ldapclient(1M)          System Administration Commands          ldapclient(1M)

NAME
       ldapclient - initialize LDAP client machine or output an LDAP client
       profile in LDIF format

SYNOPSIS
       /usr/sbin/ldapclient [-v | -q] init [-a profileName=profileName]
            [-a domainName=domain] [-a proxyDN=proxyDN]
            [-a proxyPassword=password]
            [-a authenticationMethod=authenticationMethod]
            [-a enableShadowUpdate=true | false]
            [-a adminDN=adminDN]
            [-a adminPassword=adminPassword]
            [-a certificatePath=path] [-d bindDN] [-w bindPassword]
            [-j passwdFile] [-y passwdFile]
            [-z adminPasswdFile] LDAP_server[:port_number]

       /usr/sbin/ldapclient [-v | -q] manual [-a attrName=attrVal]

       /usr/sbin/ldapclient [-v | -q] mod [-a attrName=attrVal]

       /usr/sbin/ldapclient [-v | -q] list

       /usr/sbin/ldapclient [-v | -q] uninit

       /usr/sbin/ldapclient [-v | -q] genprofile -a profileName=profileName
            [-a attrName=attrVal]

DESCRIPTION
       The ldapclient utility can be used to:

           o      initialize LDAP client machines

           o      restore the network service environment on LDAP clients

           o      list the contents of the LDAP client cache in human readable
                  format.

       The init form of the ldapclient utility is used to initialize an LDAP
       client machine, using a profile stored on an LDAP server specified by
       LDAP_server. The LDAP client will use the attributes in the specified
       profile to determine the configuration of the LDAP client. Using a
       configuration profile allows for easy installation of LDAP clients and
       propagation of configuration changes to LDAP clients. The
       ldap_cachemgr(1M) utility will update the LDAP client configuration
       when its cache expires by reading the profile. For more information on
       the configuration profile refer to the IETF document A Configuration
       Schema for LDAP Based Directory User Agents.

       The manual form of the ldapclient utility is used to initialize an LDAP
       client machine manually. The LDAP client will use the attributes
       specified on the command line. Any unspecified attributes will be
       assigned their default values. At least one server must be specified in
       the defaultServerList or the preferredServerList attributes. The
       domainName attribute must be specified if the client's domainName is
       not set.

       The mod form of the ldapclient utility is used to modify the
       configuration of an LDAP client machine that was set up manually. This
       option modifies only those LDAP client configuration attributes
       specified on the command line. The mod option should only be used on
       LDAP clients that were initialized using the manual option.

       Regardless of which method is used for initialization, if a client is
       to be configured to use a proxy credentialLevel, proxy credentials must
       be provided using the -a proxyDN=proxyDN and
       -a proxyPassword=proxyPassword options. However, if
       -a proxyPassword=proxyPassword is not specified, ldapclient will prompt
       for it. Note that NULL passwords are not allowed in LDAP. If a self
       credentialLevel is configured, authenticationMethod must be
       sasl/GSSAPI.

       Similarly, if a client is to be configured to enable shadow information
       update and use a proxy credentialLevel, administrator credentials must
       be provided using -a adminDN=adminDN and -a adminPassword=adminPassword.
       However, the shadow information update does not need the administrator
       credentials if a self credentialLevel is configured.

       If any file is modified during installation, it will be backed up to
       /var/ldap/restore. The files that are typically modified during
       initialization are:

           o      /etc/nsswitch.conf

           o      /etc/defaultdomain (if it exists)

           o      /var/yp/binding/`domainname` (for a NIS(YP) client)

           o      /var/nis/NIS_COLD_START (for a NIS+ client)

           o      /var/ldap/ldap_client_file (for an existing LDAP client)

           o      /var/ldap/ldap_client_cred (for an existing LDAP client)

       ldapclient does not set up a client to resolve hostnames using DNS. It
       simply copies /etc/nsswitch.ldap to /etc/nsswitch.conf. If you prefer
       to use DNS for host resolution, please refer to the DNS documentation
       for information on setting up DNS. See resolv.conf(4). If you want to
       use sasl/GSSAPI as the authentication method, you have to use DNS for
       hosts and ipnodes resolution.

       The list form of the ldapclient utility is used to list the LDAP client
       configuration. The output will be human readable. LDAP configuration
       files are not guaranteed to be human readable. Note that for security
       reasons, the values for adminDN and adminPassword will not be
       displayed.

       The uninit form of the ldapclient utility is used to uninitialize the
       network service environment, restoring it to the state it was in prior
       to the last execution of ldapclient using init or manual. The
       restoration will succeed only if the machine was initialized with the
       init or manual form of ldapclient, as it uses the backup files created
       by these options.

       The genprofile option is used to write an LDIF formatted configuration
       profile based on the attributes specified on the command line to
       standard output. This profile can then be loaded into an LDAP server to
       be used as the client profile, which can be downloaded by means of the
       ldapclient init command. Loading the LDIF formatted profile to the
       directory server can be done through ldapadd(1), or through any server
       specific import tool. Note that the attributes proxyDN, proxyPassword,
       certificatePath, domainName, enableShadowUpdate, adminDN, and
       adminPassword are not part of the configuration profile and thus are
       not permitted.

       You must have superuser privileges to run the ldapclient command,
       except with the genprofile option.

       To access the information stored in the directory, clients can either
       authenticate to the directory, or use an unauthenticated connection.
       The LDAP client is configured to have a credential level of anonymous,
       proxy, or self. In the first case, the client does not authenticate to
       the directory. In the second case, the client authenticates to the
       directory using a proxy identity for read access, and using an
       administrator identity for write access if enableShadowUpdate is
       configured. In the third case, the client authenticates to the
       directory using a Kerberos principal that is mapped to an LDAP identity
       by the LDAP server. Refer to the chapter on implementing security in
       the System Administration Guide: Naming and Directory Services (DNS,
       NIS, and LDAP) or your appropriate directory server documentation for
       identity mapping details.

       If a client is configured to use an identity, you can configure which
       authentication method the client will use. The LDAP client supports the
       following authentication methods:

         none
         simple
         sasl/CRAM-MD5
         sasl/DIGEST-MD5
         sasl/GSSAPI
         tls:simple
         tls:sasl/CRAM-MD5
         tls:sasl/DIGEST-MD5

       Note that some directory servers may not support all of these
       authentication methods. For simple, be aware that the bind password
       will be sent in the clear to the LDAP server. For those authentication
       methods using TLS (transport layer security), the entire session is
       encrypted. You will need to install the appropriate certificate
       databases to use TLS.

   Commands
       The following commands are supported:

       init

           Initialize client from a profile on a server.

       manual

           Manually initialize client with the specified attribute values.

       mod

           Modify attribute values in the configuration file after a manual
           initialization of the client.

       list

           Write the contents of the LDAP client cache to standard output in
           human readable form.

       uninit

           Uninitialize an LDAP client, assuming that ldapclient was used to
           initialize the client.

       genprofile

           Generate a configuration profile in LDIF format that can then be
           stored in the directory for clients to use, with the init form of
           this command.

   Attributes
       The following attributes are supported:

       adminDN

           Specify the Bind Distinguished Name for the administrator identity
           that is used for shadow information update. This option is required
           if the credential level is proxy, and enableShadowUpdate is set to
           true. There is no default value.

       adminPassword

           Specify the administrator password. This option is required if the
           credential level is proxy, and enableShadowUpdate is set to true.
           There is no default value.

       attributeMap

           Specify a mapping from an attribute defined by a service to an
           attribute in an alternative schema. This can be used to change the
           default schema used for a given service. The syntax of attributeMap
           is defined in the profile IETF draft. This option can be specified
           multiple times. The default value for all services is NULL. In the
           example,

             attributeMap: passwd:uid=employeeNumber

           the LDAP client would use the LDAP attribute employeeNumber rather
           than uid for the passwd service. This is a multivalued attribute.

       authenticationMethod

           Specify the default authentication method used by all services
           unless overridden by the serviceAuthenticationMethod attribute.
           Multiple values can be specified by using a semicolon-separated
           list. The default value is none. For those services that use
           credentialLevel and credentialLevel is anonymous, this attribute is
           ignored. Services such as pam_ldap will use this attribute, even if
           credentialLevel is anonymous. The supported authentication methods
           are described above. If the authenticationMethod is sasl/GSSAPI,
           the hosts and ipnodes of /etc/nsswitch.conf must be configured with
           DNS support, for example:

             hosts: dns files
             ipnodes: dns files

       bindTimeLimit

           The maximum time in seconds that a client should spend performing a
           bind operation. Set this to a positive integer. The default value
           is 30.

       certificatePath

           The certificate path for the location of the certificate database.
           The value is the path where security database files reside. This is
           used for TLS support, which is specified in the
           authenticationMethod and serviceAuthenticationMethod attributes.
           The default is /var/ldap.

       credentialLevel

           Specify the credential level the client should use to contact the
           directory. The credential levels supported are either anonymous or
           proxy. If a proxy credential level is specified, then the
           authenticationMethod attribute must be specified to determine the
           authentication mechanism. Also, if the credential level is proxy
           and at least one of the authentication methods requires a bind DN,
           the proxyDN and proxyPassword attribute values must be set. In
           addition, if enableShadowUpdate is set to true, the adminDN and
           adminPassword values must be set. If a self credential level is
           specified, the authenticationMethod must be sasl/GSSAPI.

       defaultSearchBase

           Specify the default search base DN. There is no default. The
           serviceSearchDescriptor attribute can be used to override the
           defaultSearchBase for given services.

       defaultSearchScope=one | sub

           Specify the default search scope for the client's search
           operations. This default can be overridden for a given service by
           specifying a serviceSearchDescriptor. The default is one level
           search.

       defaultServerList

           A space separated list of server names or server addresses, either
           IPv4 or IPv6. If you specify server names, be sure that the LDAP
           client can resolve the name without the LDAP name service. You must
           resolve the LDAP servers' names by using either files or dns. If
           the LDAP server name cannot be resolved, your naming service will
           fail.

           The port number is optional. If not specified, the default LDAP
           server port number 389 is used, except when TLS is specified in the
           authentication method. In this case, the default LDAP server port
           number is 636.

           The format to specify the port number for an IPv6 address is:

             [ipv6_addr]:port

           To specify the port number for an IPv4 address, use the following
           format:

             ipv4_addr:port

           If the host name is specified, use the format:

             host_name:port

           If you use TLS, the LDAP server's hostname must match the hostname
           in the TLS certificate. Typically, the hostname in the TLS
           certificate is a fully qualified domain name. With TLS, the LDAP
           server host addresses must resolve to the hostnames in the TLS
           certificate. You must use files or dns to resolve the host address.

       domainName

           Specify the DNS domain name. This becomes the default domain for
           the machine. The default is the current domain name. This attribute
           is only used in client initialization.

       enableShadowUpdate=true | false

           Specify whether the client is allowed to update shadow information.
           If set to true and the credential level is proxy, adminDN and
           adminPassword must be specified.

       followReferrals=true | false

           Specify the referral setting. A setting of true implies that
           referrals will be automatically followed and false would result in
           referrals not being followed. The default is true.

       objectclassMap

           Specify a mapping from an objectclass defined by a service to an
           objectclass in an alternative schema. This can be used to change
           the default schema used for a given service. The syntax of
           objectclassMap is defined in the profile IETF draft. This option
           can be specified multiple times. The default value for all services
           is NULL. In the example,

             objectclassMap=passwd:posixAccount=unixAccount

           the LDAP client would use the LDAP objectclass of unixAccount
           rather than the posixAccount for the passwd service. This is a
           multivalued attribute.

       preferredServerList

           Specify the space separated list of server names or server
           addresses, either IPv4 or IPv6, to be contacted before servers
           specified by the defaultServerList attribute. If you specify server
           names, be sure that the LDAP client can resolve the name without
           the LDAP name service. You must resolve the LDAP servers' names by
           using either files or dns. If the LDAP server name cannot be
           resolved, your naming service will fail.

           The port number is optional. If not specified, the default LDAP
           server port number 389 is used, except when TLS is specified in the
           authentication method. In this case, the default LDAP server port
           number is 636.

           The format to specify the port number for an IPv6 address is:

             [ipv6_addr]:port

           To specify the port number for an IPv4 address, use the following
           format:

             ipv4_addr:port

           If the host name is specified, use the format:

             host_name:port

           If you use TLS, the LDAP server's hostname must match the hostname
           in the TLS certificate. Typically, the hostname in the TLS
           certificate is a fully qualified domain name. With TLS, the LDAP
           server host addresses must resolve to the hostnames in the TLS
           certificate. You must use files or dns to resolve the host address.

       profileName

           Specify the profile name. For ldapclient init, this attribute is
           the name of an existing profile which may be downloaded
           periodically depending on the value of the profileTTL attribute.
           For ldapclient genprofile, this is the name of the profile to be
           generated. The default value is default.

       profileTTL

           Specify the TTL value in seconds for the client information. This
           is only relevant if the machine was initialized with a client
           profile. If you do not want ldap_cachemgr(1M) to attempt to refresh
           the LDAP client configuration from the LDAP server, set profileTTL
           to 0 (zero). Valid values are either 0 (zero, for no expiration) or
           a positive integer in seconds. The default value is 12 hours.

       proxyDN

           Specify the Bind Distinguished Name for the proxy identity. This
           option is required if the credential level is proxy, and at least
           one of the authentication methods requires a bind DN. There is no
           default value.

       proxyPassword

           Specify the client proxy password. This option is required if the
           credential level is proxy, and at least one of the authentication
           methods requires a bind DN. There is no default.

       searchTimeLimit

           Specify the maximum number of seconds allowed for an LDAP search
           operation. The default is 30 seconds. The server may have its own
           search time limit.

       serviceAuthenticationMethod

           Specify authentication methods to be used by a service in the form
           servicename:authenticationmethod, for example:

             pam_ldap:tls:simple

           For multiple authentication methods, use a semicolon-separated
           list. The default value is no service authentication methods, in
           which case each service would default to the authenticationMethod
           value. The supported authentication methods are described above.

           Three services support this feature: passwd-cmd, keyserv, and
           pam_ldap. The passwd-cmd service is used to define the
           authentication method to be used by passwd(1) to change the user's
           password and other attributes. The keyserv service is used to
           identify the authentication method to be used by the chkey(1) and
           newkey(1M) utilities. The pam_ldap service defines the
           authentication method to be used for authenticating users when
           pam_ldap(5) is configured. If this attribute is not set for any of
           these services, the authenticationMethod attribute is used to
           define the authentication method. This is a multivalued attribute.

       serviceCredentialLevel

           Specify the credential level to be used by a service. Multiple
           values can be specified in a space-separated list. The default
           value for all services is NULL. The supported credential levels
           are: anonymous or proxy. At present, no service uses this
           attribute. This is a multivalued attribute.

       serviceSearchDescriptor

           Override the default base DN for LDAP searches for a given service.
           The format of the descriptors also allows overriding the default
           search scope and search filter for each service. The syntax of
           serviceSearchDescriptor is defined in the profile IETF draft. The
           default value for all services is NULL. This is a multivalued
           attribute. In the example,

             serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one

           the LDAP client would do a one level search in
           ou=people,dc=a1,dc=acme,dc=com rather than
           ou=people,defaultSearchBase for the passwd service.

OPTIONS
       The following options are supported:

       -a attrName=attrValue

           Specify attrName and its value. See SYNOPSIS for a complete list of
           possible attribute names and values.

       -D bindDN

           Specifies an entry that has read permission for the requested
           database.

       -j passwdFile

           Specify a file containing the password for the bind DN or the
           password for the SSL client's key database. To protect the
           password, use this option in scripts and place the password in a
           secure file. This option is mutually exclusive of the -w option.

       -q

           Quiet mode. No output is generated.

       -v

           Verbose output.

       -w bindPassword

           Password to be used for authenticating the bind DN. If this
           parameter is missing, the command will prompt for a password. NULL
           passwords are not supported in LDAP.

           When you use -w bindPassword to specify the password to be used for
           authentication, the password is visible to other users of the
           system by means of the ps command, in script files, or in shell
           history.

           If you supply "-" (hyphen) as a password, the command will prompt
           for a password.

       -y passwdFile

           Specify a file containing the password for the proxy DN. To protect
           the password, use this option in scripts and place the password in
           a secure file. This option is mutually exclusive of the
           -a proxyPassword option.

       -z adminPasswdFile

           Specify a file containing the password for the adminDN. To protect
           the password, use this option in scripts and place the password in
           a secure file. This option is mutually exclusive of the
           -a adminPassword option.
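
       The -w, -j, -y and -z descriptions above say where a password should
       and should not go. The following Python helper is an added example,
       not part of this man page or of ldapclient: it writes the proxy or
       admin password to a file only its owner can read, passes that file to
       ldapclient with -y or -z, and refuses proxyPassword or adminPassword
       given inline with -a, which would land in ps output and shell history.
       The helper names, the LDAP_PROXY_PW environment variable and the sample
       DN and domain are the editor's assumptions.

```python
"""Run ldapclient init with the proxy/admin password kept out of argv."""
import os
import stat
import subprocess
import tempfile

INLINE_PASSWORD_ATTRS = {"proxypassword", "adminpassword"}


def write_password_file(password, directory=None):
    """Store the password in a file only its owner can read, for -j/-y/-z.
    mkstemp creates it with O_EXCL and mode 0600, so another user can neither
    pre-create nor read it; this is the page's "secure file" in practice."""
    fd, path = tempfile.mkstemp(prefix="ldapclient-pw-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password)
    except Exception:
        os.unlink(path)
        raise
    return path


def remove_password_file(path):
    """Delete the password file once ldapclient has read it."""
    os.unlink(path)


def is_private_file(path):
    """True if path is a regular file with no group or other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def build_init_argv(server, profile_name, proxy_dn=None, proxy_pw_file=None,
                    admin_dn=None, admin_pw_file=None, extra_attrs=()):
    """Compose argv for `ldapclient init` as given in the SYNOPSIS.

    The proxy password travels via -y and the admin password via -z; a
    proxyPassword/adminPassword attribute given inline with -a is refused."""
    for attr in extra_attrs:
        name = attr.partition("=")[0]
        if name.lower() in INLINE_PASSWORD_ATTRS:
            raise ValueError(f"refusing {name} on the command line; use a password file")
    argv = ["/usr/sbin/ldapclient", "init", "-a", f"profileName={profile_name}"]
    if proxy_dn:
        if not (proxy_pw_file and is_private_file(proxy_pw_file)):
            raise ValueError("proxyDN needs a private password file for -y")
        argv += ["-a", f"proxyDN={proxy_dn}", "-y", proxy_pw_file]
    if admin_dn:
        if not (admin_pw_file and is_private_file(admin_pw_file)):
            raise ValueError("adminDN needs a private password file for -z")
        argv += ["-a", "enableShadowUpdate=true", "-a", f"adminDN={admin_dn}",
                 "-z", admin_pw_file]
    for attr in extra_attrs:
        argv += ["-a", attr]
    argv.append(server)
    return argv


def run_init(argv):
    """Execute argv without a shell, so nothing is re-parsed or kept in shell
    history. Returns the exit status (see EXIT STATUS), or None when
    ldapclient is not installed on this machine."""
    if not os.path.exists(argv[0]):
        return None
    return subprocess.run(argv).returncode


if __name__ == "__main__":
    # Constructed values (assumed DN and domain), not taken from the page.
    pw_file = write_password_file(os.environ.get("LDAP_PROXY_PW", "example-secret"))
    try:
        cmd = build_init_argv("172.16.100.1", "simple",
                              proxy_dn="cn=proxyagent,ou=profile,dc=xyz,dc=mycompany,dc=com",
                              proxy_pw_file=pw_file,
                              extra_attrs=["domainName=xyz.mycompany.com"])
        print(" ".join(cmd))  # safe to log: the password is not in it
        print("exit status:", run_init(cmd))
    finally:
        remove_password_file(pw_file)
```

       The command line that results is the same shape as Example 2 below,
       except that -y pw_file replaces -a proxyPassword=secret, so neither ps
       nor the shell history ever sees the secret.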

OPERANDS
       The following operand is supported:

       LDAP_server

           An address or a name for the LDAP server from which the profile
           will be loaded. The current naming service specified in the
           nsswitch.conf file is used. Once the profile is loaded, the
           preferredServerList and defaultServerList specified in the profile
           are used.


EXAMPLES
       Example 1 Setting Up a Client By Using the Default Profile Stored on a
       Specified LDAP Server

       The following example shows how to set up a client using the default
       profile stored on the specified LDAP server. This command will only be
       successful if either the credential level in the profile is set to
       anonymous or the authentication method is set to none.

         example# ldapclient init 172.16.100.1

       Example 2 Setting Up a Client By Using the simple Profile Stored on a
       Specified LDAP Server

       The following example shows how to set up a client using the simple
       profile stored on the specified LDAP server. The domainName is set to
       xyz.mycompany.com and the proxyPassword is secret.

         example# ldapclient init -a profileName=simple \
         -a domainName=xyz.mycompany.com \
         -a proxyDN=cn=proxyagent,ou=profile,dc=xyz,dc=mycompany,dc=com \
         -a proxyPassword=secret '[fe80::a00:20ff:fea3:388]:386'

       Example 3 Setting Up a Client Using Only One Server

       The following example shows how to set up a client using only one
       server. The authentication method is set to none, and the search base
       is dc=mycompany,dc=com.

         example# ldapclient manual -a authenticationMethod=none \
         -a defaultSearchBase=dc=mycompany,dc=com \
         -a defaultServerList=172.16.100.1

       Example 4 Setting Up a Client Using Only One Server That Does Not
       Follow Referrals

       The following example shows how to set up a client using only one
       server. The credential level is set to proxy. The authentication method
       is sasl/CRAM-MD5, with the option not to follow referrals. The domain
       name is xyz.mycompany.com, and the LDAP server is running on port
       number 386 at IP address 172.16.100.1.

         example# ldapclient manual \
         -a credentialLevel=proxy \
         -a authenticationMethod=sasl/CRAM-MD5 \
         -a proxyPassword=secret \
         -a proxyDN=cn=proxyagent,ou=profile,dc=xyz,dc=mycompany,dc=com \
         -a defaultSearchBase=dc=xyz,dc=mycompany,dc=com \
         -a domainName=xyz.mycompany.com \
         -a followReferrals=false \
         -a defaultServerList=172.16.100.1:386

       Example 5 Using genprofile to Set Only the defaultSearchBase and the
       Server Addresses

       The following example shows how to use the genprofile command to set
       the defaultSearchBase and the server addresses.

         example# ldapclient genprofile -a profileName=myprofile \
         -a defaultSearchBase=dc=eng,dc=sun,dc=com \
         -a "defaultServerList=172.16.100.1 172.16.234.15:386" \
         > myprofile.ldif

       Example 6 Creating a Profile on IPv6 Servers

       The following example creates a profile on IPv6 servers. The IPv6
       addresses are quoted so that the shell does not interpret the square
       brackets.

         example# ldapclient genprofile -a profileName=eng \
         -a credentialLevel=proxy \
         -a authenticationMethod=sasl/DIGEST-MD5 \
         -a defaultSearchBase=dc=eng,dc=acme,dc=com \
         -a "serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one" \
         -a 'preferredServerList=[fe80::a00:20ff:fea3:388]' \
         -a "defaultServerList=[fec0::111:a00:20ff:fea3:edcf] [fec0::111:a00:20ff:feb5:e41]" \
         > eng.ldif

       Example 7 Creating a Profile That Overrides Every Default Value

       The following example shows a profile that overrides every default
       value.

         example# ldapclient genprofile -a profileName=eng \
         -a credentialLevel=proxy -a authenticationMethod=sasl/DIGEST-MD5 \
         -a bindTimeLimit=20 \
         -a defaultSearchBase=dc=eng,dc=acme,dc=com \
         -a "serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one" \
         -a serviceAuthenticationMethod=pam_ldap:tls:simple \
         -a defaultSearchScope=sub \
         -a attributeMap=passwd:uid=employeeNumber \
         -a objectclassMap=passwd:posixAccount=unixAccount \
         -a followReferrals=false -a profileTTL=6000 \
         -a preferredServerList=172.16.100.30 -a searchTimeLimit=30 \
         -a "defaultServerList=172.16.200.1 172.16.100.1 192.168.5.6" > eng.ldif


EXIT STATUS
       The following exit values are returned:

       0    The command successfully executed.

       1    An error occurred. An error message is output.

       2    proxyDN and proxyPassword attributes are required, but they are
            not provided.


FILES
       /var/ldap/ldap_client_cred
       /var/ldap/ldap_client_file

           Contain the LDAP configuration of the client. These files are not
           to be modified manually. Their content is not guaranteed to be
           human readable. Use ldapclient to update them.

       /etc/defaultdomain

           System default domain name, matching the domain name of the data in
           the LDAP servers. See defaultdomain(4).

       /etc/nsswitch.conf

           Configuration file for the name-service switch. See
           nsswitch.conf(4).

       /etc/nsswitch.ldap

           Sample configuration file for the name-service switch configured
           with LDAP and files.


ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWnisu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO
       chkey(1), ldap(1), ldapadd(1), ldapdelete(1), ldaplist(1),
       ldapmodify(1), ldapmodrdn(1), ldapsearch(1), idsconfig(1M),
       ldapaddent(1M), ldap_cachemgr(1M), suninstall(1M), defaultdomain(4),
       nsswitch.conf(4), resolv.conf(4), attributes(5)


CAUTION
       Currently StartTLS is not supported by libldap.so.5, therefore the port
       number provided refers to the port used during a TLS open, rather than
       the port used as part of a StartTLS sequence. To avoid timeout delays,
       mixed use of TLS and non-TLS authentication mechanisms is not
       recommended.

       For example:

         -h foo:1000 -a authenticationMethod=tls:simple

       ...or:

         defaultServerList= foo:1000
         authenticationMethod= tls:simple

       The preceding refers to a raw TLS open on host foo port 1000, not an
       open, StartTLS sequence on an unsecured port 1000. If port 1000 is
       unsecured the connection will not be made.

       As a second example, the following will incur a significant timeout
       delay while attempting the connection to foo:636 with an unsecured
       bind.

         defaultServerList= foo:636 foo:389
         authenticationMethod= simple

SunOS 5.11                        14 Feb 2009                   ldapclient(1M)