Finally, I managed to integrate the SmartOS zone authentication with FreeIPA. I realise that finding the right information on this topic is rather hard; myself I ran over a lot of different sources of information on the web but without success for a long time.
I'm actually so happy about this that I couldn't wait to post this as the very first post on my new blog. And, guess what... it is even not that difficult at all to integrate SmartOS zones with FreeIPA.
These few steps presented here below start from the assumption that FreeIPA is installed and working properly and that Linux clients are able to authenticate against the FreeIPA server.
Now head over to a SmartOS zone to set up the ldapclient.
As stated in the FreeIPA documentation, it's advised to make sure that DNS is working properly and that the hostname of the zone is a FQDN (Fully Qualified Domain Name). However, I didn't try to figure out what happens when this advice is ignored.
First of all, edit
/etc/nsswitch.ldap files to make sure you have
"files dns" on the lines that start with
"ipnodes:". This is important otherwise this procedure wont work due to name resolution problems. During this procedure the
/etc/nsswitch.conf file will be overwritten with the contents of the
vi /etc/nsswitch.conf /etc/nsswitch.ldap
Next, obtain the CA certificate form the FreeIPA server via the FreeIPA GUI via the link https://ipa.example.com/ipa/ui/#/e/cert/details/1/cacn=ipa, and copy/paste it in /var/tmp/cert.pem. Where
ipa.example.com is supposed to be replaced by the host name of the FreeIPA server in your own domain.
Enable the LDAP client on the SmartOS zone, no need to install extra software it is already available although disabled by default.
svcadm enable svc:/network/ldap/client:default
Verify if you can still ping the FreeIPA server by using it's hostname. If not verify the
/etc/resolv.conf file, and see if nslookup resolves the FreeIPA server hostname.
Get this sorted out first in case of any issues here.
cd /var/ldap rm key3.db secmod.db cert8.db certutil -N -d /var/ldap
Enter twice an empty password at the prompt of the last command.
certutil -A -d /var/ldap -n "Example root CA" -i /var/tmp/cert.pem -a -t CT ldapclient -v init -a profileName=default \ -a domainname=example.com \ -a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \ -a proxyPassword="strongPassword" \ 192.168.20.10
192.168.20.10 is the IP address of the FreeIPA server.
The proxyPassword is literally "strongPassword" for this proxy account.
svcadm enable svc:/system/name-service-cache
That's all, as from now you should be able to authenticate with a user that is defined in the FreeIPA server, under the assumption that the FreeIPA default roles and access rules are still applicable (allows any user on any host).