Solaris Trusted Extensions Installation and Configuration

Configuring the Solaris Management Console for LDAP (Task Map)

The Solaris Management Console is the GUI for administering the network of systems that are running Trusted Extensions.

Task: Initialize the Solaris Management Console.
Description: Initialize the Solaris Management Console. This procedure is performed once per system in the global zone.
For Instructions: Initialize the Solaris Management Console Server in Trusted Extensions

Task: Register credentials.
Description: Authenticate the Solaris Management Console with the LDAP server.
For Instructions: Register LDAP Credentials With the Solaris Management Console

Task: Enable LDAP administration on a system.
Description: By default, LDAP administration is turned off at installation. You explicitly enable particular systems to be LDAP administration systems.
For Instructions: Enable an LDAP Client to Administer LDAP

Task: Create the LDAP toolbox.
Description: Create the LDAP toolbox in the Solaris Management Console for Trusted Extensions.
For Instructions: Edit the LDAP Toolbox in the Solaris Management Console

Task: Verify communications.
Description: Verify that Trusted Extensions hosts can become LDAP clients.
For Instructions: Make the Global Zone an LDAP Client in Trusted Extensions

Procedure: Register LDAP Credentials With the Solaris Management Console

Before You Begin

You must be the root user on an LDAP server that is running Trusted Extensions. The server can be a proxy server.

Your Sun Java System Directory Server must be configured. You have completed one of the following configurations:

  1. Register the LDAP administrative credentials.


    # /usr/sadm/bin/dtsetup storeCred
    Administrator DN: <the value for cn on your system>
    Password: <the Directory Manager password>
    Password (confirm): <retype the password>

  2. Verify communications with the Directory Server.


    # /usr/sadm/bin/dtsetup scopes
    Getting list of manageable scopes...
    Scope 1 file:<name of the file scope>
    Scope 2 ldap:<name of the ldap scope>


    Your LDAP server setup determines the LDAP scopes that are listed. After the server is registered, the LDAP toolbox can be edited, and then used.


Example 5–1 Registering LDAP Credentials

In this example, the name of the LDAP server is LDAP1, the name of the LDAP client is myhost, and the value for cn is the default, Directory Manager.


# /usr/sadm/bin/dtsetup storeCred
Administrator DN:cn=Directory Manager
Password:abcde1;!
Password (confirm):abcde1;!
# /usr/sadm/bin/dtsetup scopes
Getting list of manageable scopes...
Scope 1 file:/myhost/myhost
Scope 2 ldap:/myhost/dc=myhost,dc=example,dc=com

Procedure: Enable an LDAP Client to Administer LDAP

By default, systems are installed so that they do not listen on ports that present security risks. Therefore, you must explicitly turn on network communications with the LDAP server. Perform this procedure only on systems from which you plan to administer your network of systems and users.

Before You Begin

You must be superuser or in the Security Administrator role in the global zone.

  1. Enable the system to administer LDAP.


    # svccfg -s wbem setprop options/tcp_listen=true
    

    To view the LDAP toolbox, you must complete Edit the LDAP Toolbox in the Solaris Management Console.

Procedure: Edit the LDAP Toolbox in the Solaris Management Console

Before You Begin

You must be superuser. The LDAP credentials must be registered with the Solaris Management Console, and you must know the output of the /usr/sadm/bin/dtsetup scopes command. For details, see Register LDAP Credentials With the Solaris Management Console.

  1. Find the LDAP toolbox.


    # cd /var/sadm/smc/toolboxes/tsol_ldap
    # ls *tbx
    tsol_ldap.tbx

  2. Provide the LDAP server name.

    1. Open the trusted editor.

    2. Copy and paste the full pathname of the tsol_ldap.tbx toolbox as the argument to the editor.

      For example, the following path is the default location of the LDAP toolbox:


      /var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx

    3. Replace the scope information.

      Replace the server tags between the <Scope> and </Scope> tags with the output of the ldap:/...... line from the /usr/sadm/bin/dtsetup scopes command.

      <Scope>ldap:/<myhost>/<dc=domain,dc=suffix></Scope>

    4. Replace every instance of <?server?> or <?server ?> with the LDAP server.


      <Name> ldap-server-name: Scope=ldap, Policy=TSOL</Name>
      services and configuration of ldap-server-name.</Description>
      and configuring ldap-server-name.</Description>
      <ServerName>ldap-server-name</ServerName>
      <ServerName>ldap-server-name</ServerName>

    5. Save the file, and exit the editor.

  3. Stop and start the wbem service.

    The smc daemon is controlled by the wbem service.


    # svcadm disable wbem
    # svcadm enable wbem
    

Example 5–2 Configuring the LDAP Toolbox

In this example, the name of the LDAP server is LDAP1. To configure the toolbox, the administrator replaces every instance of <?server?> with LDAP1.


<Name>LDAP1: Scope=ldap, Policy=TSOL</Name>
services and configuration of LDAP1.</Description>
and configuring LDAP1.</Description>
<ServerName>LDAP1</ServerName>
<ServerName>LDAP1</ServerName>

Procedure: Verify That the Solaris Management Console Contains Trusted Extensions Information

Before You Begin

You must be logged in to an LDAP client in an administrative role, or as superuser. To make a system an LDAP client, see Make the Global Zone an LDAP Client in Trusted Extensions.

To use the LDAP toolbox, you must have completed Edit the LDAP Toolbox in the Solaris Management Console and Initialize the Solaris Management Console Server in Trusted Extensions.

  1. Start the Solaris Management Console.


    # /usr/sbin/smc &
    
  2. Open a Trusted Extensions toolbox.

    A Trusted Extensions toolbox has the value Policy=TSOL.

    • To check that local files can be accessed, open the This Computer (this-host: Scope=Files, Policy=TSOL) toolbox.

    • To check that databases on the LDAP server can be accessed, open the This Computer (this-host: Scope=LDAP, Policy=TSOL) toolbox.

  3. Under System Configuration, navigate to Computers and Networks, then Security Templates.

  4. Check that the correct templates and labels have been applied to the remote systems.

Troubleshooting

To troubleshoot LDAP configuration, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).