Не получается подружить Solaris 10 (sparc, обновление 08/05) с сервером OpenLDAP.с помощью certutil экспортирую корневой и промежуточный сертификаты в хранилище:
# certutil -A -n "CA certificate" -i ca.crt -t "CT" -d /var/ldap/
# certutil -A -n "subCA certificate" -i subca.crt -t "CT" -d /var/ldap/
# chmod 0444 /var/ldap/*db
# ls -la /var/ldap/*db
-r--r--r-- 1 root root 65536 авг. 21 15:45 /var/ldap/cert8.db
-r--r--r-- 1 root root 32768 авг. 21 15:45 /var/ldap/key3.db
-r--r--r-- 1 root root 32768 авг. 21 11:12 /var/ldap/secmod.db
Проверяю работу ldapsearch:
# ldapsearch -h ldap1 -p 636 -b "" -s base -D "cn=pambrowser,..." -w <...>-Z -P /var/ldap "(objectclass=*)"
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
А дальше ldapclient manual не хочет заводиться:
# ldapclient manual -v -a credentialLevel=proxy -a 'proxyDN=cn=pambrowser,...' -a 'proxyPassword=...' -a authenticationMethod=tls:simple -a 'serviceAuthenticationMethod=pam_ldap:tls:simple' -a 'defaultSearchBase=o=...' -a 'servicesearchdescriptor=group:ou=Groups,o=...' -a 'defaultServerList=ldap1 ldap2'
Parsing credentialLevel=proxy
Parsing proxyDN=cn=pambrowser,...
Parsing proxyPassword=...
Parsing authenticationMethod=tls:simple
Parsing serviceAuthenticationMethod=pam_ldap:tls:simple
Parsing defaultSearchBase=...
Parsing servicesearchdescriptor=group:ou=Groups,...
Parsing defaultServerList=ldap1 ldap2
Arguments parsed:
authenticationMethod: tls:simple
serviceAuthenticationMethod:
arg[0]: pam_ldap:tls:simple
defaultSearchBase: ...
credentialLevel: proxy
proxyDN: cn=pambrowser,...
serviceSearchDescriptor:
arg[0]: group:ou=Groups,...
proxyPassword: ...
defaultServerList: ldap1 ldap2
Handling manual option
Proxy DN: cn=pambrowser,...
Proxy password: {NS1}......
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: network/smtp:sendmail... failed: entity not found
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
nscd not running
Stopping autofs
stop: system/filesystem/autofs:default... failed: entity not found
Stopping autofs failed with (1). You may need to restart it manually for changes to take effect.
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "..."
file_backup: stat(/var/yp/binding/...)=-1
file_backup: No /var/yp/binding/... directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname ... ... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: sleep 17700000 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: network/smtp:sendmail... failed: entity not found
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
nscd not running
Stopping autofs
stop: system/filesystem/autofs:default... failed: entity not found
Stopping autofs failed with (1). You may need to restart it manually for changes to take effect.
ldap not running
nisd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "..."
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=0
recover: file_move(/var/ldap/restore/ldap_client_cred, /var/ldap/ldap_client_cred)=0
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/stacksoft.ru)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname ... ... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
# cat /var/svc/log/network-ldap-client\:default.log
[ Aug 22 15:43:48 Enabled. ]
[ Aug 22 15:43:49 Executing start method ("/usr/lib/ldap/ldap_cachemgr") ]
[ Aug 22 15:45:49 Method or service exit timed out. Killing contract 110 ]
[ Aug 22 15:45:49 Leaving maintenance because disable requested. ]
[ Aug 22 15:45:49 Disabled. ]# cat /var/ldap/cachemgr.log
Fri Aug 22 15:43:49.0324 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.logС помощью tcpdump'а видно, что сервер пытается соединяться с ldap-серверами по 389 порту. Если 389 порт открыт, то пытается делать запросы без starttls (который раньше он точно не умел, сейчас, похоже, тоже). Доступ к серверу без шифрования запрещен, поэтому soalris ничего в ответ не получает, кроме "TLS Confidentiality required".
