Finally, I managed to integrate the SmartOS zone authentication with FreeIPA. I realise that finding the right information on this topic is rather hard; myself I ran over a lot of different sources of information on the web but without success for a long time.

I'm actually so happy about this that I couldn't wait to post this as the very first post on my new blog. And, guess what... it is even not that difficult at all to integrate SmartOS zones with FreeIPA.

These few steps presented here below start from the assumption that FreeIPA is installed and working properly and that Linux clients are able to authenticate against the FreeIPA server.

Now head over to a SmartOS zone to set up the ldapclient.

As stated in the FreeIPA documentation, it's advised to make sure that DNS is working properly and that the hostname of the zone is a FQDN (Fully Qualified Domain Name). However, I didn't try to figure out what happens when this advice is ignored.

First of all, edit /etc/nsswitch.conf and /etc/nsswitch.ldap files to make sure you have "files dns" on the lines that start with "hosts:" and "ipnodes:". This is important otherwise this procedure wont work due to name resolution problems. During this procedure the /etc/nsswitch.conf file will be overwritten with the contents of the /etc/nsswitch.ldap file.

vi /etc/nsswitch.conf /etc/nsswitch.ldap

Next, obtain the CA certificate form the FreeIPA server via the FreeIPA GUI via the link, and copy/paste it in /var/tmp/cert.pem. Where is supposed to be replaced by the host name of the FreeIPA server in your own domain.

Enable the LDAP client on the SmartOS zone, no need to install extra software it is already available although disabled by default.

svcadm enable svc:/network/ldap/client:default

Verify if you can still ping the FreeIPA server by using it's hostname. If not verify the /etc/resolv.conf file, and see if nslookup resolves the FreeIPA server hostname.


Get this sorted out first in case of any issues here.

cd /var/ldap
rm key3.db secmod.db cert8.db
certutil -N -d /var/ldap

Enter twice an empty password at the prompt of the last command.

certutil -A -d /var/ldap -n "Example root CA" -i /var/tmp/cert.pem -a -t CT

ldapclient -v init -a profileName=default \
-a \
-a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
-a proxyPassword="strongPassword"  \

Where is the IP address of the FreeIPA server.
The proxyPassword is literally "strongPassword" for this proxy account.

svcadm enable svc:/system/name-service-cache

That's all, as from now you should be able to authenticate with a user that is defined in the FreeIPA server, under the assumption that the FreeIPA default roles and access rules are still applicable (allows any user on any host).