Authenticating a Solaris box against Open Directory

I've spent a few days looking for a guide on this. The sites I found were last touched in 2004 and gave no answers.

I have an Open Directory server running on a Mac OS X 10.8 machine.

I want my Solaris box to authenticate users against this OD server.

So far I've found that Solaris ships with a script called "ldapclient". This script takes a series of options to set up the connection. However, the various sites I've visited all suggest that other add-ons are needed (gecos, Kerberos, etc.). I haven't found any thorough documentation on this, and I'm wondering whether Solaris can authenticate against OD at all.

Has anyone tried this? Any successful attempts?

What I've tried is running

ldapclient -v manual \
-a credentialLevel=anonymous \
-a defaultSearchBase=dc=<server-hostname>,dc=example,dc=com \
-a serviceSearchDescriptor=passwd:cn=users,dc=<server-hostname>,dc=example,dc=com \
-a attributeMap=passwd:gecos=cn \
-a serviceSearchDescriptor=group:cn=groups,dc=<server-hostname>,dc=example,dc=com \
-a serviceAuthenticationMethod=pam_ldap:simple <server-hostname>

The -v flag is for verbosity. From what I can tell, the machine sets a bunch of options with the network shut down, and when it tries to bring the network back up it fails and rolls back.

Without the gecos line, I get

Parsing credentialLevel=anonymous
Parsing defaultSearchBase=dc=<server-hostname>,dc=example,dc=com
Parsing serviceSearchDescriptor=passwd:cn=users,dc=<server-hostname>,dc=example,dc=com
Arguments parsed:
        defaultSearchBase: dc=<server-hostname>,dc=example,dc=com
        credentialLevel: anonymous
        serviceSearchDescriptor: 
                arg[0]: passwd:cn=users,dc=<server-hostname>,dc=example,dc=com
Handling manual option
Manual failed: Missing required defaultServerList or preferredServerList attribute.

With the lines shown above, I get

Parsing credentialLevel=anonymous
Parsing defaultSearchBase=dc=<server-hostname>,dc=example,dc=com
Parsing serviceSearchDescriptor=passwd:cn=users,dc=<server-hostname>,dc=example,dc=com
Parsing attributeMap=passwd:gecos=cn
Parsing serviceSearchDescriptor=group:cn=groups,dc=<server-hostname>,dc=example,dc=com
Parsing serviceAuthenticationMethod=pam_ldap:simple
Arguments parsed:
        serviceAuthenticationMethod: 
                arg[0]: pam_ldap:simple
        defaultSearchBase: dc=<server-hostname>,dc=example,dc=com
        credentialLevel: anonymous
        attributeMap: 
                arg[0]: passwd:gecos=cn
        serviceSearchDescriptor: 
                arg[0]: passwd:cn=users,dc=<server-hostname>,dc=example,dc=com
                arg[1]: group:cn=groups,dc=<server-hostname>,dc=example,dc=com
        defaultServerList: <server-hostname>
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Credential level: 0
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "<server-hostname>.example.com"
file_backup: stat(/var/yp/binding/<server-hostname>.example.com)=-1
file_backup: No /var/yp/binding/<server-hostname>.example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname <server-hostname>.example.com... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: sleep 17700000 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: sleep 6400000 microseconds
stop: sleep 12800000 microseconds
stop: sleep 25600000 microseconds
stop: sleep 8900000 microseconds
stop: network/ldap/client:default... timed out
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: sleep 6400000 microseconds
stop: sleep 12800000 microseconds
stop: sleep 25600000 microseconds
stop: sleep 8900000 microseconds
stop: network/ldap/client:default... timed out
Stopping ldap failed with (7)
Error (1) while stopping services during reset
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "<server-hostname>.example.com"
recover: stat(/var/ldap/restore/ldap_client_file)=0
recover: file_move(/var/ldap/restore/ldap_client_file, /var/ldap/ldap_client_file)=0
recover: stat(/var/ldap/restore/ldap_client_cred)=0
recover: file_move(/var/ldap/restore/ldap_client_cred, /var/ldap/ldap_client_cred)=0
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/<server-hostname>.example.com)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname <server-hostname>.example.com... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success

I've replaced the actual domain with .example.com. There is nothing wrong with the server, since every other platform authenticates against it fine.

The output isn't consistent, since it differs each time the service fails, but after a reboot the output I get is always like this

Answer 1

Well, I can't offer any insight into the mechanics of all this, but I seem to have solved the problem.

All that needs to change is to use the IP address at the end instead of the server hostname, like this

ldapclient -v manual \
-a credentialLevel=anonymous \
-a defaultSearchBase=dc=<server-hostname>,dc=example,dc=com \
-a serviceSearchDescriptor=passwd:cn=users,dc=<server-hostname>,dc=example,dc=com \
-a attributeMap=passwd:gecos=cn \
-a serviceSearchDescriptor=group:cn=groups,dc=<server-hostname>,dc=example,dc=com \
-a serviceAuthenticationMethod=pam_ldap:simple xxx.xxx.xxx.xxx

Now it works fine :)
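Because `ldapclient manual` rewrites /etc/nsswitch.conf and restarts the name-service milestone before it knows whether the server is reachable, it is worth checking the argument list offline first. The script below is an added example for this thread, not code from the original poster or from Solaris. It parses the two commands from the question and the answer (with `odserver` standing in for `<server-hostname>` and the assumed address 192.0.2.10 standing in for xxx.xxx.xxx.xxx) and flags the three things the thread turns on: the "Missing required defaultServerList or preferredServerList" error, a server given by hostname rather than as an IP literal, and `pam_ldap:simple` without the `tls:` prefix, which sends each user's bind password in cleartext over port 389. The hostname check reflects the most likely reason the hostname form timed out above: the LDAP client has to reach the directory before name services are back, so a server name that cannot be resolved from /etc/hosts leaves the start hanging. The attribute names and the `tls:simple` method form are real ldapclient syntax; the parser and checks are this example's own.

```python
"""Offline sanity check for an `ldapclient manual` argument list.

Added example for this Q&A thread, not code from the original post or
from Solaris. It encodes the checks the thread turns on: ldapclient
refuses to run without defaultServerList/preferredServerList, the server
should be an IP literal rather than a hostname, and a *:simple method
without tls: sends the bind password in cleartext.
"""
import ipaddress
import shlex

SERVER_LIST_ATTRS = ("defaultServerList", "preferredServerList")

# Constructed from the commands in the question (hostname form) and the
# answer (IP form). "odserver" and 192.0.2.10 are placeholders/assumptions.
CMD_HOSTNAME = r"""ldapclient -v manual \
-a credentialLevel=anonymous \
-a defaultSearchBase=dc=odserver,dc=example,dc=com \
-a serviceSearchDescriptor=passwd:cn=users,dc=odserver,dc=example,dc=com \
-a attributeMap=passwd:gecos=cn \
-a serviceSearchDescriptor=group:cn=groups,dc=odserver,dc=example,dc=com \
-a serviceAuthenticationMethod=pam_ldap:simple odserver"""
CMD_IP = CMD_HOSTNAME.replace("pam_ldap:simple odserver", "pam_ldap:simple 192.0.2.10")


def parse_command(cmd):
    """Map each -a attrName to its list of values (some attributes, such as
    serviceSearchDescriptor, legitimately repeat) and fold the trailing
    positional server words into defaultServerList, as ldapclient does."""
    words = shlex.split(cmd.replace("\\\n", " "))   # join shell line continuations
    if words and words[0].endswith("ldapclient"):
        words = words[1:]
    attrs, positional = {}, []
    i = 0
    while i < len(words):
        if words[i] == "-a" and i + 1 < len(words):
            name, _, value = words[i + 1].partition("=")   # value may itself contain '='
            attrs.setdefault(name, []).append(value)
            i += 2
        elif words[i].startswith("-") or words[i] == "manual":
            i += 1          # -v / -q flags and the subcommand carry no value
        else:
            positional.append(words[i])
            i += 1
    if positional:
        attrs.setdefault("defaultServerList", []).append(" ".join(positional))
    return attrs


def is_ip_literal(entry):
    """True if a server-list entry (optionally IPv4 host:port) is an address, not a name."""
    host = entry
    if entry.count(":") == 1:           # IPv4 with :port; IPv6 literals have more colons
        host = entry.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint(attrs):
    """Return a list of findings for the parsed arguments; empty means nothing to fix."""
    findings = []
    if not any(k in attrs for k in SERVER_LIST_ATTRS):
        # the first error shown in the question
        findings.append("Missing required defaultServerList or preferredServerList attribute")
    for key in SERVER_LIST_ATTRS:
        for value in attrs.get(key, []):
            for entry in value.replace(",", " ").split():
                if not is_ip_literal(entry):
                    # likely cause of the start timeout in the question: the client must
                    # reach the directory before name services are back up
                    findings.append(
                        f"{key} entry {entry!r} is a hostname; the LDAP client needs the "
                        "server before name services are up, so use an IP literal")
    methods = attrs.get("authenticationMethod", []) + attrs.get("serviceAuthenticationMethod", [])
    for method in methods:
        # forms: "simple", "tls:simple", "pam_ldap:simple", "pam_ldap:tls:simple", ...
        parts = method.split(":")
        if "simple" in parts and "tls" not in parts:
            findings.append(
                f"{method!r} sends the bind password in cleartext on port 389; "
                "use the tls:simple form so the bind is wrapped in TLS")
    return findings


if __name__ == "__main__":
    for label, cmd in (("hostname form", CMD_HOSTNAME), ("IP form", CMD_IP)):
        print(f"== {label}")
        for finding in lint(parse_command(cmd)) or ["no findings"]:
            print("  -", finding)
```

Run it with `python3 lint_ldapclient.py`: the hostname form reports both the hostname entry and the cleartext bind, the IP form only the cleartext bind. The script inspects the argument list only and never touches nsswitch.conf or the LDAP client service.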