Monday Jun 20, 2005

Native LDAP PSD!

Native LDAP De-Mystified aka LDAP Product Support Document!!! From quite some time, we have been working on a product support
document for Native LDAP in Solaris[TM] Operating Environment.
Finally we managed to come up with a share-able version of the
document which I'm including below!

My sincere thanks to following people who helped me in this effort:

\* Martin Reifenrath
\* Michael Haines
\* Serge Dussud
\* Stacey Marshall

The Native LDAP PSD can also be accessed from

http://blogs.sun.com/roller/resources/raja/ldap-psd.html

Questions, error-fixes, additions and amendments to:

Raja Gopal Andra
rajagopal DOT andra AT sun DOT com

----------------------------------------------------------------------------------------


Revision: 1.1
Date: June 20, 2005
 
Table of Contents

1.0 About Native LDAP

   1.1. What is Native LDAP?
   1.2. What is Native/Secure LDAP?
   1.3. Why use LDAP?
   1.4. What are the benefits of using Secure LDAP versus using NIS, NIS+, or files?

2.0 Common How Tos

   2.1. How to Set Up a Solaris[TM] Secure LDAP Client on Solaris 8?
   2.2. How to Set Up a Solaris[TM] Secure LDAP Client on Solaris 9?
   2.3. How to Create Client Profiles Manually?
   2.4. How to Setup and Implement printing?
   2.5. How to Setup and Implement SSD's?
   2.6. How to Setup and Implement RBAC?
   2.7. How to Setup and Implement SMC?
   2.8. How to Setup and Implement Automounter?
   2.9. How to use ldapaddent(1M)?
   2.10. How do I reinitialize a client?
   2.11. How do I un-initialize a client?
   2.12. How to setup Secure NFS??

3.0 LDAP Client Security

   3.1. How to Setup and Implement SASL DIGEST-MD5?
   3.2. How to Setup and Implement TLSv1/SSL?

4.0 Debugging LDAP

   4.1. How to start debugging, if something fails? What to do first?
   4.2. How to use snoop to debug the LDAP Client?
   4.3. How to debug PAM?
   4.4. How to understand the Sun ONE Directory Server v5.2 access log?
   4.5. How to use ssltap to debug TLSv1/SSL communication?

5.0 Some Frequently Asked Questions

   5.1. Does the LDAP Client (Phase I/II) support password aging?
   5.2. Is there a user name limit imposed on LDAP clients?
   5.3. What schema is used by the LDAP (Phase I/II)?
   5.4. What tools exist to Automate the LDAP Client setup?
   5.5. Does the LDAP Client (Phase I/II) support TLSv1/SSL?
   5.6. What is NS1 format?? How is the NS1 format converted/used to
    authenticate against the userPassword in CRYPT format in the
    LDAP server?
   5.7. What TLSv1/SSL Functions are supported in the LDAP Client (Phase I/II)?
   5.8. Are there any restrictions on where idsconfig can be run from?
   5.9. Does ldapaddent(1M) have any requirements?
  5.10. Can you use both pam_ldap and pam_unix to support the password policy?
  5.11. How do I run ldaplist(1)?
  5.12. Why would I want multiple profiles?
  5.13. Can my Directory (LDAP) Server be it's own LDAP client?
  5.14. What are the requirements for Directory server to support Solaris
    Native LDAP clients?
  5.15. What commands are usually run on a Native LDAP Client?
  5.16. What commands are usually run on a directory server?
  5.17. Can I use SASL CRAM-MD5?
  5.18. What is the ldap_cachemgr(1M) daemon?
  5.19. What is RFC2307bis?
  5.20. Why does /usr/bin/passwd fail, if root tries to change and end-users
    password in LDAP?
  5.21. What Printer Schema is used by the Secured LDAP Client?
  5.22. How to troubleshoot when users are not able to login using LDAP?
  5.23. Can the client profile location be changed?

6.0 Information Gathering

   6.1. Which files should I gather?
   6.2. Which commands should I run to collect status/config information?
   6.3. Which information does an Explorer (since version 4.1) collect and
    how can this become interpreted?
   6.4. Which simple commands should I run for some basic testing?
   6.5. How to troubleshoot when client does not seem to be able to contact
    server?

7.0 Packages

   7.1. List the Sun ONE Directory Server 5.1 Packages?
   7.2. List the Sun ONE Directory Server 5.2 Packages?
   7.3 Secure LDAP client packages in Solaris 8 and 9

8.0 Naming Service Migration?

   8.1. NIS+/LDAP
   8.2. NIS/LDAP

9.0 Patches

10.0 Known Bugs & RFEs?
   
   10.0. Bugs
   10.1. RFE's

11.0 References?

   1. Important Man Pages
   2. Sun SRDBs / InfoDocs
   3. Sun Educational Services
   4. Solaris Documentation
   5. Third Party Documentation
   6. RFCs

12.0 Supportability

13.0 Additional Support

14.0 Index of LDAP documents

   1. docs.sun.com
   2. Manual Pages
   3. Other

15 Contributors

1.0. About Native LDAP

1.1. What is Native LDAP?

Native LDAP is the integration of LDAP as a name service for the
Solaris Operating Environment (OE).

First introduced in Solaris 8 OE, Native LDAP allows the name
services library function calls to retrieve their information
from an LDAP server (such as the Sun Java System Directory Server).
These functions are known as the getXbyY functions and
include, not limited to, gethostbyname(3NSL), gethostbyaddr(3NSL),
getpwent(3NSL), and getservbyname(3NSL).

For more details on the getXbyY functions please see the nsswitch.conf(4)
man page, which contains the "Database" and "Used By" listing in the
DESCRIPTION section.  Most of the getXbyY and other calls that use
name service are listed in the "Used By" column.  The man pages for
each of these calls have more calls listed in the NAME section.

Once configured Native LDAP is another name service option
within nsswitch.conf(4) designed to complement /etc files and
DNS and is used in the same way as NIS or NIS+. Please note that
LDAP clients do a hard lookup for getXbyY calls which means that
the caller waits until it gets a response.

1.2. What is Native/Secure LDAP?

Secure LDAP is Native LDAP client with security features included.
A more robust security model, which supports strong authentication,
TLS encrypted sessions. A client's proxy credentials are NO LONGER
stored in a client's profile on the directory server

1.3. Why use LDAP?

The answer to this question depends on your role and how you
use the system. If you are a user, a system administrator, or a
developer then the following apply:

As a user, LDAP offers:

        \* A single place to maintain personal information
        \* A single source for information about others
        \* A place to find what you need to access
        \* Remote access as easy as local access
        \* Mobility from your desktop
        \* A way to ease every day communication and work

As a system administrator, LDAP offers:

        \* A single place to administer users and groups
        \* A single place to administer enterprise configuration information
        \* A way for authority to be distributed
        \* A way to enable data to be distributed and replicated for
          reliability and performance

As a developer, LDAP offers:

        \* A place to get and store information about users
        \* A place to get and store configuration information
        \* Mobility to users of your application
        \* A general attribute/value directory that is fast, replicated
          and reliable

1.4. What are the benefits of using Secure LDAP versus using NIS,
     NIS+, or files?

LDAP offers an extensive and extensible standards based data repository.
The Lightweight Directory Access Protocol provides the standard models
and protocols used in directories today. One of the key advantages to
LDAP, is it's inter-operability, and the fact that it is possible for
a LDAP client developed by Novell for example to work with a server
developed by Sun.

