test

LDAP Setup and Configuration Guide

Load Data Into the Directory Server

If not already configured, configure directory server to store passwords in Unix Crypt format. For more information on setting the password Unix Crypt format, see the iPlanet documents.

Set the ACI

  1. Set the ACI for the top entry of your tree. This ACI controls an owners ability to modify their own entry. For instance, the default ACI allows a user to modify their home directory value. The modified ACI does not. You might need to set the ACI specific to your environment.

    Change the "Allow self entry modification" ACI of the top entry of your tree from:


    aci=(targetattr = "*")(version 3.0; acl "Allow self entry modification";
allow (write)userdn = "ldap:///self";)

    The modified ACI is:


    aci=(targetattr!="cn || uid || uidNumber || gidNumber || homeDirectory
|| shadowLastChange || shadowMin || shadowMax || shadowWarning ||
shadowInactive || shadowExpire || shadowFlag || memberUid")
(version 3.0; acl "Allow self entry modification"; allow
(write) userdn = "ldap:///self"; )
    Note –

    Do not give modify permission for attributes which the user should not be able to change, such as uid. Doing so allows the user to become super user by setting the attribute to 0.

Add the Naming Container Entries.

For a list of naming containers, see Directory Information Tree.

Note –

The following container entries are based on the nisDomain example used in NIS Domain. Change the container entries as they apply to your environment.

  1. Add the domain entry.


    dn: dc=mkt,dc=mainstore,dc=com
dc: mkt
associatedDomain: mkt.mainstore.com
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
objectclass: nisDomainObject
nisdomain: mkt.mainstore.com

  2. Add the naming container entries.


    dn: ou=people,dc=mkt,dc=mainstore,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=mkt,dc=mainstore,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
	
dn: ou=rpc,dc=mkt,dc=mainstore,dc=com
ou: rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=protocols,dc=mkt,dc=mainstore,dc=com
ou: protocols
objectClass: top
objectClass: organizationalUnit

dn: ou=networks,dc=mkt,dc=mainstore,dc=com
ou: networks
objectClass: top
objectClass: organizationalUnit

dn: ou=netgroup,dc=mkt,dc=mainstore,dc=com
ou: netgroup
objectClass: top
objectClass: organizationalUnit

dn: ou=aliases,dc=mkt,dc=mainstore,dc=com
ou: aliases
objectClass: top
objectClass: organizationalUnit

dn: ou=Hosts,dc=mkt,dc=mainstore,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=services,dc=mkt,dc=mainstore,dc=com
ou: services
objectClass: top
objectClass: organizationalUnit

dn: ou=Ethers,dc=mkt,dc=mainstore,dc=com
ou: Ethers
objectClass: top
objectClass: organizationalUnit

dn: ou=profile,dc=mkt,dc=mainstore,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: nismapname=auto_home,dc=mkt,dc=mainstore,dc=com
nismapname: auto_home
objectClass: top
		objectClass: nisMap

dn: nismapname=auto_direct,dc=mkt,dc=mainstore,dc=com
nismapname: auto_direct
objectClass: top
objectClass: nisMap

dn: nismapname=auto_master,dc=mkt,dc=mainstore,dc=com
nismapname: auto_master
objectClass: top
objectClass: nisMap

dn: nismapname=auto_shared,dc=mkt,dc=mainstore,dc=com
nismapname: auto_shared
objectClass: top
objectClass: nisMap
Set Performance and Limit Parameters

The value of each of these parameter varies from server to server; such as how much data is loaded, usage pattern, the available hardware and so forth.

  1. Set the following performance parameters: Maximum entries in cache, Maximum cache size (bytes), and look through limit.

    Modify the caching parameters to accomodate the memory and disk space available on your system.

  2. Set the following limits parameters: size and time limit for your environment.

    Specifying sizelimit or timelimit to -1, sets them to their maximum value. Select values to accomodate your system.

Give the Proxy Agent Read Permission for Password
Note –

The following proxy agent ACI information is based on the nisDomain example used in NIS Domain. Change the proxy agent ACI as it applies to your environment.

  1. Use ldapmodify to give proxy agent read permission for password by setting read ACI at base search DN if pam_unix is to be used on all clients for authentication.


