Solaris Naming Administration Guide

Federating Under X.500/LDAP

To federate a subordinate naming system (either NIS+ or NIS) under X.500/LDAP, follow the steps below.

Specifying an X.500 Root Reference

  1. Obtain the NIS+ root reference for your NIS+ hierarchy.

    See "Obtaining the Root Reference".

  2. Create an X.500 entry that supports XFN reference attributes.

    For example, the following command creates a new X.500 entry called c=us/o=doc with the object classes top, organization, and XFN-supplement (1.2.840.113536.25). The XFN-supplement object class allows the c=us/o=doc entry to store reference information for a subordinate naming system.

    # fnattr -a .../c=us/o=doc object-class \
    top organization XFN-supplement

    If the X.500 entry already existed and was not defined with the XFN-supplement object class, it must be removed and re-created with the additional object class. Otherwise, it will not be able to hold reference information about the subordinate naming system.

  3. Add the reference information about the subordinate system to the entry.

    After creating the X.500 entry, you can then add information about the subordinate system by binding the appropriate root reference to the named entry.

    For example, if your subordinate naming system is NIS+, and the NIS+ server you want to use is nismaster, you would enter:

    # fnbind -r .../c=us/o=doc/ onc_fn_enterprise onc_fn_nisplus_root \
    " nismaster"

    If your subordinate naming system is NIS, and the NIS server you want to use is ypmaster, you would enter:

    # fnbind -r .../c=us/o=doc/ onc_fn_enterprise onc_fn_nis_root \
    " ypmaster"

    These examples bind the reference for the NIS+ or NIS hierarchy, together with the root domain name, to the next naming system pointer (NNSP) of the X.500 entry c=us/o=doc, thus linking the X.500 namespace with the NIS+ or NIS namespace.

    The address format used is that of the root reference described in "Obtaining the Root Reference". Note the use of the trailing slash in the name argument to fnbind, .../c=us/o=doc/, to signify that the reference is being bound to the NNSP of the entry, rather than to the entry itself.

    For further information on X.500 entries and XFN references, see "X.500 Attribute Syntax for XFN References".
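    The following script is an added example and is not part of the Solaris guide or the FNS tools themselves. It assembles the fnattr and fnbind commands from steps 2 and 3 for a given X.500 entry, subordinate system type (nisplus or nis) and server, adds the trailing slash that makes fnbind target the entry's NNSP, and defaults to a dry run (DRY_RUN=1) so the commands can be reviewed before anything is written to X.500. It assumes, as in the examples above, that the root reference address is just the server name; if "Obtaining the Root Reference" gives you a longer address for your hierarchy, pass that string instead.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): build the fnattr/fnbind commands
# for federating an NIS+ or NIS hierarchy under an X.500 entry.
# Assumption: the root reference address is the bare server name, as in the
# guide's examples. With DRY_RUN=1 (the default) commands are printed, not run.

# root_ref_type nisplus|nis: map the subordinate system to its XFN root reference type
root_ref_type() {
    case "$1" in
        nisplus) echo onc_fn_nisplus_root ;;
        nis)     echo onc_fn_nis_root ;;
        *)       echo "unknown subordinate naming system: $1" >&2; return 1 ;;
    esac
}

# nnsp_name ENTRY: add the trailing slash so fnbind binds to the entry's
# next naming system pointer rather than to the entry itself
nnsp_name() {
    case "$1" in
        */) echo "$1" ;;
        *)  echo "$1/" ;;
    esac
}

# federate ENTRY TYPE SERVER: step 2 (create the entry with XFN-supplement)
# followed by step 3 (bind the root reference to the entry's NNSP)
federate() {
    ref_type=$(root_ref_type "$2") || return 1
    target=$(nnsp_name "$1")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'fnattr -a %s object-class top organization XFN-supplement\n' "$1"
        printf 'fnbind -r %s onc_fn_enterprise %s "%s"\n' "$target" "$ref_type" "$3"
    else
        # Real run: requires a Solaris host with FNS and write access to the X.500 entry.
        fnattr -a "$1" object-class top organization XFN-supplement &&
        fnbind -r "$target" onc_fn_enterprise "$ref_type" "$3"
    fi
}

# Usage: DRY_RUN=0 ./federate.sh .../c=us/o=doc nisplus nismaster
if [ $# -eq 3 ]; then
    federate "$@"
fi
```

Remember the caveat from step 2: if the entry already exists without the XFN-supplement object class, the fnattr call in this script will not fix it; the entry has to be removed and re-created first.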

Specifying an X.500 Client API

An X.500 client API is required in order to access X.500 using FNS. You can use one of two different clients: XDS/XOM or LDAP.

The API that you use is specified in each machine's /etc/fn/x500.conf file. This file contains configuration information for X.500 and LDAP. This file can be edited directly. The default x500.conf file contains two entries:

x500-access: xds ldap 
ldap-servers: localhost ldap

Where localhost and ldap are the IP addresses or hostnames of one or more LDAP servers.

The first entry specifies the order in which the X.500 access APIs are tried. In the example above, X.500 will first try to use XDS/XOM. If XDS/XOM is not available, it will default to using LDAP. If the entry read: x500-access: ldap xds, X.500 would use LDAP and only fall back on XDS if LDAP were not available.

The second entry lists the IP addresses or hostnames of servers running LDAP. Each server is tried in turn until a successful LDAP connection is achieved. In the example above, localhost is tried first. If LDAP is not available on that server, the next one is tried.
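The following is an added example, not code from the Solaris guide or from FNS: a small POSIX sh parser for the two x500.conf entries described above, together with functions that walk the API order and the server list the way the text describes (first API whose probe succeeds, first server that answers). The sample configuration, the hostnames ldap1.example.internal and ldap2.example.internal, and the probe functions are all constructed for the demonstration; a real probe might test TCP port 389 on each host.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): parse an FNS x500.conf and
# emulate the "try in order, fall back" behaviour of its two entries.
# Assumption: the file holds "key: value value ..." lines; lines whose first
# field is anything else (including comments) are ignored.

# Constructed sample x500.conf; prefers LDAP and falls back to XDS/XOM.
X500_CONF="${TMPDIR:-/tmp}/x500.conf.example.$$"
trap 'rm -f "$X500_CONF"' EXIT
cat > "$X500_CONF" <<'EOF'
# constructed sample configuration, not from a real host
x500-access: ldap xds
ldap-servers: ldap1.example.internal ldap2.example.internal localhost
EOF

# conf_values FILE KEY: print KEY's whitespace-separated values on one line
# (awk field splitting also discards any trailing whitespace on the line)
conf_values() {
    awk -v key="$2:" '$1 == key {
        out = ""
        for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
        print out
    }' "$1"
}

# x500_access_order FILE: the API preference order, e.g. "xds ldap"
x500_access_order() { conf_values "$1" x500-access; }

# ldap_servers FILE: the LDAP servers in the order they are tried
ldap_servers() { conf_values "$1" ldap-servers; }

# first_available_api FILE PROBE: first API for which "PROBE api" succeeds
first_available_api() {
    for api in $(x500_access_order "$1"); do
        if "$2" "$api"; then echo "$api"; return 0; fi
    done
    return 1
}

# first_reachable_ldap_server FILE PROBE: servers are tried in turn until one answers
first_reachable_ldap_server() {
    for host in $(ldap_servers "$1"); do
        if "$2" "$host"; then echo "$host"; return 0; fi
    done
    return 1
}

# Constructed probes: pretend the XDS/XOM libraries are missing and that only
# ldap2.example.internal accepts connections. A real host probe could be:
#   nc -z -w 2 "$1" 389
probe_api_stub()  { [ "$1" = ldap ]; }
probe_host_stub() { [ "$1" = ldap2.example.internal ]; }

first_available_api "$X500_CONF" probe_api_stub            # -> ldap
first_reachable_ldap_server "$X500_CONF" probe_host_stub   # -> ldap2.example.internal
```

Both walk functions return non-zero when nothing in the list succeeds, which is the case worth alarming on: an x500.conf whose servers are all unreachable leaves FNS unable to resolve any X.500 name.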