This was originally written early February 2001 in the hopes that no one else would suffer through the frustration I went through getting LDAP to work as a central naming and authentication service using the native Solaris 8 LDAP libraries. In the end I discovered that this really wasn't very hard to do, but since I knew very little about LDAP or PAM going into this it was quite a learning curve. I've attempted to document a "best practice" but my personal bias as well as my inexperience with LDAP will obviously show through. If you have any feedback (good or bad), especially if I've misunderstood or misrepresented something, please let me know.

[Note: The original non-wiki document. Since you can't edit it, it's largely useless but it does have more links until I finish porting them over.]

See also: SunSolaris, LdapAuthentication, AppleOsxIntegrationWithOpenldap, OpenLdap, Solaris 9 LDAP Updates

Compile OpenLDAP Server

I chose to stick with the 2.0 OpenLdap tree. Currently it's the unstable branch but I decided I would rather deal with possible bugs now than worry about a migration of such a crucial service later. I configure OpenLdap without cyrus sasl and with openssl, tcp wrappers and berkeley db. The main reason for omitting sasl was I felt that there were enough unknowns without adding sasl to the mix as well. I also think that simple authentication, so long as a secure transport is used (e.g. ssl/tls), is sufficient to keep your users' information secure.

  1. compile and install berkeley db (or download a package). berkeley db or another db is required for openldap to run.
  2. compile and install tcp wrappers (or download a package). if you don't want the ability to control what hosts can talk to your ldap server with the hosts.allow/hosts.deny files you can omit this step.
  3. compile and install openssl (or download a package). if you don't want the ability to have queries go to your ldap server via ssl then you can omit this step.
  4. download the latest version of openldap (version > 2.0) and untar it in your src directory.

  5. now you need to run configure in the source directory. you'll need to use some common sense and change the library paths if you've installed them into different places than I did. also, the export lines will only work with bash/ksh; you'll need to adapt them for plain sh or [t]csh.

    # export LDFLAGS="-L/usr/local/BerkeleyDB.3.1/lib -L/usr/local/ssl/lib -R/usr/local/BerkeleyDB.3.1/lib" 
    # export CPPFLAGS="-I/usr/local/BerkeleyDB.3.1/include -I/usr/local/ssl/include" 
    # ./configure --prefix=/usr/local --enable-wrappers --with-tls --without-cyrus-sasl

     it's worth scrolling through the output of configure to make sure that all the libraries that you wanted it to find were indeed found. the "-R" option in LDFLAGS is required under solaris 8 so that the dynamically linked libraries can be found at run time (there is another way, see tips and tricks).

  6. now build and install openldap.

    # make depend 
    # make
    # make test
    # make -n install 
    # make install

     during the tests watch carefully and make sure that they all succeed. if they don't, you have done something wrong and you're going to have problems; fix it now before you go farther. the "make -n install" is an optional step; it just lets you see where the makefile will install everything without actually doing anything. I like doing this before an install just because I hate running unknown commands as root.

Configure Master Server

first you need to get your master server up and running. the hardest part of that is building and designing the schema. since your schema is really up to you and what you want, I'm going to show you what I did (which is the bare minimum to make it work).

  1. configure your slapd.conf (it should be in /usr/local/etc/openldap). I've included a sanitized version of mine for you to look at and we'll go through the important pieces here.

Configure Slave Servers

Configure Clients

  1. make sure that ldap_cachemgr isn't running

    # /etc/init.d/ldap.client stop 

  2. create the /var/ldap/ldap_client_file

    NS_LDAP_SERVERS= 192.168.1.125
    NS_LDAP_SEARCH_BASEDN= dc=metstream,dc=net
    NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
    NS_LDAP_DOMAIN= metstream.net

  3. create the /var/ldap/ldap_client_cred file

    NS_LDAP_BINDDN= cn=proxyagent,dc=metstream,dc=net
    NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxx

  4. make sure that these files are readable only by root

    # chown root:root /var/ldap/* 
    # chmod 600 /var/ldap/*

  5. update your /etc/nsswitch.conf file to use ldap for the passwd: and group: parts. the relevant parts should look like this (the TRYAGAIN part stops it from trying to reach the ldap server forever if it's down):

    passwd:     files ldap [TRYAGAIN=5] 
    group:     files ldap [TRYAGAIN=5]

  6. start up ldap_cachemgr

    # /etc/init.d/ldap.client start

  7. now see if you can finger a user that only exists in your ldap database.
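As an added example, not from the original page, this POSIX sh script checks a client built by the steps above: the required keys in both /var/ldap files, the {NS1} form of the proxy password, the 0600 mode from step 4 and the passwd:/group: lines from step 5. The sample files, the placeholder password and the parameterised paths are constructed so it runs against a temporary copy rather than the live /var/ldap.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a Solaris 8 LDAP client built by
# the steps above. Assumes the page's file and key names; paths are parameters so it can run
# against a constructed copy instead of the live /var/ldap (owner check omitted for that reason).

# ns_get FILE KEY: value of KEY from a Solaris "KEY= value" client file (empty if absent)
ns_get() { sed -n "s/^$2=[[:space:]]*//p" "$1" 2>/dev/null | head -n 1; }

# check_ldap_client LDAPDIR NSSWITCH: returns 0 if the setup matches steps 2-5,
# otherwise prints one line per problem and returns 1
check_ldap_client() {
  cfg="$1/ldap_client_file"; cred="$1/ldap_client_cred"; nss=$2; bad=0
  for key in NS_LDAP_SERVERS NS_LDAP_SEARCH_BASEDN NS_LDAP_AUTH NS_LDAP_DOMAIN; do
    [ -n "$(ns_get "$cfg" "$key")" ] || { echo "missing $key in $cfg"; bad=1; }
  done
  [ -n "$(ns_get "$cred" NS_LDAP_BINDDN)" ] || { echo "missing NS_LDAP_BINDDN in $cred"; bad=1; }
  # step 3: the proxy bind password should be in the {NS1} form, not cleartext
  case "$(ns_get "$cred" NS_LDAP_BINDPASSWD)" in
    "{NS1}"?*) ;;
    *) echo "NS_LDAP_BINDPASSWD in $cred is not in {NS1} form"; bad=1 ;;
  esac
  # step 4: both files readable and writable by their owner only (mode 0600)
  for f in "$cfg" "$cred"; do
    [ "$(ls -ld "$f" 2>/dev/null | cut -c1-10)" = "-rw-------" ] || { echo "$f is not mode 0600"; bad=1; }
  done
  # step 5: passwd and group consult files, then ldap, with a TRYAGAIN cap
  for db in passwd group; do
    line=$(sed -n "s/^$db:[[:space:]]*//p" "$nss" 2>/dev/null | head -n 1)
    case "$line" in
      files*ldap*\[*TRYAGAIN=[0-9]*\]*) ;;
      *) echo "$db: line in $nss is '$line', expected 'files ldap [TRYAGAIN=n]'"; bad=1 ;;
    esac
  done
  return $bad
}

# make_sample DIR: constructed copy of the page's three files; the password is a placeholder
make_sample() {
  printf 'NS_LDAP_SERVERS= 192.168.1.125\nNS_LDAP_SEARCH_BASEDN= dc=metstream,dc=net\n' > "$1/ldap_client_file"
  printf 'NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE\nNS_LDAP_DOMAIN= metstream.net\n' >> "$1/ldap_client_file"
  printf 'NS_LDAP_BINDDN= cn=proxyagent,dc=metstream,dc=net\n' > "$1/ldap_client_cred"
  printf 'NS_LDAP_BINDPASSWD= {NS1}PLACEHOLDER\n' >> "$1/ldap_client_cred"
  printf 'passwd:     files ldap [TRYAGAIN=5]\ngroup:     files ldap [TRYAGAIN=5]\n' > "$1/nsswitch.conf"
  chmod 600 "$1/ldap_client_file" "$1/ldap_client_cred"
}

dir=$(mktemp -d) && make_sample "$dir" && check_ldap_client "$dir" "$dir/nsswitch.conf" && echo "client config OK"
```

Run it against the real files with `check_ldap_client /var/ldap /etc/nsswitch.conf` as root; a non-zero exit and the printed lines tell you which step to revisit.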

Setup SSL/TLS

  1. generate a self-signed certificate for each server

    # openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365

  2. add the certificate to slapd.conf

    TLSCertificateFile /path/to/server.pem 
    TLSCertificateKeyFile /path/to/server.pem
    TLSCACertificateFile /path/to/server.pem

Unanswered Questions

Tips and Tricks

Useful Links

Thanks To


CategorySoftware CategoryUnix

Solaris8Ldap (last edited 2005-03-16 19:13:04 by AdamShand)