forked from PADL/nss_ldap
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME
177 lines (127 loc) · 5.45 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
LDAP NAMESERVICE SWITCH LIBRARY
===============================
This is the nss_ldap library, an LDAP module for the Solaris Nameservice
Switch (NSS), the GNU libc NSS, and the ISC BIND IRS (used on BSDI
and IRS).
The LDAP schema used is described in RFC 2307
Insert this:
passwd: files nis ldap
group: files nis ldap
or something similar in /etc/nsswitch.conf.
The source code is distributed under the GNU General Library Public Licence
(see COPYING.LIB).
Platforms this has been built under:
o Linux
o Solaris 2.4, 2.6, 7, 8, 9, 10
o FreeBSD BIND 8.x (not useful unless you recompile libc)
o AIX 4.3.3 with IRS
If you are willing to use an older, and possibly buggy, version
of nss_ldap, you *might* find patches to get it to work with the
"real" FreeBSD nsswitch at http://www.nectar.com/freebsd/nsswitch.
To install:
% ./configure
% make
% make install
NB: you need to use GNU make! (often called gmake or gnumake)
1. Installation
---------------
You need to ensure libnss_ldap.so.1 (or nss_ldap.so.1, for Solaris) is in
/usr/lib.
2. Building shared LDAP client libraries
----------------------------------------
You can build a position independent LDAP client library by compiling
-fPIC and linking with -shared, or downloading the Mozilla or Netscape
LDAP SDKs. Note that OpenLDAP only appears to build shared libraries
on some platforms (apparently not Solaris?). To build these, configure
with --enable-shared.
Q: Using the Netscape LDAP library with pam_ldap on Solaris 8
- aka Solaris 2.8 - fails to link properly! David Begley writes:
There are two releases of the Netscape LDAP library, one marked
for Solaris 8 and the other marked for Solaris 2.6 - the additional
catch is that the Solaris 8 library is a 64-bit library (this is marked
on Netscape's site) whilst the other is a 32-bit library.
It doesn't matter if you have a 64-bit UltraSPARC processor running
the 64-bit Solaris kernel, if your compiler only works with 32-bit
objects then it won't successfully link the 64-bit Solaris 8
Netscape LDAP library.
GCC (up to version 2.95.2) does not work properly with 64-bit objects
under Solaris, so just use the Solaris 2.6 (32-bit) Netscape LDAP
library and everything should be fine.
Q: Can I use a third-party client LDAP library (such as Netscape's)
on Solaris 7? David Begley writes:
Yes, but if you have the Solaris 7 LDAP library installed (package
SUNWlldap or SUNWldapx) configure will find it before the third-party
library - in this case, you can't rely on the auto-lib-type detection of
configure and must use the "--with-ldap-lib=" parameter.
Q: Why does linking fail on Solaris 2.6 (complaining about
relocations remaining against libcrypt)? David Begley
writes:
In short, the problem is that GCC is looking for a shared libcrypt
(in response to the "--shared" parameter) which doesn't exist on
Solaris 2.6 (but does on Solaris 7). The fix is quite simple, use
"-G" instead of "--shared" (could this be a GCC bug?). This change
should already be included in newer versions of pam_ldap.
It doesn't look like libcrypt is even needed if you're using the
Netscape LDAP client library (maybe it's required for OpenLDAP?).
Scott M. Stone <[email protected]> writes:
Your openldap libs *and* your SSL/RSAREF libs must be DYNAMIC LIBRARIES
or neither nss_ldap nor pam_ldap will work.
3. glibc 2.0 compatibility
--------------------------
Current versions of the nss_ldap library are designed to work with
glibc 2.1, not glibc 2.0. They _may_ work with glibc 2.0. YMMV.
4. RFC2307BIS
-------------
Compiling with -DRFC2307BIS adds rfc2307bis support, which at the
moment just gets you support for groups with distinguished name
members (instead of login names). A posixGroup can thus have the
both memberUid and uniqueMember attributes.
5. Building under FreeBSD
-------------------------
Here's what I do to build it under FreeBSD. You will need to
link it into libbind.a for it actually to be useful.
CPPFLAGS="-I/usr/local/include -I/usr/local/include/bind -DPIC"
export CPPFLAGS
CFLAGS=$CPPFLAGS # this is weird
export CFLAGS
LDFLAGS="-L/usr/local/lib"
LIBS="-lbind_r -lgnuregex -lsasl -lkrb"
export LDFLAGS LIBS
./configure
make
6. Solaris, shadowAccount
-------------------------
Joerg Paysen notes:
> I think its extremly important that you have a
> /etc/shadow file so that an ObjectClass shadowAccount
> will be created in the ldap database. My experience is
> that without shadowAccount nss_ldap does not work on
> solaris!!
http://bugzilla.padl.com/show_bug.cgi?id=287
After some testing of the patch I have found out that programs were crashing
on exit. There is another way to fix this problem, which is also much more
elegant: just link the nss_ldap library with ld -z nodelete, then the nss_ldap
library won't be unmapped when it is dlclosed. Works like a charm and doesn't
leak any sockets.
7. Secret file
--------------
If using /etc/ldap.secret, it must have a newline at the end
of the secret.
8. Mailing lists
----------------
To discuss nss_ldap and related technologies, you may
subscribe to the following mailing lists:
<URL:mailto:[email protected]>
and
<URL:mailto:[email protected]>
Send an electronic mail message with "subscribe" in the
message body to join the list.
9. Commercial support
---------------------
Note that PADL now offer commercial support on a
per-incident basis.
To request a support incident, send email to: [email protected]
--
PADL Software Pty Ltd
http://www.padl.com/