Known Solaris and LDAP Problems

From: Bernd Nies (bernd.nies_at_astroinfo.org)
Date: 09/02/03


Date: 2 Sep 2003 00:02:49 -0700

Hi,

I'll post this list of Solaris and LDAP problems to comp.unix.solaris
because I haven't found a solution for this yet. Most are bugs in the
LDAP integration of Solaris 8 2/02 and Solaris 9 4/03 with Sun ONE
Directory Server 5.2.

NIS+/LDAP Incompatibility
-------------------------

* LDAP: LDAP automounter maps: no '+' allowed in the key name, and keys are
  case insensitive (e.g. the mountpoints /opt/install/easypres and
  /opt/install/EASYPRES cannot coexist). Workaround for upper case file
  names: add a second entry using the %Abc encoding (e.g. %E%A%S%Y%P%R%E%S).
* LDAP/NIS+: Transition mode (NIS+ gets its tables from LDAP) on Solaris 9
  only.
* LDAP/NIS+: For the transition the PasswordStorageScheme must be crypt. The
  default, and more secure, scheme is SSHA.
* Solaris 8/9: Programs using the getpwnam function for authentication (e.g.
  /opt/openwin/bin/xlock, KDE 2.1.1 screen lock) get an empty password on an
  LDAP client.
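
As an added example (not part of the original post), the %Abc encoding and the case-insensitivity clash described above, plus the matching LDIF entry in the Solaris 8 (nisMap*) and Solaris 9 (automount*) automounter schemas listed under "LDAP schema differences"; the DN layout and objectclass names used for the LDIF are assumptions, and the map name and base DN are constructed:

```python
import re

# Constructed example: every upper-case letter of an automounter key is
# prefixed with '%', so EASYPRES becomes %E%A%S%Y%P%R%E%S.
def encode_automount_key(key: str) -> str:
    if "+" in key:
        raise ValueError("'+' is not allowed in an LDAP automounter key")
    return "".join("%" + c if c.isupper() else c for c in key)

def decode_automount_key(encoded: str) -> str:
    # Reverse the encoding: '%X' becomes 'X'; everything else passes through.
    return re.sub(r"%([A-Z])", r"\1", encoded)

def conflicting_keys(existing, new_key):
    # LDAP automounter lookups are case insensitive, so two keys that differ
    # only in case cannot coexist in one map; report any such clash.
    return [k for k in existing if k.lower() == new_key.lower() and k != new_key]

def automount_ldif(map_name, key, location, base, solaris9=True):
    # Emit the entry in the schema the client expects: Solaris 9 automount*
    # attributes, or Solaris 8 nisMap* attributes. Objectclass names and the
    # DN layout are assumed here, not taken from the post.
    if solaris9:
        return (f"dn: automountKey={key},automountMapName={map_name},{base}\n"
                "objectClass: automount\n"
                f"automountKey: {key}\n"
                f"automountInformation: {location}\n")
    return (f"dn: cn={key},nisMapName={map_name},{base}\n"
            "objectClass: nisObject\n"
            f"cn: {key}\n"
            f"nisMapName: {map_name}\n"
            f"nisMapEntry: {location}\n")

if __name__ == "__main__":
    existing = ["easypres", "tools"]
    new = "EASYPRES"
    if conflicting_keys(existing, new):
        new = encode_automount_key(new)   # store %E%A%S%Y%P%R%E%S instead
    print(automount_ldif("auto_install", new, "srv:/export/EASYPRES",
                         "o=mycompany,c=ch"))
```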

Users and Passwords
-------------------

* Solaris 8: LDAP user inactivation does not work. An inactivated user can
  still log in. Fixed after patching and using pam.conf with the binding
  control flag.
* Directory Console: Account lockout after n wrong password logins: where is
  this information stored? How to unlock?
* Directory Console: Creating users: how to add the shadowAccount objectclass
  and attributes automatically?
* Directory Console: Missing: simple GUI for phone number and user account
  management.
* Solaris 8/9: Changing passwords using the passwd command does not work
  through an LDAP replica because the LDAP referral URL is not properly
  recognized. Workarounds:
  o Use the Directory Server Console
  o Log in on adnldap.adnovum.ch, which binds to the supplier LDAP server
  o Use ldapmodify: create a file containing the following (the -w - option
    makes the Sun ldapmodify prompt for the bind password)

    ldapmodify -v -h ldap-master -w - -D uid=bernd,ou=people,o=mycompany,c=ch <<EOF
    dn: uid=bernd,ou=people,o=mycompany,c=ch
    changetype: modify
    replace: userPassword
    userPassword: test123
    EOF

* SuSE Linux 8.2: Changing passwords works but by default stores the new
  password in crypt format. Change the password scheme in
  /etc/openldap/ldap.conf to pam_password clear so the LDAP server will
  encrypt the password.
* Solaris 8/9: Using this stack (LDAP with password management) in
  /etc/pam.conf

    other account requisite pam_roles.so.1
    other account required pam_projects.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1

  rsh/rlogin without password (host/username entry in .rhosts) does not work.
  When using this stack (LDAP without password management)

    other account requisite pam_roles.so.1
    other account required pam_projects.so.1
    other account required pam_unix_account.so.1

  rsh/rlogin without password works ... BUT inactivated users can log in with
  ANY PASSWORD !!! This is a bug in the Directory Server.
* Solaris 8/9: Password aging does not work. When a user changes the password
  with passwd the shadowLastChange attribute is unchanged. Workaround: remove
  all shadow* attributes or set shadowMax to -1.
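
As an added example (not part of the original post), a small checker for the two "other account" stacks contrasted above: it parses Solaris pam.conf lines (service, type, control flag, module, optional module arguments) and reports which of the behaviours the post describes applies to a given stack. The two sample stacks are the ones quoted in the post, embedded inline as test input; the report keys are assumed names, not anything Solaris itself emits.

```python
# Constructed sample stacks, copied from the post, used as inline input.
WITH_PW_MGMT = """\
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
"""

WITHOUT_PW_MGMT = """\
# LDAP without password management
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
"""

def parse_pam_conf(text):
    # Return [(service, type, flag, module, [options])], skipping blank lines
    # and '#' comments; a line with fewer than four fields is malformed.
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {line!r}")
        service, ptype, flag, module, *opts = fields
        entries.append((service, ptype, flag, module, opts))
    return entries

def account_stack_report(text, service="other"):
    # Map the stack to the findings in the post: with pam_ldap.so.1 present
    # (and pam_unix_account binding ... server_policy) inactivated accounts
    # are enforced but passwordless rsh/rlogin via .rhosts fails; without it
    # passwordless rsh/rlogin works but inactivated users are not enforced.
    stack = [e for e in parse_pam_conf(text)
             if e[0] == service and e[1] == "account"]
    modules = {e[3]: (e[2], e[4]) for e in stack}
    unix_flag, unix_opts = modules.get("pam_unix_account.so.1", (None, []))
    ldap_checked = "pam_ldap.so.1" in modules
    return {
        "ldap_password_management": ldap_checked and "server_policy" in unix_opts,
        "inactivated_users_enforced": ldap_checked,
        "rhosts_passwordless_login": not ldap_checked,
        "unix_account_flag": unix_flag,
    }

if __name__ == "__main__":
    print(account_stack_report(WITH_PW_MGMT))
    print(account_stack_report(WITHOUT_PW_MGMT))
```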

JumpStart
---------

* Solaris 8: Does not work with a Solaris 9 style sysidcfg file. Requires a
  separate one without the proxy_dn and proxy_password parameters.
* Solaris 8: Requires the old style profile with objectclass
  SolarisNamingProfile. The newer Solaris 9 style profile works only after
  patching.
* Solaris 9: The syntax of the sysidcfg file supports more parameters
  (proxy_dn and proxy_password). Workaround to stay compatible with Solaris 8:
  created a common sysidcfg with a hybrid LDAP profile for Solaris 8/9 and
  anonymous authentication (profile name: jumpstart). Example:

    system_locale=C
    terminal=vt100
    timezone=MET
    timeserver=192.168.5.45
    name_service=LDAP
    { domain_name=mycompany.ch
      profile=jumpstart
      profile_server=192.168.5.216
    }
    network_interface=primary
    { netmask=255.255.255.0
      protocol_ipv6=no
      default_route=192.168.5.253
    }
    security_policy=NONE
    root_password=EnCrYpTeDpAsSwOrD
  
* Solaris 8/9: In /etc/bootparams the naming service parameter (ns=) supports
  only nis, nisplus or none, not LDAP. See man bootparams. Workaround: use
  only IP addresses in /etc/bootparams.
* Solaris 9: Client cannot be set up using SSL LDAP with JumpStart (missing
  certificate databases). Must be done in a System V RC startup script.

Other Headaches
---------------

* For other authentication methods (SASL/DIGEST-MD5) the PasswordStorageScheme
  must be 'clear'. For Windows integration the PasswordStorageScheme probably
  also must be 'clear'.
* Windows: Active Directory is the same as LDAP, but uses totally different
  schemas.
* Solaris 8/9: LDAP schema differences:
  o config profile schema: attributes/objectclasses in S8 begin with Solaris*;
    in S9 proxyDN/proxyPassword moved from the profile to the client. After the
    latest patch cluster Solaris 8 clients accept the new Solaris 9 schema.
  o automounter maps: S8 cn/nisMapName/nisMapEntry,
    S9 automountKey/automountMapName/automountInformation
* Solaris 8: The latest recommended patch cluster is required. It fixes LDAP
  case sensitivity bugs, most Solaris 9 schema differences, SSL/TLS support
  and the PAM modules. --> no patching, no LDAP!
* Solaris 9: The documented 'binding' control flag produces illegal pam.conf
  entries.
* SSL: The certificate of all subnet replica servers must be identical
  (ldap.mycompany.ch), but the certificate of the master server must be
  different (ldap-master.mycompany.ch). Entries in /etc/hosts are required for
  all LDAP servers.
* Solaris 8/9: An LDAP server being its own client is not supported by Sun,
  but works when changing the lookup and start/shutdown order.
* Solaris 8: lp services cannot look up printer entries using LDAP in
  /etc/nsswitch.conf. Solaris 9 lp works. Workaround: all printers must be
  added to /etc/printers.conf.

Hope this helps,

Bye,
Bernd


