Oracle Solaris Trusted Extensions Configuration Guide

Procedure: Create an LDAP Client for the Directory Server

You use this client to populate your Directory Server for LDAP. You must perform this task before you populate the Directory Server.

You can create the client temporarily on the Trusted Extensions Directory Server, then remove the client on the server, or you can create an independent client.

  1. Install Trusted Extensions on a system.

    You can use the Trusted Extensions Directory Server, or install Trusted Extensions on a separate system.

    Note – If you are not running the latest release of the Solaris OS, you must have the following patches installed. The first number is a SPARC patch. The second number is an x86 patch.

    • 138874-05, 138875-05: Native LDAP, PAM, name-service-switch patch

    • 119313-35, 119314-36: WBEM patch

    • 121308-21, 121308-21: Solaris Management Console patch

    • 119315-20, 119316-20: Solaris Management Applications patch

  2. On the client, modify the default /etc/nsswitch.ldap file.

    The entries in bold indicate the modifications. The file appears similar to the following:

    # /etc/nsswitch.ldap
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # LDAP service requires that svc:/network/ldap/client:default be enabled
    # and online.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd:     files ldap
    group:      files ldap
    # consult /etc "files" only if ldap is down. 
    hosts:      files ldap dns [NOTFOUND=return] files
    # Note that IPv4 addresses are searched for in all of the ipnodes databases
    # before searching the hosts databases.
    ipnodes:    files ldap [NOTFOUND=return] files
    networks:   files ldap [NOTFOUND=return] files
    protocols:  files ldap [NOTFOUND=return] files
    rpc:        files ldap [NOTFOUND=return] files
    ethers:     files ldap [NOTFOUND=return] files
    netmasks:   files ldap [NOTFOUND=return] files
    bootparams: files ldap [NOTFOUND=return] files
    publickey:  files ldap [NOTFOUND=return] files
    netgroup:   ldap
    automount:  files ldap
    aliases:    files ldap
    # for efficient getservbyname() avoid ldap
    services:   files ldap
    printers:   user files ldap
    auth_attr:  files ldap
    prof_attr:  files ldap
    project:    files ldap
    tnrhtp:     files ldap
    tnrhdb:     files ldap

  3. In the global zone, run the ldapclient init command.

    This command copies the nsswitch.ldap file to the nsswitch.conf file.

    In this example, the LDAP client is in the domain. The server's IP address is

    # ldapclient init -a -a profileName=default \
    > -a proxyDN=cn=proxyagent,ou=profile,dc=example-domain,dc=com \
    > -a proxyPassword={NS1}ecc423aad0
    System successfully configured

  4. Set the server's enableShadowUpdate parameter to TRUE.

    # ldapclient -v mod -a enableShadowUpdate=TRUE \
    > -a adminDN=cn=admin,ou=profile,dc=example-domain,dc=com
    System successfully configured

    For information about the enableShadowUpdate parameter, see enableShadowUpdate Switch in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) and the ldapclient(1M) man page.
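
The following check is an added example, not part of the original guide: it audits an nsswitch-style file against the lookup order shown in step 2, which is useful after ldapclient init has copied nsswitch.ldap over nsswitch.conf. The function names, the selection of databases in EXPECTED, and the sample file are assumptions made for this example; it assumes a POSIX shell and awk.

```shell
#!/bin/sh
# Added example: EXPECTED holds a selection of step 2's entries as
# "database|sources"; which entries to audit is this example's choice.
EXPECTED='passwd|files ldap
group|files ldap
hosts|files ldap dns [NOTFOUND=return] files
netgroup|ldap
auth_attr|files ldap
prof_attr|files ldap
tnrhtp|files ldap
tnrhdb|files ldap'

# sources_for FILE DB: print DB's source list with comments removed and
# whitespace collapsed; print nothing if FILE has no entry for DB.
sources_for() {
    awk -v db="$2" '{
        sub(/#.*/, "")                       # drop trailing comment
        i = index($0, ":"); if (i == 0) next
        name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
        if (name != db) next
        $0 = substr($0, i + 1); $1 = $1      # re-split, collapse whitespace
        print; exit
    }' "$1"
}

# check_nsswitch FILE: report each deviation, return 0 only if none.
check_nsswitch() {
    rc=0
    while IFS='|' read -r db want; do
        have=$(sources_for "$1" "$db")
        if [ -z "$have" ]; then
            echo "MISSING  $db (expected: $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $db: have '$have', expected '$want'"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample: tnrhdb is absent and passwd skips LDAP.
sample=${TMPDIR:-/tmp}/nsswitch.sample.$$
printf '%s\n' 'passwd: files' 'group:  files   ldap  # ok' \
    'hosts: files ldap dns [NOTFOUND=return] files' 'netgroup: ldap' \
    'auth_attr: files ldap' 'prof_attr: files ldap' \
    'tnrhtp:    files ldap' > "$sample"
check_nsswitch "$sample" || echo "nsswitch audit failed"
rm -f "$sample"
```

To audit a live client, call check_nsswitch with /etc/nsswitch.conf; a nonzero return means at least one audited database deviates from the listing.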