[LDAP-interop] native solaris 8 client and openldap 2.2: "require bind" / acls

andy bezella andrew.bezella at navitaire.com
Fri Aug 19 10:32:36 EDT 2005


lo -

i am working my way through an attempt to get the native solaris 8 ldap
client (with patch 108993-36) working with openldap 2.2.13 installed
from rpm on Red Hat Enterprise Linux AS release 4 (Nahant Update 1).  i
am pretty much restricted to these versions at this time.  everything
below boils down to: is the "require bind" option (useful and/or)
compatible with the solaris client, and if not what is the best set of
options or acls to use in its place.

i've got the basics working.  i've taken the default slapd.conf and
modified the suffix and rootdn entries, and un-commented and edited
rootpw.  added the initial entries and used the migration scripts to
move over the data from a nis domain.

at that point i can use the ldapclient program to initialize the client:
# ldapclient -i -b "dc=blah,dc=navitaire,dc=com" -d domain \
	-s sub 192.168.9.22
System successfully configured

`ldaplist passwd` returns the expected values, and i can su to a user
(fails with "No directory!" since i haven't gotten automounts set up
yet).  this all appears to be working properly.

the problems arise as i try to incrementally increase security.  my
initial step was simply to try to exclude unauthenticated access.  in
slapd.conf, the desired option seemed to be "require bind" (which,
afaict, differs from "require authc" in that it would still allow
anonymous binds).  i created a
"cn=proxyagent,ou=profile,dc=blah,dc=navitaire,dc=com" ldap entry for
the clients to use (i don't think it matters, but i'll mention that the
full dn has four "dc=blah" components).  since eventually i hope to
implement tls, i am planning on using simple authentication.

if that isn't the proper way to do it, and it is instead better
attempted through acls, then everything below here might be pointless.
i've taken these acl directives from
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
and they appear to work:
  # ACL directives
  access to attrs=userPassword
            by self write
            by * auth
  access to dn="" 
            by * read
  access to dn="ou=People,dc=example,dc=com"
            by self write
            by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
            by users auth
            by anonymous read
  access to *
            by self write
            by * read
i am browsing to see if they can be tightened down in this situation
while maintaining functionality.  any suggestions?

the remainder deals with my struggle with "require bind:"
# ldapsearch -h 149.122.9.22 -b "" -s base '(objectclass=*)' \
namingContexts
now fails but:
# ldapsearch -h 149.122.9.22 -b "" -s base \
	-D "cn=proxyagent,ou=profile,dc=blah,dc=navitaire,dc=com" \
	-w passwd '(objectclass=*)' namingContexts
succeeds.  again, seems to be working as i expect.  however, no matter
what i try, i cannot seem to get the ldapclient routine to successfully
initialize the client.
# ldapclient -i -b "dc=blah,dc=navitaire,dc=com" \
	-D "cn=proxyagent,ou=profile,dc=blah,dc=navitaire,dc=com" \
	-w passwd -d domain -s sub -c proxy -a simple 192.168.9.22
hangs and i have to ^C the script:
^Cstart: /usr/lib/ldap/ldap_cachemgr... failed
"/usr/lib/ldap/ldap_cachemgr" returned: 33280

the slapd.log shows repeated:
Aug 16 16:39:00 nvtmmds001 slapd[24159]: >>> dnPrettyNormal: <>
Aug 16 16:39:00 nvtmmds001 slapd[24159]: <<< dnPrettyNormal: <>, <>
and
Aug 16 16:39:00 nvtmmds001 slapd[24159]: send_ldap_result: err=1
matched="" text="BIND required"
but i cannot find any method to tweak the solaris8 ldapclient to bind
before it attempts directory operations.  i have tried adding "allow
bind_anon_cred bind_anon_dn" to slapd.conf without effect.

i've also tried using profiles (fails with "__ns_ldap_list return NULL
resultp") and simply starting the solaris ldap services with the
existing /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred files
(appears to hang similarly to a manual configuration).

i've been using http://web.singnet.com.sg/~garyttt/ and
http://www.ypass.net/solaris8/openldap/ as references, as well as the
o'reilly and sun blueprints books.  while there are some recipes that
appear to work, i feel that i am falling short on understanding...  any
suggestions or thoughts are welcome.

thanks in advance...

	andy

-- 
andy bezella <andrew.bezella at navitaire.com>
navitaire, inc.
_______________________________________________
LDAP-interop mailing list
LDAP-interop at fini.net
http://lists.fini.net/mailman/listinfo/ldap-interop
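One way to express the "no unauthenticated access to account data" goal through ACLs rather than "require bind", added here as an example and not part of the original post: the suffix and proxyagent DN are taken from the message above, while the ou=People and ou=Group containers and the client's pam_unix password handling are assumptions.

```conf
# Added example (not the poster's configuration): slapd.conf ACLs that deny
# anonymous access to account data while leaving the Solaris 8 client a path
# in. Assumed: the poster's suffix and proxyagent DN, ou=People and ou=Group
# containers as created by the migration scripts, and a pam_unix client that
# reads password hashes through the proxy agent.

# Anonymous clients may read the rootDSE (namingContexts) and nothing else.
access to dn.base=""
        by * read

# Password hashes: owner may change, proxy agent may read (pam_unix compares
# the hash on the client; with pam_ldap "read" can become "auth"), everyone
# else may only use the attribute to authenticate (bind).
access to attrs=userPassword
        by self write
        by dn.exact="cn=proxyagent,ou=profile,dc=blah,dc=navitaire,dc=com" read
        by anonymous auth
        by * none

# Account entries: "self write" is limited to harmless attributes so a user
# cannot rewrite uidNumber, gidNumber or homeDirectory on their own entry.
access to dn.subtree="ou=People,dc=blah,dc=navitaire,dc=com"
        attrs=loginShell,gecos,description
        by self write
        by dn.exact="cn=proxyagent,ou=profile,dc=blah,dc=navitaire,dc=com" read
        by users read
        by * none

access to dn.subtree="ou=People,dc=blah,dc=navitaire,dc=com"
        by dn.exact="cn=proxyagent,ou=profile,dc=blah,dc=navitaire,dc=com" read
        by users read
        by * none

access to dn.subtree="ou=Group,dc=blah,dc=navitaire,dc=com"
        by dn.exact="cn=proxyagent,ou=profile,dc=blah,dc=navitaire,dc=com" read
        by users read
        by * none

# Client profiles: only the proxy agent needs to read them.
access to dn.subtree="ou=profile,dc=blah,dc=navitaire,dc=com"
        by dn.exact="cn=proxyagent,ou=profile,dc=blah,dc=navitaire,dc=com" read
        by * none

# Default deny for everything not matched above.
access to *
        by * none
```

Rules are evaluated in order and the first matching "by" clause wins, so the rootDSE and userPassword rules must stay above the catch-all; an anonymous ldapsearch of the suffix should now return nothing while the bound proxyagent search still succeeds.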