On 03/16/2015 04:21 PM, [email protected] wrote:
and put IPA's ca.crt (available on any IPA machine at /etc/ipa/ca.crt)
into /var/ldap's database with certutil:
# certutil -A -a -i ca.crt -n CA -t CT -d /var/ldap
Ok, following your advice I installed the SUNWtlsu package (prepares a rant
about how the top 3 pages of google results didn't tell me which darn
package certutil was actually in) and now I have certutil on the system.
I copied the ca.crt file from my FreeIPA controller to the /tmp directory
on Solaris, and then ran
# certutil -A -a -i /tmp/ca.crt -n CA -t CT -d /var/ldap
It worked! The difference was that running that certutil command creates
/var/ldap/secmod.db. secmod.db is required for TLS to work. Without
secmod.db existing, you can use simple, but not tls:simple.
So I can now login with both AD and FreeIPA users on this machine, get the
correct shell, correct home directory, and the ability to sudo.
However...
I can only do this through SSH. I have run into some really strange
Solaris behavior when I try to login through console. I added the
following entries to my /etc/pam.conf
login auth sufficient pam_ldap.so.1
login auth sufficient pam_krb5.so.1
Apparently, Solaris has a total name limit of 31 characters, that only
applies to the [login] section and not to the [other] section.
So if I ssh I can login with a user named
'[email protected]' (AD user)
However, if I console login, my pam logs indicate that it is being chopped
down to '[email protected]' before being passed onto ldap.
This causes ldap to throw the following error:
/usr/lib/security/pam_ldap.so.1 returned System error
I created a really short AD username called
'[email protected]' which just barely fit in 31 characters
and it could login fine.
So my next question is (and I know you guys are not Solaris experts, but
any help is appreciated): Is there a way to set the default domain so
that AD users do not have to type their domain suffix? Currently, it is
backward and ipa users can login as 'ipauser1' without a suffix, but AD
users have to type their suffix.
I know this can be done in Linux with sssd.conf and I have that working
for Linux clients, but with no sssd on Solaris, I'm pulling my hair out
trying to figure out how to do this.
I have already tried setting the default_domain and default_realm flags in
/etc/krb5/krb5.conf but that doesn't work at all because AD users are
authenticated through LDAP. I also tried the ldapclient init with ' -a
domainName=addomain.net' but that did not work either.
Is there even a way to do this in Solaris for LDAP users? Without the
ability to skip the domain name for AD users, I am stuck with either no
console login for AD or having all AD users with only 3-character names
due to the length of the fqdn.
The only hack that comes to mind is to add a new attribute in the
compatibility tree (cn=compat) via slapi-nis plugin that will expose
short names and then point your Solaris box to that attribute as uid.
This is a hack because:
- you will have duplicates and this is up to you how to deal with them
- you would have to figure out how to do this transformation with
slapi-nis using its stock capabilities (I think it is possible but would
require some research)
- you would have to change the configuration on all replicas you have in
a similar way
Maybe others have better ideas.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
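Added example, not code from the thread or from the FreeIPA project: a small audit of the two constraints discussed above, the 31-character login-name limit the original poster observed on the Solaris console, and the duplicate short names that the compat-tree hack in the reply would expose. The domain is the "addomain.net" placeholder from the ldapclient command in the thread (the poster's real AD domain is hidden on the page and is longer), and every user name below is constructed for illustration. The truncation behaviour is modelled on what the poster reported seeing in the PAM logs: the name is chopped, not rejected.

```python
# Added example (not from the thread): check AD principal names against the
# 31-character login-name limit seen on the Solaris console, and find the
# bare-name collisions a "short name" attribute in cn=compat would create.
# Domain "addomain.net" is the thread's placeholder; the users are constructed.

from collections import defaultdict

SOLARIS_CONSOLE_NAME_LIMIT = 31   # observed by the poster for login, not for [other]


def truncate_for_console(name, limit=SOLARIS_CONSOLE_NAME_LIMIT):
    """Model what the poster saw in the PAM logs: the console login chops the
    name to `limit` characters instead of rejecting it, so a long user@domain
    reaches pam_ldap with a mangled suffix."""
    return name[:limit]


def short_name(principal):
    """Strip the @suffix; IPA users already log in with a bare name."""
    return principal.split("@", 1)[0]


def max_short_len(domain, limit=SOLARIS_CONSOLE_NAME_LIMIT):
    """Longest bare user name that still fits once '@' + domain is appended."""
    return limit - len(domain) - 1


def audit(principals, limit=SOLARIS_CONSOLE_NAME_LIMIT):
    """Return the names that would be truncated at the console and the bare
    names that more than one principal would map to (the 'duplicates' the
    reply warns about)."""
    too_long = [p for p in principals if len(p) > limit]
    by_short = defaultdict(list)
    for p in principals:
        by_short[short_name(p)].append(p)
    collisions = {s: ps for s, ps in by_short.items() if len(ps) > 1}
    return {"too_long": too_long, "collisions": collisions}


# Constructed sample: two IPA users (bare names) and four AD users.
SAMPLE_USERS = [
    "ipauser1",
    "jsmith",
    "jsmith@addomain.net",               # 19 chars: fits, but collides with IPA jsmith
    "firstname.lastname@addomain.net",   # exactly 31: still works, as the poster found
    "firstname.lastnamex@addomain.net",  # 32: chopped to ...@addomain.ne at the console
    "abc@addomain.net",
]

if __name__ == "__main__":
    report = audit(SAMPLE_USERS)
    print("max bare name length for addomain.net:", max_short_len("addomain.net"))
    for p in report["too_long"]:
        print("would be truncated:", p, "->", truncate_for_console(p))
    for s, ps in report["collisions"].items():
        print("short name", s, "is shared by", ps)
```

Run against a real export of AD and IPA users, the `collisions` result is the list you would have to resolve before pointing the Solaris box at a short-name attribute, and `max_short_len` for the real AD FQDN tells you how much room console users actually have.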