System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)     Oracle Solaris 11 Express 11/10

NIS-to-LDAP Best Practices With Sun Java System Directory Server

The N2L service supports Sun Java System Directory Server (formerly Sun ONE Directory Server) and compatible versions of directory servers offered by Sun Microsystems, Inc. Other (third-party) LDAP servers might work with the N2L service, but they are not supported by Sun. If you are using an LDAP server other than the Sun Java System Directory Server or compatible Sun servers, you must manually configure the server to support the schema defined in RFC 2307 or its successors.

If you are using the Sun Java System Directory Server, you can enhance the directory server to improve performance. To make these enhancements, you must have LDAP administrator privileges on the Sun Java System Directory Server. In addition, the directory server might need to be rebooted, a task that must be coordinated with the server's LDAP clients. The Sun Java System Directory Server (and Sun ONE and iPlanet Directory Server) documentation is available on the Sun Java System Directory Server Enterprise Edition 6.2 web site.

Creating Virtual List View Indexes With Sun Java System Directory Server

For large maps, LDAP virtual list view (VLV) indexes must be used to ensure LDAP searches return complete results. For information about setting up VLV indexes on the Sun Java System Directory Server, see the Sun Java System Directory Server Enterprise Edition 6.2 documentation.

VLV search results use a fixed page size of 50000. If VLVs are used with Sun Java System Directory Server, both the LDAP server and N2L server must be able to handle transfers of this size. If all of your maps are known to be smaller than this limit, you do not need to use VLV indexes. However, if your maps are larger than the size limit, or you are unsure of the size of all maps, use VLV indexes to avoid incomplete returns.

If you are using VLV indexes, set up the appropriate size limits as follows.

Once VLV indexes have been created, activate them by running directoryserver with the vlvindex option on the Sun Java System Directory Server. See the directoryserver(1M) man page for more information.

VLVs for Standard Maps

Use the Sun Java System Directory Server idsconfig command to set up VLVs if the following conditions apply:

VLVs are domain specific, so each time idsconfig is run, VLVs are created for one NIS domain. Therefore, during the NIS-to-LDAP transition, you must run idsconfig once for each nisLDAPdomainContext attribute included in the NISLDAPmapping file.

VLVs for Custom and Nonstandard Maps

You must manually create new Sun Java System Directory Server VLVs for maps, or copy and modify existing VLV indexes, if the following conditions apply:

To view existing VLV indexes, type the following:

# ldapsearch -h hostname -s sub -b "cn=ldbm database,cn=plugins,cn=config" \
"objectClass=vlvSearch"
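The ldapsearch command above lists the vlvSearch entries the server already has. Since VLVs are created per NIS domain, a practical check before a transition is to compare those entries against every nisLDAPdomainContext in the NISLDAPmapping file and see which domain contexts have no VLV under them at all. The following script is an added example, not part of the guide or of the N2L tools; it assumes the NISLDAPmapping syntax "nisLDAPdomainContext domain : baseDN" and that each vlvSearch entry carries its base DN in the vlvBase attribute (taken from the Directory Server VLV schema, not from this page). Both sample inputs are constructed.

```python
"""Cross-check NISLDAPmapping domain contexts against the VLV indexes a
Directory Server reports, and flag contexts that no VLV covers.
Added example; not code from the guide or from the N2L service."""
import re

# Constructed NISLDAPmapping excerpt (assumed syntax: "nisLDAPdomainContext <domain> : <baseDN>").
SAMPLE_MAPPING = """\
# constructed NISLDAPmapping excerpt
nisLDAPdomainContext example.com : dc=example,dc=com
nisLDAPdomainContext lab.test : dc=lab,dc=test
"""

# Constructed LDIF as the page's ldapsearch for objectClass=vlvSearch might
# print it. Only example.com has VLVs; lab.test has none.
SAMPLE_VLV_SEARCH = """\
dn: cn=example.com.getpwent,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
cn: example.com.getpwent
vlvBase: ou=people,dc=example,dc=com
vlvScope: 1
vlvFilter: (objectClass=posixAccount)

dn: cn=example.com.gethostent,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
cn: example.com.gethostent
vlvBase: ou=hosts,dc=example,dc=com
vlvScope: 1
vlvFilter: (objectClass=ipHost)
"""


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators so that
    suffix comparison is not fooled by formatting differences."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_domain_contexts(mapping_text):
    """Return {domain: normalized baseDN} from nisLDAPdomainContext lines."""
    contexts = {}
    for line in mapping_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"nisLDAPdomainContext\s+(\S+)\s*:\s*(.+)$", line)
        if m:
            contexts[m.group(1)] = normalize_dn(m.group(2))
    return contexts


def parse_ldif_entries(ldif_text):
    """Minimal LDIF reader: entries separated by blank lines, continuation
    lines start with a space, attribute values kept as lists. Base64 ("::")
    values are not decoded; vlvBase is plain text in practice."""
    folded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]  # fold continuation line onto previous
        else:
            folded.append(raw)
    entries, current = [], {}
    for line in folded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def vlv_coverage(mapping_text, vlv_ldif):
    """Map each NIS domain to the cn of every vlvSearch whose base lies at
    or under that domain's context DN."""
    contexts = parse_domain_contexts(mapping_text)
    coverage = {domain: [] for domain in contexts}
    for entry in parse_ldif_entries(vlv_ldif):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "vlvsearch" not in classes:
            continue
        base = normalize_dn(entry.get("vlvbase", [""])[0])
        for domain, ctx in contexts.items():
            if base == ctx or base.endswith("," + ctx):
                coverage[domain].append(entry.get("cn", ["?"])[0])
    return coverage


def find_uncovered_contexts(mapping_text, vlv_ldif):
    """Domains whose context has no VLV at all: idsconfig has not been run
    for them, or the custom VLVs were never created."""
    return sorted(d for d, cns in vlv_coverage(mapping_text, vlv_ldif).items() if not cns)


if __name__ == "__main__":
    for domain, cns in vlv_coverage(SAMPLE_MAPPING, SAMPLE_VLV_SEARCH).items():
        print(domain, "->", cns or "NO VLV INDEXES: run idsconfig for this domain")
```

In real use, feed the script the actual NISLDAPmapping file and the saved output of the ldapsearch command above. A domain that appears in the uncovered list is one for which large maps could return incomplete results until its VLVs are created and activated with the vlvindex option. Note that a context nested under another (for example dc=lab,dc=example,dc=com under dc=example,dc=com) would share the parent's VLVs in this suffix check; keep that in mind when reading the coverage for nested domains.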

Avoiding Server Timeouts With Sun Java System Directory Server

When the N2L server refreshes a map, the result might be a large LDAP directory access. If the Sun Java System Directory Server is not correctly configured, the refresh operation might time out before completion. To avoid directory server timeouts, modify the following Sun Java System Directory Server attributes manually or by running the idsconfig command.

For example, to increase the minimum amount of time in seconds that the server should spend performing the search request, modify these attributes:

dn: cn=config
nsslapd-timelimit: -1

For testing purposes, you can use an attribute value of -1, which indicates no limit. When you have determined the optimum limit value, change the attribute value. Do not maintain any attribute settings at -1 on a production server. With no limits, the server might be vulnerable to Denial of Service attacks.

For more information about configuring Sun Java System Directory Server with LDAP, see Chapter 11, Setting Up Sun Java System Directory Server With LDAP Clients (Tasks) of this book.

Avoiding Buffer Overruns With Sun Java System Directory Server

To avoid buffer overruns, modify the Sun Java System Directory Server attributes manually or by running the idsconfig command.

  1. For example, to increase the maximum number of entries that are returned for a client search query, modify these attributes:

    dn: cn=config
    nsslapd-sizelimit: -1
  2. To increase the maximum number of entries that are verified for a client search query, modify these attributes:

    dn: cn=config, cn=ldbm database, cn=plugins, cn=config
    nsslapd-lookthroughlimit: -1

For testing purposes, you can use an attribute value of -1, which indicates no limit. When you have determined the optimum limit value, change the attribute value. Do not maintain any attribute settings at -1 on a production server. With no limits, the server might be vulnerable to Denial of Service attacks.

If VLVs are being used, the sizelimit attribute values should be set as defined in Creating Virtual List View Indexes With Sun Java System Directory Server. If VLVs are not being used, the size limit should be set large enough to accommodate the largest container.
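The two sections on timeouts and buffer overruns both end with the same warning: -1 is a testing value, and a production server should carry bounded limits. The following script is an added example, not part of the guide; it audits the three attributes the guide names for values still at -1, derives bounded replacements from the size of the largest NIS map container (the non-VLV case described just above), and writes the ldapmodify change records that apply them. The headroom factor, the default time limit, the doubling for nsslapd-lookthroughlimit, and both sample inputs are assumptions constructed for the example.

```python
"""Audit Sun Java System Directory Server search limits for an N2L deployment
and emit ldapmodify input that replaces unbounded (-1) values with bounded
ones. Added example; not code from the guide. Chosen limit values are assumed."""

# The attributes the guide says to tune, with the entry each one lives on.
LIMIT_ATTRS = {
    "nsslapd-timelimit": "cn=config",
    "nsslapd-sizelimit": "cn=config",
    "nsslapd-lookthroughlimit": "cn=config,cn=ldbm database,cn=plugins,cn=config",
}

UNLIMITED = -1  # the guide's testing value: no limit at all

# Constructed: current values as read back with ldapsearch from a test server.
# Two of the three are still at the testing value -1.
SAMPLE_CURRENT = {
    "nsslapd-timelimit": -1,
    "nsslapd-sizelimit": -1,
    "nsslapd-lookthroughlimit": 100000,
}

# Constructed: entry counts per NIS map on the master, e.g. from `ypcat map | wc -l`.
SAMPLE_MAP_SIZES = {"passwd.byname": 12000, "hosts.byaddr": 65000, "group.byname": 900}


def find_unbounded(current):
    """Return the tuned attributes still set to -1, which the guide says must
    not remain on a production server (denial-of-service exposure)."""
    return sorted(attr for attr, value in current.items()
                  if attr in LIMIT_ATTRS and value == UNLIMITED)


def recommend_limits(map_sizes, timelimit_seconds=600, headroom=1.25):
    """Bounded values for the non-VLV case: sizelimit large enough for the
    largest container plus headroom; lookthroughlimit above sizelimit, since
    entries are examined before they are returned. The 600 s default, the 1.25
    headroom and the factor 2 are assumptions, not values from the guide."""
    largest = max(map_sizes.values())
    sizelimit = int(largest * headroom)
    return {
        "nsslapd-timelimit": timelimit_seconds,
        "nsslapd-sizelimit": sizelimit,
        "nsslapd-lookthroughlimit": 2 * sizelimit,
    }


def remediation_ldif(current, recommended):
    """Build ldapmodify change records (changetype: modify / replace) for every
    attribute whose current value differs from the recommendation, one record
    per entry DN."""
    by_dn = {}
    for attr, value in recommended.items():
        if current.get(attr) != value:
            by_dn.setdefault(LIMIT_ATTRS[attr], []).append((attr, value))
    records = []
    for dn, changes in by_dn.items():
        lines = ["dn: " + dn, "changetype: modify"]
        for attr, value in changes:
            lines += ["replace: " + attr, f"{attr}: {value}", "-"]  # "-" ends each mod-spec
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print("still unbounded:", find_unbounded(SAMPLE_CURRENT))
    rec = recommend_limits(SAMPLE_MAP_SIZES)
    print(remediation_ldif(SAMPLE_CURRENT, rec))
```

Run it after the testing phase: the printed LDIF can be saved and passed to ldapmodify as the directory administrator, after which a second ldapsearch of the two entries should make find_unbounded return an empty list. If VLVs are in use, replace the sizelimit recommendation with the value your VLV setup requires rather than the container-based one, as the paragraph above states.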

For more information about configuring Sun Java System Directory Server with LDAP, see Chapter 11, Setting Up Sun Java System Directory Server With LDAP Clients (Tasks).