Solaris LDAP ネームサービスクライアントをサポートするには、Solaris 固有のスキーマと IETF 定義のスキーマがいくつか必要です。
この付録の内容は次のとおりです。
LDAP は IETF 定義の 2 つのスキーマを必要とします。改訂版 RFC 2307 NIS スキーマと LDAP メールグループインターネットドラフトの 2 つです。
LDAP サーバーは改訂版 RFC 2307 をサポートするように構成する必要があります。
nisSchema OID は 1.3.6.1.1 です。RFC 2307 の属性は、次のとおりです。
( nisSchema.1.0 NAME 'uidNumber' DESC 'An integer uniquely identifying a user in an administrative domain' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.1 NAME 'gidNumber' DESC 'An integer uniquely identifying a group in an administrative domain' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.2 NAME 'gecos' DESC 'The GECOS field; the common name' EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5SubstringsMatch SYNTAX 'IA5String' SINGLE-VALUE ) ( nisSchema.1.3 NAME 'homeDirectory' DESC 'The absolute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( nisSchema.1.4 NAME 'loginShell' DESC 'The path to the login shell' EQUALITY caseExactIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( nisSchema.1.5 NAME 'shadowLastChange' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.6 NAME 'shadowMin' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.7 NAME 'shadowMax' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.8 NAME 'shadowWarning' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.9 NAME 'shadowInactive' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.10 NAME 'shadowExpire' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.11 NAME 'shadowFlag' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX 'IA5String' ) ( nisSchema.1.13 NAME 'memberNisNetgroup' EQUALITY caseExactIA5Match SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX 'IA5String' ) ( nisSchema.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup triple' SYNTAX 'nisNetgroupTripleSyntax' ) ( nisSchema.1.15 NAME 'ipServicePort' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.16 NAME 'ipServiceProtocol' SUP name ) ( nisSchema.1.17 NAME 'ipProtocolNumber' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.18 NAME 'oncRpcNumber' EQUALITY integerMatch SYNTAX 'INTEGER' SINGLE-VALUE ) ( nisSchema.1.19 NAME 'ipHostNumber' DESC 'IP address as a dotted decimal, eg. 192.168.1.1 omitting leading zeros' SUP name ) ( nisSchema.1.20 NAME 'ipNetworkNumber' DESC 'IP network as a dotted decimal, eg. 192.168, omitting leading zeros' SUP name SINGLE-VALUE ) ( nisSchema.1.21 NAME 'ipNetmaskNumber' DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0, omitting leading zeros' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' SINGLE-VALUE ) ( nisSchema.1.22 NAME 'macAddress' DESC 'MAC address in maximal, colon separated hex notation, eg. 00:00:92:90:ee:e2' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String{128}' ) ( nisSchema.1.23 NAME 'bootParameter' DESC 'rpc.bootparamd parameter' SYNTAX 'bootParameterSyntax' ) ( nisSchema.1.24 NAME 'bootFile' DESC 'Boot image name' EQUALITY caseExactIA5Match SYNTAX 'IA5String' ) ( nisSchema.1.26 NAME 'nisMapName' SUP name ) ( nisSchema.1.27 NAME 'nisMapEntry' EQUALITY caseExactIA5Match SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX 'IA5String{1024}' SINGLE-VALUE ) ( nisSchema.1.28 NAME 'nisPublicKey' DESC 'NIS public key' SYNTAX 'nisPublicKeySyntax' ) ( nisSchema.1.29 NAME 'nisSecretKey' DESC 'NIS secret key' SYNTAX 'nisSecretKeySyntax' ) ( nisSchema.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 'IA5String' ) |
nisSchema OID は 1.3.6.1.1 です。RFC 2307 定義のオブジェクトクラスは、次のとおりです。
( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) ) ( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY DESC 'Additional attributes for shadow passwords' MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) ) ( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts' MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) ( nisSchema.2.3 NAME 'ipService' SUP top STRUCTURAL DESC 'Abstraction an Internet Protocol service. Maps an IP port and protocol (such as tcp or udp) to one or more names; the distinguished value of the cn attribute denotes the service's canonical name' MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY ( description ) ) ( nisSchema.2.4 NAME 'ipProtocol' SUP top STRUCTURAL DESC 'Abstraction of an IP protocol. Maps a protocol number to one or more names. The distinguished value of the cn attribute denotes the protocol's canonical name' MUST ( cn $ ipProtocolNumber ) MAY description ) ( nisSchema.2.5 NAME 'oncRpc' SUP top STRUCTURAL DESC 'Abstraction of an Open Network Computing (ONC) [RFC1057] Remote Procedure Call (RPC) binding. This class maps an ONC RPC number to a name. The distinguished value of the cn attribute denotes the RPC service's canonical name' MUST ( cn $ oncRpcNumber $ description ) MAY description ) ( nisSchema.2.6 NAME 'ipHost' SUP top AUXILIARY DESC 'Abstraction of a host, an IP device. The distinguished value of the cn attribute denotes the host's canonical name. Device SHOULD be used as a structural class' MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager $ userPassword ) ) ( nisSchema.2.7 NAME 'ipNetwork' SUP top STRUCTURAL DESC 'Abstraction of a network. The distinguished value of the cn attribute denotes the network's canonical name' MUST ipNetworkNumber MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) ( nisSchema.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL DESC 'Abstraction of a netgroup. May refer to other netgroups' MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) ( nisSchema.2.9 NAME 'nisMap' SUP top STRUCTURAL DESC 'A generic abstraction of a NIS map' MUST nisMapName MAY description ) ( nisSchema.2.10 NAME 'nisObject' SUP top STRUCTURAL DESC 'An entry in a NIS map' MUST ( cn $ nisMapEntry $ nisMapName ) MAY description ) ( nisSchema.2.11 NAME 'ieee802Device' SUP top AUXILIARY DESC 'A device with a MAC address; device SHOULD be used as a structural class' MAY macAddress ) ( nisSchema.2.12 NAME 'bootableDevice' SUP top AUXILIARY DESC 'A device with boot parameters; device SHOULD be used as a structural class' MAY ( bootFile $ bootParameter ) ) ( nisSchema.2.14 NAME 'nisKeyObject' SUP top AUXILIARY DESC 'An object with a public and secret key' MUST ( cn $ nisPublicKey $ nisSecretKey ) MAY ( uidNumber $ description ) ) ( nisSchema.2.15 NAME 'nisDomainObject' SUP top AUXILIARY DESC 'Associates a NIS domain with a naming context' MUST nisDomain ) |
LDAP サーバーは、メール別名情報をサポートするように構成する必要があります。メール別名情報は、LDAP メールグループインターネットドラフト (draft-steinback-ldap-mailgroups) で定義されたスキーマを使用します。新しいスキーマが使用可能になるまで、Solaris LDAP クライアントは、このメール別名情報のスキーマを使用し続けます。
インターネットドラフトとは、最長 6 ヶ月間有効な草稿文書で、他の文書によっていつでも更新、置換、廃止される可能性があります。
インターネットドラフトに定義された LDAP メールグループスキーマには、多数の属性とオブジェクトクラスが含まれています。このうち、Solaris クライアントが使用するのは、2 つの属性と 1 つのオブジェクトクラスだけです。次にそれらを示します。
( 0.9.2342.19200300.100.1.3 NAME 'mail' DESC 'RFC822 email address for this person' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String(256)' SINGLE-VALUE ) ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' DESC 'RFC822 mail address of email only member of group' EQUALITY CaseIgnoreIA5Match SYNTAX 'IA5String(256)' ) |
( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top STRUCTURAL MUST mail MAY ( cn $ mailAlternateAddress $ mailHost $ mailRequireAuth $ mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterModeration $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoMatchAddrs $ mgrpRemoveHeader $ mgrpRFC822MailMember ) ) |
Solaris オペレーティング環境に必要なスキーマは次の 4 つです。
ユーザーと役割に関する拡張属性のシステムごとの設定は、/etc/user_attr に置かれます。詳細は、user_attr(4) のマニュアルページを参照してください。
( 1.3.6.1.4.1.42.2.27.5.1.1 NAME 'SolarisProjectID' DESC 'Unique ID for a Solaris Project entry' EQUALITY integerMatch SYNTAX INTEGER SINGLE ) ( 1.3.6.1.4.1.42.2.27.5.1.2 NAME 'SolarisProjectName' DESC 'Name of a Solaris Project entry' EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE ) ( 1.3.6.1.4.1.42.2.27.5.1.3 NAME 'SolarisProjectAttr' DESC 'Attributes of a Solaris Project entry' EQUALITY caseExactIA5Match SYNTAX IA5String ) ( 1.3.6.1.4.1.42.2.27.5.1.30 NAME 'memberGid' DESC 'Posix Group Name' EQUALITY caseExactIA5Match SYNTAX 'IA5String' ) |
拡張ユーザーアカウントのオブジェクトクラスは、次のとおりです。
( 1.3.6.1.4.1.42.2.27.5.2.1 NAME 'SolarisProject' SUP top STRUCTURAL MUST ( SolarisProjectID $ SolarisProjectName ) MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) ) |
ユーザーと役割に関する拡張属性のシステムごとの設定は、/etc/user_attr に置かれます。詳細は、user_attr(4) のマニュアルページを参照してください。
( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' DESC 'Semi-colon separated key=value pairs of attributes' EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.7 NAME 'SolarisAttrShortDesc' DESC 'Short description about an entry, used by GUIs' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.8 NAME 'SolarisAttrLongDesc' DESC 'Detail description about an entry' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.9 NAME 'SolarisKernelSecurityPolicy' DESC 'Solaris kernel security policy' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.10 NAME 'SolarisProfileType' DESC 'Type of object defined in profile' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.11 NAME 'SolarisProfileId' DESC 'Identifier of object defined in profile' EQUALITY caseExactIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' DESC 'Per-user login attributes' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisReserved1' DESC 'Reserved for future use' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisReserved2' DESC 'Reserved for future use' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE ) |
役割によるアクセス制御のオブジェクトクラスは、次のとおりです。
( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY DESC 'User attributes' MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ \ SolarisAttrReserved2 $ SolarisAttrKeyValue ) ) ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME 'SolarisAuthAttr' SUP top STRUCTURAL DESC 'Authorizations data' MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ \ SolarisAttrShortDesc $ SolarisAttrLongDesc $ \ SolarisAttrKeyValue ) ) ( 1.3.6.1.4.1.42.2.27.5.2.5 NAME 'SolarisProfAttr' SUP top STRUCTURAL DESC 'Profiles data' MUST cn MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ \ SolarisAttrLongDesc $ SolarisAttrKeyValue ) ) ( 1.3.6.1.4.1.42.2.27.5.2.6 NAME 'SolarisExecAttr' SUP top AUXILIARY DESC 'Profiles execution attributes' MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ \ SolarisAttrReserved1 $ SolarisAttrReserved2 $ \ SolarisProfileId $ SolarisAttrKeyValue ) ) |
ユーザー、役割、プロファイルに関する拡張属性のシステムごとの設定は、/etc/user_attr に置かれます。詳細は、user_attr(4) のマニュアルページを参照してください。
