Hi, oops, sorry. I wrongly addressed you. Actually that question I asked is to Mr. Watson.

Regards,
Ben

On Sat, Jan 3, 2015 at 10:17 PM, Dmitri Pal <[email protected]> wrote:
> On 01/03/2015 03:26 AM, Ben .T.George wrote:
>
> Hi Dmitri
>
> I have been trying this for the last 3 weeks. Can you please give us more details
> about this? I tried ldapclient and I got a lot of dependency service
> related errors. Can you please give me the list of services and configuration
> files that need to be changed/enabled before trying ldapclient?
>
> Once again thanks for your effort.
>
>
> Hi Ben,
>
> I am a bit confused. My last suggestion was for you to add a wiki page to
> FreeIPA.org because you indicated that you got it working.
> Rob, maybe this is the comment for you.
>
> Thanks
> Dmitri
>
>
> Thanks & Regards,
> Ben
>
> On Sat, Jan 3, 2015 at 12:11 AM, Dmitri Pal <[email protected]> wrote:
>
>> On 01/02/2015 03:17 PM, Watson, Dan wrote:
>>
>>> I finally got it working; the default setup of "ldapclient init" missed
>>> the special mapping for netgroups, so I had to do a manual setup that
>>> included the mapping.
>>>
>>> ldapclient manual \
>>>   -a credentialLevel=anonymous \
>>>   -a authenticationMethod=none \
>>>   -a defaultSearchBase=dc=domain,dc=name \
>>>   -a domainName=domain.name \
>>>   -a defaultServerList=server.domain.name \
>>>   -a objectClassMap=shadow:shadowAccount=posixaccount \
>>>   -a serviceSearchDescriptor='passwd:cn=users,cn=accounts,dc=bcferries,dc=corp' \
>>>   -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=bcferries,dc=corp \
>>>   -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=bcferries,dc=corp \
>>>   -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=bcferries,dc=corp
>>>
>>> It's the last line that forces the OS level ldap client to look in the
>>> right location for the netgroup information. I hope this helps the next
>>> person.
>>>
>>
>> Would you mind creating a wiki page with the solution on the wiki?
>>
>>
>>> Thanks for all the help!
>>> Dan
>>>
>>> -----Original Message-----
>>> From: Watson, Dan
>>> Sent: January 02, 2015 11:41 AM
>>> To: 'Rob Crittenden'; [email protected]
>>> Subject: RE: [Freeipa-users] Integration with Solaris 10
>>>
>>> Hi Rob,
>>>
>>> Thanks for the reply. Unfortunately /usr/bin/getent on my system doesn't
>>> seem to like the netgroup option:
>>>
>>> -bash-3.2# getent netgroup test1
>>> Unknown database: netgroup
>>> usage: getent database [ key ... ]
>>> -bash-3.2# uname -a
>>> SunOS vdcudantest01 5.10 Generic_147440-27 sun4v sparc SUNW,SPARC-Enterprise-T5120
>>> -bash-3.2# cat /etc/release
>>>                        Solaris 10 10/09 s10s_u8wos_08a SPARC
>>>            Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
>>>                         Use is subject to license terms.
>>>                            Assembled 16 September 2009
>>> -bash-3.2#
>>>
>>> Thanks!
>>> Dan
>>>
>>> -----Original Message-----
>>> From: Rob Crittenden [mailto:[email protected]]
>>> Sent: January 02, 2015 10:15 AM
>>> To: Watson, Dan; [email protected]
>>> Subject: Re: [Freeipa-users] Integration with Solaris 10
>>>
>>> Watson, Dan wrote:
>>>
>>>> Hi All,
>>>>
>>>> I've lurked in the list history and cannot find anyone saying they have
>>>> gotten login restrictions working with Solaris 10 u8. Has anyone on here
>>>> successfully configured login restrictions on Solaris 10 u8 through u11?
>>>> I'm looking for specific instructions from someone who has gotten this to
>>>> work before.
>>>>
>>>> The two main routes to login restrictions I could find online are
>>>> netgroups or conditional ldap queries in ldapclient.
>>>>
>>>> I initially tried netgroups but wasn't sure how to troubleshoot when
>>>> it didn't work. There don't seem to be any user-land tools to query
>>>> netgroups, and further investigation turned up an issue with OpenLDAP. It
>>>> seems the built-in Solaris 10 ldap client expects schema RFC2307bis and not
>>>> the OpenLDAP standard RFC2307 (explanation here
>>>> http://www.openldap.org/lists/openldap-software/200501/msg00309.html).
>>>> Does anyone know if this issue applies to IPA? Or how I check?
>>>>
>>>> The alternative of passing a restrictive query to ldapclient seems like
>>>> a good route but doesn't seem to work. The common solution when using the
>>>> old SunOne directory server was to pass the ldapclient (command line ldap
>>>> configuration tool) an option like
>>>> "passwd:ou=people,o=myorg,c=de?one?(isMemberof=cn=unixadmins,ou=groups,o=myorg,c=de)"
>>>> (from here https://community.oracle.com/thread/2014224?start=0&tstart=0)
>>>> which is supposed to restrict account checking to only people in
>>>> ou=people,o=myorg,c=de who are also members of
>>>> cn=unixadmins,ou=groups,o=myorg,c=de. Unfortunately this doesn't seem to
>>>> work in IPA, first of all because there is no "isMemberof" attribute on a
>>>> user, but it also doesn't work on other attributes like uid or uidNumber. One
>>>> possible explanation I've found is that these attributes are not indexed,
>>>> but I have no idea if this is correct or how to add them to be indexed.
>>>>
>>>> Has anyone else solved this? I just need to be able to allow only a
>>>> specific user group to log in to the host. Unfortunately the ssh directive
>>>> "AllowGroups" is not good enough; this has to be system wide as we also
>>>> have samba and some other services that rely on system authentication.
>>>>
>>>> Can anyone be of some help?
>>>>
>>>> Thanks!
>>>> Dan
>>>>
>>> You can use getent netgroup <name> to get a specific netgroup.
>>>
>>> Or ldapsearch -x -b cn=usertest,cn=ng,cn=compat,dc=example,dc=com
>>>
>>> rob
>>>
>>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
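Two checks that follow from the thread, as an added example that is not part of any message above: first, whether a Solaris LDAP client profile carries the netgroup serviceSearchDescriptor pointing at the FreeIPA compat tree that Dan had to add by hand; second, which users a compat-tree netgroup actually grants, read from the nisNetgroupTriple values that Rob's ldapsearch would return. The profile dumps, LDIF, DNs and user names are constructed samples; the NS_LDAP_SERVICE_SEARCH_DESC key is the form `ldapclient list` prints on Solaris 10, and nisNetgroupTriple/memberNisNetgroup are the RFC 2307 netgroup attributes. It runs offline with any POSIX sh, awk and grep.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a Solaris 10 client
# that should take its netgroups from the FreeIPA compat tree.

# Constructed sample of "ldapclient list" output for a profile that still
# lacks the netgroup mapping (the situation the thread starts from).
PROFILE_WITHOUT_NG='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= server.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= none
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=accounts,dc=example,dc=com
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixaccount'

# The same profile after adding the netgroup descriptor Dan describes.
PROFILE_WITH_NG="$PROFILE_WITHOUT_NG
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=com"

# check_netgroup_ssd PROFILE_TEXT
# Exit 0 when a netgroup SSD whose base DN lies under cn=compat is present,
# 1 when the netgroup service is unmapped or mapped elsewhere.
check_netgroup_ssd() {
    printf '%s\n' "$1" | awk '
        $1 == "NS_LDAP_SERVICE_SEARCH_DESC=" && $2 ~ /^netgroup:/ {
            sub(/^netgroup:/, "", $2)    # drop the service name
            sub(/\?.*/, "", $2)          # drop any ?scope?filter suffix
            if (tolower($2) ~ /cn=compat/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of "ldapsearch -x -LLL -b cn=admins,cn=ng,cn=compat,..."
# output. The compat tree publishes netgroups as nisNetgroup entries whose
# nisNetgroupTriple values are (host,user,domain) triples.
NETGROUP_LDIF='dn: cn=admins,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: admins
nisNetgroupTriple: (,alice,example.com)
nisNetgroupTriple: (,bob,example.com)
nisNetgroupTriple: (host1.example.com,,example.com)
memberNisNetgroup: ops'

# netgroup_users LDIF_TEXT
# Print one user per line from the triples that name a user; host-only
# triples such as (host1.example.com,,example.com) are skipped. Nested
# netgroups (memberNisNetgroup) would need a further lookup and are not
# expanded here.
netgroup_users() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "nisNetgroupTriple" {
            t = $2
            gsub(/[()]/, "", t)          # (host,user,domain) -> host,user,domain
            split(t, f, ",")
            if (f[2] != "") print f[2]
        }'
}

# netgroup_has_user LDIF_TEXT USER : exit 0 if USER is a direct member
netgroup_has_user() {
    netgroup_users "$1" | grep -qx -- "$2"
}

# Stand-alone demo.
if check_netgroup_ssd "$PROFILE_WITHOUT_NG"; then
    echo "profile without SSD: netgroup mapped (unexpected)"
else
    echo "profile without SSD: netgroup NOT mapped to the compat tree"
fi
if check_netgroup_ssd "$PROFILE_WITH_NG"; then
    echo "profile with SSD: netgroup mapped to the compat tree"
fi
echo "direct users in cn=admins: $(netgroup_users "$NETGROUP_LDIF" | tr '\n' ' ')"
```

Run `ldapclient list` and `ldapsearch -x -LLL -b cn=<netgroup>,cn=ng,cn=compat,<basedn>` on the client and feed their real output to the two functions; a profile that fails the first check is the one where `getent netgroup` on a patched box, or the login restriction itself, silently sees no IPA netgroups.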
