Hello,
I've changed the default aci for my userRoot directory (dc=sunny,dc=de)
for Anonymous access, from granting access to all users to the proxy
user only. (To prevent everyone from reading my directory)
Unfortunately now I'm not able to set up a client with the ldapclient
init command shown below anymore.
According to the logs in the access file of the ldap server, the client
is still trying to connect and download the profile via anonymous user.
So, how can I force the ldapclient init command to use the proxy account
to set up the client host?
As I found out, it is only a matter of the setup; once set up, the
refresh of the profile runs fine, because the client connects to the
server and binds to proxyagent. But it doesn't do this for the setup :-((
Thank you
Wolfgang
Here's the command:
ldapclient init -a proxypassword=proxy -a profileName=default \
-a proxydn=cn=proxyagent,ou=profile,dc=sunny,dc=de \
-a domainname=sunny.de 192.168.230.35
And here is the output:
Parsing proxydn=cn=proxyagent,ou=profile,dc=sunny,dc=de
Parsing proxypassword=proxy
Parsing profileName=default
Parsing domainname=sunny.de
Arguments parsed:
domainName: sunny.de
proxyDN: cn=proxyagent,ou=profile,dc=sunny,dc=de
profileName: default
proxyPassword: proxy
defaultServerList: 192.168.230.35
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL,
"(&(objectclass=nisDomainObject)(nisdomain=sunny.de))"
rootDN[0] dc=sunny,dc=de
NOTFOUND:Could not find the nisDomainObject for DN dc=sunny,dc=de
findBaseDN: __ns_ldap_list(NULL,
"(&(objectclass=nisDomainObject)(nisdomain=sunny.de))"
rootDN[1] o=NetscapeRoot
NOTFOUND:Could not find the nisDomainObject for DN o=NetscapeRoot
found_cxt = -1
findBaseDN: Err exit
Failed to find defaultSearchBase for domain sunny.de
#
wolfgang.mair (5) | 5/10/2004 10:21:28 AM
Wolfgang Mair wrote:
> [original message quoted in full; see above]
Can't help you, from my experience you need to grant anon access, but to
the configuration profile only. So you should add another ACI granting
anon access to the container with objectclass=nisDomainObject, the
ou=Profile container below that, and all profiles below that. For
Solaris 8 and patch 108993 < 13 you can use this targetfilter:
(|(objectClass=nisDomainObject)(ou=Profile)(objectClass=SolarisNamingProfile))
and for Solaris 8 with patch 108993 >14, Solaris 9 etc. you can use:
(|(objectClass=nisDomainObject)(ou=Profile)(objectClass=DUAConfigProfile))
This will only grant anon access to the data needed to install clients.
Another option is to install on 1 machine, and copy the files
/etc/nsswitch.conf, /etc/pam.conf, /var/ldap/ldap_client_file and
/var/ldap/ldap_client_cred to the machine you're doing a new install on.
You probably only need to adjust some values in
/var/ldap/ldap_client_cred and/or /var/ldap/ldap_client_file. Start
ldap_cachemgr and restart nscd to check, reboot to really activate.
HTH, Erik
P.S. I don't recommend the above with Sol8/patch108993<13 as this exposed
the (encrypted) password of the proxy-agent to anon access. With patch
108993 > 14 and the DUA Config profiles the profiles don't contain the
password anymore.
--
---------------------------------------------------------------------------
Erik C.J. Laan elaan at dds.nl
Please reply below the message, please cut unrelevant pieces from a reply.
---------------------------------------------------------------------------
Erik | 5/10/2004 7:19:33 PM
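Added example (not code from either post): the ACI Erik describes, written as an LDIF modify against the suffix from Wolfgang's command, so the client can find the nisDomainObject and download the profile anonymously while the rest of dc=sunny,dc=de stays restricted to the proxy user. The ACI name, the exclusion of userPassword and the Sun/Netscape ACI syntax are my assumptions; the two targetfilter variants are the ones Erik gives.

```ldif
# Apply with: ldapmodify -h 192.168.230.35 -D "cn=Directory Manager" -w - -f profile-aci.ldif
# (host from the original post; the bind DN is an assumption)
dn: dc=sunny,dc=de
changetype: modify
add: aci
# targetfilter is evaluated per entry: it matches the entry that carries
# nisDomainObject (the suffix), the ou=Profile container itself, and the
# DUAConfigProfile entries below it. It does NOT match
# cn=proxyagent,ou=profile,dc=sunny,dc=de, so the proxy account stays hidden.
# Excluding userPassword is a defence-in-depth assumption, not something
# ldapclient needs.
aci: (targetfilter="(|(objectClass=nisDomainObject)(ou=Profile)(objectClass=DUAConfigProfile))")
  (targetattr!="userPassword")
  (version 3.0; acl "Anonymous read of Solaris client profiles";
  allow (read,search,compare) userdn="ldap:///anyone";)
#
# Solaris 8 with patch 108993 < 13 uses SolarisNamingProfile instead:
#   (|(objectClass=nisDomainObject)(ou=Profile)(objectClass=SolarisNamingProfile))
# As Erik notes, those old profiles still carry the proxy agent's password,
# so granting anonymous read to them exposes it; prefer DUAConfigProfile.
#
# Verify from the client, unauthenticated, that only the profile data is
# visible (the proxyagent entry must not appear):
#   ldapsearch -h 192.168.230.35 -b dc=sunny,dc=de "(nisdomain=sunny.de)"
#   ldapsearch -h 192.168.230.35 -b ou=profile,dc=sunny,dc=de "(cn=default)"
#   ldapsearch -h 192.168.230.35 -b dc=sunny,dc=de "(cn=proxyagent)"
```

The last search should return nothing for an anonymous bind once the ACI is in place; if it returns the proxyagent entry, another ACI is granting wider anonymous access than intended.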