LDAP Setup and Configuration Guide

Chapter 3 iPlanet Directory Server Setup

This chapter describes how to set up the iPlanet Directory Server to support Solaris LDAP clients for naming information lookup. The information is specific to version 4.11 of the iPlanet Directory Server.

If you are using the iPlanet Directory Server, see the following iPlanet documents:

This chapter has the following organization:

Add Object Class Definitions to the Configuration Directory

Prepare the Environment
  1. Stop the directory server.

Modify the slapd.oc.conf File
  1. Modify the ipNetwork object class so that cn is no longer a required attribute but remains an allowed one.

    ipNetwork before the change:


    objectclass ipNetwork
        oid
             1.3.6.1.1.1.2.7
        requires
             objectClass,
             ipNetworkNumber,
             cn
        allows
             ipNetmaskNumber,
             manager,
             l,
             description

    Remove the cn line from requires; add the cn line to allows. ipNetwork after the change:


    objectclass ipNetwork
        oid
             1.3.6.1.1.1.2.7
        requires
             objectClass,
             ipNetworkNumber
        allows
             cn,
             ipNetmaskNumber,
             manager,
             l,
             description
Add Object Class Definitions to the slapd.user_oc.conf File
  1. Add the NisKeyObject objectclass.


    # NIS publickey objectclass
    objectclass NisKeyObject
            oid 1.3.6.1.1.1.2.14
            superior top
            requires
                    cn,
                    nisPublickey,
                    nisSecretkey
            allows
                    uidNumber,
                    description
  2. Add the nisDomainObject objectclass.


    # NIS domain objectclass
    objectclass nisDomainObject
            oid 1.3.6.1.1.1.2.15
            superior top
            requires
                    nisDomain
  3. Add the SolarisNamingProfile objectclass.


    # LDAP client profile objectclass
    objectclass SolarisNamingProfile
            oid 1.3.6.1.4.1.42.2.27.5.2.7
            superior top
            requires
                    cn,
                    SolarisLDAPservers,
                    SolarisSearchBaseDN
            allows
                    SolarisBindDN,
                    SolarisBindPassword,
                    SolarisAuthMethod,
                    SolarisTransportSecurity,
                    SolarisCertificatePath,
                    SolarisDataSearchDN,
                    SolarisSearchScope,
                    SolarisSearchTimelimit,
                    SolarisPreferredServer,
                    SolarisPreferredServerOnly,
                    SolarisCacheTTL,
                    SolarisSearchReferral
  4. Add the mailGroup objectclass.


    # mailGroup objectclass
    objectclass mailGroup
            oid 2.16.840.1.113730.3.2.4
            superior top
            requires
                    mail
            allows
                    cn,
                    mgrpRFC822MailMember
  5. Add the nisMailAlias objectclass.


    # nisMailAlias objectclass
    objectClass nisMailAlias
            oid 1.3.6.1.4.1.42.2.27.1.2.5
            superior top
            requires
                    cn
            allows
                    rfc822mailMember
  6. Add the nisNetId objectclass.


    # nisNetId objectclass
    objectClass nisNetId
            oid 1.3.6.1.4.1.42.2.27.1.2.6
            superior top
            requires
                    cn
            allows
                    nisNetIdUser,
                    nisNetIdGroup,
                    nisNetIdHost
  7. Add the SolarisAuditUser objectclass.


    # User auditing objectclass
    objectclass SolarisAuditUser
            oid 1.3.6.1.4.1.42.2.27.5.2.2
            superior top
            allows
                    SolarisAuditAlways,
                    SolarisAuditNever
  8. Add the SolarisUserAttr objectclass.


    # RBAC User attributes objectclass
    objectclass SolarisUserAttr
            oid 1.3.6.1.4.1.42.2.27.5.2.3
            superior top
            allows
                    SolarisUserQualifier,
                    SolarisAttrReserved1,
                    SolarisAttrReserved2,
                    SolarisAttrKeyValue
  9. Add the SolarisAuthAttr objectclass.


    # RBAC Authorizations Objectclass
    objectclass SolarisAuthAttr
            oid 1.3.6.1.4.1.42.2.27.5.2.4
            superior top
            requires
                    cn
            allows
                    SolarisAttrReserved1,
                    SolarisAttrReserved2,
                    SolarisAttrShortDesc,
                    SolarisAttrLongDesc,
                    SolarisAttrKeyValue
  10. Add the SolarisProfAttr objectclass.


    # RBAC Profile objectclass
    objectClass SolarisProfAttr
            oid 1.3.6.1.4.1.42.2.27.5.2.5
            superior top
            requires
                    cn
            allows
                    SolarisAttrReserved1,
                    SolarisAttrReserved2,
                    SolarisAttrLongDesc,
                    SolarisAttrKeyValue
  11. Add the SolarisExecAttr objectclass.


    # RBAC Execution objectclass
    objectClass SolarisExecAttr
            oid 1.3.6.1.4.1.42.2.27.5.2.6
            superior top
            allows
                    SolarisKernelSecurityPolicy,
                    SolarisProfileType,
                    SolarisAttrReserved1,
                    SolarisAttrReserved2,
                    SolarisProfileID,
                    SolarisAttrKeyValue
  12. Add the nisKeyObject objectclass.


    # Publickey objectclass
    objectClass nisKeyObject
            oid 1.3.6.1.1.1.2.14
            superior top
            requires
                    cn,
                    nisPublicKey,
                    nisSecretKey
            allows
                    uidNumber,
                    description
  13. Add the SolarisProject objectclass.


    # Project Accounting objectclass
    objectclass SolarisProject
            oid 1.3.6.1.4.1.42.2.27.5.2.1
            superior top
            requires
                    SolarisProjectID,
                    SolarisProjectName
            allows
                    memberUid,
                    memberGid,
                    description,
                    SolarisProjectAttr
Add Attribute Definitions to the slapd.user_at.conf File
  1. Add the nisMapEntry attribute.


    # Sun nisMapEntry attributes
    attribute nisDomain      1.3.6.1.1.1.1.30   cis
  2. Add the LDAP client profile attributes.


    # attributes for LDAP client profile
    attribute SolarisLDAPServers     1.3.6.1.4.1.42.2.27.5.1.15   cis
    attribute SolarisSearchBaseDN    1.3.6.1.4.1.42.2.27.5.1.16   dn single
    attribute SolarisCacheTTL        1.3.6.1.4.1.42.2.27.5.1.17   cis  single
    attribute SolarisBindDN          1.3.6.1.4.1.42.2.27.5.1.18   dn single
    attribute SolarisBindPassword    1.3.6.1.4.1.42.2.27.5.1.19   ces  single
    attribute SolarisAuthMethod      1.3.6.1.4.1.42.2.27.5.1.20   cis
    attribute SolarisTransportSecurity  1.3.6.1.4.1.42.2.27.5.1.21   cis
    attribute SolarisCertificatePath 1.3.6.1.4.1.42.2.27.5.1.22   ces single
    attribute SolarisDataSearchDN    1.3.6.1.4.1.42.2.27.5.1.24   cis
    attribute SolarisSearchScope     1.3.6.1.4.1.42.2.27.5.1.25   cis single
    attribute SolarisSearchTimeLimit 1.3.6.1.4.1.42.2.27.5.1.26   int single
    attribute SolarisPreferredServer 1.3.6.1.4.1.42.2.27.5.1.27   cis
    attribute SolarisPreferredServerOnly 1.3.6.1.4.1.42.2.27.5.1.28 cis single
    attribute SolarisSearchReferral  1.3.6.1.4.1.42.2.27.5.1.29   cis single
  3. Add the mailGroup attributes.


    # Sun additional attributes to RFC2307 attributes (NIS)
    attribute mgrpRFC822MailMember   2.16.840.1.113730.3.1.30     cis
    attribute rfc822MailMember                                    ces
  4. Add the nisKeyObject attributes.


    # Sun nisKeyObject attributes
    attribute nisPublickey    1.3.6.1.1.1.1.28    cis
    attribute nisSecretkey    1.3.6.1.1.1.1.29    cis
  5. Add the nisNetId attributes.


    # Sun nisNetId attributes
    attribute nisNetIdUser    1.3.6.1.4.1.42.2.27.1.1.12    ces
    attribute nisNetIdGroup   1.3.6.1.4.1.42.2.27.1.1.13    ces
    attribute nisNetIdHost    1.3.6.1.4.1.42.2.27.1.1.14    ces
  6. Add the auditing attributes.


    # attributes for auditing
    attribute SolarisAuditAlways   1.3.6.1.4.1.42.2.27.5.1.5   cis single
    attribute SolarisAuditNever    1.3.6.1.4.1.42.2.27.5.1.6   cis single
  7. Add the RBAC attributes.


    # attributes for RBAC
    attribute SolarisAttrKeyValue   1.3.6.1.4.1.42.2.27.5.1.4   cis single
    attribute SolarisAttrShortDesc  1.3.6.1.4.1.42.2.27.5.1.7   cis single
    attribute SolarisAttrLongDesc   1.3.6.1.4.1.42.2.27.5.1.8   cis single
    attribute SolarisKernelSecurityPolicy  1.3.6.1.4.1.42.2.27.5.1.9  cis single
    attribute SolarisProfileType    1.3.6.1.4.1.42.2.27.5.1.10  cis single
    attribute SolarisProfileId      1.3.6.1.4.1.42.2.27.5.1.11  ces single
    attribute SolarisUserQualifier  1.3.6.1.4.1.42.2.27.5.1.12  cis single
    attribute SolarisAttrReserved1  1.3.6.1.4.1.42.2.27.5.1.13  cis single
    attribute SolarisAttrReserved2  1.3.6.1.4.1.42.2.27.5.1.14  cis single
  8. Add the nisKeyObject attributes.


    # attributes for nisKeyObject
    attribute nisPublicKey    1.3.6.1.1.1.1.28    cis
    attribute nisSecretKey    1.3.6.1.1.1.1.29    cis
  9. Add the project accounting attributes.


    # attributes for Project Accounting
    attribute SolarisProjectID     1.3.6.1.4.1.42.2.27.5.1.1    int single
    attribute SolarisProjectName   1.3.6.1.4.1.42.2.27.5.1.2    ces single
    attribute SolarisProjectAttr   1.3.6.1.4.1.42.2.27.5.1.3    ces
    attribute memberGid            1.3.6.1.4.1.42.2.27.5.1.30   ces

Load Data Into the Directory Server

If not already configured, configure the directory server to store passwords in Unix Crypt format. For more information on setting the Unix Crypt password format, see the iPlanet documents.

Set the ACI
  1. Set the ACI for the top entry of your tree. This ACI controls an owner's ability to modify their own entry. For instance, the default ACI allows a user to modify the value of their own home directory attribute; the modified ACI does not. You might need to adjust the ACI for your environment.

    Change the "Allow self entry modification" ACI of the top entry of your tree from:


    aci=(targetattr = "*")(version 3.0; acl "Allow self entry modification";
    allow (write)userdn = "ldap:///self";)

    The modified ACI is:


    aci=(targetattr!="cn || uid || uidNumber || gidNumber || homeDirectory
    || shadowLastChange || shadowMin || shadowMax || shadowWarning ||
    shadowInactive || shadowExpire || shadowFlag || memberUid")
    (version 3.0; acl "Allow self entry modification"; allow
    (write) userdn = "ldap:///self"; )

    Note –

    Do not grant modify permission on attributes that the user should not be able to change, such as uid or uidNumber. Doing so allows the user to become superuser by setting uidNumber to 0.


Add the Naming Container Entries

For a list of naming containers, see Directory Information Tree.


Note –

The following container entries are based on the nisDomain example used in NIS Domain. Change the container entries as they apply to your environment.


  1. Add the domain entry.


    dn: dc=mkt,dc=mainstore,dc=com
    dc: mkt
    associatedDomain: mkt.mainstore.com
    objectClass: top
    objectClass: domain
    objectClass: domainRelatedObject
    objectclass: nisDomainObject
    nisdomain: mkt.mainstore.com
  2. Add the naming container entries.


    dn: ou=people,dc=mkt,dc=mainstore,dc=com
    ou: people
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=Group,dc=mkt,dc=mainstore,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit
    	
    dn: ou=rpc,dc=mkt,dc=mainstore,dc=com
    ou: rpc
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=protocols,dc=mkt,dc=mainstore,dc=com
    ou: protocols
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=networks,dc=mkt,dc=mainstore,dc=com
    ou: networks
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=netgroup,dc=mkt,dc=mainstore,dc=com
    ou: netgroup
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=aliases,dc=mkt,dc=mainstore,dc=com
    ou: aliases
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=Hosts,dc=mkt,dc=mainstore,dc=com
    ou: Hosts
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=services,dc=mkt,dc=mainstore,dc=com
    ou: services
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=Ethers,dc=mkt,dc=mainstore,dc=com
    ou: Ethers
    objectClass: top
    objectClass: organizationalUnit
    
    dn: ou=profile,dc=mkt,dc=mainstore,dc=com
    ou: profile
    objectClass: top
    objectClass: organizationalUnit
    
    dn: nismapname=auto_home,dc=mkt,dc=mainstore,dc=com
    nismapname: auto_home
    objectClass: top
    objectClass: nisMap
    
    dn: nismapname=auto_direct,dc=mkt,dc=mainstore,dc=com
    nismapname: auto_direct
    objectClass: top
    objectClass: nisMap
    
    dn: nismapname=auto_master,dc=mkt,dc=mainstore,dc=com
    nismapname: auto_master
    objectClass: top
    objectClass: nisMap
    
    dn: nismapname=auto_shared,dc=mkt,dc=mainstore,dc=com
    nismapname: auto_shared
    objectClass: top
    objectClass: nisMap
Set Performance and Limit Parameters

The value of each of these parameters varies from server to server, depending on how much data is loaded, the usage pattern, the available hardware, and so forth.

  1. Set the following performance parameters: Maximum entries in cache, Maximum cache size (bytes), and look through limit.

    Modify the caching parameters to accommodate the memory and disk space available on your system.

  2. Set the following limits parameters: size and time limit for your environment.

    Setting sizelimit or timelimit to -1 sets them to their maximum value. Select values that accommodate your system.

Give the Proxy Agent Read Permission for Password

Note –

The following proxy agent ACI information is based on the nisDomain example used in NIS Domain. Change the proxy agent ACI as it applies to your environment.


  1. Use ldapmodify to give the proxy agent read permission for the password attribute by setting a read ACI at the base search DN, if pam_unix is to be used on all clients for authentication.


    #ldapmodify -D "cn=Directory Manager" -w nssecret -f aci.ldif

    The contents of aci.ldif are:


    dn: dc=mkt,dc=mainstore,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///dc=mkt,dc=mainstore,dc=com")
     (targetattr="userPassword")(version 3.0; acl "password read";
     allow (compare,read,search) userdn = "ldap:///cn=proxyagent,
     ou=profile,dc=mkt,dc=mainstore,dc=com"; )
  2. Use ldapsearch to see the new ACI setting.

    ldapsearch shows the modified ACI:


    #ldapsearch -L -h <servername> -b "dc=mkt,dc=mainstore,dc=com" \
      -s base "objectclass=*"

    The ACI returned by ldapsearch would look like:


    dn: dc=mkt,dc=mainstore,dc=com
    dc: mkt
    associateddomain: mkt.mainstore.com
    objectclass: top
    objectclass: domain
    objectclass: domainRelatedObject
    objectclass: nisDomainObject
    nisdomain: mkt.mainstore.com
    aci: (target="ldap:///dc=mkt,dc=mainstore,dc=com")
     (targetattr="userPassword")(version 3.0; acl "password read";
     allow (compare,read,search) userdn = "ldap:///cn=proxyagent,
     ou=profile,dc=mkt,dc=mainstore,dc=com"; )

    Because pam_ldap authentication is performed on the server side, there is no need to give the proxy agent read permission for the password attribute. For information about pam_ldap, see Pluggable Authentication Module (PAM).
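The two ACIs set in this section, the "Allow self entry modification" ACI on the top entry and the proxy agent's "password read" ACI, decide what a user can write on their own entry and who can read userPassword. As an added example (not from the Sun guide or from iPlanet), this Python checker parses ACIs in the form shown on this page, evaluating only allow rules with a userdn bind rule (deny rules and other bind rules are ignored), and reports which sensitive attributes remain self-writable and which bind URLs are granted read on userPassword; SENSITIVE is the exclusion list taken from the modified ACI.

```python
import re

# Added example (not from the Sun guide): evaluate the iPlanet ACIs the
# guide sets. Only "allow" rules with a userdn bind rule are considered.

# Attributes the guide's modified ACI excludes from self-write: identity,
# group and shadow fields a user must not control (uidNumber 0 is root).
SENSITIVE = {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
             "shadowlastchange", "shadowmin", "shadowmax", "shadowwarning",
             "shadowinactive", "shadowexpire", "shadowflag", "memberuid"}
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]*)"')


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return "\n".join(out)


def parse_aci(aci):
    """Return (op, attrs, rules): op is '=' or '!=', attrs the lower-cased
    targetattr names, rules a list of (allow|deny, rights, bind URL)."""
    m = TARGETATTR_RE.search(aci)
    if not m:
        raise ValueError("ACI has no targetattr clause")
    attrs = {a.strip().lower() for a in m.group(2).split("||")}
    rules = [(kind, {r.strip().lower() for r in rights.split(",")}, who.strip())
             for kind, rights, who in RULE_RE.findall(aci)]
    return m.group(1), attrs, rules


def self_writable_sensitive(aci):
    """Sensitive attributes a user may write on their own entry."""
    op, attrs, rules = parse_aci(unfold_ldif(aci))
    if not any(k == "allow" and "write" in r and who == "ldap:///self"
               for k, r, who in rules):
        return set()
    if op == "=":
        return set(SENSITIVE) if "*" in attrs else SENSITIVE & attrs
    return SENSITIVE - attrs          # "!=" means everything but the listed


def password_readers(aci):
    """Bind URLs allowed read, search or compare on userPassword."""
    op, attrs, rules = parse_aci(unfold_ldif(aci))
    covered = (("*" in attrs or "userpassword" in attrs) if op == "="
               else "userpassword" not in attrs)
    if not covered:
        return set()
    return {who for k, r, who in rules
            if k == "allow" and r & {"read", "search", "compare"}}


# The three ACIs as the guide prints them, folded LDIF-style for this sample.
DEFAULT_SELF = '''aci: (targetattr = "*")(version 3.0; acl "Allow self entry modification";
 allow (write)userdn = "ldap:///self";)'''
MODIFIED_SELF = '''aci: (targetattr!="cn || uid || uidNumber || gidNumber || homeDirectory
 || shadowLastChange || shadowMin || shadowMax || shadowWarning ||
 shadowInactive || shadowExpire || shadowFlag || memberUid")
 (version 3.0; acl "Allow self entry modification"; allow
 (write) userdn = "ldap:///self"; )'''
PROXY_READ = '''aci: (target="ldap:///dc=mkt,dc=mainstore,dc=com")
 (targetattr="userPassword")(version 3.0; acl "password read";
 allow (compare,read,search) userdn = "ldap:///cn=proxyagent,
 ou=profile,dc=mkt,dc=mainstore,dc=com"; )'''

if __name__ == "__main__":
    print("default self ACI exposes:", sorted(self_writable_sensitive(DEFAULT_SELF)))
    print("modified self ACI exposes:", sorted(self_writable_sensitive(MODIFIED_SELF)))
    print("userPassword readers:", password_readers(PROXY_READ))
```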

Convert NIS Data to LDIF Format

If you are migrating from a NIS (YP) environment to an LDAP environment, use dsimport to convert NIS data into LDIF format. dsimport is part of the NIS extension available on the iPlanet Advantage Software vol. 1 CD. You can access the documentation from the following web site: http://docs.iplanet.com/docs/manuals/directory.html

  1. Convert the NIS password data to LDIF format.


    # cat passwd.nis | dsimport -n -m nis.mapping -t passwd \
    -M SIMPLE -D "" -w "" > passwd.ldif

    Load the passwd.ldif file into the LDAP server.

  2. Convert the NIS group data to LDIF format.


    # cat group.nis | dsimport -n -m nis.mapping -t group \
    -M SIMPLE -D "" -w "" > group.ldif

    Load the group.ldif file into the LDAP server.

  3. Repeat the above step to convert all naming container files.

  4. Use the ns-slapd ldif2db command or the ldapadd command to import the LDIF format files into the directory database.

    For information about the ns-slapd ldif2db command, see “Managing Directory Server Databases” in the Directory Server Administrator's Guide. For information about ldapadd, see ldapadd(1).


    Note –

    To convert file data to LDIF format, dsimport requires a modification to the mapping file to define how the entries are stored.


Create Indexes to Improve Search Performance

Note –

For information about how to create an index, see “Managing Indexes” in the iPlanet Directory Server Administrator's Guide.


  1. Index the following list of Solaris client attributes.


    membernisnetgroup    pres,eq,sub
    nisnetgrouptriple    pres,eq,sub
    memberuid            pres,eq
    macAddress           pres,eq
    uid                  pres,eq
    uidNumber            pres,eq
    gidNumber            pres,eq
    ipHostNumber         pres,eq
    ipNetworkNumber      pres,eq
    ipProtocolNumber     pres,eq
    oncRpcNumber         pres,eq
    ipServiceProtocol    pres,eq
    ipServicePort        pres,eq
    nisDomain            pres,eq
    nisMapName           pres,eq
    mail                 pres,eq
  2. Use ldapsearch to determine whether the directory supports Virtual List Views, as identified by their OIDs: 1.2.840.113556.1.4.473 (VLV control type) and 2.16.840.1.113730.3.4.9 (VLV control value).


    # ldapsearch -b "" -s base objectclass=\*

    ldapsearch returns:


    objectclass=top
    namingcontexts=dc=sun,dc=com
    namingcontexts=o=NetscapeRoot
    subschemasubentry=cn=schema
    supportedcontrol=2.16.840.1.113730.3.4.2
    supportedcontrol=2.16.840.1.113730.3.4.3
    supportedcontrol=2.16.840.1.113730.3.4.4
    supportedcontrol=2.16.840.1.113730.3.4.5
    supportedcontrol=1.2.840.113556.1.4.473
    supportedcontrol=2.16.840.1.113730.3.4.9
    supportedcontrol=2.16.840.1.113730.3.4.12
    supportedsaslmechanisms=EXTERNAL
    supportedldapversion=2
    supportedldapversion=3
    dataversion=atitrain2.east.sun.com:389 020000605172910 
    netscapemdsuffix=cn=ldap://:389,dc=atitrain2,dc=east,dc=sun,dc=com
  3. Index the following list of Virtual List View attributes.


    getpwent:      vlvFilter: (objectclass=posixAccount),     vlvScope: 1
    getspent:      vlvFilter: (objectclass=posixAccount),     vlvScope: 1
    getgrent:      vlvFilter: (objectclass=posixGroup),       vlvScope: 1
    gethostent:    vlvFilter: (objectclass=ipHost),           vlvScope: 1
    getnetent:     vlvFilter: (objectclass=ipNetwork),        vlvScope: 1
    getprotoent:   vlvFilter: (objectclass=ipProtocol),       vlvScope: 1
    getrpcent:     vlvFilter: (objectclass=oncRpc),           vlvScope: 1
    getaliasent:   vlvFilter: (objectclass=rfc822MailGroup),  vlvScope: 1
    getserviceent: vlvFilter: (objectclass=ipService),        vlvScope: 1

    Create these indexes for any ou in the tree that contains a large number of objects or for those that are heavily accessed.

  4. For the password entry (getpwent), add the following entries to the directory.


    dn: cn=getpwent,cn=config,cn=ldbm
    objectclass: top
    objectclass: vlvSearch
    cn: getpwent
    vlvBase: ou=people,dc=eng,dc=sun,dc=com
    vlvScope: 1
    vlvFilter: (objectclass=posixAccount)
    aci: (target="ldap:///cn=getpwent,cn=config,cn=ldbm")(targetattr="*")
     (version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)
    
    dn: cn=getpwent,cn=getpwent,cn=config,cn=ldbm
    cn: getpwent
    vlvSort: cn uid
    objectclass: top
    objectclass: vlvIndex
  5. Create the VLV index for getpwent.


    # cd /usr/netscape/server4/slapd*
    # ./vlvindex getpwent
    OK# ./vlvindex getgrent
    OK# ./vlvindex gethostent
    OK# ./vlvindex getspent
    OK# 
    # ./vlvindex
    [05/Jun/2000:15:34:31 -0400] - ldbm2index: Unknown VLV Index named ''
    [05/Jun/2000:15:34:31 -0400] - ldbm2index: Known VLV Indexes are: 'getgrent', 
    'gethostent', 'getnetent', 'getpwent', 'getspent', 
  6. Repeat steps 4 and 5 for the rest of the Virtual List View attributes.

Give “anyone” Read, Search, and Compare Permission on VLV Request Control
  1. Use ldapsearch to show the VLV control ACI.


    #ldapsearch -D "cn=Directory Manager" -w nssecret -b cn=features, \
    cn=config objectclass=\*

    The result of the search is:


    cn=features,cn=config
    objectclass=top
    cn=features
    
    cn=options,cn=features,cn=config
    objectclass=top
    cn=options
    
    oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
    objectclass=top
    objectclass=directoryServerFeature
    oid=2.16.840.1.113730.3.4.9
    cn=VLV Request Control
    aci=(targetattr != "aci")(version 3.0; acl "VLV Request \
     Control"; allow( read, 
    search, compare ) userdn = "ldap:///all";)
  2. Use ldapmodify to give "anyone" read, search, and compare permission for the VLV feature. This ensures that anonymous searches do not fail when they use the VLV control.


    #ldapmodify -D "cn=Directory Manager" -w nssecret -f vlvcntrl.ldif

    The contents of vlvcntrl.ldif are:


    dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
    changetype: modify
    replace: aci
    aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; 
     allow (compare,read,search) userdn = "ldap:///anyone"; )
  3. Use ldapsearch to show the changes to the VLV control ACI.


    #ldapsearch -L -b "cn=features,cn=config" -s one \
    oid=2.16.840.1.113730.3.4.9

    The ACI returned by ldapsearch would look like:


    dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
    objectclass: top
    objectclass: directoryServerFeature
    oid: 2.16.840.1.113730.3.4.9
    cn: VLV Request Control
    aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; 
     allow (compare,read,search) userdn = "ldap:///anyone"; )
Add the proxyagent Entry to the LDAP Server

Note –

This step is required only if a proxyagent entry is used.


  1. Add the proxyagent entry to the LDAP server.


    #ldapadd -D "cn=Directory Manager" -w nssecret -f proxyagent.ldif

    The proxyagent.ldif file would look like:


    dn: cn=proxyagent,ou=profile,dc=mkt,dc=mainstore,dc=com
    cn: proxyagent
    sn: proxyagent
    objectclass: top
    objectclass: person
    userpassword: proxy_agent_password

    Note –

    The ou can be set to ou=profile or ou=person.


Generate the Client Profile
  1. Generate the client profile and then add it to the LDAP server.


    ldap_gen_profile -P profile -b baseDN -D bindDN \
      -w bindDNpasswd ldapServer_IP_address(es)[:port#]

    The bindDN is the bind DN of the proxy agent. You can specify more than one LDAP server IP address if you want to allow failover to another LDAP server. Capture the output of the command in a file, such as profile.ldif.

    A typical command looks like:


    ldap_gen_profile -P myProfile -b "dc=mkt,dc=mainstore,dc=com" \
    -D "cn=proxyagent,ou=profile,dc=mkt,dc=mainstore,dc=com" \
    -w proxy_agent_pswd -a simple 100.100.100.100 > profile.ldif
  2. Add this client profile into LDAP server so that clients can download it.