Re: ldapclient init with proxy
From: Erik C.J. Laan (news_at_elaan.dds.nl)
Date: 05/10/04
- Next message: Wayne Brown: "Re: Solaris 8 printer question"
- Previous message: mikemcdonough: "Re: solaris package listing"
- In reply to: Wolfgang Mair: "ldapclient init with proxy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 10 May 2004 21:19:33 +0200
Wolfgang Mair wrote:
> Hello,
>
> I've changed the default aci for my userRoot directory (dc=sunny,dc=de)
> for Anonymous access, from granting access to all users to the proxy
> user only. (To prevent everyone from reading my directory)
> Unfortunately now I'm not able to set up a client with the ldapclient
> init command shown below anymore.
>
> According to the logs in the access file of the ldap server, the client
> is still trying to connect and download the profile via anonymous user.
>
> So, how can I force the ldapclient init command to use the proxy account
> to set up the client host?
> As I found out, it is only a matter of the setup, once set up, the
> refresh of the profile runs fine. Because the client connects to the
> server and binds to proxyagent. But it doesn't do this for the setup :-((
>
> Thank you
>
> Wolfgang
>
> Here's the command:
>
> ldapclient init -a proxypassword=proxy -a profileName=default \
> -a proxydn=cn=proxyagent,ou=profile,dc=sunny,dc=de \
> -a domainname=sunny.de 192.168.230.35
>
> And here is the output:
>
> Parsing proxydn=cn=proxyagent,ou=profile,dc=sunny,dc=de
> Parsing proxypassword=proxy
> Parsing profileName=default
> Parsing domainname=sunny.de
> Arguments parsed:
> domainName: sunny.de
> proxyDN: cn=proxyagent,ou=profile,dc=sunny,dc=de
> profileName: default
> proxyPassword: proxy
> defaultServerList: 192.168.230.35
> Handling init option
> About to configure machine by downloading a profile
> findBaseDN: begins
> findBaseDN: ldap not running
> findBaseDN: calling __ns_ldap_default_config()
> found 2 namingcontexts
> findBaseDN: __ns_ldap_list(NULL,
> "(&(objectclass=nisDomainObject)(nisdomain=sunny.de))"
> rootDN[0] dc=sunny,dc=de
> NOTFOUND:Could not find the nisDomainObject for DN dc=sunny,dc=de
> findBaseDN: __ns_ldap_list(NULL,
> "(&(objectclass=nisDomainObject)(nisdomain=sunny.de))"
> rootDN[1] o=NetscapeRoot
> NOTFOUND:Could not find the nisDomainObject for DN o=NetscapeRoot
> found_cxt = -1
> findBaseDN: Err exit
> Failed to find defaultSearchBase for domain sunny.de
> #
Can't help you, from my experience you need to grant anon access, but to
the configuration profile only. So you should add another ACI granting
anon access to the container with objectclass=nisDomainObject, the
ou=Profile container below that, and all profiles below that. For
Solaris 8 and patch 108993 < 13 you can use this targetfilter:
(|(objectClass=nisDomainObject)(ou=Profile)(objectClass=SolarisNamingProfile))
and for Solaris 8 with patch 108993 >14, Solaris 9 etc. you can use:
(|(objectClass=nisDomainObject)(ou=Profile)(objectClass=DUAConfigProfile))
This will only grant anon access to the data needed to install clients.

Another option is to install on 1 machine, and copy the files
/etc/nsswitch.conf, /etc/pam.conf, /var/ldap/ldap_client_file and
/var/ldap/ldap_client_cred to the machine you're doing a new install on.
You probably only need to adjust some values in
/var/ldap/ldap_client_cred and/or /var/ldap/ldap_client_file. Start
ldap_cachemgr and restart nscd to check, reboot to really activate.

HTH, Erik
P.S. I don't recommend the above with Sol8/patch108993<13 as this exposed
the (encrypted) password of the proxy-agent to anon access. With patch
108993 > 14 and the DUA Config profiles the profiles don't contain the
password anymore.
--
---------------------------------------------------------------------------
Erik C.J. Laan elaan at dds.nl
Please reply below the message, please cut irrelevant pieces from a reply.
---------------------------------------------------------------------------
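Erik's suggestion written out as an LDIF modification for Wolfgang's directory (an added example, not from the original thread): the suffix dc=sunny,dc=de and the DUAConfigProfile targetfilter come from the messages above; the ACI name and the read/search/compare rights are my assumptions, and the ACI is placed on the suffix because that entry carries the nisDomainObject and the profiles live below it.

```ldif
# Constructed example: allow anonymous read of the client-bootstrap data only.
# An aci on dc=sunny,dc=de applies to that entry and its whole subtree, so the
# targetfilter limits what anonymous can see to the nisDomainObject entry, the
# ou=Profile container and the DUAConfigProfile entries (e.g. cn=default) below it.
# For Solaris 8 with patch 108993 < 13 use objectClass=SolarisNamingProfile
# instead, keeping in mind the P.S. above about the proxy password in those profiles.
dn: dc=sunny,dc=de
changetype: modify
add: aci
aci: (targetfilter="(|(objectClass=nisDomainObject)(ou=Profile)(objectClass=DUAConfigProfile))")
  (targetattr="*")
  (version 3.0; acl "anonymous read of ldapclient profiles";
  allow (read,search,compare) userdn="ldap:///anyone";)
```

After loading this with ldapmodify, an unauthenticated `ldapsearch -h 192.168.230.35 -b dc=sunny,dc=de "(objectclass=nisDomainObject)"` should return the suffix entry, while a search for ordinary user entries should still return nothing.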