On Sat, 11 Oct 2014, Rob Crittenden wrote:
sipazzo wrote:
Thank you, I know where the profile is in the directory tree and how I would
invoke it were it there... I don't know how to get it into the directory tree so
that it is available to clients. I see posts giving examples of different
profiles that could be used but no post as to how to add it to the directory.
Sorry if I am missing something obvious.
--------------------------------------------
On Fri, 10/10/14, Rob Crittenden <[email protected]> wrote:
Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile
To: "sipazzo" <[email protected]>, [email protected]
Date: Friday, October 10, 2014, 4:53 PM
sipazzo wrote:
> Hello, I am trying to set up a default profile for my Solaris 10 IPA clients
> as recommended. I generated a profile on a Solaris with the attributes I
> needed except I got an "invalid parameter" error when specifying the
> domainName attribute like this -a domainName=example.com even though this
> parameter works when I use it in ldapclient manual. More of an issue though
> is I have been unable to find documentation on getting the profile
> incorporated into the ipa server. How do I get this profile on the ipa server
> and make it available to my Solaris clients? Also, my understanding is the
> clients periodically check this profile so they stay updated with the latest
> configuration information. What generates this check? Is it time based, a
> restart of a service or ??
>
> Thank you for any assistance.
It's been forever since I configured a Solaris anything client but I can
tell you where the profile gets stored:
cn=profilename,cn=default,ou=profile,$SUFFIX
IPA ships with a default profile of:
dn: cn=default,ou=profile,$SUFFIX
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: $FQDN
defaultSearchBase: $SUFFIX
authenticationMethod: none
searchTimeLimit: 15
cn: default
serviceSearchDescriptor: passwd:cn=users,cn=accounts,$SUFFIX
serviceSearchDescriptor: group:cn=groups,cn=compat,$SUFFIX
bindTimeLimit: 5
objectClassMap: shadow:shadowAccount=posixAccount
followReferrals: TRUE
The full schema can be found at
http://docs.oracle.com/cd/E23824_01/html/821-1455/schemas-17.html
So if your profile is named foo you'd invoke it with something like:
# ldapclient init -a profileName=foo ipa.example.com
rob
Here is an example inspired by
https://bugzilla.redhat.com/show_bug.cgi?id=815515
$ ldapmodify -a -x -D 'cn=Directory Manager' -W
dn: cn=solaris_authssl_test,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl_test
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
defaultServerList: ipa01.example.com ipa02.example.com ipa03.example.com
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:sunPrinter=printerService
preferredServerList: ipa01.example.com ipa02.example.com
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=example,dc=com
serviceSearchDescriptor: printers:ou=printers,ou=test,dc=example,dc=com
<blank line>
^D
You may want to check out
https://bugzilla.redhat.com/show_bug.cgi?id=815533 as well.
Should the profile be available anonymously? It is not in 4.x:
$ ldapsearch -x -b ou=profile,dc=ipacloud,dc=test
# extended LDIF
#
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
$ kinit admin
Password for [email protected]:
$ ldapsearch -Y GSSAPI -b ou=profile,dc=ipacloud,dc=test
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=profile,dc=ipacloud,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# profile, ipacloud.test
dn: ou=profile,dc=ipacloud,dc=test
objectClass: top
objectClass: organizationalUnit
ou: profiles
ou: profile
# default, profile, ipacloud.test
dn: cn=default,ou=profile,dc=ipacloud,dc=test
defaultServerList: cc21.ipacloud.test
defaultSearchBase: dc=ipacloud,dc=test
objectClass: top
objectClass: DUAConfigProfile
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=ipacloud,dc=test
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=ipacloud,dc=test
searchTimeLimit: 15
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
bindTimeLimit: 5
authenticationMethod: none
cn: default
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
I think it should be available anonymously too, so we need to add a
specialized ACI for that.
--
/ Alexander Bokovoy
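The following is an added example, not code from this thread or from FreeIPA: it generates the DUAConfigProfile entry described above as ldapadd-ready LDIF (folding long lines with a leading space as RFC 2849 requires, which is what the wrapped serviceSearchDescriptor line in the example above lacks) and the kind of 389-ds ACI Alexander says is needed so unauthenticated Solaris clients can read the profile. The suffix, server names and the ACI text are constructed assumptions, not the ACI FreeIPA itself ships.

```python
# Added example (not from the thread): DUAConfigProfile entry and the ACI change
# above as LDIF, folded per RFC 2849. Suffix, servers and ACI text are constructed.

def fold_ldif_line(line, width=76):
    """Fold one logical LDIF line; continuation lines start with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def unfold_ldif(text):
    """Reverse the folding so each element is one 'attribute: value' line."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical

def dua_profile_ldif(name, suffix, servers):
    """ldapadd-ready profile entry using TLS with a proxy bind (not anonymous)."""
    attrs = [
        ("dn", f"cn={name},ou=profile,{suffix}"),
        ("changetype", "add"),
        ("objectClass", "top"),
        ("objectClass", "DUAConfigProfile"),
        ("cn", name),
        ("authenticationMethod", "tls:simple"),
        ("credentialLevel", "proxy"),
        ("defaultServerList", " ".join(servers)),
        ("defaultSearchBase", suffix),
        ("profileTTL", "6000"),
        ("followReferrals", "TRUE"),
        ("objectclassMap", "shadow:shadowAccount=posixAccount"),
        ("serviceSearchDescriptor", f"passwd:cn=users,cn=accounts,{suffix}"),
        ("serviceSearchDescriptor", f"group:cn=groups,cn=compat,{suffix}"),
        ("serviceSearchDescriptor", "auto_master:automountMapName=auto.master,"
                                    f"cn=default,cn=automount,{suffix}"),
    ]
    lines = [ln for attr, value in attrs for ln in fold_ldif_line(f"{attr}: {value}")]
    return "\n".join(lines) + "\n"

def anonymous_profile_aci_ldif(suffix):
    """Modify op adding a 389-ds ACI so unauthenticated clients can read profiles."""
    aci = ('(targetattr="*")(targetfilter="(objectclass=DUAConfigProfile)")'
           '(version 3.0; acl "Anonymous read of DUA profiles"; '
           'allow (read,search,compare) userdn="ldap:///anyone";)')
    lines = [f"dn: ou=profile,{suffix}", "changetype: modify", "add: aci"]
    return "\n".join(lines + fold_ldif_line(f"aci: {aci}")) + "\n"
```

Feed the output of either function to ldapmodify with a Directory Manager bind as in the thread; the ACI only exposes the profile entries themselves, and the proxy bind credentials stay on the client.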
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project