Monday Jun 16, 2008

Anonymous access and Solaris native-ldap clients


Since anonymous access to an entire Directory tree can be a security risk, this blog posting clarifies exactly what anonymous access is required by Solaris native-ldap clients.

When Solaris native-ldap clients are initialized, they require anonymous access to the Sun Java Directory Server's baseDN entry and to the ou=profile container. The following ACIs configure that access.

The baseDN:

(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)

For a more restrictive configuration, this ACI can be modified to allow anonymous access only to the nisDomain attribute:

(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)

The profile container:

(target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)

For a more restrictive configuration, this ACI can be modified to allow anonymous access only to the proxyagent user object:

(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)
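As an added example (not code from the original post), the following Python script parses ACI strings of the form shown above and flags anonymous grants that go beyond the read, compare and search rights a native-ldap client needs, or that expose every attribute of a whole subtree to anyone. The ACI strings embedded in it are constructed from the post's examples plus one deliberately over-permissive variant; the regular expressions cover only the ACI syntax shown on this page, not the full Directory Server ACI grammar.

```python
import re

# Rights a native-ldap client needs for its anonymous lookups (per the post).
READ_ONLY_RIGHTS = {"read", "compare", "search"}

# Constructed sample input: the ACIs quoted in the post, plus (last entry) an
# over-permissive variant that grants every right to anyone.
SAMPLE_ACIS = [
    '(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") '
    '(version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) '
    '(userdn = "ldap:///anyone") ;)',
    '(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") '
    '(version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) '
    '(userdn = "ldap:///anyone") ;)',
    '(target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) '
    '(targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read,compare,search) '
    '(userdn = "ldap:///anyone") ;)',
    '(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) '
    '(targetattr="*") (version 3.0; acl "anonymousProfileBroad"; allow (all) '
    '(userdn = "ldap:///anyone") ;)',
]


def _field(aci, pattern):
    """Return the first capture group of pattern in aci, or None."""
    m = re.search(pattern, aci, re.IGNORECASE)
    return m.group(1).strip() if m else None


def parse_aci(aci):
    """Extract the fields an access review needs from one ACI string."""
    rights_match = re.search(r'\b(allow|deny)\s*\(([^)]*)\)', aci, re.IGNORECASE)
    permission, rights = None, set()
    if rights_match:
        permission = rights_match.group(1).lower()
        rights = {r.strip().lower() for r in rights_match.group(2).split(",") if r.strip()}
    return {
        # target may be written with or without surrounding quotes
        "target": _field(aci, r'\(target\s*=\s*"?(ldap:///[^")]*)"?\s*\)'),
        "targetscope": (_field(aci, r'\(targetscope\s*=\s*(\w+)\s*\)') or "").lower(),
        "targetattr": _field(aci, r'\(targetattr\s*=\s*"([^"]*)"\s*\)'),
        "acl": _field(aci, r'acl\s+"([^"]*)"'),
        "permission": permission,
        "rights": rights,
        "userdn": (_field(aci, r'userdn\s*=\s*"([^"]*)"') or "").lower(),
    }


def audit_aci(aci):
    """Return (severity, message) findings for anonymous grants that exceed
    what a native-ldap client needs. Non-anonymous ACIs produce no findings."""
    a = parse_aci(aci)
    findings = []
    if a["permission"] != "allow" or a["userdn"] != "ldap:///anyone":
        return findings
    extra = a["rights"] - READ_ONLY_RIGHTS
    if extra:
        findings.append(("high", f'{a["acl"]}: anonymous users get {sorted(extra)} on {a["target"]}'))
    if a["targetattr"] == "*" and a["targetscope"] == "subtree":
        findings.append(("info", f'{a["acl"]}: anonymous read of every attribute under '
                                 f'{a["target"]}; consider narrowing targetattr or target'))
    return findings


def audit(acis):
    """Audit a list of ACI strings; findings are returned in input order."""
    return [finding for aci in acis for finding in audit_aci(aci)]


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_ACIS):
        print(f"[{severity}] {message}")
```

Run against the sample, the two baseDN ACIs produce no findings (base scope, read-only rights), the subtree profile ACI produces an informational finding, and the variant granting all rights to anyone is reported as high. Feed it the output of an `ldapsearch` for the `aci` attribute to review a live server's anonymous exposure.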

When a native-ldap client is initialized, the access required is visible in the session below:

  • The findBaseDN lines show the client searching for, and finding, the baseDN (a nisDomainObject search across the server's naming contexts).

  • The Proxy DN and Proxy Bind Password lines show the client searching for the profile; the prompt for the password indicates the profile was found and read successfully.

# ./init_client.sh
Parsing domainName=example.com
Parsing profileName=exampleprofile
Parsing proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com
Arguments parsed:
domainName: example.com
proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
profileName: exampleprofile
defaultServerList: 10.100.1.1
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"
rootDN[0] cn=changelog
NOTFOUND:Could not find the nisDomainObject for DN cn=changelog
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"
rootDN[1] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: NULL
Credential level: 1
Authentication method: 3
credentialLevel requires proxyPassword
Proxy Bind Password:
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
ldap not running
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured

References

Sun Directory Server and native-ldap clients

Setup LDAP client

ACIs - Access Control Instructions - Management

ACIs - Access Control Instruction - Reference

Monday Jan 07, 2008

Patches required to enable Solaris servers and workstations to migrate to native-ldap clients


Notes:

  1. The tables below list patches required to allow Solaris SPARC servers and workstations to migrate to native-ldap clients. (The equivalent x86 patch is available on the download links below).

  2. The patch column contains a number which references the patch to install. The number is hyperlinked to http://sunsolve.sun.com to enable patch downloads. The links are current as of January 8th, 2008.

  3. IMPORTANT: Solaris patches are revised and replaced by newer patches. The links in the patch column may not resolve to the latest available patch. Read the patch notes carefully, be aware of obsoleted patches, and download the newer patch.


Solaris 10 patches

Install the SUNWnisu package from the Solaris 10 DVD before installing the patches.

Order  Patch                Prerequisite patch
1      119213 (NSS patch)   n/a
2      119042               n/a
3      119963               n/a
4      119574               n/a
5      119578               n/a
6      126419               n/a
7      118918               n/a
8      120900               n/a
9      125547               n/a
10     125378               n/a
11     121133               120900
12     126538               119042
13     119254               121133
14     118833               118918, 119042, 119578, 119254
15     120272               119042, 126538, 118833
16     126897               119578
17     122640               118833
18     125503               118833, 118918, 119042, 119574, 119578, 120272, 120900, 121133, 126538, 122640, 126897
19     125369               118833, 119578, 126897
20     120011               119574, 126538, 122640, 125369, 125503, 125547, 126419, 126897



Solaris 9 patches

Order  Patch                Prerequisite patch
1      119211 (NSS patch)   n/a
2      112233               n/a
3      112874               112233
4      112960               112874

Solaris 8 patches

Order  Patch                Prerequisite patch
1      119209 (NSS patch)   n/a
2      111310               n/a
3      111111               n/a
4      112936               n/a
5      116602               n/a
6      115827               n/a
7      113648               n/a
8      111317               n/a
9      111023               n/a
10     110386               n/a
11     108987               112936
12     108528               108987, 111111, 111310
13     108989               108528
14     128624               108528, 108989, 110386, 111023, 111317, 113648, 115827, 116602
15     108993               108528, 108989, 110386, 111023, 111317, 113648, 115827, 116602
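As an added example (not from the original post), the following Python script takes the Solaris 10 table above as data and checks two things a practitioner wants before running a patch sequence: that every prerequisite is present in the table and listed earlier in the order column, and what a valid installation sequence looks like when derived from the prerequisite graph alone (Kahn's topological sort, ties broken by the table's order). The patch numbers and prerequisites are copied from the table; the Solaris 9 and 8 tables can be fed to the same functions in the same shape.

```python
# The Solaris 10 table from the post as (order, patch, prerequisites).
# "(NSS patch)" annotations are dropped so patches are plain number strings.
SOLARIS10 = [
    (1, "119213", []), (2, "119042", []), (3, "119963", []), (4, "119574", []),
    (5, "119578", []), (6, "126419", []), (7, "118918", []), (8, "120900", []),
    (9, "125547", []), (10, "125378", []),
    (11, "121133", ["120900"]),
    (12, "126538", ["119042"]),
    (13, "119254", ["121133"]),
    (14, "118833", ["118918", "119042", "119578", "119254"]),
    (15, "120272", ["119042", "126538", "118833"]),
    (16, "126897", ["119578"]),
    (17, "122640", ["118833"]),
    (18, "125503", ["118833", "118918", "119042", "119574", "119578", "120272",
                    "120900", "121133", "126538", "122640", "126897"]),
    (19, "125369", ["118833", "119578", "126897"]),
    (20, "120011", ["119574", "126538", "122640", "125369", "125503", "125547",
                    "126419", "126897"]),
]


def check_order(rows):
    """Return (patch, prerequisite) pairs where the prerequisite is missing
    from the table or would be installed after the patch that needs it."""
    position = {patch: order for order, patch, _ in rows}
    violations = []
    for order, patch, prereqs in rows:
        for p in prereqs:
            if p not in position or position[p] >= order:
                violations.append((patch, p))
    return violations


def install_order(rows):
    """Kahn's algorithm over the prerequisite graph. Among patches whose
    prerequisites are all installed, the lowest table order goes first.
    Raises ValueError for unknown prerequisites or a dependency cycle."""
    order_of = {patch: order for order, patch, _ in rows}
    remaining = {patch: set(prereqs) for _, patch, prereqs in rows}
    unknown = {p for prereqs in remaining.values() for p in prereqs} - set(remaining)
    if unknown:
        raise ValueError("prerequisites not in table: " + ", ".join(sorted(unknown)))

    dependents = {patch: [] for patch in remaining}
    for patch, prereqs in remaining.items():
        for p in prereqs:
            dependents[p].append(patch)

    ready = sorted((p for p, prereqs in remaining.items() if not prereqs), key=order_of.get)
    sequence = []
    while ready:
        patch = ready.pop(0)
        sequence.append(patch)
        for d in dependents[patch]:
            remaining[d].discard(patch)  # this prerequisite is now satisfied
            if not remaining[d]:
                ready.append(d)
        ready.sort(key=order_of.get)

    if len(sequence) != len(remaining):
        stuck = sorted(set(remaining) - set(sequence))
        raise ValueError("prerequisite cycle among: " + ", ".join(stuck))
    return sequence


if __name__ == "__main__":
    print("order violations:", check_order(SOLARIS10))
    print("install sequence:", " ".join(install_order(SOLARIS10)))
```

For the Solaris 10 table, check_order returns no violations and the derived sequence is exactly the order column of the table. Swapping two rows so a patch is listed before its prerequisite produces a violation, while install_order still returns a sequence that respects the prerequisites.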





About

Jonathan Gershater
