Configuring the Solaris Management Console for LDAP (Task Map)
The Solaris Management Console is the GUI for administering the network of systems that are running Trusted Extensions.
This task map describes the tasks to configure the Solaris Management Console for LDAP, and points to the tasks. The tasks, in the order in which they are performed, are:
1. Register LDAP Credentials With the Solaris Management Console
2. Enable the Solaris Management Console to Accept Network Communications
3. Edit the LDAP Toolbox in the Solaris Management Console
4. Verify That the Solaris Management Console Contains Trusted Extensions Information
Register LDAP Credentials With the Solaris Management Console
You must be the root user on an LDAP server that is running Trusted Extensions. The server can be a proxy server.
Your Sun Java System Directory Server must be configured, that is, you have completed one of the following configurations:
Configuring an LDAP Server on a Trusted Extensions Host (Task Map)
Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map)
Register the LDAP administrative credentials:
LDAP-Server # /usr/sadm/bin/dtsetup storeCred
Administrator DN:Type the value for cn on your system
Password:Type the Directory Manager password
Password (confirm):Retype the password
Then examine the scopes for your LDAP server:
LDAP-Server # /usr/sadm/bin/dtsetup scopes
Getting list of manageable scopes...
Scope 1 file:Displays name of file scope
Scope 2 ldap:Displays name of ldap scope
Your LDAP server setup determines the scopes that are listed. The LDAP scope is not listed until the LDAP toolbox is edited. The toolbox cannot be edited until after the server is registered.
Example 5-1 Registering LDAP Credentials
In this example, the name of the LDAP server is LDAP1 and the value for cn is the default, Directory Manager.
# /usr/sadm/bin/dtsetup storeCred
Administrator DN:cn=Directory Manager
Password:abcde1;!
Password (confirm):abcde1;!
# /usr/sadm/bin/dtsetup scopes
Getting list of manageable scopes...
Scope 1 file:/LDAP1/LDAP1
Scope 2 ldap:/LDAP1/dc=LDAP1,dc=example-domain,dc=com
Enable the Solaris Management Console to Accept Network Communications
By default, Solaris systems are not configured to listen on ports that present security risks. Therefore, you must explicitly configure any system that you plan to administer remotely to accept network communications. For example, to administer network databases on the LDAP server from a client, the Solaris Management Console server on the LDAP server must accept network communications.
For an illustration of the Solaris Management Console configuration requirements for a network with an LDAP server, see Client-Server Communication With the Solaris Management Console in Oracle Solaris Trusted Extensions Administrator’s Procedures.
You must be superuser in the global zone on the Solaris Management Console server system. In this procedure, that system is called the remote system. Also, you must have command line access to the client system as superuser.
The smc daemon is controlled by the wbem service. If the options/tcp_listen property of the wbem service is set to true, the Solaris Management Console server accepts remote connections. Check the current value, then set it to true:
# /usr/sbin/svcprop -p options wbem
options/tcp_listen boolean false
# svccfg -s wbem setprop options/tcp_listen=true
Refresh and restart the wbem service:
# svcadm refresh wbem
# svcadm restart wbem
Verify that the property is now set:
# svcprop -p options wbem
options/tcp_listen boolean true
Then edit the smcserver.config file so that the remote.connections parameter is set to true:
# /usr/dt/bin/trusted_edit /etc/smc/smcserver.config
## remote.connections=false
remote.connections=true
If you restart or enable the wbem service, you must ensure that the remote.connections parameter in the smcserver.config file remains set to true.
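Both settings in this procedure must be true, and the note above warns that a restart of wbem can leave them out of step. The following script is an added example, not Oracle's code: it parses the text of svcprop -p options wbem and of smcserver.config (constructed samples modelled on the output shown above) and reports which of the two settings is still missing.

```shell
# Constructed sample inputs, modelled on the command output shown in the
# procedure above (not captured from a real system).
SVCPROP_BEFORE='options/tcp_listen boolean false'
SVCPROP_AFTER='options/tcp_listen boolean true'
SMCCONF_DEFAULT='## remote.connections=false
remote.connections=false'
SMCCONF_ENABLED='## remote.connections=false
remote.connections=true'

# Value of options/tcp_listen from the text of `svcprop -p options wbem` ($1).
wbem_tcp_listen() {
  printf '%s\n' "$1" | awk '$1 == "options/tcp_listen" { print $3 }'
}

# Effective remote.connections value from the text of smcserver.config ($1).
# Comment lines are ignored; the last uncommented assignment wins.
smc_remote_connections() {
  printf '%s\n' "$1" | awk -F= '
    /^[[:space:]]*#/ { next }
    $1 == "remote.connections" { v = $2 }
    END { print (v == "" ? "unset" : v) }'
}

# Both settings must be true for remote administration to work; report
# which one is missing so the administrator knows what to fix.
smc_remote_state() {
  tcp=$(wbem_tcp_listen "$1")
  rc=$(smc_remote_connections "$2")
  if [ "$tcp" = true ] && [ "$rc" = true ]; then
    echo remote-ok
  elif [ "$tcp" = true ]; then
    echo "tcp_listen-only(remote.connections=$rc)"
  elif [ "$rc" = true ]; then
    echo "remote.connections-only(tcp_listen=$tcp)"
  else
    echo local-only
  fi
}

# Walk through the states seen during the procedure.
smc_remote_state "$SVCPROP_BEFORE" "$SMCCONF_DEFAULT"   # local-only
smc_remote_state "$SVCPROP_AFTER"  "$SMCCONF_DEFAULT"   # tcp_listen-only(remote.connections=false)
smc_remote_state "$SVCPROP_AFTER"  "$SMCCONF_ENABLED"   # remote-ok

# On a live Solaris system the same check is run as (not executed here):
#   smc_remote_state "$(/usr/sbin/svcprop -p options wbem)" "$(cat /etc/smc/smcserver.config)"
```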
Edit the LDAP Toolbox in the Solaris Management Console
You must be superuser on the LDAP server. The LDAP credentials must be registered with the Solaris Management Console, and you must know the output of the /usr/sadm/bin/dtsetup scopes command. For details, see Register LDAP Credentials With the Solaris Management Console.
Find the LDAP toolbox:
# cd /var/sadm/smc/toolboxes/tsol_ldap
# ls *tbx
tsol_ldap.tbx
For example, the following path is the default location of the LDAP toolbox:
/var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx
Replace the server tags between the <Scope> and </Scope> tags with the output of the ldap:/... line from the /usr/sadm/bin/dtsetup scopes command, and replace the server name in the other tags that refer to it:
<Scope>ldap:/<ldap-server-name>/<dc=domain,dc=suffix></Scope>
...
<Name>This Computer (ldap-server-name: Scope=ldap, Policy=TSOL)</Name>
<Description>... services and configuration of ldap-server-name.</Description>
...
<Description>... and configuring ldap-server-name.</Description>
...
Refresh and restart the wbem service:
# svcadm refresh wbem
# svcadm restart wbem
Example 5-2 Configuring the LDAP Toolbox
In this example, the name of the LDAP server is LDAP1. To configure the toolbox, the administrator replaces the instances of <?server ?> with LDAP1.
# cd /var/sadm/smc/toolboxes/tsol_ldap
# /usr/dt/bin/trusted_edit tsol_ldap.tbx
<Scope>ldap:/LDAP1/dc=LDAP1,dc=example-domain,dc=com</Scope>
...
<Name>This Computer (LDAP1: Scope=ldap, Policy=TSOL)</Name>
<Description>... services and configuration of LDAP1.</Description>
...
<Description>... and configuring LDAP1.</Description>
...
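As an added example (not part of the Oracle documentation or the product), the following script carries out the substitution from Example 5-2 mechanically: it picks the ldap:/ line out of constructed dtsetup scopes output and rewrites a constructed toolbox fragment, so that the Scope element and every <?server ?> placeholder end up consistent with the registered scope. The file name tsol_ldap.tbx and the placeholder form come from the page; the fragment's content and the scope value are assumptions.

```shell
# Constructed sample of `dtsetup scopes` output, in the shape of Example 5-1
# (not captured from a real server).
SCOPES_OUT='Getting list of manageable scopes...
Scope 1 file:/LDAP1/LDAP1
Scope 2 ldap:/LDAP1/dc=example-domain,dc=com'

# Constructed fragment standing in for the shipped tsol_ldap.tbx, with the
# <?server ?> placeholders that the procedure says must be replaced.
TBX_IN='<Scope>ldap:/<?server ?>/</Scope>
...
<Name>This Computer (<?server ?>: Scope=ldap, Policy=TSOL)</Name>
<Description>... services and configuration of <?server ?>.</Description>'

# The ldap:/... scope from the dtsetup scopes text ($1); empty if none is listed.
ldap_scope_line() {
  printf '%s\n' "$1" | awk '$3 ~ /^ldap:\// { print $3; exit }'
}

# Server name is the first path component of the scope: ldap:/<server>/<base-dn>
ldap_server_name() {
  printf '%s\n' "$1" | sed 's#^ldap:/\([^/]*\)/.*#\1#'
}

# Rewrite the toolbox text ($2) for the server in the scopes output ($1):
# the <Scope> element gets the whole ldap:/ scope, every other <?server ?>
# placeholder gets the server name. Fails if no LDAP scope is registered yet.
fill_toolbox() {
  scope=$(ldap_scope_line "$1")
  if [ -z "$scope" ]; then
    echo 'no ldap scope found; register the LDAP credentials first' >&2
    return 1
  fi
  server=$(ldap_server_name "$scope")
  printf '%s\n' "$2" | awk -v scope="$scope" -v server="$server" '
    /<Scope>/ { sub(/<Scope>.*<\/Scope>/, "<Scope>" scope "</Scope>") }
    { gsub(/<[?]server [?]>/, server); print }'
}

# Show the rewritten fragment for the constructed inputs.
fill_toolbox "$SCOPES_OUT" "$TBX_IN"
```

On a real server the inputs would be the output of /usr/sadm/bin/dtsetup scopes and the contents of /var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx, with the result written back through trusted_edit as the procedure describes.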
Verify That the Solaris Management Console Contains Trusted Extensions Information
For an illustration of the Solaris Management Console configuration requirements for a network with an LDAP server and for a network without an LDAP server, see Client-Server Communication With the Solaris Management Console in Oracle Solaris Trusted Extensions Administrator’s Procedures.
You must be logged in to an LDAP client in an administrative role, or as superuser. To make a system an LDAP client, see Make the Global Zone an LDAP Client in Trusted Extensions.
To administer the local system, you must have completed Initialize the Solaris Management Console Server in Trusted Extensions.
To connect to a Console server on a remote system from the local system, you must have completed Initialize the Solaris Management Console Server in Trusted Extensions on both systems. Also, on the remote system, you must have completed Enable the Solaris Management Console to Accept Network Communications.
To administer the databases in the LDAP naming service from the LDAP client, on the LDAP server you must have completed Edit the LDAP Toolbox in the Solaris Management Console, in addition to the preceding procedures.
Start the Solaris Management Console:
# /usr/sbin/smc &
Open a Trusted Extensions toolbox. A Trusted Extensions toolbox has the value Policy=TSOL.
The toolbox for the local system:
This Computer (this-host: Scope=Files, Policy=TSOL)
The toolboxes for the LDAP server:
This Computer (ldap-server: Scope=Files, Policy=TSOL)
This Computer (ldap-server: Scope=LDAP, Policy=TSOL)
The toolboxes when you connect to a remote system from the local system:
This Computer (this-host: Scope=Files, Policy=TSOL)
This Computer (remote-system: Scope=Files, Policy=TSOL)
Note - When you try to access network database information from a system that is not the LDAP server, the operation fails. The Console allows you to log in to the remote host and open the toolbox. However, when you try to access or change information, the following error message indicates that you have selected Scope=LDAP on a system that is not the LDAP server:
Management server cannot perform the operation requested.
...
Error extracting the value-from-tool.
The keys received from the client were machine, domain, Scope.
Problem with Scope.
To troubleshoot LDAP configuration, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).