System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Chapter 16 Setting Up Clients (Tasks)

This chapter describes how to set up a Solaris LDAP naming services client.

Prerequisites to Client Setup

In order for a Solaris client to use LDAP as a naming service, the following needs to be in place.

The ldapclient utility is the key to setting up an LDAP client, as it performs all of the above steps, except for starting the server. The rest of this chapter shows examples of how to use the ldapclient utility to set up an LDAP client and how to use the other LDAP utilities to get information about, and check the status of, an LDAP client.

Initializing a Client

ldapclient(1M) is a utility used to set up LDAP clients in the Solaris operating environment. ldapclient assumes the server has already been configured with the appropriate client profiles. You must install and configure the server with the appropriate profiles before you can set up clients.

There are two main ways to set up a client using ldapclient: with a configuration profile stored on the server, or manually.


Note –

Though you can manually configure clients, it is not recommended. Using the configuration profiles decreases the complexity and cost of managing clients.


Using Profiles to Initialize a Client

How to Initialize a Client Using Profiles
  1. Become superuser.

  2. Run ldapclient with init -a.


    # ldapclient init -a profileName=new \
    -a domainName=west.example.com 192.168.0.1
    

    System successfully configured

Using Proxy Credentials

How to Initialize a Client Using Proxy Credentials
  1. Become superuser.

  2. Run ldapclient (defining proxy values).


    # ldapclient init -a profileName=pit1 \
    -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
    -a domainName=west.example.com \
    -a proxyPassword=test1234 192.168.0.1
    

    System successfully configured

The values for -a proxyDN and -a proxyPassword are required if the profile to be used is set up for proxy. As the credentials are not stored in the profile saved on the server, you must supply the information when you initialize the client. This method is more secure than the older method of storing the proxy credentials on the server.

The proxy information is used to create /var/ldap/ldap_client_cred. The rest of the information is put in /var/ldap/ldap_client_file.


Note –

Do not edit either of the client configuration files directly. Use ldapclient to create or modify the content of these files.


Initializing a Client Manually

Superusers can perform manual client configurations. However, many of the checks are bypassed during the process, so it is relatively easy to misconfigure your system. In addition, you must change settings on every machine, instead of in one central place, as is done when using profiles.

How to Initialize a Client Manually
  1. Become superuser.

  2. Use ldapclient manual to initialize the client.


    # ldapclient manual -a domainName=west.example.com \
    -a credentialLevel=proxy \
    -a defaultSearchBase=dc=west,dc=example,dc=com \
    -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
    -a proxyPassword=testtest 192.168.0.1
    
  3. Use ldapclient list to verify.


    # ldapclient list
    
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
    NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
    NS_LDAP_SERVERS= 192.168.0.1
    NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
    NS_LDAP_CREDENTIAL_LEVEL= proxy

Modifying a Manual Client Configuration

How to Modify a Manual Configuration
  1. Become superuser.

  2. Use the ldapclient modify command to change the authentication method to simple.


    # ldapclient mod -a authenticationMethod=simple
    
  3. Use ldapclient list to verify the change was made.


    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
    NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
    NS_LDAP_SERVERS= 192.168.0.1
    NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
    NS_LDAP_AUTH= simple
    NS_LDAP_CREDENTIAL_LEVEL= proxy

Uninitializing a Client

How to Uninitialize a Client
  1. Become superuser.

  2. Use ldapclient.


    # ldapclient uninit
    
    System successfully recovered

ldapclient uninit restores the client name service to what it was prior to the most recent init, modify, or manual operation. In other words, it performs an “undo” on the last step taken. For example, if the client was configured to use profile1 and was then changed to use profile2, using ldapclient uninit would revert the client back to using profile1.

Setting Up TLS Security


Note –

The cert7.db and key3.db files must be readable by everyone. Do not include any private keys in the key3.db file.


If using TLS, the necessary security databases must be installed. In particular, the files cert7.db and key3.db are needed. The cert7.db file contains the database of trusted certificates. The key3.db file contains the client's keys. Even if the LDAP naming service client does not use client keys, this file must be present.


Note –

Before running ldapclient, you should set up and install the needed security database files described in this section.


For information on how to create and manage these files, see the section about configuring LDAP clients to use SSL in the “Managing SSL” chapter of the Administrator's Guide for the version of Sun ONE Directory Server you are using. Once configured, these files must be stored in the location expected by the LDAP naming services client. The attribute certificatePath determines this location; by default it is /var/ldap.

For example, after setting up the necessary cert7.db and key3.db files using Netscape Communicator, copy the files to the default location.


# cp $HOME/.netscape/cert7.db /var/ldap
# cp $HOME/.netscape/key3.db /var/ldap

Next, give everyone read access.


# chmod 444 /var/ldap/cert7.db
# chmod 444 /var/ldap/key3.db

Note –

Netscape will manage the cert7.db and key3.db files in the $HOME/.netscape directory. Copies of these security databases must be stored on a local file system if you are using them for an LDAP naming services client.
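The following script is added here and is not part of the Solaris guide. It checks the security-relevant points made in the proxy credential, authentication method and TLS sections above: that NS_LDAP_AUTH has not been left at simple (which sends the proxy password to the server in clear text), that ldap_client_cred is not readable by group or others, and that cert7.db and key3.db are present and readable by everyone. The directory argument, the finding texts and the sample directories are this example's own assumptions; it runs against constructed temporary directories, not /var/ldap.

```shell
# Added example (not from the Solaris guide). Audits the files that
# ldapclient writes; the directory argument and the findings are this
# example's own assumptions, exercised here on constructed sample dirs.

# Print one finding per line for the client configuration in directory $1.
audit_ldap_client_dir() {
    dir="$1"
    cfg="$dir/ldap_client_file"
    cred="$dir/ldap_client_cred"
    # NS_LDAP_AUTH=simple sends the proxy password to the server in clear
    # text; tls:simple or a SASL method keeps it off the wire.
    auth=$(sed -n 's/^NS_LDAP_AUTH= *//p' "$cfg")
    case "$auth" in
        simple) echo "NS_LDAP_AUTH=simple: proxy password sent in clear text; use tls:simple or sasl/DIGEST-MD5" ;;
    esac

    # ldap_client_cred holds the proxy bind password, so it must not be
    # readable by group or others (chars 5 and 8 of the ls mode string).
    if [ -f "$cred" ]; then
        mode=$(ls -ld "$cred" | cut -c1-10)
        case "$mode" in
            ????r*|???????r*) echo "ldap_client_cred is readable by group or others ($mode)" ;;
        esac
    fi

    # The TLS trust databases must exist and be readable by everyone.
    for db in cert7.db key3.db; do
        if [ ! -f "$dir/$db" ]; then
            echo "$db missing from $dir: tls:* authentication will fail"
        elif [ "$(ls -ld "$dir/$db" | cut -c8)" != r ]; then
            echo "$db is not readable by everyone"
        fi
    done
    return 0
}

# Constructed samples: a weak client directory and a hardened one.
WEAK=$(mktemp -d); GOOD=$(mktemp -d)
printf 'NS_LDAP_FILE_VERSION= 2.0\nNS_LDAP_SERVERS= 192.168.0.1\nNS_LDAP_AUTH= simple\nNS_LDAP_CREDENTIAL_LEVEL= proxy\n' > "$WEAK/ldap_client_file"
printf 'NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com\n' > "$WEAK/ldap_client_cred"
chmod 644 "$WEAK/ldap_client_cred"
printf 'NS_LDAP_FILE_VERSION= 2.0\nNS_LDAP_SERVERS= 192.168.0.1\nNS_LDAP_AUTH= tls:simple\nNS_LDAP_CREDENTIAL_LEVEL= proxy\n' > "$GOOD/ldap_client_file"
printf 'NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com\n' > "$GOOD/ldap_client_cred"
chmod 600 "$GOOD/ldap_client_cred"
: > "$GOOD/cert7.db"; : > "$GOOD/key3.db"
chmod 444 "$GOOD/cert7.db" "$GOOD/key3.db"
audit_ldap_client_dir "$WEAK"     # prints four findings
audit_ldap_client_dir "$GOOD"     # prints nothing
```

Run it against a real client by passing /var/ldap as the argument in place of the constructed directories.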


Configuring PAM

You can configure pam_ldap with or without password management support. Choose the appropriate procedure for your configuration from the following two options.

Using pam_ldap Without Password Management Support

If you are using pam_ldap without password management support, follow the sample pam.conf file in Example pam.conf File for pam_ldap. Add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file. For details, see pam.conf(4).

Configuring pam_ldap for Password Management Support

If you need to configure pam_ldap for password management support, copy the sample pam.conf file in Example pam_conf file for pam_ldap Configured for Password Management. Then, add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file. In addition, if any PAM module in the sample pam.conf file specifies the binding control flag and the server_policy option, use the same flag and option for the corresponding module in the client's /etc/pam.conf file. Also, add the server_policy option to the line that contains the service module pam_authtok_store.so.1.

Retrieving LDAP Naming Services Information

You can retrieve information about LDAP naming services by using the ldaplist utility. This LDAP utility lists the naming information from the LDAP servers in LDIF format. It can be useful for troubleshooting. See ldaplist(1) for further information.

Listing All LDAP Containers

ldaplist displays its output with a blank line separating records, which is helpful for big multiline records.


Note –

The output of ldaplist depends upon the client configuration. For example, if the value of ns_ldap_search is sub rather than one, ldaplist lists all the entries under the current search baseDN.


The following is an example of ldaplist output.


# ldaplist

dn: ou=people,dc=west,dc=example,dc=com

dn: ou=group,dc=west,dc=example,dc=com

dn: ou=rpc,dc=west,dc=example,dc=com

dn: ou=protocols,dc=west,dc=example,dc=com

dn: ou=networks,dc=west,dc=example,dc=com

dn: ou=netgroup,dc=west,dc=example,dc=com

dn: ou=aliases,dc=west,dc=example,dc=com

dn: ou=hosts,dc=west,dc=example,dc=com

dn: ou=services,dc=west,dc=example,dc=com

dn: ou=ethers,dc=west,dc=example,dc=com

dn: ou=profile,dc=west,dc=example,dc=com

dn: automountmap=auto_home,dc=west,dc=example,dc=com

dn: automountmap=auto_direct,dc=west,dc=example,dc=com

dn: automountmap=auto_master,dc=west,dc=example,dc=com

dn: automountmap=auto_shared,dc=west,dc=example,dc=com

Listing All User Entry Attributes

To list specific information such as a user's passwd entry, use getent as follows:


# getent passwd user1

user1::30641:10:Joe Q. User:/home/user1:/bin/csh

If you want to list all attributes, use ldaplist with the -l option.


# ldaplist -l passwd user1

        dn: uid=user1,ou=People,dc=west,dc=example,dc=com
        uid: user1
        cn: user1
        uidNumber: 30641
        gidNumber: 10
        gecos: Joe Q. User
        homeDirectory: /home/user1
        loginShell: /bin/csh
        objectClass: top
        objectClass: shadowAccount
        objectClass: account
        objectClass: posixAccount
        shadowLastChange: 6445
        userPassword: {crypt}J6vlYXRU.sW8c

Customizing the Client Environment

The following sections describe how you can customize the client environment.

You can change any of the services, but be careful: if the data for the specified service is not populated on the server, that service will stop working. In some cases files may not be set up by default either.

Modifying the nsswitch.conf File

You can modify your /etc/nsswitch.conf file to customize where each service gets its information. The default settings are stored in /etc/nsswitch.ldap and ldapclient uses this file to create your /etc/nsswitch.conf file when the client is initialized.

Enabling DNS

If you want to enable DNS by setting up a /etc/resolv.conf file, add DNS to your hosts lines as shown below.


hosts:      ldap dns [NOTFOUND=return] files