LDAP provides better security through authentication and authorization
and by utilizing secure transport layers. The LDAP standard has proposed
ways (RFC 2251 and RFC 2829) in which LDAP clients can authenticate to
LDAP servers. Note, that RFC 3377 -  The LDAPv3 Technical Specification
was published to list all RFCs that comprise the full specifications of
LDAPv3. That is, RFC 2251-2256, RFC 2829 (authentication methods) and
RFC 2830 (Extension for TLS).

LDAP replication provides increased data availability, load
balancing, enhanced performance (by replicating on a local
server) and local data management.  It also provides a mechanism
for mix-and-matching data from different LDAP servers.

LDAP is the preferred naming service for the Solaris Operating
Environment.  We have announced that NIS+ may be removed at some
future (unspecified) time. In other words, we have announced the
EOF of NIS+

http://docs.sun.com/app/docs/doc/806-4077/6jd6blbba?a=view

gives a good comparison chart for different naming services.

2.0. Common How-to's

2.1. How to Set Up a Solaris[TM] Secure LDAP Client on Solaris 8?

The following procedure requires that the following 2 patches are
installed on the system:

    108993-47 (or newer) for the software and configuration modules
    108808-44 (or newer) for the man pages

It also assumes that a LDAP server has been successfully configured
for Native LDAP (e.g., using idsconfig(1M)).

A Solaris 8 system can be configured as Native LDAP client using
ldapclient(1M) (/usr/sbin/ldapclient) command. ldapclient(1M)
needs to be run as root to configure it as an LDAP client.
There are two ways to configure a system as LDAP client -
using profiles stored on LDAP server and using 'manual' method.
Using profiles is recommended as it's easy to make mistakes when
configuring a system using manual option. Please refer to man page
for different options with ldapclient(1M) command.

There are multiple ways to configure a Solaris 8 system to become
a native LDAP client. Before starting to configure the system, some
planning need to be done to have a clear road map for proceeding with
the configuration. One important question is how LDAP clients authenticate
with the LDAP server? The two options are:
          
    o no authentication at all / anonymous access:

    This method requires to leave complete DIT (Directory
Information Tree) that holds the Naming Services Data within the
LDAP server's database completely open for read/write access from
client systems. This method is not recommended due to security
concerns.

    o authentication through a Proxyagent:

    This method requires a special user to be already defined
in the LDAP database and to become used by all client systems when
authenticating to the LDAP server. This is the recommended method.
              
You may create a client profile in your LDAP server that may become
commonly used by all (or multiple) clients. Such a profile is good
for easily storing/administrating configuration parameters that will
become used by all (or multiple) clients in common.

Steps to be performed to configure an LDAP client:

1. Verify, if all required patches are installed on the client system
   and make sure the patches are latest.

    \* Run either one of the commands "showrev -p" or "ls /var/sadm/patch"
    \* ... then check, if the following patches appear in the output:
      108827, 108993 and 112218
    \* ... then cross check with SunSolve to see, if the revision (the
      extension "-nn" in the patch number) is identical.


2. Create ACI to allow anonymous access. Please skip to step 3, if you
   decided to authenticate through a Proxyagent.

When allowing to access the LDAP server with anonymous access, you will
need to create an ACI (Access Control Information) in the LDAP server
to permit READ access for User Passwords to anybody.

    \* Create an LDIF-file that looks like follows:

    dn: dc=ldap,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///dc=ldap,dc=example,dc=com") (targetattr="userPassword")
     (version 3.0; acl "password read"; allow (compare,read,search)
     userdn = "ldap:///anyone"; )

    \* Load this file into your LDAP-database:

    # ldapadd -h <IP-address> -D "cn=Directory Manager" -w <password>
    -f <filename>

This file will allow users that are stored in the LDAP database to login
to LDAP client systems.

Please keep in mind, that permitting users to change their passwords
requires to define similar ACIs that allow even higher access levels
to become opened for anonymous access.

Skip to step 4.

3. Create Proxyagent

If you decided to have the client authenticating through a proxyagent, you
will need to create the proxyagent in your LDAP database.

    \* Create an LDIF file that looks like follows:

    dn: cn=proxyagent,ou=profile,dc=ldap,dc=example,dc=com
    cn: proxyagent
    sn: proxyagent
    objectclass: top
    objectclass: person
    userpassword: test1234

    \* Load this file into your LDAP-database:

    # ldapadd -h <IP-address> -D "cn=Directory Manager" -w <password>
    -f <filename>

              
4. Create client Profile

Please skip to step 5., if you do not want to create a client profile.

If you decided to use a client profile for all (or multiple) native LDAP
clients, you will need to create the profile and store it in your LDAP
database.

    \* Create an LDIF file that contains information matching to your
environment:

      (example using a proxyagent)
      # ldap_gen_profile -P S8Profile -b dc=ldap,dc=example,dc=com \\
                   -D "cn=proxyagent,ou=profile,dc=ldap,dc=example,dc=com" \\
                   -w test1234 -a simple <IP-address> > S8Profile.ldif

      (example for anonymous access)
      # ldap_gen_profile -P S8Profile -b dc=ldap,dc=example,dc=com \\
                   -a none <IP-address> > S8Profile.ldif
       
    \* Edit the LDIF file. All lines must start with text in the first
column. Set all parameters to meet your environment's requirements:


      dn: cn=S8Profile,ou=profile,dc=ldap,dc=example,dc=com
      SolarisBindDN: cn=proxyagent,ou=profile,dc=dc=ldap,dc=example,dc=com
      SolarisBindPassword: {NS1}4a3788e8c053424f
      SolarisLDAPServers: 10.16.50.134
      SolarisSearchBaseDN: dc=ldap,dc=example,dc=com
      SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
      SolarisTransportSecurity: NS_LDAP_SEC_NONE
      SolarisSearchReferral: NS_LDAP_FOLLOWREF
      SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
      SolarisSearchTimeLimit: 30
      SolarisCacheTTL: 43200
      cn: S8Profile
      SolarisBindTimeLimit: 30
      ObjectClass: top
      ObjectClass: SolarisNamingProfile

    \* Load this file into your LDAP database:

      # ldapadd -h <IP-address> -D "cn=Directory Manager" -w <password> \\
    -f S8Profile.ldif
       

5. Initialize the system to become a native LDAP client

    \* for anonymous access without profile:

    # ldapclient -i -a none -d ldap.example.com <IP-address>
       
    \* for proxyagent access without profile:
    
    # ldapclient -i -a simple \\
                   -D "cn=proxyagent,ou=profile,dc=ldap,dc=example,dc=com" \\
                   - w <password> \\
                   -d ldap.example.com <Ldap_Server_IP_address>

    \* for any access with profile:

      # ldapclient -P <profile_name>   -d ldap.example.com <IP-address>
       

6. Verify that the LDAP client works

    \* Run the command ldaplist to verify, if the LDAP client works:

      (the output MUST look like the following example)

      # ldaplist
      dn: cn=Directory Administrators, dc=ldap,dc=example,dc=com
      dn: ou=People, dc=ldap,dc=example,dc=com
      dn: ou=Special Users,dc=ldap,dc=example,dc=com
      dn: ou=Groups, dc=ldap,dc=example,dc=com
      dn: ou=group,dc=ldap,dc=example,dc=com
      dn: ou=rpc,dc=ldap,dc=example,dc=com
      ...
       
7. Prepare nsswitch.conf file
Edit the file /etc/nsswitch.conf to use LDAP as the Naming Service
for those tables that meet your environment. Please regard the file
/etc/nsswitch.ldap as an example for this.

