Oracle Solaris Trusted Extensions Configuration Guide

Procedure: Make the Global Zone an LDAP Client in Trusted Extensions

For LDAP, this procedure establishes the naming service configuration for the global zone. If you are not using LDAP, you can skip this procedure.

Starting in the Solaris 10 5/08 release, if you are in a Solaris Trusted Extensions (CDE) workspace, you can use the txzonemgr script or a Trusted CDE action to create an LDAP client. If you are in a Solaris Trusted Extensions (JDS) or a Solaris Trusted Extensions (GNOME) workspace, you must use the txzonemgr script.


Note –

If you plan to set up a name server in each labeled zone, you are responsible for establishing the LDAP client connection to each labeled zone.


Before You Begin

The Sun Java System Directory Server, that is, the LDAP server, must exist. The server must be populated with Trusted Extensions databases, and this system must be able to contact the server. So, the system that you are configuring must have an entry in the tnrhdb database on the LDAP server, or this system must be included in a wildcard entry before you perform this procedure.

If an LDAP server that is configured with Trusted Extensions does not exist, you must complete the procedures in Chapter 5, Configuring LDAP for Trusted Extensions (Tasks) before you perform this procedure.

  1. If you are using DNS, modify the nsswitch.ldap file.

    1. Save a copy of the original nsswitch.ldap file.

      The standard naming service switch file for LDAP is too restrictive for Trusted Extensions.


      # cd /etc
      # cp nsswitch.ldap nsswitch.ldap.orig
      
    2. Change the nsswitch.ldap file entries for the following services.

      The correct entries are similar to the following:


      hosts:    files dns ldap
      
      ipnodes:    files dns ldap
      
      networks:   ldap files
      protocols:  ldap files
      rpc:        ldap files
      ethers:     ldap files
      netmasks:   ldap files
      bootparams: ldap files
      publickey:  ldap files
      
      services:   files

      Note that Trusted Extensions adds two entries:


      tnrhtp:    files ldap
      tnrhdb:    files ldap
    3. Copy the modified nsswitch.ldap file to nsswitch.conf.


      # cp nsswitch.ldap nsswitch.conf
      
  2. Perform one of the following steps to create an LDAP client.

    • Run the txzonemgr script and answer the prompts about LDAP.

      The Create LDAP Client menu item configures the global zone only.

      1. Follow the instructions in Run the txzonemgr Script.

        The title of the dialog box is Labeled Zone Manager.

      2. Select Create LDAP Client.

      3. Answer the following prompts and click OK after each answer:


        Enter Domain Name:                          Type the domain name
        Enter Hostname of LDAP Server:              Type the name of the server
        Enter IP Address of LDAP Server servername: Type the IP address
        Enter LDAP Proxy Password:                  Type the password to the server
        Confirm LDAP Proxy Password:                Retype the password to the server
        Enter LDAP Profile Name:                    Type the profile name
        
      4. Confirm or cancel the displayed values.


        Proceed to create LDAP Client?

        When you confirm, the txzonemgr script adds the LDAP client. Then, a window displays the command output.

    • In a Trusted CDE workspace, find and use the Create LDAP Client action.

      1. Navigate to the Trusted_Extensions folder by clicking mouse button 3 on the background.

      2. From the Workspace menu, choose Applications -> Application Manager.

      3. Double-click the Trusted_Extensions folder icon.

        This folder contains actions that set up interfaces, LDAP clients, and labeled zones.

      4. Double-click the Create LDAP Client action.

        Answer the following prompts:


        Domain Name:               Type the domain name
        Hostname of LDAP Server:   Type the name of the server
        IP Address of LDAP Server: Type the IP address
        LDAP Proxy Password:       Type the password to the server
        Profile Name:              Type the profile name
        
      5. Click OK.

        The following completion message appears:


        global zone will be LDAP client of LDAP-server
        System successfully configured.
        
        *** Select Close or Exit from the window menu to close this window ***
      6. Close the action window.

  3. In a terminal window, set the enableShadowUpdate parameter to TRUE.


    # ldapclient -v mod -a enableShadowUpdate=TRUE \
    > -a adminDN=cn=admin,ou=profile,dc=domain,dc=suffix
    System successfully configured

    The Create LDAP Client action and the txzonemgr script run the ldapclient init command only. In Trusted Extensions, you must also modify an initialized LDAP client to enable shadow updates.

  4. Verify that the information on the server is correct.

    1. Open a terminal window, and query the LDAP server.


      # ldapclient list
      

      The output looks similar to the following:


      NS_LDAP_FILE_VERSION= 2.0
      NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=domain-name
      ...
      NS_LDAP_BIND_TIME= number
      
    2. Correct any errors.

      If you get an error, create the LDAP client again and supply the correct values. For example, the following error can indicate that the system does not have an entry on the LDAP server:


      LDAP ERROR (91): Can't connect to the LDAP server.
      Failed to find defaultSearchBase for domain domain-name
      

      To correct this error, you need to check the LDAP server.
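As an added example that is not part of this guide and not Solaris code: a small POSIX shell script that performs the nsswitch.ldap edits from Step 1 on a file (apply_te_nsswitch), checks that a resulting nsswitch.conf carries every entry this procedure requires (check_nsswitch), and checks saved ldapclient list output for the shadow-update setting from Step 3 (check_shadow_update). The function names, the NSS_EXPECTED table and the sample nsswitch.ldap are constructed for this example; that ldapclient list reports the enableShadowUpdate parameter on a line named NS_LDAP_ENABLE_SHADOW_UPDATE is an assumption.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: rewrite and verify the nsswitch
# entries that Trusted Extensions needs, and check ldapclient list output.
# Function names and the tables below are constructed for this example.

# "service=sources" pairs from Step 1.2, including the two entries that
# Trusted Extensions adds (tnrhtp and tnrhdb).
NSS_EXPECTED='hosts=files dns ldap;ipnodes=files dns ldap;networks=ldap files;protocols=ldap files;rpc=ldap files;ethers=ldap files;netmasks=ldap files;bootparams=ldap files;publickey=ldap files;services=files;tnrhtp=files ldap;tnrhdb=files ldap'

# apply_te_nsswitch IN OUT: copy IN to OUT, rewriting every service listed in
# NSS_EXPECTED to the required sources and appending any that IN lacks.
# Other lines (passwd, group, comments, ...) are passed through unchanged.
apply_te_nsswitch() {
    awk -v expected="$NSS_EXPECTED" '
    BEGIN {
        n = split(expected, pairs, ";")
        for (i = 1; i <= n; i++) {
            eq = index(pairs[i], "=")
            order[i] = substr(pairs[i], 1, eq - 1)
            want[order[i]] = substr(pairs[i], eq + 1)
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    {
        c = index($0, ":")
        svc = (c > 0) ? substr($0, 1, c - 1) : ""
        gsub(/[ \t]/, "", svc)
        if (svc in want) { printf "%s:\t%s\n", svc, want[svc]; seen[svc] = 1; next }
        print
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(order[i] in seen)) printf "%s:\t%s\n", order[i], want[order[i]]
    }' "$1" > "$2"
}

# check_nsswitch FILE: print one line per entry that is missing or differs
# from NSS_EXPECTED; exit 0 when FILE matches, 1 otherwise. A trailing comment
# or an extra option such as [NOTFOUND=return] on an entry counts as a mismatch.
check_nsswitch() {
    awk -v expected="$NSS_EXPECTED" '
    BEGIN {
        n = split(expected, pairs, ";")
        for (i = 1; i <= n; i++) {
            eq = index(pairs[i], "=")
            order[i] = substr(pairs[i], 1, eq - 1)
            want[order[i]] = substr(pairs[i], eq + 1)
        }
        bad = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        c = index($0, ":")
        if (c == 0) next
        svc = substr($0, 1, c - 1); gsub(/[ \t]/, "", svc)
        got = substr($0, c + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", got); gsub(/[ \t]+/, " ", got)
        if (!(svc in want)) next
        seen[svc] = 1
        if (got != want[svc]) {
            printf "%s: have \"%s\", need \"%s\"\n", svc, got, want[svc]
            bad++
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(order[i] in seen)) {
                printf "%s: missing, need \"%s\"\n", order[i], want[order[i]]
                bad++
            }
        exit (bad > 0)
    }' "$1"
}

# check_shadow_update FILE: FILE holds saved "ldapclient list" output.
# Assumption: ldapclient list reports the enableShadowUpdate parameter from
# Step 3 on a line named NS_LDAP_ENABLE_SHADOW_UPDATE.
check_shadow_update() {
    grep -q '^NS_LDAP_ENABLE_SHADOW_UPDATE=[[:space:]]*TRUE[[:space:]]*$' "$1"
}

# Demo on a constructed sample of a stock nsswitch.ldap (not a real system file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.ldap" <<'EOF'
# constructed sample: stock LDAP template before the Step 1.2 edits
passwd:     files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
services:   files ldap
EOF
echo "== stock template =="
check_nsswitch "$demo_dir/nsswitch.ldap" || echo "(not yet usable for Trusted Extensions)"
apply_te_nsswitch "$demo_dir/nsswitch.ldap" "$demo_dir/nsswitch.conf"
echo "== after apply_te_nsswitch =="
check_nsswitch "$demo_dir/nsswitch.conf" && echo "nsswitch.conf OK"
rm -rf "$demo_dir"
```

Run with no arguments to see the constructed sample processed. On a real system, after the backup from Step 1.1, the equivalent of Steps 1.2 and 1.3 is apply_te_nsswitch /etc/nsswitch.ldap.orig /etc/nsswitch.ldap followed by the cp to nsswitch.conf, and check_nsswitch /etc/nsswitch.conf is a quick way to confirm the copy before creating the client. check_nsswitch deliberately reports entries that still carry [NOTFOUND=return] or a trailing comment, because the procedure wants exactly the listed sources; the missing-entry report is also the first thing to look at when hosts or ipnodes lookups behave unexpectedly after the client is created.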


Example 4–2 Using Host Names After Loading a resolv.conf File

In this example, the administrator wants a particular set of DNS servers to be available to the system. The administrator copies a resolv.conf file from a server on a trusted net. Because DNS is not yet active, the administrator uses the server's IP address to locate the server.


# cd /etc
# cp /net/10.1.1.2/export/txsetup/resolv.conf resolv.conf

After the resolv.conf file is copied and the nsswitch.conf file includes dns in the hosts entry, the administrator can use host names to locate systems.