Trusted Extensions Configuration and Administration

Updated: March 2019

How to Debug a Client's Connection to the LDAP Server

Misconfiguration of a client entry on the LDAP server can prevent the client from communicating with the server. Similarly, misconfiguration of files on the client can prevent communication. Check the following entries and files when attempting to debug a client-server communication problem.

Before You Begin

You must be in the Security Administrator role in the global zone on the LDAP client.

  1. Check that the remote host templates for the LDAP server and for the gateway to the LDAP server are correct.
    1. Use the tncfg or tninfo command to view information.
      # tncfg get host=LDAP-server
      # tncfg get host=gateway-to-LDAP-server
      # tninfo -h LDAP-server
      # tninfo -h gateway-to-LDAP-server
    2. Determine the route to the server.
      # route get LDAP-server

    If a template assignment is incorrect, add the host to the correct template.

  2. Check and, if necessary, correct the /etc/hosts file.

    Your system, the interfaces for the labeled zones on your system, the gateway to the LDAP server, and the LDAP server must be listed in the file. You might have more entries.

    Look for duplicate entries. Remove any entries that are labeled zones on other systems. For example, if Lserver is the name of your LDAP server, and LServer-zones is the shared interface for the labeled zones, remove LServer-zones from the /etc/hosts file.

  3. If you are using DNS, check the configuration of the svc:/network/dns/client service.
    # svccfg -s dns/client listprop config
    config                       application
    config/value_authorization   astring       solaris.smf.value.name-service.dns.switch
    config/nameserver            astring
  4. To change the values, use the svccfg command.
    # svccfg -s dns/client setprop config/search = astring: example1.domain.com
    # svccfg -s dns/client setprop config/nameserver = net_address:
    # svccfg -s dns/client:default refresh
    # svccfg -s dns/client:default validate
    # svcadm enable dns/client
    # svcadm refresh name-service/switch
    # nslookup some-system
    Name:   some-system.example1.domain.com
    Name:   some-system.example1.domain.com
  5. Verify that the tnrhdb and tnrhtp entries in the name-service/switch service are accurate.

    In the following output, the tnrhdb and tnrhtp entries are not listed. Therefore, these databases use the default naming services, files and then ldap, in that order.

    # svccfg -s name-service/switch listprop config
    config                       application
    config/value_authorization   astring       solaris.smf.value.name-service.switch
    config/default               astring       "files ldap"
    config/host                  astring       "files dns"
    config/netgroup              astring       ldap
  6. Check that the client is correctly configured on the server.
    # ldaplist -l tnrhdb client-IP-address
  7. Check that the interfaces for your labeled zones are correctly configured on the LDAP server.
    # ldaplist -l tnrhdb client-zone-IP-address
  8. Verify that you can contact the LDAP server from all currently running zones.
    # ldapsearch -x query
    NS_LDAP_SERVERS= LDAP-server-address
    # zlogin zone-name1 ping LDAP-server-address
    LDAP-server-address is alive
    # zlogin zone-name2 ping LDAP-server-address
    LDAP-server-address is alive

    For more information, see the ldapsearch(8) man page.

  9. Configure LDAP and reboot.
    1. For the procedure, see Make the Global Zone an LDAP Client in Trusted Extensions.
    2. In every labeled zone, re-establish the zone as a client of the LDAP server.
      # zlogin zone-name1
      # ldapclient init \
      -a profileName=profileName \
      -a domainName=domain \
      -a proxyDN=proxyDN \
      -a proxyPassword=password LDAP-Server-IP-Address
      # exit
      # zlogin zone-name2 ...
    3. Halt all zones and reboot.
      # zoneadm list
      # zoneadm -z zone1 halt
      # zoneadm -z zone2 halt
      # reboot

      You could instead use the txzonemgr GUI to halt the labeled zones.
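
The checks in steps 2 and 5 can be scripted. The following is an added example, not part of the Oracle procedure: effective_sources resolves which naming services apply to a database from the listprop output, and dup_hosts flags duplicate entries in a hosts-format file. The function names, the config/DB property naming for tnrhdb and tnrhtp, and the sample hosts content are assumptions made for illustration.

```shell
# Added example (not from the Oracle documentation): helpers for steps 2 and 5.

# effective_sources DB: read `svccfg -s name-service/switch listprop config`
# output on stdin and print the lookup order that applies to database DB.
# Assumption: a per-database override is named config/DB, as config/host is.
effective_sources() {
    awk -v db="$1" '
        $1 == ("config/" db)   { $1 = ""; $2 = ""; own = $0 }
        $1 == "config/default" { $1 = ""; $2 = ""; def = $0 }
        END {
            v = (own != "") ? own : def      # unlisted database uses the default
            gsub(/"/, "", v); gsub(/^ +| +$/, "", v)
            print v
        }'
}

# dup_hosts: read a hosts-format file on stdin; report each address that is
# listed on more than one line and each name bound to more than one address.
dup_hosts() {
    awk '
        { sub(/#.*/, "") }                   # strip comments
        NF < 2 { next }                      # skip blank or incomplete lines
        {
            if (++seen[$1] == 2) print "duplicate address: " $1
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (!(n in addr)) addr[n] = $1
                else if (addr[n] != $1) print "name on two addresses: " n
            }
        }'
}

# The listprop output shown in step 5 of the page.
SWITCH_SAMPLE='config                       application
config/value_authorization   astring       solaris.smf.value.name-service.switch
config/default               astring       "files ldap"
config/host                  astring       "files dns"
config/netgroup              astring       ldap'

# Constructed /etc/hosts content; names and addresses are placeholders.
HOSTS_SAMPLE='127.0.0.1   localhost
192.0.2.10  client1
192.0.2.1   gateway1
192.0.2.50  Lserver
192.0.2.50  ldap1        # same address listed twice
192.0.2.99  client1      # same name, different address'

printf '%s\n' "$SWITCH_SAMPLE" | effective_sources tnrhdb
printf '%s\n' "$SWITCH_SAMPLE" | effective_sources host
printf '%s\n' "$HOSTS_SAMPLE" | dup_hosts
```

On a live client, pipe the real svccfg output into effective_sources and redirect /etc/hosts into dup_hosts in place of the sample variables.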