JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
search filter icon
search icon

Document Information


Part I About Naming and Directory Services

1.  Naming and Directory Services (Overview)

2.  The Name Service Switch (Overview)

Part II DNS Setup and Administration

3.  DNS Setup and Administration (Reference)

Part III NIS Setup and Administration

4.  Network Information Service (NIS) (Overview)

5.  Setting Up and Configuring NIS Service

6.  Administering NIS (Tasks)

7.  NIS Troubleshooting

Part IV LDAP Naming Services Setup and Administration

8.  Introduction to LDAP Naming Services (Overview/Reference)

9.  LDAP Basic Components and Concepts (Overview)

LDAP Data Interchange Format (LDIF)

Using Fully Qualified Domain Names With LDAP

Default Directory Information Tree (DIT)

Default LDAP Schema

Service Search Descriptors (SSDs) and Schema Mapping

Description of SSDs

Attribute Map

objectClass Map

LDAP Client Profiles

Client Profile Attributes

Local Client Attributes

ldap_cachemgr Daemon

LDAP Naming Services Security Model


Transport Layer Security (TLS)

Assigning Client Credential Levels

enableShadowUpdate Switch

Credential Storage

Choosing Authentication Methods

Authentication and Services

Pluggable Authentication Methods

pam_unix Service Modules

pam_krb5 Service Module

pam_ldap Service Module

PAM and Changing Passwords

Account Management

Account Management With pam_unix

10.  Planning Requirements for LDAP Naming Services (Tasks)

11.  Setting Up Sun Java System Directory Server With LDAP Clients (Tasks)

12.  Setting Up LDAP Clients (Tasks)

13.  LDAP Troubleshooting (Reference)

14.  LDAP General Reference (Reference)

15.  Transitioning From NIS to LDAP (Overview/Tasks)

16.  Transitioning From NIS+ to LDAP

A.  Solaris 10 Software Updates to DNS, NIS, and LDAP

Service Management Facility Changes


pam_ldap Changes

Documentation Errors



LDAP Client Profiles

To simplify Solaris client setup, and avoid having to reenter the same information for each and every client, create a single client profile on the directory server. This way, a single profile defines the configuration for all clients configured to use it. Any subsequent change to the profile attributes is propagated to the clients at a rate defined by the refresh interval.

These client profiles should be stored in a well-known location on the LDAP server. The root DN for the given domain must have an object class of nisDomainObject and a nisDomain attribute containing the client's domain. All profiles are located in the ou=profile container relative to this container. These profiles should be readable anonymously.

Client Profile Attributes

The following table shows the Solaris LDAP client's profile attributes, which can be set automatically when you run idsconfig. See Initializing a Client Manually and the idsconfig(1M) man page for information on how to set a client profile manually.

Table 9-2 Client Profile Attributes

The profile name. The attribute has no default value. The value must be specified.
The host addresses of the preferred servers is a space separated list of server addresses. (Do not use host names.) The servers in this list are tried in order before those in defaultServerList until a successful connection is made. This has no default value. At least one server must be specified in either preferredServerList or defaultServerList.
The host addresses of the default servers is a space separated list of server addresses. (Do not use host names.) After the servers in preferredServerlist are tried, those default servers on the client's subnet are tried, followed by the remaining default servers, until a connection is made. At least one server must be specified in either preferredServerList or defaultServerList. The servers in this list are tried only after those on the preferred server list. This attribute has no default value.
The DN relative to which to locate the well-known containers. There is no default for this value. However, this can be overridden for a given service by the serviceSearchDescriptor attribute.
Defines the scope of a database search by a client. It can be overridden by the serviceSearchDescriptor attribute. The possible values are one or sub. The default value is a one level search.
Identifies the method of authentication used by the client. The default is none (anonymous). See Choosing Authentication Methods for more information.
Identifies the type of credentials a client should use to authenticate. The choices are anonymous, proxy, or self (also known as per user). The default is anonymous.
Defines how and where a client should search for a naming database, for example, if the client should look in one or more points in the DIT. By default no SSDs are defined.
Authentication method used by a client for the specified service. By default, no service authentication methods are defined. If a service does not have serviceAuthenticationMethod defined, it will default to the value of authenticationMethod.
Attribute mappings used by client. By default no attributeMap is defined.
Object class mappings used by client. By default no objectclassMap is defined.
Maximum time [in seconds] a client should allow for a search to complete before timing out. This does not affect the time the LDAP server will allow for a search to complete. The default value is 30 seconds.
Maximum time in seconds a client should allow to bind with a server before timing out. Default value is 30 seconds.
Specifies whether a client should follow an LDAP referral. Possible values TRUE or FALSE. The default value is TRUE.
Time between refreshes of the client profile from the LDAP server by the ldap_cachemgr(1M). Default is 43200 seconds or 12 hours. If given a value of 0, the profile will never be refreshed.

Local Client Attributes

The following table lists the client attributes that can be set locally using ldapclient. See the ldapclient(1M) man page for more information.

Starting in the Solaris 10 10/09 release, the enableShadowUpdate switch is available. For more information, see enableShadowUpdate Switch.

Table 9-3 Local Client Attributes

Specifies the administrator entry's distinguished name for the admin credential. If the value of the enableShadowUpdate switch is true on the client system, and credentialLevel has a value other than self, then adminDN must be specified.
Specifies the administrator entry's password for the admin credential. If the value of the enableShadowUpdate switch is true on the client system, and credentialLevel has a value other than self, then adminPassword must be defined.
Specifies the client's domain name (which becomes the default domain for the client system). This attribute has no default value and must be specified.
The proxy's distinguished name. If the client system is configured with credentialLevel of proxy, the proxyDN must be specified.
The proxy's password. If the client system is configured with credentialLevel of proxy, proxyPassword must be defined.
The directory on the local file system containing the certificate databases. If a client system is configured with authenticationMethod or serviceAuthenticationMethod using TLS, then this attribute is used. The default value is /var/ldap.

Note - If the BaseDN in an SSD contains a trailing comma, it is treated as a relative value of the defaultSearchBase. The values of the defaultSearchBase are appended to the BaseDN before a search is performed.