System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Initializing an LDAP Client

ldapclient(1M) is a utility used to set up LDAP clients in the Solaris system. ldapclient assumes the server has already been configured with the appropriate client profiles. You must install and configure the server with the appropriate profiles before you can set up clients.


Note –

The Solaris OS does not support a configuration in which an NIS client and a native LDAP client co-exist on the same client system.


There are two main ways to set up a client by using ldapclient.


Note –

Though you can manually configure clients, it is not recommended. Using the configuration profiles decreases the complexity and cost of managing clients.


Using Profiles to Initialize a Client

ProcedureHow to Initialize a Client Using Profiles

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

  2. Run ldapclient with init.


    # ldapclient init \
    -a profileName=new \
    -a domainName=west.example.com 192.168.0.1
    System successfully configured

Using Per-User Credentials


Note –

Do not edit either of the client configuration files directly. Use the ldapclient command to create or modify the content of these files.


ProcedureHow to Initialize a Client Using Per-User Credentials

Before You Begin

Before you set up a client with per-user credentials the following items must already be configured:

  1. Run ldapclient init to initialize the client by using the gssapi profile:


    # /usr/sbin/ldapclient init -a profilename=gssapi_SPARKS.COM -a \
    domainname=example.com 9.9.9.50
    
  2. Try to log in as a user:

    Run kinit -p user.

    Run ldaplist -l passwd user in user's login session and you should see “userpassword.”

    But ldaplist -l passwd bar can get the entry without userpassword. By default root can still see userpassword of everybody.

Notes About Using Per-User Credentials

See other references in this guide and in the System Administration Guide: Security Services for details.

Using Proxy Credentials

ProcedureHow to Initialize a Client Using Proxy Credentials


Note –

Do not edit either of the client configuration files directly. Use ldapclient to create or modify the content of these files.


  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

  2. Run ldapclient (defining proxy values).


    # ldapclient init \
    -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
    -a domainName=west.example.com \
    -a profileName=pit1 \
    -a proxyPassword=test1234 192.168.0.1
    System successfully configured

    The -a proxyDN and -a proxyPassword are required if the profile to be used is set up for proxy. As the credentials are not stored in the profile saved on the server, you must supply the information when you initialize the client. This method is more secure than the older method of storing the proxy credentials on the server.

    The proxy information is used to create /var/ldap/ldap_client_cred. The rest of the information is put in /var/ldap/ldap_client_file.

Enabling Shadow Updating in LDAP

ProcedureHow to Initialize a Client to Enable the Updating of Shadow Data

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

  2. To set the enableShadowUpdate switch and define the admin credential, run the ldapclient command.

    • To update an already running client, run this command:


      # ldapclient mod -a enableShadowUpdate=TRUE \
      -a adminDN=cn=admin,ou=profile,dc=west,dc=example,dc=com \
      -a adminPassword=admin-password
      System successfully configured
    • To initialize a client, run this command:


      # ldapclient init \
      -a adminDN=cn=admin,ou=profile,dc=west,dc=example,dc=com \
      -a adminPassword=admin-password
      -a domainName=west.example.com \
      -a profileName=WestUserProfile \
      -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
      -a proxyPassword=i<proxy_password> \
      192.168.0.1
      System successfully configured
  3. To verify the configuration, display the contents of the /var/ldap/ldap_client_cred file.

    The output should contain lines similar to the following:


    # cat /var/ldap/ldap_client_cred
    
       NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
       NS_LDAP_BINDPASSWD= {NS1}4a3788f8eb85de11
       NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE
       NS_LDAP_ADMIN_BINDDN= cn=admin,ou=profile,dc=west,dc=example,dc=com
       NS_LDAP_ADMIN_BINDPASSWD= {NS1}4a3788f8c053434f

Initializing a Client Manually

Superusers. or administrators with an equivalent role, can perform manual client configurations. However, many of the checks are bypassed during the process, so it is relatively easy to misconfigure your system. In addition, you must change settings on every machine, instead of in one central place, as is done when using profiles.

ProcedureHow to Initialize a Client Manually

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

  2. Use ldapclient manual to initialize the client.


    # ldapclient manual \
    -a domainName=dc=west.example.com \
    -a credentialLevel=proxy \
    -a defaultSearchBase=dc=west,dc=example,dc=com \ 
    -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \ 
    -a proxyPassword=testtest 192.168.0.1
    
  3. Use ldapclient list to verify.


    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
    NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
    NS_LDAP_SERVERS= 192.168.0.1
    NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
    NS_LDAP_CREDENTIAL_LEVEL= proxy

Modifying a Manual Client Configuration

ProcedureHow to Modify a Manual Configuration

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

  2. Use the ldapclient mod command to change the authentication method to simple.


    # ldapclient mod -a authenticationMethod=simple
    
  3. Use ldapclient list to verify the change was made.


    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
    NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
    NS_LDAP_SERVERS= 192.168.0.1
    NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
    NS_LDAP_AUTH= simple
    NS_LDAP_CREDENTIAL_LEVEL= proxy
Troubleshooting

You cannot change some attributes of an LDAP client configuration by using the mod subcommand. For example, you cannot change the profileName and profileTTL attributes. To change these attributes, create a new profile by using the ldapclient init command, as described in Using Profiles to Initialize a Client. Or, run the ldapclient manual command, as described in Initializing a Client Manually.

Uninitializing a Client

ldapclient uninit restores the client name service to what it was prior to the most recent init, modify, or manual operation. In other words, it performs an “undo” on the last step taken. For example, if the client was configured to use profile1 and was then changed to use profile2, using ldapclient uninit would revert the client back to using profile1.

ProcedureHow to Uninitialize a Client

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

  2. Use ldapclient uninit.


    # ldapclient uninit
    System successfully recovered

Setting Up TLS Security


Note –

The security database files must be readable by everyone. Do not include any private keys in the key3.db.


If using TLS, the necessary security databases must be installed. In particular, the certificate and key database files are needed. For example, if you adopt an older database format from Netscape Communicator, two files, cert7.db and key3.db, are required. Or, if you use a newer database format from Mozilla, three files, cert8.db, key3.db and secmod.db are needed. The cert7.db or cert8.db file contains trusted certificates. The key3.db file contains the client's keys. Even if the LDAP naming service client does not use client keys, this file must be present. The secmod.db file contains the security modules such as PKCS#11 module. This file is not required if the older format is used.


Note –

Before running ldapclient, you should set up and install the needed security database files described in this section.


See the section about configuring LDAP clients to use SSL in the “Managing SSL” chapter of the Administrator's Guide for the version of Sun Java System Directory Server you are using. For information on how to create and manage these files. Once configured, these files must be stored in the location expected by the LDAP naming services client. The attribute certificatePath is used to determine this location. This is by default /var/ldap.

For example, after setting up the necessary cert7.db and key3.db files using Netscape CommunicatorTM, copy the files to the default location.


# cp $HOME/.netscape/cert7.db /var/ldap
# cp $HOME/.netscape/key3.db /var/ldap

Next, give everyone read access.


# chmod 444 /var/ldap/cert7.db
# chmod 444 /var/ldap/key3.db

Note –

While Netscape manages the cert7.db and key3.db files in the $HOME/.netscape directory, Mozilla has its cert8.db, key3.db and secmod.db files managed in a sub-directory under $HOME/.mozilla. Copies of these security databases must be stored on a local file system if you are using them for an LDAP naming services client.


Configuring PAM

pam_ldap is one authentication and account management PAM module option for LDAP. See the pam_ldap(5) man page for more information about the features currently supported with pam_ldap.

If you have selected both the per-user mode and the self credentials option, then you must also enable the PAM Kerberos pam_krb5(5) pam modules. See pam_krb5(5) and the System Administration Guide: Security Services documentation for further details.

Configuring PAM to Use UNIX policy

To configure PAM to use UNIX policy, follow the sample in Example pam.conf File for pam_ldap. Add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file. For details, see the pam.conf(4) man page.

Configuring PAM to Use LDAP server_policy

To configure PAM to use LDAP server_policy, follow the sample in Example pam_conf file for pam_ldap Configured for Account Management. Add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file. In addition, if any PAM module in the sample pam.conf file specifies the binding flag and the server_policy option, use the same flag and option for the corresponding module in the client's /etc/pam.conf file. Also, add the server_policy option to the line that contains the service module pam_authtok_store.so.1.


Note –

Previously, if you enabled pam_ldap account management, all users needed to provide a login password for authentication any time they logged in to the system. Therefore, nonpassword-based logins using tools such as rsh, rlogin, or ssh would fail.

Now, however, pam_ldap(5), when used with Sun Java System Directory Servers DS5.2p4 and newer releases, enables users to log in with rsh, rlogin, rcp and ssh without giving a password.

pam_ldap(5) is now modified to perform account management and retrieve the account status of users without authenticating to Directory Server as the user logging in. The new control to this on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default.

To modify this control for other than default, add Access Control Instructions (ACI) on Directory Server:


dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid:1.3.6.1.4.1.42.2.27.9.5.8
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; 
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config