Getting Solaris 10 to Authenticate Against OpenLDAP
Brief History:
I’m busy setting up a new debug/staging environment at work so that we can consolidate the many tens of old FreeBSD 4.4 (ohgod) and Solaris 9/10 servers into a few distinct Solaris 10 servers. Personally, I would have gone with some sort of Linux distro, but for some reason somebody thinks that Solaris is the way to go. Now, if we were switching to OpenSolaris, I might not complain too much, as it has a proper package management system and recent versions of applications, but Solaris 10? Short of me becoming a certified Solaris admin, it is pretty painful to deal with - the install is designed more as a rite of passage than an application, finding out what went wrong where is better left to those with an ability to see into the ninth dimension, etc. However, Solaris 10 is what I have to work with, so on we go.
The Servers:
The idea is relatively simple - one Sun V40z with a large RAID 5 array running openfiler, connected to two networks, one for debug and one for staging. The debug environment would then have two V40zs with an iSCSI mount that stores data that needs to be shared between the servers (configuration files, J2EE apps and the like), along with some zones to allow us to run WebLogic 9.2 and 10.3 side by side plus zones for Apache/Perl/PHP stuff. There are also two V20zs that will be set up with iSCSI to support an Oracle RAC instance. There is a final pair of V20zs that are to be used for any Windows-specific services (we have one or two). All of these servers will be set up to talk to the OpenLDAP server that openfiler ships with, so that we can have a centralized location to store credentials.
The Implementation:
After doing some digging, it appeared that there were two ways of getting Solaris 10 to use LDAP - PADL’s pam_ldap module, or configuring Solaris natively using a tool called ‘ldapclient.’ I chose the latter, since it is the native way of doing things, and I didn’t want to download/compile/manage anything special. More digging ensued, and I ran into a ton of documentation talking about setting ldapclient up under Solaris 8 or 9, but not much for setting up Solaris 10. This is pretty odd, since Solaris 10 is four years old at this point; not exactly new. Thus began the travails into trial and error - and into seeing how far I could push myself before I lost my grip on reality. With that noted, on we go!
The first step is to set up openfiler to use LDAP - not a very difficult task to do! You just need to log in to the openfiler administration UI, tell it to use LDAP, and off you go. Some of the defaults that openfiler used didn’t sit well, so I hacked at it for a bit. Pop open the file /opt/openfiler/var/www/includes/ldap.inc in a text editor; I changed the home directory from “/dev/null” to “/export/home/”.$username so that the directory would be valid. I also changed the shell from /bin/false to /bin/bash as I actually wanted my users to be able to log in to remote places (note that this turns every LDAP account into a shell account on every client that trusts the directory, so only create users who should have that). I also modified the create_slapd() function, as the LDAP config will be (re)written when you enable LDAP and Solaris needs a more specific setup. You need to download the nisdomainobject schema, DUAConfigProfile schema and solaris schema to /etc/openldap/schema/ and then add them as includes to the slapd.conf file. I also added a section at the bottom of the config generator to add in TLS support, as transmitting credentials in cleartext is a no-no. (Of course, I discovered that ldapclient has issues talking TLS, but that’s a problem for later.)
So, openfiler is now serving up our LDAP content; time to modify the directory itself! Step one: the entry at the top of your suffix (the base DN, e.g. dc=blah,dc=me - strictly the base entry rather than the root DSE) needs two additional object classes, domainRelatedObject and nisDomainObject. Each brings a required attribute (associatedDomain and nisDomain respectively), and both should be set to the same value, your domain name. So, if your base DN is dc=blah,dc=me, both attributes would be set to blah.me. With the base entry extended, you need to add a profile that ldapclient will use to configure itself. This requires two entries to be created - a new OU and an entry underneath it. Here is the LDIF - keep the blank line between the two entries (LDIF needs it), change the IPs and off you go! One caveat: authenticationMethod: simple together with credentialLevel: proxy means the proxy account’s password is sent to the server in cleartext on every bind, so this profile is only acceptable on a network you trust; the fix is authenticationMethod: tls:simple once TLS is working.
dn: ou=profile,dc=blah,dc=me
objectClass: organizationalUnit
objectClass: top
ou: profile

dn: cn=Solaris,ou=profile,dc=blah,dc=me
objectClass: DUAConfigProfile
objectClass: top
cn: Solaris
authenticationMethod: simple
bindTimeLimit: 2
credentialLevel: proxy
defaultSearchBase: dc=blah,dc=me
defaultSearchScope: sub
defaultServerList: 10.10.10.10
followReferrals: TRUE
preferredServerList: 10.10.10.10
profileTTL: 0
searchTimeLimit: 30
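As an added example (written for this write-up, not code from the original post, from openfiler or from Solaris), here is a small Python script that covers both directory changes described above: it emits the ldapmodify LDIF that extends the base entry with domainRelatedObject/nisDomainObject, emits the ou=profile container plus a DUAConfigProfile entry, and then parses the profile LDIF back and lints it for the things ldapclient will trip over or that are unsafe (missing attributes, hostnames instead of IPs, a cleartext simple bind with a proxy credential, a profileTTL of 0). The placeholder values are the page’s own (dc=blah,dc=me, blah.me, 10.10.10.10); the port stripping in the IP check assumes IPv4 addresses, and the lint is not a full schema check.

```python
"""Build and sanity-check the LDIF that Solaris 10's ldapclient consumes.

Added example for this write-up, not code from the original post, openfiler
or Solaris.  Placeholder values are the page's (dc=blah,dc=me, blah.me,
10.10.10.10).  The lint covers the attributes ldapclient needs and the
cleartext-bind caveat above; it is not a full DUAConfigProfile schema check.
"""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]


def base_dn_modify_ldif(base_dn: str, domain: str) -> str:
    """ldapmodify input extending the suffix entry with the two object classes
    ldapclient looks for; each requires one attribute, set to the same domain."""
    return "\n".join([
        f"dn: {base_dn}", "changetype: modify",
        "add: objectClass", "objectClass: domainRelatedObject",
        "objectClass: nisDomainObject", "-",
        "add: associatedDomain", f"associatedDomain: {domain}", "-",
        "add: nisDomain", f"nisDomain: {domain}", "",
    ])


def profile_ldif(base_dn: str, name: str, servers: List[str],
                 tls: bool = True, profile_ttl: int = 43200) -> str:
    """ou=profile container plus one DUAConfigProfile.  tls=False and
    profile_ttl=0 reproduce the page's entry; the defaults give a TLS bind
    and a twice-daily profile refresh."""
    server_list = " ".join(servers)
    return "\n".join([
        f"dn: ou=profile,{base_dn}", "objectClass: organizationalUnit",
        "objectClass: top", "ou: profile",
        "",  # blank line: LDIF entry separator
        f"dn: cn={name},ou=profile,{base_dn}", "objectClass: DUAConfigProfile",
        "objectClass: top", f"cn: {name}",
        f"authenticationMethod: {'tls:simple' if tls else 'simple'}",
        "bindTimeLimit: 2", "credentialLevel: proxy",
        f"defaultSearchBase: {base_dn}", "defaultSearchScope: sub",
        f"defaultServerList: {server_list}", "followReferrals: TRUE",
        f"preferredServerList: {server_list}", f"profileTTL: {profile_ttl}",
        "searchTimeLimit: 30", "",
    ])


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line-separated entries, 'attr: value' lines,
    folded continuation lines (leading space), '#' comments.  Attribute names
    are lower-cased because LDAP compares them case-insensitively.  Base64
    ('::') and URL (':<') values are not handled."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    dn, attrs = None, {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def lint_profile(attrs: Dict[str, List[str]]) -> List[str]:
    """Findings for one parsed entry (keys lower-cased as parse_ldif emits them)."""
    findings: List[str] = []
    if "duaconfigprofile" not in {o.lower() for o in attrs.get("objectclass", [])}:
        findings.append("entry is not a DUAConfigProfile")
    for name in ("defaultServerList", "defaultSearchBase",
                 "authenticationMethod", "credentialLevel"):
        if name.lower() not in attrs:
            findings.append(f"missing {name}")
    for name in ("defaultserverlist", "preferredserverlist"):
        for server in " ".join(attrs.get(name, [])).split():
            host = server.split(":")[0]  # strip an optional :port (IPv4 only)
            try:
                ipaddress.ip_address(host)
            except ValueError:
                findings.append(f"{name}: {server!r} is not an IP address; use addresses "
                                "so the client does not depend on DNS to find the "
                                "directory that serves its own name service")
    methods = {m.strip() for m in
               " ".join(attrs.get("authenticationmethod", [])).lower().split(";")}
    level = " ".join(attrs.get("credentiallevel", [])).lower()
    if "proxy" in level and "none" in methods:
        findings.append("credentialLevel proxy needs an authenticationMethod other than none")
    if "proxy" in level and "simple" in methods:
        findings.append("plain simple bind with credentialLevel proxy: the proxy password "
                        "crosses the wire in cleartext; use tls:simple")
    if attrs.get("profilettl", [""])[0] == "0":
        findings.append("profileTTL 0: the client never re-downloads the profile, so later "
                        "server-side changes need another ldapclient init")
    return findings


if __name__ == "__main__":
    print(base_dn_modify_ldif("dc=blah,dc=me", "blah.me"))
    page_style = profile_ldif("dc=blah,dc=me", "Solaris", ["10.10.10.10"],
                              tls=False, profile_ttl=0)
    for dn, entry in parse_ldif(page_style):
        for finding in lint_profile(entry):
            print(f"{dn}: {finding}")
```

Feed the first function’s output to ldapmodify and the second’s to ldapadd; the lint pass on the page-style profile reports the cleartext bind and the never-refresh TTL, and is silent on the tls:simple variant, which is the shape to aim for once ldapclient’s TLS problems are sorted out.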
Next step - configure LDAP on Solaris! Run this command, replacing the password with the proxy account’s password and using the correct IP of the openfiler server. The proxy DN only needs read access to the profile and to the user/group data, so use a dedicated read-only account rather than the directory’s rootdn. Be aware that a password on the command line ends up in your shell history and is visible in the process list while the command runs; ldapclient then stores it in /var/ldap/ldap_client_cred (root-only, but in an obfuscated rather than encrypted form):
ldapclient init -a proxyPassword=somepassword -a proxyDN=cn=openfiler,dc=blah,dc=me -a domainName=blah.me -a profileName=Solaris 10.10.10.10
When it is done (may take a while, and doesn’t tell you SQUAT about what it is doing), you should see this:
System successfully configured
If you don’t, you are in problem town; run the same command with -v before init (ldapclient -v init ...) so you can see what it is doing. On one of the RAC clients the LDAP service (svc:/network/ldap/client:default) was stuck in maintenance mode, which was hoofing everything up; svcs -x svc:/network/ldap/client:default reports why a service is in maintenance, and svcadm clear puts it back in service once the cause is fixed. I had to manually create the /var/ldap/ldap_client_cred and /var/ldap/ldap_client_file files, fire the service up, then try again. Hopefully you don’t have any issues, as it is very difficult to figure out what is going on and how to fix it - I wasted a HUGE chunk of time yesterday trying to get the ldapclient command to work.
At this point you should be done, and should be able to create a user in openfiler and log in as that user on your Solaris 10 machine. Two notes to this little guide: I still haven’t figured out how to get Solaris/TLS to work yet, and I also need to find out how to have a user’s non-existent home directory created automatically when they log in for the first time. But hey, that is what Friday is for!
Good luck!