in cert7.db. Start by downloading and installing Sun’s Directory Server Resource Kit because (sigh) the certutil tool you need to build these files isn’t part of Solaris. I installed it into /opt/dsrk52. Now run certutil:

# LD_LIBRARY_PATH=/opt/dsrk52/lib:/opt/dsrk52/lib/nss/lib
# /opt/dsrk52/lib/nss/bin/certutil –A –n "Isode CA" -t "TCu,Cu,Tuw" \\
  -d /tmp –i ~/ca.crt

That magic means create the two files in /tmp, and trust the issuer of that certificate. Now test those files:

# /usr/bin/ldapsearch –h –Z –b "" -s base –P /tmp \\

The -Z flag means use LDAPS, that is, LDAP over SSL/TLS on port 636.

Now that works, we’re ready to start configuring the machine as an LDAP client. For your first attempt, do this in a Solaris zone, as errors could otherwise lock you out of your machine…

In your zone, set up /etc/nsswitch.ldap to use “files ldap” for most things, and “files dns” for hosts. Copy those two database files into /var/ldap and chmod them to 0444.

Now set up a script in the zone’s root called /initldap as follows:

ldapclient -v manual \\
  -a \\
  -a defaultSearchBase=ou=System,o=Isode \\
  -a serviceSearchDescriptor=passwd:ou=Staff,o=Isode \\
  -a serviceSearchDescriptor=group:ou=Group, \\
  -a authenticationMethod=simple \\
  -a serviceAuthenticationMethod=pam_ldap:tls:simple \\
  -a proxyDN=cn=Dummy,ou=System,o=Isode \\
  -a proxyPassword=dummy

Yikes! Let’s take it apart and see what it is doing.

First, it is initializing the client manually. Automatic initializations rely on some proprietary Sun schema, so won’t work.

Next, we set the address of the LDAP server. Note as we’re going to use SSL the name here has to match the name in the server’s certificate. Note also that this means we can’t use LDAP to look up host names…

Third, we generally start our searches at <ou=System,o=Isode>, except (the next line) for passwd-type searches we search our white page entries in <ou=Staff,o=Isode> instead, and (the next line) for group-type searches we search <ou=Group,ou=System,o=Isode>. Sun has its own idea of where to look for passwd and group information that don’t match the way our directory’s set up, so this overrides things.

Next, we generally authenticate with simple authentication. Except (the next line) the pam_ldap service uses simple authentication over TLS.

The last two lines are to get around some bugs in the ldapclient command. The name and password don’t get used.

Now just run the script.

If all goes well you can use id(1m) to query the name service.

Now get PAM configured up. Edit /etc/pam.conf so that everywhere you seen a line like:

service auth    required

Replace it with the following 2 lines:

service auth    binding server_policy
service auth    required use_first_pass

Now you should be able to authenticate!


Entry filed under: LDAP, OpenSolaris.

Upcoming LOSUG meeting FMA

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

November 2006
« Oct   Dec »


access(2) OpenSolaris

%d bloggers like this: