LDAP Account information in Solaris 8

Solaris 8 comes with "Out-of-the-box" support for LDAP account=20 databases - there's a module "/usr/lib/nss_ldap.so.1", and some = programs=20 called "ldapclient", "ldap_gen_profile", and "ldapcachemgr". At = the time=20 of writing, the documentation is sparse. (NOTE: Since then, = documentation=20 has appeared - see below)

See http://www.sun= .com/blueprints/1000/ldap-sol8.html=20 for extra info. Despite what the article says (you need various=20 crappy^H^H^H^H^H^H unnecessay LDAP extensions) you can get it to = work=20 against OpenLDAP 2.x

Here's how things are supposed to work:

You run "ldap_gen_profile" with the appropriate arguments = (see the=20 man page). This returns an LDAP LDIF file. The directory entry = this=20 would create is called a profile.=20
When the machine boots, "ldapclient" is run. It bootstraps = itself=20 (locating the LDAP server using either a commandline option or = some=20 mysterious DNS method). It loads the given profile from the LDAP = server.=20 It re-binds to the (possibly new) LDAP server, if necessary, and = stores=20 the configuration data under /var/ldap/ldap_client_file and=20 /var/ldap/ldap_client_cred=20
"ldapcachemgr" runs, increasing performance by caching the = results.=20

Here's what really happens:

You run ldap_gen_profile. It generates something like: =

dn: cn=3Ddefault,ou=3Dprofile,dc=3Ddomain,dc=3Dcom
SolarisLDAPServers: 192.168.3.5:389
SolarisSearchBaseDN: dc=3Ddomain,dc=3Dcom
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: default
ObjectClass: top
ObjectClass: SolarisNamingProfile

You realise you don't have the schema for the = SolarisNamingProfile=20 objectclass, or any of it's properties. Since LDAPv3 servers = require=20 that it (or you) know this, you can't use this. Note to Sun - = the LDAPv3=20 schema (including OIDs and syntaxes for the attributes) would be = a very=20 helpful thing to release.=20
You try to use "ldapclient", passing commandline options = rather than=20 letting it bootstrap itself. This fails, because it seems to = want=20 something from the directory RootDSE which your server isn't=20 supplying.

The answer is this: the "ldapclient" program=20 requires the "simple page mode" and "VLV (virtual list = view)"=20 optional LDAP controls. Since they're optional, this is = appalling=20 behaviour on the part of Sun. OpenLDAP users will find that = (currently)=20 OpenLDAP does not support these. Thus, the "ldapclient" will not = work.

Interestingly, the NSS/PAM will work, just = not the=20 automated setup. What you have to do is listed below.
=20
You look for something, anything, which constitutes=20 documentation. There isn't any to speak of.

Correction: = Sun have=20 now released the documentation for the Solaris 8 LDAP support in = Acrobat=20 format. The filename is "sun_ldap_setup.pdf", and the title is = "LDAP=20 Setup and Configuration guide". You can probably find in on http://docs.sun.com/ - if = you're using=20 OpenLDAP, since it assumes the existence of the "simple paged = mode" and=20 "VLV" controls.

There is also now a (beginning of a = series,=20 apparently) article at: http://www.sun= .com/blueprints/1000/ldap-sol8.html
What I did:

bash-2.03# ldd =
/usr/lib/nss_ldap.so.1
libsldap.so.1 =3D> /usr/lib/libsldap.so.1
libnsl.so.1 =3D> /usr/lib/libnsl.so.1
libsocket.so.1 =3D> /usr/lib/libsocket.so.1
libc.so.1 =3D> /usr/lib/libc.so.1
libldap.so.4 =3D> /usr/lib/libldap.so.4
libdoor.so.1 =3D> /usr/lib/libdoor.so.1
libdl.so.1 =3D> /usr/lib/libdl.so.1
libmp.so.2 =3D> /usr/lib/libmp.so.2
libresolv.so.2 =3D> /usr/lib/libresolv.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1

Hmm. What is "libsldap". It turns out this is the config file = parser.=20 You do this:

bash-2.03# strings /usr/lib/libsldap.so.1 | =
less

After a lot of hacking, you come up with = this:

bash-2.03# cat /var/ldap/ldap_client_file
NS_LDAP_SERVERS=3D192.168.3.5:389
NS_LDAP_SEARCH_BASEDN=3Ddc=3Ddomain,dc=3Dcom

And it works.

I believe the other available parameters are as follows. Mail me if you find any = others, or can=20 help document the /var/ldap/ldap_client_cred file. Note to SUN: = Please=20 assist me/us here?

Addendum - Jason J Hinze supplied the following information = about=20 ldap_client_cred:

Hello,=20

You may have already found the solution to this problem=20
yourself, but just in case you haven't, I thought I'd pass=20
on a recipe that worked for me.

After much pain and agony, =
and finding your (very helpful!)=20
web page of notes, I've got the whole Solaris 8 / nss_ldap.so.1 /=20
OpenLDAP mess working.=20

I basically followed your recipe, generating a =
bogus profile=20
with ldap_gen_profile:

# ldap_gen_profile -P bogus_profile -a =
simple \
  -b 'dc=3Ddomain,dc=3Dcom' -d 'domain.com' \
  -D 'cn=3Droot,dc=3Ddomain,dc=3Dcom' -w 'secret_stuff' \
  10.0.0.42
dn: cn=3Dbogus_profile,ou=3Dprofile,dc=3Ddomain,dc=3Dcom
        SolarisBindDN: cn=3Droot,dc=3Ddomain,dc=3Dcom
        SolarisBindPassword: {NS1}aBuncH0fCh4rs
        SolarisLDAPServers: 10.0.0.42
        SolarisSearchBaseDN: dc=3Ddomain,dc=3Dcom
        SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
        SolarisTransportSecurity: NS_LDAP_SEC_NONE
        SolarisSearchReferral: NS_LDAP_FOLLOWREF
        SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
        SolarisSearchTimeLimit: 30
        SolarisCacheTTL: 43200
        cn: bogus_profile
        ObjectClass: top
        ObjectClass: SolarisNamingProfile

Using your handy-dandy attribute-name to =
config-file-key=20
conversion chart, I built ldap_client_file by hand: =

NS_LDAP_SERVERS=3D10.0.0.42
NS_LDAP_SEARCH_BASEDN=3Ddc=3Ddomain,dc=3Dcom
NS_LDAP_AUTH=3DNS_LDAP_AUTH_SIMPLE

And then I build ldap_client_cred by hand: =

NS_LDAP_BINDDN=3Dcn=3Droot,dc=3Ddomain,dc=3Dcom
NS_LDAP_BINDPASSWD=3D{NS1}aBuncH0FreallyWWIERDshiT

Then:

# chown root =
/var/ldap/ldap_client_*
# chgrp bin /var/ldap/ldap_client_*
# chmod 644 /var/ldap/ldap_client_file
# chmod 600 /var/ldap/ldap_client_cred
# /etc/init.d/ldap.client start
And nss_ldap worked.  Finally.

The available configuration options (and their mapping to the = LDAP=20 objectClasses) are:

Name = in=20 /var/ldap/ldap_client_file	LDAP profile attribute	Option prefix	Default value	Other options
NS_LDAP_FILE_VERSION
NS_LDAP_BINDDN	SolarisBindDN
NS_LDAP_BINDPASSWD	SolarisBindPassword
NS_LDAP_SERVERS	SolarisLDAPServers
NS_LDAP_SEARCH_BASEDN	SolarisSearchBaseDN
NS_LDAP_AUTH	SolarisAuthMethod	NS_LDAP_AUTH_	NONE	SIMPLE; SASL_CRAM_MD5; SASL_GSSAPI; = SASL_SPNEGO;=20 TLS
NS_LDAP_TRANSPORT_SEC	SolarisTransportSecurity	NS_LDAP_SEC_	NONE	TLS; SASL_PRIVACY; SASL_INTEGRITY
NS_LDAP_SEARCH_REF	SolarisSearchReferral	NS_LDAP_	FOLLOWREF	NOREF
NS_LDAP_DOMAIN
NS_LDAP_EXP
NS_LDAP_CERT_PATH	SolarisCertificatePath
NS_LDAP_CERT_PASS	SolarisCertificatePassword
NS_LDAP_SEARCH_DN	SolarisDataSearchDN
NS_LDAP_SEARCH_SCOPE	SolarisSearchScope	NS_LDAP_SCOPE_	_ONELEVEL	BASE; SUBTREE
NS_LDAP_SEARCH_TIME	SolarisSearchTimeLimit
NS_LDAP_SERVER_PREF	SolarisPreferredServer
NS_LDAP_PREF_ONLY	SolarisPreferredServerOnly	NS_LDAP_		TRUE; FALSE
NS_LDAP_CACHETTL	SolarisCacheTTL		43200
NS_LDAP_PROFILE

There are a couple of other points:

LDAP server faliure

If the LDAP server fails, all logins (even local password = files) will=20 fail except root. You need to change this:

passwd: files ldap
group: files ldap

To this:

passwd: files ldap [TRYAGAIN=3D5]
group: files ldap [TRYAGAIN=3D5]

In the /etc/nsswitch.conf file. This will allow the LDAP = lookups to=20 timeout after 5 attempts (in this example).

For user account entries, I think you need this: =

dn: =
uid=3Duid,ou=3DPeople,ou=3DDirectory,dc=3Ddomain,dc=3Dcom

objec=
tclass: top

objectclass: posixAccount

objectclass: =
shadowAccount

<posix/shadowAccount specific stuff>

NOTE: the "objectclass: shadowAccount" is MANDATORY - this must = be=20 there, or things won't work.

Also - the following LDAPv3 schema may help, from a posting on = the=20 OpenLDAP mailing list. TBD is probably 42, Sun's enterprise number = as=20 registered with IANA.

# solaris.schema
# ''works in progress and incomplete''. =20
# It would help if sun would publish this information!=20
# If you have any comments/suggestion/correction
# please let me know (igor 'at' ipass 'dot' net)

attributetype ( 1.3.6.1.4.1.TBD.1.1.12 SUP name
	NAME 'nisDomain' )

objectclass ( 1.3.6.1.4.1.TBD.1.4.2
	NAME 'nisDomainObject'
	SUP top AUXILIARY
	MUST ( nisDomain ) )

# Below is optional unless you want to use ldap_gen_profile
attributetype ( 1.3.6.1.4.1.TBD.1.1.1 SUP name
	NAME 'SolarisBindDN'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.2 SUP name
	NAME 'SolarisBindPassword'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.3 SUP name
	NAME 'SolarisLDAPServers'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.4 SUP name
	NAME 'SolarisSearchBaseDN'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.5 SUP name
	NAME 'SolarisAuthMethod'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.6 SUP name
	NAME 'SolarisTransportSecurity'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.7 SUP name
	NAME 'SolarisSearchReferral'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.8 SUP name
	NAME 'SolarisDataSearchDN'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.9 SUP name
	NAME 'SolarisSearchScope'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.10=20
	NAME 'SolarisSearchTimeLimit'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.11=20
	NAME 'SolarisCacheTTL'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.TBD.1.4.1
	NAME 'SolarisNamingProfile'
	DESC 'Solaris LDAP NSS Profile'
	SUP top AUXILIARY
	MUST ( cn $ SolarisLDAPServers )
	MAY	( SolarisBindDN $ SolarisBindPassword $=20
		SolarisSearchBaseDN $ SolarisAuthMethod $
		SolarisTransportSecurity $ SolarisSearchReferral $
		SolarisDataSearchDN $ SolarisSearchScope $
		SolarisSearchTimeLimit $ SolarisCacheTTL ) )


# End of solaris.scheam

This is courtesy of Igor Brezac, whose full mail to the=20 openldap-software list is show below:

Here it goes.

First apply the patch =
below to OpenLDAP.  This patch allows OpenLDAP to
return all root DSE attributes without explicitely specifying=20
attribute list in a query.  Kurt, please let me know if I am missing
something.

--- servers/slapd/result.c.orig	Fri Sep  8 =
12:59:11 2000
+++ servers/slapd/result.c	Fri Sep  8 18:38:50 2000
@@ -628,8 +628,10 @@
 			/* all addrs request, skip operational attributes */
 			if( is_at_operational( desc->ad_type ) )
 			{
-				continue;
-			}
+				if (strcasecmp( e->e_dn, LDAP_ROOT_DSE )) {
+					continue;
+				}
+			}=20

 		} else {
 			/* specific addrs requested */
@@ -700,7 +702,9 @@
 		if ( attrs =3D=3D NULL ) {
 			/* all addrs request, skip operational attributes */
 			if( is_at_operational( desc->ad_type ) ) {
-				continue;
+				if (strcasecmp( e->e_dn, LDAP_ROOT_DSE )) {
+					continue;
+				}
 			}

 		} else =
{

------------------------------------------------

Ad=
d the following schema to your OpenLDAP config:

# =
solaris.schema
# ''works in progress and incomplete''. =20
# It would help if sun would publish this information!=20
# If you have any comments/suggestion/correction
# please let me know (igor 'at' ipass 'dot' net)

attributetype =
( 1.3.6.1.4.1.TBD.1.1.12 SUP name
	NAME 'nisDomain' )

objectclass ( 1.3.6.1.4.1.TBD.1.4.2
	NAME 'nisDomainObject'
	SUP top AUXILIARY
	MUST ( nisDomain ) )

# Below is optional unless you want to =
use ldap_gen_profile
attributetype ( 1.3.6.1.4.1.TBD.1.1.1 SUP name
	NAME 'SolarisBindDN'
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.TBD.1.1.2 SUP name
	NAME 'SolarisBindPassword'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.3 SUP name
	NAME 'SolarisLDAPServers'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.4 SUP name
	NAME 'SolarisSearchBaseDN'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.5 SUP name
	NAME 'SolarisAuthMethod'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.6 SUP name
	NAME 'SolarisTransportSecurity'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.7 SUP name
	NAME 'SolarisSearchReferral'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.8 SUP name
	NAME 'SolarisDataSearchDN'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.9 SUP name
	NAME 'SolarisSearchScope'
	SINGLE-VALUE)

attributetype ( 1.3.6.1.4.1.TBD.1.1.10=20
	NAME 'SolarisSearchTimeLimit'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE =
)

attributetype ( 1.3.6.1.4.1.TBD.1.1.11=20
	NAME 'SolarisCacheTTL'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE =
)

objectclass ( 1.3.6.1.4.1.TBD.1.4.1
	NAME 'SolarisNamingProfile'
	DESC 'Solaris LDAP NSS Profile'
	SUP top AUXILIARY
	MUST ( cn $ SolarisLDAPServers )
	MAY	( SolarisBindDN $ SolarisBindPassword $=20
		SolarisSearchBaseDN $ SolarisAuthMethod $
		SolarisTransportSecurity $ SolarisSearchReferral $
		SolarisDataSearchDN $ SolarisSearchScope $
		SolarisSearchTimeLimit $ SolarisCacheTTL ) )

# End of solaris.scheam =

-----------------------------------------------------

The nisDomainObject object must be added to the root DN: dn: dc=3Dexample,dc=3Dcom objectclass: nisDomainObject nisDomain: = example.com

---------------------------------------------------=
---
Run ldapclient
# ldapclient -i -d example.com -b dc=3Dexample,dc=3Dcom <ldap =
servers>

Check "man ldapclient" for more info.  You may =
need to pass -a -D -w

OR  =
-------------------

Profile use:
Add to ldap directory:
dn: ou=3DProfile,dc=3Dexample,dc=3Dcom
objectclass: top
objectclass: organizationalUnit
ou: Profile

ldap_gen_profile -P eng -d example.com -b =
dc=3Dexample,dc=3Dcom <ldap servers>|\
ldapadd=20
Again, You may need to pass -a -D -w=20
ldapclient -P eng -d example.com <ldap servers>
------------------------------------------------------
Double check /etc/nssswitch.conf.

If you use LDAP for groups, =
make sure to add userPassword (ex. userPassword:
{crypt}*) to (objectclass=3DposixGroup) entries.  Otherwise nscd will be
crashing and, trust me, you want nscd to work.

Be careful with =
pam_ldap.  Service names need to look similar to
other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
other   auth sufficient  /usr/lib/security/$ISA/pam_ldap.so.1 =
use_first_pass
The Man pages suggest=20
other   auth sufficient   /usr/lib/security/$ISA/pam_unix.so.1
other   auth required     /usr/lib/security/$ISA/pam_ldap.so.1 =
use_first_pass
which will make your system open for public use.

I think that =
this is it...

Good luck.

-Igor

On Tue, 12 =
Sep 2000, Donald Hudson wrote:

> Date: Tue, 12 Sep 2000 =
12:19:55 -0700
> From: Donald Hudson
> Subject: configuring Solaris 8 pre-installed LDAP as NIS =
replacement?
>=20
> Has anyone successfully pulled together the information necessary =
to set
> up a directory to work as a NIS replacement for Solaris 8 clients =
using
> the "pre-installed" ldap support?  Solaris 8 appears to come
> pre-installed with the necessary modules (nss_ldap, pam_ldap) to =
use
> LDAP as a replacement for NIS, but documentation for setting it up =
seems
> to be almost non-existent!
>=20
> To start with, I've run into schema isssues.   Their client
> configuration utility "ldapclient", which is supposed to be the way =
to
> quickly configure a client for LDAP replacement of NIS, looks for a
> "nisDomainObject", which I was unable to find in the current set of
> nis/rfc2307 defs.  I did eventually locate a copy of Luke's 2307bis
> draft  with the additional defs (though that was difficult, as it
> appears to have expired and been dropped from the IETF site), so I =
was
> able to add the missing classes and attributes by hand.
>=20
> If I run their "ldap_gen_profile", which is supposed to create a =
LDIF
> file that can used to set up an LDAP entry that client machines can =
then
> use to when being configured for LDAP support, I see another set of
> objects and atttributes ( SolarisNamingProfile,  =
SolarisLDAPServers,
> SolarisSearchBaseDN, etc.)  that also don't appear to be in the =
schemas
> known to either the OpenLDAP server or the Netscape Directory =
Server.
> Anyone know where I can find the Solaris schema?
>=20
> Also, one side note about schema conflicts that I noticed when =
searching
> through the schemas.  RFC2307(bis) defines "nisMap" as .2.9, and =
appears
> to skip .2.13 in the list of class definitions.  Netscape's server
> appears to define .2.9 as "automount" (noting that it is =
deprecated),
> and defines .2.13 as "nisMap".
>=20
> Anyhow, if anyone out there has been through this same headache of
> trying to set up a Solaris 8 ldap client with the pre-installed =
software
> and can post a few details on how to do it, I'm sure it will be
> appreciated by more than just me.
>=20
> Donald Hudson