Saturday Aug 08, 2015

OpenLDAP + TLS in Solaris 11

This blog post serves as a followup to Configuring a Basic LDAP Server + Client in Solaris 11. It covers creating self-signed certificates and enabling TLS for secure communication.

1) Create certificates
# mkdir /etc/openldap/certs
# cd /etc/openldap/certs
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout server.key -out server.crt
# chmod 400 server.*
# chown openldap:openldap server.*
2) Update slapd.conf
Add the following lines to the end of /etc/openldap/slapd.conf

TLSCACertificateFile /etc/certs/ca-certificates.crt
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
3) Restart LDAP server
# svcadm disable ldap/server
# svcadm enable ldap/server
That's it! Connect to your LDAP server on port 389.

Wednesday Jul 10, 2013

Solaris 11 IPoIB + IPMP

I recently needed to create a two port active:standby IPMP group to be served over Infiniband on Solaris 11. Wow that's a mouthful of terminology! Here's how I did it:

List available IB links

[root@adrenaline ~]# dladm show-ib
net5         21280001CF4C96  21280001CF4C97  1    up     FFFF
net6         21280001CF4C96  21280001CF4C98  2    up     FFFF
Partition the IB links. My pkey will be 8001.
[root@adrenaline ~]# dladm create-part -l net5 -P 0x8001 p8001.net5
[root@adrenaline ~]# dladm create-part -l net6 -P 0x8001 p8001.net6
[root@adrenaline ~]# dladm show-part
LINK         PKEY  OVER         STATE    FLAGS
p8001.net5   8001  net5         unknown  ----
p8001.net6   8001  net6         unknown  ----
Create test addresses for the newly created datalinks
[root@adrenaline ~]# ipadm create-ip p8001.net5
[root@adrenaline ~]# ipadm create-addr -T static -a p8001.net5/ipv4
[root@adrenaline ~]# ipadm create-ip p8001.net6
[root@adrenaline ~]# ipadm create-addr -T static -a p8001.net6/ipv4
[root@adrenaline ~]# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
p8001.net5/ipv4   static   ok 
p8001.net6/ipv4   static   ok 
Create an IPMP group and add the IB datalinks
[root@adrenaline ~]# ipadm create-ipmp ipmp0
[root@adrenaline ~]# ipadm add-ipmp -i p8001.net5 -i p8001.net6 ipmp0
Set one IB datalink to standby
[root@adrenaline ~]# ipadm set-ifprop -p standby=on -m ip p8001.net6
Assign an IP address to the IPMP group
[root@adrenaline ~]# ipadm create-addr -T static -a ipmp0/v4
That's it! Final checks:
[root@adrenaline ~]# ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
ipmp0             ipmp       ok           --         --
   ipmp0/v4       static     ok           --
p8001.net5        ip         ok           ipmp0      --
   p8001.net5/ipv4 static    ok           --
p8001.net6        ip         ok           ipmp0      --
   p8001.net6/ipv4 static    ok           --

[root@adrenaline ~]# ping is alive

Thursday Feb 21, 2013

Configuring a Basic LDAP Server + Client in Solaris 11

Configuring the Server
Solaris 11 ships with OpenLDAP to use as an LDAP server. To configure, you're going to need a simple slapd.conf file and an LDIF schema file to populate the database. First, let's look at the slapd.conf configuration:
# cat /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

pidfile         /var/openldap/run/
argsfile        /var/openldap/run/slapd.args

database        bdb
suffix          "dc=buford,dc=hillvalley"
rootdn          "cn=admin,dc=buford,dc=hillvalley"
rootpw          secret
directory       /var/openldap/openldap-data
index           objectClass     eq
You may want to change the lines suffix and rootdn to better represent your network naming schema. My LDAP server's hostname is buford and domain name is hillvalley. You will need to add additional domain components (dc=) if the name is longer. This schema assumes the LDAP manager will be called admin. Its password is 'secret'. This is in clear-text just as an example, but you can generate a new one using slappasswd:
[paulie@buford ~]$ slappasswd
New password: 
Re-enter new password: 
Replace 'secret' with the entire hash, {SSHA}MlyFaZxG6YIQ0d/Vw6fIGhAXZiaogk0G, for the rootpw line. Now, let's create a basic schema for my network.
# cat /etc/openldap/schema/hillvalley.ldif
dn: dc=buford,dc=hillvalley
objectClass: dcObject
objectClass: organization
o: bufford.hillvalley
dc: buford

dn: ou=groups,dc=buford,dc=hillvalley
objectCLass: top
objectClass: organizationalunit
ou: groups

dn: ou=users,dc=buford,dc=hillvalley
objectClass: top
objectClass: organizationalunit
ou: users

