Chapter 5 Configuring LDAP for Trusted Extensions (Tasks)

This chapter covers how to configure the Sun Java^TM System Directory Server and the Solaris Management Console for use with Solaris Trusted Extensions. The Directory Server provides LDAP services. LDAP is the supported naming service for Trusted Extensions. The Solaris Management Console is the administrative GUI for local and LDAP databases.

You have two options when configuring the Directory Server. You can configure an LDAP server on a Trusted Extensions system, or you can use an existing server and connect to it by using a Trusted Extensions proxy server. Follow the instructions in one of the following task maps:

• Configuring an LDAP Server on a Trusted Extensions Host (Task Map)

• Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map)

Configuring an LDAP Server on a Trusted Extensions Host (Task Map)

Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map)

Use this task map if you have an existing Sun Java System Directory Server that is running on a Solaris system.

Configuring the Sun Java System Directory Server on a Trusted Extensions System

The LDAP naming service is the supported naming service for Trusted Extensions. If your site is not yet running the LDAP naming service, configure a Sun Java System Directory Server (Directory Server) on a system that is configured with Trusted Extensions. If your site is already running a Directory Server, then you need to add the Trusted Extensions databases to the server. To access the Directory Server, you then set up an LDAP proxy on a Trusted Extensions system.

If you do not use this LDAP server as an NFS server or as a server for Sun Ray^TM clients, then you do not need to install any labeled zones on this server.

Collect Information for the Directory Server for LDAP

1. Determine the values for the following items.

   The items are listed in the order of their appearance in the Sun Java Enterprise System Install Wizard.

   Install Wizard Prompt	Action or Information
   Sun Java System Directory Server version
   Administrator User ID	The default value is admin.
   Administrator Password	Create a password, such as admin123.
   Directory Manager DN	The default value is cn=Directory Manager.
   Directory Manager Password	Create a password, such as dirmgr89.
   Directory Server Root	The default value is /var/Sun/mps. This path is also used later if the proxy software is installed.
   Server Identifier	The default value is the local system.
   Server Port	If you plan to use the Directory Server to provide standard LDAP naming services to client systems, use the default value, 389. If you plan to use the Directory Server to support a subsequent installation of a proxy server, enter a nonstandard port, such as 10389.
   Suffix	Include your domain component, as in dc=example-domain,dc=com.
   Administration Domain	Construct to correspond to the Suffix, as in, example-domain.com.
   System User	The default value is root.
   System Group	The default value is root.
   Data Storage Location	The default value is Store configuration data on this server.
   Data Storage Location	The default value is Store user data and group data on this server.
   Administration Port	The default value is the Server Port. A suggested convention for changing the default is software-version TIMES 1000. For software version 5.2, this convention would result in port 5200.

Install the Sun Java System Directory Server

The Directory Server packages are available from the Sun Software Gateway web site.

1. Find the Sun Java System Directory Server packages on the Sun web site.

   1. On the Sun Software Gateway page, click the Get It tab.

   2. Click the checkbox for the Sun Java Identity Management Suite.

   3. Click the Submit button.

   4. If you are not registered, register.

   5. Log in to download the software.

   6. Click the Download Center at the upper left of the screen.

   7. Under Identity Management, download the most recent software that is appropriate for your platform.

2. In the /etc/hosts file, add the FQDN to your system's hostname entry.

   The FQDN is the Fully Qualified Domain Name. This name is a combination of the host name and the administration domain, as in:

   192.168.5.5 myhost myhost.example-domain.com

3. Install the Directory Server packages.

   Answer the questions by using the information from Collect Information for the Directory Server for LDAP.

4. Ensure that the Directory Server starts at every boot.

   1. Add an init.d script.

      In the following example, change the SERVER_ROOT and SERVER_INSTANCE variables to match your installation.

      /etc/init.d/ldap.directory-myhost --------------------------------------- #!/sbin/sh SERVER_ROOT=/var/Sun/mps SERVER_INSTANCE=myhost case "$1" in start) ${SERVER_ROOT}/slapd-${SERVER_INSTANCE}/start-slapd ;; stop) ${SERVER_ROOT}/slapd-${SERVER_INSTANCE}/stop-slapd ;; *) echo "Usage: $0 { start | stop }" exit 1 esac exit 0

   2. Link the init.d script to the rc2.d directory.

      /usr/bin/ln \ /etc/init.d/ldap.directory-myhost \ /etc/rc2.d/S70ldap.directory-myhost

5. Verify your installation.

   1. Examine your installation directory.

      A subdirectory that is named slapd-server-hostname must exist.

   2. Start the Directory Server.

      # installation-directory/slapd-server-hostname/restart-slapd

   3. Verify that the slapd process exists.

      # ps -ef | grep slapd ./ns-slapd -D installation-directory/slapd-server-instance -i installation-directory/slapd-server-instance/

Troubleshooting

For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

Protect Access Logs for the Sun Java System Directory Server

The LDIF script that this procedure creates sets up the following rules for access logs:

• Log events at log level 256 and create buffered logs (default).

• Rotate logs daily.

• Keep a maximum of 100 log files, and each file is at most 500 MBytes.

• Expire log files that are older than 3 months.

• Delete oldest logs if less than 500 MBytes free disk space is available.

• All log files use a maximum of 20,000 MBytes of disk space.

1. Create a script to manage access logs.

   Create a /var/tmp/logs-access.ldif file with the following content:

   dn: cn=config changetype: modify replace: nsslapd-accesslog-logging-enabled nsslapd-accesslog-logging-enabled: on - replace: nsslapd-accesslog-level nsslapd-accesslog-level: 256 - replace: nsslapd-accesslog-logbuffering nsslapd-accesslog-logbuffering: on - replace: nsslapd-accesslog-logrotationtime nsslapd-accesslog-logrotationtime: 1 - replace: nsslapd-accesslog-logrotationtimeunit nsslapd-accesslog-logrotationtimeunit: day - replace: nsslapd-accesslog-maxlogsize nsslapd-accesslog-maxlogsize: 500 - replace: nsslapd-accesslog-maxlogsperdir nsslapd-accesslog-maxlogsperdir: 100 - replace: nsslapd-accesslog-logexpirationtime nsslapd-accesslog-logexpirationtime: 3 - replace: nsslapd-accesslog-logexpirationtimeunit nsslapd-accesslog-logexpirationtimeunit: month - replace: nsslapd-accesslog-logmaxdiskspace nsslapd-accesslog-logmaxdiskspace: 20000 - replace: nsslapd-accesslog-logminfreediskspace nsslapd-accesslog-logminfreediskspace: 500

2. Run the script.

   # ldapmodify -h localhost -D 'cn=directory manager' \ -f /var/tmp/logs-access.ldif

3. Type the password.

   Enter bind password: Type the appropriate password modifying entry cn=config

Protect Error Logs for the Sun Java System Directory Server

The LDIF script that this procedure creates sets up the following rules for the error logs:

• Rotate logs weekly.

• Keep a maximum of 30 log files, and each file is at most 500 MBytes.

• Expire log files that are older than 3 months.

• Delete oldest logs if less than 500 MBytes free disk space is available.

• All log files use a maximum of 20,000 MBytes of disk space.

1. Create a script to manage error logs.

   Create a /var/tmp/logs-error.ldif file with the following content:

   dn: cn=config changetype: modify replace: nsslapd-errorlog-logging-enabled nsslapd-errorlog-logging-enabled: on - replace: nsslapd-errorlog-logexpirationtime nsslapd-errorlog-logexpirationtime: 3 - replace: nsslapd-errorlog-logexpirationtimeunit nsslapd-errorlog-logexpirationtimeunit: month - replace: nsslapd-errorlog-logrotationtime nsslapd-errorlog-logrotationtime: 1 - replace: nsslapd-errorlog-logrotationtimeunit nsslapd-errorlog-logrotationtimeunit: week - replace: nsslapd-errorlog-maxlogsize nsslapd-errorlog-maxlogsize: 500 - replace: nsslapd-errorlog-maxlogsperdir nsslapd-errorlog-maxlogsperdir: 30 - replace: nsslapd-errorlog-logmaxdiskspace nsslapd-errorlog-logmaxdiskspace: 20000 - replace: nsslapd-errorlog-logminfreediskspace nsslapd-errorlog-logminfreediskspace: 500

2. Run the script.

   # ldapmodify -h localhost -D 'cn=directory manager' -f /var/tmp/logs-error.ldif

3. Answer the prompts.

   Enter bind password: Type the appropriate password modifying entry cn=config

Configure a Multilevel Port for the Sun Java System Directory Server

To work in Trusted Extensions, the server port of the Directory Server must be configured as a multilevel port (MLP) in the global zone.

1. Start the Solaris Management Console.

   # /usr/sbin/smc &

2. Select the This Computer (this-host: Scope=Files, Policy=TSOL) toolbox.

3. Click System Configuration, then click Computers and Networks.

   You are prompted for your password.

4. Type the appropriate password.

5. Double-click Trusted Network Zones.

6. Double-click the global zone.

7. Add a multilevel port for the TCP protocol:

   1. Click Add for the Multilevel Ports for Zone's IP Addresses.

   2. Type 389 for the port number, and click OK.

8. Add a multilevel port for the UDP protocol:

   1. Click Add for the Multilevel Ports for Zone's IP Addresses.

   2. Type 389 for the port number.

   3. Choose the udp protocol, and click OK.

9. Click OK to save the settings.

10. Update the kernel.

    # tnctl -fz /etc/security/tsol/tnzonecfg

Populate the Sun Java System Directory Server

Several LDAP databases have been created or modified to hold Trusted Extensions data about label configuration, users, and remote systems. In this procedure, you populate the Directory Server databases with Trusted Extensions information.

1. Create a staging area for files that you plan to use to populate the naming service databases.

   # mkdir -p /setup/files

2. Copy the sample /etc files into the staging area.

   # cd /etc # cp aliases group networks netmasks protocols /setup/files # cp rpc services auto_master /setup/files # cd /etc/security # cp auth_attr prof_attr exec_attr /setup/files/ # # cd /etc/security/tsol # cp tnrhdb tnrhtp /setup/files

   If you are running the Solaris 10 11/06 release without patches, copy the ipnodes file.

   # cd /etc/inet # cp ipnodes /setup/files

3. Remove the +auto_master entry from the /setup/files/auto_master file.

4. Remove the ?:::::? entry from the /setup/files/auth_attr file.

5. Remove the :::: entry from the /setup/files/prof_attr file.

6. Create the zone automaps in the staging area.

   In the following list of automaps, the first of each pair of lines shows the name of the file. The second line of each pair shows the file contents. The zone names identify labels from the default label_encodings file that is included with the Trusted Extensions software.

   • Substitute your zone names for the zone names in these lines.

   • myNFSserver identifies the NFS server for the home directories.

   /setup/files/auto_home_public * myNFSserver_FQDN:/zone/public/root/export/home/& /setup/files/auto_home_internal * myNFSserver_FQDN:/zone/internal/root/export/home/& /setup/files/auto_home_needtoknow * myNFSserver_FQDN:/zone/needtoknow/root/export/home/& /setup/files/auto_home_restricted * myNFSserver_FQDN:/zone/restricted/root/export/home/&

7. Add every system on the network to the /setup/files/tnrhdb file.

   No wildcard mechanism can be used here. The IP address of every system to be contacted, including the IP addresses of labeled zones, must be in this file.

   1. Open the trusted editor and edit /setup/files/tnrhdb.

   2. Add every IP address on a labeled system in the Trusted Extensions domain.

      Labeled systems are of type cipso. Also, the name of the security template for labeled systems is cipso. Therefore, in the default configuration, a cipso entry is similar to the following:

      192.168.25.2:cipso

      ---

      Note –

      This list includes the IP addresses of global zones and labeled zones.

      ---

   3. Add every unlabeled system with which the domain can communicate.

      Unlabeled systems are of type unlabeled. The name of the security template for unlabeled systems is admin_low. Therefore, in the default configuration, an entry for an unlabeled system is similar to the following:

      192.168.35.2:admin_low

   4. Save the file, and exit the editor.

   5. Check the syntax of the file.

      # tnchkdb -h /setup/files/tnrhdb

   6. Fix any errors before continuing.

8. Copy the /setup/files/tnrhdb file to the /etc/security/tsol/tnrhdb file.

9. Use the ldapaddent command to populate every file in the staging area.

   # /usr/sbin/ldapaddent -D "cn=directory manager" \ -w dirmgr123 -a simple -f /setup/files/hosts hosts

Creating a Trusted Extensions Proxy for an Existing Sun Java System Directory Server

First, you need to add the Trusted Extensions databases to the existing Directory Server on a Solaris system. Second, to enable Trusted Extensions systems to access the Directory Server, you then need to configure a Trusted Extensions system to be the LDAP proxy server.

Create an LDAP Proxy Server

If an LDAP server already exists at your site, create a proxy server on a Trusted Extensions system.

Before You Begin

You have added the databases that contain Trusted Extensions information to the LDAP server. For details, see Populate the Sun Java System Directory Server.

1. On a system that is configured with Trusted Extensions, create a proxy server.

   For details, see Chapter 12, Setting Up LDAP Clients (Tasks), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

2. Verify that the Trusted Extensions databases can be viewed by the proxy server.

   # ldaplist -l database

Troubleshooting

For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

Configuring the Solaris Management Console for LDAP (Task Map)

The Solaris Management Console is the GUI for administering the network of systems that are running Trusted Extensions.

Register LDAP Credentials With the Solaris Management Console

Before You Begin

You must be the root user on an LDAP server that is running Trusted Extensions. The server can be a proxy server.

Your Sun Java System Directory Server must be configured. You have completed one of the following configurations:

• Configuring an LDAP Server on a Trusted Extensions Host (Task Map)

• Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map)

1. Register the LDAP administrative credentials.

   # /usr/sadm/bin/dtsetup storeCred Administrator DN:Type the value for cn on your system Password:Type the Directory Manager password Password (confirm):Retype the password

2. Verify communications with the Directory Server.

   # /usr/sadm/bin/dtsetup scopes Getting list of manageable scopes... Scope 1 file:Displays name of file scope Scope 2 ldap:Displays name of ldap scope

   Your LDAP server setup determines the LDAP scopes that are listed. After the server is registered, the LDAP toolbox can be edited, and then used.

Example 5–1 Registering LDAP Credentials

In this example, the name of the LDAP server is LDAP1, the name of the LDAP client is myhost, and the value for cn is the default, Directory Manager.

# /usr/sadm/bin/dtsetup storeCred
Administrator DN:cn=Directory Manager
Password:abcde1;!
Password (confirm):abcde1;!
# /usr/sadm/bin/dtsetup scopes
Getting list of manageable scopes...
Scope 1 file:/myhost/myhost
Scope 2 ldap:/myhost/cd=myhost,dc=example,dc=com

Enable an LDAP Client to Administer LDAP

By default, systems are installed to not listen on ports that present security risks. Therefore, you must explicitly turn on network communications with the LDAP server. Perform this procedure only on systems from which you plan to administer your network of systems and users.

Before You Begin

You must be superuser or in the Security Administrator role in the global zone.

1. Enable the system to administer LDAP.

   # svccfg -s wbem setprop options/tcp_listen=true

   To view the LDAP toolbox, you must complete Edit the LDAP Toolbox in the Solaris Management Console.

Edit the LDAP Toolbox in the Solaris Management Console

Before You Begin

You must be superuser. The LDAP credentials must be registered with the Solaris Management Console, and you must know the output of the /usr/sadm/bin/dtsetup scopes command. For details, see Register LDAP Credentials With the Solaris Management Console.

1. Find the LDAP toolbox.

   # cd /var/sadm/smc/toolboxes/tsol_ldap # ls *tbx tsol_ldap.tbx

2. Provide the LDAP server name.

   1. Open the trusted editor.

   2. Copy and paste the full pathname of the tsol_ldap.tbx toolbox as the argument to the editor.

      For example, the following path is the default location of the LDAP toolbox:

      /var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx

   3. Replace the scope information.

      Replace the server tags between the <Scope> and </Scope> tags with the output of the ldap:/...... line from the /usr/sadm/bin/dtsetup scopes command.

      <Scope>ldap:/<myhost>/<dc=domain,dc=suffix></Scope>

   4. Replace every instance of <?server?> or <?server ?> with the LDAP server.

      <Name> ldap-server-name: Scope=ldap, Policy=TSOL</Name> services and configuration of ldap-server-name.</Description> and configuring ldap-server-name.</Description> <ServerName>ldap-server-name</ServerName> <ServerName>ldap-server-name</ServerName>

   5. Save the file, and exit the editor.

3. Stop and start the wbem service.

   The smc daemon is controlled by the wbem service.

   # svcadm disable wbem # svcadm enable wbem

Example 5–2 Configuring the LDAP Toolbox

In this example, the name of the LDAP server is LDAP1. To configure the toolbox, the administrator replaces the instances of server with LDAP1.

<Name>LDAP1: Scope=ldap, Policy=TSOL</Name>
services and configuration of LDAP1.</Description>
and configuring LDAP1.</Description>
<ServerName>LDAP1</ServerName>
<ServerName>LDAP1</ServerName>

Verify That the Solaris Management Console Contains Trusted Extensions Information

Before You Begin

You must be logged in to an LDAP client in an administrative role, or as superuser. To make a system an LDAP client, see Make the Global Zone an LDAP Client in Trusted Extensions.

To use the LDAP toolbox, you must have completed Edit the LDAP Toolbox in the Solaris Management Console and Initialize the Solaris Management Console Server in Trusted Extensions.

1. Start the Solaris Management Console.

   # /usr/sbin/smc &

2. Open a Trusted Extensions toolbox.

   A Trusted Extensions toolbox has the value Policy=TSOL.

   • To check that local files can be accessed, open the This Computer (this-host: Scope=Files, Policy=TSOL) toolbox.

   • To check that databases on the LDAP server can be accessed, open the This Computer (this-host: Scope=LDAP, Policy=TSOL) toolbox.

3. Under System Configuration, navigate to Computers and Networks, then Security Templates.

4. Check that the correct templates and labels have been applied to the remote systems.

Troubleshooting

To troubleshoot LDAP configuration, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).