System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Enabling Shadow Updating in LDAP

Starting in the Solaris 10 10/09 release, the enableShadowUpdate switch is available.

ProcedureHow to Initialize a Client to Enable the Updating of Shadow Data

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

  2. To set the enableShadowUpdate switch and define the admin credential, run the ldapclient command.

    • To update an already running client, run this command:

      # ldapclient mod -a enableShadowUpdate=TRUE \
      -a adminDN=cn=admin,ou=profile,dc=west,dc=example,dc=com \
      -a adminPassword=admin-password
      System successfully configured
    • To initialize a client, run this command:

      # ldapclient init \
      -a adminDN=cn=admin,ou=profile,dc=west,dc=example,dc=com \
      -a adminPassword=admin-password
      -a \
      -a profileName=WestUserProfile \
      -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
      -a proxyPassword=i<proxy_password> \
      System successfully configured
  3. To verify the configuration, display the contents of the /var/ldap/ldap_client_cred file.

    The output should contain lines similar to the following:

    # cat /var/ldap/ldap_client_cred
       NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
       NS_LDAP_BINDPASSWD= {NS1}4a3788f8eb85de11
       NS_LDAP_ADMIN_BINDDN= cn=admin,ou=profile,dc=west,dc=example,dc=com
       NS_LDAP_ADMIN_BINDPASSWD= {NS1}4a3788f8c053434f