Исходное сообщение
"Solaris 10 родной ldap-клиент."
Отправлено tungus, 23-Авг-08 02:45 
1. Собственно, я это делал — но с использованием LDAP-профилей (DUAConfigProfile, RFC 4876), а не ручной правки клиента. Клиенты — Solaris 10 SPARC и x86.

Добавить в схему OpenLDAP (include в slapd.conf после nis.schema — часть определений ниже от него зависит):
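# DUA configuration profile schema (RFC 4876):
# http://www.rfc-editor.org/rfc/rfc4876.txt
# Updated to match RFC 4876 2007-2007
# Everything above the objectIdentifier line must be a '#' comment: the
# first line was pasted without it, and slapd treats a bare line like that
# as an unknown directive (configuration error) instead of a comment.
objectIdentifier      DUAConfSchemaOID        1.3.6.1.4.1.11.1.3.1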

# Server selection, limits and referral handling for the DUA (the client).
attributetype ( DUAConfSchemaOID:1.0 NAME 'defaultServerList'
            DESC 'Default LDAP server host address used by a DUA'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

attributetype ( DUAConfSchemaOID:1.1 NAME 'defaultSearchBase'
            DESC 'Default LDAP base DN used by a DUA'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE )

# Servers listed here are contacted before those in defaultServerList.
attributetype ( DUAConfSchemaOID:1.2 NAME 'preferredServerList'
            DESC 'Preferred LDAP server host addresses to be used by a
            DUA'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

attributetype ( DUAConfSchemaOID:1.3 NAME 'searchTimeLimit'
            DESC 'Maximum time in seconds a DUA should allow for a
            search to complete'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

attributetype ( DUAConfSchemaOID:1.4 NAME 'bindTimeLimit'
            DESC 'Maximum time in seconds a DUA should allow for the
            bind operation to complete'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

# RFC 4876 gives this attribute Boolean syntax; the IA5 form below is what
# the OpenLDAP-shipped duaconf.schema uses and it still takes the TRUE/FALSE
# values the profiles below set. Security note: a client that follows
# referrals will talk to whatever server the directory points it at, so keep
# it TRUE only when every referred-to server is trusted as much as this one.
attributetype ( DUAConfSchemaOID:1.5 NAME 'followReferrals'
            DESC 'Tells DUA if it should follow referrals
            returned by a DSA search result'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
            SINGLE-VALUE )

# How the DUA itself binds (e.g. none, simple, tls:simple). 'simple' without
# a 'tls:' prefix sends the proxy password in clear text on every bind.
attributetype ( DUAConfSchemaOID:1.6 NAME 'authenticationMethod'
            DESC 'A keystring which identifies the type of
            authentication method used to contact the DSA'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
            SINGLE-VALUE )

# How often clients re-fetch the profile; changes made on the server take
# effect on a client only after this many seconds.
attributetype ( DUAConfSchemaOID:1.7 NAME 'profileTTL'
            DESC 'Time to live, in seconds, before a client DUA
            should re-read this configuration profile'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
            SINGLE-VALUE )

attributetype ( DUAConfSchemaOID:1.9 NAME 'attributeMap'
            DESC 'Attribute mappings used by a DUA'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Which identity the DUA binds with for lookups: anonymous, proxy, self.
# Several values (e.g. 'proxy anonymous') are tried in the given order.
attributetype ( DUAConfSchemaOID:1.10 NAME 'credentialLevel'
            DESC 'Identifies type of credentials a DUA should
            use when binding to the LDAP server'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
            SINGLE-VALUE )

attributetype ( DUAConfSchemaOID:1.11 NAME 'objectclassMap'
            DESC 'Objectclass mappings used by a DUA'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( DUAConfSchemaOID:1.12 NAME 'defaultSearchScope'
            DESC 'Default search scope used by a DUA'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
            SINGLE-VALUE )

attributetype ( DUAConfSchemaOID:1.13 NAME 'serviceCredentialLevel'
            DESC 'Identifies type of credentials a DUA
            should use when binding to the LDAP server for a
            specific service'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Per-service search base/scope/filter, format 'service:base[?scope?filter]'.
attributetype ( DUAConfSchemaOID:1.14 NAME 'serviceSearchDescriptor'
            DESC 'LDAP search descriptor list used by a DUA'
            EQUALITY caseExactMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Per-service override of authenticationMethod, e.g. 'pam_ldap:tls:simple'.
# This is the value that decides whether a user's password is sent over TLS
# or in clear during login (pam_ldap) and password change (passwd-cmd).
attributetype ( DUAConfSchemaOID:1.15 NAME 'serviceAuthenticationMethod'
            DESC 'Authentication method used by a service of the DUA'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

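# Pasted as 'attributeTypes: (' -- that is the cn=config/LDIF spelling. In
# a slapd.conf-style schema file the directive is 'attributetype (' like
# the entries above; with the LDIF spelling slapd rejects the line.
attributetype ( DUAConfSchemaOID:1.16 NAME 'dereferenceAliases'
            DESC 'Specifies if a service or agent either requires, supports, or uses dereferencing of aliases.'
            EQUALITY booleanMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )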

# The profile entry itself (RFC 4876). Only cn is mandatory; everything the
# Solaris client needs (servers, base, credentialLevel, auth methods) is MAY,
# so a profile with a missing attribute loads fine and just falls back to
# the client default -- check each profile below explicitly.
objectclass ( DUAConfSchemaOID:2.5 NAME 'DUAConfigProfile'
          SUP top STRUCTURAL
          DESC 'Abstraction of a base configuration for a DUA'
          MUST ( cn )
          MAY ( defaultServerList $ preferredServerList $
                defaultSearchBase $ defaultSearchScope $
                searchTimeLimit $ bindTimeLimit $
                credentialLevel $ authenticationMethod $
                followReferrals $ serviceSearchDescriptor $
                serviceCredentialLevel $ serviceAuthenticationMethod $
                objectclassMap $ attributeMap $
                profileTTL $ dereferenceAliases ) )

# Auxiliary classes from the older draft schema; used by the PADL
# (nss_ldap/pam_ldap) profile below, not by the Solaris client.
objectclass ( DUAConfSchemaOID:2.1 NAME 'posixNamingProfile'
      SUP top AUXILIARY
      DESC 'POSIX naming profile'
      MAY ( attributeMap $ serviceSearchDescriptor ) )

objectclass ( DUAConfSchemaOID:2.2 NAME 'configurationProfile'
      SUP top AUXILIARY
      DESC 'Configuration profile'
      MUST ( cn )
      MAY ( attributeMap $ serviceSearchDescriptor ) )

# depends on nis.schema
# See http://docs.sun.com/app/docs/doc/816-4556/appendixa-2,
# http://docs.hp.com/en/J4269-90074/ch04s02.html
# These are RFC 2307bis additions (nisDomainObject, automount*) that the
# stock OpenLDAP nis.schema may or may not already contain depending on the
# OpenLDAP version -- slapd refuses a second definition of the same name,
# so drop any that are already defined in your nis.schema.

# nisDomain on the naming context must equal the domainName passed to
# ldapclient (step 6), otherwise the client will not find its profile.
attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
       DESC 'NIS domain'
       EQUALITY caseIgnoreIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject'
      SUP top AUXILIARY
      DESC 'Associates a NIS domain with a naming context'
      MUST ( nisDomain ) )

attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
      DESC 'automount Map Name'
      EQUALITY caseExactMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
      DESC 'Automount Key value'
      EQUALITY caseExactMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE )

# Mount options and source for a key; anyone allowed to write this
# attribute decides what the clients mount, so keep it read-only for the
# proxy DN and regular users.
attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
      DESC 'Automount information'
      EQUALITY caseExactMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      SINGLE-VALUE )

objectclass (1.3.6.1.1.1.2.16 NAME 'automountMap'
      SUP top STRUCTURAL
      MUST ( automountMapName )
      MAY description )

objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount'
      SUP top STRUCTURAL
      DESC 'Automount'
      MUST ( automountKey $ automountInformation )
      MAY description )
2. Начальный LDIF (dc=someorg, someorg и адреса 10.1.2.x — плейсхолдеры, замените на свои):

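dn: ou=Ldap,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Ldap
description: Ldap Users

# Proxy account the Solaris clients bind as (the proxyDN given to ldapclient
# in step 6). The password is stored hashed ({SSHA}...); its clear-text
# value is the proxyPassword every client keeps under /var/ldap, so treat it
# as a shared secret and give this DN read-only ACLs.
# The value is kept on one line on purpose: an LDIF continuation line must
# start with a single space, and a wrapped line without that space (as in
# the original paste) makes ldapadd reject the entry.
dn: cn=Solaris,ou=Ldap,dc=someorg
cn: Solaris
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: top
userPassword:: e1NTSEF9UzJSbGlpWG0wR09MTFhEall0UldDMTBFd1dJSks1RTdLempLUFE9PQ==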

# Naming context for all POSIX data. nisDomain here must match the
# domainName passed to ldapclient (step 6); it is how the client finds
# ou=Profile under this subtree.
dn: ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
objectClass: nisDomainObject
ou: Posix
l: None
nisDomain: someorg

dn: ou=Computers,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Computers

dn: ou=Idmap,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Idmap

# Samba domain / id-pool entry. Nothing in the Solaris profiles below refers
# to it, so it can be omitted on a directory without Samba. sambaSID is a
# placeholder -- use your real domain SID. uidNumber/gidNumber here are the
# next free ids Samba allocates from, not an account.
dn: sambaDomainName=SOMEORG,ou=Posix,dc=someorg
objectClass: sambaDomain
objectClass: sambaUnixIdPool
objectClass: top
sambaDomainName: SOMEORG
sambaSID: S-1-5-21-2324298634-3382198163-123456789
sambaRefuseMachinePwdChange: 0
sambaLockoutThreshold: 0
sambaMinPwdAge: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaForceLogoff: -1
gidNumber: 1004
sambaPwdHistoryLength: 5
uidNumber: 1028
sambaNextRid: 1015

# One container per NSS map. Only People, Group and Netgroup are consulted
# by the nsswitch.ldap in step 3; the rest are created for completeness.
dn: ou=Rpc,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Rpc

dn: ou=Protocols,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Protocols

# Holds the DUAConfigProfile entries the clients download; this is the
# subtree that must be readable by the proxy DN (and anonymously if clients
# are initialised before they have proxy credentials).
dn: ou=Profile,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Profile

dn: ou=Networks,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Networks

dn: ou=Netgroup,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Netgroup

dn: ou=Mounts,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Mounts

dn: ou=Aliases,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Aliases

dn: ou=Ethers,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Ethers

dn: ou=Hosts,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Hosts

dn: ou=Services,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Services

dn: ou=Group,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: Group

dn: ou=People,ou=Posix,dc=someorg
objectClass: organizationalUnit
objectClass: top
ou: People

# Automount maps. They stay unused until 'automount:' in nsswitch.ldap is
# changed from 'files' to include ldap.
dn: automountMapName=auto_home,ou=Posix,dc=someorg
automountMapName: auto_home
objectClass: automountMap
objectClass: top

dn: automountMapName=auto_master,ou=Posix,dc=someorg
automountMapName: auto_master
objectClass: automountMap
objectClass: top

# Plain (non-TLS) Solaris profile, kept for reference; step 6 uses
# Solaris_pam_ldap_tls instead.
# credentialLevel 'proxy anonymous': bind as the proxyDN first, fall back
# to an anonymous bind. authenticationMethod 'simple' with no 'tls:' prefix
# means the proxy password crosses the wire in clear on every bind, and no
# serviceAuthenticationMethod is set, so pam_ldap would do the same with
# user passwords -- acceptable only on a trusted network.
dn: cn=Solaris,ou=Profile,ou=Posix,dc=someorg
objectClass: DUAConfigProfile
objectClass: top
cn: Solaris
defaultSearchBase: ou=Posix,dc=someorg
defaultServerList: 10.1.2.10
bindTimeLimit: 2
searchTimeLimit: 30
followReferrals: TRUE
credentialLevel: proxy anonymous
authenticationMethod: simple
defaultSearchScope: sub
profileTTL: 3600

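# Profile for PADL nss_ldap/pam_ldap clients (not used by the Solaris
# client). The service search descriptors must point at the containers
# created above, which live under ou=Posix,dc=someorg; the original paste
# had dc=Posix, an entry that does not exist, so every lookup through this
# profile would have returned nothing.
dn: cn=Padl,ou=Profile,ou=Posix,dc=someorg
objectClass: DUAConfigProfile
objectClass: posixNamingProfile
objectClass: top
cn: Padl
defaultSearchScope: one
defaultServerList: ldap.someorg
serviceSearchDescriptor: aliases:ou=Aliases,ou=Posix,dc=someorg
serviceSearchDescriptor: fstab:ou=Mounts,ou=Posix,dc=someorg
serviceSearchDescriptor: group:ou=Group,ou=Posix,dc=someorg
serviceSearchDescriptor: hosts:ou=Hosts,ou=Posix,dc=someorg
serviceSearchDescriptor: netgroup:ou=Netgroup,ou=Posix,dc=someorg
serviceSearchDescriptor: networks:ou=Networks,ou=Posix,dc=someorg
serviceSearchDescriptor: passwd:ou=People,ou=Posix,dc=someorg
serviceSearchDescriptor: protocols:ou=Protocols,ou=Posix,dc=someorg
serviceSearchDescriptor: rpc:ou=Rpc,ou=Posix,dc=someorg
serviceSearchDescriptor: services:ou=Services,ou=Posix,dc=someorg
defaultSearchBase: ou=Posix,dc=someorg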

# 'default' is the profile name ldapclient uses when none is given; here it
# is an alias entry pointing at the cn=Solaris profile above (the non-TLS
# one). credentialLevel/profileTTL on the alias itself are presumably meant
# as overrides, but whether a client sees them depends on alias
# dereferencing -- TODO confirm against a real client before relying on it.
dn: cn=default,ou=Profile,ou=Posix,dc=someorg
aliasedObjectName: cn=Solaris,ou=Profile,ou=Posix,dc=someorg
cn: default
objectClass: extensibleObject
objectClass: alias
objectClass: top
credentialLevel: proxy
profileTTL: 600

# Non-TLS variant: NSS lookups run anonymously (credentialLevel: anonymous,
# authenticationMethod: none) so anonymous read on ou=Posix must be allowed
# for it to work. pam_ldap and passwd-cmd use a plain 'simple' bind, i.e.
# the user's password crosses the network unencrypted at every login and
# password change. Prefer Solaris_pam_ldap_tls; keep this one only for an
# isolated lab network.
# Servers: preferredServerList (10.1.2.10) is tried before defaultServerList
# (10.1.2.250).
dn: cn=Solaris_pam_ldap,ou=Profile,ou=Posix,dc=someorg
cn: Solaris_pam_ldap
objectClass: DUAConfigProfile
objectClass: top
authenticationMethod: none
bindTimeLimit: 2
credentialLevel: anonymous
defaultSearchBase: ou=Posix,dc=someorg
defaultSearchScope: sub
followReferrals: TRUE
searchTimeLimit: 30
serviceAuthenticationMethod: pam_ldap:simple
serviceAuthenticationMethod: passwd-cmd:simple
preferredServerList: 10.1.2.10
defaultServerList: 10.1.2.250
profileTTL: 3600

# The profile step 6 actually uses. The proxy binds with tls:simple for NSS
# lookups, and pam_ldap / passwd-cmd bind as the user over TLS as well, so
# no password leaves the client in clear. Things to verify on deployment:
# - on the Solaris native client 'tls:' means LDAP over SSL on port 636
#   (not StartTLS on 389), so slapd has to listen on ldaps:// as well;
# - the server certificate is validated against the CA imported in step 5,
#   and the name the client connects to must match it: ldap.someorg from
#   preferredServerList, and the bare IP 10.1.2.10 from defaultServerList
#   (a certificate without that IP in its subject/SAN will make failover
#   to the second server fail);
# - followReferrals: TRUE lets the directory redirect the client to another
#   server; keep it only if every referred-to server is equally trusted.
dn: cn=Solaris_pam_ldap_tls,ou=Profile,ou=Posix,dc=someorg
bindTimeLimit: 2
cn: Solaris_pam_ldap_tls
defaultSearchBase: ou=Posix,dc=someorg
defaultSearchScope: sub
followReferrals: TRUE
objectClass: DUAConfigProfile
objectClass: top
searchTimeLimit: 30
serviceAuthenticationMethod: passwd-cmd:tls:simple
serviceAuthenticationMethod: pam_ldap:tls:simple
profileTTL: 3600
preferredServerList: ldap.someorg
credentialLevel: proxy
authenticationMethod: tls:simple
defaultServerList: 10.1.2.10

# Wildcard auto_home entry: every user's home is mounted from
# somehost:/home/<user> over NFSv3. Only takes effect once automount in
# nsswitch.ldap includes ldap (step 3 leaves it at 'files'). Whoever can
# write automountInformation controls what clients mount, so keep it
# read-only for the proxy DN.
dn: automountKey=*,automountMapName=auto_home,ou=Posix,dc=someorg
automountKey: *
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,vers=3 somehost:/home/&

3. Нужно поправить /etc/nsswitch.ldap (ldapclient init скопирует его поверх /etc/nsswitch.conf), например минималистичный вариант — из LDAP берутся только passwd, group и netgroup, остальное остаётся локальным:
# /etc/nsswitch.ldap, minimal variant. Only passwd, group and netgroup come
# from the directory; hosts/ipnodes stay on files+dns so the LDAP server's
# own name resolves without LDAP, and services/automount/etc. stay local,
# which limits what a spoofed or compromised directory can change on the
# client.
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:    files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# netgroup has no 'files' source on Solaris, hence ldap only.
netgroup:   ldap
# automount stays local; the auto_home/auto_master maps in the LDIF are
# unused until this line includes ldap.
automount:  files
aliases:    files
services:   files
printers:   user files
auth_attr:  files
prof_attr:  files
project:    files
tnrhtp:     files
tnrhdb:     files

4. Поправить /etc/pam.conf согласно System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) http://docs.sun.com/app/docs/doc/816-4556/schemas-111

5. Импортировать в NSS-базу клиента (/var/ldap) корневой сертификат того CA, которым подписан сертификат LDAP-сервера (сам сертификат сервера импортировать не нужно):
# Create the NSS certificate database the native LDAP client reads from
# /var/ldap. If certutil asks for a database password, check the Sun TLS
# setup guide before setting one: the client must open this DB unattended.
/usr/sfw/bin/certutil -N -d /var/ldap
# Import the CA certificate (PEM, hence -a) that issued the server cert.
# Trust flags CT: C = trusted CA for SSL server certificates, T = trusted
# CA for client authentication. Import the issuing CA only, not the
# server's own certificate.
/usr/sfw/bin/certutil -A -n "ca-cert" -i /tmp/root.pem -a -t CT -d /var/ldap
# World-readable so unprivileged consumers (pam_ldap, nscd) can open it;
# the DB only holds the public CA certificate here, no private key.
chmod 444 /var/ldap/*.db

6. Включить использование LDAP — инициализировать клиент по профилю Solaris_pam_ldap_tls:
# Initialise the client from the Solaris_pam_ldap_tls profile. Notes:
# - domainName must equal the nisDomain attribute on ou=Posix (someorg);
# - proxyPassword on the command line ends up in the shell history and is
#   visible to other users via ps while ldapclient runs; ldapclient also
#   stores it under /var/ldap on every client, so keep that directory
#   root-only and use a real password ('solaris' is a placeholder at best);
# - the last argument is the bootstrap server the profile is fetched from;
#   'ldap.ot.by' looks like the real host left over from anonymisation --
#   everywhere else the example uses ldap.someorg.
ldapclient -v init -a profileName=Solaris_pam_ldap_tls -a domainName=someorg -a proxyDN="cn=Solaris,ou=Ldap,dc=someorg" -a proxyPassword="solaris" ldap.ot.by

Замечания:
a) При использовании профиля Solaris_pam_ldap_tls аутентификация пользователя выполняется LDAP bind'ом от его собственного имени (serviceAuthenticationMethod pam_ldap:tls:simple), т.е. пароль уходит на сервер только внутри TLS. Профиль Solaris_pam_ldap делает то же самое простым bind без TLS — пароль передаётся по сети открытым текстом, поэтому он годится только для изолированной тестовой сети.
b) Используются два (мастер/слэйв) сервера — ldap.someorg и 10.1.2.10. Для профиля с tls:simple проверьте, что сертификат каждого из них выпущен CA, импортированным на шаге 5, и соответствует тому имени, по которому клиент к нему обращается (ldap.someorg из preferredServerList и IP-адрес 10.1.2.10 из defaultServerList) — иначе переключение на резервный сервер упрётся в проверку сертификата.
c) Т.к. используется LDAP bind, то cn=Solaris,ou=Ldap,dc=someorg не нужны какие-то дополнительные права (на чтение userPassword и т.д.) — достаточно тех же прав, что и анонимному клиенту. Оговорки: это верно только пока аутентификация идёт через pam_ldap; при переходе на pam_unix_auth (сверка пароля с userPassword, полученным через NSS) прокси-DN понадобится право читать userPassword, и он станет чувствительной учётной записью. Если же анонимное чтение на сервере закрыто (что обычно и нужно), прокси-DN должен иметь ACL на чтение поддерева ou=Posix, но без userPassword. Пароль прокси хранится на каждом клиенте в /var/ldap, поэтому задайте ему нетривиальное значение (в примере — «solaris») и ограничьте этот DN только чтением.

 

Ваше сообщение
Имя*:
EMail:
Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:
  Введите код, изображенный на картинке: КОД
 
При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру