[indiana-discuss] Indiana & RBAC LDAP Schema Q
Jason J. W. Williams
jasonjwwilliams at gmail.com
Mon Mar 10 13:06:58 PDT 2008
Oh...you'll also have to add the SolarisUserAttr objectclass to the
user entry before you can add the SolarisAttrKeyValue.
-J
On Mon, Mar 10, 2008 at 1:57 PM, Jason J. W. Williams
<jasonjwwilliams at gmail.com> wrote:
> Hi Y'all,
>
> Thank you for all of your pointers. After banging at it for a while, I
> seem to have a working solution (this assumes you already have
> configured OpenLDAP to work with the Solaris LDAP client):
>
> 1.) Update the solaris.schema to this version:
> http://www.bolthole.com/solaris/new.solaris.schema
> 2.) Add SolarisAttrKeyValue as an attribute to the user entries who
> need root access.
> 3.) Set the value of SolarisAttrKeyValue to: profiles=Primary
> Administrator;roles=root
>
> Hope this is helpful to someone else.
>
> Best Regards,
> Jason
>
>
>
> On Mon, Mar 10, 2008 at 1:13 PM, Dave Miner <dminer at opensolaris.org> wrote:
> >
> > Jason J. W. Williams wrote:
> > > Hi All,
> > >
> > > Has anyone gotten Indiana LDAP authentication working against an
> > > OpenLDAP server? We have a setup that is currently working with all of
> > > our SXCE boxes, but the required RBAC profile enforcement on Indiana
> > > allows our users to log in to an Indiana system but not pfexec to root
> > > permissions or su. Under Linux we have a sudo attribute we set, but
> > > I'm having a heck of a time figuring out which attribute to set to
> > > assign a Solaris profile in LDAP. Any help is greatly appreciated.
> > >
> >
> > Well, the RBAC configuration is not required, it's just the default.
> > You can configure Indiana the same as you have on SXCE, just remove the
> > "type=role;" token from the root entry in /etc/user_attr and remove any
> > "roles=root" tokens from other users in that file.
> >
> > I don't have any background on setting up RBAC with LDAP, but the system
> > administrator's guide on docs.sun.com implies that there are several
> > schemas related to RBAC that need to be loaded into LDAP. You might
> > have better luck asking the question over in the security community.
> >
> > Dave
> >
>
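As an added example (not part of the thread), a small Python audit that reads an LDIF export and reports which user entries carry a SolarisAttrKeyValue granting roles=root, and which set that attribute without the SolarisUserAttr objectClass, the gotcha noted at the top of this message. The sample entries, DNs and uids are made up.

```python
# Added example, not from the thread: audit Solaris RBAC grants kept in LDAP by
# parsing an LDIF export and checking SolarisAttrKeyValue / SolarisUserAttr.
# Constructed sample directory export; the DNs and uids are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: SolarisUserAttr
uid: alice
SolarisAttrKeyValue: profiles=Primary Administrator;roles=root

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
SolarisAttrKeyValue: profiles=Basic Solaris User
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def parse_key_values(token_string):
    """Split a user_attr-style 'key=value;key=value' string; values are comma lists."""
    result = {}
    for token in filter(None, token_string.split(";")):
        key, _, value = token.partition("=")
        result[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return result

def audit(ldif_text):
    """Return {'root_role': [uids granted roles=root], 'missing_objectclass': [uids]}."""
    report = {"root_role": [], "missing_objectclass": []}
    for entry in parse_ldif(ldif_text):
        kv_values = entry.get("solarisattrkeyvalue", [])
        if not kv_values:
            continue  # no RBAC attribute on this entry
        uid = entry.get("uid", ["?"])[0]
        # The server rejects SolarisAttrKeyValue unless SolarisUserAttr is present.
        if "solarisuserattr" not in {c.lower() for c in entry.get("objectclass", [])}:
            report["missing_objectclass"].append(uid)
        if any("root" in parse_key_values(kv).get("roles", []) for kv in kv_values):
            report["root_role"].append(uid)
    return report
```

Running audit(SAMPLE_LDIF) on the sample reports alice as holding the root role and bob as a schema violation waiting to happen.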