[indiana-discuss] Indiana & RBAC LDAP Schema Q
Jason J. W. Williams
jasonjwwilliams at gmail.com
Mon Mar 10 12:57:43 PDT 2008
Hi Y'all,
Thank you for all of your pointers. After banging at it for a while, I
seem to have a working solution (this assumes you already have
configured OpenLDAP to work with the Solaris LDAP client):
1.) Update the solaris.schema to this version:
http://www.bolthole.com/solaris/new.solaris.schema
2.) Add SolarisAttrKeyValue as an attribute to the user entries who
need root access.
3.) Set the value of SolarisAttrKeyValue to:
profiles=Primary Administrator;roles=root
Hope this is helpful to someone else.
Best Regards,
Jason
On Mon, Mar 10, 2008 at 1:13 PM, Dave Miner <dminer at opensolaris.org> wrote:
>
> Jason J. W. Williams wrote:
> > Hi All,
> >
> > Has anyone gotten Indiana LDAP authentication working against an
> > OpenLDAP server? We have a setup that is currently working with all of
> > our SXCE boxes, but the required RBAC profile enforcement on Indiana
> > allows our users to log in to an Indiana system but not pfexec to root
> > permissions or su. Under Linux we have a sudo attribute we set, but
> > I'm having a heck of a time figuring out which attribute to set to
> > assign a Solaris profile in LDAP. Any help is greatly appreciated.
> >
>
> Well, the RBAC configuration is not required, it's just the default.
> You can configure Indiana the same as you have on SXCE, just remove the
> "type=role;" token from the root entry in /etc/user_attr and remove any
> "roles=root" tokens from other users in that file.
>
> I don't have any background on setting up RBAC with LDAP, but the system
> administrator's guide on docs.sun.com implies that there are several
> schemas related to RBAC that need to be loaded into LDAP. You might
> have better luck asking the question over in the security community.
>
> Dave
>
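
An added example, not part of the original thread: once root access is granted through SolarisAttrKeyValue as in the steps above, a directory export can be audited for every entry that carries roles=root or the Primary Administrator profile. It assumes an LDIF export of the user entries and the user_attr-style `key=value;key=value` syntax with comma-separated lists; the DNs, the sample data and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (hypothetical DNs); bob's value is folded, carol's is base64.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
SolarisAttrKeyValue: profiles=Primary Administrator;roles=root

dn: uid=bob,ou=people,dc=example,dc=com
SolarisAttrKeyValue: profiles=Basic Sola
 ris User

dn: uid=carol,ou=people,dc=example,dc=com
solarisattrkeyvalue:: cm9sZXM9cm9vdA==
"""

# Grants from the post that amount to root access.
WATCH = (("roles", "root"), ("profiles", "Primary Administrator"))

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}), handling folded lines and base64 values."""
    unfolded = text.replace("\n ", "")  # LDIF continuation is newline + one space
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def parse_keyvalue(value):
    """Split 'k=v1,v2;k2=v' into {key: [values]}."""
    out = {}
    for token in filter(None, (t.strip() for t in value.split(";"))):
        key, _, vals = token.partition("=")
        out[key.strip()] = [v.strip() for v in vals.split(",") if v.strip()]
    return out

def root_equivalent(ldif_text):
    """Return {dn: [matched grants]} for entries that grant root-level access."""
    hits = {}
    for dn, attrs in parse_ldif(ldif_text):
        for raw in attrs.get("solarisattrkeyvalue", []):
            kv = parse_keyvalue(raw)
            reasons = [f"{k}={want}" for k, want in WATCH if want in kv.get(k, [])]
            if reasons:
                hits.setdefault(dn, []).extend(reasons)
    return hits
```

Comparing the result of `root_equivalent()` against the list of people who are supposed to hold root shows any entry that picked up the attribute unintentionally.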