Working With Oracle® Solaris 11.3 Directory and Naming Services: LDAP

Updated: September 2018
LDAP Planning Overview

An LDAP client uses the collection of configuration information in the LDAP client profile to access naming service information from the LDAP server. You specify this configuration information when you build the profile on the LDAP server: during server setup, you are prompted for it. Some of the prompted information is required; the rest is optional, and in most cases you accept the default values that are already provided. The individual items of information that are prompted for the profile are called client attributes.

As you gather the configuration information for the profile, you can refer to the template checklists used for configuring LDAP in Checklists for Configuring LDAP.

The LDAP client profile attributes are as follows:

  • cn – Specifies the profile name. The attribute has no default value. You must specify a value for the attribute.

  • preferredServerList – Specifies the host addresses of the preferred servers as a space-separated list of server addresses. Do not use host names of the servers in this list. The servers in this list are tried in order before those in defaultServerList until a successful connection is made. This attribute has no default value. You must specify at least one server in either preferredServerList or defaultServerList.

    Note -  If you are using host names to define both defaultServerList and preferredServerList, then you must not use LDAP for host server lookup searches. Do not configure the config/host property of the svc:/network/name-service/switch service with the value ldap. For more information about LDAP and the service management facility (SMF), see LDAP and the Service Management Facility.

  • defaultServerList – Specifies the host addresses of the default servers as a space-separated list of server addresses. Do not use host names of the servers in this list. The servers in this list are tried only after the servers in preferredServerList: the default servers on the client's subnet are tried first, followed by the remaining default servers, until a connection is made. You must specify at least one server in either preferredServerList or defaultServerList. This attribute has no default value.

  • defaultSearchBase – Specifies the DN relative to which to locate the well-known containers. This attribute has no default value. However, this value can be overridden for a given service by the serviceSearchDescriptor attribute.

  • defaultSearchScope – Defines the scope of a database search by an LDAP client. It can be overridden by the serviceSearchDescriptor attribute. The possible values are one or sub. The default value is one, a single-level search.

  • authenticationMethod – Identifies the method of authentication used by the LDAP client. The default value is none. For more information, see Authentication Methods for the LDAP Naming Service.

  • credentialLevel – Identifies the type of credentials an LDAP client must use to authenticate. The possible values are anonymous, proxy, or self. self is also known as "per-user". The default value is anonymous.

  • serviceSearchDescriptor – Defines how and where an LDAP client should search for a naming database, for example, whether the LDAP client should look in one or more points in the DIT. By default, no service search descriptors (SSDs) are defined.

  • serviceAuthenticationMethod – Defines the authentication method used by an LDAP client for the specified service. By default, no service authentication methods are defined. If a service does not have serviceAuthenticationMethod defined, it defaults to the value of authenticationMethod.

  • attributeMap – Defines the attribute mappings that the LDAP client uses. By default, no attributeMap is defined.

  • objectclassMap – Defines object class mappings that the LDAP client uses. By default, no objectclassMap is defined.

  • searchTimeLimit – Specifies the maximum time, in seconds, that an LDAP client must allow for a search to complete before timing out. This value does not affect the time the LDAP server will allow for a search to complete. The default value is 30 seconds.

  • bindTimeLimit – Specifies the maximum time, in seconds, that an LDAP client allows for binding to a server before timing out. The default value is 30 seconds.

  • followReferrals – Specifies whether an LDAP client should follow an LDAP referral. Possible values are TRUE or FALSE. The default value is TRUE.

  • profileTTL – Specifies the time, in seconds, between refreshes of the LDAP client profile from the LDAP server by the ldap_cachemgr daemon. The default value is 43200 seconds (12 hours). If given a value of 0, the profile is never refreshed. For more information, see the ldap_cachemgr(1M) man page.
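The rules and defaults listed above can be checked mechanically before a profile is loaded onto the server. The following Python script is an added example, not Oracle's code and not part of idsconfig or ldapclient: it parses a profile entry in LDIF form, reports violations of the stated constraints (required attributes, address-only server lists, allowed values, integer time limits, the profileTTL 0 behaviour, and the host-name conflict with config/host=ldap), and computes the effective value of each attribute with the documented defaults applied. The sample profile, its addresses and the `service:method` syntax assumed for serviceAuthenticationMethod values are constructed for the example.

```python
import ipaddress

# Defaults and value constraints as stated for the client profile attributes.
DEFAULTS = {
    "defaultSearchScope": "one",  # the single-level search default
    "authenticationMethod": "none",
    "credentialLevel": "anonymous",
    "searchTimeLimit": "30",
    "bindTimeLimit": "30",
    "followReferrals": "TRUE",
    "profileTTL": "43200",
}
ALLOWED = {
    "defaultSearchScope": {"one", "sub"},
    "credentialLevel": {"anonymous", "proxy", "self"},
    "followReferrals": {"TRUE", "FALSE"},
}
SECONDS = ("searchTimeLimit", "bindTimeLimit", "profileTTL")

# Constructed sample profile entry (names and addresses are made up). It
# deliberately contains a host name and a bad followReferrals value.
SAMPLE_PROFILE = """\
dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: default
preferredServerList: 192.0.2.10 ldap1.example.com
defaultServerList: 192.0.2.11
defaultSearchBase: dc=example,dc=com
credentialLevel: proxy
serviceAuthenticationMethod: pam_ldap:tls:simple
followReferrals: yes
profileTTL: 0
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # a folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def values_of(entry, name):
    """Case-insensitive attribute lookup; LDAP attribute names are not case-sensitive."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def is_address(token):
    """True when a server-list token is an IP literal: addr, addr:port or [v6addr]:port."""
    if token.startswith("["):
        host = token[1:token.find("]")]
    elif token.count(":") == 1:
        host = token.rsplit(":", 1)[0]
    else:
        host = token
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_profile(entry, switch_host_uses_ldap=False):
    """Return (severity, message) findings. switch_host_uses_ldap says whether the
    config/host property of name-service/switch includes ldap, which must not be
    combined with host names in the server lists."""
    findings = []
    if not values_of(entry, "cn"):
        findings.append(("error", "cn (profile name) is required and has no default"))
    if not values_of(entry, "defaultSearchBase"):
        findings.append(("error", "defaultSearchBase is required and has no default"))
    hostnames, servers = [], 0
    for attr in ("preferredServerList", "defaultServerList"):
        for token in " ".join(values_of(entry, attr)).split():
            servers += 1
            if not is_address(token):
                hostnames.append(token)
                findings.append(("error", f"{attr} entry {token!r} is a host name; use an address"))
    if servers == 0:
        findings.append(("error", "at least one server is required in preferredServerList or defaultServerList"))
    if hostnames and switch_host_uses_ldap:
        findings.append(("error", "host names in server lists conflict with config/host=ldap in svc:/network/name-service/switch"))
    for attr, allowed in ALLOWED.items():
        for value in values_of(entry, attr):
            if value not in allowed:
                findings.append(("error", f"{attr} value {value!r} not in {sorted(allowed)}"))
    for attr in SECONDS:
        for value in values_of(entry, attr):
            if not value.isdigit():
                findings.append(("error", f"{attr} must be an integer number of seconds, got {value!r}"))
    if values_of(entry, "profileTTL") == ["0"]:
        findings.append(("info", "profileTTL is 0: ldap_cachemgr will never refresh this profile"))
    return findings


def effective_profile(entry):
    """Single-valued attributes with the documented defaults applied where unset."""
    return {attr: (values_of(entry, attr) or [default])[0] for attr, default in DEFAULTS.items()}


def auth_method_for(entry, service):
    """Method used for a service: its serviceAuthenticationMethod if defined, else
    authenticationMethod. Assumes (not stated above) the 'service:method' value syntax."""
    for value in values_of(entry, "serviceAuthenticationMethod"):
        name, _, method = value.partition(":")
        if name == service:
            return method
    return effective_profile(entry)["authenticationMethod"]


if __name__ == "__main__":
    profile = parse_ldif_entry(SAMPLE_PROFILE)
    for severity, message in check_profile(profile, switch_host_uses_ldap=True):
        print(f"{severity}: {message}")
    print(effective_profile(profile))
```

Run against the sample, the script reports the host name in preferredServerList, the invalid followReferrals value and, because profileTTL is 0, that the profile would never be refreshed; everything not set in the entry (authenticationMethod, searchTimeLimit, bindTimeLimit, defaultSearchScope) appears in the effective profile with the default given above.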

The LDAP client profile attributes are automatically set up when you run the idsconfig command on the server.

You can use the ldapclient command to set up local client attributes. For more information, see Defining LDAP Local Client Attributes.