ldapclient(1M)           System Administration Commands           ldapclient(1M)

NAME
     ldapclient - initialize LDAP client machine or output an LDAP client
     profile in LDIF format

SYNOPSIS
     /usr/sbin/ldapclient [-v | -q] init [-a profileName=profileName]
          [-a domainName=domain] [-a proxyDN=proxyDN]
          [-a proxyPassword=password]
          [-a authenticationMethod=authenticationMethod]
          [-a enableShadowUpdate=true | false]
          [-a adminDN=adminDN]
          [-a adminPassword=adminPassword]
          [-a certificatePath=path] [-d bindDN] [-w bindPassword]
          [-j passwdFile] [-y passwdFile]
          [-z adminPasswdFile] LDAP_server[:port_number]

     /usr/sbin/ldapclient [-v | -q] manual [-a attrName=attrVal]

     /usr/sbin/ldapclient [-v | -q] mod [-a attrName=attrVal]

     /usr/sbin/ldapclient [-v | -q] list

     /usr/sbin/ldapclient [-v | -q] uninit

     /usr/sbin/ldapclient [-v | -q] genprofile -a profileName=profileName
          [-a attrName=attrVal]

DESCRIPTION
     The ldapclient utility can be used to:

         o  initialize LDAP client machines

         o  restore the network service environment on LDAP clients

         o  list the contents of the LDAP client cache in human readable
            format.

     The init form of the ldapclient utility is used to initialize an LDAP
     client machine, using a profile stored on an LDAP server specified by
     LDAP_server. The LDAP client will use the attributes in the specified
     profile to determine the configuration of the LDAP client. Using a
     configuration profile allows for easy installation of LDAP clients and
     propagation of configuration changes to LDAP clients. The
     ldap_cachemgr(1M) utility will update the LDAP client configuration
     when its cache expires by reading the profile. For more information on
     the configuration profile refer to the IETF document A Configuration
     Schema for LDAP Based Directory User Agents.

     The manual form of the ldapclient utility is used to initialize an LDAP
     client machine manually. The LDAP client will use the attributes
     specified on the command line. Any unspecified attributes will be
     assigned their default values. At least one server must be specified in
     the defaultServerList or the preferredServerList attributes. The
     domainName attribute must be specified if the client's domainName is
     not set.

     The mod form of the ldapclient utility is used to modify the
     configuration of an LDAP client machine that was set up manually. This
     option modifies only those LDAP client configuration attributes
     specified on the command line. The mod option should only be used on
     LDAP clients that were initialized using the manual option.

     Regardless of which method is used for initialization, if a client is
     to be configured to use a proxy credentialLevel, proxy credentials must
     be provided using the -a proxyDN=proxyDN and
     -a proxyPassword=proxyPassword options. However, if
     -a proxyPassword=proxyPassword is not specified, ldapclient will prompt
     for it. Note that NULL passwords are not allowed in LDAP. If a self
     credentialLevel is configured, authenticationMethod must be
     sasl/GSSAPI.

     Similarly, if a client is to be configured to enable shadow information
     update and use a proxy credentialLevel, administrator credentials must
     be provided using -a adminDN=adminDN and -a adminPassword=adminPassword.
     However, the shadow information update does not need the administrator
     credentials if a self credentialLevel is configured.

     If any file is modified during installation, it will be backed up to
     /var/ldap/restore. The files that are typically modified during
     initialization are:

         o  /etc/nsswitch.conf

         o  /etc/defaultdomain (if it exists)

         o  /var/yp/binding/`domainname` (for a NIS(YP) client)

         o  /var/nis/NIS_COLD_START (for a NIS+ client)

         o  /var/ldap/ldap_client_file (for an existing LDAP client)

         o  /var/ldap/ldap_client_cred (for an existing LDAP client)

     ldapclient does not set up a client to resolve hostnames using DNS. It
     simply copies /etc/nsswitch.ldap to /etc/nsswitch.conf. If you prefer
     to use DNS for host resolution, refer to the DNS documentation for
     information on setting up DNS. See resolv.conf(4). If you want to use
     sasl/GSSAPI as the authentication method, you have to use DNS for hosts
     and ipnodes resolution.

     The list form of the ldapclient utility is used to list the LDAP client
     configuration. The output will be human readable. LDAP configuration
     files are not guaranteed to be human readable. Note that for security
     reasons, the values for adminDN and adminPassword will not be
     displayed.

     The uninit form of the ldapclient utility is used to uninitialize the
     network service environment, restoring it to the state it was in prior
     to the last execution of ldapclient using init or manual. The
     restoration will succeed only if the machine was initialized with the
     init or manual form of ldapclient, as it uses the backup files created
     by these options.

     The genprofile option is used to write an LDIF formatted configuration
     profile, based on the attributes specified on the command line, to
     standard output. This profile can then be loaded into an LDAP server to
     be used as the client profile, which can be downloaded by means of the
     ldapclient init command. Loading the LDIF formatted profile to the
     directory server can be done through ldapadd(1), or through any server
     specific import tool. Note that the attributes proxyDN, proxyPassword,
     certificatePath, domainName, enableShadowUpdate, adminDN, and
     adminPassword are not part of the configuration profile and thus are
     not permitted.

     You must have superuser privileges to run the ldapclient command,
     except with the genprofile option.

     To access the information stored in the directory, clients can either
     authenticate to the directory, or use an unauthenticated connection.
     The LDAP client is configured to have a credential level of anonymous,
     proxy, or self. In the first case, the client does not authenticate to
     the directory. In the second case, the client authenticates to the
     directory using a proxy identity for read access, and using an
     administrator identity for write access if enableShadowUpdate is
     configured. In the third case, the client authenticates to the
     directory using a Kerberos principal that is mapped to an LDAP identity
     by the LDAP server. Refer to the chapter on implementing security in
     the System Administration Guide: Naming and Directory Services (DNS,
     NIS, and LDAP) or your appropriate directory server documentation for
     identity mapping details.

     If a client is configured to use an identity, you can configure which
     authentication method the client will use. The LDAP client supports the
     following authentication methods:

          none
          simple
          sasl/CRAM-MD5
          sasl/DIGEST-MD5
          sasl/GSSAPI
          tls:simple
          tls:sasl/CRAM-MD5
          tls:sasl/DIGEST-MD5

     Note that some directory servers may not support all of these
     authentication methods. For simple, be aware that the bind password
     will be sent in the clear to the LDAP server. For those authentication
     methods using TLS (transport layer security), the entire session is
     encrypted. You will need to install the appropriate certificate
     databases to use TLS.

   Commands
     The following commands are supported:

     init

          Initialize client from a profile on a server.

     manual

          Manually initialize client with the specified attribute values.

     mod

          Modify attribute values in the configuration file after a manual
          initialization of the client.

     list

          Write the contents of the LDAP client cache to standard output in
          human readable form.

     uninit

          Uninitialize an LDAP client, assuming that ldapclient was used to
          initialize the client.

     genprofile

          Generate a configuration profile in LDIF format that can then be
          stored in the directory for clients to use, with the init form of
          this command.

   Attributes
     The following attributes are supported:

     adminDN

          Specify the Bind Distinguished Name for the administrator identity
          that is used for shadow information update. This option is
          required if the credential level is proxy, and enableShadowUpdate
          is set to true. There is no default value.

     adminPassword

          Specify the administrator password. This option is required if the
          credential level is proxy, and enableShadowUpdate is set to true.
          There is no default value.

     attributeMap

          Specify a mapping from an attribute defined by a service to an
          attribute in an alternative schema. This can be used to change the
          default schema used for a given service. The syntax of
          attributeMap is defined in the profile IETF draft. This option can
          be specified multiple times. The default value for all services is
          NULL. In the example,

               attributeMap: passwd:uid=employeeNumber

          the LDAP client would use the LDAP attribute employeeNumber rather
          than uid for the passwd service. This is a multivalued attribute.

     authenticationMethod

          Specify the default authentication method used by all services
          unless overridden by the serviceAuthenticationMethod attribute.
          Multiple values can be specified by using a semicolon-separated
          list. The default value is none. For those services that use
          credentialLevel and credentialLevel is anonymous, this attribute
          is ignored. Services such as pam_ldap will use this attribute,
          even if credentialLevel is anonymous. The supported authentication
          methods are described above. If the authenticationMethod is
          sasl/GSSAPI, the hosts and ipnodes of /etc/nsswitch.conf must be
          configured with DNS support, for example:

               hosts: dns files
               ipnodes: dns files

     bindTimeLimit

          The maximum time in seconds that a client should spend performing
          a bind operation. Set this to a positive integer. The default
          value is 30.

     certificatePath

          The certificate path for the location of the certificate database.
          The value is the path where security database files reside. This
          is used for TLS support, which is specified in the
          authenticationMethod and serviceAuthenticationMethod attributes.
          The default is /var/ldap.

     credentialLevel

          Specify the credential level the client should use to contact the
          directory. The credential levels supported are anonymous, proxy,
          or self. If a proxy credential level is specified, then the
          authenticationMethod attribute must be specified to determine the
          authentication mechanism. Also, if the credential level is proxy
          and at least one of the authentication methods requires a bind
          DN, the proxyDN and proxyPassword attribute values must be set. In
          addition, if enableShadowUpdate is set to true, the adminDN and
          adminPassword values must be set. If a self credential level is
          specified, the authenticationMethod must be sasl/GSSAPI.

     defaultSearchBase

          Specify the default search base DN. There is no default. The
          serviceSearchDescriptor attribute can be used to override the
          defaultSearchBase for given services.

     defaultSearchScope=one | sub

          Specify the default search scope for the client's search
          operations. This default can be overridden for a given service by
          specifying a serviceSearchDescriptor. The default is one level
          search.

     defaultServerList

          A space separated list of server names or server addresses, either
          IPv4 or IPv6. If you specify server names, be sure that the LDAP
          client can resolve the name without the LDAP name service. You
          must resolve the LDAP servers' names by using either files or dns.
          If the LDAP server name cannot be resolved, your naming service
          will fail.

          The port number is optional. If not specified, the default LDAP
          server port number 389 is used, except when TLS is specified in
          the authentication method. In this case, the default LDAP server
          port number is 636.

          The format to specify the port number for an IPv6 address is:

               [ipv6_addr]:port

          To specify the port number for an IPv4 address, use the following
          format:

               ipv4_addr:port

          If the host name is specified, use the format:

               host_name:port

          If you use TLS, the LDAP server's hostname must match the hostname
          in the TLS certificate. Typically, the hostname in the TLS
          certificate is a fully qualified domain name. With TLS, the LDAP
          server host addresses must resolve to the hostnames in the TLS
          certificate. You must use files or dns to resolve the host
          address.

     domainName

          Specify the DNS domain name. This becomes the default domain for
          the machine. The default is the current domain name. This
          attribute is only used in client initialization.

     enableShadowUpdate=true | false

          Specify whether the client is allowed to update shadow
          information. If set to true and the credential level is proxy,
          adminDN and adminPassword must be specified.

     followReferrals=true | false

          Specify the referral setting. A setting of true implies that
          referrals will be automatically followed and false would result in
          referrals not being followed. The default is true.

     objectclassMap

          Specify a mapping from an objectclass defined by a service to an
          objectclass in an alternative schema. This can be used to change
          the default schema used for a given service. The syntax of
          objectclassMap is defined in the profile IETF draft. This option
          can be specified multiple times. The default value for all
          services is NULL. In the example,

               objectclassMap=passwd:posixAccount=unixAccount

          the LDAP client would use the LDAP objectclass of unixAccount
          rather than the posixAccount for the passwd service. This is a
          multivalued attribute.

     preferredServerList

          Specify the space separated list of server names or server
          addresses, either IPv4 or IPv6, to be contacted before servers
          specified by the defaultServerList attribute. If you specify
          server names, be sure that the LDAP client can resolve the name
          without the LDAP name service. You must resolve the LDAP servers'
          names by using either files or dns. If the LDAP server name cannot
          be resolved, your naming service will fail.

          The port number is optional. If not specified, the default LDAP
          server port number 389 is used, except when TLS is specified in
          the authentication method. In this case, the default LDAP server
          port number is 636.

          The format to specify the port number for an IPv6 address is:

               [ipv6_addr]:port

          To specify the port number for an IPv4 address, use the following
          format:

               ipv4_addr:port

          If the host name is specified, use the format:

               host_name:port

          If you use TLS, the LDAP server's hostname must match the hostname
          in the TLS certificate. Typically, the hostname in the TLS
          certificate is a fully qualified domain name. With TLS, the LDAP
          server host addresses must resolve to the hostnames in the TLS
          certificate. You must use files or dns to resolve the host
          address.

     profileName

          Specify the profile name. For ldapclient init, this attribute is
          the name of an existing profile which may be downloaded
          periodically depending on the value of the profileTTL attribute.
          For ldapclient genprofile, this is the name of the profile to be
          generated. The default value is default.

     profileTTL

          Specify the TTL value in seconds for the client information. This
          is only relevant if the machine was initialized with a client
          profile. If you do not want ldap_cachemgr(1M) to attempt to
          refresh the LDAP client configuration from the LDAP server, set
          profileTTL to 0 (zero). Valid values are either zero 0 (for no
          expiration) or a positive integer in seconds. The default value is
          12 hours.

     proxyDN

          Specify the Bind Distinguished Name for the proxy identity. This
          option is required if the credential level is proxy, and at least
          one of the authentication methods requires a bind DN. There is no
          default value.

     proxyPassword

          Specify the client proxy password. This option is required if the
          credential level is proxy, and at least one of the authentication
          methods requires a bind DN. There is no default.

     searchTimeLimit

          Specify the maximum number of seconds allowed for an LDAP search
          operation. The default is 30 seconds. The server may have its own
          search time limit.

     serviceAuthenticationMethod

          Specify authentication methods to be used by a service in the form
          servicename:authenticationmethod, for example:

               pam_ldap:tls:simple

          For multiple authentication methods, use a semicolon-separated
          list. The default value is no service authentication methods, in
          which case, each service would default to the authenticationMethod
          value. The supported authentication methods are described above.

          Three services support this feature: passwd-cmd, keyserv, and
          pam_ldap. The passwd-cmd service is used to define the
          authentication method to be used by passwd(1) to change the user's
          password and other attributes. The keyserv service is used to
          identify the authentication method to be used by the chkey(1) and
          newkey(1M) utilities. The pam_ldap service defines the
          authentication method to be used for authenticating users when
          pam_ldap(5) is configured. If this attribute is not set for any of
          these services, the authenticationMethod attribute is used to
          define the authentication method. This is a multivalued attribute.

     serviceCredentialLevel

          Specify the credential level to be used by a service. Multiple
          values can be specified in a space-separated list. The default
          value for all services is NULL. The supported credential levels
          are: anonymous or proxy. At present, no service uses this
          attribute. This is a multivalued attribute.

     serviceSearchDescriptor

          Override the default base DN for LDAP searches for a given
          service. The format of the descriptors also allows overriding the
          default search scope and search filter for each service. The
          syntax of serviceSearchDescriptor is defined in the profile IETF
          draft. The default value for all services is NULL. This is a
          multivalued attribute. In the example,

               serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one

          the LDAP client would do a one level search in
          ou=people,dc=a1,dc=acme,dc=com rather than
          ou=people,defaultSearchBase for the passwd service.
513
OPTIONS
     The following options are supported:

     -a attrName=attrValue

          Specify attrName and its value. See SYNOPSIS for a complete list
          of possible attribute names and values.

     -D bindDN

          Specifies an entry that has read permission for the requested
          database.

     -j passwdFile

          Specify a file containing the password for the bind DN or the
          password for the SSL client's key database. To protect the
          password, use this option in scripts and place the password in a
          secure file. This option is mutually exclusive of the -w option.

     -q

          Quiet mode. No output is generated.

     -v

          Verbose output.

     -w bindPassword

          Password to be used for authenticating the bind DN. If this
          parameter is missing, the command will prompt for a password. NULL
          passwords are not supported in LDAP.

          When you use -w bindPassword to specify the password to be used
          for authentication, the password is visible to other users of the
          system by means of the ps command, in script files, or in shell
          history.

          If you supply "-" (hyphen) as a password, the command will prompt
          for a password.

     -y passwdFile

          Specify a file containing the password for the proxy DN. To
          protect the password, use this option in scripts and place the
          password in a secure file. This option is mutually exclusive of
          the -a proxyPassword option.

     -z adminPasswdFile

          Specify a file containing the password for the adminDN. To protect
          the password, use this option in scripts and place the password in
          a secure file. This option is mutually exclusive of the
          -a adminPassword option.
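     Example 2 and Example 4 below pass the proxy password as
     -a proxyPassword=secret, which the -w description says is visible to
     other users through ps, script files and shell history; -y, -j and -z
     exist so that the secret can come from a file instead. As an added
     example (not part of this page), the following Python creates the
     password file with owner-only permissions before the secret is written,
     verifies the file is private before using it, and builds the
     ldapclient init argument vector with -y in place of -a proxyPassword.
     The file location and the absence of a trailing newline in the file
     are assumptions of this example.

```python
# Added example (not from the ldapclient(1M) page): keep the proxy password
# out of the argument vector by writing it to a mode-0600 file and passing
# the file with -y, which the OPTIONS section recommends over
# -a proxyPassword=... (visible via ps, scripts and shell history).
# The file location and the no-trailing-newline layout are assumptions.
import os
import stat
import tempfile

SECRET_ATTRS = ("proxyPassword=", "adminPassword=")


def write_password_file(password, directory=None):
    """Create the file private from the start: mkstemp opens it with
    O_CREAT|O_EXCL and mode 0600, so there is no window in which another
    user could read the secret."""
    if not password:
        raise ValueError("NULL passwords are not allowed in LDAP")
    fd, path = tempfile.mkstemp(prefix="ldap-proxy-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(password)
    return path


def is_private_file(path):
    """True if path is a regular file owned by the caller and readable only
    by its owner; check this before handing a file to -y, -j or -z."""
    st = os.stat(path)
    return (stat.S_ISREG(st.st_mode) and st.st_uid == os.geteuid()
            and stat.S_IMODE(st.st_mode) == 0o600)


def build_init_argv(server, profile, domain, proxy_dn, passwd_file):
    """argv for ldapclient init with the password supplied via -y, not -a."""
    if not is_private_file(passwd_file):
        raise PermissionError(f"{passwd_file} is not a private 0600 file")
    return ["/usr/sbin/ldapclient", "init",
            "-a", f"profileName={profile}",
            "-a", f"domainName={domain}",
            "-a", f"proxyDN={proxy_dn}",
            "-y", passwd_file, server]


def argv_exposes_secret(argv):
    """True if a password travels in the argument vector (ps-visible)."""
    return any(arg.startswith(SECRET_ATTRS) for arg in argv)


if __name__ == "__main__":
    path = write_password_file("secret")  # constructed sample value
    try:
        argv = build_init_argv("172.16.100.1", "simple", "xyz.mycompany.com",
                               "cn=proxyagent,ou=profile,dc=xyz,dc=mycompany,dc=com",
                               path)
        print(" ".join(argv), "| exposes secret:", argv_exposes_secret(argv))
        # On a real client, subprocess.run(argv, check=True) would go here.
    finally:
        os.unlink(path)  # remove the file as soon as ldapclient has read it
```

     The same pattern applies to -j for the bind DN password and -z for the
     adminDN password; the file is removed immediately after use so the
     secret does not outlive the command.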
576
577
OPERANDS
     The following operand is supported:

     LDAP_server

          An address or a name for the LDAP server from which the profile
          will be loaded. The current naming service specified in the
          nsswitch.conf file is used. Once the profile is loaded, the
          preferredServerList and defaultServerList specified in the profile
          are used.

EXAMPLES
     Example 1 Setting Up a Client By Using the Default Profile Stored on a
     Specified LDAP Server

     The following example shows how to set up a client using the default
     profile stored on the specified LDAP server. This command will only be
     successful if either the credential level in the profile is set to
     anonymous or the authentication method is set to none.

          example# ldapclient init 172.16.100.1

     Example 2 Setting Up a Client By Using the simple Profile Stored on a
     Specified LDAP Server

     The following example shows how to set up a client using the simple
     profile stored on the specified LDAP server. The domainname is set to
     xyz.mycompany.com and the proxyPassword is secret.

          example# ldapclient init -a profileName=simple \
               -a domainName=xyz.mycompany.com \
               -a proxyDN=cn=proxyagent,ou=profile,dc=xyz,dc=mycompany,dc=com \
               -a proxyPassword=secret '['fe80::a00:20ff:fea3:388']':386

     Example 3 Setting Up a Client Using Only One Server

     The following example shows how to set up a client using only one
     server. The authentication method is set to none, and the search base
     is dc=mycompany,dc=com.

          example# ldapclient manual -a authenticationMethod=none \
               -a defaultSearchBase=dc=mycompany,dc=com \
               -a defaultServerList=172.16.100.1

     Example 4 Setting Up a Client Using Only One Server That Does Not
     Follow Referrals

     The following example shows how to set up a client using only one
     server. The credential level is set to proxy. The authentication method
     is sasl/CRAM-MD5, with the option not to follow referrals. The domain
     name is xyz.mycompany.com, and the LDAP server is running on port
     number 386 at IP address 172.16.100.1.

          example# ldapclient manual \
               -a credentialLevel=proxy \
               -a authenticationMethod=sasl/CRAM-MD5 \
               -a proxyPassword=secret \
               -a proxyDN=cn=proxyagent,ou=profile,dc=xyz,dc=mycompany,dc=com \
               -a defaultSearchBase=dc=xyz,dc=mycompany,dc=com \
               -a domainName=xyz.mycompany.com \
               -a followReferrals=false \
               -a defaultServerList=172.16.100.1:386

     Example 5 Using genprofile to Set Only the defaultSearchBase and the
     Server Addresses

     The following example shows how to use the genprofile command to set
     the defaultSearchBase and the server addresses.

          example# ldapclient genprofile -a profileName=myprofile \
               -a defaultSearchBase=dc=eng,dc=sun,dc=com \
               -a "defaultServerList=172.16.100.1 172.16.234.15:386" \
               > myprofile.ldif

     Example 6 Creating a Profile on IPv6 Servers

     The following example creates a profile on IPv6 servers.

          example# ldapclient genprofile -a profileName=eng \
               -a credentialLevel=proxy \
               -a authenticationMethod=sasl/DIGEST-MD5 \
               -a defaultSearchBase=dc=eng,dc=acme,dc=com \
               -a "serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one"\
               -a preferredServerList= '['fe80::a00:20ff:fea3:388']' \
               -a "defaultServerList='['fec0::111:a00:20ff:fea3:edcf']' \
               '['fec0::111:a00:20ff:feb5:e41']'" > eng.ldif

     Example 7 Creating a Profile That Overrides Every Default Value

     The following example shows a profile that overrides every default
     value.

          example# ldapclient genprofile -a profileName=eng \
               -a credentialLevel=proxy -a authenticationMethod=sasl/DIGEST-MD5 \
               -a bindTimeLimit=20 \
               -a defaultSearchBase=dc=eng,dc=acme,dc=com \
               -a "serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one"\
               -a serviceAuthenticationMethod=pam_ldap:tls:simple \
               -a defaultSearchScope=sub \
               -a attributeMap=passwd:uid=employeeNumber \
               -a objectclassMap=passwd:posixAccount=unixAccount \
               -a followReferrals=false -a profileTTL=6000 \
               -a preferredServerList=172.16.100.30 -a searchTimeLimit=30 \
               -a "defaultServerList=172.16.200.1 172.16.100.1 192.168.5.6" > eng.ldif

EXIT STATUS
     The following exit values are returned:

     0    The command successfully executed.

     1    An error occurred. An error message is output.

     2    proxyDN and proxyPassword attributes are required, but they are
          not provided.

FILES
     /var/ldap/ldap_client_cred
     /var/ldap/ldap_client_file

          Contain the LDAP configuration of the client. These files are not
          to be modified manually. Their content is not guaranteed to be
          human readable. Use ldapclient to update them.

     /etc/defaultdomain

          System default domain name, matching the domain name of the data
          in the LDAP servers. See defaultdomain(4).

     /etc/nsswitch.conf

          Configuration file for the name-service switch. See
          nsswitch.conf(4).

     /etc/nsswitch.ldap

          Sample configuration file for the name-service switch configured
          with LDAP and files.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWnisu                     │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Evolving                     │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     chkey(1), ldap(1), ldapadd(1), ldapdelete(1), ldaplist(1),
     ldapmodify(1), ldapmodrdn(1), ldapsearch(1), idsconfig(1M),
     ldapaddent(1M), ldap_cachemgr(1M), suninstall(1M), defaultdomain(4),
     nsswitch.conf(4), resolv.conf(4), attributes(5)

NOTES
     Currently StartTLS is not supported by libldap.so.5, therefore the port
     number provided refers to the port used during a TLS open, rather than
     the port used as part of a StartTLS sequence. To avoid timeout delays,
     mixed use of TLS and non-TLS authentication mechanisms is not
     recommended.

     For example:

          -h foo:1000 -a authenticationMethod=tls:simple

     ...or:

          defaultServerList= foo:1000
          authenticationMethod= tls:simple

     The preceding refers to a raw TLS open on host foo port 1000, not a
     plain open followed by a StartTLS sequence on an unsecured port 1000.
     If port 1000 is unsecured the connection will not be made.

     As a second example, the following will incur a significant timeout
     delay while attempting the connection to foo:636 with an unsecured
     bind.

          defaultServerList= foo:636 foo:389
          authenticationMethod= simple
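     The server-list formats given under defaultServerList and
     preferredServerList, the 389/636 port default, and the port/method
     mismatches this section describes can all be checked mechanically
     before a client is initialized. The following Python is an added
     example, not code from this page: parse_server_list() accepts the
     [ipv6_addr]:port, ipv4_addr:port and host_name:port forms, fills in the
     default port from the authentication method, and mixed_port_warnings()
     flags a non-TLS method aimed at 636 (the foo:636 timeout case above) or
     a TLS method aimed at 389. Treating 389 and 636 as the only
     unsecured/secured ports is a heuristic of this example, as is accepting
     a bare IPv6 address (no brackets) only when no port follows it.

```python
# Added example (not from the ldapclient(1M) page): parse defaultServerList /
# preferredServerList entries in the three formats the page gives, apply the
# 389/636 default, and flag the port/method mismatches the NOTES section says
# end in a failed open or a long timeout. The well-known-port heuristic in
# mixed_port_warnings() and the bare-IPv6 rule are assumptions of this example.
import ipaddress
import re

# [ipv6_addr]:port  |  ipv4_addr:port  |  host_name:port   (port optional)
ENTRY_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^\[\]:\s]+))(?::(?P<port>\d+))?$")


def uses_tls(auth_method):
    """authenticationMethod may be a semicolon-separated list; the tls:
    variants switch the default server port from 389 to 636."""
    return any(m.startswith("tls:") for m in auth_method.split(";") if m)


def parse_entry(entry, tls):
    """Return (host, port, kind) for one entry; kind is 'ipv6', 'ipv4' or 'name'."""
    default_port = 636 if tls else 389
    if entry.count(":") > 1 and not entry.startswith("["):
        # Bare IPv6 address: accepted only without a port, since the colons
        # make host:port ambiguous; ipaddress raises ValueError on junk.
        return str(ipaddress.IPv6Address(entry)), default_port, "ipv6"
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"malformed server entry {entry!r}")
    port = int(m.group("port")) if m.group("port") else default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    if m.group("v6"):
        return str(ipaddress.IPv6Address(m.group("v6"))), port, "ipv6"
    host = m.group("host")
    try:
        ipaddress.IPv4Address(host)
        return host, port, "ipv4"
    except ipaddress.AddressValueError:
        # A name: the page requires it to resolve via files or dns, never LDAP.
        return host, port, "name"


def parse_server_list(value, auth_method):
    """Split the space-separated list and resolve each entry's effective port."""
    tls = uses_tls(auth_method)
    return [parse_entry(e, tls) for e in value.split()]


def mixed_port_warnings(entries, auth_method):
    """Flag a non-TLS method aimed at 636 (the NOTES timeout case) and a TLS
    method aimed at 389 (a raw TLS open on an unsecured port is refused)."""
    tls = uses_tls(auth_method)
    return [f"{host}:{port} with {auth_method}" for host, port, _ in entries
            if (port == 636 and not tls) or (port == 389 and tls)]
```

     For the second NOTES example, parse_server_list("foo:636 foo:389",
     "simple") followed by mixed_port_warnings() reports only foo:636, the
     entry that would hang until the bind times out.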
805
806
807
808
809
SunOS 5.11                       14 Feb 2009                       ldapclient(1M)