Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Step 1: Configure an LDAP Repository for PAM

This section explains how to configure an Identity Synchronization for Windows-supported LDAP repository for PAM, using the following example information:


Note –

Before you begin, consult the Sun Java System Directory Server Enterprise Edition 6.1 Installation Guide to verify that you are using a supported directory server.

To get PAM to work with Directory Server, edit the /usr/lib/ldap/idsconfig script and change the 5 to 6 in the following line (the Directory Server major-version check):

if [ "${IDS_MAJVER}" != "5" ]; then
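The same edit done as a script with a backup and a sanity check, as an added example that is not part of the guide; the script path is a parameter so it can be tried on a constructed copy before touching the real /usr/lib/ldap/idsconfig:

```shell
#!/bin/sh
# Added example (not from the Sun guide): change the IDS_MAJVER check in a copy
# of idsconfig from "5" to "6". The path is an argument so the functions can be
# exercised on a constructed copy first.
set -u

# Succeeds only when FILE contains exactly one copy of the line the guide says
# to edit; refusing on zero or several matches keeps sed from touching an
# unexpected line in a differently patched script.
check_idsconfig_line() {
    file="$1"
    n=$(grep -cF 'if [ "${IDS_MAJVER}" != "5" ]; then' "$file")
    [ "$n" -eq 1 ]
}

# Backs up FILE (mode preserved), rewrites "5" to "6" on the IDS_MAJVER line
# only, verifies the result, and prints the backup path.
patch_idsconfig() {
    file="$1"
    check_idsconfig_line "$file" || return 1
    backup="$file.orig.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 1
    # Address /IDS_MAJVER/ restricts the substitution to that one line.
    sed '/IDS_MAJVER/s/!= "5"/!= "6"/' "$backup" > "$file" || return 1
    grep -qF 'if [ "${IDS_MAJVER}" != "6" ]; then' "$file" || return 1
    echo "$backup"
}

# Constructed stand-in for the real script, so the example runs offline.
demo=$(mktemp)
printf '%s\n' '#!/bin/sh' 'IDS_MAJVER=6' \
    'if [ "${IDS_MAJVER}" != "5" ]; then' '  echo "unsupported version"' 'fi' > "$demo"
patch_idsconfig "$demo" && grep -n 'IDS_MAJVER' "$demo"
```

On a real host, pass /usr/lib/ldap/idsconfig as the argument; the printed backup path is the untouched original.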

Use the following steps to configure an Identity Synchronization for Windows-supported LDAP repository for PAM.

  1. Configure the LDAP store using the Solaris idsconfig command line tool.

    The idsconfig tool prompts you for the values needed to form the Directory Information Tree (DIT) that the LDAP store will contain. It also modifies the LDAP store schema as required to accommodate the user population you will load.

    When you configure the test system, the following idsconfig summary screen is displayed:

    Summary of Configuration Screen

    Note –

    While running the idsconfig command line tool, you need to know the values to supply for the various configuration parameters. If you do not know a value, accept the default offered at the prompt (except for configuration parameters 1, 2, and 4).


  2. Change the value of a configuration parameter by entering the number shown next to it.

  3. Select a value from the list of predefined options offered for the selected parameter.

  4. Check the values of the following key parameters:

    • Domain to serve

    • Base DN to setup

    • Profile name to create

    • Service Auth Method pam_ldap

      If necessary, use the idsconfig tool to change these parameter values so that they fit your deployment scenario. If you are working in a test environment where you can change DNS entries and set machine IP addresses to arbitrary values, you can use the names and addresses provided in this appendix.

  5. Continue with the proxy creation initiated by the idsconfig tool. Provide the appropriate values (default or custom) for the various parameters to complete the configuration.

  6. After idsconfig stores the generated configuration, it directs you to create virtual list view (VLV) indexes.


    Note –

    VLV indexes (also called browsing indexes) enable PAM to quickly search for groups, users, and so forth. Refer to the following website for information about creating VLV indexes:

    Managing Browsing Indexes in Sun Java System Directory Server Enterprise Edition 6.1 Administration Guide


    Pay particular attention to the number of VLV indexes that you are prompted to create. The list of VLV indexes that idsconfig offers depends on the state in which it finds the LDAP store.

    The following figure shows the resulting topology, as seen from the Sun Java System Directory Server console:

    Resulting Topology

    When you are finished configuring the LDAP repository for PAM, continue to Step 3: Populating the LDAP Repository.