Есть ли какой-нибудь способ побороть это, не переходя на библиотеки из openldap?
1. Собственно я делал - но с использованием ldap profiles. Клиенты - solaris 10 sparc & x86Добавить в openldap ldap scheme:
Updated to match RFC 4876 2007-2007
# http://www.rfc-editor.org/rfc/rfc4876.txt
objectIdentifier DUAConfSchemaOID 1.3.6.1.4.1.11.1.3.1attributetype ( DUAConfSchemaOID:1.0 NAME 'defaultServerList'
DESC 'Default LDAP server host address used by a DUA'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.1 NAME 'defaultSearchBase'
DESC 'Default LDAP base DN used by a DUA'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.2 NAME 'preferredServerList'
DESC 'Preferred LDAP server host addresses to be used by a
DUA'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.3 NAME 'searchTimeLimit'
DESC 'Maximum time in seconds a DUA should allow for a
search to complete'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.4 NAME 'bindTimeLimit'
DESC 'Maximum time in seconds a DUA should allow for the
bind operation to complete'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.5 NAME 'followReferrals'
DESC 'Tells DUA if it should follow referrals
returned by a DSA search result'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.6 NAME 'authenticationMethod'
DESC 'A keystring which identifies the type of
authentication method used to contact the DSA'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.7 NAME 'profileTTL'
DESC 'Time to live, in seconds, before a client DUA
should re-read this configuration profile'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.9 NAME 'attributeMap'
DESC 'Attribute mappings used by a DUA'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )attributetype ( DUAConfSchemaOID:1.10 NAME 'credentialLevel'
DESC 'Identifies type of credentials a DUA should
use when binding to the LDAP server'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.11 NAME 'objectclassMap'
DESC 'Objectclass mappings used by a DUA'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )attributetype ( DUAConfSchemaOID:1.12 NAME 'defaultSearchScope'
DESC 'Default search scope used by a DUA'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )attributetype ( DUAConfSchemaOID:1.13 NAME 'serviceCredentialLevel'
DESC 'Identifies type of credentials a DUA
should use when binding to the LDAP server for a
specific service'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )attributetype ( DUAConfSchemaOID:1.14 NAME 'serviceSearchDescriptor'
DESC 'LDAP search descriptor list used by a DUA'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )attributetype ( DUAConfSchemaOID:1.15 NAME 'serviceAuthenticationMethod'
DESC 'Authentication method used by a service of the DUA'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )attributeTypes: ( DUAConfSchemaOID:1.16 NAME 'dereferenceAliases'
DESC 'Specifies if a service or agent either requires, supports, or uses dereferencing of aliases.'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )objectclass ( DUAConfSchemaOID:2.5 NAME 'DUAConfigProfile'
SUP top STRUCTURAL
DESC 'Abstraction of a base configuration for a DUA'
MUST ( cn )
MAY ( defaultServerList $ preferredServerList $
defaultSearchBase $ defaultSearchScope $
searchTimeLimit $ bindTimeLimit $
credentialLevel $ authenticationMethod $
followReferrals $ serviceSearchDescriptor $
serviceCredentialLevel $ serviceAuthenticationMethod $
objectclassMap $ attributeMap $
profileTTL $ dereferenceAliases ) )objectclass ( DUAConfSchemaOID:2.1 NAME 'posixNamingProfile'
SUP top AUXILIARY
DESC 'POSIX naming profile'
MAY ( attributeMap $ serviceSearchDescriptor ) )objectclass ( DUAConfSchemaOID:2.2 NAME 'configurationProfile'
SUP top AUXILIARY
DESC 'Configuration profile'
MUST ( cn )
MAY ( attributeMap $ serviceSearchDescriptor ) )# depends on nis.schema
# See http://docs.sun.com/app/docs/doc/816-4556/appendixa-2,
# http://docs.hp.com/en/J4269-90074/ch04s02.htmlattributetype ( 1.3.6.1.1.1.1.1.30 NAME 'nisDomain'
DESC 'NIS domain'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject'
SUP top AUXILIARY
DESC 'Associates a NIS domain with a naming context'
MUST ( nisDomain ) )attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
DESC 'automount Map Name'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
DESC 'Automount Key value'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
DESC 'Automount information'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )objectclass (1.3.6.1.1.1.2.16 NAME 'automountMap'
SUP top STRUCTURAL
MUST ( automountMapName )
MAY description )objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount'
SUP top STRUCTURAL
DESC 'Automount'
MUST ( automountKey $ automountInformation )
MAY description )2. Начальный ldiff:
dn: ou=Ldap,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Ldap
description: Ldap Usersdn: cn=Solaris,ou=Ldap,dc=someorg
cn: Solaris
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: top
userPassword:: e1NTSEF9UzJSbGlpWG0wR09MTFhEall0UldDMTBFd1dJSks1RTdLempLUFE9PQ=
=dn: ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
objectClass: nisDomainObject
ou: Posix
l: None
nisDomain: someorgdn: ou=Computers,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Computersdn: ou=Idmap,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Idmapdn: sambaDomainName=SOMEORG,ou=Posix,dc=someorg
objectClass: sambaDomain
objectClass: sambaUnixIdPool
objectClass: top
sambaDomainName: SOMEORG
sambaSID: S-1-5-21-2324298634-3382198163-123456789
sambaRefuseMachinePwdChange: 0
sambaLockoutThreshold: 0
sambaMinPwdAge: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaForceLogoff: -1
gidNumber: 1004
sambaPwdHistoryLength: 5
uidNumber: 1028
sambaNextRid: 1015dn: ou=Rpc,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Rpcdn: ou=Protocols,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Protocolsdn: ou=Profile,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Profiledn: ou=Networks,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Networksdn: ou=Netgroup,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Netgroupdn: ou=Mounts,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Mountsdn: ou=Aliases,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Aliasesdn: ou=Ethers,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Ethersdn: ou=Hosts,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Hostsdn: ou=Services,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Servicesdn: ou=Group,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Groupdn: ou=People,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Peopledn: automountMapName=auto_home,ou=Posix,dc=someorg
automountMapName: auto_home
objectClass: automountMap
objectClass: topdn: automountMapName=auto_master,ou=Posix,dc=someorg
automountMapName: auto_master
objectClass: automountMap
objectClass: topdn: cn=Solaris,ou=Profile,ou=Posix,dc=someorg
objectClass: DUAConfigProfile
objectClass: top
cn: Solaris
defaultSearchBase: ou=Posix,dc=someorg
defaultServerList: 10.1.2.10
bindTimeLimit: 2
searchTimeLimit: 30
followReferrals: TRUE
credentialLevel: proxy anonymous
authenticationMethod: simple
defaultSearchScope: sub
profileTTL: 3600dn: cn=Padl,ou=Profile,ou=Posix,dc=someorg
objectClass: DUAConfigProfile
objectClass: posixNamingProfile
objectClass: top
cn: Padl
defaultSearchScope: one
defaultServerList: ldap.someorg
serviceSearchDescriptor: aliases:ou=Aliases,dc=Posix,dc=someorg
serviceSearchDescriptor: fstab:ou=Mounts,dc=Posix,dc=someorg
serviceSearchDescriptor: group:ou=Group,dc=Posix,dc=someorg
serviceSearchDescriptor: hosts:ou=Hosts,dc=Posix,dc=someorg
serviceSearchDescriptor: netgroup:ou=Netgroup,dc=Posix,dc=someorg
serviceSearchDescriptor: networks:ou=Networks,dc=Posix,dc=someorg
serviceSearchDescriptor: passwd:ou=People,dc=Posix,dc=someorg
serviceSearchDescriptor: protocols:ou=Protocols,dc=Posix,dc=someorg
serviceSearchDescriptor: rpc:ou=Rpc,dc=Posix,dc=someorg
serviceSearchDescriptor: services:ou=Services,dc=Posix,dc=someorg
defaultSearchBase: ou=Posix,dc=someorgdn: cn=default,ou=Profile,ou=Posix,dc=someorg
aliasedObjectName: cn=Solaris,ou=Profile,ou=Posix,dc=someorg
cn: default
objectClass: extensibleObject
objectClass: alias
objectClass: top
credentialLevel: proxy
profileTTL: 600dn: cn=Solaris_pam_ldap,ou=Profile,ou=Posix,dc=someorg
cn: Solaris_pam_ldap
objectClass: DUAConfigProfile
objectClass: top
authenticationMethod: none
bindTimeLimit: 2
credentialLevel: anonymous
defaultSearchBase: ou=Posix,dc=someorg
defaultSearchScope: sub
followReferrals: TRUE
searchTimeLimit: 30
serviceAuthenticationMethod: pam_ldap:simple
serviceAuthenticationMethod: passwd-cmd:simple
preferredServerList: 10.1.2.10
defaultServerList: 10.1.2.250
profileTTL: 3600dn: cn=Solaris_pam_ldap_tls,ou=Profile,ou=Posix,dc=someorg
bindTimeLimit: 2
cn: Solaris_pam_ldap_tls
defaultSearchBase: ou=Posix,dc=someorg
defaultSearchScope: sub
followReferrals: TRUE
objectClass: DUAConfigProfile
objectClass: top
searchTimeLimit: 30
serviceAuthenticationMethod: passwd-cmd:tls:simple
serviceAuthenticationMethod: pam_ldap:tls:simple
profileTTL: 3600
preferredServerList: ldap.someorg
credentialLevel: proxy
authenticationMethod: tls:simple
defaultServerList: 10.1.2.10dn: automountKey=*,automountMapName=auto_home,ou=Posix,dc=someorg
automountKey: *
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,vers=3 somehost:/home/&3. Нужно поправить /etc/nsswitch.ldap, например минималистичный вариант:
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files4. Поправить /etc/pam.conf согласно System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) http://docs.sun.com/app/docs/doc/816-4556/schemas-111
5. Импортировать корневой сертификат:
/usr/sfw/bin/certutil -N -d /var/ldap
/usr/sfw/bin/certutil -A -n "ca-cert" -i /tmp/root.pem -a -t CT -d /var/ldap
chmod 444 /var/ldap/*.db6. Включить использование ldap
ldapclient -v init -a profileName=Solaris_pam_ldap_tls -a domainName=someorg -a proxyDN="cn=Solaris,ou=Ldap,dc=someorg" -a proxyPassword="solaris" ldap.ot.byЗамечания:
a) При использовании профиля Solaris_pam_ldap_tls аутентификация осуществляется с помощью ldap bind.
b) Используются два (мастер/слэйв) сервера - ldap.someorg и 10.1.2.10.
c) Т.к. используется ldap bind, то cn=Solaris,ou=Ldap,dc=someorg не нужны какие-то дополнительные права (на чтение userpasswd и т.д.) - достаточно анонимных прав.
> start: network/ldap/client:default... timed out
> start: network/ldap/client:default... offline to disableВот эта фигня из за того что при запуске команды ldapclient файл /etc/nsswitch.ldap копируется в /etc/nsswitch.conf. В итоге хосты начинают резолвиться через LDAP, где конечно же записей нет. Как результат клиент не может достучаться до сервера и не стартует.
Что делать - описано в пункте 3 предыдущего поста.А вообще заставить нативный клиент (аффтар предыдущего поста использует не его, а PADL) ходить только по TLS мне так и не удалось. Т.е. похоже, что соединение он поддерживает по 389 порту, но все обращения: поиск, авторизация идут по 636, а там TLS и все как положено.
А по 389 сыплется вот такая шняга в лог:
conn=1022 fd=17 ACCEPT from IP=192.168.100.63:33168 (IP=0.0.0.0:389)
conn=1022 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1022 op=0 SRCH attr=supportedControl supportedsaslmechanisms
conn=1022 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1022 op=1 UNBIND
conn=1022 fd=17 closedОстальное через ТЛС. Но в общем неплохо! =)