Chapter 15 Setting Up Sun ONE Directory Server 5.1 (Tasks)

This chapter describes how to configure Sun^TM ONE Directory Server 5.1 (formerly iPlanet^TM Directory Server 5.1) to support a network of Solaris LDAP naming services clients. The information is specific to the Sun ONE Directory Server.

You must have already performed all the procedures described in Chapter 11 before you can configure Sun ONE Directory Server 5.1 to work with Solaris LDAP clients.

A directory server (an LDAP server) cannot be its own client.

This chapter covers the following topics.

• Configuring Sun ONE Directory Server 5.1 Using idsconfig

• Using Service Search Descriptors to Modify Client Access to Various Services

• Running idsconfig

• Populating the Directory Server Using ldapaddent

• Managing Printer Entries

• Populating the Directory Server With Additional Profiles

• Configuring the Directory Server to Enable Password Management

Configuring Sun ONE Directory Server 5.1 Using idsconfig

Creating a Checklist Based on Your Server Installation

During the server installation process, you will have defined crucial variables, with which you should create a checklist similar to the one below before launching idsconfig. You can use the blank checklist provided in Blank Checklists.

The information included below will serve as the basis for all examples that follow in the LDAP related chapters. The example domain is of an widget company, Example, Inc. with stores nationwide. The examples will deal with the West Coast Division, with the domain west.example.com

If you are using hostnames in defining defaultServerList or preferredServerList, you MUST ensure LDAP is not used for hosts lookup. This means ldap must not be in /etc/nsswitch.conf hosts line.

Client profiles are defined per domain. At least one profile must be defined for a given domain.

Attribute Indexes

idsconfig indexes the following list of attributes for improved performance.

Schema Definitions

idsconfig(1M) automatically adds the necessary schema definitions. Unless you are very experienced in LDAP administration, do not manually modify the server schema. See Chapter 18, LDAP General Reference (Reference) for an extended list of schemas used by the LDAP naming service.

Using Browsing Indices

The browsing index functionality of the Sun ONE Directory Server, otherwise known as the virtual list view, provides a way in which a client can view a select group or number of entries from very long list, thus making the search process less time consuming for each client. Browsing Indexes provide optimized, predefined search parameters with which the Solaris LDAP naming client can access specific information from the various services more quickly. Keep in mind that if you do not create browsing indexes, the clients may not get all the entries of a given type because the server limits for search time or number of entries might not be enforced.

Indexes are configured on the directory server and the proxy user has read access to these indexes.

Refer to the Sun ONE Directory Server Administrators Guide 5.1 for information on configuring indexes on the Sun ONE Directory Server as well as the performance cost associated with using them.

In the following example, note that the -n option denotes the name of the database with the entries to be indexed and and the -s option denotes the instance of the directory server.

idsconfig creates all the default VLV indices.

directoryserver -s ipdserver vlvindex -n userRoot -T getgrent
directoryserver -s ipdserver vlvindex -n userRoot -T gethostent
directoryserver -s ipdserver vlvindex -n userRoot -T getnetent
directoryserver -s ipdserver vlvindex -n userRoot -T getpwent
directoryserver -s ipdserver vlvindex -n userRoot -T getrpcent
directoryserver -s ipdserver vlvindex -n userRoot -T getspent

Using Service Search Descriptors to Modify Client Access to Various Services

A service search descriptor (SSD) changes the default search request for a given operation in LDAP to a search you define. SSDs are particularly useful if, for example, you have been using LDAP with customized container definitions or another operating system and are now transitioning to Solaris 9. Using SSDs, you can configure Solaris 9 LDAP naming services without having to change your existing LDAP database and data.

Setting Up SSDs Using idsconfig

Assume your predecessor at Example, Inc. had configured LDAP, storing users in ou=Users container. You are now upgrading to Solaris 9. By definition, Solaris 9 LDAP assumes that user entries are stored in ou=People container. Thus, when it comes to searching the passwd service, LDAP will search the ou=people level of the DIT and not find the correct values.