    #ldapmodify -D "cn=Directory Manager" -w nssecret -f aci.ldif

    The contents of aci.ldif are:


    dn: dc=mkt,dc=mainstore,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=mkt,dc=mainstore,dc=com")
 (targetattr="userPassword")(version 3.0; acl "password read";
 allow (compare,read,search) userdn = "ldap:///cn=proxyagent,
 ou=profile,dc=mkt,dc=mainstore,dc=com"; )

  2. Use ldapsearch to see the new ACI setting.

    ldapsearch shows the modified ACI:


    #ldapsearch -L -h <servername> -b "dc=mkt,dc=mainstore,dc=com" \
  -s base "objectclass=*"

    The ACI returned by ldapsearch would look like:


    dn: dc=mkt,dc=mainstore,dc=com
dc: mkt
associateddomain: mkt.mainstore.com
objectclass: top
objectclass: domain
objectclass: domainRelatedObject
objectclass: nisDomainObject
nisdomain: mkt.mainstore.com
aci: (target="ldap:///dc=mkt,dc=mainstore,dc=com")
 (targetattr="userPassword")(version 3.0; acl "password read";
 allow (compare,read,search) userdn = "ldap:///cn=proxyagent,
 ou=profile,dc=mkt,dc=mainstore,dc=com"; )

    Because pam_ldap authentication is done at server side, there is no need to give read permission for password attribute to proxy agent. For information about pam_ldap, see Pluggable Authentication Module (PAM).

Convert NIS Data to LDIF Format.

If you are migrating from a NIS(YP) to an LDAP environment, use dsimport to convert NIS data into LDIF format. dsimport is part of NIS extension available on iPlanet Advantage Software vol. 1 CD. You can access the documentation from the following web site: http://docs.iplanet.com/docs/manuals/directory.html

  1. Convert the NIS password data to LDIF format.


    # cat passwd.nis | dsimport -n -m nis.mapping -t passwd \
	-M SIMPLE -D "" -w "" >passwd.ldif

    Load the passwd.ldif file into the LDAP server.

  2. Convert the NIS group data to LDIF format.


    # cat group.nis | dsimport -n -m nis.mapping -t group \
-M SIMPLE -D "" -w "" > group.ldif

    Load the group.ldif file into the LDAP server.

  3. Repeat the above step to convert all naming container files.

  4. Use the ns-slapd ldif2db command or the ldapadd command to import the LDIF format files into the directory database.

    For information about the ns-slapd ldif2db command, see “Managing Directory Server Databases” in the Directory Server Administrator's Guide. For information about ldapadd, see ldapadd(1)

    Note –

    To convert file data to LDIF format, dsimport requires a modification to the mapping file to define how the entries are stored.

Create Indexes to Improve Search Performance
Note –

For information about how to create an index, see “Managing Indexes” in the iPlanet Directory Server Administrator's Guide.

  1. Index the following list of Solaris client attributes.


    membernisnetgroup    pres,eq,sub
nisnetgrouptriple    pres,eq,sub
memberuid            pres,eq
macAddress           pres,eq
uid                  pres,eq
uidNumber            pres,eq
gidNumber            pres,eq
ipHostNumber         pres,eq
ipNetworkNumber      pres,eq
ipProtocolNumber     pres,eq
oncRpcNumber         pres,eq
ipServiceProtocol    pres,eq
ipServicePort        pres,eq
nisDomain            pres,eq
nisMapName           pres,eq
mail                 pres,eq

  2. Use ldapsearch to determine if the directory supports Virtual List Views as identified by their OIDs; 1.2.840.113556.1.4.473 VLV control type and 2.16.840.1.113730.3.4.9 VLV control value.


    # ldapsearch -b "" -s base objectclass=\*

    ldapsearch returns:


    objectclass=top
namingcontexts=dc=sun,dc=com
namingcontexts=o=NetscapeRoot
subschemasubentry=cn=schema
supportedcontrol=2.16.840.1.113730.3.4.2
supportedcontrol=2.16.840.1.113730.3.4.3
supportedcontrol=2.16.840.1.113730.3.4.4
supportedcontrol=2.16.840.1.113730.3.4.5
supportedcontrol=1.2.840.113556.1.4.473
supportedcontrol=2.16.840.1.113730.3.4.9
supportedcontrol=2.16.840.1.113730.3.4.12
supportedsaslmechanisms=EXTERNAL
supportedldapversion=2
supportedldapversion=3
dataversion=atitrain2.east.sun.com:389 020000605172910 
netscapemdsuffix=cn=ldap://:389,dc=atitrain2,dc=east,dc=sun,dc=com

  3. Index the following list of Virtual List View attributes.


    getpwent:      vlvFilter: (objectclass=posixAccount),     vlvScope: 1
getspent:      vlvFilter: (objectclass=posixAccount),     vlvScope: 1
getgrent:      vlvFilter: (objectclass=posixGroup),       vlvScope: 1
gethostent:    vlvFilter: (objectclass=ipHost),           vlvScope: 1
getnetent:     vlvFilter: (objectclass=ipNetwork),        vlvScope: 1
getprotoent:   vlvFilter: (objectclass=ipProtocol),       vlvScope: 1
getrpcent:     vlvFilter: (objectclass=oncRpc),           vlvScope: 1
getaliasent:   vlvFilter: (objectclass=rfc822MailGroup),  vlvScope: 1
getserviceent: vlvFilter: (objectclass=ipService),        vlvScope: 1

    Create these indexes for any ou in the tree that contains a large number of objects or for those that are heavily accessed.