8. Reboot your client system
It is recommended (but not required) to reboot the system, after it
became configured as a native LDAP client, because some application
programs (like automountd) need to become restarted to reload their
naming service information.


Example 1:

Example for configuring a native LDAP client in Solaris 8

# /usr/sbin/ldapclient  -P example_prof  -D cn=proxyagent,ou=profile,dc=example,dc=com -w proxy12 -d example.com 192.168.1.1
Arguments parsed:
        domainName: example.com
        proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
        profileName: example_prof
        proxyPassword: proxy12
        defaultServerList: 192.168.1.1
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 1 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"
rootDN[0] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: {NS1}ecc423aad07c60
Credential level: 1
Authentication method: 1
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
ldap not running
nisd not running
nis_cache not running
nispasswd not running
Stopping nis(yp)
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/etc/.rootkey)=-1
file_backup: No /etc/.rootkey file.
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "sunicnc.France.Sun.COM"
file_backup: stat(/var/yp/binding/sunicnc.France.Sun.COM)=0
file_backup: (/var/yp/binding/sunicnc.France.Sun.COM -> /var/ldap/restore/sunicnc.France.Sun.COM)
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
#

\*NOTE\*

When ldapclient(1M) ends with "System successfully configured", it means
that the Native LDAP client has been successfully configured. But it does
NOT mean the Native Ldap client will also successfully work! For example:
If for instance you did specify a non-existing name for the proxy DN,
ldapclient(1M) will log the message "System successfully configured", but
the system will not be able to work as a LDAP client (won't be able to
bind to the LDAP server). It is hence strongly recommended to check that
the Native LDAP client indeed works fine, for instance by running
ldaplist(1).

2.2. How to Set Up a Solaris[TM] Secured LDAP Client on Solaris 9?

This is described in detail at:

http://docs.sun.com/app/docs/doc/806-4077/6jd6blbfk?a=view

The LDAP client in Solaris 9 is configured with the ldapclient(1M)
(/usr/sbin/ldapclient) command. ldapclient(1M) must be run as root
to configure the system as an LDAP client, and also can be used to
generate client profiles. Please refer to man page for different
options available.

Example 1: Setting up a system as Native LDAP client using
'example_prof' profile and using 192.168.1.1 as the directory
server.


# /usr/sbin/ldapclient -v init -a profilename=example_prof -a proxydn=cn=proxyagent,ou=profile,dc=example,dc=com -a proxypassword=proxy12 -a domainname=example.com 192.168.1.1
Parsing profilename=example_prof
Parsing proxydn=cn=proxyagent,ou=profile,dc=example,dc=com
Parsing proxypassword=proxy12
Parsing domainname=example.com
Arguments parsed:
        domainName: example.com
        proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
        profileName: example_prof
        proxyPassword: proxy12
        defaultServerList: 192.168.1.1
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 1 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"
rootDN[0] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: {NS1}ecc423aad07c60
Credential level: 1
Authentication method: 1
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
ldap not running
nisd not running
nis_cache not running
nispasswd not running
Stopping nis(yp)
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/etc/.rootkey)=-1
file_backup: No /etc/.rootkey file.
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "sunicnc.France.Sun.COM"
file_backup: stat(/var/yp/binding/sunicnc.France.Sun.COM)=0
file_backup: (/var/yp/binding/sunicnc.France.Sun.COM -> /var/ldap/restore/sunicnc.France.Sun.COM)
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
#

\*NOTE\*

When ldapclient(1M) ends with "System successfully configured", it means
that the Native LDAP client has been successfully configured. But it does
NOT mean the Native Ldap client will also successfully work! For example:
If for instance you did specify a non-existing name for the proxy DN
(option: "-a proxydn=..."), ldapclient(1M) will log the message
"System successfully configured", but the system will not be able to
work as a LDAP-client (won't be able to bind to the LDAP server).
Hence it is strongly recommended to check that the Native LDAP
client indeed works fine, for instance by running ldaplist(1).

2.3. How to Create Client Profiles Manually?

On Solaris 9, use genprofile option of ldapclient(1M) and on
Solaris 8, use ldap_gen_profile(1M) commands.

Example 1: This example shows how to create a profile on a Solaris 8
system.

$ldap_gen_profile -P s8profile -b dc=sun,dc=com  -D "cn=proxyagent,ou=people,dc=sun,dc=com" -w test1234 -a simple 129.158.226.172
      dn: cn=s8profile,ou=profile,dc=sun,dc=com
         SolarisBindDN: cn=proxyagent,ou=people,dc=sun,dc=com
         SolarisBindPassword: {NS1}4a3788e8c053424f
         SolarisLDAPServers: 129.158.226.172
         SolarisSearchBaseDN: dc=sun,dc=com
         SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
         SolarisTransportSecurity: NS_LDAP_SEC_NONE
         SolarisSearchReferral: NS_LDAP_FOLLOWREF
         SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
         SolarisSearchTimeLimit: 30
         SolarisCacheTTL: 43200
         cn: s8profile
         ObjectClass: top
         ObjectClass: SolarisNamingProfile
$

Now you must edit the s8profile.ldif file to work around bug 4346889.

Remove any white space from the beginning of the lines. The result
should look like the following (except that it will have your suffix
instead of dc=sun,dc=com):

dn: cn=s8profile,ou=profile,dc=sun,dc=com
SolarisBindDN: cn=proxyagent,ou=people,dc=sun,dc=com
SolarisBindPassword: {NS1}4a3788e8c053424f
SolarisLDAPServers: 129.158.226.172
SolarisSearchBaseDN: dc=sun,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: s8profile
ObjectClass: top
ObjectClass: SolarisNamingProfile

Example 2: The following example shows how to create a profile using
genprofile subcommand of ldapclient(1M) on a Solaris 9 system.

$ldapclient genprofile -a profileName=s9profile -a credentialLevel=proxy -a authenticationMethod=simple -a bindTimeLimit=20 -a defaultSearchBase=dc=test,dc=com
dn: cn=s9profile,ou=profile,dc=test,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultSearchBase: dc=test,dc=com
authenticationMethod: simple
cn: s9profile
credentialLevel: proxy
bindTimeLimit: 20
$
 

2.4. How to setup and implement printing?

There is already an existing Info Doc on the subject:

Info Doc 73358 How to administer the printers(4) database when using ldap(1) as Naming Service

http://sunsolve.sun.com/search/document.do?assetkey=1-9-73358-1&searchclause=73358

2.5. How to Setup and Implement Service Search Descriptors(SSD's)?

SSD's are explained in detail at

http://docs.sun.com/app/docs/doc/806-4077/6jd6blber?a=view

It is easy to configure SSD's - simple steps that can be used are:

1. Create a profile with SSD's
2. Add the profile to LDAP server
3. Configure a system as Native LDAP client using this profile
4. Verify everything works fine and SSD's are working properly.

We are not covering 'manual' method of ldapclient for setting up
SSD's as using profiles is the recommended and easy way to do this.

Example 1: Following is an example on how to configure and use SSD's.

step 1: create a profile with SSD

Profile is created as explained in section 2.3

ldapsrv$cat ssd_profile.ldif
dn: cn=ssd_profile,ou=profile,dc=example,dc=sun,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultSearchBase: dc=example,dc=sun,dc=com
authenticationMethod: simple
preferredServerList: 129.158.233.109
cn: ssd_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd:ou=people,dc=example,dc=sun,dc=com?one
ldapsrv$

Step 2: Add the profile to LDAP server

ldapsrv$ldapadd -v -D "cn=directory manager" -w nssecret -f ssd_profile.ldif
add ObjectClass:
        top
        DUAConfigProfile
add defaultSearchBase:
        dc=example,dc=sun,dc=com
add authenticationMethod:
        simple
add preferredServerList:
        129.158.233.109
add cn:
        ssd_profile
add credentialLevel:
        proxy
add serviceSearchDescriptor:
        passwd:ou=people,dc=example,dc=sun,dc=com?one
adding new entry cn=ssd_profile,ou=profile,dc==example,dc=sun,dc=com
modify complete

ldapsrv$

Step 3: Initialize a system as LDAP client using ssd_profile

ldapclnt2/$ldapclient -v init -a
proxyDN=cn=proxyagent,ou=profile,dc=example,dc=sun,dc=com -a
domainname=example.sun.com -a profilename=ssd_profile -a proxypassword=nssecret
129.158.233.109
Parsing proxyDN=cn=proxyagent,ou=profile,dc=example,dc=sun,dc=com
Parsing domainname=example.sun.com
Parsing profilename=ssd_profile
Parsing proxypassword=nssecret
Arguments parsed:
        domainName: example.sun.com
        proxyDN: cn=proxyagent,ou=profile,dc=example,dc=sun,dc=com
        profileName: ssd_profile
        proxyPassword: nssecret
        defaultServerList: 129.158.233.109
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL,
"(&(objectclass=nisDomainObject)(nisdomain=example.sun.com))"
rootDN[0] dc=example,dc=sun,dc=com
found baseDN dc=example,dc=sun,dc=com for domain example.sun.com
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=sun,dc=com
Proxy password: {NS1}6849886b43e612a6
Credential level: 1
Authentication method: 1
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
ldap not running
nisd not running
nis_cache not running
nispasswd not running
Stopping nis(yp)
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/etc/.rootkey)=-1
file_backup: No /etc/.rootkey file.
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "blr03-01.India.Sun.COM"
file_backup: stat(/var/yp/binding/blr03-01.India.Sun.COM)=0
file_backup: (/var/yp/binding/blr03-01.India.Sun.COM ->
/var/ldap/restore/blr03-01.India.Sun.COM)
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname example.sun.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
ldapclnt2#

4. Verify

ldapclnt2$ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=sun,dc=com
NS_LDAP_BINDPASSWD= {NS1}6849886b43e612a6
NS_LDAP_SEARCH_BASEDN= dc=example,dc=sun,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SERVER_PREF= 129.158.233.109
NS_LDAP_PROFILE= ssd_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=example,dc=sun,dc=com?one
ldapclnt2$

ldaplist passwd lists correct entries.

Example 2: Following is an example profile using 2 way search.

$cat ssd_prof1.ldif
dn: cn=ssd_prof1,ou=profile,dc=example,dc=sun,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultSearchBase: dc=example,dc=sun,dc=com
authenticationMethod: simple
preferredServerList: 129.158.233.109
cn: ssd_prof1
credentialLevel: proxy
serviceSearchDescriptor:
passwd:ou=people,dc=example,dc=sun,dc=com?one;ou=people,dc=sun,dc=com?one
$

Follow the same procedure as above and verify that ldaplist passwd dumps
user entries correctly.


2.6. How to Setup and Implement RBAC?

There is already an existing Info Doc on the subject:

Info Doc 70152 How to load RBAC configuration data into a Native LDAP datastore

http://sunsolve.sun.com/search/document.do?assetkey=1-9-70152-1&searchclause=70152


2.7. How to Setup and Implement SMC?

Here is a brief description of how to achieve this:

- Creating the Name Service Domain Tool box

- Register the LDAP administrative credentials with SMC as root

- Verify communications with the Sun Java (LDAP) Directory Server

- Create the tool box for managing LDAP within SMC using the scope

- Start the console and select your new LDAP tool box.

2.8. How to Setup and Implement Automounter?

There is already an existing internal Info Doc on the subject:

Info Doc 47323 Solaris[TM] 8 and 9 Native LDAP clients and Automount Maps

http://sunsolve.sun.com/search/document.do?assetkey=47323

and few things worth knowing:

- case sensitive mount point not working, if LDAP server is Sun ONE DS 5.1:
  this is bug 4630941, fixed in Sun ONE DS 5.2 (too risky to fix in 5.1)
- what to use: auto.sun or auto_sun?

Below is an extract from a mail on internal mail alias that explains it all:

For the /product mount point the customer has:

automountKey=/product,automountMapName=auto_master,dc=cs,dc=xxxxx,dc=xxx,dc=xxx
objectClass: automount
objectClass: top
automountKey: /product
automountInformation: auto.sun4 -intr,nosuid

Note the "." in auto.sun4. What the automounter will now look for is a
container called automountMapName=auto.sun4 _not_ automountMapName=auto_sun4.
She probably has done the same thing with /net in that instead of auto_net
she has auto.net in the entry automountKey=/net,
automountMapName=auto_master,dc=cs,dc=xxx....

Just fix the problem with the automountInformation attribute to all the entries
under the automountMapName=auto_master container which have the problem.

After this, issue the command /etc/init.d/autofs stop and start on one of
the clients and I thing she should be OK. I do not believe she needed to
restart anything else.

Bottom line is that when /etc/auto_master is imported, make sure that the
maps in the source files do have the auto_xxx format, rather than auto.xxx
format. E.g.:

/home auto_home -intr,nosuid,nobrowse
/usr/pkg auto_pkg -intr,nosuid
/usr/lang auto_lang -intr,nosuid


2.9. How to use ldapaddent(1M)?

Before we take a look at how to use ldapaddent(1M), we need to understand
a little behind what ldapaddent(1M) is.

Probably one of the most important things to remember is that ldapaddent
is not a completely stand-alone utility. If you are familiar with
ldapaddent(1M) you may have noticed that it does not have an option to
specify which server the data should be loaded to, i.e something like a
-h option in ldapadd/modify is missing in ldapaddent.
 
This is because ldapaddent(1M) has to access the configuration from an already
setup Secure LDAP client in order to talk to a Directory Server.  There is
no doubt that it would be desirable to ldapaddent(1M) as a totally stand alone
utility, but it was not designed in that way.

After the Secure LDAP Client has been initialized, you can then use the
ldapaddent(1M) command to create entries in LDAP containers from their
corresponding /etc files. The following example uses the -a option, which
specifies the authentication method and the -f option which indicates the
input file to read:

# /usr/sbin/ldapaddent -D "cn=Directory Manager" -w <password> -a simple -f /etc/hosts hosts

The ldapaddent(1M) command functions by using the bind DN proxy agent to search
for the ou=hosts directory entry. When the ou=hosts directory entry has been
located, the Directory Manager is used to bind to the directory, add host
entries, and attributes for each system beneath the ou=hosts directory entry.

You can use the ldapaddent(1M) command to populate the other databases, such as
passwd, shadow, rpc, services, protocols, and so on. For better performance,
you should use the ldapaddent(1M) command to populate the passwd information
before the shadow information, networks before netmasks, and bootparams
before ethers. Valid databases to the ldapaddent(1M) command are:

\*passwd     \*shadow     \*networks     \*netmasks
\*bootparams     \*ethers     \*aliases     \*group
\*hosts         \*netgroup     \*protocols     \*publickey
\*rpc         \*services

Valid databases also include auto_master, auto_home, or auto_name,
where the name can be any automount map name such as the auto_direct
file. A syntax error occurs when using the ldapaddent(1M) command if the
/etc/auto_name file contains entries that begin with a plus (+). The
resulting LDAP automount information functions, but the plus (+) entry
is considered a syntax error by the ldapaddent(1M) command.

