NAME | SYNOPSIS | DESCRIPTION | OPTIONS | OPERANDS | EXAMPLES | EXIT STATUS | FILES | ATTRIBUTES | SEE ALSO | NOTES
DESCRIPTION
The ldapclient utility can be used to:
initialize LDAP client machines
restore the network service environment on LDAP clients
list the configuration of the LDAP client in human readable format
Use ldapclient -P profileName to initialize an LDAP client machine. A profile stored on the LDAP server specified by LDAP_server_addr is downloaded and used. This is the simplest method: the profile carries the settings needed to talk to the set of servers, and ldap_cachemgr(1M) can refresh the configuration file automatically as the profile changes. If the profile's credential level is proxy, the -D proxyBindDN and -w proxyPassword options are required; ldapclient prompts for the password if -w is not specified. For more information on the configuration profile, refer to the IETF document A Configuration Schema for LDAP Based Directory User Agents.
Use the second form of the ldapclient synopsis to set up an LDAP client manually. Use the -i option to convert machines from other naming services to use LDAP. Default values are assigned for the required parameters if they are not specified. You must be logged in as superuser on the machine that is to become the LDAP client. Use the -m option to modify the client configuration parameters that you specify on the command line.
To initialize an unauthenticated LDAP client without having to specify a password, use the -i option in conjunction with the -c anonymous option. Similarly, no proxy password or bind DN is required if the credential level is proxy but the authentication method is none.
If the authentication method requires a bind DN and a password, for example simple or sasl/CRAM-MD5, and no bind DN is specified, the command fails. If the bind DN is given but the -w option is not, the administrator is prompted for the password. Null passwords are not allowed in LDAP.
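The rules above, as an added shell example that is not part of ldapclient: which method lists force -D and -w when the credential level is proxy, and which default port a server address without an explicit port gets. The function names and the cn=proxyagent,ou=profile,dc=example,dc=com bind DN are the example's own.

```sh
#!/bin/sh
# Added example: encodes the credential and port rules for an
# authenticationMethod value, which is a semicolon-separated list such as
# "tls:sasl/DIGEST-MD5;simple". Function names are this example's own.

# Print the default server port for a method list: 636 when any entry is a
# tls: form, otherwise 389 (the rule the page gives for LDAP_server_addr and
# preferredServerList entries that carry no explicit port).
ldap_default_port() {
    case ";$1;" in
        *";tls:"*) echo 636 ;;
        *)         echo 389 ;;
    esac
}

# Succeed (return 0) when -D proxyBindDN and -w proxyPassword are required:
# the credential level is proxy and at least one listed method is not none.
needs_proxy_credentials() {
    level=$1
    rest=$2
    [ "$level" = proxy ] || return 1
    while [ -n "$rest" ]; do
        case $rest in
            *";"*) entry=${rest%%;*}; rest=${rest#*;} ;;
            *)     entry=$rest;       rest= ;;
        esac
        [ -z "$entry" ] && continue
        [ "$entry" = none ] || return 0
    done
    return 1
}

# Decide whether an intended ldapclient -i invocation is complete.
# Prints the default port it would use; returns 1 when the command would
# fail for lack of a bind DN.
check_client_args() {
    level=$1 methods=$2 bind_dn=$3 password=$4
    if needs_proxy_credentials "$level" "$methods"; then
        if [ -z "$bind_dn" ]; then
            echo "error: credentialLevel=proxy with '$methods' needs -D proxyBindDN" >&2
            return 1
        fi
        # With a bind DN but no -w, ldapclient prompts; a null password is rejected.
        [ -z "$password" ] && echo "note: -w not given, ldapclient will prompt" >&2
    fi
    echo "default port: $(ldap_default_port "$methods")"
}

# Anonymous client with no credentials, as in the page's first -i example.
check_client_args anonymous none "" ""                     # default port: 389
# Proxy client using a TLS-protected SASL bind: needs -D and -w, uses 636.
check_client_args proxy "tls:sasl/DIGEST-MD5" \
    "cn=proxyagent,ou=profile,dc=example,dc=com" secret    # default port: 636
```

The walk over the method list matters because a single none in a list such as none;sasl/CRAM-MD5 does not remove the requirement: any non-none entry will be attempted and needs the proxy identity.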
During the client initialization process, each file that is modified is first backed up to a copy with the suffix .orig (for example, /etc/nsswitch.conf.orig). Files that are modified during a client initialization include:
/etc/defaultdomain
/etc/nsswitch.conf
/var/yp/binding/domainname, for a NIS(YP) client, if it exists
/var/nis/NIS_COLD_START, for a NIS+ client, if it exists
/var/ldap/ldap_client_cache, if the machine is already an LDAP client
/var/ldap/ldap_client_cred, if the machine is already an LDAP client
If a .orig backup of a file already exists, the file is not backed up again; the existing backup is left in place and is not overwritten.
The -i option does not set up an LDAP client to resolve hostnames using DNS. Refer to the DNS documentation for information on setting up DNS. See resolv.conf(4).
Use the third synopsis form, ldapclient -l, to list the LDAP client configuration in human readable form. The configuration files themselves are not always human readable.
Use the fourth synopsis form, ldapclient -u, to uninitialize the network service environment. You must be logged in as superuser on the machine that is to be restored. The network service environment is restored to the one in use before ldapclient -i was executed. If the machine was not initialized with ldapclient -i, the machine will not be restored, because ldapclient -u relies on the backup files created by the -i option.
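The backup and restore behaviour described above, shown as an added shell example that is not ldapclient's code. It operates on scratch copies of the listed files under a temporary directory rather than the live /etc and /var/ldap; the variable CLIENT_FILES, the function names and the nsswitch.conf contents are the example's own.

```sh
#!/bin/sh
# Added example: models the backup rule above (a file is saved as file.orig
# only when no .orig exists yet) and the -u restore, on scratch copies under
# a temporary root instead of the live files. Names are this example's own.

# Files that ldapclient -i modifies, relative to the root (from the list above).
CLIENT_FILES="etc/defaultdomain etc/nsswitch.conf var/ldap/ldap_client_cache var/ldap/ldap_client_cred"

# Save FILE as FILE.orig unless a backup already exists; never overwrite it.
backup_once() {
    [ -f "$1" ] || return 0
    if [ -e "$1.orig" ]; then
        echo "$1.orig already exists; keeping it" >&2
        return 0
    fi
    cp -p "$1" "$1.orig"
}

# Report .orig files already present under root $1. A stale one is what a
# later -u would restore, not the configuration in use when -i is run today.
stale_backups() {
    for f in $CLIENT_FILES; do
        [ -e "$1/$f.orig" ] && echo "$1/$f.orig"
    done
    return 0
}

# Copy every listed file back from its .orig, as -u does; print the count.
restore_all() {
    n=0
    for f in $CLIENT_FILES; do
        if [ -f "$1/$f.orig" ]; then
            cp -p "$1/$f.orig" "$1/$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Run -i twice and then -u against a scratch tree; prints the restored content.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/var/ldap"
    echo "hosts: files dns" > "$root/etc/nsswitch.conf"    # pre-LDAP state
    backup_once "$root/etc/nsswitch.conf"                   # first -i
    echo "hosts: ldap files" > "$root/etc/nsswitch.conf"   # -i rewrote it
    backup_once "$root/etc/nsswitch.conf" 2>/dev/null       # second -i: .orig kept
    stale_backups "$root"                                   # lists nsswitch.conf.orig
    restore_all "$root" >/dev/null                          # -u
    cat "$root/etc/nsswitch.conf"                           # hosts: files dns
    rm -rf "$root"
}

demo
```

Run stale_backups against / before a real ldapclient -i: any .orig it lists will survive the initialization untouched, so a later -u would restore that older file rather than the one in use today.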
The ldap_gen_profile utility writes to standard output an LDIF file that can be loaded onto an LDAP server to serve as a client profile, which clients can then download with ldapclient -P. You can load the LDIF file into the directory server with ldapadd(1) or any server-specific import tool.
OPTIONS
The following options are supported:
-A serviceAuthenticationMethod
Specify the authentication methods to be used by a service. You can specify multiple values in a semicolon-separated list. The default value for all services is NULL. The supported authentication methods are those listed for -a authenticationMethod: none, simple, sasl/CRAM-MD5, sasl/DIGEST-MD5, tls:simple, tls:sasl/CRAM-MD5, and tls:sasl/DIGEST-MD5. Three services support this feature: passwd-cmd, keyserv, and pam_ldap. The passwd-cmd service defines the authentication method used by passwd(1) to change the user's password and other attributes. The keyserv service identifies the authentication method used by the chkey(1) and newkey(1M) utilities. The pam_ldap service defines the authentication method used to authenticate users when pam_ldap is configured. If this attribute is not set for a service, the authenticationMethod value is used for it. The following example defines the authentication method for pam_ldap:
-A "pam_ldap:tls:sasl/DIGEST-MD5"
This option can be specified multiple times.
-a authenticationMethod
Specify the default authentication method used by all services, unless the value is overridden by the serviceAuthenticationMethod parameter. You can specify multiple values in a semicolon-separated list. The default value is none. If simple, sasl/CRAM-MD5, or sasl/DIGEST-MD5 is specified, with or without the tls: prefix, a proxy bind DN and a proxy password must be provided; see -D and -w. Note that simple sends the proxy password to the server in the clear unless the tls:simple form is used. Supported authentication methods are: none, simple, sasl/CRAM-MD5, sasl/DIGEST-MD5, tls:simple, tls:sasl/CRAM-MD5, and tls:sasl/DIGEST-MD5.
-b baseDN
Specify the default search base DN. The default is the root naming context on the server specified to serve the client's domain.
-C serviceCredentialLevel
Specify the credential level to be used by a service. You can specify multiple values in a space-separated list. The default value for all services is NULL. The supported credential levels are anonymous or proxy. At present, no service uses this attribute. This option can be specified multiple times.
-c credentialLevel
Specify the credential level the client should use to contact the directory. The credential levels supported are anonymous or proxy.
-d domainName
Specify the domain name, which becomes the default domain for the machine. The default is the current domain name. This attribute is only used in client initialization.
-D proxyBindDN
Specify the Bind Distinguished Name for the proxy identity. This option is required if the credential level is proxy and at least one of the authentication methods requires a bind DN. There is no default value.
-e profileTTL
Specify the TTL value for the client information. This option is relevant only if the machine was initialized with a client profile. The value for profileTTL can be zero (0), to indicate no expiration, or a positive integer combined with one of the following letters to indicate the unit of measure:
d Indicates days
h Indicates hours
m Indicates minutes
s Indicates seconds
The default value is 12h. Set profileTTL to 0 if you do not want ldap_cachemgr(1M) to attempt an automatic refresh from the servers.
certificatePath
Specify the certificate path for the location of the certificate database. The value is the path where the security database files reside. This option is used for TLS support, which is specified in the authenticationMethod and serviceAuthenticationMethod attributes. The default value for certificatePath is /var/ldap. Since this option is not part of the profile, it cannot be used with the ldap_gen_profile utility.
-i
Initialize the client.
-l
List the LDAP client configuration, that is, the contents of the LDAP client cache. The output, which is sent to standard output, is meant to be human readable; the direct contents of the configuration files might not be.
-M objectclassMap
Specify a mapping from an objectclass defined by a service to an objectclass in an alternative schema. This can be used to change the default schema used for a given service. The syntax of objectclassMap is defined in the profile IETF draft. This option can be specified multiple times. The default value for all services is NULL. The following example defines an objectclassMap:
-M "passwd:posixAccount=unixAccount"
-m
Modify parameters in the configuration file.
-o searchTimeLimit
Specify the maximum number of seconds allowed for an LDAP search operation. The default is 30 seconds. The server may have its own search time limit.
-p preferredServerList
Specify the space-separated list of preferred server IP addresses that are to be contacted before the servers specified by the defaultServerList attribute. The port number is optional. If the port number is not specified, the default LDAP server port number 389 is used, except when TLS is specified in the authentication method. If TLS is specified, the default LDAP server port number is 636.
-P profileName
Specify the profile name. For ldapclient initialization, this attribute is the name of an existing profile, which may be downloaded periodically, depending upon the value of the profileTTL attribute. For ldap_gen_profile, this is the name of the profile to be generated. The default value is default.
-q
Quiet mode. No output is generated.
-R attributeMap
Specify a mapping from an attribute defined by a service to an attribute in an alternative schema. Use this option to change the default schema that is employed for a given service. The syntax of attributeMap is defined in the profile IETF draft. This option can be specified multiple times. The default value for all services is NULL. In the example,
-R "passwd:uid=employeeNumber"
the LDAP client uses the LDAP attribute employeeNumber rather than uid for the passwd service. attributeMap is a multi-valued attribute.
-r followReferrals
Specify the search referral setting. A setting of true means that referrals are followed automatically. If the setting is false, referrals are not followed. The default value is true.
-s searchScope
Specify the default search scope for the client's search operations. This default can be overridden for a given service by setting the serviceSearchDescriptor for it. The default is one (a one-level search).
-S serviceSearchDescriptor
Override the default base DN for LDAP searches for a given service. The format of the descriptor also allows the default search scope and search filter to be overridden for each service. The syntax of serviceSearchDescriptor is defined in the profile IETF draft. This option can be specified multiple times. The default value for all services is NULL. In the example,
-S "passwd:ou=people,dc=a1,dc=acme,dc=com?one"
the LDAP client does a one-level search for the passwd service in
ou=people,dc=a1,dc=acme,dc=com
rather than in
ou=people,defaultSearchBase
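An added shell example, not code from ldapclient, that resolves a serviceSearchDescriptor of the form service:base?scope against the client's defaultSearchBase and searchScope as the paragraph describes. The function name resolve_ssd is the example's own; the dc=acme,dc=com default base and the group descriptor are constructed. Following the IETF draft's syntax, an empty base means the default base and a base ending in a comma is taken relative to it; filters and multiple bases are not handled.

```sh
#!/bin/sh
# Added example (not ldapclient code): resolve a serviceSearchDescriptor
# against the client's defaultSearchBase and default searchScope.
# Handles only the service:base?scope part of the draft syntax.

# $1 descriptor, $2 defaultSearchBase, $3 default searchScope.
# Prints "service<TAB>base<TAB>scope"; returns 1 on a malformed descriptor.
resolve_ssd() {
    desc=$1 default_base=$2 default_scope=$3
    case $desc in
        *:*) ;;
        *) echo "malformed descriptor (no service): $desc" >&2; return 1 ;;
    esac
    service=${desc%%:*}
    rest=${desc#*:}
    # Split "base?scope"; a missing "?scope" means the client default scope.
    case $rest in
        *\?*) base=${rest%%\?*}; scope=${rest#*\?} ;;
        *)    base=$rest;        scope=$default_scope ;;
    esac
    case $base in
        '') base=$default_base ;;                 # empty: search the default base
        *,) base="$base$default_base" ;;          # trailing comma: relative to it
    esac
    case $scope in
        base|one|sub) ;;
        *) echo "bad scope '$scope' in $desc" >&2; return 1 ;;
    esac
    printf '%s\t%s\t%s\n' "$service" "$base" "$scope"
}

# The page's example: a one-level search for passwd under ou=people,...
resolve_ssd "passwd:ou=people,dc=a1,dc=acme,dc=com?one" "dc=acme,dc=com" sub
# Scope omitted: the client's default scope applies.
resolve_ssd "group:ou=groups,dc=acme,dc=com" "dc=acme,dc=com" one
# Relative base: resolves to ou=people,dc=acme,dc=com.
resolve_ssd "passwd:ou=people,?sub" "dc=acme,dc=com" one
```

The descriptor contains a literal question mark, which the shell would otherwise treat as a glob character; quote the -S value on the command line as the page's example does.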
-t bindTimeLimit
The maximum time in seconds that a client should spend performing a bind operation. Set this to a positive integer. The default value is 30.
-u
Uninitialize the LDAP client. This option is used only if ldapclient was used to initialize the client.
-v
Verbose mode.
-w proxyPassword
Specify the client proxy password for authentication methods that require a proxy password. This option is not required if the credential level is set to anonymous or the authentication method is none. There is no default.
OPERANDS
The following operand is supported:
LDAP_server_addr
A space-separated list of server IP addresses. The port number is optional. If the port number is not specified, the default LDAP server port number 389 is used, except when TLS is specified in the authentication method. When TLS is specified, the default LDAP server port number is 636.
EXAMPLES
The following example shows how to set up a client using the default profile stored on the specified LDAP server. The profile supplies the values needed to talk to the servers for your domain. Because no proxy bind DN or password is given, this command succeeds only if the credential level in the profile is anonymous or the authentication method is none.
example# ldapclient -P default 129.100.100.1
The following example shows how to set up a client using only one server. The authentication method is set to none, and the search base is dc=mycompany,dc=com.
example# ldapclient -i -a none -b "dc=mycompany,dc=com" \
    129.100.100.1
The following example shows how to set up a client using only one server. The credential level is set to proxy, the authentication method is sasl/CRAM-MD5, and referrals are not followed. The domain name is xyz.mycompany.com, and the LDAP server is running on port number 386 at IP address 129.100.100.1. Because the authentication method is not none, the proxy bind DN and password are required.
example# ldapclient -i -c proxy -a sasl/CRAM-MD5 -w secret \
    -D cn=proxyagent,ou=profile,dc=xyz,dc=mycompany,dc=com \
    -d xyz.mycompany.com -r false 129.100.100.1:386
The following example shows how to use the ldap_gen_profile command to set the defaultSearchBase and the server addresses.
example# ldap_gen_profile -P myprofile -b dc=eng,dc=sun,dc=com \
    129.100.100.1 129.100.234.15:386 > myprofile.ldif
The following example generates a profile that sets most of the profile attributes explicitly rather than relying on their defaults.
example# ldap_gen_profile -P eng -c proxy -a sasl/DIGEST-MD5 \
    -t 20 -b dc=eng,dc=ge-uk,dc=com \
    -S "passwd:ou=people,dc=lba,dc=ge-uk,dc=com?one" -s sub \
    -R passwd:uid=employeenumber -M passwd:posixAccount=unixAccount \
    -r false -e 3600 -p 129.100.100.30 -o 30 129.100.200.1 129.100.100.1 \
    204.34.5.6 > eng.ldif
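An added shell example, not ldap_gen_profile itself, that writes a profile in the LDIF shape ldap_gen_profile produces, converts the -e style TTL into the integer seconds the profile stores, and then lints the result for settings that weaken the proxy bind. The DUAConfigProfile object class and attribute names come from the IETF draft cited above; the ou=profile container, the dc=eng,dc=example,dc=com base, the server addresses and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not ldap_gen_profile. Writes a client profile as LDIF using
# the DUAConfigProfile object class and attribute names from the IETF draft
# the page cites, then lints it. The ou=profile container, example base DN
# and server addresses are constructed for this example.

# Convert an -e style TTL (0, or digits plus one of d/h/m/s) to the integer
# seconds stored in profileTTL. Returns 1 and prints nothing on bad input.
ttl_seconds() {
    case $1 in
        0) echo 0; return 0 ;;
        *[0-9][dhms]) ;;
        *) return 1 ;;
    esac
    num=${1%?}
    case $num in *[!0-9]*) return 1 ;; esac
    case ${1#"$num"} in
        d) echo $((num * 86400)) ;;
        h) echo $((num * 3600)) ;;
        m) echo $((num * 60)) ;;
        s) echo "$num" ;;
    esac
}

# Emit the LDIF for one profile.
# $1 profile name  $2 default search base  $3 credential level
# $4 authentication methods (semicolon-separated)  $5 TTL as for -e
# $6 space-separated server list (the LDAP_server_addr operands)
gen_profile_ldif() {
    name=$1 base=$2 level=$3 methods=$4 servers=$6
    secs=$(ttl_seconds "$5") || { echo "bad profileTTL: $5" >&2; return 1; }
    printf 'dn: cn=%s,ou=profile,%s\n' "$name" "$base"
    printf 'objectClass: top\nobjectClass: DUAConfigProfile\n'
    printf 'cn: %s\n' "$name"
    printf 'defaultServerList: %s\n' "$servers"
    printf 'defaultSearchBase: %s\n' "$base"
    printf 'defaultSearchScope: one\n'
    printf 'credentialLevel: %s\n' "$level"
    printf 'authenticationMethod: %s\n' "$methods"
    printf 'followReferrals: TRUE\n'
    printf 'searchTimeLimit: 30\nbindTimeLimit: 30\n'
    printf 'profileTTL: %s\n' "$secs"
}

# Lint a profile read from stdin. A bare "simple" method sends the proxy
# password in cleartext on port 389; only tls:simple protects it. A proxy
# credential level with authenticationMethod none binds anonymously, so the
# proxy identity is never used. Returns 1 on any finding.
lint_profile() {
    ldif=$(cat)
    level=$(printf '%s\n' "$ldif" | sed -n 's/^credentialLevel: //p')
    methods=$(printf '%s\n' "$ldif" | sed -n 's/^authenticationMethod: //p')
    rc=0
    case ";$methods;" in
        *";simple;"*)
            echo "finding: simple without tls: sends the proxy password in the clear" >&2
            rc=1 ;;
    esac
    if [ "$level" = proxy ] && [ "$methods" = none ]; then
        echo "finding: credentialLevel proxy with authenticationMethod none binds anonymously" >&2
        rc=1
    fi
    return $rc
}

# Profile modelled on the page's eng example, with a TLS-protected bind.
profile=$(gen_profile_ldif eng "dc=eng,dc=example,dc=com" proxy \
    "tls:sasl/DIGEST-MD5" 12h "129.100.200.1 129.100.100.1:386")
printf '%s\n' "$profile"
printf '%s\n' "$profile" | lint_profile && echo "# profile ok"
```

Load the generated LDIF with ldapadd(1) and fetch it with ldapclient -P eng; the lint is worth running on any profile before it is published, since every client that downloads it inherits the bind method.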
EXIT STATUS
The following exit values are returned:
The command successfully executed.
An unspecified error occurred.
The server was unreachable. Either the server was down, the server was slow, or the reason the server was unreachable is unknown.
The IP address is reachable. However, there is no LDAP server running at the IP address and port number specified.
The LDAP server contacted did not know about the profile name given.
The proxyBindDN and proxyPassword attributes are required, but they are not provided.
FILES
/var/ldap/ldap_client_cache
/var/ldap/ldap_client_cred
Contain the LDAP configuration of the client. These files are not to be modified manually. Their content is not guaranteed to be human readable. Use ldapclient to update them.
/etc/defaultdomain
System default domain name, which matches the domain name of the data in the LDAP servers.
/etc/nsswitch.conf
Configuration file for the name-service switch.
/etc/nsswitch.ldap
Sample configuration file for the name-service switch configured with LDAP and files.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            SUNWnisu
Interface Stability     Evolving
SEE ALSO
ldap(1), ldapadd(1), ldapdelete(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1), ldapaddent(1M), ldap_cachemgr(1M), suninstall(1M), nsswitch.conf(4), resolv.conf(4), attributes(5), pam_ldap(5), pam_unix(5)
NOTES
Hostnames may also be used in place of server IP addresses. If hostnames are used, you must configure nsswitch.conf to use files or dns, not ldap, to resolve host lookups. If nsswitch.conf is not configured properly, the system or certain processes can hang when a hostname value is used, because resolving the LDAP server's own name would then require a working LDAP connection.
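An added shell check, not part of ldapclient, that refuses a server list containing hostnames when the hosts: line of nsswitch.conf consults ldap, which is the hang described above. The nsswitch.conf contents and the server names are constructed for the example; only IPv4 literals are recognized as addresses.

```sh
#!/bin/sh
# Added example (not part of ldapclient): check an nsswitch.conf against the
# server list you intend to pass, and fail when a hostname would have to be
# resolved through ldap itself. Recognizes IPv4 literals only.

# $1 nsswitch.conf content, $2 space-separated LDAP_server_addr values.
# Returns 0 when safe, 1 when a hostname is given and hosts: consults ldap.
hosts_lookup_safe() {
    hosts_line=$(printf '%s\n' "$1" | tr '\t' ' ' | sed -n 's/^hosts: *//p')
    for s in $2; do
        host=${s%%:*}                    # drop an optional :port
        case $host in
            *[!0-9.]*)                   # not an IPv4 literal: needs resolving
                case " $hosts_line " in
                    *" ldap "*)
                        echo "unsafe: $host must be resolved, but hosts: is '$hosts_line'" >&2
                        return 1 ;;
                esac ;;
        esac
    done
    return 0
}

# Constructed nsswitch.conf contents: one that consults ldap for hosts,
# and one that uses files and dns (the configuration the NOTES call for).
NSS_HOSTS_LDAP='passwd: files ldap
hosts: ldap [NOTFOUND=return] files'
NSS_HOSTS_FILES='passwd: files ldap
hosts: files dns'

hosts_lookup_safe "$NSS_HOSTS_LDAP" "129.100.100.1 129.100.100.2:636" && echo "ok: IP literals only"
hosts_lookup_safe "$NSS_HOSTS_FILES" "ldap1.example.com" && echo "ok: hostname resolved via files/dns"
hosts_lookup_safe "$NSS_HOSTS_LDAP" "ldap1.example.com" || echo "refused: would hang"
```

Run it with the real file, for example hosts_lookup_safe "$(cat /etc/nsswitch.conf)" "ldap1.example.com", before invoking ldapclient with hostnames.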