LDAP Setup and Configuration Guide

Configuration Problems and Solutions

The following discussion briefly describes LDAP configuration problems and suggested solutions to the problems.

Unresolved Hostname

The Solaris LDAP client backend is designed to return fully qualified hostnames for host lookups, such as the hostnames returned by gethostbyname(3N) and getipnodebyname(3N). If the name stored is fully qualified (that is, it contains at least one dot), the client returns the name as is. For example, if the name stored is hostB.eng, the returned name is hostB.eng.

If the name stored in the LDAP directory is not fully qualified (it does not contain any dot), the client backend appends the domain part to the name. For example, if the name stored is hostA, the returned name is hostA.domainname.

Unable to Reach Systems in the LDAP Domain Remotely

If the DNS domain name is different from the LDAP domain name, change the nsswitch.conf file: in the hosts entry, specify dns only, or put dns before ldap.

Sendmail Fails to Deliver/Receive Mail To/From Remote Users

If your mail domain (commonly the DNS domain) is different from the LDAP domain, you might run into a mail delivery problem. sendmail(1M) derives the mail domain from the domain portion of the hostname returned by gethostname(3N). This means the return address will be in the LDAP domain. Because the mail/DNS domain is different from the LDAP domain, external users cannot respond to the email. To fix this problem, change the hosts entry in the nsswitch.conf file to dns, or put dns before ldap.
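The three problems above share one mechanism: an unqualified name stored in the directory comes back with the LDAP domain appended, and if that is not the DNS domain the result does not resolve, so dns has to be consulted first in the hosts entry. As an added illustration that is not part of the Solaris guide, the following shell script emulates the backend's qualification rule and checks the hosts entry of an nsswitch.conf file for the ordering recommended above. The domain names and the sample nsswitch.conf fragments are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the Solaris guide): emulate the client backend's
# host-name qualification rule and check the hosts ordering in nsswitch.conf.

# Return the name the LDAP client backend hands back for a host lookup:
# a name containing at least one dot is returned as is, any other name
# gets the LDAP domain appended.
qualify_hostname() {
    name=$1
    ldap_domain=$2
    case "$name" in
        *.*) printf '%s\n' "$name" ;;
        *)   printf '%s.%s\n' "$name" "$ldap_domain" ;;
    esac
}

# Print the sources listed on the hosts: line of an nsswitch.conf file,
# dropping comments and status tokens such as [NOTFOUND=return].
hosts_sources() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | sed 's/#.*//; s/\[[^]]*\]//g'
}

# Print "ok" when dns is listed and appears before ldap (or ldap is absent),
# "fix" when ldap is consulted before dns or dns is missing altogether.
check_hosts_order() {
    set -- $(hosts_sources "$1")
    seen_dns=0
    for src in "$@"; do
        case "$src" in
            dns)  seen_dns=1 ;;
            ldap) [ "$seen_dns" -eq 1 ] || { echo fix; return 0; } ;;
        esac
    done
    [ "$seen_dns" -eq 1 ] && echo ok || echo fix
}

# Constructed sample nsswitch.conf fragments (domain names are made up).
demo_dir=${TMPDIR:-/tmp}/nsswitch-demo.$$
mkdir -p "$demo_dir"
printf 'hosts:      ldap [NOTFOUND=return] files\n' > "$demo_dir/before"
printf 'hosts:      dns ldap files\n' > "$demo_dir/after"

echo "hostB.eng -> $(qualify_hostname hostB.eng east.example.com)"   # hostB.eng
echo "hostA     -> $(qualify_hostname hostA east.example.com)"       # hostA.east.example.com
echo "before: $(check_hosts_order "$demo_dir/before")"                # fix
echo "after:  $(check_hosts_order "$demo_dir/after")"                 # ok
rm -rf "$demo_dir"
```

Run it against the real file with check_hosts_order /etc/nsswitch.conf; "fix" means the hosts entry still consults ldap before dns and the return addresses sendmail builds, and the names the backend returns, will carry the LDAP domain.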

Login Does Not Work

LDAP clients use the PAM(3) modules for user authentication during login. When using the standard unix PAM module, the password is read from the server and checked on the client side. This can fail for one of the following reasons:

  1. ldap does not exist as a source in the /etc/nsswitch.conf file.

  2. The password on the server is not readable by the proxy agent. You need to allow at least the proxy agent to read the password, because the proxy agent returns it to the client for comparison.

  3. An incorrectly configured proxy agent causes authentication to fail.

  4. The entry does not have the shadowAccount objectclass.
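Reasons 2 and 4 can be checked from the entry that the directory returns to the proxy agent. As an added example that is not part of the Solaris guide, the script below inspects an LDIF entry for the two things the client-side check needs: a readable userPassword attribute and the shadowAccount objectclass. It assumes the entry was saved from ldapsearch(1) bound as the proxy agent (for example ldapsearch -D <proxy agent DN> -w <proxy password> -b <base DN> uid=jdoe objectClass userPassword); the two LDIF files, the DNs and the password value are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the Solaris guide): check an LDIF entry, as seen
# by the proxy agent, for the pieces the client-side password check needs.

# Print "ok" when the entry carries both the shadowAccount objectclass and a
# userPassword attribute; otherwise list what is missing. userPassword is
# usually base64 in LDIF ("userPassword::"), so only the prefix is matched.
check_account_entry() {
    ldif=$1
    problems=""
    grep -iq '^objectClass: *shadowAccount *$' "$ldif" || problems="$problems no-shadowAccount"
    grep -iq '^userPassword:' "$ldif" || problems="$problems no-userPassword"
    if [ -z "$problems" ]; then
        echo ok
    else
        echo "$problems" | sed 's/^ //'
    fi
}

# Constructed samples: the first is what the proxy agent sees when the entry
# lacks shadowAccount and the ACI hides userPassword; the second is a working
# entry (the password value is base64 of a placeholder, not a real hash).
dir=${TMPDIR:-/tmp}/ldif-demo.$$
mkdir -p "$dir"
cat > "$dir/broken.ldif" <<'EOF'
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: jdoe
uidNumber: 1001
EOF
cat > "$dir/good.ldif" <<'EOF'
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
userPassword:: e2NyeXB0fVBMQUNFSE9MREVS
EOF

echo "broken: $(check_account_entry "$dir/broken.ldif")"   # no-shadowAccount no-userPassword
echo "good:   $(check_account_entry "$dir/good.ldif")"     # ok
rm -rf "$dir"
```

If the same search bound anonymously also returns userPassword, the access control is wider than the guide asks for: the proxy agent needs read access to the password, other binds do not, and the ACI should grant it to the proxy agent alone.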

Lookup Too Slow

The LDAP database relies on indexes to improve performance. A major performance degradation occurs when indexes are not configured properly. As part of the documentation, we have provided a common set of attributes that should be indexed. You can also add your own indexes to improve performance at your site.

ldapclient Cannot Bind to Server

ldapclient failed to initialize the client when using the -P profile option. There are several possible reasons for this failure:

  1. Check that ldap_cachemgr is running; ps -ef | grep ldap should show it.

  2. Try running ldapclient -l to check out the contents of the LDAP client cached files.


    Note –

    Do not try to read the configuration and credential files directly, as there is no guarantee that they are in an ASCII-readable format.


  3. The nisDomain attribute is not set in the DIT to represent the entry point for the specified client domain.

  4. Virtual list view indexing is not set up properly on the server.

  5. Access control information is not set up properly on the server, which disallows anonymous search in the LDAP database.

  6. Incorrect server address passed to the ldapclient command. Use ldapsearch(1) to verify the server address.

  7. Incorrect profile name passed to the ldapclient command. Use ldapsearch(1) to verify the profile name in the DIT.

  8. Use snoop(1M) on the client's network interface to see what sort of traffic is going out, and determine to which server it is talking.