Using ldapaddent(1M) with NIS

If your naming service data is already in a NIS server and you want to
move the data to a Directory Server (LDAP) for LDAP naming services, you
can use the ypcat(1) command to dump the NIS maps into files and run the
ldapaddent(1M) command against those files. For example to migrate the
protocols map from NIS perform the following:

# cd /var/tmp

# /usr/bin/ypcat protocols > protocols.txt

# /usr/sbin/ldapaddent -D "cn=Directory Manager" -w <password> -f /var/tmp/protocols.txt protocols

When importing the passwd data from NIS, each entry contains the
encrypted password. For example:

# ypcat passwd | grep mh13749
mh13749:5dJCOKb8w.4R2:14749:10:..

To process this as one file i.e. no shadow file, use the -p option and
the ldapaddent(1M) command as follows. For example:

# /usr/sbin/ldapaddent -p -D "cn=Directory Manager" -w <password> -f /var/tmp/passwd.txt passwd

ldapaddent(1M) Performance

Firstly, ldapaddent(1M) does not perform any connection management by itself.
Instead, ldapaddent(1M) uses interfaces from the libsldap library, so it
basically relies on libsldap and ldap_cachemgr(1M) to do the connection
management. (Remember, we have to run ldapaddent(1M) from a configured
Secure LDAP Client).

ldapaddent(1M) reads line by line from a supplied /etc format file and tries
to add the entry to the server one by one. Its all sequential, which is
probably one of the reasons why the performance of ldapaddent(1M) is slow.

To improve ldapaddent(1M) performance, what is required is to make
ldapaddent(1M) multi-threaded so that entries can be added in parallel.

Right now, the best one can do is to just have multiple terminal
windows and start a ldapaddent(1M) per window but for different container(s).

2.10. How do I reinitialize a client?

There might be some cases, such as 4688752, where the Native LDAP II client
is broken, and one needs to set it up again. In this particular case, as
explained in bug workaround and evaluation fields, you might want to try
to restore missing files (e.g., /etc/nsswitch.conf) from /var/ldap/restore,
and then restart ldap_cachemgr(1M) and nscd(1M).

However, running again ldapclient(1M) init (or equivalent on Solaris 8, see
section 2.1 and 2.2 above) is probably the best thing.

2.11. How do I un-initialize a client?

This is achieved with ldapclient(1M) run as root on both Solaris 8 (with
108993-47 or later revision of patch and 108808-43) and Solaris 9. The
command line option is however different between Solaris 8 and later
releases.

Solaris 8: /usr/sbin/ldapclient [-v] -u

Example: Un-initializing a Solaris 8 LDAP client

#/usr/sbin/ldapclient -v -u
Arguments parsed:
Handling uninit option
Restoring machine to previous configuration state
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "sunicnc.France.Sun.COM"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/sunicnc.France.Sun.COM)=0
recover: file_move(/var/ldap/restore/sunicnc.France.Sun.COM, /var/yp/binding/sunicnc.France.Sun.COM)=0
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname sunicnc.France.Sun.COM... success
start: /usr/lib/netsvc/yp/ypstart... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully recovered

Solaris 9: /usr/sbin/ldapclient [-v] uninit

Example: Un-initializing a Solaris 9 LDAP client

# /usr/sbin/ldapclient -v uninit
Arguments parsed:
Handling uninit option
Restoring machine to previous configuration state
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "sunicnc.France.Sun.COM"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/sunicnc.France.Sun.COM)=0
recover: file_move(/var/ldap/restore/sunicnc.France.Sun.COM, /var/yp/binding/sunicnc.France.Sun.COM)=0
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname sunicnc.France.Sun.COM... success
start: /usr/lib/netsvc/yp/ypstart... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully recovered

2.12. How to setup Secure NFS??

There is already an existing Info Doc on the subject:

Info Doc 72141 How to configure secure RPC when using LDAP as Naming Service?

http://sunsolve.sun.com/search/document.do?assetkey=1-9-72141-1&searchclause=72141

Secure RPC hasn't been fully implemented yet in the Solaris LDAP client,
because the libnsl function netname2user(3NSL) doesn't yet support ldap
as a source for the publickey database. In consequence of that, the
keyserv daemon is unable to convert a netname (like "unix.1234@example.com")
into a user name. Therefore NFS cannot become secured by Secure RPC yet
in a LDAP environment. Please see bugs 4953916 and 5106725 for details.

3.0 LDAP client Security

3.1. How to Setup and Implement SASL DIGEST-MD5?

There is already an existing Info Doc on the subject:

Info Doc 70546 Configuring sasl/DIGEST-MD5 for Native LDAP in Sun[TM] ONE Directory Server

http://sunsolve.sun.com/search/document.do?assetkey=1-9-70546-1&searchclause=70546

Steps:

1. Ensure the system can see it's own host name in as a fully qualified
   host name

# grep hosts /etc/nsswitch.conf hosts: dns [NOTFOUND=continue] files

OR (quick & dirty)

# grep lab134 /etc/hosts
10.16.50.134 lab134.commslab.dns.com lab134 loghost
#
# getent hosts lab134 10.16.50.134 lab134.commslab.dns.com

2. setup the (S9 bundled DS)

# directoryserver setup ...
administrator ID [admin]:
Password: nssecret Password (again): nssecret ...
Suffix [dc=commslab, dc=dns, dc=com]: dc=example,dc=com ...
Directory Manager DN [cn=Directory Manager]:
Password: nssecret
Password (again): nssecret ...
Administration Domain [commslab.dns.com]: example.com ...

3. configure the DS for LDAP Naming Service

# /usr/lib/ldap/idsconfig ... ...
Answer the following with YES !!! ...
Do you want to store passwords in "crypt" format (y/n/h)? [n] y ...

Summary of Configuration

1 Domain to serve : example.com
2 Base DN to setup : dc=example,dc=com
3 Profile name to create : default
4 Default Server List : 10.16.50.134
5 Preferred Server List :
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : sasl/DIGEST-MD5
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : TRUE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
19 Service Search Descriptors Menu

...

Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=com]
Enter passwd for proxyagent: nssecret Re-enter passwd: nssecret

...

Now change the passwordstoragescheme into clear:

# cat > passwordstoragescheme.ldif
dn: cn=config
changetype: modify
replace: passwordstoragescheme
passwordstoragescheme: clear

# ldapmodify -h lab134 -D "cn=directory manager" -w nssecret \\
    -f passwordstoragescheme.ldif
modifying entry cn=config

# directoryserver stop
# directoryserver -s lab134 vlvindex -n userRoot -T example.com.getgrent
# directoryserver -s lab134 vlvindex -n userRoot -T example.com.gethostent
# directoryserver -s lab134 vlvindex -n userRoot -T example.com.getnetent
# directoryserver -s lab134 vlvindex -n userRoot -T example.com.getpwent
# directoryserver -s lab134 vlvindex -n userRoot -T example.com.getrpcent
# directoryserver -s lab134 vlvindex -n userRoot -T example.com.getspent

4. change Passwords into cleartext

NOTE: the DS was stopped in step 3. and still needs to be down when
performing this step.

For "cn=Directory Manager":

# cd /var/ds5/slapd-lab134/config
# vi dse.ldif

change the line ...
    nsslapd-rootpw: {SSHA}Sata+Zn2dBOkMVbiB7XqQDDszDhfcnJ4FT8MBg==
to ...
    nsslapd-rootpw: {clear}nssecret ...

