Knowledge Base : Solaris authentication vs OpenLDAP (MacOSX Server LDAP)

Tutorial on how to integrate Solaris 10 boxes into an Apple OpenDirectory authentication infrastructure

Edit /etc/nsswitch.ldap

hosts: dns [NOTFOUND=return] ldap files
ipnodes: dns [NOTFOUND=return] ldap files

Start resolver if not running

# svcadm enable svc:/network/dns/client:default

# ping borg.loopback.org
borg.loopback.org is alive

Generate the Kerberos host principal and keytab on the OD controller

borg:~ akira$ sudo kadmin.local
Password:
Authenticating as principal root/admin@BORG.LOOPBACK.ORG with password.

kadmin.local: addprinc -randkey host/test.loopback.org@BORG.LOOPBACK.ORG
WARNING: no policy specified for host/test.loopback.org@BORG.LOOPBACK.ORG; defaulting to no policy
Principal "host/test.loopback.org@BORG.LOOPBACK.ORG" created.

kadmin.local: ktadd -k /tmp/host.test.keytab host/test.loopback.org@BORG.LOOPBACK.ORG
Entry for principal host/test.loopback.org@BORG.LOOPBACK.ORG with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/host.test.keytab.
Entry for principal host/test.loopback.org@BORG.LOOPBACK.ORG with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/tmp/host.test.keytab.
Entry for principal host/test.loopback.org@BORG.LOOPBACK.ORG with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/host.test.keytab.

Copy keytab file to target host

borg# scp /tmp/host.test.keytab root@test:

Install Kerberos Conf and Keytab

borg# scp /Library/Preferences/edu.mit.Kerberos test:
test# mv edu.mit.Kerberos /etc/krb5/krb5.conf
test# mv host.test.keytab /etc/krb5/krb5.keytab

Run ldapclient

test# ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 -a proxyDN=uid=proxyagent,cn=users,dc=loopback,dc=org -a proxyPassword=XXX borg.loopback.org
System successfully configured

Run tests

# ldapsearch -h borg.loopback.org -b "cn=users,dc=loopback,dc=org" -o mech=gssapi -o authzid='' cn="Jan Schreiber" uidNumber
version: 1
dn: uid=jans,cn=users,dc=loopback,dc=org
uidNumber: 1234

# listusers
akira
...

Adjust home directory mountpoint

mkdir /Network
ln -s /net /Network/Servers

test# svcadm -v enable svc:/system/filesystem/autofs:default
svc:/system/filesystem/autofs:default enabled.


zion# svcs | grep auto
online 6:21:59 svc:/system/filesystem/autofs:default

Log in with ssh key

Adjust /etc/pam.conf for LDAP login

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1

passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1

other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy

Test with “login”
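
Added example, not part of the original tutorial: a small lint for the pam.conf pattern above, to run before testing logins. It assumes the policy shown in these stacks (pam_unix_auth, pam_unix_account and pam_passwd_auth are "binding ... server_policy" and a "required" pam_ldap.so.1 follows them); check_pam_ldap, sample_bad and sample_good are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed policy, taken from the
# stacks above: pam_unix_auth, pam_unix_account and pam_passwd_auth must be
# "binding ... server_policy" and be followed by a "required" pam_ldap.so.1.
# check_pam_ldap [FILE]: reads pam.conf text (FILE or stdin), prints findings,
# returns 0 when every stack matches and 1 otherwise.
check_pam_ldap() {
    awk '
    function close_stack() {      # stack ended while pam_ldap was still owed
        if (waiting != "") {
            printf "%s: %s is not followed by pam_ldap.so.1\n", stack, waiting
            bad = 1
        }
        waiting = ""
    }
    /^[ \t]*#/ || NF < 4 { next } # skip comments, blanks, malformed lines
    {
        key = $1 " " $2           # service + module type name one stack
        if (key != stack) { close_stack(); stack = key }
        if ($4 ~ /pam_(unix_auth|unix_account|passwd_auth)\.so/) {
            if ($3 != "binding" || $0 !~ /server_policy/) {
                printf "%s: %s needs binding + server_policy\n", key, $4
                bad = 1
            }
            waiting = $4
        } else if ($4 ~ /pam_ldap\.so/ && waiting != "") {
            if ($3 != "required") {
                printf "%s: pam_ldap.so.1 should be required\n", key
                bad = 1
            }
            waiting = ""
        }
    }
    END { close_stack(); exit bad + 0 }
    ' "$@"
}
# Constructed sample: LDAP was never wired into these stacks.
sample_bad() {
    printf '%s\n' \
        'other auth requisite pam_authtok_get.so.1' \
        'other auth required pam_unix_auth.so.1' \
        'other account binding pam_unix_account.so.1 server_policy'
}
# Shortened copy of the login auth stack from this page.
sample_good() {
    printf '%s\n' 'login auth binding pam_unix_auth.so.1 server_policy' \
        'login auth required pam_ldap.so.1'
}
sample_bad | check_pam_ldap || echo "pam.conf does not match the LDAP pattern"
```

On the Solaris 10 host itself, run the awk part with nawk or /usr/xpg4/bin/awk, because /usr/bin/awk has no user-defined functions. Call it as "check_pam_ldap /etc/pam.conf".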

References

http://discussions.apple.com/thread.jspa?threadID=382600

Appendix

Addendum: Make sure the clocks are in sync on all systems; Kerberos authentication fails when they drift apart.

Configuration in LDAP without Kerberos

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=none -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 borg.loopback.org

Configuration without proxy

test# ldapclient manual -a credentialLevel=self -a authenticationMethod=sasl/gssapi -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 borg.loopback.org
System successfully configured

With this, directory information is visible (“getent passwd”), but login does not work (except with ssh/key).