ldap(1)                          User Commands                         ldap(1)

NAME

       ldap - LDAP as a naming repository


DESCRIPTION

       LDAP refers to Lightweight Directory Access Protocol, which is an
       industry standard for accessing directory servers. By initializing the
       client using ldapclient(1M) and using the keyword ldap in the name
       service switch file, /etc/nsswitch.conf, Solaris clients can obtain
       naming information from an LDAP server. Information such as usernames,
       hostnames, and passwords is stored on the LDAP server in a Directory
       Information Tree or DIT. The DIT consists of entries which in turn are
       composed of attributes. Each attribute has a type and one or more
       values.


       Solaris LDAP clients use the LDAP v3 protocol to access naming
       information from LDAP servers. The LDAP server must support the object
       classes and attributes defined in RFC2307bis (draft), which maps the
       naming service model onto LDAP. As an alternative to using the schema
       defined in RFC2307bis (draft), the system can be configured to use
       other schema sets, and the schema mapping feature is configured to map
       between the two. Refer to the System Administration Guide: Naming and
       Directory Services (DNS, NIS, and LDAP) for more details.


       The ldapclient(1M) utility can make a Solaris machine an LDAP client by
       setting up the appropriate directories, files, and configuration
       information. The LDAP client caches this configuration information in
       local cache files. This configuration information is accessed through
       the ldap_cachemgr(1M) daemon. This daemon also refreshes the
       information in the configuration files from the LDAP server, providing
       better performance and security. The ldap_cachemgr daemon must run at
       all times for the proper operation of the naming services.


       There are two types of configuration information: the information
       available through a profile, and the information configured per client.
       The profile contains all the information about how the client accesses
       the directory. The credential information for the proxy user is
       configured on a per-client basis and is not downloaded through the
       profile.


       The profile contains server-specific parameters that are required by
       all clients to locate the servers for the desired LDAP domain. This
       information could be the server's IP address and the search base
       Distinguished Name (DN), for instance. It is configured on the client
       from the default profile during client initialization and is
       periodically updated by the ldap_cachemgr daemon when the expiration
       time has elapsed.


       Client profiles can be stored on the LDAP server and can be used by the
       ldapclient utility to initialize an LDAP client. Using the client
       profile is the easiest way to configure a client machine. See
       ldapclient(1M).


       Credential information includes client-specific parameters that are
       used by a client. This information could be the Bind DN (LDAP "login"
       name) of the client and the password. If these parameters are required,
       they are manually defined during the initialization through
       ldapclient(1M).


       The naming information is stored in containers on the LDAP server. A
       container is a non-leaf entry in the DIT that contains naming service
       information. Containers are similar to maps in NIS and tables in NIS+.
       A default mapping between the NIS databases and the containers in LDAP
       is presented below. The location of these containers as well as their
       names can be overridden through the use of serviceSearchDescriptors.
       For more information, see ldapclient(1M).


       ┌────────────────────┬────────────────────┬───────────────────────────┐
       │     Database       │   Object Class     │         Container         │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │passwd              │posixAccount        │ ou=people,dc=...          │
       │                    │shadowAccount       │                           │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │group               │posixGroup          │ ou=Group,dc=...           │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │services            │ipService           │ ou=Services,dc=...        │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │protocols           │ipProtocol          │ ou=Protocols,dc=...       │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │rpc                 │oncRpc              │ ou=Rpc,dc=...             │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │hosts               │ipHost              │ ou=Hosts,dc=...           │
       │ipnodes             │ipHost              │ ou=Hosts,dc=...           │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │ethers              │ieee802Device       │ ou=Ethers,dc=...          │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │bootparams          │bootableDevice      │ ou=Ethers,dc=...          │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │networks            │ipNetwork           │ ou=Networks,dc=...        │
       │netmasks            │ipNetwork           │ ou=Networks,dc=...        │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │netgroup            │nisNetgroup         │ ou=Netgroup,dc=...        │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │aliases             │mailGroup           │ ou=Aliases,dc=...         │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │publickey           │nisKeyObject        │                           │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │generic             │nisObject           │ nisMapName=...,dc=...     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │printers            │printerService      │ ou=Printers,dc=...        │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │auth_attr           │SolarisAuthAttr     │ ou=SolarisAuthAttr,dc=... │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │prof_attr           │SolarisProfAttr     │ ou=SolarisProfAttr,dc=... │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │exec_attr           │SolarisExecAttr     │ ou=SolarisProfAttr,dc=... │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │user_attr           │SolarisUserAttr     │ ou=people,dc=...          │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │audit_user          │SolarisAuditUser    │ ou=people,dc=...          │
       └────────────────────┴────────────────────┴───────────────────────────┘


       The security model for clients is defined by a combination of the
       credential level to be used, the authentication method, and the PAM
       modules to be used. The credential level defines what credentials the
       client should use to authenticate to the directory server, and the
       authentication method defines the method of choice. Both of these can
       be set with multiple values. Solaris LDAP supports the following values
       for credential level:
         anonymous
         proxy
         self


       Solaris LDAP supports the following values for authentication method:
         none
         simple
         sasl/CRAM-MD5
         sasl/DIGEST-MD5
         sasl/GSSAPI
         tls:simple
         tls:sasl/CRAM-MD5
         tls:sasl/DIGEST-MD5


       When the credential level is configured as self, DNS must be configured
       and the authentication method must be sasl/GSSAPI. The hosts and
       ipnodes entries in /etc/nsswitch.conf must be configured to use DNS,
       for example hosts: dns files and ipnodes: dns files.


       sasl/GSSAPI automatically uses GSSAPI confidentiality and integrity
       options, if they are configured on the directory server.


       The credential level of self enables per-user naming service lookups,
       or lookups that use the GSSAPI credentials of the user when connecting
       to the directory server. Currently the only GSSAPI mechanism supported
       in this model is Kerberos V5. Kerberos must be configured before you
       can use this credential level. See kerberos(5) for details.


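       The credential-level rules above and the database-to-container table
       can be turned into a small pre-flight check for a client configuration.
       The Python below is an added example, not part of this man page or of
       Solaris; the function names and the sample nsswitch.conf text are
       constructed, and the filter builder covers only a few databases from
       the table, using the primary object class of each.

```python
# Added example, not from the man page: encodes the credential-level and
# authentication-method rules stated above and part of the database to
# container table. Function names and sample nsswitch.conf text are constructed.

CREDENTIAL_LEVELS = {"anonymous", "proxy", "self"}
AUTH_METHODS = {"none", "simple", "sasl/CRAM-MD5", "sasl/DIGEST-MD5", "sasl/GSSAPI",
                "tls:simple", "tls:sasl/CRAM-MD5", "tls:sasl/DIGEST-MD5"}

# database -> (primary object class, container RDN prepended to the base DN)
CONTAINERS = {"passwd": ("posixAccount", "ou=people"),
              "group": ("posixGroup", "ou=Group"),
              "hosts": ("ipHost", "ou=Hosts"),
              "ipnodes": ("ipHost", "ou=Hosts"),
              "netgroup": ("nisNetgroup", "ou=Netgroup")}


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf-style lines."""
    switch = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            switch[db.strip()] = sources.split()
    return switch


def check_security_model(cred_levels, auth_methods, nsswitch_text):
    """Return the list of rule violations; an empty list means allowed."""
    problems = [f"unknown credential level: {c}"
                for c in cred_levels if c not in CREDENTIAL_LEVELS]
    problems += [f"unknown authentication method: {a}"
                 for a in auth_methods if a not in AUTH_METHODS]
    if "self" in cred_levels:
        # per-user lookups ride on the user's Kerberos V5 (GSSAPI) credentials
        if set(auth_methods) != {"sasl/GSSAPI"}:
            problems.append("credential level self requires sasl/GSSAPI")
        switch = parse_nsswitch(nsswitch_text)
        for db in ("hosts", "ipnodes"):
            if "dns" not in switch.get(db, []):
                problems.append(f"{db} must list dns in nsswitch.conf for self")
    return problems


def escape_filter_value(value):
    """RFC 4515 escaping so a lookup key cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def search_params(database, base_dn, key_attr, key):
    """(search base, filter) a client would use for one naming-service lookup."""
    obj_class, container = CONTAINERS[database]
    flt = f"(&(objectClass={obj_class})({key_attr}={escape_filter_value(key)}))"
    return f"{container},{base_dn}", flt
```

       Running check_security_model(["self"], ["simple"], ...) reports the
       sasl/GSSAPI requirement, and search_params("passwd", ...) yields the
       ou=people search base and a posixAccount filter with the key escaped.
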
       More protection can be provided by means of access control, allowing
       the server to grant access for certain containers or entries. Access
       control is specified by Access Control Lists (ACLs) that are defined
       and stored in the LDAP server. The Access Control Lists on the LDAP
       server are called Access Control Instructions (ACIs) by the SunOne
       Directory Server. Each ACL or ACI specifies one or more directory
       objects, for example, the cn attribute in a specific container, one or
       more clients to whom you grant or deny access, and one or more access
       rights that determine what the clients can do to or with the objects.
       Clients can be users or applications. Access rights can be specified as
       read and write, for example. Refer to the System Administration Guide:
       Naming and Directory Services (DNS, NIS, and LDAP) regarding the
       restrictions on ACLs and ACIs when using LDAP as a naming repository.


       A sample nsswitch.conf(4) file called nsswitch.ldap is provided in the
       /etc directory. This is copied to /etc/nsswitch.conf by the
       ldapclient(1M) utility. This file uses LDAP as a repository for the
       different databases in the nsswitch.conf file.


       The following is a list of the user commands related to LDAP:

       idsconfig(1M)     Prepares a SunOne Directory Server to be ready to
                         support Solaris LDAP clients.


       ldapaddent(1M)    Creates LDAP entries from corresponding /etc files.


       ldapclient(1M)    Initializes LDAP clients, or generates a
                         configuration profile to be stored in the directory.


       ldaplist(1)       Lists the contents of the LDAP naming space.



FILES

       /var/ldap/ldap_client_cred    Files that contain the LDAP configuration
       /var/ldap/ldap_client_file    of the client. Do not manually modify
                                     these files. Their content is not
                                     guaranteed to be human readable. Use
                                     ldapclient(1M) to update them.


       /etc/nsswitch.conf            Configuration file for the name-service
                                     switch.


       /etc/nsswitch.ldap            Sample configuration file for the name-
                                     service switch configured with LDAP and
                                     files.


       /etc/pam.conf                 PAM framework configuration file.



SEE ALSO

       ldaplist(1), idsconfig(1M), ldap_cachemgr(1M), ldapaddent(1M),
       ldapclient(1M), nsswitch.conf(4), pam.conf(4), kerberos(5),
       pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
       pam_dhkeys(5), pam_ldap(5), pam_passwd_auth(5), pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5)


       System Administration Guide: Naming and Directory Services (DNS, NIS,
       and LDAP)


NOTES

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).



SunOS 5.11                        28 Aug 2006                          ldap(1)