Tutorial on how to integrate Solaris 10 boxes into Apple OpenDirectory authentication infrastructure
Edit /etc/nsswitch.ldap (ldapclient installs this file as /etc/nsswitch.conf)
hosts: dns NOTFOUND=return ldap files
ipnodes: dns NOTFOUND=return ldap files
Start resolver if not running
svcadm enable svc:/network/dns/client:default
- ping borg.loopback.org
borg.loopback.org is alive
Generate Kerberos init on OD controller
borg:~ akira$ sudo kadmin.local
Password:
Authenticating as principal root/admin@BORG.LOOPBACK.ORG with password.
kadmin.local: addprinc -randkey host/test.loopback.org@BORG.LOOPBACK.ORG
WARNING: no policy specified for host/test.loopback.org@BORG.LOOPBACK.ORG; defaulting to no policy
Principal "host/test.loopback.org@BORG.LOOPBACK.ORG" created.
kadmin.local: ktadd -k /tmp/host.test.keytab host/test.loopback.org@BORG.LOOPBACK.ORG
Entry for principal host/test.loopback.org@BORG.LOOPBACK.ORG with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/host.test.keytab.
Entry for principal host/test.loopback.org@BORG.LOOPBACK.ORG with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/tmp/host.test.keytab.
Entry for principal host/test.loopback.org@BORG.LOOPBACK.ORG with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/host.test.keytab.
Copy keytab file to target host
borg# scp /tmp/host.test.keytab root@test:
Install Kerberos Conf and Keytab
borg# scp /Library/Preferences/edu.mit.Kerberos test:
test# mv edu.mit.Kerberos /etc/krb5/krb5.conf
test# mv host.test.keytab /etc/krb5/krb5.keytab
Run LdapClient
test# ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 -a proxyDN=uid=proxyagent,cn=users,dc=loopback,dc=org -a proxyPassword=XXX borg.loopback.org
System successfully configured
Run tests
- ldapsearch -h borg.loopback.org -b "cn=users,dc=loopback,dc=org" -o mech=gssapi -o authzid='' cn="Jan Schreiber" uidNumber
version: 1
dn: uid=jans,cn=users,dc=loopback,dc=org
uidNumber: 1234
- listusers
akira
...
Adjust home directory mountpoint
- mkdir /Network
- ln -s /net /Network/Servers
test# svcadm -v enable svc:/system/filesystem/autofs:default
svc:/system/filesystem/autofs:default enabled.
zion# svcs | grep auto
online 6:21:59 svc:/system/filesystem/autofs:default
Log in with ssh key
Adjust /etc/pam.conf for LDAP login
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
Test with "login"
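Before testing with "login", it is worth checking the pam.conf stack mechanically. The script below is an added example, not part of the original tutorial: it checks that, for a given service and type, pam.conf stacks a pam_unix_* module as "binding ... server_policy" and then "required pam_ldap.so.1" after it, which is the combination the stacks above rely on. It assumes the classic four-column pam.conf layout (service type control module [options]); the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the LDAP login stack
# in a Solaris 10 style /etc/pam.conf. Assumes the four-column layout
# "service type control module [options]".

# pam_stack_ok FILE SERVICE TYPE
# Exit 0 when SERVICE/TYPE has "binding pam_unix_*.so.1 ... server_policy"
# followed later by "required pam_ldap.so.1"; exit 1 otherwise.
pam_stack_ok() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || NF < 4 { next }        # skip comments and short lines
        $1 == svc && $2 == typ {
            if ($3 == "binding" && $4 ~ /^pam_unix_/ && $0 ~ /server_policy/) bind = NR
            if ($3 == "required" && $4 == "pam_ldap.so.1" && bind) ldap = NR
        }
        END { if (bind && ldap) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample mirroring the tutorial's login auth and account stacks.
write_sample_good() {
    cat > "$1" <<'EOF'
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
EOF
}

# Constructed sample of a stock stack: no server_policy and no pam_ldap,
# so users that exist only in the directory cannot authenticate.
write_sample_bad() {
    cat > "$1" <<'EOF'
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_auth.so.1
other account required pam_unix_account.so.1
EOF
}

# Usage on the live file:
# pam_stack_ok /etc/pam.conf login auth && echo "login auth: ok" || echo "login auth: pam_ldap missing"
```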
References
http://discussions.apple.com/thread.jspa?threadID=382600
Appendix
Addendum: make sure the clocks on all systems are in sync (Kerberos rejects requests outside its allowed clock skew)
Configuration in LDAP without Kerberos
ldapclient manual -a credentialLevel=proxy -a authenticationMethod=none -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 borg.loopback.org
Configuration without proxy
test# ldapclient manual -a credentialLevel=self -a authenticationMethod=sasl/gssapi -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 borg.loopback.org
System successfully configured
With this, directory information is visible ("getent passwd"), but login does not work (except with ssh/key).