Solaris 8
Preliminary
The SUN versions of cc and make seem to cause endless issues when compiling open source code. You will need to use gcc and GNU make.
These can be downloaded from http://www.sunfreeware.com/.
First, remove the LDAP package that comes with Solaris 8. This will only confuse the issue.
root@ldap> pkgrm SUNWlldap
If it is not already installed you will need patch 112438. This will create /dev/random and /dev/urandom which are necessary for random number generation.
If this patch or something similar is not installed you will have problems with the Pseudo Random Number Generator (PRNG). When you try to make a TLS connection, you will get errors such as "PRNG not seeded".
root@ldap > unzip 112438-01.zip
root@ldap > patchadd 112438-01
OpenSSL
Download the latest version of openssl (0.9.7a) from http://www.openssl.org/.
Then install it. (I was not able to get the complete LDAP software to compile using ./Configure solaris-sparcv9-gcc shared):
root@ldap > gunzip openssl-0.9.7a.tar.gz
root@ldap > tar -xvf openssl-0.9.7a.tar
root@ldap > cd openssl-0.9.7a
root@ldap > ./Configure solaris-sparcv9-gcc
root@ldap > make
root@ldap > make test
root@ldap > make install
If you have any problems and need to make again ensure that you run make clean.
If OpenSSL compiles but you have problems further down the track with OpenLDAP and decide to change the OpenSSL configuration, remove the installation directory (/usr/local/ssl). This may save you a good deal of grief!
OpenLDAP
Some environment variables may need to be set. These will vary according to where you installed OpenSSL:
root@ldap > export LDFLAGS CPPFLAGS
root@ldap > unset LD_LIBRARY_PATH
root@ldap > LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib"
root@ldap > LDFLAGS="$LDFLAGS -R/usr/local/ssl/lib:/usr/local/lib"
root@ldap > CPPFLAGS="-I/usr/local/ssl/include -I/usr/local/include"
Download the latest stable source code (2.1.12) from http://www.openldap.org/.
In this case we do not want the OpenLDAP server (slapd) installed, so we need to explicitly disable it.
root@ldap > gunzip openldap-2.1.12.tgz
root@ldap > tar -xvf openldap-2.1.12.tar
root@ldap > cd openldap-2.1.12
root@ldap > ./configure --with-tls --disable-slapd
root@ldap > make depend
root@ldap > make
root@ldap > make install
Finally, remember to install the CA certificate that you created and edit the ldap.conf file to match your configuration.
You should now have a working LDAP client. You could test it with ldapsearch. For example:
root@ldap > ldapsearch -LLL -x -H ldaps://ldap.your.site.com -b dc=your,dc=site,dc=com "uid=l.r*" dn
One issue I found when installing OpenLDAP related to PATH. The configure step found SUN's cc and then gave up:
checking for gcc... (cached) cc
checking whether the C compiler (cc ) works... no
configure: error: installation or configuration problem: C compiler cannot create executables.
I had to remove /usr/ucb/ out of the path:
root@ldap > echo $PATH
/usr/bin:/etc:/usr/bin:/usr/sbin:/usr/local/bin:/usr/ucb:/usr/openwin/bin:/opt/local/bin:/opt/local/sbin:/usr/dt/bin:/usr/ccs/bin
root@ldap > PATH=/usr/bin:/etc:/usr/bin:/usr/sbin:/usr/local/bin:/usr/openwin/bin:/opt/local/bin:/opt/local/sbin:/usr/dt/bin:/usr/ccs/bin
root@ldap > export PATH
root@ldap > echo $PATH
/usr/bin:/etc:/usr/bin:/usr/sbin:/usr/local/bin:/usr/openwin/bin:/opt/local/bin:/opt/local/sbin:/usr/dt/bin:/usr/ccs/bin
PAM_LDAP
Download the latest source code (1.6.1) from http://www.padl.com/
root@ldap > gunzip pam_ldap.tgz
root@ldap > tar -xvf pam_ldap.tar
root@ldap > cd pam_ldap-161
root@ldap > ./configure
root@ldap > export LD_LIBRARY_PATH
root@ldap > LD_LIBRARY_PATH=/usr/local/lib
root@ldap > make
root@ldap > make install
Don't forget to ensure that pam_ldap's link dependencies are satisfied after installation (you can verify this by doing ldd /usr/lib/security/pam_ldap.so.1). You must ensure that any libraries that it depends on (such as the LDAP client library) can be located by the dynamic linker. Otherwise, libpam may fail to load the pam_ldap module.
If /usr/local/lib was not in LD_LIBRARY_PATH, I got the error below. (Alternately you may need to find liblber.so and put its path in LD_LIBRARY_PATH):
root@ldap > make
gcc -DHAVE_CONFIG_H -I/usr/local/ssl/include -I/usr/local/include -DLDAP_REFERRALS -D_REENTRANT -g -O2 -Wall -fPIC -c -o pam_ldap.o pam_ldap.c
/usr/ccs/bin/ld -o pam_ldap.so -B dynamic -M ./exports.solaris -G -B group -lc pam_ldap.o md5.o -lldap -llber -lnsl -lcrypt -lresolv -lpam -ldl
ld: fatal: library -llber: not found
ld: fatal: File processing errors. No output written to pam_ldap.so
make: *** [pam_ldap.so] Error 1
Note: Eventually I found I needed to create two symbolic links, /usr/lib/liblber.so.2 -> /usr/local/lib/liblber.so.2 and /usr/lib/libldap.so.2 -> /usr/local/lib/libldap.so.2, otherwise the system just could not find the libraries on startup. Maybe I did not follow the installation instructions correctly.
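The following script is an added example and is not part of the original page. It automates two of the checks described above: that /dev/random and /dev/urandom exist as character devices (the patch 112438 requirement, without which OpenSSL reports "PRNG not seeded"), and that ldd reports no unresolved libraries for the installed pam_ldap module, which is the failure behind the liblber error shown above. The function names and the sample ldd text are my own; the sample is constructed, not captured from a real system, so the parsing can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the original page: post-install sanity checks for the
# Solaris 8 LDAP client build described above. Function names are hypothetical.

# Verify that each argument is a character device. With no arguments it checks
# /dev/random and /dev/urandom, which patch 112438 creates; without them OpenSSL
# cannot seed its PRNG and TLS connections fail with "PRNG not seeded".
check_char_devices() {
    [ $# -eq 0 ] && set -- /dev/random /dev/urandom
    for dev in "$@"; do
        if [ ! -c "$dev" ]; then
            echo "missing character device: $dev (install patch 112438)" >&2
            return 1
        fi
    done
    return 0
}

# Read ldd output on stdin and print each library the runtime linker could not
# resolve. Exit status is 1 if any were unresolved, 0 otherwise. Solaris ldd
# prints "liblber.so.2 =>  (file not found)"; GNU ldd prints
# "liblber.so.2 => not found"; the pattern below matches both forms.
unresolved_libs() {
    awk '/not found/ { print $1; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Run ldd on a shared object (default: the pam_ldap module installed above) and
# report unresolved libraries. Returns 2 if the file does not exist, 1 if ldd
# shows unresolved libraries, 0 if all dependencies resolve.
check_module_deps() {
    mod="${1:-/usr/lib/security/pam_ldap.so.1}"
    if [ ! -f "$mod" ]; then
        echo "no such file: $mod" >&2
        return 2
    fi
    ldd "$mod" 2>&1 | unresolved_libs
}

# Constructed ldd output (not captured from a real system): the liblber failure
# from the pam_ldap build above, and a healthy counterpart.
SAMPLE_LDD_BAD='libldap.so.2 =>  /usr/local/lib/libldap.so.2
liblber.so.2 =>  (file not found)
libc.so.1 =>  /usr/lib/libc.so.1'
SAMPLE_LDD_OK='libldap.so.2 =>  /usr/local/lib/libldap.so.2
liblber.so.2 =>  /usr/local/lib/liblber.so.2
libc.so.1 =>  /usr/lib/libc.so.1'

# Typical use on the Solaris box (commented out so the file can be sourced):
#   check_char_devices && check_module_deps /usr/lib/security/pam_ldap.so.1
# To exercise the parser anywhere:
#   printf '%s\n' "$SAMPLE_LDD_BAD" | unresolved_libs   (prints liblber.so.2, exit 1)
```

Run check_char_devices and check_module_deps on the Solaris machine after make install; a non-zero exit from check_module_deps means the dynamic linker will fail to load pam_ldap in exactly the way the note above describes, and the printed library name tells you which path (or symbolic link) is still missing.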
/etc/pam.conf
I'm still working through this but the following seems to work in general.
I have tried to keep this as simple as possible. I will only add a specific reference to a service if I find that it requires different treatment.
# PAM configuration
#
# Authentication management
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
#
# Account management
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account sufficient /usr/lib/security/$ISA/pam_unix.so.1
other account required /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
#
# Session management
#
other session sufficient /usr/lib/security/$ISA/pam_unix.so.1
other session optional /usr/lib/security/$ISA/pam_ldap.so.1 use_first_pass
#
# Password management
#
other password sufficient /usr/lib/security/$ISA/pam_ldap.so.1
other password required /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
NSS_LDAP
Download the latest source code (2.0.3) from http://www.padl.com/
root@ldap > gunzip nss_ldap.tgz
root@ldap > tar -xvf nss_ldap.tar
root@ldap > cd nss_ldap-203
root@ldap > ./configure
root@ldap > make
root@ldap > make install
NOTE: The new version (197) allowed successful compilation under Solaris 9. There was one minor glitch in make install:
make[1]: Entering directory `/usr/local/src/padl/nss_ldap-197'
./install-sh -c -o root -g root nss_ldap.so /lib/nss_ldap.so.1
make[1]: execvp: ./install-sh: Permission denied
make[1]: *** [install-exec-local] Error 127
make[1]: Leaving directory `/usr/local/src/padl/nss_ldap-197'
make: *** [install-am] Error 2
This was easily fixed via chmod +x install-sh but that needs to be corrected in the package. I haven't yet tested since I am having problems compiling pam_ldap. I will report that separately. --Jim Harle
- This was still the case for nss_ldap-203
Now /etc/nsswitch.conf needs to be edited. This is the file that tells the computer to use LDAP.
nsswitch.conf
I haven't really given this much thought but this seems to work:
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf;
#
passwd: files ldap
passwd_compat: ldap
shadow: files ldap
group: files
hosts: files dns
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files
auth_attr: files
prof_attr: files
project: files
SSH
SSH from http://www.ssh.com/ is available under a non-commercial license to academic institutions.
Download the latest source code (3.2.2) from http://www.ssh.com/
root@ldap > gunzip ssh-3.2.2.tar.gz
root@ldap > tar -xvf ssh-3.2.2.tar
root@ldap > cd ssh-3.2.2
root@ldap > ./configure --enable-pam
root@ldap > make
root@ldap > make install