Solaris Trusted Extensions Administrator's Procedures

Procedure: How to Debug a Client Connection to the LDAP Server

Misconfiguration of the client entry on the LDAP server can prevent the client from communicating with the server. Similarly, misconfiguration of files on the client can prevent communication. Check the following entries and files when attempting to debug a client-server communication problem.

Before You Begin

You must be in the Security Administrator role in the global zone on the LDAP client.

  1. Check that the remote host templates assigned to the LDAP server and to the gateway to the LDAP server are correct.

    # tninfo -h LDAP-server
    # route get LDAP-server
    # tninfo -h gateway-to-LDAP-server

    If a remote host template assignment is incorrect, assign the host to the correct template by using the Security Templates tool in the Solaris Management Console.

  2. Check and correct the /etc/hosts file.

    Your system, the interfaces for the labeled zones on your system, the gateway to the LDAP server, and the LDAP server must be listed in the file. You might have more entries.

    Look for duplicate entries. Remove any entries that are labeled zones on other systems. For example, if LServer is the name of your LDAP server, and LServer-zones is the shared interface for the labeled zones, remove LServer-zones from /etc/hosts.

  3. If you are using DNS, check and correct the entries in the resolv.conf file.

    # more resolv.conf
    search list of domains
    domain domain-name
    nameserver IP-address
    nameserver IP-address

  4. Check that the tnrhdb and tnrhtp entries in the nsswitch.conf file are accurate.

  5. Check that the client is correctly configured on the server.

    # ldaplist -l tnrhdb client-IP-address

  6. Check that the interfaces for your labeled zones are correctly configured on the LDAP server.

    # ldaplist -l tnrhdb client-zone-IP-address

  7. Verify that you can ping the LDAP server from all currently running zones.

    # ldapclient list
    NS_LDAP_SERVERS= LDAP-server-address
    # zlogin zone-name1 ping LDAP-server-address
    LDAP-server-address is alive
    # zlogin zone-name2 ping LDAP-server-address
    LDAP-server-address is alive

  8. Configure LDAP and reboot.

    1. For the procedure, see Make the Global Zone an LDAP Client in Trusted Extensions.

    2. In every labeled zone, re-establish the zone as a client of the LDAP server.

      # zlogin zone-name1
      # ldapclient init \
      -a profileName=profileName \
      -a domainName=domain \
      -a proxyDN=proxyDN \
      -a proxyPassword=password LDAP-Server-IP-Address
      # exit
      # zlogin zone-name2 ...

    3. Halt all zones, lock the file systems, and reboot.

      If you are using Solaris ZFS, halt the zones and lock the file systems before rebooting. If you are not using ZFS, you can reboot without halting the zones and locking the file systems.

      # zoneadm list
      # zoneadm -z zone-name halt
      # lockfs -fa
      # reboot
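Steps 2 through 4 of this procedure are file inspections that can be scripted so that an administrator repeats them consistently across clients. The following POSIX shell script is an added example, not part of the Solaris documentation, and it assumes the following: labeled-zone interface entries follow the host-zones naming convention shown in step 2 (the "-zones" suffix is a parameter), nameserver values in resolv.conf are IPv4 or IPv6 literals, and an LDAP client's nsswitch.conf lists ldap as a source on its tnrhdb and tnrhtp lines. The function names (hosts_duplicates, hosts_foreign_zone_entries, resolv_sanity, nsswitch_tn_entries, run_checks) are this example's own. Each check takes a file path, prints what it found, and returns non-zero on a problem, so the script can be run against copies of the files as well as against /etc.

```shell
#!/bin/sh
# Added example: file-level checks for steps 2 to 4 of the LDAP client
# debugging procedure. Not part of the Solaris documentation.

# Step 2: report host names or aliases that appear more than once in a hosts file.
# Returns 1 if duplicates are found, 0 otherwise.
hosts_duplicates() {
    hosts_file=$1
    # drop comments, skip the address column, list every name, keep repeats only
    dups=$(sed 's/#.*//' "$hosts_file" | awk 'NF > 1 { for (i = 2; i <= NF; i++) print $i }' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf 'duplicate host entries in %s: %s\n' "$hosts_file" "$dups"
    return 1
}

# Step 2: report labeled-zone interface entries that belong to other systems.
# Assumes (this example's convention) that such entries are named <host><suffix>,
# with suffix "-zones" by default; the local host's own entry is kept.
hosts_foreign_zone_entries() {
    hosts_file=$1; local_host=$2; suffix=${3:--zones}
    found=$(sed 's/#.*//' "$hosts_file" | awk -v s="$suffix" -v h="$local_host" '
        NF > 1 { for (i = 2; i <= NF; i++) if ($i ~ s "$" && $i != h s) print $i }')
    [ -z "$found" ] && return 0
    printf 'labeled-zone entries for other systems in %s: %s\n' "$hosts_file" "$found"
    return 1
}

# Step 3: resolv.conf must be readable, name at least one nameserver, and every
# nameserver value must be an address literal rather than a host name.
resolv_sanity() {
    resolv_file=$1
    [ -r "$resolv_file" ] || { printf 'cannot read %s\n' "$resolv_file"; return 1; }
    ns=$(awk '$1 == "nameserver" { print $2 }' "$resolv_file")
    [ -n "$ns" ] || { printf 'no nameserver lines in %s\n' "$resolv_file"; return 1; }
    rc=0
    for a in $ns; do
        # accept an IPv4 dotted quad or anything containing ':' (IPv6); flag the rest
        if ! echo "$a" | grep -E '^(([0-9]{1,3}\.){3}[0-9]{1,3}|.*:.*)$' >/dev/null; then
            printf 'nameserver %s in %s is not an IP address\n' "$a" "$resolv_file"
            rc=1
        fi
    done
    return $rc
}

# Step 4: nsswitch.conf must carry tnrhdb and tnrhtp lines that include ldap as a
# source (assumed expected form for an LDAP client, e.g. "tnrhdb: files ldap").
nsswitch_tn_entries() {
    nss_file=$1
    rc=0
    for db in tnrhdb tnrhtp; do
        if ! grep -E "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$nss_file" >/dev/null; then
            printf '%s entry in %s is missing or does not list ldap\n' "$db" "$nss_file"
            rc=1
        fi
    done
    return $rc
}

# Run every check against the files in one directory (normally /etc).
run_checks() {
    dir=$1
    status=0
    hosts_duplicates "$dir/hosts" || status=1
    hosts_foreign_zone_entries "$dir/hosts" "$(hostname)" || status=1
    resolv_sanity "$dir/resolv.conf" || status=1
    nsswitch_tn_entries "$dir/nsswitch.conf" || status=1
    return $status
}

# Usage:  sh ldap_client_check.sh /etc
if [ -n "${1:-}" ]; then
    run_checks "$1"
fi
```

The script only reads files, so it can be run from the Security Administrator role without side effects; a non-zero exit status points at the step in the procedure whose file needs correcting by hand.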