One rather laborious solution to the above problem would be to completely overwrite Example, Inc.'s existing DIT and to rewrite all the exiting applications on Example, Inc.'s network so that they are compatible with the new LDAP naming service. A second, far preferable solution would be to use an SSD that would tell LDAP to look for user info in an ou=Users container instead the default ou=people container.

You would define the necessary SSD during the configuration of the Sun ONE Directory Server 5.1 using idsconfig. The prompt line appears as follows.

Do you wish to setup Service Search Descriptors (y/n/h? y
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
Enter menu choice: [Quit] a
Enter the service id: passwd
Enter the base: service ou=user,dc=west,dc=example,dc=com
Enter the scope: one[default]
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
Enter menu choice: [Quit] p

Current Service Search Descriptors:
==================================
Passwd:ou=Users,ou=west,ou=example,ou=com?

Hit return to continue.

  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's

  Q  Exit menu
Enter menu choice: [Quit] q

Running idsconfig

You do not need special rights to run idsconfig, nor do you need to be an LDAP naming client. Remember to create a checklist as mentioned in Creating a Checklist Based on Your Server Installation in preparation for running idsconfig. You don not have to run idsconfig from a server or an LDAP naming service client machine. You can run idsconfig from any Solaris machine on the network.

idsconfig sends the Directory Manager's password in the clear. If you do not want this to happen, you must run idsconfig on the directory server itself, not on a client.

How to Configure Sun ONE Directory Server Using idsconfig

1. Make sure the target Sun ONE Directory Server 5.1 is up and running.

2. Run idsconfig.

   # /usr/lib/ldap/idsconfig

3. Answer the questions prompted. Note that 'no' [n] is the default user input. If you need clarification on any given question, type

   h

   and a brief help paragraph will appear.

Refer to the following example run of idsconfig using the definitions listed in the server and client checklists at the beginning of this chapter in Creating a Checklist Based on Your Server Installation. It is an example of a simple setup, without modifying many of the defaults. The most complicated method of modifying client profiles is by creating SSDs. Refer to Using Service Search Descriptors to Modify Client Access to Various Services for a detailed discussion.

A carriage return sign after the prompt means that you are accepting the [default] by hitting enter.

Example 15–1 Running idsconfig for the Example, Inc. Network

(sysadmin@test) [3:10pm] ns_ldap [31] % sh idsconfig.sh

It is strongly recommended that you BACKUP the directory server
before running idsconfig.sh.

Hit Ctrl-C at any time before the final confirmation to exit.

Do you wish to continue with server setup (y/n/h)? [n] Y

Enter the Sun ONE Directory Server's (Sun ONE Directory Server) 
hostname to setup: IPDSERVER

Enter the port number for Sun ONE Directory Server (h=help): [389] 
Enter the directory manager DN: [cn=Directory Manager] 
Enter passwd for cn=Directory Manager : 
Enter the domainname to be served (h=help): [west.example.com] 
Enter LDAP Base DN (h=help): [dc=west,dc=example,dc=com] 
Enter the profile name (h=help): [default] 
Default server list (h=help): [192.168.0.0] 
Preferred server list (h=help): 
Choose desired search scope (one, sub, h=help):  [one] 
The following are the supported credential levels:
  1  anonymous
  2  proxy
  3  proxy anonymous
Choose Credential level [h=help]: [1] 2

The following are the supported Authentication Methods:
  1  none
  2  simple
  3  sasl/DIGEST-MD5
  4  tls:simple
  5  tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 2

Current authenticationMethod: simple

Do you want to add another Authentication Method? N

Do you want the clients to follow referrals (y/n/h)? [n] Y

Do you want to modify the server timelimit value (y/n/h)? [n] Y

Enter the time limit for Sun ONE Directory Server (current=3600): [-1]

Do you want to modify the server sizelimit value (y/n/h)? [n] Y

Enter the size limit for Sun ONE Directory Server (current=2000): [-1]

Do you want to store passwords in "crypt" format (y/n/h)? [n] Y

Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30] 
Profile Time To Live in seconds (h=help): [43200] 

Bind time limit in seconds (h=help): [10] 2

Do you wish to setup Service Search Descriptors (y/n/h)? [n] 
 
