BigAdmin System Administration Portal
Feature Article

Sun Java System Directory Server 6.0 as an LDAP Naming Service: Part 2 -- Client Configurations for the Solaris OS

Jonathan Gershater, Sun Microsystems, and Vineeth Katarki, Mascon Global Limited (MGL); October 2007 (updated January 2008)

Article Contents

This article is presented in the following four parts:

Note: When you run the commands shown in the procedures of this article, replace COMPANY with a value that is appropriate for your environment.


Part 2 -- Client Configurations for the Solaris OS

Part 2 provides instructions for configuring the UNIX native LDAP clients that run the Solaris 8, 9, or 10 Operating System, so you can deploy Sun Java System Directory Server 6.0 (hereafter referred to as "Directory Server") as a naming service.

Use the appropriate procedure on each Solaris client according to the OS version running on each client.

These procedures configure each client as an LDAP client for TLS:SIMPLE authentication, that is, simple (password) authentication over SSL using CA-signed certificates. The root CA signing certificate must exist in each native LDAP client so that the client trusts the server certificate presented by Directory Server during authentication.

Note: See Setting Up ACIs for Anonymous Access During Solaris Client Setup in Part 4 for more information.

Part 2 Contents

  • Applying Patches for Your Solaris Client
  • Configuring Clients That Run the Solaris 8 OS
  • Configuring Clients That Run the Solaris 9 OS
  • Configuring Clients That Run the Solaris 10 OS

Applying Patches for Your Solaris Client

Please refer to the tables in the author's blog: http://blogs.sun.com/jo/entry/solaris_patches_required_to_enable. The tables list the patches required to enable servers and workstations that run the Solaris OS for SPARC platforms to migrate to native LDAP clients.

The Patch column in the tables contains a number that indicates the patch to install. The number is linked to http://sunsolve.sun.com to enable you to download patches. The links are current as of January 8, 2008.

Caution: Solaris patches are revised and replaced by newer patches. The links in the Patch column might not lead to the latest patch available. Please read the patch notes carefully, be aware of obsoleted patches, and download the newer patch.

Note: The patches must be installed in the order specified.


Configuring Clients That Run the Solaris 8 OS

1. Verify that the following Solaris 8 native LDAP phase II packages are installed on the client system:

  • SUNWnisu
  • SUNWcsr
  • SUNWcsu
  • SUNWcsl

Note: The following steps configure SSL for communication between the Solaris 8 clients and the servers on which Directory Server is installed (hereafter referred to as "the directory servers"). These steps assume that the directory servers have been configured for SSL according to the Configuring SSL section in Part 1.

2. Verify that the server name in the cn attribute of the server certificate matches the name of the directory server that the client is connecting to. If it does not, change the defaultServerList or the preferredServerList attribute to match the cn attribute of the server certificate.

Note: Solaris 8 native LDAP clients expect Solaris 8 certificate databases to be in a cert7.db database. The certutil utility that ships with the Solaris 9 OS in /usr/sfw/bin creates a cert8.db database. To create a cert7.db database, proceed as follows.

3. If the certutil utility is available on the client system, for example, in /usr/local/bin, verify that the utility can create a cert7.db database, not a cert8.db database.

4. If certutil is not available or creates only a cert8.db database, perform the following substeps:

a. Download the Directory Server Resource Kit 5.2.1, which has a bundled certutil utility.

b. As root, install the Directory Server Resource Kit 5.2.1 on the client system by running the following commands:

# mkdir /tmp/sunone
# unzip dsrk52-SunOS5.8_OPT.zip
# java DSRK

Note: You can install the kit in any directory you want. The following steps assume that it is installed in the /opt/dsrk directory.

5. Add /opt/dsrk/lib to your LD_LIBRARY_PATH.

6. Create the certificate database and add the certificates by running the following commands:

# cd /opt/dsrk/lib/nss/bin
# ./certutil -N -d /var/ldap
# chmod 644 /var/ldap/*.db

7. Import the root CA certificates and the subordinate CA signing certificate (if applicable) into the certificate database:

Note: The following commands assume that the certificate file is in ASCII format. If it is in binary format, remove the -a option from the commands.

# ./certutil -A -a -i <path to root CA cert> -n "RootCA"
  -t "CT" -d /var/ldap
# ./certutil -A -a -i <path to sub CA cert> -n "SubCA"
  -t "CT" -d /var/ldap

8. Configure the client using the ldapclient utility:

a. Back up the /etc/pam.conf and /etc/nsswitch.conf files, then initialize the client with the following command:

# ldapclient -P COMPANYprofile -d "COMPANY.com" -D
  "cn=proxyagent,ou=profile,dc=COMPANY,dc=com"
  -w "<proxy_password>"  <primary directory server IP address>

Note: If ldapclient fails, check the Directory Server ACIs. For the ldapclient command to succeed, the ACIs should allow for anonymous access. See Recommendations for Directory Server Access Control in Part 4 for details on setting up the ACIs.

b. Verify the configuration on the client:

# ldapclient -l

c. The ldapclient initialization modifies the /etc/nsswitch.conf hosts line to point to LDAP. Change the hosts line as follows before proceeding:

hosts:  files dns

9. Configure /etc/pam.conf as follows:

# Not complete. All services have not been defined. Only changes are
# documented.
login   auth requisite      pam_authtok_get.so.1
login   auth required       pam_dhkeys.so.1
login   auth required       pam_dial_auth.so.1
login   auth binding        pam_unix_auth.so.1 server_policy
login   auth required       pam_ldap.so.1 use_first_pass

other   auth requisite      pam_authtok_get.so.1
other   auth required       pam_dhkeys.so.1
other   auth binding        pam_unix_auth.so.1 server_policy
other   auth required       pam_ldap.so.1 use_first_pass

passwd  auth binding        pam_passwd_auth.so.1 server_policy
passwd  auth required       pam_ldap.so.1 use_first_pass

other   account requisite   pam_roles.so.1
other   account required    pam_projects.so.1
other   account binding     pam_unix_account.so.1 server_policy
other   account required    pam_ldap.so.1

other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1
other   password required   pam_authtok_store.so.1 server_policy

10. If you will use netgroups to limit access to systems, configure /etc/nsswitch.conf as follows.

passwd:         compat
shadow:         compat
passwd_compat:  ldap
shadow_compat:  ldap
group:          files ldap
netgroup:       ldap

11. To use netgroups to restrict access to the systems, do the following:

Note: This step describes how to configure one server. Make similar changes to other servers, as needed.

a. Add a netgroup to Directory Server, as described in the Adding Netgroups Using the Console section of Part 1.

b. Add the following line to the end of the /etc/passwd file on the Solaris client:

+@<netgroup>

c. Add the following line to the end of the /etc/shadow file on the Solaris client:

+@<netgroup>

Note: Due to a limitation in the pam_ldap module, ensure that there are no trailing colons (:) on the lines you add to the /etc/passwd and /etc/shadow files.

d. Modify the /etc/nsswitch.conf file as described in Step 10.

12. If you are using Open SSH on the Solaris 8 OS, ensure that Open SSH has been compiled with PAM support:

a. Configure Open SSH to use PAM by ensuring the following line is in the /etc/local/etc/sshd_config configuration file:

UsePAM yes

b. Verify that ChallengeResponseAuthentication is not set to no.


Configuring Clients That Run the Solaris 9 OS

1. Verify that the following Solaris 9 LDAP library packages are installed on the client system:

  • SUNWnisu
  • SUNWcsr
  • SUNWcsu
  • SUNWcsl

Note: The following steps configure SSL for communication between the Solaris 9 clients and the directory servers. These steps assume that the directory servers have been configured for SSL according to the Configuring SSL section in Part 1.

2. Verify that the server name in the cn attribute of the server certificate matches the name of the directory server that the client is connecting to. If it does not, change the defaultServerList or the preferredServerList attribute to match the cn attribute of the server certificate.

Note: Solaris 9 native LDAP clients expect Solaris 9 certificate databases to be in a cert7.db database. The certutil utility that ships with the Solaris 9 OS in /usr/sfw/bin creates a cert8.db database. To create a cert7.db database, proceed as follows.

3. If the certutil utility is available on the client system, for example, in /usr/local/bin, verify that the utility can create a cert7.db database, not a cert8.db database.

4. If certutil is not available or creates only a cert8.db database, perform the following substeps:

a. Download the Directory Server Resource Kit 5.2.1, which has a bundled certutil utility.

b. As root, install the Directory Server Resource Kit 5.2.1 on the client system by running the following commands:

# mkdir /tmp/sunone
# unzip dsrk52-SunOS5.8_OPT.zip
# java DSRK

Note: You can install the kit in any directory you want. The following steps assume that it is installed in the /opt/dsrk directory.

5. Add /opt/dsrk/lib to your LD_LIBRARY_PATH.

6. Create the certificate database and add the certificates by running the following commands:

# cd /opt/dsrk/lib/nss/bin
# ./certutil -N -d /var/ldap
# chmod 644 /var/ldap/*.db

7. Import the root CA certificates and the subordinate CA signing certificate (if applicable) into the certificate database:

Note: The following commands assume that the certificate file is in ASCII format. If it is in binary format, remove the -a option from the commands.

# ./certutil -A -a -i <path to root CA cert> -n "RootCA"
  -t "CT" -d /var/ldap
# ./certutil -A -a -i <path to sub CA cert> -n "SubCA"
  -t "CT" -d /var/ldap

8. Configure the client using the ldapclient utility:

a. Back up the /etc/pam.conf and /etc/nsswitch.conf files, then initialize the client with the following command:

# ldapclient init -a profileName=COMPANYprofile -a
    proxyDN=cn=proxyagent,ou=profile,dc=COMPANY,dc=com
    -a domainName=COMPANY.com -a proxyPassword=<password>
    <primary directory server IP address>

Note: If ldapclient fails, check the Directory Server ACIs. For the ldapclient command to succeed, the ACIs should allow for anonymous access. See Recommendations for Directory Server Access Control in Part 4 for details on setting up the ACIs.

b. Verify the configuration on the client:

# ldapclient list

c. The ldapclient initialization modifies the /etc/nsswitch.conf hosts line to point to LDAP. Change the hosts line as follows before proceeding:

hosts:  files dns

9. Configure /etc/pam.conf as follows:

# Not complete. All services have not been defined. Only changes are
# documented.
login   auth requisite      pam_authtok_get.so.1
login   auth required       pam_dhkeys.so.1
login   auth required       pam_dial_auth.so.1
login   auth binding        pam_unix_auth.so.1 server_policy
login   auth required       pam_ldap.so.1 use_first_pass

other   auth requisite      pam_authtok_get.so.1
other   auth required       pam_dhkeys.so.1
other   auth binding        pam_unix_auth.so.1 server_policy
other   auth required       pam_ldap.so.1 use_first_pass

passwd  auth binding        pam_passwd_auth.so.1 server_policy
passwd  auth required       pam_ldap.so.1 use_first_pass

other   account requisite   pam_roles.so.1
other   account required    pam_projects.so.1
other   account binding     pam_unix_account.so.1 server_policy
other   account required    pam_ldap.so.1

other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1
other   password required   pam_authtok_store.so.1 server_policy

10. To use netgroups to restrict access to the systems, do the following:

Note: This step describes how to configure one server. Make similar changes to other servers, as needed.

a. Add a netgroup to Directory Server, as described in the Adding Netgroups Using the Console section of Part 1.

b. Add the following line to the end of the /etc/passwd file on the Solaris client:

+@<netgroup>

c. Add the following line to the end of the /etc/shadow file on the Solaris client:

+@<netgroup>

Note: Due to a limitation in the pam_ldap module, ensure that there are no trailing colons (:) on the lines you add to the /etc/passwd and /etc/shadow files.

11. Modify /etc/nsswitch.conf as follows.

passwd:         compat
shadow:         compat
passwd_compat:  ldap
shadow_compat:  ldap
group:          files ldap
netgroup:       ldap

12. Ensure that the following line exists in the sshd configuration file /etc/ssh/sshd_config:

PAMAuthenticationViaKBDInt	yes

13. If you are using Solaris SSH, use the following substeps (from Sun Alert ID 102451) as a workaround for the Solaris 9 SSL bug.

Note: This issue is addressed in the following releases for SPARC platforms:

  • Solaris 9 with patch 114356-08 or later (BugID 6402708)
  • Solaris 9 with patch 112908-29 or later (BugID 5020096)
  • Solaris 9 with patch 113273-13 or later and 114356-09 or later (BugID 6410762)

a. Disable GSS-API support by adding the following entries to sshd_config(4) (/etc/ssh/sshd_config):

GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPIStoreDelegatedCredentials no

b. In addition, add the following entries to ssh_config(4) (/etc/ssh/ssh_config):

GSSAPIAuthentication no
GSSAPIKeyExchange no

c. Then restart the SSH service by running the following command as root:

# /etc/init.d/sshd restart

Configuring Clients That Run the Solaris 10 OS

1. Verify that the following Solaris 10 native LDAP phase II packages are installed on the client system:

  • SUNWnisu
  • SUNWcsr
  • SUNWcsu
  • SUNWcsl

Note: The following steps configure SSL for communication between the Solaris 10 clients and the directory servers. These steps assume that the directory servers have been configured for SSL according to the Configuring SSL section in Part 1.

2. Verify that the server name in the cn attribute of the server certificate matches the name of the directory server that the client is connecting to. If it does not, change the defaultServerList or the preferredServerList attribute to match the cn attribute of the server certificate.

Note: The Solaris 10 OS comes with a bundled certutil utility in the /usr/sfw/bin directory. Unlike Solaris 8 and 9 clients, Solaris 10 clients expect a cert8.db database.

3. Create the certificate database and add the certificates:

a. Run the following commands:

# /usr/sfw/bin/certutil -N -d /var/ldap
# chmod 644 /var/ldap/*.db

Note: The following commands assume that the certificates are in PEM or DER format. If the certificates have been bundled into a PKCS#12 file, use the import instructions in the "To Export and Import a CA-Signed Server Certificate" section of the administration guide.

b. Import both the root CA and subordinate CA signing certificate into the certificate database:

Note: The following commands assume that the certificate file is in ASCII format. If it is in binary format, remove the -a option from the commands.

# /usr/sfw/bin/certutil -A -a -i <path to root CA cert>
  -n "RootCA" -t "CT" -d /var/ldap
# /usr/sfw/bin/certutil -A -a -i <path to sub CA cert>
  -n "SubCA" -t "CT" -d /var/ldap
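The two checks practitioners most often skip after steps 2 and 3 here (and the equivalent steps 2, 6 and 7 for Solaris 8 and 9) can be scripted. The following is an added example, not code from the article or from Sun: check_certdb confirms that /var/ldap holds the certificate database generation the client release expects (cert7.db for Solaris 8 and 9, cert8.db for Solaris 10) with the 644 mode set above, and server_name_matches confirms that the certificate cn names a host in defaultServerList or preferredServerList. Both function names are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for the TLS side of a native LDAP client. Added example
# for this article, not Sun's code; paths follow the article (/var/ldap).

# check_certdb RELEASE DIR
# Solaris 8 and 9 (uname -r prints 5.8 / 5.9) expect cert7.db, Solaris 10
# (5.10) expects cert8.db. Also enforces the 0644 mode set in the article so
# that unprivileged logins, not only root, can read the database.
check_certdb() {
    rel=$1; dir=$2
    case "$rel" in
        5.8|5.9) want=cert7.db ;;
        5.10)    want=cert8.db ;;
        *) echo "unsupported release $rel" >&2; return 2 ;;
    esac
    if [ ! -f "$dir/$want" ]; then
        echo "$dir/$want missing: Solaris $rel expects $want" >&2
        return 1
    fi
    for db in "$dir"/*.db; do
        mode=$(ls -l "$db" | cut -c1-10)   # portable; no stat(1) on old Solaris
        if [ "$mode" != "-rw-r--r--" ]; then
            echo "$db has mode $mode, expected -rw-r--r-- (chmod 644)" >&2
            return 1
        fi
    done
    return 0
}

# server_name_matches SUBJECT SERVERLIST
# SUBJECT is the server certificate's subject DN, comma- or slash-separated
# (as printed by certutil -L or openssl x509 -subject); SERVERLIST is the
# defaultServerList / preferredServerList value from "ldapclient list",
# hosts optionally suffixed with :port. Returns 0 when the cn names a host.
server_name_matches() {
    subject=$1; list=$2
    cn=$(printf '%s\n' "$subject" | tr ',/' '\n\n' |
         sed -n 's/^[ ]*[Cc][Nn]=//p' | head -1)
    [ -n "$cn" ] || { echo "no cn in subject '$subject'" >&2; return 2; }
    for srv in $list; do
        [ "${srv%%:*}" = "$cn" ] && return 0
    done
    echo "certificate cn '$cn' is not in server list '$list'" >&2
    return 1
}

# Demonstration on constructed input (a scratch directory, not /var/ldap):
demo=$(mktemp -d); touch "$demo/cert8.db" "$demo/key3.db"; chmod 644 "$demo"/*.db
check_certdb 5.10 "$demo" && echo "cert8.db present with mode 644"
server_name_matches "CN=ldap1.COMPANY.com,O=COMPANY" "ldap1.COMPANY.com:636" \
    && echo "certificate cn matches the server list"
rm -rf "$demo"
```

On a real client replace the demonstration with `check_certdb "$(uname -r)" /var/ldap` and feed server_name_matches the DN and server list you read from certutil and ldapclient.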

4. Configure the client using the ldapclient utility:

a. Back up the /etc/pam.conf and /etc/nsswitch.conf files, then initialize the client with the following command:

# ldapclient init -a profileName=COMPANYprofile -a
  domainName="COMPANY.com" -a proxyDN="cn=proxyagent,ou=profile,
  dc=COMPANY,dc=com" -a proxyPassword=<proxy_password>
  <primary directory server IP address>

Note: If ldapclient fails, check the Directory Server ACIs. For the ldapclient command to succeed, the ACIs should allow for anonymous access. See Recommendations for Directory Server Access Control in Part 4 for details on setting up the ACIs.

b. Verify the configuration on the client:

# ldapclient list

c. The ldapclient initialization modifies the /etc/nsswitch.conf hosts line to point to LDAP. Change the hosts line as follows before proceeding:

hosts:  files dns

5. Configure /etc/pam.conf as follows:

# Not complete. All services have not been defined. Only changes are
# documented here.
#
login   auth requisite      pam_authtok_get.so.1
login   auth required       pam_dhkeys.so.1
login   auth required       pam_unix_cred.so.1
login   auth required       pam_dial_auth.so.1
login   auth binding        pam_unix_auth.so.1 server_policy
login   auth required       pam_ldap.so.1

other   auth requisite      pam_authtok_get.so.1
other   auth required       pam_dhkeys.so.1
other   auth required       pam_unix_cred.so.1
other   auth binding        pam_unix_auth.so.1 server_policy
other   auth required       pam_ldap.so.1

passwd  auth binding        pam_passwd_auth.so.1 server_policy
passwd  auth required       pam_ldap.so.1

other   account requisite   pam_roles.so.1
other   account required    pam_projects.so.1
other   account binding     pam_unix_account.so.1 server_policy
other   account required    pam_ldap.so.1

other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1
other   password required   pam_authtok_store.so.1 server_policy

6. To use netgroups to restrict access to the systems, do the following:

Note: This step describes how to configure one server. Make similar changes to other servers, as needed.

a. Add a netgroup to Directory Server, as described in the Adding Netgroups Using the Console section of Part 1.

b. Add the following line to the end of the /etc/passwd file on the Solaris client:

+@<netgroup>

c. Add the following line to the end of the /etc/shadow file on the Solaris client:

+@<netgroup>

Note: Due to a limitation in the pam_ldap module, ensure that there are no trailing colons (:) on the lines you add to the /etc/passwd and /etc/shadow files.

d. Modify the /etc/nsswitch.conf file as described in Step 7.

7. If you will use netgroups to limit access to systems, configure /etc/nsswitch.conf as follows.

passwd:         compat
shadow:         compat
passwd_compat:  ldap
shadow_compat:  ldap
group:          files ldap
netgroup:       ldap
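A check for the netgroup restriction set up in steps 6 and 7 above (and in the equivalent steps for Solaris 8 and 9), added here as an example and not part of the article: it verifies the +@netgroup lines in passwd and shadow, flags the trailing-colon form the pam_ldap note warns about, and compares nsswitch.conf with the lines shown. The function names and the optional directory argument (so the check can run on copies of the files) are this example's own.

```shell
#!/bin/sh
# Verifies the netgroup-based login restriction described in the article.
# Added example, not code from the article.

# check_plus_entry FILE NETGROUP
# 0: FILE has a line that is exactly "+@NETGROUP"
# 3: the line is there but ends in colons ("+@NETGROUP::..."), the form the
#    article says pam_ldap cannot handle
# 1: no such line at all
check_plus_entry() {
    file=$1; ng=$2
    if grep -q "^+@$ng:" "$file"; then
        echo "$file: '+@$ng' carries trailing colons; pam_ldap needs exactly '+@$ng'" >&2
        return 3
    fi
    grep -qx "+@$ng" "$file" && return 0
    echo "$file: no '+@$ng' line found" >&2
    return 1
}

# check_nsswitch FILE
# The compat entries from the article: passwd and shadow are read from the
# files (so the "+@" lines are honoured), the compat lookups and netgroups
# go to ldap. Reports every mismatch and returns 1 if there was any.
check_nsswitch() {
    file=$1; rc=0
    for spec in passwd:compat shadow:compat passwd_compat:ldap \
                shadow_compat:ldap netgroup:ldap; do
        db=${spec%%:*}; want=${spec#*:}
        got=$(awk -v key="$db:" '$1 == key { print $2; exit }' "$file")
        if [ "$got" != "$want" ]; then
            echo "$file: $db is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# check_netgroup_access NETGROUP [ETCDIR]   (ETCDIR defaults to /etc)
check_netgroup_access() {
    ng=$1; etc=${2:-/etc}
    check_plus_entry "$etc/passwd" "$ng" &&
    check_plus_entry "$etc/shadow" "$ng" &&
    check_nsswitch "$etc/nsswitch.conf"
}

# Demonstration on constructed copies (not the real system files); the
# shadow copy deliberately has the trailing-colon form so the check fires.
demo=$(mktemp -d)
printf 'root:x:0:0:Super-User:/:/sbin/sh\n+@admins\n' > "$demo/passwd"
printf 'root:NP:6445::::::\n+@admins::::::\n' > "$demo/shadow"
printf 'passwd:\tcompat\nshadow:\tcompat\npasswd_compat:\tldap\n' > "$demo/nsswitch.conf"
printf 'shadow_compat:\tldap\ngroup:\tfiles ldap\nnetgroup:\tldap\n' >> "$demo/nsswitch.conf"
check_netgroup_access admins "$demo" && echo "netgroup access OK" || echo "fix the entry reported above"
rm -rf "$demo"
```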

8. Ensure that the following line exists in the sshd configuration file /etc/ssh/sshd_config:

PAMAuthenticationViaKBDInt	yes


Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License.
