Chapter 18

LDAP General Reference (Reference)

This chapter covers the following topics.

  1. Blank Checklists

  2. Upgrade Information

  3. LDAP Commands

  4. Example pam.conf File for pam_ldap

  5. IETF Schemas

  6. Directory User Agent Profile (DUAProfile) Schema

  7. Solaris Schemas

  8. Internet Print Protocol Information

  9. Generic Directory Server Requirements

  10. Default Filters Used by LDAP Naming Services

Blank Checklists

Table 18-1 Server Variable Definitions

Variable                                                                     Definition for _______ Network
---------------------------------------------------------------------------  ------------------------------
Port number at which an instance of the directory server is installed (389)  ______________________________
Name of server                                                               ______________________________
Replica server(s) (IP number:port number)                                    ______________________________
Directory manager [dn: cn=directory manager]                                 ______________________________
Domain name to be served                                                     ______________________________
Maximum time (in seconds) to process client requests before timing out       ______________________________
Maximum number of entries returned for each search request                   ______________________________

Table 18-2 Client Profile Variable Definitions

Variable                                                                                              Definition for ________ Network
----------------------------------------------------------------------------------------------------  -------------------------------
Profile name                                                                                          _______________________________
Server list (defaults to the local subnet)                                                            _______________________________
Preferred server list (listed in order of which server to try first, second, and so on)               _______________________________
Search scope (number of levels down through the directory tree: 'One' or 'Sub')                       _______________________________
Credential used to gain access to the server (the default is anonymous)                               _______________________________
Follow referrals? (a pointer to another server if the main server is unavailable; the default is no)  _______________________________
Search time limit (in seconds, default 30) for waiting for the server to return information           _______________________________
Bind time limit (in seconds, default 30) for contacting the server. The default is seconds.           _______________________________
Authentication method (the default is none)                                                           _______________________________

Upgrade Information

Solaris 9 clients are compatible with directory servers set up to serve Solaris 9 clients. ldapclient(1M) can download such a profile and configure the client using version 1 profiles. To take advantage of new features built into Solaris 9 and to use the new security model, you must use version 2 profiles.

Servers can serve a mix of both old and new clients so that both clients see the same results from the server as long as schema mapping is not enabled and version 2 profiles are not configured to use special filters in serviceSearchDescriptors. Obviously if the server is not using the default schema, older clients cannot use that server as Solaris 9 clients cannot arbitrarily map their schema.

One additional change concerns ldap_cachemgr(1M). Previously, running ldap_cachemgr on Solaris naming clients was recommended but optional. ldap_cachemgr must now be running at all times; the daemon is required for the client to function properly.

New automount Schema

By default, Solaris 9 uses a new schema for automount entries instead of the generic NIS map schema that Solaris 8 clients used. This means that if you set up a server with Solaris 9 tools, Solaris 8 clients cannot see the automount entries. For sites where the server being set up is to serve both Solaris 8 and Solaris 9 clients, a profile can be created to map the schema to the old one before adding automounter entries. This ensures that ldapaddent(1M) adds the entries using the old schema. However, note that this also means that all Solaris 9 clients must use a profile where the schema for automount is mapped.

You need to add the following mapping attributes to your profile for this mapping to take effect.

attributeMap:   automount:automountMapName=nisMapName
attributeMap:   automount:automountKey=cn
attributeMap:   automount:automountInformation=nisMapEntry
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
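To show what these five mapping lines actually do to an entry, the following Python script is an added illustration, not part of the Solaris documentation or of ldapclient/ldapaddent. It parses the attributeMap and objectclassMap lines in the single attribute=attribute form shown above, applies them to a constructed Solaris 9-style automount entry (the DN, the alice/auto_home values and the dc=example,dc=com suffix are all made up), and prints the LDIF that a client using the mapped profile would write in the old nisMap/nisObject schema.

```python
"""Apply LDAP naming-service schema mapping to an automount entry.

Added example, not Solaris code: a simplified reimplementation of the
attributeMap/objectclassMap semantics from the client profile above.
All inputs below are constructed sample data.
"""
import re

# Constructed copy of the five profile attributes given in the text.
PROFILE_MAPPING = """\
attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountKey=cn
attributeMap: automount:automountInformation=nisMapEntry
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
"""

# Only the simple "service:src=dst" form shown on the page is handled.
_LINE = re.compile(r"^(attributeMap|objectclassMap):\s*(\w+):(\w+)=(\w+)\s*$")


def parse_mapping(text):
    """Return {service: {'attr': {src: dst}, 'oc': {src: dst}}}.

    Source names are lower-cased because LDAP attribute and object class
    names are case-insensitive."""
    maps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed mapping line: %r" % line)
        kind, service, src, dst = m.groups()
        svc = maps.setdefault(service, {"attr": {}, "oc": {}})
        svc["attr" if kind == "attributeMap" else "oc"][src.lower()] = dst
    return maps


def map_entry(entry, mapping, service):
    """Rewrite {attr: [values]} from the default schema into the mapped
    schema for `service`; unmapped attributes and classes pass through."""
    svc = mapping.get(service, {"attr": {}, "oc": {}})
    out = {}
    for attr, values in entry.items():
        key = attr.lower()
        if key == "objectclass":
            out["objectClass"] = [svc["oc"].get(v.lower(), v) for v in values]
        else:
            out[svc["attr"].get(key, attr)] = list(values)
    return out


def map_dn(dn, mapping, service):
    """Map the attribute names used in each RDN; the container naming
    changes too, which is why old and new clients cannot share entries."""
    svc = mapping.get(service, {"attr": {}})
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attr = attr.strip()
        parts.append("%s=%s" % (svc["attr"].get(attr.lower(), attr), value))
    return ",".join(parts)


def to_ldif(dn, entry):
    """Serialise one entry as LDIF (no base64 handling, ASCII values only)."""
    lines = ["dn: " + dn]
    for attr, values in entry.items():
        lines.extend("%s: %s" % (attr, v) for v in values)
    return "\n".join(lines) + "\n"


# Constructed Solaris 9-style automount entry for a user's home directory.
SAMPLE_DN = "automountKey=alice,automountMapName=auto_home,ou=automount,dc=example,dc=com"
SAMPLE_ENTRY = {
    "objectClass": ["top", "automount"],
    "automountKey": ["alice"],
    "automountInformation": ["nfs-server:/export/home/alice"],
}


def mapped_ldif():
    """Return the sample entry rewritten into the old nisMap/nisObject schema."""
    mapping = parse_mapping(PROFILE_MAPPING)
    return to_ldif(map_dn(SAMPLE_DN, mapping, "automount"),
                   map_entry(SAMPLE_ENTRY, mapping, "automount"))


if __name__ == "__main__":
    print(mapped_ldif())
```

Running the script prints the entry with cn, nisMapName and nisMapEntry in place of the automount attributes and nisObject in place of the automount object class, which is the form a Solaris 8 client expects to find in the directory.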

LDAP Commands

There are two sets of LDAP-related commands in the Solaris operating environment. One set is the general LDAP tools, which do not require the client to be configured with LDAP naming services. The second set uses the common LDAP configuration on the client and therefore can only be used if the client is configured to use LDAP as its naming service.

General LDAP Tools

LDAP command-line tools support a common set of options, including authentication and bind parameters.

These commands can be used to manipulate directory entries directly. The ldapsearch(1), ldapmodify(1), ldapadd(1), and ldapdelete(1) tools support a common text-based format for representing directory information called the LDAP Data Interchange Format (LDIF).

LDAP Tools Requiring LDAP Naming Services

Table 18-3 Tools (From Section 1 Man Pages)

Tool            Function
--------------  ----------------------------------------------------------------
ldapaddent(1M)  Used to create entries in LDAP containers from the corresponding
                /etc files. This tool allows populating the directory from files.
                For example, it reads an /etc/passwd-format file and populates
                passwd entries in the directory.
ldaplist(1)     Used to list contents of various services from the directory.
idsconfig(1M)   Used to set up Sun ONE Directory Server to serve LDAP naming
                service clients.

Example pam.conf File for pam_ldap

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth required           pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_authtok_get.so.1
rsh     auth required           pam_dhkeys.so.1
rsh     auth sufficient         pam_unix_auth.so.1
rsh     auth required           pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth required           pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1  try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password required       pam_authtok_get.so.1
other   password required       pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
other   password required       pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass
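To make the control-flag semantics of the file above concrete, here is an added Python example that is not part of the Solaris documentation. It parses pam.conf lines, selects the auth stack for a service (falling back to other as PAM does), and walks it with the classic required/requisite/sufficient/optional rules, reporting whether authentication succeeds and which modules were consulted. Module outcomes come from a constructed dictionary rather than from real PAM modules; the embedded login and other lines are copied from the example file above. It also includes a small check for pam_ldap auth lines missing try_first_pass.

```python
"""Simulate a Solaris pam.conf authentication stack.

Added example, not Solaris code: parses pam.conf lines and walks an auth
stack with the classic control-flag semantics to show which modules a
login actually consults. Outcomes are a constructed simulation; nothing
here talks to PAM or to an LDAP server.
"""

# Constructed excerpt of the login and default auth stacks shown in the text.
SAMPLE_PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1 try_first_pass
# default definitions, used when the service name is not listed
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 try_first_pass
"""


def parse_pam_conf(text):
    """Return a list of (service, type, control, module, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        entries.append((service, mtype, control, module, fields[4:]))
    return entries


def stack_for(entries, service, mtype="auth"):
    """Select the stack for `service`, falling back to 'other' as PAM does."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    if own:
        return own
    return [e for e in entries if e[0] == "other" and e[1] == mtype]


def evaluate(stack, outcomes):
    """Walk the stack in order.

    `outcomes` maps module name -> True/False; modules not listed are
    assumed to succeed (pam_authtok_get, for instance, only collects the
    password). Returns (authenticated, modules_consulted)."""
    consulted = []
    required_failed = False
    for _service, _type, control, module, _opts in stack:
        consulted.append(module)
        ok = outcomes.get(module, True)
        if control == "requisite" and not ok:
            return False, consulted          # fatal: stop immediately
        if control == "required" and not ok:
            required_failed = True           # fatal, but the walk continues
        if control == "sufficient" and ok and not required_failed:
            return True, consulted           # enough: later modules skipped
        # optional: ignored here because every stack above has decisive modules
    return not required_failed, consulted


def lint(entries):
    """Flag pam_ldap auth lines lacking try_first_pass; without it the module
    prompts for the password again after pam_authtok_get already collected it."""
    return [e for e in entries
            if e[1] == "auth" and e[3].startswith("pam_ldap")
            and "try_first_pass" not in e[4]]


def demo():
    """Run the three login scenarios a practitioner usually wants to see."""
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    login = stack_for(entries, "login")
    return {
        # local account, correct password: pam_ldap is never consulted
        "local_user": evaluate(login, {"pam_unix_auth.so.1": True}),
        # LDAP-only account: sufficient pam_unix_auth fails, pam_ldap decides
        "ldap_user": evaluate(login, {"pam_unix_auth.so.1": False,
                                      "pam_ldap.so.1": True}),
        # wrong password everywhere: denied after the whole stack ran
        "bad_password": evaluate(login, {"pam_unix_auth.so.1": False,
                                         "pam_ldap.so.1": False}),
    }


if __name__ == "__main__":
    for name, (ok, used) in demo().items():
        print("%-12s %-6s consulted: %s" % (name, "ok" if ok else "denied", " ".join(used)))
```

Two points the walk makes visible: a local user whose pam_unix_auth succeeds never reaches pam_ldap, and an LDAP-only user passes through the failed sufficient entry and is decided by pam_ldap. A failure of a required module such as pam_dial_auth before the sufficient entry does not stop the walk; the remaining modules still run and the final answer is denial, so the stack reveals nothing early about which module failed.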
