If not already configured, configure directory server to store passwords in Unix Crypt format. For more information on setting the password Unix Crypt format, see the iPlanet documents.
Set the ACI for the top entry of your tree. This ACI controls an owners ability to modify their own entry. For instance, the default ACI allows a user to modify their home directory value. The modified ACI does not. You might need to set the ACI specific to your environment.
Change the "Allow self entry modification" ACI of the top entry of your tree from:
aci=(targetattr = "*")(version 3.0; acl "Allow self entry modification"; allow (write)userdn = "ldap:///self";) |
The modified ACI is:
aci=(targetattr!="cn || uid || uidNumber || gidNumber || homeDirectory || shadowLastChange || shadowMin || shadowMax || shadowWarning || shadowInactive || shadowExpire || shadowFlag || memberUid") (version 3.0; acl "Allow self entry modification"; allow (write) userdn = "ldap:///self"; ) |
Do not give modify permission for attributes which the user should not be able to change, such as uid. Doing so allows the user to become super user by setting the attribute to 0.
For a list of naming containers, see Directory Information Tree.
The following container entries are based on the nisDomain example used in NIS Domain. Change the container entries as they apply to your environment.
Add the domain entry.
dn: dc=mkt,dc=mainstore,dc=com dc: mkt associatedDomain: mkt.mainstore.com objectClass: top objectClass: domain objectClass: domainRelatedObject objectclass: nisDomainObject nisdomain: mkt.mainstore.com |
Add the naming container entries.
dn: ou=people,dc=mkt,dc=mainstore,dc=com ou: people objectClass: top objectClass: organizationalUnit dn: ou=Group,dc=mkt,dc=mainstore,dc=com ou: Group objectClass: top objectClass: organizationalUnit dn: ou=rpc,dc=mkt,dc=mainstore,dc=com ou: rpc objectClass: top objectClass: organizationalUnit dn: ou=protocols,dc=mkt,dc=mainstore,dc=com ou: protocols objectClass: top objectClass: organizationalUnit dn: ou=networks,dc=mkt,dc=mainstore,dc=com ou: networks objectClass: top objectClass: organizationalUnit dn: ou=netgroup,dc=mkt,dc=mainstore,dc=com ou: netgroup objectClass: top objectClass: organizationalUnit dn: ou=aliases,dc=mkt,dc=mainstore,dc=com ou: aliases objectClass: top objectClass: organizationalUnit dn: ou=Hosts,dc=mkt,dc=mainstore,dc=com ou: Hosts objectClass: top objectClass: organizationalUnit dn: ou=services,dc=mkt,dc=mainstore,dc=com ou: services objectClass: top objectClass: organizationalUnit dn: ou=Ethers,dc=mkt,dc=mainstore,dc=com ou: Ethers objectClass: top objectClass: organizationalUnit dn: ou=profile,dc=mkt,dc=mainstore,dc=com ou: profile objectClass: top objectClass: organizationalUnit dn: nismapname=auto_home,dc=mkt,dc=mainstore,dc=com nismapname: auto_home objectClass: top objectClass: nisMap dn: nismapname=auto_direct,dc=mkt,dc=mainstore,dc=com nismapname: auto_direct objectClass: top objectClass: nisMap dn: nismapname=auto_master,dc=mkt,dc=mainstore,dc=com nismapname: auto_master objectClass: top objectClass: nisMap dn: nismapname=auto_shared,dc=mkt,dc=mainstore,dc=com nismapname: auto_shared objectClass: top objectClass: nisMap |
The value of each of these parameter varies from server to server; such as how much data is loaded, usage pattern, the available hardware and so forth.
Set the following performance parameters: Maximum entries in cache, Maximum cache size (bytes), and look through limit.
Modify the caching parameters to accomodate the memory and disk space available on your system.
Set the following limits parameters: size and time limit for your environment.
Specifying sizelimit or timelimit to -1, sets them to their maximum value. Select values to accomodate your system.
The following proxy agent ACI information is based on the nisDomain example used in NIS Domain. Change the proxy agent ACI as it applies to your environment.
Use ldapmodify to give proxy agent read permission for password by setting read ACI at base search DN if pam_unix is to be used on all clients for authentication.
#ldapmodify -D "cn=Directory Manager" -w nssecret -f aci.ldif |
The contents of aci.ldif are:
dn: dc=mkt,dc=mainstore,dc=com changetype: modify add: aci aci: (target="ldap:///dc=mkt,dc=mainstore,dc=com") (targetattr="userPassword")(version 3.0; acl "password read"; allow (compare,read,search) userdn = "ldap:///cn=proxyagent, ou=profile,dc=mkt,dc=mainstore,dc=com"; ) |
Use ldapsearch to see the new ACI setting.
ldapsearch shows the modified ACI:
#ldapsearch -L -h <servername> -b "dc=mkt,dc=mainstore,dc=com" \ -s base "objectclass=*" |
The ACI returned by ldapsearch would look like:
dn: dc=mkt,dc=mainstore,dc=com dc: mkt associateddomain: mkt.mainstore.com objectclass: top objectclass: domain objectclass: domainRelatedObject objectclass: nisDomainObject nisdomain: mkt.mainstore.com aci: (target="ldap:///dc=mkt,dc=mainstore,dc=com") (targetattr="userPassword")(version 3.0; acl "password read"; allow (compare,read,search) userdn = "ldap:///cn=proxyagent, ou=profile,dc=mkt,dc=mainstore,dc=com"; ) |
Because pam_ldap authentication is done at server side, there is no need to give read permission for password attribute to proxy agent. For information about pam_ldap, see Pluggable Authentication Module (PAM).
If you are migrating from a NIS(YP) to an LDAP environment, use dsimport to convert NIS data into LDIF format. dsimport is part of NIS extension available on iPlanet Advantage Software vol. 1 CD. You can access the documentation from the following web site: http://docs.iplanet.com/docs/manuals/directory.html
Convert the NIS password data to LDIF format.
# cat passwd.nis | dsimport -n -m nis.mapping -t passwd \ -M SIMPLE -D "" -w "" >passwd.ldif |
Load the passwd.ldif file into the LDAP server.
Convert the NIS group data to LDIF format.
# cat group.nis | dsimport -n -m nis.mapping -t group \ -M SIMPLE -D "" -w "" > group.ldif |
Load the group.ldif file into the LDAP server.
Repeat the above step to convert all naming container files.
Use the ns-slapd ldif2db command or the ldapadd command to import the LDIF format files into the directory database.
For information about the ns-slapd ldif2db command, see “Managing Directory Server Databases” in the Directory Server Administrator's Guide. For information about ldapadd, see ldapadd(1)
To convert file data to LDIF format, dsimport requires a modification to the mapping file to define how the entries are stored.
For information about how to create an index, see “Managing Indexes” in the iPlanet Directory Server Administrator's Guide.
Index the following list of Solaris client attributes.
membernisnetgroup pres,eq,sub nisnetgrouptriple pres,eq,sub memberuid pres,eq macAddress pres,eq uid pres,eq uidNumber pres,eq gidNumber pres,eq ipHostNumber pres,eq ipNetworkNumber pres,eq ipProtocolNumber pres,eq oncRpcNumber pres,eq ipServiceProtocol pres,eq ipServicePort pres,eq nisDomain pres,eq nisMapName pres,eq mail pres,eq |
Use ldapsearch to determine if the directory supports Virtual List Views as identified by their OIDs; 1.2.840.113556.1.4.473 VLV control type and 2.16.840.1.113730.3.4.9 VLV control value.
# ldapsearch -b "" -s base objectclass=\* |
ldapsearch returns:
objectclass=top namingcontexts=dc=sun,dc=com namingcontexts=o=NetscapeRoot subschemasubentry=cn=schema supportedcontrol=2.16.840.1.113730.3.4.2 supportedcontrol=2.16.840.1.113730.3.4.3 supportedcontrol=2.16.840.1.113730.3.4.4 supportedcontrol=2.16.840.1.113730.3.4.5 supportedcontrol=1.2.840.113556.1.4.473 supportedcontrol=2.16.840.1.113730.3.4.9 supportedcontrol=2.16.840.1.113730.3.4.12 supportedsaslmechanisms=EXTERNAL supportedldapversion=2 supportedldapversion=3 dataversion=atitrain2.east.sun.com:389 020000605172910 netscapemdsuffix=cn=ldap://:389,dc=atitrain2,dc=east,dc=sun,dc=com |
Index the following list of Virtual List View attributes.
getpwent: vlvFilter: (objectclass=posixAccount), vlvScope: 1 getspent: vlvFilter: (objectclass=posixAccount), vlvScope: 1 getgrent: vlvFilter: (objectclass=posixGroup), vlvScope: 1 gethostent: vlvFilter: (objectclass=ipHost), vlvScope: 1 getnetent: vlvFilter: (objectclass=ipNetwork), vlvScope: 1 getprotoent: vlvFilter: (objectclass=ipProtocol), vlvScope: 1 getrpcent: vlvFilter: (objectclass=oncRpc), vlvScope: 1 getaliasent: vlvFilter: (objectclass=rfc822MailGroup), vlvScope: 1 getserviceent: vlvFilter: (objectclass=ipService), vlvScope: 1 |
Create these indexes for any ou in the tree that contains a large number of objects or for those that are heavily accessed.