Restart the DS

# directoryserver start

For the proxyagent:

It is SSHA before:

# ldapsearch -h lab134 -D "cn=directory manager" -w nssecret \\
-b ou=profile,dc=example,dc=com cn=proxyagent \\
cn=proxyagent,ou=profile,dc=example,dc=com \\
cn=proxyagent sn=proxyagent objectClass=top objectClass=person \\
userPassword={SSHA}uNU3CmDQ01hbFj9gxzyB5At1+I2OSacPwwGVEQ==

# cat > /tmp/proxy.ldif
dn: cn=proxyagent,ou=profile,dc=example,dc=com
changetype: modify
replace: userPassword
userpassword: {clear}nssecret

# ldapmodify -h lab134 -D "cn=directory manager" -w nssecret \\
-f /tmp/proxy.ldif
modifying entry cn=proxyagent,ou=profile,dc=example,dc=com

... and is CLEAR now:

# ldapsearch -h lab134 -D "cn=directory manager" -w nssecret
-b ou=profile,dc=example,dc=com cn=proxyagent \\
cn=proxyagent,ou=profile,dc=example,dc=com cn=proxyagent \\
sn=proxyagent objectClass=top objectClass=person \\
userPassword={clear}nssecret

Test, if proxyagent can BIND (and read it's own entry)

# ldapsearch -h lab134 -D "cn=proxyagent,ou=profile,dc=example,dc=com"
-w nssecret -b ou=profile,dc=example,dc=com cn=proxyagent \\
cn=proxyagent,ou=profile,dc=example,dc=com cn=proxyagent sn=proxyagent \\
objectClass=top objectClass=person userPassword={clear}nssecret

5. configure a S9 client:

# ldapclient -v init -a proxydn=cn=proxyagent,ou=profile,dc=example,dc=com
-a proxypassword=nssecret -a domainname=example.com 10.16.50.134
...
System successfully configured

Verify it works:

# ldaplist | more dn: cn=Directory Administrators, dc=example,dc=com

dn: ou=People, dc=example,dc=com

dn: ou=Special Users,dc=example,dc=com

dn: ou=Groups, dc=example,dc=com

dn: ou=group,dc=example,dc=com

dn: ou=rpc,dc=example,dc=com

Verify it has configured SASL/Digest-MD5:

# cat /var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 10.16.50.134
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= sasl/DIGEST-MD5
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10

Verify it does really use SASL:

On the server

# tail -f /var/ds5/slapd-lab134/logs/access

and check the logs related to the ldap client.

On the client

# ldaplist

and check that it lists the naming information stored on directory server.

3.2. How to Setup and Implement TLSv1/SSL?

There is already an existing Info doc on the subject:

Info Doc 73098 Solaris[TM]:Configuration example to secure a LDAP Naming Service environment with TLSv1/SSL

http://sunsolve.sun.com/search/document.do?assetkey=1-9-73098-1

4.0 Debugging LDAP

4.1. How to start debugging, if something fails? What to do first?

Basic troubleshooting techniques are covered in

http://docs.sun.com/app/docs/doc/806-4077/6jd6blbfq?a=view


Few basic things to check:

    \* is ldap_cachemgr(1M) running ?
    \* is nsswitch.conf(4) configured for ldap?
    \* can you ping(1M) the LDAP server ? using hostname?
    \* is ldaplist(1M) working ?
    \* messages on the console or on /var/adm/messages
    \* get the current profile by running /usr/sbin/ldapclient list
    (or on Solaris 8, /usr/sbin/ldapclient -l)

Some less trivial things to check:

    \* if connection to the LDAP server is failing, you might want
      to check that:
          o proxy agent password is correct
          o proxy agent account is not locked, and proxy agent password
        has not expired (this is to be checked on the LDAP server)
    \* if Client Credential Level is anonymous, are all the useful data
      in the LDAP server readable by anyone(check ACL's) ?
    \* the LDAP server errors and access files. See 4.7 below.
    \* the LDAP data sent and received. See 4.3 to 4.4 below.

4.2. How to use snoop to debug the LDAP Client?

You would use the ldap keyword of snoop(1M). E.g.:

# snoop -i /tmp/snoop.out ldap   
  1   0.00000    ldapclnt -> ldapsrv     LDAP C port=33823
  2   0.00002     ldapsrv -> ldapclnt    LDAP R port=33823
  3   0.00022    ldapclnt -> ldapsrv     LDAP C port=33823
  4   0.00024    ldapclnt -> ldapsrv     LDAP C port=33823 Bind Request
  5   0.00026     ldapsrv -> ldapclnt    LDAP R port=33823
  6   0.00423     ldapsrv -> ldapclnt    LDAP R port=33823 Bind Response Success
  7   0.00013    ldapclnt -> ldapsrv     LDAP C port=33823
  8   0.00065    ldapclnt -> ldapsrv     LDAP C port=33823 Search Request derefAlways
...

The -v option gives even more data:

# snoop -i /tmp/snoop.out -v ldap
....
TCP:  
LDAP:  ----- Lightweight Directory Access Protocol Header -----
LDAP:    \*[LDAPMessage]
LDAP:       [Message ID]
LDAP:      Operation \*[APPL 0: Bind Request]
LDAP:          [Version]
LDAP:          [Object Name]
LDAP:              cn=proxyagent,ou=profile,dc=exam
LDAP:              ple,dc=com
LDAP:         Authentication: Simple  [0]
LDAP:              proxy12
LDAP:  

ETHER:  ----- Ether Header -----
ETHER:  
.....


Please note that this is useful only if the LDAP port that used is 389,
the default LDAP port. snoop(1M) is not able to manage LDAP traffic on
other ports. Ethereal, available from http://www.sunfreeware.com/, can
also be used to capture network traffic along with snoop.


4.3. How to debug PAM?

PAM trace and debug mechanism uses syslogd(1M) and you would hence need
to customize syslog.conf(4). PAM debugging is explained in detail in

Infodoc 72189 How to Enable Debugging in PAM (Pluggable Authentication Module)

http://sunsolve.sun.com/search/document.do?assetkey=1-9-72189-1&searchclause=72189

4.4. How to understand the Sun Java Directory Server v5.2 access log?

It is all well documented in Sun Java Directory Server 5.2 Reference Manual,
chapter 8: Access Logs and Connection Codes.

Check it out from http://docs.sun.com: 816-6699-10

4.5. How to use ssltap to debug TLSv1/SSL communication?

Info Doc 73098 covers a little bit in this regard.

The Mozilla web site provides the so called "NSS Security Tools", which
is a very helpful collection of tools, that can be used when debugging or
troubleshooting problems in a SSL/TLSv1 configuration. The source code of
these tools may be obtained from

http://www.mozilla.org/projects/security/pki/nss/tools

The tool ssltap can be used to capture the SSL communication between two
systems. This tool is, of course, unable to decrypt data, t

Tuesday Jun 14, 2005

Application(popper) mis-behaving when using multiple LDAP servers

Application(popper) mis-behaving when using multiple LDAP servers  
 

One of the interesting bugs (4809808) I handled was related to
an application mis-behaving when multiple LDAP servers were used
in a Native LDAP client. NS_LDAP_SERVERS parameter in ldap client
profile indicates the list of LDAP servers used. Services has done
pretty good analysis and provided us with following information:

---x---
Customer is using the mailing application qpopper 4.0.4 (please see
http://www.eudora.com/qpopper) on a Solaris 9 system that has been
configured as a Native LDAP client.