              Summary of Configuration

  1  Domain to serve               : west.example.com
  2  Base DN to setup              : dc=west,dc=example,dc=com
  3  Profile name to create        : default
  4  Default Server List           : 192.168.0.0
  5  Preferred Server List         : 
  6  Default Search Scope          : one
  7  Credential Level              : proxy
  8  Authentication Method         : simple
  9  Enable Follow Referrals       : TRUE
 10  Sun ONE Directory Server Time Limit                : -1
 11  Sun ONE Directory Server Size Limit                : -1
 12  Enable crypt password storage : TRUE
 13  Service Auth Method pam_ldap  : 
 14  Service Auth Method keyserv   : 
 15  Service Auth Method passwd-cmd: 
 16  Search Time Limit             : 30
 17  Profile Time to Live          : 43200
 18  Bind Limit                    : 2
 19  Service Search Descriptors Menu

Enter config value to change: (1-19 0=commit changes) [0] 
Enter DN for proxy agent:[cn=proxyagent,ou=profile,dc=west,dc=example,dc=com]
Enter passwd for proxyagent: 
Re-enter passwd: 
 

WARNING: About to start committing changes. (y=continue, n=EXIT) Y

1. Changed timelimit to -1 in cn=config.
  2. Changed sizelimit to -1 in cn=config.
  3. Changed passwordstoragescheme to "crypt" in cn=config.
  4. Schema attributes have been updated.
  5. Schema objectclass definitions have been added.
  6. Created DN component dc=west.
  7. NisDomainObject added to dc=west,dc=example,dc=com.
  8. Top level "ou" containers complete.
  9. Nis maps: auto_home auto_direct auto_master auto_shared processed.
  10. ACI for dc=west,dc=example,dc=com modified to disable self modify.
  11. Add of VLV Access Control Information (ACI).
  12. Proxy Agent cn=proxyagent,ou=profile,dc=west,dc=example,dc=com added.
  13. Give cn=proxyagent,ou=profile,dc=west,dc=example,dc=com read permission for 
password.
  14. Generated client profile and loaded on server.
  15. Processing eq,pres indexes:
      ipHostNumber (eq,pres)   Finished indexing.                  
      uidNumber (eq,pres)   Finished indexing.                  
      ipNetworkNumber (eq,pres)   Finished indexing.                  
      gidnumber (eq,pres)   Finished indexing.                  
      oncrpcnumber (eq,pres)   Finished indexing.                  
  16. Processing eq,pres,sub indexes:
      membernisnetgroup (eq,pres,sub)   Finished indexing.                  
      nisnetgrouptriple (eq,pres,sub)   Finished indexing.                  
  17. Processing VLV indexes:
      getgrent vlv_index   Entry created
      gethostent vlv_index   Entry created
      getnetent vlv_index   Entry created
      getpwent vlv_index   Entry created
      getrpcent vlv_index   Entry created
      getspent vlv_index   Entry created

idsconfig.sh: Setup of Sun ONE Directory Server server ipdserver is complete.


Note: idsconfig has created entries for VLV indexes.  Use the 
      directoryserver(1m) script on ipdserver to stop
      the server and then enter the following vlvindex
      sub-commands to create the actual VLV indexes:

  directoryserver -s ipdserver vlvindex -n userRoot -T getgrent
  directoryserver -s ipdserver vlvindex -n userRoot -T gethostent
  directoryserver -s ipdserver vlvindex -n userRoot -T getnetent
  directoryserver -s ipdserver vlvindex -n userRoot -T getpwent
  directoryserver -s ipdserver vlvindex -n userRoot -T getrpcent
  directoryserver -s ipdserver vlvindex -n userRoot -T getspent

Any parameters left blank in the summary screen will not be set up.

After idsconfig has completed the setup of the directory, you need to run the specified commands on the server before the server setup is complete and the server is ready to serve clients.

Populating the Directory Server Using ldapaddent

Before populating the directory server with data, you must configure the server to store passwords in Unix Crypt format if you are using pam_unix. If you are using pam_ldap, you can store passwords in any format. For more information about setting the password in UNIX crypt format, see the Sun ONE Directory Server documents.

ldapaddent(1M) can only run on a client which is already configured for the LDAP naming service.

ldapaddent reads from the standard input (that being an /etc/filename like passwd) and places this data to the container associated with the service. Client configuration determines how the data will be written by default.

