I am a novice in LDAP and need to configure an LDAP client (Solaris 10).
The client has to bind to an AD for LDAP queries. I have created a user called testbind in AD for binding purposes.
I am planning to configure the LDAP client manually (as the requirement is as such).
This is the script, which I believe will configure the client as an LDAP client.
Please correct me if I have put something wrong:
ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=testbind,dc=example,dc=com \
-a proxyPassword=password@123 \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a "defaultServerList=172.16.1.10" \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=example,dc=com?sub
The user for binding is "testbind".
The password for the testbind user is "password@123".
The IP of the domain controller is 172.16.1.10.
I will be running this as a script once I correct any mistakes above.
I would appreciate it if you could guide me.
Have you installed a Unix plugin on the AD server? What LDAP schema are you using? These affect the names of the objects you are interested in on the AD server.
I have been involved in extended attempts to get Solaris 10 to integrate with AD and got it such that you could su to a user from root, but could not get user log in to work from dtlogin(1), via SSH or even login(1).
I have done something very similar to you in order to get the output from "ps -ef" to translate UIDs and GIDs to the username and group on Solaris 10, but the actual logon is being handled by the LDAP PAM and NSS libraries from PADL with NSCD disabled (see "ps -ef" below).
Whatever you do, you will need to amend /etc/nsswitch.conf and /etc/pam.conf to refer to LDAP or Kerberos where appropriate; note that the settings in pam.conf have changed for Solaris 10.
Thanks for the reply, but you haven't cleared my doubts.
By the way, I am following Scott Lowe's blog on Solaris-AD integration to get my Solaris servers integrated with AD. LDAP client config is one of the steps in the blog and I couldn't understand the way he (Scott) has put it.
In fact the script I have pasted above is straight from his blog (except for the user "testbind"). But I was not too sure about whether I have been right with the customisations.
Now coming to your questions...
Have you installed a Unix plugin on the AD server?
Yes, I have installed a Unix plug-in and I am able to get the Unix attributes for users (I suppose that is what you are referring to).
What LDAP schema are you using?
Honestly, I don't know what schema I am using. Can you enlighten me?
And I am aware that I have to edit the nsswitch.conf file and pam.conf file on the Solaris end. But I believe when I run this script (ldapclient) the nsswitch.conf file automatically adds the ldap attribute to all services.
My confusion here is how to configure my Solaris client as an LDAP client: how to make the LDAP client bind with AD using a particular user and how to get its queries answered.
Depending on what Unix plugin/LDAP schema you are using the object names on the AD server will vary, e.g.:
attributeMap: passwd:uid=msSFU30Name
Where msSFU30Name is the name of the object in AD. If the object name is incorrect then the AD integration will not work (computers are picky like that!). The object names will vary depending on what Unix plugin you have installed, so I imagine the object names will be documented in it, and all need to be correct! The fact that you are getting user attributes back means you are not far off.
The testbind proxy user account needs to be a user in AD who has read permission for all the parts of the LDAP schema "tree" you need; it can be a non-interactive user but does need a password, i.e. the proxyPassword as you have shown.
Yes, you are correct; I was forgetting that the ldapclient(1m) command does copy /etc/nsswitch.ldap to /etc/nsswitch.conf.
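A small checker, added here as an example (it is not from this thread, Scott Lowe's blog or Sun's ldapclient tooling), that parses an `ldapclient manual` command line like the ones posted above and reports the problems discussed in this thread before the command is run on a box: a proxyDN whose RDNs are nested the wrong way, a proxyDN outside the search base, malformed attributeMap/objectClassMap entries, a missing passwd:uid mapping, and the clear-text proxyPassword sitting in the script. The sample script is constructed and uses a placeholder password; the "cn under cn" rule and the sAMAccountName/msSFU30Name remark are assumptions about how AD lays out user objects, not something the thread states.

```python
import re
import shlex

# Constructed sample modelled on the script posted in this thread (placeholder
# password, not the poster's). Its proxyDN deliberately nests cn= under cn= and
# it has no passwd:uid mapping, so the linter has something to report.
SAMPLE_SCRIPT = r"""ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=testbind,dc=example,dc=com \
-a proxyPassword=PLACEHOLDER_PASSWORD \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a "defaultServerList=172.16.1.10" \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a objectClassMap=passwd:posixAccount=user \
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub
"""

SERVICES = {"passwd", "group", "shadow"}


def parse_ldapclient(script):
    """Split an ldapclient command line into (mode, {attribute: [values]})."""
    # Join the backslash-continued lines, then let shlex strip the shell quotes
    # so "defaultServerList=..." and an unquoted value are parsed the same way.
    tokens = shlex.split(script.replace("\\\n", " "))
    if not tokens or tokens[0] != "ldapclient":
        raise ValueError("not an ldapclient invocation")
    mode, attrs, i = None, {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-a":                       # -a attribute=value (repeatable)
            key, _, value = tokens[i + 1].partition("=")
            attrs.setdefault(key, []).append(value)
            i += 2
        elif tok.startswith("-"):             # flags without an argument, e.g. -v
            i += 1
        else:                                 # manual / init / mod / list ...
            mode = tok
            i += 1
    return mode, attrs


def split_dn(dn):
    """Return [(type, value), ...] for a DN, splitting on unescaped commas."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        typ, eq, value = rdn.strip().partition("=")
        if not eq or not typ or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((typ.strip().lower(), value.strip()))
    return rdns


def lint_ldapclient(script):
    """Return a list of findings (strings) for an ldapclient manual command."""
    findings = []
    mode, attrs = parse_ldapclient(script)
    if mode != "manual":
        findings.append(f"mode is {mode!r}, expected 'manual'")
    if attrs.get("credentialLevel", [""])[0] == "proxy":
        for key in ("proxyDN", "proxyPassword"):
            if key not in attrs:
                findings.append(f"credentialLevel=proxy needs {key}")
        if "proxyPassword" in attrs:
            findings.append("proxyPassword is in the script in clear text: keep the file root-only")
    base = attrs.get("defaultSearchBase", [None])[0]
    for dn in attrs.get("proxyDN", []):
        try:
            rdns = split_dn(dn)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        # Assumption (heuristic, not a rule from the thread): in AD a user object
        # lives inside a container (cn=Users, an OU or the domain), so a cn=
        # directly under another cn= that is not 'Users' usually means the bind
        # user was written as a child of another user instead of its container.
        for (typ, val), (ptyp, pval) in zip(rdns, rdns[1:]):
            if typ == "cn" and ptyp == "cn" and pval.lower() != "users":
                findings.append(f"proxyDN nests cn={val} under cn={pval}; "
                                "expected a container such as cn=Users or an OU")
        if base and not dn.lower().endswith(base.lower()):
            findings.append(f"proxyDN {dn} is outside defaultSearchBase {base}")
    mapped = set()
    for key in ("attributeMap", "objectClassMap"):
        for entry in attrs.get(key, []):
            service, colon, rest = entry.partition(":")
            local, eq, remote = rest.partition("=")
            if service not in SERVICES or not colon or not eq or not local or not remote:
                findings.append(f"{key} entry {entry!r} is not service:local=remote")
                continue
            mapped.add((key, service, local.lower()))
    # Assumption: AD keeps the Unix login name in sAMAccountName (or msSFU30Name
    # with the SFU 3.x schema), so an unmapped passwd:uid breaks name lookups.
    if ("attributeMap", "passwd", "uid") not in mapped:
        findings.append("passwd:uid is not mapped (e.g. to sAMAccountName or msSFU30Name)")
    return findings


if __name__ == "__main__":
    for finding in lint_ldapclient(SAMPLE_SCRIPT):
        print("-", finding)
```

Run it against your own script file (`lint_ldapclient(open("ldapclient-mssfu.sh").read())`) before executing the script; a clean result only means the syntax and the shape of the DN are plausible, the bind itself still has to be verified with ldapsearch as done later in this thread.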
I managed to configure the LDAP client, but when I run ldaplist it returns an "object not found" error.
When I run this command:
ldapsearch -v -h 10.0.0.3 -b "dc=lxdc-india,dc=com" -D "cn=fis,cn=Users,dc=lxdc-india,dc=com" -w - "cn=administrator"
....and the bind password thereafter,
I am getting the following error:
ldap_simple_bind:Invalid Credentials.
I have rechecked the password for administrator, but still the same error.
I would appreciate it if you could throw some light on this.
Also, getent passwd is displaying my local passwd file.
ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=fis,cn=users,dc=lxdc-india,dc=com \
-a proxyPassword=efunds_15 \
-a defaultSearchBase=dc=lxdc-india,dc=com \
-a domainName=lxdc-india.com \
-a "defaultServerList=10.0.0.3" \
-a attributeMap=group:userpassword=msSFU30Password \
-a attributeMap=group:memberuid=msSFU30MemberUid \
-a attributeMap=group:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:gecos=msSFU30Gecos \
-a attributeMap=passwd:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:uidnumber=msSFU30UidNumber \
-a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginshell=msSFU30LoginShell \
-a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
-a attributeMap=shadow:userpassword=msSFU30Password \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=lxdc-india,dc=com?sub \
-a serviceSearchDescriptor=group:dc=lxdc-india,dc=com?sub
Tony, the AD I am using is a test AD (in a lab). Currently I have only two machines connected to it, a Windows desktop and a Sol10 client. I haven't created any OUs.
I have ensured that I am able to log in using the bind user from the Windows desktop.
So I believe it's not an incorrect password issue.
Anyway, I will keep searching. Do let me know if you come across something worthwhile. Hoping that your docs do give me some. Thanks for your consistent and informative replies.
I see there is now a 6.3.1.
I had to install from the compressed archive (zip) as Identity Synchronization for Windows was not part of the full pkg...
Currently I have a Solaris-only environment.
So would you advise me to use Sun Directory Services for integrating with AD, or would it be better to use Scott's methodology?
Of course, and as usual, it depends...
I'm in a heterogeneous environment: Windows, Solaris, Linux.
Adding the Unix schema to the corporate AD sounded too risky for management...
There was a first attempt at synchronization done using OpenLDAP and Kerberos, but the logs were full of error messages.
The main advantage of using Sun Directory Services is that you just need a unixproxy account from the AD administrators; after that you're on the road.
You can manage NFS automount as well; it works with Red Hat clients too...
I'm actually working on a per-user/server access restriction so that Dev guys can't log onto QA servers until they are granted access from the LDAP server...
I'll have to look whether in the 6.3.1 pkg version they have included the identity sync tool!
Hi Tony,
Despite trying a few changes, I am still where I was.
Still facing the Invalid Credentials issue.
ldaplist is showing an "object not found" error.
I too feel that it is an issue with the bind, and I am not sure whether the highlighted entry is right.
Can you help me to modify it?
# cat ldapclient-mssfu.sh
ldapclient -v manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=fis,cn=Users,dc=lxdc-india,dc=com \
-a proxyPassword=efunds_15 \
-a defaultSearchBase=dc=lxdc-india,dc=com \
-a domainName=lxdc-india.com \
-a "defaultServerList=10.0.0.3" \
-a attributeMap=group:userpassword=msSFU30Password \
-a attributeMap=group:memberuid=msSFU30MemberUid \
-a attributeMap=group:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:gecos=msSFU30Gecos \
-a attributeMap=passwd:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:uidnumber=msSFU30UidNumber \
-a attributeMap=passwd:uid=msSFU30Name \
-a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginshell=msSFU30LoginShell \
-a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
-a attributeMap=shadow:userpassword=msSFU30Password \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=lxdc-india,dc=com?sub \
-a serviceSearchDescriptor=group:dc=lxdc-india,dc=com?sub
In ADSI Edit, I see this entry:
CN=User CN=User,CN=schema,CN=configuration,DC=lxdc-india,DC=com
So should I change the proxyDN entry to:
-a proxyDN=cn=fis,cn=User,cn=schema,cn=configuration,dc=lxdc-india,dc=com \
If an entry for an OU is required, how and where should I add it?
Also, please let me know whether the attribute mappings are fine. If it has to be checked somewhere in ADSI Edit, please let me know where to check it.
I am trying hard to understand LDAP and your inputs will be a big help.
Thanks, Tony.
I resolved the issue by creating a separate OU, creating a proxy user inside the OU and then configuring the ldapclient to bind with this new user.
Thanks again. Hope you had a good Easter.