ldap(1)                         User Commands                         ldap(1)



NAME
     ldap - LDAP as a naming repository

DESCRIPTION
     LDAP refers to Lightweight Directory Access Protocol, which is an
     industry standard for accessing directory servers. By initializing the
     client using ldapclient(1M) and using the keyword ldap in the name
     service switch file, /etc/nsswitch.conf, Solaris clients can obtain
     naming information from an LDAP server. Information such as usernames,
     hostnames, and passwords is stored on the LDAP server in a Directory
     Information Tree or DIT. The DIT consists of entries which in turn are
     composed of attributes. Each attribute has a type and one or more
     values.


     Solaris LDAP clients use the LDAP v3 protocol to access naming
     information from LDAP servers. The LDAP server must support the object
     classes and attributes defined in RFC2307bis (draft), which maps the
     naming service model on to LDAP. As an alternative to using the schema
     defined in RFC2307bis (draft), the system can be configured to use
     other schema sets, and the schema mapping feature is configured to map
     between the two. Refer to the System Administration Guide: Naming and
     Directory Services (DNS, NIS, and LDAP) for more details.


     The ldapclient(1M) utility can make a Solaris machine an LDAP client by
     setting up the appropriate directories, files, and configuration
     information. The LDAP client caches this configuration information in
     local cache files. This configuration information is accessed through
     the ldap_cachemgr(1M) daemon. This daemon also refreshes the
     information in the configuration files from the LDAP server, providing
     better performance and security. The ldap_cachemgr must run at all
     times for the proper operation of the naming services.


     There are two types of configuration information: the information
     available through a profile, and the information configured per
     client. The profile contains all the information as to how the client
     accesses the directory. The credential information for the proxy user
     is configured on a per-client basis and is not downloaded through the
     profile.


     The profile contains server-specific parameters that are required by
     all clients to locate the servers for the desired LDAP domain. This
     information could be the server's IP address and the search base
     Distinguished Name (DN), for instance. It is configured on the client
     from the default profile during client initialization and is
     periodically updated by the ldap_cachemgr daemon when the expiration
     time has elapsed.


     Client profiles can be stored on the LDAP server and can be used by
     the ldapclient utility to initialize an LDAP client. Using the client
     profile is the easiest way to configure a client machine. See
     ldapclient(1M).


     Credential information includes client-specific parameters that are
     used by a client. This information could be the Bind DN (LDAP "login"
     name) of the client and the password. If these parameters are
     required, they are manually defined during the initialization through
     ldapclient(1M).


     The naming information is stored in containers on the LDAP server. A
     container is a non-leaf entry in the DIT that contains naming service
     information. Containers are similar to maps in NIS and tables in NIS+.
     A default mapping between the NIS databases and the containers in LDAP
     is presented below. The location of these containers as well as their
     names can be overridden through the use of serviceSearchDescriptors.
     For more information, see ldapclient(1M).


     ┌────────────────────┬────────────────────┬───────────────────────────┐
     │ Database           │ Object Class       │ Container                 │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │passwd              │posixAccount        │ ou=people,dc=...          │
     │                    │shadowAccount       │                           │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │group               │posixGroup          │ ou=Group,dc=...           │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │services            │ipService           │ ou=Services,dc=...        │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │protocols           │ipProtocol          │ ou=Protocols,dc=...       │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │rpc                 │oncRpc              │ ou=Rpc,dc=...             │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │hosts               │ipHost              │ ou=Hosts,dc=...           │
     │ipnodes             │ipHost              │ ou=Hosts,dc=...           │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │ethers              │ieee802Device       │ ou=Ethers,dc=...          │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │bootparams          │bootableDevice      │ ou=Ethers,dc=...          │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │networks            │ipNetwork           │ ou=Networks,dc=...        │
     │netmasks            │ipNetwork           │ ou=Networks,dc=...        │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │netgroup            │nisNetgroup         │ ou=Netgroup,dc=...        │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │aliases             │mailGroup           │ ou=Aliases,dc=...         │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │publickey           │nisKeyObject        │                           │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │generic             │nisObject           │ nisMapName=...,dc=...     │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │printers            │printerService      │ ou=Printers,dc=...        │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │auth_attr           │SolarisAuthAttr     │ ou=SolarisAuthAttr,dc=... │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │prof_attr           │SolarisProfAttr     │ ou=SolarisProfAttr,dc=... │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │exec_attr           │SolarisExecAttr     │ ou=SolarisProfAttr,dc=... │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │user_attr           │SolarisUserAttr     │ ou=people,dc=...          │
     ├────────────────────┼────────────────────┼───────────────────────────┤
     │audit_user          │SolarisAuditUser    │ ou=people,dc=...          │
     └────────────────────┴────────────────────┴───────────────────────────┘
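     The table above gives the container and object classes for each
     database; the script below, an added example that is not part of the
     ldap(1) man page or of Solaris, shows the mapping in the direction the
     naming service applies it. It parses constructed LDIF for two
     posixAccount entries under ou=people and emits the passwd(4) and
     shadow(4) lines they correspond to. The LDIF parser, the sample entries
     and the placeholder hash are all constructed for the example; the
     second entry has no shadowAccount class, so no shadow line exists for
     it.

```python
"""Map RFC 2307-style directory entries to passwd(4)/shadow(4) lines.

Added example, not from the ldap(1) man page: a minimal LDIF parser and
the posixAccount/shadowAccount -> passwd/shadow mapping the naming service
performs for the passwd database. All sample data is constructed.
"""
from collections import defaultdict

# Constructed LDIF: two entries under the default passwd container. The
# second entry deliberately lacks shadowAccount; the hash is a placeholder.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/ksh
userPassword: {crypt}$5$saltsalt$placeholderhash
shadowLastChange: 19000
shadowMax: 90

dn: uid=svc,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: svc
cn: Service Account
uidNumber: 2001
gidNumber: 200
homeDirectory: /var/svc
loginShell: /bin/false
"""

# shadow(4) fields after the password, in file order (lower-cased types).
SHADOW_ATTRS = ("shadowlastchange", "shadowmin", "shadowmax", "shadowwarning",
                "shadowinactive", "shadowexpire", "shadowflag")


def parse_ldif(text):
    """Parse LDIF into a list of {attribute_type: [values]} dicts.

    Attribute types are lower-cased (LDAP treats them case-insensitively).
    Handles blank-line separators, '#' comments and folded continuation
    lines; base64 ('::') values are out of scope for this example.
    """
    entries, pending = [], []

    def flush():
        if pending:
            entry = defaultdict(list)
            for line in pending:
                attr, _, value = line.partition(":")
                entry[attr.strip().lower()].append(value.strip())
            entries.append(entry)
            pending.clear()

    for raw in text.splitlines():
        if raw.startswith(" ") and pending:
            pending[-1] += raw[1:]      # folded line continues previous value
        elif not raw.strip():
            flush()
        elif not raw.startswith("#"):
            pending.append(raw)
    flush()
    return entries


def has_class(entry, object_class):
    """True if the entry carries the given objectClass (case-insensitive)."""
    return object_class.lower() in (c.lower() for c in entry.get("objectclass", []))


def _first(entry, attr, default=""):
    """First value of a (possibly multi-valued) attribute, or default."""
    values = entry.get(attr)
    return values[0] if values else default


def to_passwd_line(entry):
    """posixAccount -> 'name:x:uid:gid:gecos:home:shell'; hash lives in shadow."""
    if not has_class(entry, "posixAccount"):
        raise ValueError("entry is not a posixAccount")
    gecos = _first(entry, "gecos") or _first(entry, "cn")
    return ":".join([_first(entry, "uid"), "x", _first(entry, "uidnumber"),
                     _first(entry, "gidnumber"), gecos,
                     _first(entry, "homedirectory"), _first(entry, "loginshell")])


def to_shadow_line(entry):
    """shadowAccount -> shadow(4) line, or None when the class is absent.

    A '{crypt}' scheme prefix on userPassword is stripped so the field holds
    the bare crypt string that shadow(4) expects.
    """
    if not has_class(entry, "shadowAccount"):
        return None
    pw = _first(entry, "userpassword")
    if pw.lower().startswith("{crypt}"):
        pw = pw[len("{crypt}"):]
    return ":".join([_first(entry, "uid"), pw] + [_first(entry, a) for a in SHADOW_ATTRS])


def export(text):
    """Return (passwd_lines, shadow_lines) for every posixAccount in the LDIF."""
    entries = [e for e in parse_ldif(text) if has_class(e, "posixAccount")]
    passwd = [to_passwd_line(e) for e in entries]
    shadow = [s for s in (to_shadow_line(e) for e in entries) if s is not None]
    return passwd, shadow
```

     Running export(SAMPLE_LDIF) yields one passwd line per entry but a
     shadow line only for alice; an entry that is a posixAccount without
     shadowAccount has no password ageing data to export, which is the
     case the table's two-class passwd row is describing.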


     The security model for clients is defined by a combination of the
     credential level to be used, the authentication method, and the PAM
     modules to be used. The credential level defines what credentials the
     client should use to authenticate to the directory server, and the
     authentication method defines the method of choice. Both these can be
     set with multiple values. The Solaris LDAP supports the following
     values for credential level:
          anonymous
          proxy
          self


     The Solaris LDAP supports the following values for authentication
     method:
          none
          simple
          sasl/CRAM-MD5
          sasl/DIGEST-MD5
          sasl/GSSAPI
          tls:simple
          tls:sasl/CRAM-MD5
          tls:sasl/DIGEST-MD5


     When the credential level is configured as self, DNS must be configured
     and the authentication method must be sasl/GSSAPI. The hosts and
     ipnodes in /etc/nsswitch.conf must be configured to use DNS, for
     example hosts: dns files and ipnodes: dns files.


     sasl/GSSAPI automatically uses GSSAPI confidentiality and integrity
     options, if they are configured on the directory server.


     The credential level of self enables per-user naming service lookups,
     or lookups that use the GSSAPI credentials of the user when connecting
     to the directory server. Currently the only GSSAPI mechanism supported
     in this model is Kerberos V5. Kerberos must be configured before you
     can use this credential level. See kerberos(5) for details.
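     The constraints above (a credential level of self requires
     sasl/GSSAPI and DNS-resolved hosts and ipnodes; the ldap keyword must
     appear in nsswitch.conf) can be checked mechanically. The Python below
     is an added example, not part of this man page or of Solaris. The
     key=value client file format and the nsswitch.conf fragments are
     constructed for the example (the real /var/ldap files are not
     documented as human readable), and the extra finding for proxy with a
     plain simple bind reflects the fact that a simple bind without TLS
     sends the proxy password unencrypted.

```python
"""Check a Solaris LDAP client's security settings against the constraints
described in ldap(1). Added example, not part of the man page or of Solaris.
The key=value client format and the nsswitch.conf fragments are constructed.
"""

CREDENTIAL_LEVELS = {"anonymous", "proxy", "self"}
AUTHENTICATION_METHODS = {
    "none", "simple", "sasl/CRAM-MD5", "sasl/DIGEST-MD5", "sasl/GSSAPI",
    "tls:simple", "tls:sasl/CRAM-MD5", "tls:sasl/DIGEST-MD5",
}

# Constructed samples: a compliant per-user (self) setup, and a proxy setup
# that binds with a clear-text password on a client that does not use DNS.
CLIENT_SELF = "credentialLevel=self\nauthenticationMethod=sasl/GSSAPI\n"
NSSWITCH_DNS = """\
passwd:     files ldap
group:      files ldap
hosts:      dns files
ipnodes:    dns files
"""
CLIENT_PROXY_SIMPLE = "credentialLevel=proxy\nauthenticationMethod=simple\n"
NSSWITCH_NO_DNS = """\
passwd:     files ldap
group:      files ldap
hosts:      files ldap
ipnodes:    files
"""


def parse_kv(text):
    """'key=value' lines -> {key: [values]}; a key may repeat (multi-valued)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def parse_nsswitch(text):
    """'database: source ...' lines -> {database: [tokens]}.

    Criteria such as [NOTFOUND=return] stay in the token list; the checks
    below only ask whether a given source name is present.
    """
    nss = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, sources = line.partition(":")
        if sep:
            nss[db.strip()] = sources.split()
    return nss


def check_client(client_text, nsswitch_text):
    """Return a list of findings; an empty list means the configuration passes."""
    cfg = parse_kv(client_text)
    nss = parse_nsswitch(nsswitch_text)
    levels = cfg.get("credentialLevel", [])
    methods = cfg.get("authenticationMethod", [])
    findings = []

    for level in levels:
        if level not in CREDENTIAL_LEVELS:
            findings.append(f"unknown credentialLevel '{level}'")
    for method in methods:
        if method not in AUTHENTICATION_METHODS:
            findings.append(f"unknown authenticationMethod '{method}'")

    # ldap(1): the keyword ldap in nsswitch.conf is what routes lookups to LDAP.
    if not any("ldap" in sources for sources in nss.values()):
        findings.append("no nsswitch.conf database lists the ldap source")

    # ldap(1): self requires sasl/GSSAPI and DNS for hosts and ipnodes.
    if "self" in levels:
        if methods != ["sasl/GSSAPI"]:
            findings.append("credentialLevel self requires authenticationMethod sasl/GSSAPI")
        for db in ("hosts", "ipnodes"):
            if "dns" not in nss.get(db, []):
                findings.append(f"credentialLevel self requires '{db}: dns ...' in nsswitch.conf")

    # A simple bind without TLS transmits the proxy password unencrypted;
    # tls:simple or a SASL mechanism protects it on the wire.
    if "proxy" in levels and "simple" in methods:
        findings.append("proxy credentials bound with simple travel in clear text; "
                        "use tls:simple or a sasl method")
    return findings
```

     check_client(CLIENT_SELF, NSSWITCH_DNS) returns no findings, while the
     same client file paired with NSSWITCH_NO_DNS produces one finding for
     hosts and one for ipnodes, which is exactly the misconfiguration the
     paragraph on the self credential level warns about.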


     More protection can be provided by means of access control, allowing
     the server to grant access for certain containers or entries. Access
     control is specified by Access Control Lists (ACLs) that are defined
     and stored in the LDAP server. The Access Control Lists on the LDAP
     server are called Access Control Instructions (ACIs) by the SunOne
     Directory Server. Each ACL or ACI specifies one or more directory
     objects, for example, the cn attribute in a specific container, one or
     more clients to whom you grant or deny access, and one or more access
     rights that determine what the clients can do to or with the objects.
     Clients can be users or applications. Access rights can be specified
     as read and write, for example. Refer to the System Administration
     Guide: Naming and Directory Services (DNS, NIS, and LDAP) regarding
     the restrictions on ACLs and ACIs when using LDAP as a naming
     repository.


     A sample nsswitch.conf(4) file called nsswitch.ldap is provided in the
     /etc directory. This is copied to /etc/nsswitch.conf by the
     ldapclient(1M) utility. This file uses LDAP as a repository for the
     different databases in the nsswitch.conf file.


     The following is a list of the user commands related to LDAP:

     idsconfig(1M)     Prepares a SunOne Directory Server to be ready to
                       support Solaris LDAP clients.


     ldapaddent(1M)    Creates LDAP entries from corresponding /etc files.


     ldapclient(1M)    Initializes LDAP clients, or generates a
                       configuration profile to be stored in the directory.


     ldaplist(1)       Lists the contents of the LDAP naming space.

FILES
     /var/ldap/ldap_client_cred
     /var/ldap/ldap_client_file
                       Files that contain the LDAP configuration of the
                       client. Do not manually modify these files. Their
                       content is not guaranteed to be human readable. Use
                       ldapclient(1M) to update them.


     /etc/nsswitch.conf
                       Configuration file for the name-service switch.


     /etc/nsswitch.ldap
                       Sample configuration file for the name-service
                       switch configured with LDAP and files.


     /etc/pam.conf     PAM framework configuration file.

SEE ALSO
     ldaplist(1), idsconfig(1M), ldap_cachemgr(1M), ldapaddent(1M),
     ldapclient(1M), nsswitch.conf(4), pam.conf(4), kerberos(5),
     pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
     pam_dhkeys(5), pam_ldap(5), pam_passwd_auth(5), pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5)


     System Administration Guide: Naming and Directory Services (DNS, NIS,
     and LDAP)

NOTES
     The pam_unix(5) module is no longer supported. Similar functionality is
     provided by pam_authtok_check(5), pam_authtok_get(5),
     pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
     pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).



SunOS 5.11                       28 Aug 2006                          ldap(1)