Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 815533
Please update the Solaris 10 LDAP client documentation to use a DUA profile with ldapclient instead of a manual installation. Using a DUAProfile is easier both for installing and maintaining the Solaris clients, as they will re-read configuration from the DUA profile periodically. See BZ #815515 for an updated DUA config profile.

The documentation could state two examples, for configuring an authenticated and secured bind and for configuring anonymous binds:

LDAP configuration, anonymous bind using DUA profile "default".

    solarishost $ ldapclient -v init \
        -a profileName=default \
        ipaserver.example.com

LDAP configuration, authenticated and secured bind. Requires a new default DUA profile named "default_secure". See BZ #815515 for details of a DUA profile example.

Create NSS DB (Don't enter password. Just hit return):

    ipaserver $ certutil -N -d /var/ldap

Convert the IPA certificate to PEM format:

    ipaserver $ openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem

Add CA certificate to the NSS DB:

    ipaserver $ certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap

Copy the *.db files from /var/ldap/ on the ipa server to /var/ldap on the Solaris host:

    solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
    solarishost $ chmod 444 /var/ldap/*.db

Create an account to use for authentication:

    ipaserver $ ldapmodify -a -h ipaserver -D "cn=Directory Manager" -W
    dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
    objectClass: account
    objectClass: simpleSecurityObject
    objectClass: top
    uid: solaris
    userPassword: setapasswordplease

Run ldapclient:

    $ ldapclient -v init \
        -a profileName=default_secure \
        -a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
        -a proxyPassword="setapasswordplease" \
        -D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
        -w setapasswordplease \
        ipaserver.example.com

The -D and -w options are required, as the nisdomainobject won't be available to the ldapclient script when the 389-ds LDAP server is set to not allow anonymous bind, even when 389-ds is configured to allow anonymous bind to read the rootDSE. The -D and -w options were added in a fairly recent Solaris patch set.

Kerberos client setup: Keep the existing sections 3 and 4, but add the following:

Verify that the pkcs11_softtoken_extra.so provider has been installed and enabled for AES256 support:

    solarishost $ cryptoadm list

If pkcs11_softtoken_extra.so is missing, use the "-e" option with ipa-getkeytab to limit the encryption type to aes128, or install and enable the provider. See the Solaris documentation for details.

Add the host to the IPA server and request a keytab for the host:

    ipaserver $ ipa host-add solarishost.example.com
    ipaserver $ ipa-getkeytab -s ipaserver -p host/solarishost.example.com -k /tmp/solarishost.keytab

Copy the keytab to /etc/krb5/krb5.keytab on the Solaris client:

    solarishost $ scp ipaserver:/tmp/solarishost.keytab /etc/krb5/krb5.keytab

Make sure it's secured:

    solarishost $ chmod 600 /etc/krb5/krb5.keytab

PAM setup: Keep the existing step 5.
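As an added example (not part of the ticket and not FreeIPA project code), the client-side steps of the procedure above collected into a POSIX sh script. It goes slightly beyond the ticket text in two places: it chooses the ipa-getkeytab enctype list from the output of `cryptoadm list` (AES-256 only when pkcs11_softtoken_extra.so is present, AES-128 otherwise) and it verifies the file modes the ticket asks for. The server name, base DN, account name, password and the sample cryptoadm output are placeholders or constructed for illustration; commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the ticket or FreeIPA): Solaris 10 IPA client
# enrolment helper following the steps in the ticket above.
# IPA_SERVER, BASE_DN, PROXY_UID and PROXY_PW are assumed placeholders.
# DRY_RUN=1 (default) prints the commands instead of running them.

IPA_SERVER=${IPA_SERVER:-ipaserver.example.com}
BASE_DN=${BASE_DN:-dc=example,dc=com}
PROXY_UID=${PROXY_UID:-solaris}
PROXY_PW=${PROXY_PW:-setapasswordplease}   # read it from a mode-600 file in real use
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# LDIF for the bind/proxy system account the ticket creates with `ldapmodify -a`.
# $1 = uid, $2 = base DN, $3 = password
sysaccount_ldif() {
    printf 'dn: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$2"
    printf 'objectClass: account\nobjectClass: simpleSecurityObject\nobjectClass: top\n'
    printf 'uid: %s\nuserPassword: %s\n' "$1" "$3"
}

# Enctypes to request with `ipa-getkeytab -e`, given the text of `cryptoadm list`:
# AES-256 needs pkcs11_softtoken_extra.so; without it restrict the keytab to AES-128
# so the client never holds a key it cannot use.
choose_enctype() {
    if printf '%s\n' "$1" | grep -q 'pkcs11_softtoken_extra\.so'; then
        echo 'aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96'
    else
        echo 'aes128-cts-hmac-sha1-96'
    fi
}

# Compare the ls(1) permission string of a path (Solaris 10 has no stat(1)).
# $1 = path, $2 = expected string such as -rw-------
check_perms() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]
}

# Client-side enrolment. $1 = client FQDN, $2 = output of `cryptoadm list`
solaris_ipa_enrol() {
    host=$1
    enctypes=$(choose_enctype "$2")
    proxy_dn="uid=$PROXY_UID,cn=sysaccounts,cn=etc,$BASE_DN"

    # 1. Trust store: the NSS DB built on the IPA server, read-only for everyone.
    run scp "$IPA_SERVER:/var/ldap/*.db" /var/ldap/
    run chmod 444 /var/ldap/cert8.db /var/ldap/key3.db /var/ldap/secmod.db
    for f in /var/ldap/cert8.db /var/ldap/key3.db /var/ldap/secmod.db; do
        [ "$DRY_RUN" = 1 ] || check_perms "$f" '-r--r--r--' || { echo "bad mode on $f" >&2; return 1; }
    done

    # 2. LDAP client from the DUA profile. -D/-w are needed because the
    #    nisdomainobject is not readable by an anonymous bind. As in the ticket,
    #    the password is passed in argv and is visible in ps while ldapclient runs.
    run ldapclient -v init \
        -a profileName=default_secure \
        -a proxyDN="$proxy_dn" \
        -a proxyPassword="$PROXY_PW" \
        -D "$proxy_dn" -w "$PROXY_PW" \
        "$IPA_SERVER"

    # 3. Host keytab: created on the IPA server (needs an admin ticket there),
    #    copied over and locked down to root only.
    run ssh "$IPA_SERVER" ipa host-add "$host"
    run ssh "$IPA_SERVER" ipa-getkeytab -s "$IPA_SERVER" -p "host/$host" \
        -e "$enctypes" -k "/tmp/$host.keytab"
    run scp "$IPA_SERVER:/tmp/$host.keytab" /etc/krb5/krb5.keytab
    run chmod 600 /etc/krb5/krb5.keytab
    [ "$DRY_RUN" = 1 ] || check_perms /etc/krb5/krb5.keytab '-rw-------'
}

case "${1:-}" in
    enrol) solaris_ipa_enrol "${2:-solarishost.example.com}" "$(cryptoadm list)" ;;
    ldif)  sysaccount_ldif "$PROXY_UID" "$BASE_DN" "$PROXY_PW" ;;
esac
```

Usage: `sh enrol.sh ldif | ldapmodify -a -h ipaserver -D "cn=Directory Manager" -W` on the IPA server creates the bind account; `DRY_RUN=0 sh enrol.sh enrol solarishost.example.com` on the Solaris host performs the client steps, and the default dry run only prints them.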
attachment freeipa-rga-0014-DOC-Update-Solaris-client-documentation.patch
Patch posted for review
Just for reference, the patch is posted in this thread. https://www.redhat.com/archives/freeipa-devel/2014-April/msg00286.html
FreeIPA project no longer actively maintains an upstream guide (see details). This ticket is already cloned to the RHEL downstream guide, so the issue should be fixed at least there. Closing the upstream ticket.
I will send the reference to rga's patch to the downstream Bugzilla though - thank you!
Follow up ticket: #4633
Metadata Update from @mkosek: - Issue assigned to rga - Issue set to the milestone: FreeIPA 3.x Documentation