Skip Navigation Links | |
Exit Print View | |
Solaris Trusted Extensions Installation and Configuration for Solaris 10 11/06 and Solaris 10 8/07 Releases |
1. Security Planning for Trusted Extensions
2. Installation and Configuration Roadmap for Trusted Extensions
3. Installing Solaris Trusted Extensions Software (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
Configuring an LDAP Server on a Trusted Extensions Host (Task Map)
Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map)
Configuring the Sun Java System Directory Server on a Trusted Extensions System
Collect Information for the Directory Server for LDAP
Install the Sun Java System Directory Server
Protect Access Logs for the Sun Java System Directory Server
Protect Error Logs for the Sun Java System Directory Server
Configure a Multilevel Port for the Sun Java System Directory Server
Populate the Sun Java System Directory Server
Creating a Trusted Extensions Proxy for an Existing Sun Java System Directory Server
Configuring the Solaris Management Console for LDAP (Task Map)
Register LDAP Credentials With the Solaris Management Console
Enable an LDAP Client to Administer LDAP
Edit the LDAP Toolbox in the Solaris Management Console
Verify That the Solaris Management Console Contains Trusted Extensions Information
6. Configuring a Headless System With Trusted Extensions (Tasks)
B. Using CDE Actions to Install Zones in Trusted Extensions
The Solaris Management Console is the GUI for administering the network of systems that are running Trusted Extensions.
|
You must be the root user on an LDAP server that is running Trusted Extensions. The server can be a proxy server.
Your Sun Java System Directory Server must be configured. You have completed one of the following configurations:
Configuring an LDAP Server on a Trusted Extensions Host (Task Map)
Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map)
# /usr/sadm/bin/dtsetup storeCred Administrator DN:Type the value for cn on your system Password:Type the Directory Manager password Password (confirm):Retype the password
# /usr/sadm/bin/dtsetup scopes Getting list of manageable scopes... Scope 1 file:Displays name of file scope Scope 2 ldap:Displays name of ldap scope
Your LDAP server setup determines the LDAP scopes that are listed. After the server is registered, the LDAP toolbox can be edited, and then used.
Example 5-1 Registering LDAP Credentials
In this example, the name of the LDAP server is LDAP1, the name of the LDAP client is myhost, and the value for cn is the default, Directory Manager.
# /usr/sadm/bin/dtsetup storeCred Administrator DN:cn=Directory Manager Password:abcde1;! Password (confirm):abcde1;! # /usr/sadm/bin/dtsetup scopes Getting list of manageable scopes... Scope 1 file:/myhost/myhost Scope 2 ldap:/myhost/cd=myhost,dc=example,dc=com
By default, systems are installed to not listen on ports that present security risks. Therefore, you must explicitly turn on network communications with the LDAP server. Perform this procedure only on systems from which you plan to administer your network of systems and users.
You must be superuser or in the Security Administrator role in the global zone.
# svccfg -s wbem setprop options/tcp_listen=true
To view the LDAP toolbox, you must complete Edit the LDAP Toolbox in the Solaris Management Console.
You must be superuser. The LDAP credentials must be registered with the Solaris Management Console, and you must know the output of the /usr/sadm/bin/dtsetup scopes command. For details, see Register LDAP Credentials With the Solaris Management Console.
# cd /var/sadm/smc/toolboxes/tsol_ldap # ls *tbx tsol_ldap.tbx
For example, the following path is the default location of the LDAP toolbox:
/var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx
Replace the server tags between the <Scope> and </Scope> tags with the output of the ldap:/...... line from the /usr/sadm/bin/dtsetup scopes command.
<Scope>ldap:/<myhost>/<dc=domain,dc=suffix></Scope>
<Name> ldap-server-name: Scope=ldap, Policy=TSOL</Name> services and configuration of ldap-server-name.</Description> and configuring ldap-server-name.</Description> <ServerName>ldap-server-name</ServerName> <ServerName>ldap-server-name</ServerName>
The smc daemon is controlled by the wbem service.
# svcadm disable wbem # svcadm enable wbem
Example 5-2 Configuring the LDAP Toolbox
In this example, the name of the LDAP server is LDAP1. To configure the toolbox, the administrator replaces the instances of server with LDAP1.
<Name>LDAP1: Scope=ldap, Policy=TSOL</Name> services and configuration of LDAP1.</Description> and configuring LDAP1.</Description> <ServerName>LDAP1</ServerName> <ServerName>LDAP1</ServerName>
You must be logged in to an LDAP client in an administrative role, or as superuser. To make a system an LDAP client, see Make the Global Zone an LDAP Client in Trusted Extensions.
To use the LDAP toolbox, you must have completed Edit the LDAP Toolbox in the Solaris Management Console and Initialize the Solaris Management Console Server in Trusted Extensions.
# /usr/sbin/smc &
A Trusted Extensions toolbox has the value Policy=TSOL.
To troubleshoot LDAP configuration, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).