How to Populate Sun ONE Directory Server 5.1 With User Password Data Using ldapaddent

1. Use the ldapaddent command to add /etc/passwd entires to the server.

   # ldapaddent -D "cn=directory manager" -f /etc/passwd passwd

See ldapaddent(1M). See Chapter 13, Basic Components and Concepts (Overview) for information about LDAP security and write-access to the directory server.

Managing Printer Entries

Adding Printers

To add printer entries to the LDAP directory, use either the printmgr configuration tool or the lpset -n ldap command-line utility. See lpset(1M). Note that the printer objects added to the directory only define the connection parameter, required by print system clients, of printers. Local print server configuration data is still held in files. A typical printer entry would look like the following:

printer-uri=myprinter,ou=printers,dc=mkg,dc=example,dc=com
objectclass=top
objectclass=printerService
objectclass=printerAbstract
objectclass=sunPrinter
printer-name=myprinter
sun-printer-bsdaddr=printsvr.example.com,myprinter,Solaris
sun-printer-kvp=description=HP LaserJet (PS)
printer-uri=myprinter

Using lpget

lpget(1M) can be used to list all printer entries known by the LDAP client's LDAP directory. If the LDAP client's LDAP server is a replica server, then printers listed might not be the same as that in the master LDAP server depending on the update replication agreement. See lpget(1M) for more information.

For example, to list all printers for a given base DN, type the following:

# lpget -n ldap list

myprinter:
	dn=myprinter,ou=printers,dc=mkt,dc=example,dc=com
	bsdaddr=printsvr.example.com,myprinter,Solaris
	description=HP LaserJet (PS)

Populating the Directory Server With Additional Profiles

Use ldapclient with the genprofile option to create an LDIF representation of a configuration profile, based on the attributes specified. The profile you create can then be loaded into an LDAP server to be used as the client profile. The client profile can be downloaded by the client by using ldapclient init.

Refer to ldapclient(1M) for information about using ldapclient genprofile.

How to Populate the Directory Server With Additional Profiles Using ldapclient

1. Become superuser.

2. Use ldapclient with the genprofile command.

   # ldapclient genprofile -a profileName=myprofile \

   -a defaultSearchBase=dc=west,dc=example,dc=com \

   -a "defaultServerList=192.168.0.0 192.168.0.1:386" \

   > myprofile.ldif

3. Upload the new profile to the server.

   # ldapadd –h 192.168.0.0 —D “cn=directory manager” —f myprofile.ldif

Configuring the Directory Server to Enable Password Management

See the “User Account Management” chapter in the Sun ONE Directory Server 5.1 Administrator's Guide for how to use the Directory Server Console or ldapmodify to configure the password management policy for the LDAP directory. In order for pam_ldap to work properly, the password and account lockout policy must be properly configured on the server.

Passwords for proxy users should never be allowed to expire. If proxy passwords expire, clients using the proxy credential level cannot retrieve naming service information from the server. To ensure that proxy users have passwords that do not expire, modify the proxy accounts with the following script.

# ldapmodify -h ldapserver —D administrator DN \
 -w  administrator password <<EOF 
 dn: proxy user DN
 DNchangetype: modify
 replace: passwordexpirationtime 
 passwordexpirationtime: 20380119031407Z 
 EOF

pam_ldap password management relies on Sun ONE Directory Server 5.1 to maintain and provide password aging and account expiration information for users. The directory server does not interpret the corresponding data from shadow entries to validate user accounts. pam_unix, however, examines the shadow data to determine if accounts are locked or if passwords are aged. Since the shadow data is not kept up to date by the LDAP naming services or the directory server, pam_unix should not grant access based on the shadow data. The shadow data is retrieved using the proxy identity. Therefore, do not allow proxy users to have read access to the userPassword Attribute. Denying proxy users read access to userPassword prevents pam_unix from making an invalid account validation.