User Commands ldap(1)
NAME
ldap - LDAP as a naming repository
DESCRIPTION
LDAP refers to Lightweight Directory Access Protocol, which is an industry standard for accessing directory servers. Byinitializing the client using ldapclient(1M) and using the
keyword ldap in the name service switch file,
/etc/nsswitch.conf, Oracle Solaris clients can obtain naminginformation from an LDAP server. Information such as user-
names, hostnames, and passwords are stored on the LDAPserver in a Directory Information Tree or DIT. The DIT con-
sists of entries which in turn are composed of attributes. Each attribute has a type and one or more values. Oracle Solaris LDAP clients use the LDAP v3 protocol to access naming information from LDAP servers. The LDAP server must support the object classes and attributes defined in RFC2307bis (draft), which maps the naming service model on to LDAP. As an alternate to using the schema defined in RFC2307bis (draft), the system can be configured to useother schema sets and the schema mapping feature is config-
ured to map between the two. Refer to the System Administra-
tion Guide: Naming and Directory Services (DNS, NIS, and LDAP) for more details.The ldapclient(1M) utility can make an Oracle Solaris
machine an LDAP client by setting up the appropriate direc-
tories, files, and configuration information. The LDAP client caches this configuration information in local cache files. This configuration information is accessed throughthe ldap_cachemgr(1M) daemon. This daemon also refreshes the
information in the configuration files from the LDAP server,providing better performance and security. The ldap_cachemgr
must run at all times for the proper operation of the naming services.There are two types of configuration information, the infor-
mation available through a profile, and the information con-
figured per client. The profile contains all the information as to how the client accesses the directory. The credential information for proxy user is configured on a per client basis and is not downloaded through the profile.The profile contains server-specific parameters that are
required by all clients to locate the servers for the desired LDAP domain. This information could be the server's IP address and the search base Distinguished Name (DN), forSunOS 5.11 Last change: 7 Jul 2010 1
User Commands ldap(1)
instance. It is configured on the client from the default profile during client initialization and is periodicallyupdated by the ldap_cachemgr daemon when the expiration time
has elapsed. Client profiles can be stored on the LDAP server and can beused by the ldapclient utility to initialize an LDAP client.
Using the client profile is the easiest way to configure aclient machine. See ldapclient(1M).
Credential information includes client-specific parameters
that are used by a client. This information could be the Bind DN (LDAP "login" name) of the client and the password. If these parameters are required, they are manually definedduring the initialization through ldapclient(1M).
The naming information is stored in containers on the LDAPserver. A container is a non-leaf entry in the DIT that con-
tains naming service information. Containers are similar to maps in NIS. A default mapping between the NIS databases and the containers in LDAP is presented below. The location of these containers as well as their names can be overriddenthrough the use of serviceSearchDescriptors. For more infor-
mation, see ldapclient(1M).
SunOS 5.11 Last change: 7 Jul 2010 2
User Commands ldap(1)
SunOS 5.11 Last change: 7 Jul 2010 3
User Commands ldap(1)
______________________________________________________________________
| Database | Object Class | Container ||____________________|____________________|___________________________|
| passwd | posixAccount | ou=people,dc=... | | | shadowAccount | ||____________________|____________________|___________________________|
| group | posixGroup | ou=Group,dc=... ||____________________|____________________|___________________________|
| services | ipService | ou=Services,dc=... ||____________________|____________________|___________________________|
| protocols | ipProtocol | ou=Protocols,dc=... ||____________________|____________________|___________________________|
| rpc | oncRpc | ou=Rpc,dc=... ||____________________|____________________|___________________________|
| hosts | ipHost | ou=Hosts,dc=... | | ipnodes | ipHost | ou=Hosts,dc=... ||____________________|____________________|___________________________|
| ethers | ieee802Device | ou=Ethers,dc=... ||____________________|____________________|___________________________|
| bootparams | bootableDevice | ou=Ethers,dc=... ||____________________|____________________|___________________________|
| networks | ipNetwork | ou=Networks,dc=... | | netmasks | ipNetwork | ou=Networks,dc=... ||____________________|____________________|___________________________|
| netgroup | nisNetgroup | ou=Netgroup,dc=... ||____________________|____________________|___________________________|
