[geeks] Authenticating Solaris 9 from AD

Mike Meredith mike at redhairy1.demon.co.uk
Tue Sep 27 17:45:48 CDT 2005


On Tue, 27 Sep 2005 13:50:55 -0500, David Stipp wrote:
> I have a unix only solution using openldap + mit krb5. Works pretty
> nicely between linux & solaris machines.

Well given a choice, I'd rather do that myself. But I'm not going to
recreate the 60,000 accounts already in the NDS. Mind you, I've noticed
that our NDS seems to be creeping across onto Linux servers.

> I found it was easier to set my ldap server to output way too much
> debug information, and go through that.

It wasn't my LDAP server, and I couldn't dedicate an LDAP server just
for testing for a long period (our LDAP servers get a *lot* of queries),
and the NDS server log files are clumsy to generate and not especially
helpful.

> > Running something like 'id meredith' would result in just 'No such
> > user', and there would be nothing in the logs to indicate what the
> > problem might be (something like "ldapauth: 'meredith' lacks
> > 'gecos', 'loginShell' attributes" would be nice).
> 
> That *does* work with mine. Are you sure you have nss setup right? Or
> all the correct fields for each user entry?

Pretty sure. After all I did get Sun to assist me, and it was definitely
working. But definitely no detailed logging in the obvious places.

> If you follow that, all you will have to add is
> 'objectClass: shadowAccount' to the records and it will work on

Ha! I also write the code that manages the NDS student accounts, and it
sure ain't that simple with NDS. You can't add an objectclass to an
existing object unless it has the required attributes, and you can't add
the required attributes unless it has the associated objectclass. If you
add all of the stuff in one call (I previously used something that
couldn't do this), you have to add the attributes in the right
*undocumented* order. Novell has a "TID" sketching out how it might be
done, and the example code is wrong.

And people wonder why my desk has bite marks in it.

(The new academic year starts next Monday, so anytime anybody mentions
LDAP, NDS, or account management I automatically go into rant mode.)
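The diagnostic the thread wishes the client would emit (which object class or attribute a user entry lacks, instead of a bare "No such user") can be produced offline from an LDIF export. The script below is an added example, not code from the thread or from any Sun, Novell or Microsoft product: it parses LDIF, checks each entry against the RFC 2307 MUST attributes of posixAccount and shadowAccount, and prints one log-style line per user. The LDIF is constructed sample data; treating gecos and loginShell as warnings rather than fatal errors is an assumption, since what a given NSS client does when they are absent is client-specific.

```python
"""Added example (not from the thread): report *why* an LDAP user entry would
fail an NSS lookup instead of a bare "No such user". Sample LDIF is constructed."""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values

# RFC 2307 MUST attributes per object class.
REQUIRED: Dict[str, Tuple[str, ...]] = {
    "posixAccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
    "shadowAccount": ("uid",)}
# RFC 2307 MAY attributes an NSS client still needs for a usable passwd(5) entry.
# Assumption: reported as warnings; whether a client treats absence as fatal varies.
RECOMMENDED: Dict[str, Tuple[str, ...]] = {"posixAccount": ("gecos", "loginShell")}

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF: blank-line separated entries, 'attr: value' lines, continuation
    lines starting with one space. Names lower-cased (LDAP is case-insensitive);
    base64 ('::') values are not handled."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # unfold: drop exactly one space
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:                    # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def diagnose(entry: Entry) -> Dict[str, List[str]]:
    """Missing object classes, MUST attributes and recommended attributes."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    out: Dict[str, List[str]] = {"classes": [], "required": [], "recommended": []}
    for oc, attrs in REQUIRED.items():
        if oc.lower() not in classes:
            out["classes"].append(oc)            # the NSS search filter would not match
        else:
            out["required"] += [a for a in attrs if a.lower() not in entry]
    for oc, attrs in RECOMMENDED.items():
        if oc.lower() in classes:
            out["recommended"] += [a for a in attrs if a.lower() not in entry]
    return out

def report(entry: Entry) -> str:
    """One log-style line per entry, shaped like the message the thread asks for."""
    uid = entry.get("uid", ["<no uid>"])[0]
    d = diagnose(entry)
    parts = []
    for key, label in (("classes", "missing objectClass "), ("required", "lacks required "),
                       ("recommended", "lacks ")):
        if d[key]:
            parts.append(label + ", ".join(repr(n) for n in d[key]))
    return f"ldapcheck: '{uid}' " + ("; ".join(parts) if parts else "ok")

def check_ldif(text: str) -> List[str]:
    return [report(e) for e in parse_ldif(text)]

SAMPLE_LDIF = """\
# constructed sample, not a real directory export
dn: cn=meredith,ou=people,o=example
objectClass: inetOrgPerson
objectClass: posixAccount
cn: meredith
uid: meredith
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/meredith

dn: cn=rbrown,ou=people,o=example
objectClass: posixAccount
cn: rbrown
uid: rbrown
uidNumber: 10002
loginShell: /bin/ksh
gecos: R. Brown

dn: cn=jsmith,ou=people,o=example
objectClass: posixAccount
objectClass: shadowAccount
cn: jsmith
uid: jsmith
uidNumber: 10003
gidNumber: 100
homeDirectory: /home/jsmith
loginShell: /bin/ksh
gecos: Jane Smith, Example
  University
"""

if __name__ == "__main__":
    print("\n".join(check_ldif(SAMPLE_LDIF)))
```

Run against a real export (ldapsearch -LLL output works as input) to find accounts that will vanish from `id` before the clients do; the folded gecos value shows that LDIF continuation lines are unfolded before checking, so a wrapped attribute is not misreported as missing.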