This program performs some getpwnam() or getspnam() calls that fail,
when there has been defined more than one Directory Server (either by
IP-addresses or hostnames) in the parameter NS_LDAP_SERVERS
of /var/ldap/ldap_client_file. It works fine, when only one Directory Server
is defined in this parameter.

In case of failure, the following messages become logged to /var/adm/messages:

Jan 24 12:10:00 hostname /src/net/qpopper/qpopper4.0.4/popper/popper[3011]: [ID
293258 local0.error] libsldap: Status: 0  Mesg: Invalid server (10.10.10.10,) in
 NS_LDAP_SERVERS
Jan 24 12:10:00 hostname last message repeated 1 time
Jan 24 12:10:00 hostname /src/net/qpopper/qpopper4.0.4/popper/popper[3011]: [ID
293258 local0.error] libsldap: Status: 2  Mesg: Unable to load configuration '/v
ar/ldap/ldap_client_file' ('Invalid server (10.10.10.10,) in NS_LDAP_SERVERS').

As the message "Invalid server (10.10.10.10,)" shows, there is a comma at
the end of the string that contains the IP-address of the 1rst Directory Server.

Also in a truss can be seen when the function __s_val_serverList() is calling
__s_api_isipv4(), the function __s_api_isipv4() is examining a string in the
length of the IP-address plus the comma. This means the wrong string (incl.
the trailing comma) has already been handed over to __s_val_serverList()
when this function became called.

/etc/nsswitch.conf contains "files ldap" only for passwd and group. All the other
databases are defined for "files" only:
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:    files
----x---
 

I downloaded the qpopper application and was able to reproduce the problem
in-house. This made my life easier to troubleshoot the issue. Once I was able
to reproduce the problem, I built debug libsldap.so.1 binary which pointed out
to the parsing code in libsldap which builds list of servers. Scanning the
code, i didn't find anything wrong with that part of code. Then I used the dbx
debugger to further debug the issue. After a little bit of intro from the
dbx expert, Binu Jose philip, and excellent help feature that dbx provides,
I was able to use dbx very easily. I used the step tracing feature and checked
the threadlist when the wrong server address was passed from __s_val_serverList()
to the function it calls. I started popper in dbx and stopped at __s_api_isipv4().
The stack looks like:

(/ws/on81-tools/SUNWspro/SC6.1/bin/../WS6U1/bin/sparcv9/dbx) where
  [1] __s_api_isipv4(addr = 0x6d5a8 "129.158.233.109,"), line 1536 in
"ns_common.c"
=>[2] __s_val_serverList(i = NS_LDAP_FILE_VERSION_P, def = 0xff029b00, param =
0xffbfbf54, errbuf = 0xffbfaf90 ""), line 3496 in "ns_config.c"
  [3] __ns_ldap_setParamValue(ptr = 0x70560, type = NS_LDAP_SERVERS_P, data =
0xffbfc848, error = 0xffbfdcc8), line 2444 in "ns_config.c"
  [4] set_default_value(configptr = 0x70560, name = 0xffbfc838
"NS_LDAP_SERVERS", value = 0xffbfc848 "129.158.233.109, 129.158.233.128", error
= 0xffbfdcc8), line 1288 in "ns_config.c"
  [5] SetDoorInfo(buffer = 0x6de48 "NS_LDAP_FILE_VERSION=2.0", errorp =
0xffbfdcc8), line 3234 in "ns_config.c"
  [6] LoadCacheConfiguration(error = 0xffbfdcc8), line 3272 in "ns_config.c"
  [7] __s_api_loadrefresh_config(), line 1332 in "ns_config.c"
  [8] init_search_state_machine(), line 735 in "ns_reads.c"
  [9] __ns_ldap_list(service = 0xff066b7c "shadow", filter = 0xffbfdfc0
"(&(objectClass=shadowAccount)(uid=tempuser1))", init_filter_cb = 0xff053c10 =
&_merge_SSD_filter(), attribute = 0xff06710c, auth = (nil), flags = 0, rResult =
0x6dd5c, errorp = 0xffbfde4c, callback = (nil), userdata = 0xffbfdec0), line
2206 in "ns_reads.c"
  [10] _nss_ldap_lookup(be = 0x6dd40, argp = 0xffbfe1a0, database = 0xff066b7c
"shadow", searchfilter = 0xffbfdfc0
"(&(objectClass=shadowAccount)(uid=tempuser1))", domain = (nil), init_filter_cb
= 0xff053c10 = &_merge_SSD_filter(), userdata = 0xffbfdec0), line 108 in
"ldap_common.c"
  [11] getbynam(be = 0x6dd40, a = 0xffbfe1a0), line 240 in "getspent.c"
  [12] _nss_search(0x2, 0xff051f38, 0x6dce8, 0xffbfe1a0, 0x0, 0xff1bcf14), at
0xff149298
  [13] getspnam_r(0xffbfe7ec, 0x6d8b4, 0x6d8d8, 0x400, 0x0, 0x0), at 0xff196a90
  [14] auth_user(p = 0xffbfe7c4, pw = 0xffbff92c), line 627 in "pop_pass.c"
  [15] pop_pass(p = 0xffbfe7c4), line 1378 in "pop_pass.c"
  [16] qpopper(argc = 2, argv = 0xffbffc3c), line 334 in "popper.c"
  [17] motherforker(newsockfd = -1, sockfd = 5), line 945 in "main.c"
  [18] main(argc = 2, argv = 0xffbffc3c), line 619 in "main.c"
(/ws/on81-tools/SUNWspro/SC6.1/bin/../WS6U1/bin/sparcv9/dbx)

Please note that this is stack from a debug version of libsldap.so.1, and is
the reason for us to see the symbols getting resolved automatically. Once
I was here, i was able to suspect that something wrong is going on while
copying over NS_LDAP_SERVERS which made me check if popper application
has it's own version of strlcpy(). Running nm(1) on qpopper binary showed it's
version of strlcpy() which made me easy to write up the following evaluation

---x---

The application popper is defining strlcpy() which is behaving
differently(wrongly) from our strlcpy() which is the cause of
problem.

The strlcpy() from application(popper) is as shown below:

size_t
strlcpy ( char \*strdest, const char \*strsource, size_t bufsize )
{
    register char       \*dst = strdest;
    register const char \*src = strsource;
    register size_t      len = 0;

    /\*
     \* Copy characters as long as they fit
     \*/
    for ( len = bufsize; len > 0; len-- )
    {
        \*dst++ = \*src;
        if ( \*src++ == '\\0' )
            break;
    }

    /\*
     \* Add null if we stopped early
     \*/
    if ( len == 0 && bufsize != 0 )
    {
        \*dst = '\\0';
    }

    /\*
     \* We always return length of what we would have
     \* copied if the buffer were infinite.
     \*/
    while ( \*src != '\\0' )
        src++; /\* make sure we are at end of source string \*/
    return ( src - strsource );
}
 

Example showing the difference in behaviour:

strlcpy( dst, src, 16)

assume src ="129.158.233.109, 129.158.233.128"

with the above strlcpy() code, "129.158.233.109," is stored in
'dst' where as with our standard code, "129.158.233.109" is stored
in 'dst'. This is why we are seeing the problem only with
popper application.

Applications shouldn't re-define standard functions like strlcpy()
and in doing so we might see issues like this which would also
be hard to track down.

----x----

Once the strlcpy() function in the qpopper was renamed, things started
working fine. So, this bug taught me about how not to re-write standard
functions and also taught nice tracing features available in dbx. I hope
this is an interesting bug to share with OpenSolaris release.
 
 
Technorati Tag:
Technorati Tag:

Wednesday May 25, 2005

Bubba!


