This procedure describes how to configure an Identity Synchronization for Windows-supported LDAP repository for PAM, using the following example information:
The LDAP store is Directory Server 6.0 software that is hosted on a Solaris Operating System.
The host machine’s DNS name is LDAPHOST.EXAMPLE.COM.
The machine’s IP address is 192.168.220.219 in the test environment.
In this example, the IP address is given as a concrete value so that, when you configure the PAM clients, you can point them at the repository's IP address rather than its DNS name, and so avoid conflicts caused by how each PAM client machine resolves DNS queries.
Prerequisites for configuring an Identity Synchronization for Windows-supported LDAP repository for PAM.
Consult the Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide to verify that you are using a supported Directory Server.
For PAM to work with Directory Server 6.0, you must edit the /usr/lib/ldap/idsconfig script and change 5 to 6 in the following line, so that the script's version check accepts Directory Server 6. Keep a copy of the unmodified script so that you can revert the change.
if [ "${IDS_MAJVER}" != "5" ]; then
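The following shell function is an added example, not part of the Sun documentation or of the idsconfig script itself. It applies the version-check edit described above in a checked, reversible way: it refuses to touch a script that does not contain exactly one copy of the expected line (already patched, or a different release), keeps a backup, and verifies the result. The script path and the two versions of the line come from the text; the function name and the .orig backup suffix are assumptions.

```shell
#!/bin/sh
# Added example: patch the Directory Server major-version check in idsconfig.
# Path and check line are from the procedure text; the backup name is an assumption.

patch_idsconfig() {
    script="${1:-/usr/lib/ldap/idsconfig}"
    old='if [ "${IDS_MAJVER}" != "5" ]; then'
    new='if [ "${IDS_MAJVER}" != "6" ]; then'

    [ -f "$script" ] || { echo "patch_idsconfig: $script not found" >&2; return 1; }

    # Refuse to edit a script that does not contain exactly one copy of the
    # line the procedure expects (already patched, or a different release).
    count=$(grep -cF "$old" "$script" || true)
    [ "$count" -eq 1 ] || {
        echo "patch_idsconfig: expected one version check, found $count" >&2
        return 1
    }

    # Keep the unmodified script so the change can be reverted.
    cp -p "$script" "$script.orig" || return 1

    # Rewrite only that line; writing a temp file avoids the non-POSIX sed -i.
    tmp="$script.tmp.$$"
    sed 's/if \[ "\${IDS_MAJVER}" != "5" ]; then/if [ "${IDS_MAJVER}" != "6" ]; then/' \
        "$script" > "$tmp" && mv "$tmp" "$script" || { rm -f "$tmp"; return 1; }

    # Verify the result before reporting success.
    grep -qF "$new" "$script"
}
```

Run it as root with no arguments to patch /usr/lib/ldap/idsconfig, or pass another path to test it against a copy first. Because the function exits non-zero when the expected line is not found exactly once, a second run (or a run against a later Solaris version of the script) fails instead of silently editing something else.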
When you run the idsconfig command-line tool, you need to know which values to assign to its configuration parameters. If you are unsure, accept the default values when prompted, except for configuration parameters 1, 2, and 4, which you must set for your deployment.
Use the following steps to configure an Identity Synchronization for Windows-supported LDAP repository for PAM.
Configure the LDAP store by using the Solaris OS idsconfig command-line tool.
The idsconfig tool prompts you for the values needed to build the directory information tree (DIT) that the LDAP store will contain. It also modifies the LDAP store's schema as needed to accommodate the users that you will add.
When you configure the test system, the following idsconfig summary screen is displayed:
To change the value of a configuration parameter, type its associated configuration number.
Then select a value from the list of predefined options for that parameter.
Evaluate the following key parameters’ values:
If necessary, use the idsconfig tool to change these parameter values so that they are appropriate for your deployment. If you are working in a test environment where you can change DNS entries and set machine IP addresses to arbitrary values, you may use the names and addresses provided in this appendix.
Continue with the proxy creation initiated by the idsconfig tool by providing the appropriate values (default or custom) for the various parameters.
After the configuration is complete and idsconfig stores the generated configuration, create virtual list view (VLV) indexes when prompted.
VLV indexes (also called browsing indexes) enable PAM to quickly search for groups, users, and so forth. For information about creating VLV indexes, go to:
Pay particular attention to the number of VLV indexes that you are prompted to create. The idsconfig tool lists the VLV indexes to create based on the state in which it finds the LDAP store, so the number varies from one store to another.
The following figure shows the resulting topology, as displayed on the Sun Java System Directory Server Console.
When you are finished configuring the LDAP repository for PAM, continue to To Populate the LDAP Repository.