20 Replies. Latest reply on Jul 27, 2018 8:54 PM by DougL-Oracle
      • 15. Re: Solaris 11.4 beta autofs maps from ldap no longer functioning.
        DougL-Oracle

        First, thanks for all the help tracking down this issue.

        The root cause is a regression in the behavior of automount lookups in LDAP between 11.3 and 11.4.

        I have logged CR: 27578660 - LDAP objectclass/attribute mappings for automount behavior regression

        The root of the problem is that in Solaris 11.3 the automount code uses the service name "automount" for objectclass
        and attribute mappings when creating LDAP searches for LDAP automount entries.

        Such as:
        NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
        NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap

        Whereas currently in 11.4 beta, the newer code (that caches) is using the container name,
        such as "auto_home", and not "automount" for mappings. So this is what it expects:

        NS_LDAP_ATTRIBUTEMAP= auto_home:automountMapName=nisMapName
        NS_LDAP_OBJECTCLASSMAP= auto_home:automountMap=nisMap

        The code needs to be fixed to preserve the 11.3 behavior, and potentially also allow
        specific container mappings.

        While we fix this, the workaround for 11.4 beta is to
        temporarily add additional mappings of the form:
        auto_home:automountMapName=nisMapName
        auto_home:automountMap=nisMap

        If you are using LDAP automount entries but do not define specific objectclass/attribute mappings, the automount will work as expected.
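The workaround in reply 15 means every "automount:" objectclass/attribute mapping has to be duplicated once per automount container (auto_home, auto_direct, ...), which is exactly what makes the ldapclient invocation in reply 17 so long. The script below is an added example, not code from the thread or from Oracle: it takes the 11.3-style NS_LDAP_ATTRIBUTEMAP / NS_LDAP_OBJECTCLASSMAP lines (as `ldapclient list` prints them) and emits the equivalent per-container `-a attributeMap=...` / `-a objectclassMap=...` arguments. The configuration lines embedded in it are constructed sample input, and the container list is an assumption you replace with the containers actually named in your serviceSearchDescriptor settings.

```shell
#!/bin/sh
# Added example (not from the thread): expand 11.3-style "automount:" mappings
# into the per-container mappings that the 11.4 beta automount code expects.

# Constructed sample of `ldapclient list` output. The passwd line is there to
# show that mappings for other services are left alone.
SAMPLE_CONFIG='NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= automount:automount=nisObject
NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount:automountInformation=nisMapEntry
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=description'

# expand_mappings CONFIG "container container ..."
# For every automount mapping in CONFIG, print one ldapclient argument per
# container, keeping the "attr=ldapattr" part of the mapping unchanged.
expand_mappings() {
    config=$1
    containers=$2
    printf '%s\n' "$config" | while IFS= read -r line; do
        case $line in
            NS_LDAP_ATTRIBUTEMAP=*automount:*)   kind=attributeMap ;;
            NS_LDAP_OBJECTCLASSMAP=*automount:*) kind=objectclassMap ;;
            *) continue ;;   # not an automount mapping
        esac
        # Drop the key and the "automount:" service prefix.
        mapping=${line#*automount:}
        for c in $containers; do
            printf -- '-a %s=%s:%s\n' "$kind" "$c" "$mapping"
        done
    done
}

# Usage: the container names are an assumption; list the ones your
# serviceSearchDescriptor entries actually define.
expand_mappings "$SAMPLE_CONFIG" "auto_home auto_direct auto_local"
```

The printed lines can be appended to an existing `ldapclient manual ...` command; once the CR is fixed the per-container copies become redundant and can be removed again.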


        • 16. Re: Solaris 11.4 beta autofs maps from ldap no longer functioning.
          Andris Perkons-Oracle

          I must be doing something differently. I just installed S11.4 beta, ran my "ldapclient" script to connect to an OpenLDAP server running in an S11.3 zone and at first glance everything looks OK. automounts/auto_home etc. just work.

          Andris

          • 17. Re: Solaris 11.4 beta autofs maps from ldap no longer functioning.
            Andrew Watkins

            You are NOT doing anything wrong since at the end of the last note it said: "If you are using LDAP automount entries, but do not define specific objectclass/attribute mappings the automount will work as expected." which I guess is your setup.

            For example, I connect to AD, so my ldapclient command is a mess! Now it looks like:

            # ldapclient manual \
                -a credentialLevel=proxy \
                -a authenticationMethod=simple \
                -a proxyDN=cn=srv_ldapproxy,cn=Users,dc=dcs,dc=example,dc=com \
                -a proxyPassword=XXXXXXXXXX \
                -a defaultSearchBase=dc=dcs,dc=example,dc=com \
                -a domainName=DomainName \
                -a followReferrals=false \
                -a "defaultServerList=ad1.example.com ad2.example.com" \
                -a attributeMap=group:userpassword=userPassword \
                -a attributeMap=group:memberuid=memberUid \
                -a attributeMap=group:gidnumber=gidNumber \
                -a attributeMap=passwd:gecos=description \
                -a attributeMap=passwd:gidnumber=gidNumber \
                -a attributeMap=passwd:uidnumber=uidNumber \
                -a attributeMap=passwd:homedirectory=unixHomeDirectory \
                -a attributeMap=passwd:loginshell=loginShell \
                -a attributeMap=shadow:shadowflag=shadowFlag \
                -a attributeMap=shadow:userpassword=userPassword \
                -a objectClassMap=group:posixGroup=group \
                -a objectClassMap=passwd:posixAccount=user \
                -a objectClassMap=shadow:shadowAccount=user \
                -a serviceSearchDescriptor=passwd:dc=dcs,dc=example,dc=com?sub \
                -a serviceSearchDescriptor=group:dc=dcs,dc=example,dc=com?sub \
                -a serviceSearchDescriptor=auto_local:cn=auto.local,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=example,dc=com \
                -a serviceSearchDescriptor=auto_direct:cn=auto.direct,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=example,dc=com \
                -a serviceSearchDescriptor=auto_home:cn=auto.home,cn=dcs,cn=DefaultMigrationContainer30,dc=dcs,dc=example,dc=com \
                -a objectclassMap=automount:automountMap=nisMap \
                -a objectclassMap=automount:automount=nisObject \
                -a attributeMap=automount:automountMapName=nisMapName \
                -a attributeMap=automount:automountKey=cn \
                -a attributeMap=automount:automountInformation=nisMapEntry \
                -a objectclassMap=auto_home:automount=nisObject \
                -a attributeMap=auto_home:automountMapName=nisMapName \
                -a attributeMap=auto_home:automountKey=cn \
                -a attributeMap=auto_home:automountInformation=nisMapEntry \
                -a objectclassMap=auto_local:automount=nisObject \
                -a attributeMap=auto_local:automountMapName=nisMapName \
                -a attributeMap=auto_local:automountKey=cn \
                -a attributeMap=auto_local:automountInformation=nisMapEntry \
                -a attributeMap=auto_local:automountMap=nisMap \
                -a objectclassMap=auto_direct:automount=nisObject \
                -a attributeMap=auto_direct:automountMapName=nisMapName \
                -a attributeMap=auto_direct:automountKey=cn \
                -a attributeMap=auto_direct:automountInformation=nisMapEntry \
                -a attributeMap=auto_direct:automountMap=nisMap

            • 18. Re: Solaris 11.4 beta autofs maps from ldap no longer functioning.
              3208603

              Seems this is working now on the second refresh. Thanks.

              Sorry for not opening a new thread for this, but I couldn't find the button to do so; I'm guessing the board is locked.

              However, we are encountering an issue when it comes to doing 'getent passwd', where it hangs if done with any user besides root.

              I can see this going on at /var/ldap/cachemgr.log when doing 'getent passwd' or 'ldaplist passwd':

              /var/ldap/cachemgr.log

              Thu Jul 19 16:04:47.8934    Warning: Unauthorized Access attempt pid: 2690 (/usr/bin/ldaplist) euid: 101
              Thu Jul 19 16:08:01.3982    Warning: Unauthorized Access attempt pid: 2705 (/usr/bin/getent) euid: 101

              'ldaplist passwd' output:

              ldaplist: LDAP error (LDAP ERROR (50): Error occurred during receiving results. Insufficient access.)

              We think this is related to RBAC, but we haven't figured out how to fix it or why it's happening.

              [root@hostname]$ auths

              solaris.*

              [root@hostname]$ auths username

              solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read

              We created another user called 'test' to assign some extra permissions to it:

              [root@hostname:/etc/security/exec_attr.d]$ auths test

              solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.smf.manage.name-service.ldap.server,solaris.smf.read.name-service.ldap.server,solaris.smf.value.name-service.ldap.server

              output of /etc/security/auth_attr

              test::::auths=solaris.smf.read.name-service.ldap.server,solaris.smf.value.name-service.ldap.server,solaris.smf.manage.name-service.ldap.server;profiles=test;type=normal

              Any insight will be appreciated.

              Regards.

              • 19. Re: Solaris 11.4 beta autofs maps from ldap no longer functioning.
                3208603

                Other weird behavior is that I'm able to look up users directly using ldaplist when they are inside a netgroup defined inside /etc/passwd, but not able to look up the netgroup or see all the users enabled to log in with getent passwd.

                • 20. Re: Solaris 11.4 beta autofs maps from ldap no longer functioning.
                  DougL-Oracle

                  A long-standing security bug has been fixed in 11.4. The LDAP bind credentials are no longer given to unauthorized users. In order to get access to those bind credentials, the user must have this RBAC authorization: solaris.smf.value.name-service.ldap.client

                  In 11.4 all name service lookups are handled by nscd, so if the name-service.cache is enabled (as it should always be) then all normal operations such as getent will work as expected. In the case of ldaplist, since ldaplist does not use naming services for lookups, but contacts LDAP directly, it will only function as far as the system and LDAP configuration will allow without LDAP credentials, unless the user executing the command has the proper authorization.

                  Example: if the LDAP servers are set up to allow a bind without credentials, then ldaplist will be able to do partial lookups within the ACL restrictions of the LDAP servers. If connections cannot be made without a bind, then ldaplist will not be able to retrieve any data without the proper authorization.

                  nscd runs with the proper authorization and can look up data. If nscd is disabled, then things like getent would have issues.
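The "Unauthorized Access attempt" warnings quoted in reply 18 are, per reply 20, ldap_cachemgr refusing to hand the LDAP bind credentials to a process whose user lacks solaris.smf.value.name-service.ldap.client. On a shared host those lines are worth summarising rather than reading one by one, both to see which users are tripping over the 11.4 change and to notice a tool that should be going through nscd but is binding directly. The script below is an added example, not code from the thread or from Oracle: it reduces /var/ldap/cachemgr.log to one line per (euid, command) pair with a count. The log lines embedded in it are constructed in the format shown in reply 18 (the "Info:" line is made up only to show that non-warning lines are skipped), and the log path is the one the thread names.

```shell
#!/bin/sh
# Added example (not from the thread): summarise ldap_cachemgr's
# "Unauthorized Access attempt" warnings by effective uid and command.

# Constructed sample log, in the format of the /var/ldap/cachemgr.log lines
# quoted in the thread. The "Info:" line is invented filler.
SAMPLE_LOG='Thu Jul 19 16:04:47.8934    Warning: Unauthorized Access attempt pid: 2690 (/usr/bin/ldaplist) euid: 101
Thu Jul 19 16:08:01.3982    Warning: Unauthorized Access attempt pid: 2705 (/usr/bin/getent) euid: 101
Thu Jul 19 16:09:12.0001    Warning: Unauthorized Access attempt pid: 2710 (/usr/bin/ldaplist) euid: 102
Thu Jul 19 16:10:00.1234    Info: unrelated message (constructed)
Thu Jul 19 16:11:45.5555    Warning: Unauthorized Access attempt pid: 2731 (/usr/bin/ldaplist) euid: 101'

# unauthorized_attempts LOGTEXT
# Prints "euid command count", one line per distinct (euid, command) pair,
# sorted, for every "Unauthorized Access attempt" warning in LOGTEXT.
unauthorized_attempts() {
    printf '%s\n' "$1" | awk '
        /Warning: Unauthorized Access attempt/ {
            cmd = ""; euid = ""
            # The command is the field in parentheses; the euid follows "euid:".
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\(/) { cmd = $i; sub(/^\(/, "", cmd); sub(/\)$/, "", cmd) }
                if ($i == "euid:") euid = $(i + 1)
            }
            count[euid " " cmd]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Usage on the sample; on a real host read the file instead:
#   unauthorized_attempts "$(cat /var/ldap/cachemgr.log)"
unauthorized_attempts "$SAMPLE_LOG"
```

A euid that keeps appearing with /usr/bin/getent is the case reply 20 says should not happen when the name-service/cache service is enabled, so that row points at nscd rather than at the user's authorizations; rows for /usr/bin/ldaplist are the expected result of an unauthorized user contacting LDAP directly.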
