The .com I was doing this work for went belly up in March 2000. This removed a lot of my motivation and resources to complete this piece of documentation; as such it's quite incomplete, but it does contain all the information I needed to get up and running (and a lot more I pieced together). Hopefully the information contained here is still useful and, since it's on the Wiki site, hopefully someone will feel like completing it for everyone's benefit. -- AdamShand
This was originally written early February 2001 in the hopes that no one else would suffer through the frustration I went through getting LDAP to work as a central naming and authentication service using the native Solaris 8 LDAP libraries. In the end I discovered that this really wasn't very hard to do, but since I knew very little about LDAP or PAM going into this it was quite a learning curve. I've attempted to document a "best practice" but my personal bias as well as my inexperience with LDAP will obviously show through. If you have any feedback (good or bad), especially if I've misunderstood or misrepresented something, please let me know.
[Note: The original non-wiki document. Since you can't edit it, it's largely useless but it does have more links until I finish porting them over.]
See also: SunSolaris, LdapAuthentication, AppleOsxIntegrationWithOpenldap, OpenLdap, Solaris 9 LDAP Updates
Compile OpenLDAP Server
I chose to stick with the 2.0 OpenLdap tree. Currently it's the unstable branch but I decided I would rather deal with possible bugs now than worry about a migration of such a crucial service later. I configured OpenLdap without Cyrus SASL and with OpenSSL, TCP wrappers and Berkeley DB. The main reason for omitting SASL was I felt that there were enough unknowns without adding SASL to the mix as well. I also think that simple authentication, so long as a secure transport is used (e.g. SSL/TLS), is sufficient to keep your users' information secure.
- Compile and install Berkeley DB (or download a package). Berkeley DB or another DB is required for OpenLDAP to run.
- Compile and install TCP wrappers (or download a package). If you don't want the ability to control what hosts can talk to your LDAP server with the hosts.allow/hosts.deny files you can omit this step.
- Compile and install OpenSSL (or download a package). If you don't want the ability to have queries go to your LDAP server via SSL then you can omit this step.
- Download the latest version of OpenLDAP (version > 2.0) and untar it in your src directory.
- Now you need to run configure in the source directory. You'll need to use some common sense and change the library paths if you've installed them into different places than I did. Also the export paths will only work with bash/ksh; you'll need to adapt them for plain sh or [t]csh.
# export LDFLAGS="-L/usr/local/BerkeleyDB.3.1/lib -L/usr/local/ssl/lib -R/usr/local/BerkeleyDB.3.1/lib"
# export CPPFLAGS="-I/usr/local/BerkeleyDB.3.1/include -I/usr/local/ssl/include"
# ./configure --prefix=/usr/local --enable-wrappers --with-tls --without-cyrus-sasl
It's worth scrolling through the output of configure to make sure that all the libraries that you wanted it to find were indeed found. The "-R" option in LDFLAGS is required under Solaris 8 so that the dynamically linked libraries can be found at run time (there is another way, see tips and tricks).
- Now build and install OpenLDAP.
# make depend
# make
# make test
# make -n install
# make install
During the tests watch carefully and make sure that they all succeed. If they don't, you have done something wrong and you're going to have problems; you need to fix it now before you go farther. The "make -n install" is an optional step; it just lets you see where the makefile will install everything without actually doing anything. I like doing this before an install just because I hate running unknown commands as root.
Configure Master Server
First you need to get your master server up and running. The hardest part of that is building and designing the schema. Since your schema is really up to you and what you want, I'm going to show you what I did (which is the bare minimum to make it work).
- Configure your slapd.conf (it should be in /usr/local/etc/openldap). I've included a sanitized version of mine for you to look at and we'll go through the important pieces here.
Configure Slave Servers
Configure Clients
- Make sure that ldap_cachemgr isn't running
# /etc/init.d/ldap.client stop
- Create the /var/ldap/ldap_client_file
NS_LDAP_SERVERS= 192.168.1.125
NS_LDAP_SEARCH_BASEDN= dc=metstream,dc=net
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_DOMAIN=metstream.net
- Create the /var/ldap/ldap_client_cred file
NS_LDAP_BINDDN= cn=proxyagent,dc=metstream,dc=net
NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxx
- Make sure that these files are readable only by root (they contain the proxyagent bind DN and password)
# chown root:root /var/ldap/*
# chmod 600 /var/ldap/*
- Update your /etc/nsswitch.conf file to use ldap for the passwd: and group: parts. The relevant parts should look like this (the TRYAGAIN part stops it from trying to reach the LDAP server forever if it's down):
passwd: files ldap [TRYAGAIN=5]
group: files ldap [TRYAGAIN=5]
- Start up ldap_cachemgr
# /etc/init.d/ldap.client start
- Now see if you can finger a user that only exists in your LDAP database.
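A small check script for the client setup above, added here as an example (it is not part of the original page): it verifies that the two /var/ldap files exist and are mode 600 as required, warns if they are not owned by root, and confirms that passwd: and group: in nsswitch.conf list ldap with a bounded [TRYAGAIN=n]. The directory and nsswitch.conf paths are passed as arguments so it can be run against a copy of the files.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the Solaris 8
# LDAP client setup described above. DIR is where ldap_client_file and
# ldap_client_cred live (normally /var/ldap); NSS is the nsswitch.conf path.

# Both client files carry the proxyagent bind DN and its {NS1} password,
# so they must exist, be owned by root and be readable by root only (600).
check_ldap_client_perms() {
    dir=$1; rc=0
    for f in "$dir/ldap_client_file" "$dir/ldap_client_cred"; do
        if [ ! -f "$f" ]; then echo "MISSING: $f"; rc=1; continue; fi
        set -- $(ls -l "$f")            # $1 = mode string, $3 = owner
        case "$1" in
            -???------) ;;              # no group/other bits: good
            *) echo "BAD MODE $1 (want 600): $f"; rc=1 ;;
        esac
        [ "$3" = root ] || echo "WARN: $f owned by $3, expected root"
    done
    return $rc
}

# passwd: and group: must list ldap, and with a bounded [TRYAGAIN=n] so a
# dead directory server does not hang every lookup forever.
check_nsswitch() {
    nss=$1; rc=0
    for db in passwd group; do
        line=$(grep "^$db:" "$nss" || true)
        case "$line" in
            *ldap*TRYAGAIN=*) ;;        # ldap present with bounded retry
            *ldap*) echo "$db: ldap listed without [TRYAGAIN=n]"; rc=1 ;;
            *) echo "$db: ldap not listed in $nss"; rc=1 ;;
        esac
    done
    return $rc
}

# Run both checks; exit status is non-zero if anything is wrong.
check_ldap_client() {
    ok=0
    check_ldap_client_perms "$1" || ok=1
    check_nsswitch "$2" || ok=1
    return $ok
}

# Usage: ./ldapcheck.sh /var/ldap /etc/nsswitch.conf
if [ $# -ge 2 ]; then check_ldap_client "$1" "$2"; fi
```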
Setup SSL/TLS
- Generate a self-signed certificate for each server. Note that with -nodes the private key is written unencrypted into the same server.pem as the certificate, so keep that file readable by root only, as with the files in /var/ldap above.
# openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
- Add the certificate to slapd.conf
TLSCertificateFile /path/to/server.pem
TLSCertificateKeyFile /path/to/server.pem
TLSCACertificateFile /path/to/server.pem
Unanswered Questions
- Exactly what is the {NS1} encoding generated by ldap_gen_profile?
- Why doesn't using {sha} work, and why must {crypt} be used?
- What is secure RPC?
- Setting nsswitch.conf to do ldap first and only fall back to files seems to work okay except that /usr/bin/passwd claims it's an unsupported configuration. What about just "ldap" (i.e. no files)? If the directory is down ... hrm, can you still log in in single user mode? Hrm, no, maintenance would be a bitch. Any better ideas?
passwd: ldap [TRYAGAIN=5] files
group: ldap [TRYAGAIN=5] files
- What about persistent connections? How do you show that connections are persistent, and how do you make them persistent?
- What are the best ACLs to use if the user needs no access to their own data except for authentication and the ability to change their password?
- Segmenting super user access? Is it a good idea to give each process that needs privileged access a separate login, even if their permissions are the same?
- What are the best indexes to use on an LDAP server for PAM/NSS use?
- If I try and use anything other than {crypt} as the password hashing algorithm for the userPassword attribute I get an error stating that the request requires "secure rpc credentials". Can this be worked around?
- How do I make sure that Solaris is using a persistent connection to the LDAP server? Is this really important?
- Supposedly pam_ldap provides support for CRAM-MD5. With this I believe that clear text passwords are no longer used across the network for authentication via LDAP. What do I need to do to make this work? Is this a better option than using TLS?
- What other reason would make me want to use pam_ldap instead of pam_unix? I made no changes to /etc/pam.conf and everything works perfectly. Why would I want to use pam_ldap instead of pam_unix?
- There is a memory leak somewhere. We believe it is in Solaris 8's libc. It causes slapd to slowly grow over time. There is no patch available from Sun that anyone can find.
- Supposedly Solaris 8 supports using TLS for transport security from the Solaris client to the LDAP server. I can't make this work (it does work from server to server for replication though, so I assume I have OpenLDAP set up right). How do we make this work?
- Once you have an LDAP master/slave setup, using Solaris' passwd command to change passwords no longer works because the referral isn't followed with sufficient privileges. What can we do about this?
Tips and Tricks
- For ldap_cachemgr to re-read the config files in /var/ldap
# pkill -HUP ldap_cachemgr
- Debugging mode for slapd (shows ACLs and binds)
# /usr/local/libexec/slapd -d 384
- How to watch the wire to see if SSL is actually being used
# snoop -x 0 port 389
- If you're feeling brave you can play with a new feature of Solaris 8 called crle which does the same thing that Linux's ld.so.conf does. Beware though, or you'll overwrite the default paths and nothing dynamically linked will work. If you do this (I did) remember that echo is your friend.
- posixGroups must have userPassword set or nscd will crash.
- Uncomment the line below in /etc/nscd.conf (note: if you don't use DNS or have a huge hosts file this may not be a good idea).
enable-cache hosts no
- How to set up dynamic LDAP configuration with ldap_client (list Igor's message).
- Script to convert v1 schemas to v2
Useful Links
- Eric Kilfoil's Solaris 8 and LDAP page.
- Local archives of the padl.com mailing lists (useful because the padl archives have been broken for a long time).
- Solaris question and answer forum with the authors of the "Solaris and LDAP Naming Services" book (BookIsbn:0130306789).
- Howto on ACLs (hidden in the faq-o-matic)
- Useful links for Linux and OpenLDAP in general (LDAP-aware useradd/usermod stuff)
- Archives of the padl.com lists (ldap-nis, pamldap and nssldap)
- The official archives for ldap-nis, pamldap and nssldap
- Securing LDAP on Solaris (SSL/TLS)
Thanks To
- Igor Brezac for lots of help with Solaris 8 integration and being one of the first people to figure this out.
- Timo Fischer for help with OpenLDAP and TLS.
- Ian Diddams for help with Solaris and PAM and writing an LDAP and NSS/PAM howto.