dn: cn=world,ou=groups,dc=buford,dc=hillvalley
objectClass: top
objectClass: posixGroup
cn: world
gidNumber: 1001

dn: uid=paulie,ou=users,dc=buford,dc=hillvalley
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Paul Johnson
uid: paulie
uidNumber: 1001
gidNumber: 1001
homeDirectory: /paulie/
loginShell: /usr/bin/bash
userPassword: secret
I've created a single group, world, and a single user, paulie. Both share the uid and gid of 1001. LDAP supports lots of additional variables for configuring a user and group account, but I've kept it basic in this example. Once again, be sure to change the domain components to match your network. Feel free to also change the user and group details. I've left the userPassword field in clear-text as 'secret'. The same slappasswd method above applies here as well. It's time to turn on the server, but first, let's change some ownership permissions:
[paulie@buford ~]$ sudo chown -R openldap:openldap /var/openldap/
... and now ...
[paulie@buford ~]$ sudo svcadm enable ldap/server
Check that it worked:
[paulie@buford ~]$ svcs | grep ldap
online         12:13:49 svc:/network/ldap/server:openldap_24
Neat, now let's add our schema file to the database:
[paulie@buford ~]$ ldapadd -D "cn=admin,dc=buford,dc=hillvalley" -f /etc/openldap/schema/hillvalley.ldif
Enter bind password: 
adding new entry dc=buford,dc=hillvalley
adding new entry ou=groups,dc=buford,dc=hillvalley
adding new entry ou=users,dc=buford,dc=hillvalley
adding new entry cn=world,ou=groups,dc=buford,dc=hillvalley
adding new entry uid=paulie,ou=users,dc=buford,dc=hillvalley
That's it! Our LDAP server is up, populated, and ready to authenticate against.

Configuring the Client
I'm going to turn my example server, buford.hillvalley, into an LDAP client as well. To do this, we need to run the `ldapclient` command to map our new user and group data:
[paulie@buford ~]$ ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a defaultSearchBase=dc=buford,dc=hillvalley \
-a domainName=buford.hillvalley \
-a defaultServerList= \
-a proxyDN=cn=admin,dc=buford,dc=hillvalley \
-a proxyPassword=secret \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:ou=users,dc=buford,dc=hillvalley \
-a serviceSearchDescriptor=group:ou=groups,dc=buford,dc=hillvalley \
-a serviceSearchDescriptor=shadow:ou=users,dc=buford,dc=hillvalley
As usual, change the host and domain names as well as the IP address held in defaultServerList and the proxyPassword. The command should respond back that the system was configured properly, however, additional changes will need to be made if you use DNS for hostname lookups (most people use DNS, so run these commands).
svccfg -s name-service/switch setprop config/host = astring: \"files dns ldap\"
svccfg -s name-service/switch:default refresh
svcadm restart name-service/cache
Now, we need to change how users login so that the client knows that there is an extra LDAP server to authenticate against. This should not lockout local worries. Examine the two files /etc/pam.d/login and /etc/pam.d/other. Change any instance of
auth required  
auth binding   server_policy
After this line, add the following new line:
auth required 
That's it! Finally, reboot your system and see if you can login with your newly created user.

Update: Glenn Faden wrote an excellent guide to configuring OpenLDAP using the native Solaris user/group/role management system.

Monday Feb 11, 2013

Recovering Passwords in Solaris 11

About once a year, I'll find a way to lock myself out of a Solaris system. Here's how to get out of this scenario. You'll need a Solaris 11 Live CD or Live USB stick.
  • Boot up from the Live CD/USB
  • Select the 'Text Console' option from the GRUB menu
  • Login to the solaris console using the username/password of jack/jack
  • Switch to root
  • $ sudo su
    password jack
  • Mount the solaris boot environment in a temporary directory
  • # beadm mount solaris /a
  • Edit the shadow file
  • # vi /a/etc/shadow
  • Find your username and remove the password hash
  • Convert
  • Allow empty passwords at login
  • $ vi /a/etc/default/login
    Switch this line
  • Update the boot archive
  • # bootadm update-archive -R /a
  • Reboot and remove the Live CD/USB from system
  • # reboot
    If prompted for a password, hit return since this has now been blanked.

