Solaris Trusted Extensions Installation and Configuration for Solaris 10 11/06 and Solaris 10 8/07 Releases

Procedure: Make the Global Zone an LDAP Client in Trusted Extensions

For LDAP, this procedure establishes the naming service configuration for the global zone. If you are not using LDAP, you can skip this procedure.

Before You Begin

The Sun Java System Directory Server, that is, the LDAP server, must exist. The server must be populated with Trusted Extensions databases, and this system must be able to contact the server. Therefore, before you perform this procedure, the system that you are configuring must have an entry in the tnrhdb database on the LDAP server, or it must be covered by a wildcard entry.

If an LDAP server that is configured with Trusted Extensions does not exist, you must complete the procedures in Chapter 5, Configuring LDAP for Trusted Extensions (Tasks) before you perform this procedure.

  1. Save a copy of the original nsswitch.ldap file.

    The standard naming service switch file for LDAP is too restrictive for Trusted Extensions.


    # cd /etc
    # cp nsswitch.ldap nsswitch.ldap.orig
    
  2. If you are using DNS, change the nsswitch.ldap file entries for the following services.

    The correct entries are similar to the following:


    hosts:      files dns ldap
    ipnodes:    files dns ldap
    networks:   ldap files
    protocols:  ldap files
    rpc:        ldap files
    ethers:     ldap files
    netmasks:   ldap files
    bootparams: ldap files
    publickey:  ldap files
    services:   files
    
    Note that Trusted Extensions adds two entries:


    tnrhtp:     files ldap
    tnrhdb:     files ldap
    
  3. Copy the modified nsswitch.ldap file to nsswitch.conf.


    # cp nsswitch.ldap nsswitch.conf
    
  4. In a Trusted CDE workspace, navigate to the Trusted_Extensions folder.

    1. Click mouse button 3 on the background.

    2. From the Workspace menu, choose Applications -> Application Manager.

    3. Double-click the Trusted_Extensions folder icon.

      This folder contains actions that set up interfaces, LDAP clients, and labeled zones.

  5. Double-click the Create LDAP Client action.

    Answer the following prompts:


    Domain Name:               Type the domain name
    Hostname of LDAP Server:   Type the name of the server
    IP Address of LDAP Server: Type the IP address
    LDAP Proxy Password:       Type the password to the server
    Profile Name:              Type the profile name
    
  6. Click OK.

    The following completion message appears:


    global zone will be LDAP client of LDAP-server
    System successfully configured.
    
    *** Select Close or Exit from the window menu to close this window ***
    
  7. Close the action window.

  8. Verify that the information on the server is correct.

    1. Open a terminal window, and query the LDAP server.


      # ldapclient list
      

      The output looks similar to the following:


      NS_LDAP_FILE_VERSION= 2.0
      NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=domain-name
      ...
      NS_LDAP_BIND_TIME= number
      
    2. Correct any errors.

      If you get an error, run the Create LDAP Client action with the correct values. For example, the following error can indicate that the system does not have an entry on the LDAP server:


      LDAP ERROR (91): Can't connect to the LDAP server.
      Failed to find defaultSearchBase for domain domain-name
      

      To correct this error, you need to check the LDAP server.
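Before copying nsswitch.ldap to nsswitch.conf in step 3, it is worth confirming that every source list from step 2 is present, including the two databases that Trusted Extensions adds. The following script is an added example, not part of the Sun documentation: it assumes the DNS variant of step 2 and checks a constructed sample file rather than /etc/nsswitch.ldap.

```shell
#!/bin/sh
# Added example (not from the Sun documentation): verify that an nsswitch file
# carries the sources step 2 requires (DNS variant). The sample is constructed.
SAMPLE_NSSWITCH="${TMPDIR:-/tmp}/nsswitch.ldap.example"   # constructed path
cat > "$SAMPLE_NSSWITCH" <<'EOF'
hosts:      files dns ldap
ipnodes:    files dns ldap
networks:   ldap files
protocols:  ldap files
rpc:        ldap files
ethers:     ldap files
netmasks:   ldap files
bootparams: ldap files
publickey:  ldap files
services:   files
tnrhtp:     files ldap
tnrhdb:     files ldap
EOF

# sources_for FILE DB: print DB's source list, comments stripped, single spaces.
sources_for() {
    awk -v db="$2" '{ sub(/#.*/, "") }
        $1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

expect() {   # expect FILE DB SOURCES: report a mismatch for DB and return 1
    [ "$(sources_for "$1" "$2")" = "$3" ] && return 0
    echo "$2: expected '$3', found '$(sources_for "$1" "$2")'"; return 1
}

# check_nsswitch FILE: return 0 only when every entry from step 2 is present.
check_nsswitch() {
    rc=0
    for db in hosts ipnodes; do
        expect "$1" "$db" "files dns ldap" || rc=1
    done
    for db in networks protocols rpc ethers netmasks bootparams publickey; do
        expect "$1" "$db" "ldap files" || rc=1
    done
    expect "$1" services "files" || rc=1
    for db in tnrhtp tnrhdb; do      # a missing entry reports an empty 'found'
        expect "$1" "$db" "files ldap" || rc=1
    done
    return $rc
}

check_nsswitch "$SAMPLE_NSSWITCH" && echo "$SAMPLE_NSSWITCH is ready to copy to nsswitch.conf"
```

Run it against /etc/nsswitch.ldap by passing that path to check_nsswitch instead of the sample; each line it prints names a database whose source list still needs to be edited.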