Изпечатай

[tmcdos]

Инсталирал съм Solaris - OpenIndiana 151a, SAMBA 3.5.5 и OpenLDAP 2.4.13
SAMBA работи, LDAP сървъра също - мога да се логна в него и дори си създадох няколко профила вътре (posixAccount).
SAMBA обаче не взима на доверие UID от свойствата на профила в LDAP, ами пробва с Get_PwNam и не успява.
getent passwd ldap_user не ми показва нищо.

/etc/openldap/slapd.conf:
include      /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/nis.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/solaris.schema
include   /etc/openldap/schema/samba.schema

pidfile      /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args

database   bdb
suffix      "dc=domain,dc=com"
rootdn      "cn=admin,dc=domain,dc=com" 

rootpw      my-secret
password-hash {CLEARTEXT}

directory   /var/openldap
monitoring off

authz-regexp uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth uid=$1,OU=users,DC=domain,DC=com
authz-regexp uid=([^,]*),cn=[^,]*,cn=auth uid=$1,OU=users,DC=domain,DC=com
authz-regexp uid=([^,]*),cn=[^,]*,cn=auth cn=$1,DC=domain,DC=com
authz-policy to

access to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none
access to attrs=sambaLMPassword,sambaNTPassword by dn="uid=samba_admin,dc=domain,dc=com" read by * none
access to dn.base="" by * read


/etc/openldap/init.ldif:

dn: dc=domain,dc=com
dc: domain
o: Office
objectclass: dcObject
objectclass: organization
objectclass: top

dn: cn=admin,dc=domain,dc=com
cn: admin
objectclass: organizationalRole

dn: ou=groups,dc=domain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

dn: ou=machines,dc=domain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: machines

dn: ou=users,dc=domain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

dn: sambaDomainName=domain,dc=domain,dc=com
objectclass: sambaDomain
objectclass: top
sambaalgorithmicridbase: 10000
sambadomainname: domain
sambasid: S-1-5-21-1

dn: uid=samba_admin,dc=domain,dc=com
objectclass: account
objectclass: simpleSecurityObject
objectclass: top
uid: samba_admin
userpassword: {SSHA}V4aSjZpxJs0jroIXrKAZKYRdDf7+M9H/


/etc/nsswitch.conf:

passwd:     files ldap
group:      files ldap
hosts:      files dns mdns
ipnodes:   files dns mdns

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:   user files

auth_attr:  files
prof_attr:  files
project:    files

tnrhtp:     files
tnrhdb:     files


Добавил съм в /etc/pam.conf:

login auth sufficient pam_ldap.so.1
other auth sufficient pam_ldap.so.1
other account sufficient pam_ldap.so.1


Настроил съм профил USER с nwamcfg:

        activation-mode                 manual
        enabled                         true
        nameservices                    files,dns,ldap
        nameservices-config-file        "/etc/nsswitch.conf"
        dns-nameservice-configsrc       manual
        dns-nameservice-domain          "domain.com"
        dns-nameservice-servers         "192.168.2.1"
        dns-nameservice-search          "domain.com"
        ldap-nameservice-configsrc      manual
        ldap-nameservice-servers        "127.0.0.1"
        default-domain                  "domain.com"


/var/ldap/ldap_client_cred:

NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com
NS_LDAP_BINDPASSWD= my-secret


/var/ldap/ldap_client_file:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 127.0.0.1
NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
NS_LDAP_CACHETTL= 0
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com


Това ми е първи сблъсък със SOLARIS и съм като в небрано лозе.

[tmcdos]

Проблемът се реши с редактиране на NWAM профила Automatic и повторно изпълнение на ldapclient:

ldapclient manual -v \
 -a credentialLevel=proxy \
 -a authenticationMethod=simple \
 -a proxyDN=cn=admin,dc=domain,dc=com \
 -a proxyPassword=my-secret \
 -a defaultServerList=127.0.0.1:389 \
 -a defaultSearchBase=dc=domain,dc=com \
 -a domainName=domain.com \
 -a followReferrals=false \
 -a attributeMap=group:userpassword=userPassword \
 -a attributeMap=group:memberuid=memberUid \
 -a attributeMap=group:gidnumber=gidNumber \
 -a attributeMap=passwd:gecos=cn \
 -a attributeMap=passwd:gidnumber=gidNumber \
 -a attributeMap=passwd:uidnumber=uidNumber \
 -a attributeMap=passwd:homedirectory=homeDirectory \
 -a attributeMap=passwd:loginshell=loginShell \
 -a attributeMap=shadow:shadowflag=shadowFlag \
 -a attributeMap=shadow:userpassword=userPassword \
 -a objectClassMap=group:posixGroup=posixGroup \
 -a objectClassMap=passwd:posixAccount=posixAccount \
 -a objectClassMap=shadow:shadowAccount=shadowAccount \
 -a serviceSearchDescriptor=passwd:ou=users,dc=domain,dc=com?sub \
 -a serviceSearchDescriptor=group:ou=groups,dc=domain,dc=com?sub

и малка корекция в /etc/nsswitch.ldap - да използва DNS за hosts