Some time ago i was asked to provide a walktrough for the configuration of LDAP in Solaris 11. It’s a walkthrough how to set up LDAP name services for Solaris 11 including the LDAP server.
It’s absolutely paramount that the resolving names in DNS is working perfectly. In both directions. If this isn’t the case either the automated setup tools will not work or the configuration created by them will not work or creates hard to find errors. So please ensure that all lookups are working and deliver consistent data (Sidenote: I was driving more than once to a customer for a problem that proved at the end as a really suble problem in DNS)
Creating the LDAP Server certificate
You need some properly signed certificates. I’m using my own CA for this based on easyRSA. I don’t use the ones generated by the openldap configuration process as this explains the necessary steps if you use certificates of your own CA.
I will use the easy-rsa toolset for it. In my case it was on a different system. I’m quite opinionated that a CA doesn’t have any place on a normal server but should be on a specially protected server or a notebook in a safe. But that’s a different story.
Now we build the CA environment.
At last we create the certificate and key for the ldap server
I will copy them to a different location to make the next commands a little bit shorter ;)
You can’t use the certificate in it’s current form. You have to create .pem files out of them.
Now we copy them over to LDAP server.
To validate the certificates you need the certicate of your CA on the clients as well. Repeat the next step on all clients you want to integrate.
Configuring the LDAP-Server
At first you have to install the LDAP server.
For the next step you have to change into the openldap user. It will not work as root. You can omit the -d 2 option, but it gives you a good overview what the tool is actually doing.
The first thing we are doing with our new LDAP server is deactivating it.
Now we copy it to the other preexisting certificates.
Now we copy the cerficates and keys for use by the OpenLDAP server.
Now we can reenable it.
You should be able to connect to LDAP and see the proper certificates in use.
On each client
At first we have to integraate the certificate of our own CA into Solaris. The mechanism is explained here
Now we use the ldapclient command to do the setup of the clients. The -vvvvv is not nescessary, but it gives you a pretty good overview what the heck the system is doing while setting this up.
With getent you should now see the users in files as well as in LDAP.
If you don’t have any users in your LDAP you won’t see any addtional users in your system. however with -s ldap with useradm, useradd or similar tools you can create, delete or modify users in LDAP and afterwards you should see them with getent passwd.
I would suggest now to to ensure that the name service switch is set to files dns:
I’m not a fan of putting host information into LDAP, but if it’s differently in your environment, you can insert ldap into the config/host line.
If you won’t see any users in LDAP (or if adding doesn’t work) it’s almost universally a problem with the TLS connection. Please ensure:
That your DNS is properly configured.
That you use the name in the certifcate the system is actually resolving to.
At the end i would like you to point you to this great blog entry by Todd A. Cox explaining this in much more broadness like setting up replication, ILB, making the ILB HA with VRRP … all the things you should consider when doing this in production.