Thursday, May 02, 2013

Setting up Oracle Solaris 11 with DHCP and LDAP


Someone asked me how to set up an LDAP client on Solaris when the host gets its address from DHCP. I thought it would be a simple answer, since Solaris comes with the Automatic network mode. The Automatic mode does a very good job and lets you configure a lot of settings, but its LDAP support is very limited.

Configuring LDAP When in Automatic Mode (Ref: from Managing Network Configuration When in Automatic Mode)
"Automatic network configuration mode provides limited support for LDAP. Only LDAP anonymous mode works when in automatic mode. If you want to use an LDAP proxy or LDAP self modes and some form of security credentials you must first enable the DefaultFixed profile and manually configure your network. For instructions, see Chapter 12, Setting Up LDAP Clients (Tasks), in Oracle Solaris Administration: Naming and Directory Services."

So, here is a little step by step guide:

Some good references:
Switch off Automatic Network mode.
# netadm enable -p ncp DefaultFixed
# /usr/sbin/netadm list
TYPE        PROFILE        STATE
ncp         Automatic      disabled
ncp         DefaultFixed   online
loc         NoNet          offline
loc         Automatic      offline
loc         DefaultFixed   online
Create the IP interfaces (for example net0)
# dladm show-phys
LINK       MEDIA         STATE    SPEED  DUPLEX    DEVICE
net0       Ethernet      unknown  1000   full      e1000g0

# ipadm create-ip net0
# ipadm show-if
IFNAME     CLASS      STATE      ACTIVE      OVER
lo0        loopback   ok         yes         ---
net0       ip         down       no          ---
The following sets up a DHCP address on net0. The "-h my-host" option specifies the hostname which the client would like the DHCP server to map to the client's leased IPv4 address. This is not required, but it helped in my DNS/DHCP setup.
# ipadm create-addr -T dhcp -h my-host net0/v4
# ipadm show-if
IFNAME     CLASS    STATE    ACTIVE OVER
lo0        loopback ok       yes    --
net0       ip       ok       yes    --
You should now see a DHCP address appear.
# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           dhcp     ok           193.1.1.218/24
lo0/v6            static   ok           ::1/128
# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              193.61.29.245        UG        2         17 net0     
127.0.0.1            127.0.0.1            UH        2        186 lo0      
193.61.29.0          193.61.29.218        U         7       1020 net0     

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If  
--------------------------- --------------------------- ----- --- ------- -----
::1                         ::1                         UH      2       0 lo0  
You can also add an IPv6 address, but it is not required. The "-t" flag specifies that the configured address is temporary: the change applies only to the active configuration and will be lost after a reboot. I only add this as an example.
# ipadm create-addr -t -T addrconf  net0/v6
# /usr/sbin/ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           dhcp     ok           193.61.29.218/24
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::a00:27ff:fefd:319c/10
You can now set up your LDAP information.
The following is taken from a previous blog entry: Solaris 11 Authentication Login with Active Directory

# ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=srv_ldapproxy,cn=Users,dc=dcs,dc=bbk,dc=ac,dc=uk \
-a proxyPassword=ClearTextPassword \
-a defaultSearchBase=dc=dcs,dc=bbk,dc=ac,dc=uk \
-a domainName=DCS.BBK.AC.UK \
-a "defaultServerList=193.61.1.1,193.61.2.2" \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=description \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=dcs,dc=bbk,dc=ac,dc=uk?sub \
-a serviceSearchDescriptor=group:dc=dcs,dc=bbk,dc=ac,dc=uk?sub


# svccfg
svc:> select name-service/switch
svc:/system/name-service/switch>
setprop config/password = "files ldap"
setprop config/group = "files ldap"
setprop config/host = "files [SUCCESS=return] dns"
setprop config/network = "files"
setprop config/protocol = "files"
setprop config/rpc = "files"
setprop config/ether = "files"
setprop config/netmask = "files"
setprop config/bootparam = "files"
setprop config/publickey = "files"
setprop config/netgroup = "files"
setprop config/automount = "files ldap"
setprop config/alias = "files"
setprop config/service = "files"
setprop config/project = "files"
setprop config/auth_attr = "files"
setprop config/prof_attr = "files"
setprop config/tnrhtp = "files"
setprop config/tnrhdb = "files"
setprop config/printer = "user files"

svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/system/name-service/switch:default> exit

# svcadm restart svc:/milestone/name-services:default

# egrep "ldap|dns" /etc/nsswitch.conf
passwd:    files ldap
group:     files ldap
hosts:     files [SUCCESS=return] dns
ipnodes:   files [SUCCESS=return] dns
automount: files ldap

Now when the system is rebooted everything should stay the same.......
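As an added example (not part of the original post), here is a small POSIX sh script that checks the state each step above should leave behind: the DefaultFixed NCP online, a DHCP lease on net0, ldap listed in the passwd and group sources, and the ldapclient bind settings. It also flags the combination used above, credentialLevel=proxy with authenticationMethod=simple, because a simple bind sends the proxy password to the directory server unencrypted unless TLS is configured (tls:simple). On a live host the inputs would come from netadm list, ipadm show-addr, /etc/nsswitch.conf and ldapclient list; the copies below are constructed samples (with example.com and 192.0.2.x documentation addresses) so the script runs offline, and the NS_LDAP_* line format of ldapclient list is assumed from that command's output.

```shell
#!/bin/sh
# Added post-configuration checks for the DHCP + LDAP client setup; not a
# script from the original post. All inputs below are constructed samples.

# Constructed sample of `netadm list` output.
SAMPLE_NETADM='TYPE        PROFILE        STATE
ncp         Automatic      disabled
ncp         DefaultFixed   online
loc         DefaultFixed   online'

# Constructed sample of `ipadm show-addr` output.
SAMPLE_IPADM='ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           dhcp     ok           192.0.2.18/24
lo0/v6            static   ok           ::1/128'

# Constructed sample of /etc/nsswitch.conf.
SAMPLE_NSSWITCH='passwd:    files ldap
group:     files ldap
hosts:     files [SUCCESS=return] dns
netgroup:  files
automount: files ldap'

# Constructed sample of `ldapclient list` output (NS_LDAP_* format assumed).
SAMPLE_LDAPCLIENT='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_ldapproxy,cn=Users,dc=example,dc=com
NS_LDAP_SERVERS= 192.0.2.10, 192.0.2.11
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy'

# ncp_is_fixed NETADM_OUTPUT: succeed when the DefaultFixed NCP is online,
# i.e. Automatic mode has been switched off as in the first step.
ncp_is_fixed() {
    printf '%s\n' "$1" |
        awk '$1 == "ncp" && $2 == "DefaultFixed" && $3 == "online" { ok = 1 }
             END { exit !ok }'
}

# dhcp_addr_ok IFACE IPADM_OUTPUT: succeed when IFACE/v4 holds a DHCP lease
# in state "ok".
dhcp_addr_ok() {
    printf '%s\n' "$2" |
        awk -v obj="$1/v4" '$1 == obj && $2 == "dhcp" && $3 == "ok" { ok = 1 }
                            END { exit !ok }'
}

# nss_uses DATABASE SOURCE NSSWITCH_TEXT: succeed when the nsswitch database
# (passwd, group, hosts, ...) lists SOURCE among its lookup sources.
nss_uses() {
    printf '%s\n' "$3" |
        awk -v db="$1:" -v src="$2" '
            $1 == db { for (i = 2; i <= NF; i++) if ($i == src) ok = 1 }
            END { exit !ok }'
}

# ldap_value KEY LDAPCLIENT_OUTPUT: print the value of one NS_LDAP_* key.
ldap_value() {
    printf '%s\n' "$2" | awk -v key="$1=" '$1 == key { print $2; exit }'
}

# ldap_bind_in_clear LDAPCLIENT_OUTPUT: succeed (and warn) when the client
# binds with a proxy DN using the plain "simple" method; the proxy password
# then crosses the network unencrypted. "tls:simple" does not trigger it.
ldap_bind_in_clear() {
    level=$(ldap_value NS_LDAP_CREDENTIAL_LEVEL "$1")
    auth=$(ldap_value NS_LDAP_AUTH "$1")
    if [ "$level" = "proxy" ] && [ "$auth" = "simple" ]; then
        echo "WARN: proxy bind uses simple auth; proxy password is sent in clear text" >&2
        return 0
    fi
    return 1
}

# run_checks: run every check against the samples, print one line per check
# and return the number of checks that need attention.
run_checks() {
    fails=0
    ncp_is_fixed "$SAMPLE_NETADM"           && echo "PASS DefaultFixed online" || { echo "FAIL ncp";    fails=$((fails+1)); }
    dhcp_addr_ok net0 "$SAMPLE_IPADM"       && echo "PASS net0/v4 dhcp ok"    || { echo "FAIL dhcp";   fails=$((fails+1)); }
    nss_uses passwd ldap "$SAMPLE_NSSWITCH" && echo "PASS passwd uses ldap"   || { echo "FAIL passwd"; fails=$((fails+1)); }
    nss_uses group ldap "$SAMPLE_NSSWITCH"  && echo "PASS group uses ldap"    || { echo "FAIL group";  fails=$((fails+1)); }
    nss_uses hosts dns "$SAMPLE_NSSWITCH"   && echo "PASS hosts uses dns"     || { echo "FAIL hosts";  fails=$((fails+1)); }
    if ldap_bind_in_clear "$SAMPLE_LDAPCLIENT"; then fails=$((fails+1)); fi
    return $fails
}

if run_checks; then
    echo "all checks passed"
else
    echo "some checks need attention (see FAIL/WARN lines above)"
fi
```

To use it on a real host, replace the four SAMPLE_* variables with command substitutions of the live commands and files (for example NETADM=$(netadm list)); the check functions only read text, so they change nothing on the system.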