For the password entry (getpwent), add the following entries to the directory.
dn: cn=getpwent,cn=config,cn=ldbm objectclass: top objectclass: vlvSearch cn: getpwent vlvBase: ou=people,dc=eng,dc=sun,dc=com vlvScope: 1 vlvFilter: (objectclass=posixAccount) aci: (target="ldap:///cn=getpwent,cn=config,cn=ldbm")(targetattr="*") (version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";) dn: cn=getpwent,cn=getpwent,cn=config,cn=ldbm cn: getpwent vlvSort: cn uid objectclass: top objectclass: vlvIndex |
Create the VLV index for getpwent.
# cd /usr/netscape/server4/slapd* # ./vlvindex getpwent OK# ./vlvindex getgrent OK# ./vlvindex gethostent OK# ./vlvindex getspent OK# # ./vlvindex [05/Jun/2000:15:34:31 -0400] - ldbm2index: Unknown VLV Index named '' [05/Jun/2000:15:34:31 -0400] - ldbm2index: Known VLV Indexes are: 'getgrent', 'gethostent', 'getnetent', 'getpwent', 'getspent', |
Repeat steps 4 an 5 for the rest of the Virtual List View attributes.
Use ldapsearch to show the VLV control ACI.
#ldapsearch -D "cn=Directory Manager" -w nssecret -b cn=features, \ cn=config objectclass=\* |
The result of the search is:
cn=features,cn=config objectclass=top cn=features cn=options,cn=features,cn=config objectclass=top cn=options oid=2.16.840.1.113730.3.4.9,cn=features,cn=config objectclass=top objectclass=directoryServerFeature oid=2.16.840.1.113730.3.4.9 cn=VLV Request Control aci=(targetattr != "aci")(version 3.0; acl "VLV Request \ Control"; allow( read, search, compare ) userdn = "ldap:///all";) |
Use ldapmodify to give "anyone" read, search, compare permission for VLV feature. This ensures anonymous searches do not fail when trying to use VLV control.
#ldapmodify -D "cn=Directory Manager" -w nssecret -f vlvcntrl.ldif |
the contents of vlvcntrl.ldif are:
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config changetype: modify replace: aci aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (compare,read,search) userdn = "ldap:///anyone"; ) |
Use ldapsearch to show the changes to the VLV control ACI.
#ldapsearch -L -b "cn=features,cn=config" -s one \ oid=2.16.840.1.113730.3.4.9 |
The ACI returned by ldapsearch would look like:
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config objectclass: top objectclass: directoryServerFeature oid: 2.16.840.1.113730.3.4.9 cn: VLV Request Control aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (compare,read,search) userdn = "ldap:///anyone"; ) |
This step is required only if a proxyagent entry is used.
Add the proxyagent entry to the LDAP server.
#ldapadd -D "cn=Directory Manager" -w nssecret -f proxyagent.ldif |
The proxyagent.ldif file would look like:
dn: cn=proxyagent,ou=profile,dc=mkt,dc=mainstore,dc=com cn: proxyagent sn: proxyagent objectclass: top objectclass: person userpassword: proxy_agent_password |
The ou can be set to ou=profile or ou=person.
Generate the client profile and then add it to the LDAP server.
ldap_gen_profile -P profile -b baseDN -D bindDN \ -w bindDNpasswd ldapServer_IP_address(es)[:port#] |
The bindDN is the bind DN of the proxy agent. You can specify more than one LDAP server's IP address if you want to allow fail over to another LDAP server. Capture the above result in a file, such as profile.ldif.
A typical command looks like:
ldap_gen_profile -P myProfile -b "dc=mkt,dc=mainstore,dc=com" \ -D "cn=proxyagent,ou=profile,dc=mkt,dc=mainstore,dc=com" \ -w proxy_agent_pswd -a simple 100.100.100.100 > profile.ldif |
Add this client profile into LDAP server so that clients can download it.