Monday Feb 20, 2012

CIFS Sharing on Solaris 11

Things have changed since Solaris 10 (and Solaris 11 Express too!) on how to properly set up a CIFS server on your Solaris 11 machine so that Windows clients can access files. There's some documentation on the changes here, but let me share the full instructions from beginning to end.
hostname: adrenaline
username: paulie
poolname: pool
mountpnt: /pool
share: mysharename
  • Install SMB server package
  • [paulie@adrenaline ~]$ sudo pkg install service/file-system/smb
  • Create the name of the share
  • [paulie@adrenaline ~]$ sudo zfs set share=name=mysharename,path=/pool,prot=smb pool
  • Turn on sharing using zfs
  • [paulie@adrenaline ~]$ sudo zfs set sharesmb=on pool
  • Turn on your smb server
  • [paulie@adrenaline ~]$ sudo svcadm enable -r smb/server
  • Check that the share is active
  • [paulie@adrenaline ~]$ sudo smbadm show-shares adrenaline
    Enter password: 
    c$                  Default Share
    IPC$                Remote IPC
    3 shares (total=3, read=3)
  • Enable an existing UNIX user for CIFS sharing (you may have to reset the password again eg.`passwd paulie` )
  • [paulie@adrenaline ~]$ sudo smbadm enable-user paulie
  • Edit pam to allow for smb authentication (add line to end of file)
  • Solaris 11 GA only:
    [paulie@adrenaline ~]$ vi /etc/pam.conf
    other   password required nowarn
    Solaris 11 U1 or later:
    [paulie@adrenaline ~]$ vi /etc/pam.d/other
    password required nowarn
  • Try to mount the share on your Windows machine
  • \\adrenaline\mysharename

Tuesday May 31, 2011

Compiling Alpine on Solaris 11

I use alpine as my primary e-mail client. In order to get it compiled for Solaris 11 (snv_166 and later), you will need to make a few changes to the source.
[paulie@adrenaline ~]$ uname -orv
5.11 snv_166 Solaris
[paulie@adrenaline ~]$ ./configure --with-ssl-include-dir=/usr/include/openssl
[paulie@adrenaline ~]$ gmake
We run into a problem ...
In file included from osdep.c:66:
scandir.c: In function `Scandir':
scandir.c:45: error: structure has no member named `dd_fd'
Let's investigate:
[paulie@adrenaline ~]$ vi /usr/include/dirent.h
#if defined(__USE_LEGACY_PROTOTYPES__)
/* traditional SVR4 definition */
typedef struct {
        int     dd_fd;          /* file descriptor */
        int     dd_loc;         /* offset in block */
        int     dd_size;        /* amount of valid data */
        char    *dd_buf;        /* directory block */
} DIR;                          /* stream data from opendir() */
/* default definition (POSIX conformant) */
typedef struct {
        int     d_fd;           /* file descriptor */
        int     d_loc;          /* offset in block */
        int     d_size;         /* amount of valid data */
        char    *d_buf;         /* directory block */
} DIR;                          /* stream data from opendir() */
#endif  /* __USE_LEGACY_PROTOTYPES__ */
Interesting, so alpine *should* be using POSIX instead of the older UNIX SVR4 definitions. Let's make a change to the scandir.c file, which is located in alpine-2.00/imap/c-client/scandir.c. On line 45 I see the following use of dd_fd:
  if ((!dirp) || (fstat (dirp->dd_fd,&stb) < 0)) return -1;
Let's change that dd_fd to d_fd.
  if ((!dirp) || (fstat (dirp->d_fd,&stb) < 0)) return -1;
After recompile, everything works as expected. I'm sure there is a better way of fixing this problem, but considering how trivial this issue is, a small edit is sufficient.

Monday Jan 03, 2011

ZFS Encryption for USB sticks on Solaris 11 Express

USB memory sticks are easily lost, so to keep your data safe, it's best to use the new encryption feature of ZFS available since snv_149 (ZFS version 30). Here's how to take advantage of it.
[paulie@adrenaline ~]$ uname -a
SunOS adrenaline 5.11 snv_155 i86pc i386 i86pc Solaris
Get the device id for the USB stick using rmformat.
[paulie@adrenaline ~]$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c11t0d0p0
        Physical Node: /pci@0,0/pci108e,534a@2/hub@4/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
	Bus: USB
	Size: 1.9 GB
	Access permissions: Medium is not write protected.
The device id is c11t0d0p0. Using this id, we can make a pool on the device called 'secret'. You can call yours whatever you want.
[paulie@adrenaline ~]# zpool create -O encryption=on secret c11t0d0p0
Enter passphrase for 'secret': 
Enter again: 
Let's create a random 128MB file in the new pool called file.enc.
[paulie@adrenaline ~]# cd /secret; mkfile 128m file.enc
Now, let's make sure it works by exporting and importing the secret pool and hope it asks for a password.
[paulie@adrenaline ~]# zpool export secret
[paulie@adrenaline ~]# zpool import secret
Enter passphrase for 'secret': 
It works as expected. Let's check for the created file.
[paulie@adrenaline ~]# ls /secret
We can also check the encryption of any zfs filesystem by using the following command:
[paulie@adrenaline ~]# zfs get encryption secret
secret  encryption  on           local
For more information visit:

Hiya, my name is Paul Johnson and I'm a software engineer working on the Oracle ZFS Storage Appliance .


« June 2016