  4. For the password entry (getpwent), add the following entries to the directory.


    dn: cn=getpwent,cn=config,cn=ldbm
objectclass: top
objectclass: vlvSearch
cn: getpwent
vlvBase: ou=people,dc=eng,dc=sun,dc=com
vlvScope: 1
vlvFilter: (objectclass=posixAccount)
aci: (target="ldap:///cn=getpwent,cn=config,cn=ldbm")(targetattr="*")
 (version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)

dn: cn=getpwent,cn=getpwent,cn=config,cn=ldbm
cn: getpwent
vlvSort: cn uid
objectclass: top
objectclass: vlvIndex

  5. Create the VLV index for getpwent.


    # cd /usr/netscape/server4/slapd*
# ./vlvindex getpwent
OK# ./vlvindex getgrent
OK# ./vlvindex gethostent
OK# ./vlvindex getspent
OK# 
# ./vlvindex
[05/Jun/2000:15:34:31 -0400] - ldbm2index: Unknown VLV Index named ''
[05/Jun/2000:15:34:31 -0400] - ldbm2index: Known VLV Indexes are: 'getgrent', 
'gethostent', 'getnetent', 'getpwent', 'getspent',

  6. Repeat steps 4 an 5 for the rest of the Virtual List View attributes.

Give “anyone” Read, Search, and Compare Permission on VLV Request Control

  1. Use ldapsearch to show the VLV control ACI.


    #ldapsearch -D "cn=Directory Manager" -w nssecret -b cn=features, \
cn=config objectclass=\*

    The result of the search is:


    cn=features,cn=config
objectclass=top
cn=features

cn=options,cn=features,cn=config
objectclass=top
cn=options

oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectclass=top
objectclass=directoryServerFeature
oid=2.16.840.1.113730.3.4.9
cn=VLV Request Control
aci=(targetattr != "aci")(version 3.0; acl "VLV Request \
 Control"; allow( read, 
search, compare ) userdn = "ldap:///all";)

  2. Use ldapmodify to give "anyone" read, search, compare permission for VLV feature. This ensures anonymous searches do not fail when trying to use VLV control.


    #ldapmodify -D "cn=Directory Manager" -w nssecret -f vlvcntrl.ldif

    the contents of vlvcntrl.ldif are:


    dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
changetype: modify
replace: aci
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; 
 allow (compare,read,search) userdn = "ldap:///anyone"; )

  3. Use ldapsearch to show the changes to the VLV control ACI.


    #ldapsearch -L -b "cn=features,cn=config" -s one \
oid=2.16.840.1.113730.3.4.9

    The ACI returned by ldapsearch would look like:


    dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectclass: top
objectclass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; 
 allow (compare,read,search) userdn = "ldap:///anyone"; )
Add the proxyagent Entry to the LDAP Server
Note –

This step is required only if a proxyagent entry is used.

  1. Add the proxyagent entry to the LDAP server.


    #ldapadd -D "cn=Directory Manager" -w nssecret -f proxyagent.ldif

    The proxyagent.ldif file would look like: 


    dn: cn=proxyagent,ou=profile,dc=mkt,dc=mainstore,dc=com
cn: proxyagent
sn: proxyagent
objectclass: top
objectclass: person
userpassword: proxy_agent_password
    Note –

    The ou can be set to ou=profile or ou=person.

Generate the Client Profile

  1. Generate the client profile and then add it to the LDAP server.


    ldap_gen_profile -P profile -b baseDN -D bindDN \
  -w bindDNpasswd ldapServer_IP_address(es)[:port#]

    The bindDN is the bind DN of the proxy agent. You can specify more than one LDAP server's IP address if you want to allow fail over to another LDAP server. Capture the above result in a file, such as profile.ldif.

    A typical command looks like:


    ldap_gen_profile -P myProfile -b "dc=mkt,dc=mainstore,dc=com" \
-D "cn=proxyagent,ou=profile,dc=mkt,dc=mainstore,dc=com" \
-w proxy_agent_pswd -a simple 100.100.100.100 > profile.ldif

  2. Add this client profile into LDAP server so that clients can download it.