This document starts with an installed Solaris 10 server and covers the installation of a Whole-Root Zone, custom configuration for the zone, the
installation of sudo and some other nice-to-haves.
If you want Windows authentication, you might want to download pGina from http://pgina.sourceforge.net
Go to http://www.sun.com/download, scroll down to the heading Identity Management and click on Directory Server. Click on Directory Server 5
2005Q4 (5.2 P4) -> Click on download -> Sign In with your Sun access account -> Accept License Agreement -> download.
Place all of the software in the /zones/pub directory (except for pGina, of course).
Within the directory which will be holding the zones, create a directory called ldapserver1. In this example, I will assume that the mount point is
/zones/ldapserver1. Also, create a directory to share between the global and whole-root zone. Typically I make the /zones directory a mount to a SAN
or something other than mounted off the root (/). I utilize /zones/pub as a common storage area for patches and software.
# mkdir /zones/ldapserver1
# mkdir /zones/pub
Prepare a zone creation script called ldapserver1.zone. I typically keep this file in the directory of the zone being created (/zones/ldapserver1).
Note what your physical network interface is beforehand by issuing the following command:
root@sol10globalzone# ifconfig -a
# vi /zones/ldapserver1/ldapserver1.zone
create -b
set zonepath=/zones/ldapserver1
set autoboot=true
# share /zones/pub from the global zone as /pub inside the zone (loopback mount)
add fs
set dir=/pub
set special=/zones/pub
set type=lofs
end
# only add if CDROM exists
add fs
set dir=/cdrom
set special=/cdrom
set type=lofs
end
add net
set address=192.168.1.XXX
# whatever your physical interface is (from the ifconfig -a output above)
set physical=pcn0
end
You must have the zone configured to resolve its name through /etc/hosts or through a DNS server. Fix this first; if not using DNS, then put an entry
into your /etc/hosts that looks like this:
# vi /etc/hosts
127.0.0.1 localhost loghost
192.168.1.XXX ldapserver1.domain.com ldapserver1
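The zone file and hosts entry above, wrapped in a small helper script. This is an added example and is not part of the original guide: it assumes the zone name, zonepath, address, interface and shared directory are passed as arguments, and that the generated file is applied with zonecfg and the zone installed and booted with zoneadm.

```shell
#!/bin/sh
# Added helper, not from the original guide: check the prerequisites the guide
# lists (the zone name resolves through /etc/hosts, the address is a real IPv4
# and not the 192.168.1.XXX placeholder), write the zonecfg command file and
# apply it. Zone name, zonepath, address, NIC and shared dir are assumptions
# passed as arguments; zonecfg/zoneadm are the standard Solaris 10 tools.

# hosts_has_entry FILE NAME -> 0 if NAME appears as a hostname or alias in FILE
hosts_has_entry() {
    grep -v '^#' "$1" | awk -v h="$2" '
        { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# valid_ipv4 ADDR -> 0 for four dotted decimal octets, 1 otherwise
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# gen_zonecfg ZONEPATH ADDR NIC SHAREDDIR -> prints the zonecfg command file
gen_zonecfg() {
    cat <<EOF
create -b
set zonepath=$1
set autoboot=true
add fs
set dir=/pub
set special=$4
set type=lofs
end
add net
set address=$2
set physical=$3
end
EOF
}

# build_zone ZONE ZONEPATH ADDR NIC SHAREDDIR HOSTSFILE -> configure, install, boot
build_zone() {
    hosts_has_entry "$6" "$1" || { echo "$1 is not in $6; fix name resolution first" >&2; return 1; }
    valid_ipv4 "$3" || { echo "$3 is not a usable address" >&2; return 1; }
    mkdir -p "$2" "$5" && chmod 700 "$2" || return 1   # zoneadm refuses a zonepath that is not mode 700
    gen_zonecfg "$2" "$3" "$4" "$5" > "$2/$1.zone"
    zonecfg -z "$1" -f "$2/$1.zone" && zoneadm -z "$1" install && zoneadm -z "$1" boot
}
```

Run it from the global zone as root, e.g. build_zone ldapserver1 /zones/ldapserver1 192.168.1.50 pcn0 /zones/pub /etc/hosts, after the hosts entry has been added.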
1. # zlogin ldapserver1 (log in to the zone from the global zone)
6. SUDO Setup
# gunzip /pub/sudo-1.6.8p9-sol10-sparc-local.gz
# pkgadd -d /pub/sudo-1.6.8p9-sol10-sparc-local
--> select 1 --> y --> y (add local admin user accounts afterwards by issuing the
visudo command)
# groupadd -g 101 ldap
# mkdir /var/Sun
# useradd -g 101 -u 101 -c "ldap privsep" -d /var/Sun/mps -m -s /bin/bash ldap
# passwd ldap --> Password#1
# usermod -K defaultpriv=basic,net_privaddr ldap
The net_privaddr privilege lets the unprivileged ldap user bind the directory server to the privileged port 389 without running it as root.
Fully Qualified Computer Name [ldapserver1.domain.com] Enter -> Enter -> Enter -> Enter -> Enter -> System User: ldap -> System Group: ldap ->
Enter -> Enter -> Enter -> Enter -> Enter ->
admin Enter -> Password (twice) = Password#1 -> Enter -> Enter -> Password#1 -> Enter -> Enter -> watch progress bar ...
#!/bin/sh
# start/restart/stop both the directory server instance and the admin server
case "$1" in
start)
    /var/Sun/mps/slapd-ldapserver1/start-slapd
    /var/Sun/mps/start-admin
    ;;
restart)
    /var/Sun/mps/slapd-ldapserver1/restart-slapd
    /var/Sun/mps/restart-admin
    ;;
stop)
    /var/Sun/mps/slapd-ldapserver1/stop-slapd
    /var/Sun/mps/stop-admin
    ;;
*)
    echo "Usage: $0 { start | restart | stop }"
    exit 1
    ;;
esac
exit 0
9. Configuration of IDS
# cd /usr/lib/ldap
# ./idsconfig -> y
hostname to setup: ldapserver1 -> Enter -> Enter -> passwd = Password#1 -> Enter ->
Enter -> Enter -> Enter -> Enter -> Enter -> Credential level = 2 -> Authentication Methods = 2 -> another Auth Method = n -> Enter -> Enter ->
crypt format = y -> Enter -> Enter -> Enter -> Enter -> Enter -> Enter -> Enter -> passwd for proxyagent = differentpasswd (twice) -> committing
changes = y
10. Launching LDAP GUI and adding users (from SunRay or other Sun box)
# ssh -X username@ldapserver1.domain.com
# sudo mkdir /export/home/ ; chown /export/home/
# sudo /var/Sun/mps/startconsole & (is your local user in the sudoers file?)
-> Login using admin and Password#1
-> Open ldapserver1.domain.com
-> Open Server Group
-> Click on Directory Server and click on the Open button; this launches a new window.
-> Click on the Directory Tab and Open dc=domain,dc=com
-> Open the last user created -> click on Posix User and note the UID
-> Right Click on People and select New -> User (opens a new window)
-> Fill in all of the blanks, using first initial plus last name as the username.
-> Click on Posix user in the left sidebar menu
-> Click on Enable Posix User Attributes and enter the information. Gecos is optional information; usually I put the whole user's name there, like the comment
field when doing useradd. -> Click the OK button.
-> Right Click on the new user's name -> Edit with Generic Editor -> Click on the gray area called Object class and then click on the Add Value button on the
right.
-> Within the open window, select shadowaccount and click the OK button -> and OK again to close the user window.
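The console steps above produce an inetOrgPerson entry with posixAccount attributes and the shadowAccount object class. The script below builds the same entry as LDIF so users can be added without the GUI; it is an added example, not part of the original guide, and assumes the dc=domain,dc=com base, the ou=People container and the first-initial-plus-lastname naming rule from the steps above.

```shell
#!/bin/sh
# Added example, not from the original guide: generate the LDIF equivalent of
# the console steps (inetOrgPerson + posixAccount + shadowAccount).
# Assumed: base dc=domain,dc=com, container ou=People, home under /home as in
# the automount section; UID/GID numbers are passed in by the caller.

# make_uid "FIRST LAST" -> first initial plus last name, lowercased (jsmith)
make_uid() {
    first=${1%% *}; last=${1##* }
    printf '%s%s' "$(printf %.1s "$first")" "$last" | tr 'A-Z' 'a-z'
}

# next_uid LASTUID -> uidNumber for the new user (the guide says to note the last one)
next_uid() { echo $(($1 + 1)); }

# user_ldif UID UIDNUMBER GIDNUMBER "FIRST LAST" -> prints the LDIF entry
user_ldif() {
    cat <<EOF
dn: uid=$1,ou=People,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $4
sn: ${4##* }
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
gecos: $4
EOF
}

# Example: write the LDIF for "John Smith" after a last-noted UID of 1001.
# Load it with the directory's ldapadd/ldapmodify tool as the admin user.
user_ldif "$(make_uid 'John Smith')" "$(next_uid 1001)" 100 'John Smith' > /tmp/jsmith.ldif
```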
Log in to the native LDAP (Lightweight Directory Access Protocol) client
and perform the following steps.
uid=ldapuser,ou=people,o=domain.com
homedirectory=/home/ldapuser
7. Log in as a user and automount will mount the user's home directory.