| aliases | mailGroup | ou=Aliases,dc=... ||____________________|____________________|___________________________|
| publickey | nisKeyObject | ||____________________|____________________|___________________________|
| generic | nisObject | nisMapName=...,dc=... ||____________________|____________________|___________________________|
| printers | printerService | ou=Printers,dc=... ||____________________|____________________|___________________________|
| auth_attr | SolarisAuthAttr | ou=SolarisAuthAttr,dc=...|
|____________________|____________________|___________________________|
| prof_attr | SolarisProfAttr | ou=SolarisProfAttr,dc=...|
|____________________|____________________|___________________________|
| exec_attr | SolarisExecAttr | ou=SolarisProfAttr,dc=...|
|____________________|____________________|___________________________|
| user_attr | SolarisUserAttr | ou=people,dc=... |
|____________________|____________________|___________________________|
The security model for clients is defined by a combination of the credential level to be used, the authentication method, and the PAM modules to be used. The credential leveldefines what credentials the client should use to authenti-
cate to the directory server, and the authentication method defines the method of choice. Both these can be set with multiple values. The Oracle Solaris LDAP supports theSunOS 5.11 Last change: 7 Jul 2010 4
User Commands ldap(1)
following values for credential level : anonymous proxy self The Oracle Solaris LDAP supports the following values for authentication method: none simplesasl/CRAM-MD5
sasl/DIGEST-MD5
sasl/GSSAPI tls:simple
tls:sasl/CRAM-MD5
tls:sasl/DIGEST-MD5
When the credential level is configured as self, DNS must be configured and the authentication method must besasl/GSSAPI. The hosts and ipnodes in /etc/nsswitch.conf must be configured to use DNS, for example hosts: dns files and ipnodes: dns files.
sasl/GSSAPI automatically uses GSSAPI confidentiality and integrity options, if they are configured on the directory server.
The credential level of self enables per-user naming service
lookups, or lookups that use the GSSAPI credentials of the user when connecting to the directory server. Currently the only GSSAPI mechanism supported in this model is Kerberos V5. Kerberos must be configured before you can use this credential level. See kerberos(5) for details. More protection can be provided by means of access control, allowing the server to grant access for certain containers or entries. Access control is specified by Access Control Lists (ACLs) that are defined and stored in the LDAP server. The Access Control Lists on the LDAP server are calledAccess Control Instructions (ACIs) by the the SunOne Direc-
tory Server. Each ACL or ACI specifies one or more directoryobjects, for example, the cn attribute in a specific con-
tainer, one or more clients to whom you grant or deny access, and one or more access rights that determine what the clients can do to or with the objects. Clients can be users or applications. Access rights can be specified asread and write, for example. Refer to the System Administra-
tion Guide: Naming and Directory Services (DNS, NIS, andSunOS 5.11 Last change: 7 Jul 2010 5
User Commands ldap(1)
LDAP) regarding the restrictions on ACLs and ACIs when using LDAP as a naming repository.A sample nsswitch.conf(4) file called nsswitch.ldap is pro-
vided in the /etc directory. This is copied to/etc/nsswitch.conf by the ldapclient(1M) utility. This file
uses LDAP as a repository for the different databases in the nsswitch.conf file. The following is a list of the user commands related to LDAP: idsconfig(1M) Prepares a SunOne Directory Server to be ready to support Solaris LDAP clients.ldapaddent(1M) Creates LDAP entries from corresponding
/etc files.ldapclient(1M) Initializes LDAP clients, or generates a
configuration profile to be stored in the directory.ldaplist(1) Lists the contents of the LDAP naming
space. FILES/var/ldap/ldap_client_cred Files that contain the LDAP
/var/ldap/ldap_client_file configuration of the client.
Do not manually modify these files. Their content is notguaranteed to be human read-
able. Use ldapclient(1M) to
update them. /etc/nsswitch.conf Configuration file for thename-service switch.
/etc/nsswitch.ldap Sample configuration file for
the name-service switch con-
figured with LDAP and files. /etc/pam.conf PAM framework configuration file.SunOS 5.11 Last change: 7 Jul 2010 6
User Commands ldap(1)
SEE ALSO
ldaplist(1), idsconfig(1M), ldap_cachemgr(1M),
ldapaddent(1M), ldapclient(1M), nsswitch.conf(4),
pam.conf(4), kerberos(5)pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_ldap(5), pam_passwd_auth(5), pam_unix_account(5),
pam_unix_auth(5), pam_unix_session(5)
System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) NOTESThe pam_unix(5) module is no longer supported. Similar func-
tionality is provided by pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
andpam_unix_session(5).
SunOS 5.11 Last change: 7 Jul 2010 7