Friday, August 12, 2005

TOPIC: SOLARIS LDAP CLIENT INTEGRATION WITH OPENLDAP
===============================

I am starting to set up my Solaris 8 boxes to talk to a Linux OpenLDAP
server (2.2.6). I cannot remember the patch ID, but I've patched the
Solaris boxes with the latest LDAP client patches - I'm aware there
were some issues with the original ldapclient in Sol8.

The howtos I'm following have me manually editing the ldap_client_file
(against Sun's recommendation), but it seems to be the way of getting
the native Sun LDAP client to speak with OpenLDAP.

The test Solaris boxes happily query the LDAP server for their user
information and users can log in - the Solaris LDAP client uses a
specially created (proxy) ldap account to log into LDAP server.

The problem I have is that the root account cannot arbitrarily reset
passwords (as it should normally do): if root tries to change a user's
password it prompts for the user's current password before asking for
the new one (à la a regular user). The password change does work.

On Linux using the PADL nss_ldap libraries there is an option in the
LDAP configuration files to define a "root" login for LDAP i.e. any
process running as UID 0 uses the given credentials (defined as rootDN)
which will be suitably permissioned.

I don't have the option of using the PADL nss_ldap libraries on Solaris (I
know I could compile them); I have to use what is there already. How
does Solaris normally get around this problem, or are all management
functions (e.g. resetting passwords) done through some fancy GUI-based
tool? (We're not running X on the boxes either.)

So after rambling away my question is: is there an equivalent
configuration option in the Solaris native LDAP client to the PADL
nss_ldap configuration option RootDN?

I have a suspicion the answer is no and all management level stuff is
done purely through the GUI tool rather than existing ldapified
commands e.g. passwd

Thanks in advance for any insights.

> I have a suspicion the answer is no and all management level stuff is
> done purely through the GUI tool rather than existing ldapified
> commands e.g. passwd

We don't use the GUI tools either, and also don't use passwd and such.
We use LDAP Administrator (www.ldapadministrator.com) to do all
administration in LDAP directly. No need to pay for LDAP Administrator;
there are also other tools around (LDAP Browser/Editor by Jarek Gawor
is the one I'm using at home).

HTH, Erik.
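The two mechanisms the thread touches on, the PADL "root bind" that the question describes and the "administer the directory directly" approach in Erik's reply, come down to the same thing: a privileged DN binds to OpenLDAP and replaces the user's userPassword attribute, so the old password is never needed. The following is an added example written for this page; it is not code from either poster. It mirrors the PADL nss_ldap convention (the directive is spelled `rootbinddn` in ldap.conf, and the bind password lives in `/etc/ldap.secret`, which must be root-owned and mode 0600), hashes the new password in OpenLDAP's {SSHA} form, and emits the LDIF that `ldapmodify` would push to the server. The hostname, DNs, file contents and the sample password are constructed for illustration.

```python
"""Administrator password reset pushed straight into the directory.

Added example for this thread, not code from either poster.  Mirrors the
PADL nss_ldap convention (rootbinddn in ldap.conf, bind password in
/etc/ldap.secret, mode 0600) and produces the LDIF an administrator feeds
to ldapmodify to replace userPassword without knowing the old value.
All DNs, paths and passwords below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
import secrets
import stat


def rootbinddn_from_conf(conf_text):
    """Return the rootbinddn value from PADL-style ldap.conf text, or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "rootbinddn":
            return parts[1].strip()
    return None


def secret_file_problem(mode, uid):
    """Why a secret file with this st_mode/st_uid is unsafe, or None if fine.

    nss_ldap only honours rootbinddn when the secret is readable by root
    alone; anything looser hands the directory admin password to every
    local user, which defeats the point of a proxy account for everyone else.
    """
    if not stat.S_ISREG(mode):
        return "not a regular file"
    if uid != 0:
        return "not owned by uid 0"
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "group or world accessible"
    return None


def read_root_secret(path="/etc/ldap.secret"):
    """Read the rootbinddn password after checking ownership and mode."""
    st = os.stat(path)
    problem = secret_file_problem(st.st_mode, st.st_uid)
    if problem:
        raise PermissionError(f"{path}: {problem}")
    with open(path, encoding="utf-8") as f:
        return f.read().rstrip("\n")


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} format: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def reset_password_ldif(user_dn, new_password, salt=None):
    """LDIF that replaces userPassword; the old value is never needed.

    Apply with the admin credentials, for example:
      ldapmodify -x -H ldap://ldap.example.com \
          -D "cn=admin,dc=example,dc=com" -y /etc/ldap.secret -f reset.ldif
    The value is pre-hashed so no cleartext lands in the directory or logs.
    """
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {ssha_hash(new_password, salt)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample configuration, not a real one.
    sample_conf = (
        "host ldap.example.com\n"
        "base dc=example,dc=com\n"
        "# UID 0 binds with this DN; its password lives in /etc/ldap.secret\n"
        "rootbinddn cn=admin,dc=example,dc=com\n"
    )
    print("bind as:", rootbinddn_from_conf(sample_conf))
    print(reset_password_ldif("uid=alice,ou=People,dc=example,dc=com", "s3cret"))
```

Two caveats for anyone doing this against OpenLDAP 2.2: the admin DN needs write access to userPassword in the slapd ACLs (for example `access to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none`), and `ldapmodify -y` uses the entire contents of the password file, so the secret file must be written without a trailing newline or the bind will fail.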