実行プロファイル名、説明、実行プロファイルのその他の属性のシステムごとの設定は、/etc/security/prof_attr に置かれます。詳細は、prof_attr(4) のマニュアルページを参照してください。
Solaris クライアントネーミングプロファイルの属性は、次のとおりです。
( 1.3.6.1.4.1.42.2.27.5.1.15 NAME 'SolarisLDAPServers' DESC 'LDAP Server address eg. 76.234.3.1:389' EQUALITY caseIgnoreIA5Match SYNTAX SolarisLDAPServerSyntax) ( 1.3.6.1.4.1.42.2.27.5.1.16 NAME 'SolarisSearchBaseDN' DESC 'Search Base Distinguished Name' EQUALITY distinguishedNameMatch SYNTAX DN SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.17 NAME 'SolarisCacheTTL' DESC 'TTL value for the Domain information eg. 1w, 2d, 3h, 10m, or 5s' EQUALITY caseIgnoreMatch SYNTAX IA5String SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.18 NAME 'SolarisBindDN' DESC 'DN to be used to bind to the directory as proxy' EQUALITY distinguishedNameMatch SYNTAX DN SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.19 NAME 'SolarisBindPassword' DESC 'Password for bindDN to authenticate to the directory' EQUALITY caseExactIA5Match SYNTAX OctetString SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.20 NAME 'SolarisAuthMethod' DESC 'Authentication method to be used eg. "NS_LDAP_AUTH_NONE", "NS_LDAP_AUTH_SIMPLE" or "NS_LDAP_AUTH_SASL_CRAM_MD5"' EQUALITY caseIgnoreIA5Match SYNTAX IA5String) ( 1.3.6.1.4.1.42.2.27.5.1.21 NAME 'SolarisTransportSecurity' DESC 'Transport Level Security method to be used eg. "NS_LDAP_SEC_NONE" or "NS_LDAP_SEC_SASL_TLS"' EQUALITY caseIgnoreIA5Match SYNTAX IA5String SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.22 NAME 'SolarisCertificatePath' DESC 'Path to certificate file/device' EQUALITY caseExactIA5Match SYNTAX IA5String SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.23 NAME 'SolarisCertificatePassword' DESC 'Password or PIN that grants access to certificate.' EQUALITY caseExactIA5Match SYNTAX OctetString SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.24 NAME 'SolarisDataSearchDN' DESC 'Search DN for data lookup in "<database>:(DN0),(DN1),..." format' EQUALITY caseIgnoreIA5Match SYNTAX IA5String) ( 1.3.6.1.4.1.42.2.27.5.1.25 NAME 'SolarisSearchScope' DESC 'Scope to be used for search operations eg. "NS_LDAP_SCOPE_BASE", "NS_LDAP_SCOPE_ONELEVEL" or "NS_LDAP_SCOPE_SUBTREE"' EQUALITY caseIgnoreIA5Match SYNTAX IA5String SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.26 NAME 'SolarisSearchTimeLimit' DESC 'Time Limit in seconds for search operations' EQUALITY integerMatch SYNTAX INTEGER SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.27 NAME 'SolarisPreferredServer' DESC 'Preferred LDAP Server address or network number' EQUALITY caseIgnoreIA5Match SYNTAX IAString) ( 1.3.6.1.4.1.42.2.27.5.1.28 NAME 'SolarisPreferredServerOnly' DESC 'Boolean flag for use of preferredServer or not' EQUALITY booleanMatch SYNTAX BOOLEAN SINGLE-VALUE) ( 1.3.6.1.4.1.42.2.27.5.1.29 NAME 'SolarisSearchReferral' DESC 'referral chasing option eg. "NS_LDAP_NOREF" or "NS_LDAP_FOLLOWREF"' EQUALITY caseIgnoreIA5Match SYNTAX IA5String SINGLE-VALUE) |
Solaris クライアントネーミングプロファイルのオブジェクトクラスは、次のとおりです。
( 1.3.6.1.4.1.42.2.27.5.2.7 NAME 'SolarisNamingProfile' SUP top STRUCTURAL DESC 'Solaris LDAP Naming client profile objectClass' MUST ( cn $ SolarisLDAPServers $ SolarisSearchBaseDN ) MAY ( SolarisBindDN $ SolarisBindPassword $ SolarisAuthMethod $ SolarisTransportSecurity $ SolarisCertificatePath $ SolarisCertificatePassword $ SolarisDataSearchDN $ SolarisSearchScope $ SolarisSearchTimeLimit $ SolarisPreferredServer $ SolarisPreferredServerOnly $ SolarisCacheTTL $ SolarisSearchReferral ) ) |