Bubba was bragging to his boss one day, "You know, I know everyone
there is to know. Just name someone, anyone, and I know him.

"Tired of his boasting, his boss called his bluff, "OK, Bubba how about
Tom Cruise?"
"Sure, yes, Tom and I are old friends, and I can prove it."
So Bubba and his boss fly out to Hollywood and knock on Tom Cruise's
door, and sure enough, Tom Cruise, shouts, "Bubba! Great to see you!
You and your friend come right in and join me for lunch!"

Although impressed, Bubba's boss is still sceptical.  After they leave
Cruise's house, he tells Bubba that he thinks Bubba's knowing Cruise
was just lucky.

"No, no, just name anyone else," Bubba says.
"President Clinton,"  his boss quickly retorts.
"Yes,"  Bubba says, "I know him, let's fly out to Washington."

And off they go. At the White House, Clinton spots Bubba on the tour
and motions him and his boss over, saying, "Bubba, what a surprise, I 
was
just on my way to a meeting, but you and your friend come on in and
let's have a cup of coffee first and catch up."

Well, the boss is very shaken by now, but still not  totally convinced.
After they leave the White house grounds, he expresses  his doubts to
Bubba,  who again implores him to name anyone else.
"The  Pope," his boss replies.
"Sure!" says Bubba.

"My folks are from Poland, and I've known the Pope along time." So off
they fly to Rome. Bubba and his boss are assembled with the masses in
Vatican Square when Bubba says, "This will never work. I can't catch
the Pope's eye among all these people.  Tell you what, I know all the
guards so let me just go upstairs and I'll come out on the balcony with
the Pope."

And he disappears into the crowd headed toward the Vatican. Sure 
enough, half an hour later Bubba emerges with the Pope on the balcony. 
But by the time Bubba returns, he finds that his boss has had a heart 
attack and is surrounded by paramedics.  Working his way to his boss' 
side, Bubba asks him, What happened?"  His boss looks up and says,  I 
was doing fine until you and the Pope came out on the balcony and the 
man next to me said, "Who's that on  the balcony with Bubba?" 

Sunday Feb 06, 2005

Bollywood Berkeley!


Bollywood Berkeley!

One of our friends is doing school at UCI and she invited us to
Bollywood berkely Hindi Film Dance competition yesterday night
which took place at Palace of Fine arts in San francisco. Bollywood
berkeley HFD is an intercollegiate South asian competition featuring
the style of dance portrayed in Hindi Films. The eight universities
that participated in this 4th annual competition are:

\* University of california, Berkeley
\* University of Southern California
\* University of California
\* Stanford University
\* University of California, Santa Barbara
\* University of California, San Diego
\* University of California, Los Angeles
\* University of California, Irvine


The show started around 7:30 pm with Stanford team performing first.
Berkeley and USC teams were the best performers with Berkeley notching
the top prize and USC bagging the second place. The other highlight
of the whole show was master of ceremonies done by Harvin Sethi and
Pari Mathur. They did an excellent job and entertained the crowd
a lot. An evening well spent - 3 cheers to MC's and all the participants! 

Monday Oct 18, 2004

Cachefs


I have been working on a 
CacheFS  issue recently as one of the customers
escalated the issue. I initially thought it's a simple Off-by-one
error which is a common programming mistake, but it turned out to be 
simple arithmetic problem. As I picked up the cachefs issue after 
long time,  went back to refer documentation from docs.sun.com to 
setup cachefs and i was able to do it in pretty quick time. A good 
job done by the doc writers, appreciated.

OTOH, I was wondering in what all places does customers use Cachefs
and how they use it in their environments. If you use cachefs, I would
be happy to listen to your experience and see if there are any areas
for improvement. Either add comments to this post or drop me a
mail to my sun email-id (rajagopal dot andra at sun dot com).

Thursday Oct 14, 2004

Driving and the choice you have!


I was driving along with a colleague from Mountain view to
Sunnyvale on our way to Toysrus today evening. The driver
in the left lane cut us sharply and entered our lane. Then 
he breaked as the car infront of that one cut this guy and 
took a right turn! I had to slow down significantly to avoid
the accident! Then we discussed about the choices we had:

 1. Honk and shout at the other guy and inadvertently feel
    bad.
 2. Take it easy, laugh at him and move on! Make your day!
  
No guesses on what option I picked. :-)

I believe in the world of choices and similarly Sun is trying
aggressively to make this happen in IT world. Sun strives hard
to maintain open standards and also provides customers a choice
on what they can choose. 

Cricket!

Australia is touring India and second test is currently in action. Till lunch time, Austalian openers did a very good job and run rate was more then 4. Then Indian bowlers strike backed :-) Especially Kumble was pretty impressive taking 7 wickets. Now the onus is on Indian batsmen to execute and put up a big score! Details can be found at Wisden CricInfo site.

Monday Oct 11, 2004

Shopping at Gilroy!


Couple of our colleagues from India are here and we went around to do 
some shopping at Gilroy. We started off in Fremont after lunch at
Shalimar restaurant around 1:30 pm. Gilroy was around 1 hr drive
(around 12 miles on I880 and 40 miles on 101). One friend wanted
to buy shoes, so we went around almost all the shoe shops there
like Nike, Adidas, Reebok and couple of others. Adidas shoes were
good, but expensive. Reebok shoes were the ones which we liked
and with the offer they had, they were coming around for 30 bucks.

While we were there, we did some other shopping at van huesen
and window-shopping at other stores. The Bose showroom was
impressive and audio headphones were pretty effective - cost
was little bit high though. Philips 50" Plasma TV was good 
- don't ask the price :-) 

One shocking thing that happened during the trip was that when
we were driving on 101 to Gilroy, we suddenly saw one car going 
at more then 110 mph and was doing cuts and disappeared in couple
of seconds. It was like watching a video game... Not sure what 
exactly that driver was trying to achieve by going at that speed...

Thursday Jul 29, 2004

Features of NFSv4

As mentioned by Adam , one of the cool new features added in Solaris is the next version of NFS - NFSv4. NFSv4 is based on RFC 3530. There are lot of new features in NFSv4:

    \* Unsharing and Resharing a File System 
    \* Volatile File Handles
    \* Delegation
    \* Client-Side Failover
    \* Recovery

For a complete list and details, pl. see here.

Monday Jul 19, 2004

Intro


I am an engineer in Solaris Sustaining and Engineering group working on
NFS & Naming products. Our group supports following products on all
supported versions of Solaris[TM].

   \* NFS 
   \* lofs 
   \* cachefs 
   \* autofs 
   \* RPC 
   \* Native LDAP client 
   \* NIS+ 
   \* NIS 
   \* DNS 
   \* Sendmail 
   \* Kerberos (SEAM) 


I joined Sun Microsystems in Mar, 2000 after completing my Masters at 
Indian Institute of Technology, Mumbai and since then have worked on 
most of the above products except DNS & Sendmail. I am also SEED [1]
member and am mentored by Alec Muffet.

My interests include 

   \* listening music 
   \* watching movies(English, Hindi & Telugu) 
   \* Reading & learning new stuff
   \* trekking
   \* and playing/watching sports. 

I listen to Hindi and Telugu songs, watch most of the movies (HBO was 
my favourite channel) and play games like Chess, Ping Pong/Table Tennis, 
Volley ball, Carroms and watch Cricket, Tennis, Football/Soccer.

---


[1] http://www.sun.com/corp_emp/zone/special.html
About

raja

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today
Solaris Sustaining team
Misc
Documentation
Solaris Development team