Purpose of this document:
Don't deploy the Solaris Native LDAP client without the help of my scripts.
Deployment is as easy as 1-2-3 with the help of a few automated scripts, attached in the Appendix.
Step 1: Pre-build the needed software on a build server
Pre-build means pre-configure, pre-compile, pre-test, archive and zip them up.
The build location is /var/tmp; make sure the /var file system has enough disk space. The software to be pre-built is:
/var/tmp/openssl-0.9.7e
/var/tmp/openssh-3.9p1
/var/tmp/zlib-1.2.1-sol8-sparc-local
/var/tmp/zlib-1.2.1-sol9-sparc-local
After building and testing them on the build server, "tar" them up:
# cd /var/tmp
# tar cvf openssl-0.9.7e_compiled.tar openssl-0.9.7e
# tar cvf openssh-3.9p1_compiled.tar openssh-3.9p1
Then "tar" all of them up into a single tar file and "gzip" this single build image, called native_client_files.tar.gz, using the script "cr_native_client_files.sh".
The following is an example of a run on a Solaris 9 build server:
# cd /var/tmp
# ./cr_native_client_files.sh
Copying/Preparing tested configuration files...
Creating file list...
Creating Archive...
a /var/ldap/cert7.db.native_client 188K
a /var/ldap/key3.db.native_client 16K
a /var/ldap/ldap_client_file.native_client 2K
a /var/ldap/ldap_client_cred.native_client 1K
a /var/ldap/test_native_client_tls.sh 1K
a /var/ldap/ldapclient_init_tlsprofile_sol9.sh 1K
a /etc/pam.conf.native_client 4K
a /etc/nsswitch.conf.native_client 2K
a /etc/defaultdomain 1K
a /var/tmp/openssh-3.9p1_compiled.tar 50024K
a /var/tmp/openssl-0.9.7e_compiled.tar 23487K
a /var/tmp/zlib-1.2.1-sol8-sparc-local 308K
a /var/tmp/zlib-1.2.1-sol9-sparc-local 310K
a /etc/ssh/sshd_config.native_client 3K
a /etc/ssh/ssh_config.native_client 2K
a /etc/init.d/openssh.server 1K
Compressing Archive...
Done.
Note 1: if you happen to rebuild any of the software, re-generate the <software>_compiled.tar file and re-run the "cr_native_client_files.sh" script.
Note 2: if you only want to deploy changes in configuration files, run "cr_native_client_config_files.sh" instead to create native_client_config_files.tar.
# ./cr_native_client_config_files.sh
Copying/Preparing tested configuration files...
Creating file list...
Creating Archive...
a /var/ldap/cert7.db.native_client 188K
a /var/ldap/key3.db.native_client 16K
a /var/ldap/ldap_client_file.native_client 2K
a /var/ldap/ldap_client_cred.native_client 1K
a /etc/nsswitch.conf.native_client 2K
a /etc/pam.conf.native_client 4K
Done.
Step 2: Copy the build image over to the target LDAP client
Using "ftp" or SSH's "scp" command (which can be automated), copy the single build image native_client_files.tar.gz, or the configuration files image native_client_config_files.tar if you only want to deploy configuration changes, together with the deployment scripts dx_native_client_files.sh, deploy_native_client.sh, deploy_native_client_config_files.sh and deploy_openssh.sh, into the /var/tmp directory on the target LDAP client. Subsequently only the build or configuration files image needs to be copied over, unless the scripts have been changed.
Step 3: Run the deployment scripts on the target LDAP client
It is highly recommended that the "root" login be used at the text console to perform the following steps, so that any issue can be fixed by going to single-user mode later.
Go to /var/tmp and:
3.1) Run the unpacking (Decompress and eXtract) script
# ./dx_native_client_files.sh
Decompressing...
Xtracting...
x /var/ldap/cert7.db.native_client, 192512 bytes, 376 tape blocks
x /var/ldap/key3.db.native_client, 16384 bytes, 32 tape blocks
x /var/ldap/ldap_client_file.native_client, 1596 bytes, 4 tape blocks
x /var/ldap/ldap_client_cred.native_client, 207 bytes, 1 tape blocks
x /var/ldap/test_native_client_tls.sh, 457 bytes, 1 tape blocks
x /var/ldap/ldapclient_init_tlsprofile_sol9.sh, 773 bytes, 2 tape blocks
x /etc/pam.conf.native_client, 3640 bytes, 8 tape blocks
x /etc/nsswitch.conf.native_client, 1433 bytes, 3 tape blocks
x /etc/defaultdomain, 15 bytes, 1 tape blocks
x /var/tmp/openssh-3.9p1_compiled.tar, 51224576 bytes, 100048 tape blocks
...
Done.
3.2) Run the deploy_native_client.sh script to deploy LDAP authentication
# ./deploy_native_client.sh
...
CheckList:
1) make sure that IPs of LDAP Servers could be looked up via DNS/hosts
2) make sure that domain in /etc/resolv.conf is set
3) make sure that all the pre-configured and pre-compiled .tar files
have been prepared in /var/tmp
4) make sure that LDAP domain in /etc/defaultdomain is set
5) make sure OpenSSL 0.9.7x package has been installed
...
Have you checked the above (Y/N) default is Y
Setting LDAP domain...
Check Solaris LDAP domain name...
Configuring Solaris Native Client...
Configuring NSS_LDAP...
Configuring PAM_LDAP...
Re-start Solaris LDAP Client cachemgr daemon...
Re-start NAME SERVICE cache daemon...
...
Solaris Native LDAP client deployment done.
Please proceed to deploy OpenSSH
...
If you only want to deploy changes in configuration files, run deploy_native_client_config_files.sh instead:
# ./deploy_native_client_config_files.sh
x /var/ldap/cert7.db.native_client, 192512 bytes, 376 tape blocks
x /var/ldap/key3.db.native_client, 16384 bytes, 32 tape blocks
x /var/ldap/ldap_client_file.native_client, 1596 bytes, 4 tape blocks
x /var/ldap/ldap_client_cred.native_client, 207 bytes, 1 tape blocks
x /etc/nsswitch.conf.native_client, 1433 bytes, 3 tape blocks
x /etc/pam.conf.native_client, 3640 bytes, 8 tape blocks
Configuring Solaris Native Client...
Configuring NSS_LDAP...
Configuring PAM_LDAP...
Re-start Solaris LDAP Client cachemgr daemon...
Re-start NAME SERVICE cache daemon...
...
Solaris Native LDAP Client config files deployment done.
...
3.3) Run the deploy_openssh.sh script to deploy the OpenSSH server
# ./deploy_openssh.sh
Backing up SSH configuration files and host keys to /etc/ssh.orig...
Deploying OpenSSH...
Configuring OpenSSH...
Setting up Solaris Run Control startup script...
Creating sshd privilege separation account...
Restarting OpenSSH Server...
./deploy_openssh.sh: /etc/init.d/sshd: not found
...
OpenSSH Server deployment done.
...
That's all.
At the end of it, a reboot of the LDAP client is OPTIONAL.
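As an added check that is not one of the scripts in the Appendix, the following script verifies after step 3.2 that deploy_native_client.sh left the client in the state the checklist expects: the client profile and credential files are mode 400, the certificate databases 444, /etc/defaultdomain is set, nsswitch.conf and pam.conf actually reference ldap, and ldap_cachemgr and nscd are running. The "--check" flag, the optional root-prefix argument and the staging-tree layout it implies are assumptions of this example.

```shell
#!/bin/sh
#
# verify_native_client.sh - post-deployment checks for the files installed by
# deploy_native_client.sh (added example, not one of the page's scripts).
# "./verify_native_client.sh --check" checks the live client; an optional
# root prefix (assumed layout <root>/var/ldap, <root>/etc) checks a staging tree.

# 0 if $1 is a regular file whose permission bits are exactly $2 (octal).
check_mode() {
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    m=`find "$1" -perm "$2" -print`
    [ -n "$m" ] || { echo "BAD MODE: $1 (want $2)"; return 1; }
}

# 0 if nsswitch.conf names ldap as a source for both passwd and group.
check_nsswitch() {
    nrc=0
    for db in passwd group; do
        grep "^$db:.*ldap" "$1" >/dev/null 2>&1 || { echo "nsswitch: $db does not use ldap"; nrc=1; }
    done
    return $nrc
}

# 0 if at least one non-comment line of pam.conf references pam_ldap.
check_pam() {
    grep '^[^#].*pam_ldap' "$1" >/dev/null 2>&1 || { echo "pam.conf: no pam_ldap entry"; return 1; }
}

# Run every check under root prefix $1 ("" = live client); 0 only if all pass.
verify_native_client() {
    root="$1"; rc=0
    # client profile and proxy credentials must be readable by root only
    check_mode "$root/var/ldap/ldap_client_file" 400 || rc=1
    check_mode "$root/var/ldap/ldap_client_cred" 400 || rc=1
    # TLS certificate and key databases are deployed read-only
    check_mode "$root/var/ldap/cert7.db" 444 || rc=1
    check_mode "$root/var/ldap/key3.db" 444 || rc=1
    [ -s "$root/etc/defaultdomain" ] || { echo "/etc/defaultdomain is empty"; rc=1; }
    check_nsswitch "$root/etc/nsswitch.conf" || rc=1
    check_pam "$root/etc/pam.conf" || rc=1
    if [ -z "$root" ]; then
        # only meaningful on the live client: the daemons restarted in step 3.2
        pgrep ldap_cachemgr >/dev/null 2>&1 || { echo "ldap_cachemgr not running"; rc=1; }
        pgrep nscd >/dev/null 2>&1 || { echo "nscd not running"; rc=1; }
    fi
    return $rc
}

case "$1" in --check) verify_native_client "$2"; exit $? ;; esac
```

A non-zero exit status with the printed reasons means one of the deploy steps did not take; re-run deploy_native_client.sh or deploy_native_client_config_files.sh before proceeding to OpenSSH.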
Appendix:
Content of cr_native_client_files.sh
#! /bin/sh
#
# cr_native_client_files.sh
#
# Create a single Solaris Native LDAP Client installation .gz file
#
# Gary Tay, 11-Apr-2005, written
#
TMPDIR=/var/tmp
cd $TMPDIR
echo "Copying/Preparing tested configuration files..."
cp /var/ldap/cert7.db /var/ldap/cert7.db.native_client
cp /var/ldap/key3.db /var/ldap/key3.db.native_client
cp /var/ldap/ldap_client_file /var/ldap/ldap_client_file.native_client
cp /var/ldap/ldap_client_cred /var/ldap/ldap_client_cred.native_client
cp /etc/pam.conf /etc/pam.conf.native_client
cp /etc/nsswitch.conf /etc/nsswitch.conf.native_client
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.native_client
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.native_client
echo "Creating file list..."
cat >native_client_files.list <<EOF
/var/ldap/cert7.db.native_client
/var/ldap/key3.db.native_client
/var/ldap/ldap_client_file.native_client
/var/ldap/ldap_client_cred.native_client
/var/ldap/test_native_client_tls.sh
/var/ldap/ldapclient_init_tlsprofile_sol9.sh
/etc/pam.conf.native_client
/etc/nsswitch.conf.native_client
/etc/defaultdomain
$TMPDIR/openssh-3.9p1_compiled.tar
$TMPDIR/openssl-0.9.7e_compiled.tar
$TMPDIR/zlib-1.2.1-sol8-sparc-local
$TMPDIR/zlib-1.2.1-sol9-sparc-local
/etc/ssh/sshd_config.native_client
/etc/ssh/ssh_config.native_client
/etc/init.d/openssh.server
EOF
echo "Creating Archive..."
# The archive carries ldap_client_cred (deployed with mode 400), so keep the
# resulting .tar/.tar.gz readable by root only while it sits in /var/tmp
/bin/tar cvf native_client_files.tar `cat native_client_files.list`
rm -f native_client_files.tar.gz
echo "Compressing Archive..."
gzip native_client_files.tar
echo "Done."
Content of cr_native_client_config_files.sh
#! /bin/sh
#
# cr_native_client_config_files.sh
#
# Create a single tar containing Solaris Native LDAP Client config files
#
# Gary Tay, 11-Apr-2005, written
#
TMPDIR=/var/tmp
cd $TMPDIR
echo "Copying/Preparing tested configuration files..."
cp /var/ldap/cert7.db /var/ldap/cert7.db.native_client
cp /var/ldap/key3.db /var/ldap/key3.db.native_client
chmod 444 /var/ldap/cert7.db*
chmod 444 /var/ldap/key3.db*
cp /var/ldap/ldap_client_file /var/ldap/ldap_client_file.native_client
cp /var/ldap/ldap_client_cred /var/ldap/ldap_client_cred.native_client
chmod 400 /var/ldap/ldap_client_file*
chmod 400 /var/ldap/ldap_client_cred*
cp /etc/nsswitch.conf /etc/nsswitch.conf.native_client
cp /etc/pam.conf /etc/pam.conf.native_client
echo "Creating file list..."
cat >native_client_config_files.list <<EOF
/var/ldap/cert7.db.native_client
/var/ldap/key3.db.native_client
/var/ldap/ldap_client_file.native_client
/var/ldap/ldap_client_cred.native_client
/etc/nsswitch.conf.native_client
/etc/pam.conf.native_client
EOF
echo "Creating Archive..."
/bin/tar cvf native_client_config_files.tar `cat native_client_config_files.list`
echo "Done."
Content of dx_native_client_files.sh
#! /bin/sh
#
# dx_native_client_files.sh - Decompress/eXtract Solaris Native Client files
#
# Gary Tay, 11-Apr-2005, written
#
TMPDIR=/var/tmp
cd $TMPDIR
# Backup original PAM config file
[ ! -f /etc/pam.conf.orig ] && cp /etc/pam.conf /etc/pam.conf.orig
echo "Decompressing..."
gzip -d native_client_files.tar.gz
echo "Xtracting..."
/usr/sbin/tar xvf native_client_files.tar
/usr/sbin/tar xvf openssh-3.9p1_compiled.tar
echo "Done."
Content of deploy_native_client.sh
#! /bin/sh
#
# deploy_native_client.sh
#
# Deploy Solaris Native LDAP Client
#
# Gary Tay, 11-Apr-2005, written
#
# Execute this script:
# 1) ONLY AT THE TEXT CONSOLE and login as root
# 2) ONLY AFTER native_client_files.tar file has been un-tared
#
# Make sure root account is used
if [ -z "`id | egrep 'uid=0|euid=0'`" ]; then
    echo "root login needed..."; exit 1
fi
# Make sure it is at TEXT CONSOLE
#if [ -z "`tty | egrep '/dev/console|/dev/tty1'`" ]; then
#    echo "not at the text console, i.e. /dev/console or /dev/tty1"; exit 1
#fi
TMPDIR=/var/tmp
echo "..."
echo "CheckList:"
echo "1) make sure that IPs of LDAP Servers could be looked up via DNS/hosts"
echo "2) make sure that domain in /etc/resolv.conf is set"
echo "3) make sure that all the pre-configured and pre-compiled .tar files"
echo " have been prepared in $TMPDIR"
echo "4) make sure that LDAP domain in /etc/defaultdomain is set"
echo "5) make sure OpenSSL 0.9.7x package has been installed"
echo "..."
echo "Have you checked the above (Y/N) default is Y \c"; read YN
[ "$YN" = "N" ] && exit 1
echo "Setting LDAP domain..."
domainname `cat /etc/defaultdomain`
echo "Check Solaris LDAP domain name..."
domainname
echo "Configuring Solaris Native Client..."
cp /var/ldap/cert7.db.native_client /var/ldap/cert7.db
cp /var/ldap/key3.db.native_client /var/ldap/key3.db
chmod 444 /var/ldap/cert7.db
chmod 444 /var/ldap/key3.db
cp /var/ldap/ldap_client_file.native_client /var/ldap/ldap_client_file
cp /var/ldap/ldap_client_cred.native_client /var/ldap/ldap_client_cred
chmod 400 /var/ldap/ldap_client_file*
chmod 400 /var/ldap/ldap_client_cred*
echo "Configuring NSS_LDAP..."
cp /etc/nsswitch.conf.native_client /etc/nsswitch.conf
echo "Configuring PAM_LDAP..."
cp /etc/pam.conf.native_client /etc/pam.conf
echo "Re-start Solaris LDAP Client cachemgr daemon..."
#/etc/init.d/ldap.client stop
pkill -9 ldap_cachemgr
sleep 1
/etc/init.d/ldap.client start
echo "Re-start NAME SERVICE cache daemon..."
/etc/init.d/nscd stop
sleep 1
/etc/init.d/nscd start
echo "..."
echo "Solaris Native LDAP client deployment done."
echo "Please proceed to deploy OpenSSH"
echo "..."
Content of deploy_native_client_config_files.sh
#! /bin/sh
#
# deploy_native_client_config_files.sh
#
# Deploy Solaris Native LDAP Client config files
#
# Gary Tay, 11-Apr-2005, written
#
# Make sure root account is used
if [ -z "`id | egrep 'uid=0|euid=0'`" ]; then
    echo "root login needed..."; exit 1
fi
/usr/sbin/tar xvf /var/tmp/native_client_config_files.tar
echo "Configuring Solaris Native Client..."
cp /var/ldap/cert7.db.native_client /var/ldap/cert7.db
cp /var/ldap/key3.db.native_client /var/ldap/key3.db
chmod 444 /var/ldap/cert7.db
chmod 444 /var/ldap/key3.db
cp /var/ldap/ldap_client_file.native_client /var/ldap/ldap_client_file
cp /var/ldap/ldap_client_cred.native_client /var/ldap/ldap_client_cred
chmod 400 /var/ldap/ldap_client_file*
chmod 400 /var/ldap/ldap_client_cred*
echo "Configuring NSS_LDAP..."
cp /etc/nsswitch.conf.native_client /etc/nsswitch.conf
echo "Configuring PAM_LDAP..."
cp /etc/pam.conf.native_client /etc/pam.conf
echo "Re-start Solaris LDAP Client cachemgr daemon..."
#/etc/init.d/ldap.client stop
pkill -9 ldap_cachemgr
sleep 1
/etc/init.d/ldap.client start
echo "Re-start NAME SERVICE cache daemon..."
/etc/init.d/nscd stop
sleep 1
/etc/init.d/nscd start
echo "..."
echo "Solaris Native LDAP Client config files deployment done."
echo "..."
Content of deploy_openssh.sh
#! /bin/sh
#
# deploy_openssh.sh - Deploy OpenSSH
#
# Gary Tay, 18-Jul-2004, written
# 28-Jul-2004, Generalized for RedHat Linux and Solaris
# 29-Sep-2004, added zlib .pkg files deployment for Solaris8/9
# 26-Apr-2005, removed nss_ldap/pam_ldap make install steps
#
# Execute this script:
# 1) ONLY AT THE TEXT CONSOLE and login as root
# 2) ONLY AFTER untaring openssl & openssh .tar files
#
# Make sure root account is used
if [ -z "`id | egrep 'uid=0|euid=0'`" ]; then
    echo "root login needed..."; exit 1
fi
# Make sure it is at CONSOLE
#if [ -z "`tty | egrep '/dev/console|/dev/tty1'`" ]; then
#    echo "not at the text console, i.e. /dev/console or /dev/tty1"; exit 1
#fi
OS=`uname -s`
VER=`uname -r`
TMPDIR=/var/tmp
LD_LIBRARY_PATH=/usr/local/lib; export LD_LIBRARY_PATH
# openssl-0.9.7e must have been untarred by hand: dx_native_client_files.sh
# extracts only the openssh tar, and the OpenSSL "make install" further down
# is commented out (checklist item 5 expects the OpenSSL package to be installed)
if [ ! -d $TMPDIR/openssl-0.9.7e ]; then
    echo "Please first untar $TMPDIR/openssl-0.9.7e_compiled.tar"
    exit 1
fi
if [ ! -d $TMPDIR/openssh-3.9p1 ]; then
    echo "Please first untar $TMPDIR/openssh-3.9p1_compiled.tar"
    exit 1
fi
echo "Backing up SSH configuration files and host keys to /etc/ssh.orig..."
if [ ! -d /etc/ssh.orig ]; then
    mkdir -p /etc/ssh.orig
    cp /etc/ssh/* /etc/ssh.orig
fi
cd $TMPDIR
# Replace the installed SMCzlib package with the pre-built zlib 1.2.1 package
# for this Solaris release; the piped answers select "all" packages and
# confirm the installation with "y"
if [ "$OS" = "SunOS" -a "$VER" = "5.8" ]; then
    echo "y" | pkgrm SMCzlib
    echo "all\ny\n" | pkgadd -d zlib-1.2.1-sol8-sparc-local
fi
if [ "$OS" = "SunOS" -a "$VER" = "5.9" ]; then
    echo "y" | pkgrm SMCzlib
    echo "all\ny\n" | pkgadd -d zlib-1.2.1-sol9-sparc-local
fi
PATH=$PATH:/usr/local/bin:/usr/ccs/bin; export PATH
#cd $TMPDIR/openssl-0.9.7e
#echo "Deploying OpenSSL..."
#make install
#echo "Press a key \c"; read a_key
cd $TMPDIR/openssh-3.9p1
echo "Deploying OpenSSH..."
make install
#echo "Press a key \c"; read a_key
echo "Configuring OpenSSH..."
cp /etc/ssh/sshd_config.native_client /etc/ssh/sshd_config
cp /etc/ssh/ssh_config.native_client /etc/ssh/ssh_config
if [ "$OS" = "SunOS" ]; then
    echo "Setting up Solaris Run Control startup script..."
    [ -f /etc/rc3.d/S99openssh.server ] && rm -f /etc/rc3.d/S99openssh.server
    ln -s /etc/init.d/openssh.server /etc/rc3.d/S99openssh.server
fi
echo "Creating sshd privilege separation account..."
[ ! -d /var/empty ] && mkdir /var/empty
# match only a real "sshd" account, not any passwd line that contains the string
if [ -z "`grep '^sshd:' /etc/passwd`" ]
then
    echo "sshd:x:999:999::/var/empty:/bin/false" >>/etc/passwd
    echo "sshd::999:" >>/etc/group
    pwconv
fi
# Fix for "scp: FATAL: Executing ssh1 in compatibility mode failed"
[ ! -f /usr/local/bin/scp1 ] && ln -s /usr/local/bin/scp /usr/local/bin/scp1
[ ! -f /usr/bin/scp1 ] && ln -s /usr/local/bin/scp /usr/bin/scp1
echo "Restarting OpenSSH Server..."
[ -f /etc/rc3.d/S89sshd ] && mv /etc/rc3.d/S89sshd /etc/rc3.d/s89sshd
[ -f /etc/init.d/sshd ] && /etc/init.d/sshd stop
[ -f /etc/init.d/openssh.server ] && /etc/init.d/openssh.server stop
sleep 1
[ "$OS" = "Linux" ] && service sshd start
[ "$OS" = "SunOS" ] && /etc/init.d/openssh.server start
echo "..."
echo "OpenSSH Server deployment done."
echo "..."
--- End of Doc ---