Misconfiguration of a client entry on the LDAP server can prevent the client from communicating with the server. Similarly, misconfiguration of files on the client can prevent communication. Check the following entries and files when attempting to debug a client-server communication problem.
Before You Begin
You must be in the Security Administrator role in the global zone on the LDAP client.
# tncfg get host=LDAP-server # tncfg get host=gateway-to-LDAP-server
# tninfo -h LDAP-server # tninfo -h gateway-to-LDAP-server
# route get LDAP-server
If a template assignment is incorrect, add the host to the correct template.
Your system, the interfaces for the labeled zones on your system, the gateway to the LDAP server, and the LDAP server must be listed in the file. You might have more entries.
Look for duplicate entries. Remove any entries that are labeled zones on other systems. For example, if Lserver is the name of your LDAP server, and LServer-zones is the shared interface for the labeled zones, remove LServer-zones from the /etc/hosts file.
# svccfg -s dns/client listprop config config application config/value_authorization astring solaris.smf.value.name-service.dns.switch config/nameserver astring 192.168.8.25 192.168.122.7
# svccfg -s dns/client setprop config/search = astring: example1.example.com # svccfg -s dns/client setprop config/nameserver = net_address: 192.168.8.35 # svccfg -s dns/client:default refresh # svccfg -s dns/client:default validate # svcadm enable dns/client # svcadm refresh name-service/switch # nslookup some-system Server: 192.168.135.35 Address: 192.168.135.35#53 Name: some-system.example1.example.com Address: 10.138.8.22 Name: some-system.example1.example.com Address: 10.138.8.23
In the following output, the tnrhdb and tnrhtp entries are not listed. Therefore, these databases are using the default, files ldap naming services, in that order.
# svccfg -s name-service/switch listprop config config application config/value_authorization astring solaris.smf.value.name-service.switch config/default astring "files ldap" config/host astring "files dns" config/netgroup astring ldap
# ldaplist -l tnrhdb client-IP-address
# ldaplist -l tnrhdb client-zone-IP-address
# ldapsearch -x query ... NS_LDAP_SERVERS= LDAP-server-address # zlogin zone-name1 ping LDAP-server-address LDAP-server-address is alive # zlogin zone-name2 ping LDAP-server-address LDAP-server-address is alive ...
For more information, see the ldapsearch(8) man page.
# zlogin zone-name1 # ldapclient init \ -a profileName=profileName \ -a domainName=domain \ -a proxyDN=proxyDN \ -a proxyPassword=password LDAP-Server-IP-Address # exit # zlogin zone-name2 ...
# zoneadm list zone1 zone2 , , , # zoneadm -z zone1 halt # zoneadm -z zone2 halt . . . # reboot
You could instead use the txzonemgr GUI to halt the labeled zones.