Solaris 10 Directory Server Installation

Posted November 8, 2006 by mcdsco in Solaris

This Tech-Recipe details an installation of Directory Server 5.2 p4 from Sun Microsystems into a Solaris 10 whole-root zone. Good Directory Server installation instructions are VERY difficult to find. This tutorial also covers configuring systems as local LDAP clients and using the directory server to store automount maps for automatically mounting user home directories.


Sun Directory Server Installation for Solaris 10

This tutorial starts with an installed Solaris 10 server and covers the installation of a Whole-Root Zone, the custom configuration for the zone, and the installation of sudo.

This document was created by Scott McDuff, CISSP SCSA MCSE+I TCA. Comments or questions can be sent to [email protected]. I am a freelance consultant with 20 years of consistent humbling.

We will begin by downloading all of the necessary files.
To do this, go to http://www.sunfreeware.com and download the latest sudo package for Solaris 10 (pick the package for your architecture, SPARC or x86). It is a third-party binary that will be installed as root, so verify the download against the checksum published on the site before using it.

If you want Windows authentication, you might want to download pGina from http://pgina.sourceforge.net.

Go to http://www.sun.com/download. Go under the heading Identity Management, and click on Directory Server. Click on Directory Server 5 2005Q4 (5.2 P4). Click download, and sign in with your Sun access account. Accept the License Agreement and download.

Place all of the software in the /zones/pub directory (except for pGina, of course).

Create a zone

Within the directory that will hold the zones, create a directory called ldapserver1. In this example, I will assume that the mount point is /zones/ldapserver1. Also create a directory to share between the global zone and the whole-root zone. Typically I make /zones a separate file system (a SAN LUN or similar) rather than part of the root (/) file system, and I use /zones/pub as a common storage area for patches and software.

# mkdir /zones/ldapserver1
# mkdir /zones/pub

Prepare a zone creation script called ldapserver1.zone. I typically keep this file in the directory of the zone being created (/zones/ldapserver1). Note the name of your physical network interface beforehand by issuing the following command in the global zone:

# ifconfig -a

# vi /zones/ldapserver1/ldapserver1.zone
create -b
set zonepath=/zones/ldapserver1
set autoboot=true
add fs
set dir=/pub
set special=/zones/pub
set type=lofs
end
# only add if a CD-ROM drive exists
add fs
set dir=/cdrom
set special=/cdrom
set type=lofs
end
# physical= is whatever your physical interface is (from ifconfig -a)
add net
set address=192.168.1.XXX
set physical=pcn0
end

Install the zone
# cd /zones/ldapserver1
# zonecfg -z ldapserver1 -f ldapserver1.zone
# chmod 700 /zones/ldapserver1 --> zoneadm install requires the zonepath to be mode 700
# zonecfg -z ldapserver1 info
# zonecfg -z ldapserver1 verify
# zoneadm -z ldapserver1 install
# zoneadm list -icv
# zoneadm -z ldapserver1 ready
# zoneadm -z ldapserver1 boot
# zlogin -C ldapserver1 --> answer the system identification questions on the console, ensure it works, then disconnect with ~. ...

The zone must be able to resolve its own hostname, either through /etc/hosts or through a DNS server. If you are not using DNS, fix this first by putting an entry into the zone's /etc/hosts that looks like this:

# vi /etc/hosts
127.0.0.1 localhost loghost
192.168.1.XXX ldapserver1.domain.com ldapserver1

Reboot or restart network service …

Let's configure ldapserver1

1. zlogin ldapserver1 (from the global zone; zlogin takes the zone name directly)

2. vi /etc/passwd --> change root's shell from /sbin/sh to /bin/bash (optional). /sbin/sh is statically linked and works even when /usr is unavailable, which is why it is root's default; if you do switch, use usermod -s /bin/bash root rather than editing /etc/passwd by hand.

3. vi .profile in root's home directory (/ by default on Solaris 10, /root if you relocated it) and add a custom prompt and path
export PS1="\033[32;2m\u@\h \e[31;2m\t\n \e[30;0m\w $ "
PATH=$PATH:/usr/local/bin:/usr/local/sbin
export PATH
:wq then su - to see the changes

4. vi /etc/hosts and add all of the machines
# cat /net//jumpstart/config/hosts >> /etc/hosts

5. vi /etc/resolv.conf and change server to

6. SUDO Setup
# gunzip /pub/sudo-1.6.8p9-sol10-sparc-local.gz
# pkgadd -d /pub/sudo-1.6.8p9-sol10-sparc-local
--> select 1 --> y --> y (add local admin user accounts with the visudo command rather than editing the sudoers file directly)
Now create the unprivileged account the directory server will run as:
# groupadd -g 101 ldap
# mkdir /var/Sun
# useradd -g 101 -u 101 -c "ldap privsep" -d /var/Sun/mps -m -s /bin/bash ldap
# passwd ldap --> Password#1
# usermod -K defaultpriv=basic,net_privaddr ldap
The last command gives the ldap user the net_privaddr privilege on top of the basic set, which is what lets slapd bind to the privileged ports 389 and 636 without running as root. Password#1 is reused throughout this recipe for readability only; in practice give the ldap system account, the admin user and Directory Manager different passwords.

7. Installation of the Directory Server (iPlanet, later Sun ONE, Directory Server 5.2)
# cd /pub
# gunzip ds* ; tar xvf ds*
# ./setup --> Enter --> Enter --> Enter --> yes

Fully Qualified Computer Name [ldapserver1.domain.com] Enter --> Enter --> Enter --> Enter --> Enter --> System User: ldap --> System Group: ldap --> Enter --> Enter --> Enter --> Enter --> Enter -->

admin Enter --> Password (twice) = Password#1 --> Enter --> Enter --> Password#1 --> Enter --> Enter --> watch progress bar ...

Enter to end installation. The System User and System Group answers (ldap) make slapd run as the unprivileged account created in step 6; it can bind to port 389 only because of the net_privaddr privilege granted there.

8. Add the following startup script (a legacy rc script; on Solaris 10 it shows up in svcs as a legacy_run service):
# vi /etc/init.d/dscontrol
#!/sbin/sh
#
# Copyright (c) 2001 by Sun Microsystems, Inc
# All rights reserved.
#
#ident "@(#)slapd and admin 5.2p4 09/29/06"
#
# Start/stop the Directory Server instance and the Administration Server.
# Paths are the ones the installer created for this zone; adjust if needed.

SROOT=/var/Sun/mps
INSTANCE=$SROOT/slapd-ldapserver1

if [ ! -x $INSTANCE/start-slapd ]; then
	echo "$0: $INSTANCE/start-slapd not found or not executable" >&2
	exit 1
fi

case "$1" in
start)
	$INSTANCE/start-slapd
	$SROOT/start-admin
	;;

restart)
	$INSTANCE/restart-slapd
	$SROOT/restart-admin
	;;

stop)
	# stop the admin server first; its configuration lives in the directory
	$SROOT/stop-admin
	$INSTANCE/stop-slapd
	;;
*)
	echo "Usage: $0 { start | restart | stop }"
	exit 1
	;;
esac
exit 0

# chmod 755 /etc/init.d/dscontrol
# ln -s /etc/init.d/dscontrol /etc/rc3.d/S90dscontrol
# ln -s /etc/init.d/dscontrol /etc/rc1.d/K90dscontrol
# ln -s /etc/init.d/dscontrol /etc/rc0.d/K90dscontrol --> so the directory is stopped cleanly at shutdown

9. Configuration of the directory for Solaris native LDAP clients (idsconfig)
# cd /usr/lib/ldap
# ./idsconfig --> y
hostname to setup: ldapserver1 --> Enter --> Enter --> passwd (Directory Manager) = Password#1 --> Enter -->
Enter --> Enter --> Enter --> Enter --> Enter --> Credential level = 2 (proxy) --> Authentication Methods = 2 (simple) --> another Auth Method = n --> Enter --> Enter --> crypt format = y --> Enter --> Enter --> Enter --> Enter --> Enter --> Enter --> Enter --> passwd for proxyagent = differentpasswd (twice) --> committing changes = y

Two of these answers deserve thought. Credential level 2 (proxy) with authentication method 2 (simple) means every client binds as cn=proxyagent and sends that password over the network in clear text; outside an isolated management network pick one of the tls: methods instead. Answering yes to crypt format makes idsconfig add an ACI that lets proxyagent read userPassword, so the proxyagent password effectively guards every password hash in the directory and must not be a throwaway value.

Log out of the zone.

10. Launching LDAP GUI and adding users (from SunRay or other Sun box)
# ssh -X <user>@<host>
# sudo mkdir /export/home/ ; chown /export/home/
# sudo /var/Sun/mps/startconsole & (is your local user in the sudoers file?)
--> Login using admin and Password#1
--> Open ldapserver1.domain.com
--> Open Server Group
--> Click on Directory Server and click on the Open button, this will launch a new window.
--> Click on the Directory Tab and Open dc=domain,dc=com
--> Open the last user created --> click on Posix User and note the UID
--> Right Click on People and select New --> User (opens a new window)
--> Fill in all of the fields; the username convention here is first initial followed by last name.
--> Click on Posix User in the left sidebar menu
--> Click on Enable Posix User Attributes and enter the information. Gecos is optional; I usually put the user's full name there, like the comment field of useradd. Give the user the next free UID (the one noted above plus one) so it does not collide with an existing account. --> Click the OK button.
--> Right Click on new user's name --> Edit with Generic Editor --> Click on gray area called Object class and then click on the Add Value button on the Right.
--> Within the open window, select shadowaccount and click the OK button --> and OK again to close the user window.

11. Initiating a Solaris 10 server as an LDAP Client
# Ensure that the LDAP client can resolve the LDAP server's name (through /etc/hosts or DNS, never through LDAP itself)
# ssh <user>@<client>
# su -
# ldapclient init -a profileName=default \
-a domainName=domain.com \
-a proxyDN=cn=proxyagent,ou=profile,dc=domain,dc=com \
-a proxyPassword=differentpasswd \
-a defaultServerList=192.168.1.XXX (should report "System successfully configured")
The proxy password given on the command line is visible in ps output and ends up in the shell history; ldapclient stores it, obfuscated, in /var/ldap/ldap_client_cred, which must stay readable by root only. ldapclient init also replaces /etc/nsswitch.conf with a copy of /etc/nsswitch.ldap, which lists ldap for hosts and ipnodes; that has to be undone, because the client cannot look up the directory server's address through the directory.
# vi /etc/nsswitch.conf --> should look like this (hosts: files dns if you use DNS) ...

passwd: files ldap
group: files ldap
hosts: files
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files ldap
automount: files ldap
aliases: files ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
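To catch the nsswitch.conf mistakes that matter most on an LDAP client, here is an added check, written for this edit and not part of the original tutorial. It assumes only a POSIX sh and awk; the rules it applies are the ones discussed above (no ldap on the hosts or ipnodes lines, local files first for passwd and group, ldap present on the automount line). The sample file it checks is constructed inline to resemble the /etc/nsswitch.ldap template that ldapclient init copies into place; the function name check_nsswitch is my own.

```sh
#!/bin/sh
# check_nsswitch FILE: print one line per problem found in an nsswitch.conf
# and return non-zero if there was any. Rules:
#   1. hosts/ipnodes must not use ldap (the client needs name resolution
#      to reach the directory in the first place);
#   2. passwd/group must consult local files before ldap, so root can
#      still log in when the directory is unreachable;
#   3. automount must list ldap, or the maps stored in the directory are
#      never consulted.
check_nsswitch() {
    awk '
        { sub(/#.*/, "") }                     # strip comments
        /^[ \t]*$/ { next }                     # skip blank lines
        {
            n = index($0, ":"); if (n == 0) next
            db = substr($0, 1, n - 1); gsub(/[ \t]/, "", db)
            cnt = split(substr($0, n + 1), tok, "[ \t]+")
            first[db] = ""; srcs[db] = " "
            for (i = 1; i <= cnt; i++) {
                if (tok[i] == "") continue
                if (first[db] == "") first[db] = tok[i]
                srcs[db] = srcs[db] tok[i] " "   # " files ldap " for easy matching
            }
        }
        END {
            bad = 0
            if (srcs["hosts"] ~ / ldap /) {
                print "hosts: ldap listed as a source (circular lookup)"; bad = 1 }
            if (srcs["ipnodes"] ~ / ldap /) {
                print "ipnodes: ldap listed as a source (circular lookup)"; bad = 1 }
            if (("passwd" in first) && first["passwd"] != "files") {
                print "passwd: local files must be the first source"; bad = 1 }
            if (("group" in first) && first["group"] != "files") {
                print "group: local files must be the first source"; bad = 1 }
            if (srcs["automount"] !~ / ldap /) {
                print "automount: ldap missing; maps in the directory will be ignored"; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample resembling the nsswitch.ldap template (not a file from
# the tutorial): this is roughly what ldapclient init leaves behind.
sample=$(mktemp /tmp/nsswitch.XXXXXX)
cat > "$sample" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
automount:  files ldap
EOF
if check_nsswitch "$sample"; then
    echo "$sample: no problems found"
else
    echo "$sample: fix the lines above before relying on LDAP logins"
fi
rm -f "$sample"
```

Run it against the real file with check_nsswitch /etc/nsswitch.conf right after ldapclient init and again after editing; the hosts and ipnodes findings are the ones that lock you out of the directory, the passwd/group one is what locks you out of root when the directory is down.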

Autohome Installation within LDAP
Log in to the native LDAP client configured in step 11 and perform the following steps.

1.Create an auto_master file:
# vi /tmp/auto_master

# Master map for automounter
/home auto_home -nobrowse

2. Add it to the LDAP database (the Directory Manager password is given on the command line here; ldapaddent also accepts -j passwdfile to read it from a root-only file instead):
# /usr/sbin/ldapaddent -D "cn=directory manager" -w dirmanager -f /tmp/auto_master auto_master
1 entries added

3. Create an auto_home file
# vi /tmp/auto_home
# Home directory map for automounter
* nfsserver:/nfs/home/&

4. Add it to the LDAP database:
# /usr/sbin/ldapaddent -D "cn=directory manager" -w dirmanager -f /tmp/auto_home auto_home
1 entries added

The automount maps will be stored as below in the directory server (under the base dc=domain,dc=com used throughout this recipe):

# ldaplist -l auto_master
dn: automountKey=/home,automountMapName=auto_master,dc=domain,dc=com
objectClass: automount
objectClass: top
automountKey: /home
automountInformation: auto_home -nobrowse

# ldaplist -l auto_home
dn: automountKey=*,automountMapName=auto_home,dc=domain,dc=com
objectClass: automount
objectClass: top
automountKey: *
automountInformation: nfsserver:/nfs/home/&

5. Restart the automount daemon so it picks up the new maps (autofs is an SMF service on Solaris 10)
# svcadm restart svc:/system/filesystem/autofs

6. Create the user in the directory server (step 10) with a home directory under /home, and verify it from the client:
# /usr/bin/ldapsearch -h ldapserver1 -b "dc=domain,dc=com" uid=ldapuser homedirectory

uid=ldapuser,ou=people,dc=domain,dc=com
homedirectory=/home/ldapuser

7. Log in as that user; automount mounts nfsserver:/nfs/home/ldapuser on /home/ldapuser.
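As an added example (not from the original tutorial), the following renders an automounter map file into the LDIF form the directory stores, the same layout ldaplist -l prints above, so a map can be reviewed or diffed before it is loaded. It assumes the base DN dc=domain,dc=com used in this recipe and the two map files from steps 1 and 3, constructed here inline; the function name automap_to_ldif is my own. Keys containing DN-special characters (comma, plus, double quote, backslash, angle brackets, semicolon) are not escaped.

```sh
#!/bin/sh
# automap_to_ldif MAPNAME FILE BASEDN: write the automountMap container entry
# for MAPNAME, then one automount entry per non-comment line of FILE, in the
# schema Solaris native LDAP clients expect (objectClass automountMap /
# automount, attributes automountMapName, automountKey, automountInformation).
automap_to_ldif() {
    map=$1; file=$2; base=$3
    # container entry: automountMapName=<map>,<base>
    printf 'dn: automountMapName=%s,%s\n' "$map" "$base"
    printf 'objectClass: top\nobjectClass: automountMap\n'
    printf 'automountMapName: %s\n\n' "$map"
    awk -v map="$map" -v base="$base" '
        /^[ \t]*#/ { next }        # comment line
        NF == 0    { next }        # blank line
        {
            key = $1
            # everything after the key is the mount information; a map line
            # may carry options and a location separated by blanks
            info = $2
            for (i = 3; i <= NF; i++) info = info " " $i
            printf "dn: automountKey=%s,automountMapName=%s,%s\n", key, map, base
            print  "objectClass: top"
            print  "objectClass: automount"
            printf "automountKey: %s\n", key
            printf "automountInformation: %s\n\n", info
        }' "$file"
}

# Constructed map files matching the ones created in steps 1 and 3.
master=$(mktemp /tmp/auto_master.XXXXXX)
home=$(mktemp /tmp/auto_home.XXXXXX)
printf '# Master map for automounter\n/home auto_home -nobrowse\n' > "$master"
printf '# Home directory map for automounter\n* nfsserver:/nfs/home/&\n' > "$home"
automap_to_ldif auto_master "$master" "dc=domain,dc=com"
automap_to_ldif auto_home   "$home"   "dc=domain,dc=com"
rm -f "$master" "$home"
```

The first entry of each map is the container that ldapaddent creates implicitly; the per-key entries are what ldaplist -l shows. Keeping the map files under version control and generating LDIF from them gives you something to compare against the live directory when a home directory stops mounting.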
