Create an LDAP Client for the Directory Server

You use this client to populate your Directory Server for LDAP. You must perform this task before you populate the Directory Server.

You can create the client temporarily on the Trusted Extensions Directory Server, then remove the client on the server, or you can create an independent client.

1. Install Trusted Extensions on a system.

   You can use the Trusted Extensions Directory Server, or install Trusted Extensions on a separate system.

   ---

   Note –

   If you are not running the latest release of the Solaris OS, you must have the following patches installed. The first number is a SPARC patch. The second number is an X86 patch.

   • 138874–05, 138875–05: Native LDAP, PAM, name-service-switch patch

   • 119313-35, 119314-36: WBEM patch

   • 121308-21, 121308-21: Solaris Management Console patch

   • 119315-20, 119316-20: Solaris Management Applications patch

   ---

2. On the client, modify the default /etc/nsswitch.ldap file.

   The entries in bold indicate the modifications. The file appears similar to the following:

   # /etc/nsswitch.ldap # # An example file that could be copied over to /etc/nsswitch.conf; it # uses LDAP in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports. # LDAP service requires that svc:/network/ldap/client:default be enabled # and online. # the following two lines obviate the "+" entry in /etc/passwd and /etc/group. passwd: files ldap group: files ldap # consult /etc "files" only if ldap is down. hosts: files ldap dns [NOTFOUND=return] files # Note that IPv4 addresses are searched for in all of the ipnodes databases # before searching the hosts databases. ipnodes: files ldap [NOTFOUND=return] files networks: files ldap [NOTFOUND=return] files protocols: files ldap [NOTFOUND=return] files rpc: files ldap [NOTFOUND=return] files ethers: files ldap [NOTFOUND=return] files netmasks: files ldap [NOTFOUND=return] files bootparams: files ldap [NOTFOUND=return] files publickey: files ldap [NOTFOUND=return] files netgroup: ldap automount: files ldap aliases: files ldap # for efficient getservbyname() avoid ldap services: files ldap printers: user files ldap auth_attr: files ldap prof_attr: files ldap project: files ldap tnrhtp: files ldap tnrhdb: files ldap

3. In the global zone, run the ldapclient init command.

   This command copies the nsswitch.ldap file to the nsswitch.conf file.

   In this example, the LDAP client is in the example-domain.com domain. The server's IP address is 192.168.5.5.

   # ldapclient init -a domainName=example-domain.com -a profileNmae=default \ > -a proxyDN=cn=proxyagent,ou=profile,dc=example-domain,dc=com \ > -a proxyDN=cn=proxyPassword={NS1}ecc423aad0 192.168.5.5 System successfully configured

4. Set the server's enableShadowUpdate parameter to TRUE.

   # ldapclient -v mod -a enableShadowUpdate=TRUE \ > -a adminDN=cn=admin,ou=profile,dc=example-domain,dc=com System successfully configured

   For information about the enableShadowUpdate parameter, see enableShadowUpdate Switch in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) and the ldapclient(1M) man page.