ldap_gen_profile(1M) (man pages section 1M: System Administration Commands)

man pages section 1M: System Administration Commands

ldap_gen_profile(1M)

NAME

ldapclient, ldap_gen_profile- initialize LDAP client machine or create an LDIF of an LDAP client profile

SYNOPSIS

/usr/sbin/ldapclient

-v

-P

profile_name

-d

domaianname

LDAP_server_addr

/usr/sbin/ldapclient

-i

-m

-O

-v

-a

-b

baseDN

-B

alternate_search_dn

-d

domainname

-D

Bind_DN

-e

client_TTL

-o

timeout_value

-p

server_preference

-r

follow_referals

-w

client_password

LDAP_server_addr

/usr/sbin/ldapclient

-l

/usr/sbin/ldapclient

-u

-v

/usr/sbin/ldap_gen_profile

-P

profile_name

-O

-a

-b

baseDN

-B

alternate_search_dn

-d

domainname

-D

Bind_DN

-e

client_TTL

-o

timeout_value

-p

server_preference

-r

follow_referals

-w

client_password

LDAP_server_addr

DESCRIPTION

The ldapclient utility can be used to:

initialize LDAP client machines
restore the network service environment on LDAP clients
list the contents of the LDAP client cache in human-readable format.

The ldap_gen_profile utility creates (on the standard output) an LDIF file that can be loaded into an LDAP server to be used as the client profile, which can be downloaded by ldapclient .

The synopsis (-P profile_name ) is used to initialize an LDAP client machine, using a profile stored on an LDAP server specified by LDAP_server_addr . This is simplest method and will provide the default format with all the correct settings for talking to the set of servers. It will also ensure that the ldap_cachemgr(1M) can automatically update the configuration file as it changes.

The second synopsis (-i | -m ) is used to initialize a LDAP client machine. The -i option is used to convert machines to use LDAP or to change the machine's domain name. It assigns a default value for the required parameters if they are not specified. You must be logged in as superuser on the machine that is to become a LDAP client. The -m option is used to modify the parameters in the cache file. It updates the parameter specified.

The -i option in conjunction with -a none option can be used to initialize an unauthenticated LDAP client machine without having to specify a password.

If the authentication method such as simple or cram_md5r equires a password and one is not specified with the -w client_password option, the administrator is prompted for the password. If one is not provided, the command will fail.

During the client initialization process, files that are being modified are backed up as files .orig . The files that are usually modified during a client initialization are: /etc/defaultdomain , /etc/nsswitch.conf , and, if they exist, /var/yp/binding/`domainname` for a NIS(YP) client or /var/nis/NIS_COLD_START for a NIS+ client, or if the machine is already an LDAP client, /var/ldap/ldap_client_cache and /var/ldap/ldap_client_cred . Note that a file will not be saved if a backup file already exists.

The -i option does not set up an LDAP client to resolve hostnames using DNS. Refer to the DNS documentation for information on setting up DNS. See resolv.conf(4) .

The third synopsis (-l ) is used to list the LDAP client cache. The output will be human-readable (cache files are not guaranteed to be human-readable.)

The fourth synopsis (-u ) is used to uninitialize the network service environment, restoring it to the one in use before ldapclient -i was executed. You must be logged in as superuser on the machine that is to be restored. The restoration will succeeds only if the machine was initialized with ldapclient -i because it uses the backup files created by the -i option.

The machine must be rebooted after initializing a machine or restoring the network service.

OPTIONS

The following options are supported:

-a none | simple | cram_md5: Specify authentication method. Multiple values can be specified, separated by commas. The default value is none . If simple or cram_md5 is specified, a password must be provided (see -w below).
-b baseDN: Specify search baseDN (for example dc=eng ,dc=sun ,dc=com .) The default is the root naming context on the first server specified.
-B alternate_search_dn: Specify alternative baseDN for LDAP searches (for example, ou=people ,dc=corp ,dc=sun ,dc=com .) An define alternative search baseDN can be defined for each database possible in the /etc/nsswitch.conf file (see nsswitch.conf(4) ). To remove a specific alternate baseDN, specify the database without any argument (for example, "passwd :"). The default value for all databases is NULL .
-d domainname: Specify the domain name (which becomes the defaultdomain for the machine). The default is the current domain name.
-D Bind_DN: Specify the Bind Distinguished Name (for example, cn=proxyagent ,ou=profile ,cd=eng ,dc=sun ,dc=com .)
-e client_TTL: Specify the TTL value for the client information. This is only relevant if the machine was initialized with a client profile. Set client_TTL to 0 (zero) if you do not wish for ldap_cachemgr to attempt an automatic refresh from the servers. The times are specified with either a zero ``0'' (for no expiration) or a positive integer and either ``d'' for days, ``h'' for hours, ``m'' for minutes or ``s'' for seconds. The default is 12h.
-i: Initialize client.
-l (ell): List the contents of the LDAP client cache. The output (sent to standard output) is meant to be easily readable (the direct contents of the cache files might not be easily readable.).
-m: Modify parameters in the configuration file.
-o timeout_value: Specify LDAP operation timeout value. The default is the TCP default (usually 3 minutes.)
-O: Inform the client to contact only the servers on the preferred list (if for instance they are at the wrong end of a WAN). The default is FALSE.
-p server_preference: Specify the server preference list (for example, 129.100.100.0:8080,129.100.200.1:386.) The preferred servers can be defined either by the server specific address or the subnet that the server resides. To remove the server preference, specify "" for the -p option. The default preference is the local subnet.
-P profile_name: Specify a profile that is downloaded from the server and sets all the entries automatically. This option also sets an expiration time that ldap_cachemgr can use to automatically update the file if needed. The default profile_name is 'default ' and is stored in the bind distinguished name. The profile name is also stored in cache file.
-r follow_referals: Specify the search referal option, either followref or noref . The default is followref .
-u: Uninitialize LDAP client. This option is appropriate only if ldapclient was used to initialize client.
-v: Specify verbose mode.
-w client_password: Specify client password for simple and cram_md5 authentication modes. This option is not required if authentication mode is none .

OPERANDS

The following operands are supported:

LDAP_server_addr: Server address (for example, 129.100.100.1:389,129.100.200.1.) The port number is optional; if not specified, the default LDAP server port number ':389' is used.

EXAMPLES

Example 1 Setup a client using the default profile stored on the server specified.

Setup a client using the default profile stored on the server specified. This should list all the correct values for talking to your domain.

example# ldapclient -P default 129.100.100.1

Example 2 Setup a client using only one server and with authentication mode of `none` .

example# ldapclient -i -a none 129.100.100.1

Example 3 Setup a client using only one server and with authentication mode of `cram_md5` .

Setup an LDAP client to use cram_md5 with client password "secret", with the domain information expiring once a week, with no search dereference, with the domain name "xyz.sun.com", and with the LDAP server running on port number 386 at IP address 129.100.100.1.

example# ldapclient -i -a cram_md5 -w secret -d xyz.sun.com. \\
   -r noref 129.100.100.1:386

Example 4 Setup a client using two servers and with authentication mode of `simple` .

Setup an LDAPclient using two servers and with authentication mode of simple . The user will be prompted for a client password.

example# ldapclient -i 129.100.100.1 129.100.234.15:386

Example 5 Setup a client with authentication mode of `none` .

Setup an LDAP client with authentication mode of none that does not try an encrypt the transport with SSL and talks to only one server.

example# ldapclient -i -a none -a 129.140.44.1

Example 6 Use `ldap_gen_profile` to set only the Base DN and the server addresses.

Use ldap_gen_profile to set only the Base DN and the server addresses, usoing all possible default values.

example# ldap_gen_profile \\
   -D cn=proxyagent,ou=profile,cd=eng,dc=sun,dc=com \\
   129.100.100.1 129.100.234.15:386 > ldif_profile

Example 7 Create a profile overriding every default value.

example# ldap_gen_profile -P eng -a cram_md5 -d ge.co.uk -w test123 \\
   -b dc=eng,dc=ge-uk,dc=com -B ou=people,dc=lab,dc=ge-uk,dc=com \\
   -D cn=proxyagent,ou=profile,cd=eng,dc=ge-uk,dc=com -r noref \\
   -e 1h -O -p 129.100.100.0 -o 30s 129.100.200.1 129.100.100.1 \\
   204.34.5.6 > ldif_profile

FILES

/var/ldap/ldap_client_cache: contains a list of servers, their transport addresses, and the security method used to access them
/var/ldap/ldap_client_cred: contains Bind Distinguished Name (see -D above) and the encrypted password
/etc/defaultdomain: system default domainname, matching the domainname of the "NIS data" in the LDAP servers
/etc/nsswitch.conf: configuration file for the name-service switch
/etc/nsswitch.ldap: sample configuration file that uses "files" and "ldap"

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWnisu