| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris Administration: Naming and Directory Services Oracle Solaris 11 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris Administration: Naming and Directory Services Oracle Solaris 11 Information Library |
Part I About Naming and Directory Services
1. Naming and Directory Services (Overview)
2. Name Service Switch (Overview)
4. Setting Up Oracle Solaris Active Directory Clients (Tasks)
Part II NIS Setup and Administration
5. Network Information Service (Overview)
6. Setting Up and Configuring NIS (Tasks)
9. Introduction to LDAP Naming Services (Overview)
10. Planning Requirements for LDAP Naming Services (Tasks)
11. Setting Up Oracle Directory Server Enterprise Edition With LDAP Clients (Tasks)
Configuring Oracle Directory Server Enterprise Edition by Using the idsconfig Command
Creating a Checklist Based on Your Server Installation
Using Service Search Descriptors to Modify Client Access to Various Services
Setting Up SSDs by Using the idsconfig Command
How to Configure Oracle Directory Server Enterprise Edition by Using the idsconfig Command
Populating the Directory Server by Using the ldapaddent Command
Populating the Directory Server With Additional Profiles
How to Populate the Directory Server With Additional Profiles by Using the ldapclient Command
Configuring the Directory Server to Enable Account Management
For Clients That Use the pam_ldap Module
For Clients That Use the pam_unix_* Modules
12. Setting Up LDAP Clients (Tasks)
13. LDAP Troubleshooting (Reference)
14. LDAP Naming Service (Reference)
The Internet-Draft rfc2307bis specifies that the groupOfMembers object class can also be used as the convenient structural class for the LDAP entries of the group service. Such group entries can then have member attribute values specifying group membership in Distinguished Names (DNs). Oracle Solaris LDAP clients support such group entries and use the member attribute values for group membership resolution.
The LDAP clients also support group entries that use the groupOfUniqueNames object class and the uniqueMember attribute. However, using this object class and attribute is not recommended.
The existing way of defining the group entries with the posixGroup object class and the memberUid attribute is still supported. This type of group entries are still what the ldapaddent command creates when populating the LDAP servers for the group services. It does not add the member attribute to the group entries.
To add group entries with the groupOfMembers object class and member attribute values, use the ldapadd tool and an input file similar to the following:
dn: cn=group1,ou=group,dc=mkg,dc=example,dc=com objectClass: posixGroup objectClass: groupOfNames objectClass: top cn: group1 gidNumber: 1234 member: uid=user1,ou=people,dc=mkg,dc=example,dc=com member: uid=user2,ou=people,dc=mkg,dc=example,dc=com member: cn=group2,ou=group,dc=mkg,dc=example,dc=com
LDAP clients will handle group entries with a mix of none, any or all of the memberUid, member, and uniqueMember attributes. The membership evaluation result will be that a group has membership that is the union of all three with duplicates removed. That is, if a group entry G has a memberUid value referring to user U1 and U2, a member value referring to user U2, and a uniqueMember value referring to user U3, then group G has three members, U1, U2, and U3. Nested groups are also supported, that is, a member attribute can have values pointing to other groups.
To efficiently evaluate group membership to determine the groups (including the nested ones) that a user is a member of, the memberOf plug-in must be configured and enabled on the LDAP servers. If not, only the containing groups, not nested ones, will be resolved. By default, the memberOf plug-in is enabled by the ODSEE server. If the plug-in is not enabled, use ODSEE's dsconf tool to enable it.
|