Re: Directory Server LDAP/LDIF import - working yet not working???

From: John_B (spam.sucks.and.spammers.blow_at_nospam.here.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 12:39:49 -0500

Jesse DeFer wrote:

> If you are using pam_ldap, then you don't need to see the userpassword,
> if you are using pam_unix you do. pam_ldap uses an LDAP bind to
> authenticate the users, pam_unix retrieves the crypted password and
> compares it locally.

For security reasons, we are keeping root and other system-level
accounts local particularly since our servers have different passwords.
So, not every account will be going into LDAP. As long as I have
passwd: files ldap in nsswitch.conf, I assume that I'll need to keep the
pam_unix entries.

> In case of pam_unix, check to see that idsconfig updated the proper ACI
> that allows the proxy agent to read the password:
> http://docs.sun.com/app/docs/doc/806-5580/6jej518pq?l=fr&a=view
> Look in the section: Give the Proxy Agent Read Permission for Password.

Will do. Printing it off right now.

> One step idsconfig didn't do was add the proxy agent account, I had to
> do it myself. In the URL above see the section: Add the proxyagent
> Entry to the LDAP Server.

Interesting. I gave idsconfig all of the information for a proxyagent
account. Of course, in the jumble of this past week, I might be
hallucinating as well.

> Make sure your directory server is patched. I had the original 5.2 and
> it had a bug with VLVs that prevented groups from being enumerated (with
> an operations error message). There are different patches depending on
> if you have the package or the tarball version, a quick search on
> sunsolve will turn them up.

Fortunately, I always look for the newest patches when installing things
like this, for both the operating system and the application.

> The id and finger commands are useful to see if you're querying LDAP
> properly.

I did notice one thing that's unusual, unless I'm doing something wrong.
(Like THAT would be a surprise.) I can run ldaplist -l passwd
{userid} and have it respond without any problems. However, I can't run
ldapsearch, although this might come back to the proxyagent issue again.

bash-2.03# ldapsearch -D "cn=proxyagent,ou=profile,dc=#####,dc=###" -w testing -b dc=#####,dc=### objectclass=\*
ldap_simple_bind_s: Can't contact LDAP server

bash-2.03# ldapsearch -D "cn=proxyagent,ou=profile,dc=#####.###" -w testing -b dc=#####,dc=### objectclass=\*
ldap_simple_bind_s: Can't contact LDAP server

Needless to say, I'm a bit confused that I can contact the LDAP server
with one command but not the other, unless that error message isn't
really indicative of the specific problem.

> I didn't add an authenticationMethod to my client profile when I created
> it, assuming it would default to something (like simple), it doesn't.
> Make sure you've got something in there.

That's very likely. Here is the LDIF file that I used for the profile.
As you stated, authenticationMethod is missing.

dn: cn=Sol8profile,ou=profile,dc=#####,dc=###
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: 10.224.0.105
defaultSearchBase: dc=#####,dc=###
cn: Sol8profile

> Using a separate LDAP server and client, so you can sniff the LDAP
> traffic is very useful.

Fortunately, that's what I'm doing. And, yes, they're test servers, not
production. :) That would be asking not just for trouble but for a
pink slip.

I'll take a look at the proxyagent password as was suggested in another
reply as well.

-- John
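Added example, not part of John's or Jesse's posts: a small POSIX sh lint that checks a DUAConfigProfile LDIF for the bind attributes the thread turns on (authenticationMethod, which has no default, and an explicit credentialLevel), shows the corrected profile beside the posted one, and checks an ldapmodify file for the ACI that lets the proxy agent read userPassword, which pam_unix needs. The suffix dc=example,dc=com stands in for the redacted one, the server address 10.224.0.105 is taken from the posted profile, and the proxyagent DN under ou=profile is assumed. Two caveats for anyone reproducing the steps: authenticationMethod: simple sends the proxy agent's password in the clear, so prefer tls:simple (or a SASL method) once the test sniffing is done; and the Solaris ldapsearch command connects to localhost when no -h is given, while ldaplist goes through ldap_cachemgr to the server named in the profile, so "Can't contact LDAP server" from ldapsearch alone is worth retrying with -h 10.224.0.105 before blaming the proxyagent account.

```shell
#!/bin/sh
# Added example, not code from the original thread. Lints a Solaris
# DUAConfigProfile LDIF for the bind attributes a proxy-credential client
# needs, and checks an ldapmodify file for the ACI that lets the proxy agent
# read userPassword (required for pam_unix). Assumptions: suffix
# dc=example,dc=com, server 10.224.0.105, profile name Sol8profile.

WORK="${TMPDIR:-/tmp}/dua-lint.$$"
mkdir -p "$WORK"

# Attributes a client profile needs when binding as a proxy agent.
# authenticationMethod has no default; credentialLevel is listed so the
# profile states its intent instead of relying on a default.
REQUIRED_ATTRS="defaultServerList defaultSearchBase credentialLevel authenticationMethod"

# check_profile FILE: print each missing attribute; return 1 if any is missing.
check_profile() {
    rc=0
    for attr in $REQUIRED_ATTRS; do
        # LDIF attribute names are case-insensitive, hence grep -i.
        if ! grep -iq "^${attr}:" "$1"; then
            echo "$1: missing $attr"
            rc=1
        fi
    done
    return $rc
}

# check_password_aci FILE DN: return 0 if FILE carries an aci line that names
# userPassword as target attribute and grants it to DN.
check_password_aci() {
    grep -i '^aci:' "$1" | grep -i 'targetattr *= *"userPassword"' \
        | grep -iq "userdn *= *\"ldap:///$2\""
}

# cleanup: remove the constructed sample files.
cleanup() { rm -rf "$WORK"; }

# Constructed sample: the profile as posted in the thread, suffix swapped.
cat >"$WORK/posted.ldif" <<'EOF'
dn: cn=Sol8profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: 10.224.0.105
defaultSearchBase: dc=example,dc=com
cn: Sol8profile
EOF

# Constructed sample: the same profile with the bind settings filled in.
# tls:simple keeps the proxy agent's password off the wire; a plain "simple"
# bind sends it in cleartext, which a sniffer on the test network will show.
cat >"$WORK/fixed.ldif" <<'EOF'
dn: cn=Sol8profile,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 10.224.0.105
defaultSearchBase: dc=example,dc=com
credentialLevel: proxy
authenticationMethod: tls:simple
cn: Sol8profile
EOF

# Constructed sample: ldapmodify input granting the proxy agent read, search
# and compare on userPassword at the suffix (Directory Server ACI syntax).
cat >"$WORK/proxy-aci.ldif" <<'EOF'
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl "password read"; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
EOF

PROXY_DN="cn=proxyagent,ou=profile,dc=example,dc=com"

# Stand-alone run: the posted profile reports two missing attributes,
# the fixed one passes, and the ACI file grants PROXY_DN the password read.
for f in posted fixed; do
    if check_profile "$WORK/$f.ldif"; then
        echo "$f.ldif: ok"
    fi
done
if check_password_aci "$WORK/proxy-aci.ldif" "$PROXY_DN"; then
    echo "proxy-aci.ldif: $PROXY_DN may read userPassword"
fi
```

Run it as-is to see the posted profile flagged for credentialLevel and authenticationMethod; to apply the corrected profile or the ACI to a test directory, feed the generated files to ldapmodify with the Directory Manager credentials, and call cleanup afterwards to remove the sample files.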


