
[nssldap] nss_ldap under Solaris 10

We are trying to integrate Solaris 10 into an existing openLDAP based
system currently used by our Linux servers. We use nss_ldap for Linux
(obviously) which has worked very well for us.

I thought I'd try to get the native client working under Solaris just for
support purposes (even though I didn't like it upon first sight), but have
run into two showstopper problems.

First, there is no way to use TLS encryption for the client unless you are
also authenticating to the LDAP server.

It seems to me these two options should not be intertwined and serve
different purposes. The only reason to authenticate to the LDAP server is
if the naming services information required is not publicly readable.
However, you should *always* use TLS to verify the authenticity of the LDAP
server and prevent a malicious man in the middle from spoofing your
directory and feeding you invalid information. We are not going to deal
with the management overhead of creating/maintaining service accounts for
every Solaris server on campus that wishes to avail of central naming
services, that is ridiculous. However, it is unacceptable to run the client
in a mode that does not verify the server.

Second, our LDAP group implementation is based on rfc2307bis, and uses
groupOfNames/member to store group information, not posixGroup/memberUid.
nss_ldap supports this perfectly, and in general I think it's a better
approach. The Solaris client does not support this, and hence is unable to
determine group memberships.

So, at this point I decided to try and rip out the native client and
install nss_ldap. Reviewing the documentation for the current version, the
ANNOUNCE file only mentions Solaris 2.4-9. The README file indicates it has
been built under Solaris 10 though.

I was able to compile it successfully with the Sun bundled gcc using the
Sun LDAP libraries, and some initial testing with plaintext looks
promising. I haven't gotten TLS working yet, as the Sun libraries require
annoying cert8.db and key3.db files rather than simple plain text PEM
certificate files.

Are there any caveats or potential problems with running nss_ldap under
Solaris 10? I found some problem reports via Google but it wasn't clear
whether those were actual issues or simply local configuration mistakes.
Any commentary would be much appreciated...

I apologize if this has been recently discussed, I tried to search the
archives at http://www.netsys.com/nssldap/, but that server seems
unresponsive.

Thanks...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
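The two problems in the post above, as an added example that is not part of the original message or of nss_ldap's own code: a resolver that understands RFC 2307bis groups (groupOfNames, membership stored as DNs in `member`) finds members that an RFC 2307-only resolver (posixGroup, membership stored as login names in `memberUid`) reports as empty, which is the symptom described for the native Solaris client; and a small lint for an nss_ldap-style ldap.conf that flags TLS enabled without server verification and a bind password sent over an unencrypted session. All directory entries and configuration text are constructed for illustration, and the option names used by the lint (`ssl`, `tls_checkpeer`, `binddn`, `bindpw`, `nss_schema`) are assumed to match nss_ldap's sample ldap.conf.

```python
"""Added example (not from the original post or from nss_ldap): group
resolution under RFC 2307 vs RFC 2307bis, plus a lint for TLS/bind settings.
Every entry and config line below is constructed; nothing contacts a server."""

# Constructed user entries, keyed by DN.
USERS = {
    "uid=alice,ou=people,dc=example,dc=edu": {"uid": "alice", "uidNumber": 1001},
    "uid=bob,ou=people,dc=example,dc=edu": {"uid": "bob", "uidNumber": 1002},
}

# Constructed group entries, one in each schema style.
GROUPS = {
    "staff": {  # RFC 2307: posixGroup, members listed by login name
        "objectClass": ["posixGroup"],
        "gidNumber": 2001,
        "memberUid": ["alice", "bob"],
    },
    "admins": {  # RFC 2307bis: groupOfNames, members listed by DN
        "objectClass": ["posixGroup", "groupOfNames"],
        "gidNumber": 2002,
        "member": [
            "uid=Alice,ou=People,dc=example,dc=edu",   # case differs from USERS
            "uid=carol,ou=people,dc=example,dc=edu",   # dangling DN: no such user
        ],
    },
}


def _normalize_dn(dn):
    """Case- and whitespace-insensitive DN comparison (enough for this toy)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def members_rfc2307(group):
    """RFC 2307 resolver: memberUid already holds login names, nothing to map."""
    return list(group.get("memberUid", []))


def members_rfc2307bis(group, users):
    """RFC 2307bis resolver: member holds DNs, so each DN must be mapped to
    the uid of the user entry it names; DNs that resolve to nothing are
    skipped rather than reported as members."""
    by_dn = {_normalize_dn(dn): entry for dn, entry in users.items()}
    names = []
    for dn in group.get("member", []):
        entry = by_dn.get(_normalize_dn(dn))
        if entry is not None:
            names.append(entry["uid"])
    return names


def getgrnam(name, schema, groups=GROUPS, users=USERS):
    """Return (gidNumber, [members]) the way a getgrnam() lookup would, or
    None if the group is unknown.  schema is "rfc2307" or "rfc2307bis",
    mirroring nss_ldap's nss_schema option (assumed name)."""
    group = groups.get(name)
    if group is None:
        return None
    if schema == "rfc2307bis":
        members = members_rfc2307bis(group, users)
    else:
        members = members_rfc2307(group)
    return group["gidNumber"], members


def lint_ldap_conf(text):
    """Flag the two combinations the post objects to in an nss_ldap-style
    ldap.conf: TLS enabled without verifying the server certificate, and a
    bind password configured while ssl is off.  Option names (ssl,
    tls_checkpeer, binddn, bindpw) are assumed from nss_ldap's sample file."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts[key.lower()] = value.strip().lower()
    findings = []
    ssl = opts.get("ssl", "off")
    if ssl != "off" and opts.get("tls_checkpeer") != "yes":
        findings.append("TLS enabled but server certificate not verified (tls_checkpeer)")
    if "bindpw" in opts and ssl == "off":
        findings.append("bindpw configured but ssl is off: credentials sent in cleartext")
    return findings


if __name__ == "__main__":
    for schema in ("rfc2307", "rfc2307bis"):
        print(schema, "staff  ->", getgrnam("staff", schema))
        print(schema, "admins ->", getgrnam("admins", schema))
    print(lint_ldap_conf("uri ldap://ldap.example.edu\nssl start_tls\n"))
```

Run as-is, the RFC 2307-only resolver returns an empty member list for `admins` (it never looks at `member`), while the RFC 2307bis resolver returns `alice` and drops the dangling `carol` DN. The lint shows that `ssl start_tls` alone leaves the server unverified; adding `tls_checkpeer yes` (and a `tls_cacertfile`) is what closes that gap, independently of whether a bind DN is configured.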