This chapter describes how to configure Sun ONE Directory Server (formerly iPlanet Directory Server) to support a network of Solaris LDAP naming services clients. The information is specific to the Sun ONE Directory Server.
You must have already performed all the procedures described in Chapter 11 before you can configure Sun ONE Directory Server to work with Solaris LDAP clients.
A directory server (an LDAP server) cannot be its own client.
This chapter covers the following topics.
Using Service Search Descriptors to Modify Client Access to Various Services
Configuring the Directory Server to Enable Password Management
During the server installation process, you will have defined crucial variables, with which you should create a checklist similar to the one below before launching idsconfig. You can use the blank checklist provided in Blank Checklists.
The information included below will serve as the basis for all examples that follow in the LDAP related chapters. The example domain is that of a widget company, Example, Inc., with stores nationwide. The examples deal with the West Coast Division, with the domain west.example.com.
Variable | Definition for Example Network
---|---
Port number at which an instance of the directory server is installed (DEFAULT=389) | default
Name of server | myserver (from the FQDN ipdserver.west.example.com or 192.168.0.0)
Replica server(s) (IPnumber:port number) | 192.168.0.1 [for ipdrep.west.example.com]
Directory manager [dn: cn=directory manager] | default
Domain name to be served | west.example.com
Maximum time (in seconds) to process client requests before timing out | -1
Maximum number of entries returned for each search request | -1
If you are using hostnames in defining defaultServerList or preferredServerList, you MUST ensure LDAP is not used for hosts lookup. This means ldap must not appear on the hosts line of /etc/nsswitch.conf.
Client profiles are defined per domain. At least one profile must be defined for a given domain.
idsconfig indexes the following list of attributes for improved performance.
pres,eq,sub
pres,eq,sub
pres,eq
pres,eq
pres,eq
pres,eq
pres,eq
pres,eq
pres,eq
idsconfig(1M) automatically adds the necessary schema definitions. Unless you are very experienced in LDAP administration, do not manually modify the server schema. See Chapter 18, LDAP General Reference (Reference) for an extended list of schemas used by the LDAP naming service.
The browsing index functionality of the Sun ONE Directory Server, otherwise known as the virtual list view, provides a way in which a client can view a select group or number of entries from a very long list, thus making the search process less time consuming for each client. Browsing indexes provide optimized, predefined search parameters with which the Solaris LDAP naming client can access specific information from the various services more quickly. Keep in mind that if you do not create browsing indexes, the clients may not get all the entries of a given type, because the server limits for search time or number of entries might not be enforced.
Indexes are configured on the directory server and the proxy user has read access to these indexes.
Before configuring browsing indexes on the Sun ONE Directory Server, consider the performance cost associated with using these indexes. For more information, refer to the Administration Guide for the version of Sun ONE Directory Server that you are using.
In the following example, note that the -n option denotes the name of the database with the entries to be indexed and the -s option denotes the instance of the directory server.
idsconfig creates all the default VLV indices.
```
directoryserver -s ipdserver vlvindex -n userRoot -T getgrent
directoryserver -s ipdserver vlvindex -n userRoot -T gethostent
directoryserver -s ipdserver vlvindex -n userRoot -T getnetent
directoryserver -s ipdserver vlvindex -n userRoot -T getpwent
directoryserver -s ipdserver vlvindex -n userRoot -T getrpcent
directoryserver -s ipdserver vlvindex -n userRoot -T getspent
```
A service search descriptor (SSD) changes the default search request for a given operation in LDAP to a search you define. SSDs are particularly useful if, for example, you have been using LDAP with customized container definitions or another operating system and are now transitioning to Solaris 9. Using SSDs, you can configure Solaris 9 LDAP naming services without having to change your existing LDAP database and data.
Assume your predecessor at Example, Inc. had configured LDAP, storing users in the ou=Users container. You are now upgrading to Solaris 9. By definition, Solaris 9 LDAP assumes that user entries are stored in the ou=People container. Thus, when it comes to searching the passwd service, LDAP will search the ou=people level of the DIT and not find the correct values.
One laborious solution to the above problem would be to completely overwrite Example, Inc.'s existing DIT and to rewrite all the existing applications on Example, Inc.'s network so that they are compatible with the new LDAP naming service. A second, far preferable solution would be to use an SSD that tells LDAP to look for user information in the ou=Users container instead of the default ou=people container.
You would define the necessary SSD during the configuration of the Sun ONE Directory Server using idsconfig. The prompt line appears as follows.
```
Do you wish to setup Service Search Descriptors (y/n/h)? y

  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's
  Q  Exit menu

Enter menu choice: [Quit] a
Enter the service id: passwd
Enter the base: service ou=user,dc=west,dc=example,dc=com
Enter the scope: one[default]

  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's
  Q  Exit menu

Enter menu choice: [Quit] p

Current Service Search Descriptors:
==================================
Passwd:ou=Users,ou=west,ou=example,ou=com?

Hit return to continue.

  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's
  Q  Exit menu

Enter menu choice: [Quit] q
```
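The following Python is an added example, not code from the Solaris guide or from idsconfig: it shows how a naming-service client would pick the search base and scope for a service from its profile, honouring a serviceSearchDescriptor of the form service:base?scope (the passwd SSD above) and otherwise falling back to the default container such as ou=People. The default container table and the ldapclient(1M) convention that a base ending in a comma is relative to defaultSearchBase are assumptions here.

```python
# Added example, not from the Solaris guide: resolve the search base and scope
# a client uses for a service, honouring any serviceSearchDescriptor (SSD) of
# the form  service:base?scope  and otherwise using the default container.
# Assumptions: the default container table below, and the ldapclient(1M)
# convention that a base ending in a comma is relative to defaultSearchBase.

# Default containers for the services this chapter mentions (assumed table).
DEFAULT_CONTAINERS = {
    "passwd": "ou=People",
    "shadow": "ou=People",
    "group": "ou=Group",
    "hosts": "ou=Hosts",
    "printers": "ou=printers",
}

VALID_SCOPES = ("base", "one", "sub")


def parse_ssd(ssd: str):
    """Split 'service:base?scope' into (service, base, scope).

    An empty scope (as in the 'Passwd:...?' line idsconfig prints) means 'one'.
    """
    service, sep, rest = ssd.partition(":")
    if not sep or not service or not rest:
        raise ValueError(f"malformed SSD: {ssd!r}")
    base, _, scope = rest.partition("?")
    scope = scope or "one"
    if scope not in VALID_SCOPES:
        raise ValueError(f"bad scope {scope!r} in SSD {ssd!r}")
    return service.lower(), base, scope


def resolve_search(service, default_search_base, ssds=(), default_scope="one"):
    """Return the (base, scope) a client would search for `service`."""
    for ssd in ssds:
        svc, base, scope = parse_ssd(ssd)
        if svc != service.lower():
            continue
        if base.endswith(","):  # relative base: append defaultSearchBase
            base += default_search_base
        return base, scope
    container = DEFAULT_CONTAINERS.get(service.lower())
    if container is None:
        raise KeyError(f"no default container known for {service!r}")
    return f"{container},{default_search_base}", default_scope


if __name__ == "__main__":
    base_dn = "dc=west,dc=example,dc=com"
    ssds = ["passwd:ou=Users,dc=west,dc=example,dc=com?one"]
    print(resolve_search("passwd", base_dn, ssds))  # ou=Users,... with scope one
    print(resolve_search("group", base_dn, ssds))   # ou=Group,... with scope one
```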
You do not need special rights to run idsconfig, nor do you need to be an LDAP naming client. Remember to create a checklist as mentioned in Creating a Checklist Based on Your Server Installation in preparation for running idsconfig. You do not have to run idsconfig from a server or an LDAP naming service client machine. You can run idsconfig from any Solaris machine on the network.
idsconfig sends the Directory Manager's password in the clear. If you do not want this to happen, you must run idsconfig on the directory server itself, not on a client.
Make sure the target Sun ONE Directory Server is up and running.
Run idsconfig.
```
# /usr/lib/ldap/idsconfig
```
Answer the questions prompted.
Note that 'no' [n] is the default user input. If you need clarification on any given question, type h.
Refer to the following example run of idsconfig using the definitions listed in the server and client checklists at the beginning of this chapter in Creating a Checklist Based on Your Server Installation. It is an example of a simple setup, without modifying many of the defaults. The most complicated method of modifying client profiles is by creating SSDs. Refer to Using Service Search Descriptors to Modify Client Access to Various Services for a detailed discussion.
A carriage return sign after the prompt means that you are accepting the [default] by hitting enter.
```
# /usr/lib/ldap/idsconfig
It is strongly recommended that you BACKUP the directory server
before running idsconfig.

Hit Ctrl-C at any time before the final confirmation to exit.

Do you wish to continue with server setup (y/n/h)? [n] Y
Enter the directory server's hostname to setup: myserver
Enter the port number for directory server (h=help): [389]
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [west.example.com]
Enter LDAP Base DN (h=help): [dc=west,dc=example,dc=com]
Enter the profile name (h=help): [default]
Default server list (h=help): [192.168.0.0]
Preferred server list (h=help):
Choose desired search scope (one, sub, h=help): [one]
The following are the supported credential levels:
  1  anonymous
  2  proxy
  3  proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
  1  none
  2  simple
  3  sasl/DIGEST-MD5
  4  tls:simple
  5  tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 2
Current authenticationMethod: simple
Do you want to add another Authentication Method? N
Do you want the clients to follow referrals (y/n/h)? [n] Y
Do you want to modify the server timelimit value (y/n/h)? [n] Y
Enter the time limit for iDS (current=3600): [-1]
Do you want to modify the server sizelimit value (y/n/h)? [n] Y
Enter the size limit for iDS (current=2000): [-1]
Do you want to store passwords in "crypt" format (y/n/h)? [n] Y
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10] 2
Do you wish to setup Service Search Descriptors (y/n/h)? [n]

              Summary of Configuration

  1  Domain to serve               : west.example.com
  2  Base DN to setup              : dc=west,dc=example,dc=com
  3  Profile name to create        : default
  4  Default Server List           : 192.168.0.0
  5  Preferred Server List         :
  6  Default Search Scope          : one
  7  Credential Level              : proxy
  8  Authentication Method         : simple
  9  Enable Follow Referrals       : TRUE
 10  iDS Time Limit                : -1
 11  iDS Size Limit                : -1
 12  Enable crypt password storage : TRUE
 13  Service Auth Method pam_ldap  :
 14  Service Auth Method keyserv   :
 15  Service Auth Method passwd-cmd:
 16  Search Time Limit             : 30
 17  Profile Time to Live          : 43200
 18  Bind Limit                    : 2
 19  Service Search Descriptors Menu

Enter config value to change: (1-19 0=commit changes) [0]
Enter DN for proxy agent:[cn=proxyagent,ou=profile,dc=west,dc=example,dc=com]
Enter passwd for proxyagent:
Re-enter passwd:
WARNING: About to start committing changes. (y=continue, n=EXIT) Y

 1. Changed timelimit to -1 in cn=config.
 2. Changed sizelimit to -1 in cn=config.
 3. Changed passwordstoragescheme to "crypt" in cn=config.
 4. Schema attributes have been updated.
 5. Schema objectclass definitions have been added.
 6. Created DN component dc=west.
 7. NisDomainObject added to dc=west,dc=example,dc=com.
 8. Top level "ou" containers complete.
 9. Nis maps: auto_home auto_direct auto_master auto_shared processed.
10. ACI for dc=west,dc=example,dc=com modified to disable self modify.
11. Add of VLV Access Control Information (ACI).
12. Proxy Agent cn=proxyagent,ou=profile,dc=west,dc=example,dc=com added.
13. Give cn=proxyagent,ou=profile,dc=west,dc=example,dc=com read permission for password.
14. Generated client profile and loaded on server.
15. Processing eq,pres indexes:
      ipHostNumber (eq,pres)  Finished indexing.
      uidNumber (eq,pres)  Finished indexing.
      ipNetworkNumber (eq,pres)  Finished indexing.
      gidnumber (eq,pres)  Finished indexing.
      oncrpcnumber (eq,pres)  Finished indexing.
16. Processing eq,pres,sub indexes:
      membernisnetgroup (eq,pres,sub)  Finished indexing.
      nisnetgrouptriple (eq,pres,sub)  Finished indexing.
17. Processing VLV indexes:
      west.example.com.getgrent vlv_index   Entry created
      west.example.com.gethostent vlv_index   Entry created
      west.example.com.getnetent vlv_index   Entry created
      west.example.com.getpwent vlv_index   Entry created
      west.example.com.getrpcent vlv_index   Entry created
      west.example.com.getspent vlv_index   Entry created

idsconfig: Setup of directory server ipdserver is complete.

Note: idsconfig has created entries for VLV indexes. Use the
      directoryserver(1m) script on ipdserver to stop the server and
      then enter the following vlvindex sub-commands to create the
      actual VLV indexes:

directoryserver -s ipdserver vlvindex -n userRoot -T west.example.com.getgrent
directoryserver -s ipdserver vlvindex -n userRoot -T west.example.com.gethostent
directoryserver -s ipdserver vlvindex -n userRoot -T west.example.com.getnetent
directoryserver -s ipdserver vlvindex -n userRoot -T west.example.com.getpwent
directoryserver -s ipdserver vlvindex -n userRoot -T west.example.com.getrpcent
directoryserver -s ipdserver vlvindex -n userRoot -T west.example.com.getspent
```
Any parameters left blank in the summary screen will not be set up.
After idsconfig has completed the setup of the directory, you need to run the specified commands on the server before the server setup is complete and the server is ready to serve clients.
Before populating the directory server with data, you must configure the server to store passwords in UNIX Crypt format if you are using pam_unix. If you are using pam_ldap, you can store passwords in any format. For more information about setting the password in UNIX crypt format, see the Sun ONE Directory Server documents.
ldapaddent reads from the standard input (an /etc file such as passwd) and adds this data to the container associated with the service. The client configuration determines how the data is written by default.
ldapaddent(1M) can only run on a client which is already configured for the LDAP naming service.
Use the ldapaddent command to add /etc/passwd entries to the server.
# ldapaddent -D "cn=directory manager" -f /etc/passwd passwd
See ldapaddent(1M). See Chapter 13, Basic Components and Concepts (Overview) for information about LDAP security and write-access to the directory server.
To add printer entries to the LDAP directory, use either the printmgr configuration tool or the lpset -n ldap command-line utility. See lpset(1M). Note that the printer objects added to the directory define only the connection parameters of printers that print system clients require. Local print server configuration data is still held in files. A typical printer entry would look like the following:
```
printer-uri=myprinter,ou=printers,dc=mkg,dc=example,dc=com
objectclass=top
objectclass=printerService
objectclass=printerAbstract
objectclass=sunPrinter
printer-name=myprinter
sun-printer-bsdaddr=printsvr.example.com,myprinter,Solaris
sun-printer-kvp=description=HP LaserJet (PS)
printer-uri=myprinter
```
lpget(1M) can be used to list all printer entries known by the LDAP client's LDAP directory. If the LDAP client's LDAP server is a replica server, then printers listed might not be the same as that in the master LDAP server depending on the update replication agreement. See lpget(1M) for more information.
For example, to list all printers for a given base DN, type the following:
```
# lpget -n ldap list
myprinter:
        dn=myprinter,ou=printers,dc=mkt,dc=example,dc=com
        bsdaddr=printsvr.example.com,myprinter,Solaris
        description=HP LaserJet (PS)
```
Use ldapclient with the genprofile option to create an LDIF representation of a configuration profile, based on the attributes specified. The profile you create can then be loaded into an LDAP server to be used as the client profile. The client profile can be downloaded by the client by using ldapclient init.
Refer to ldapclient(1M) for information about using ldapclient genprofile.
Become superuser.
Use ldapclient with the genprofile command.
```
# ldapclient genprofile -a profileName=myprofile \
-a defaultSearchBase=dc=west,dc=example,dc=com \
-a "defaultServerList=192.168.0.0 192.168.0.1:386" \
> myprofile.ldif
```
Upload the new profile to the server.
```
# ldapadd -h 192.168.0.0 -D "cn=directory manager" -f myprofile.ldif
```
In order for pam_ldap to work properly, the password and account lockout policy must be properly configured on the server. You can use the Directory Server Console or ldapmodify to configure the password management policy for the LDAP directory. For procedures and more information, see the “User Account Management” chapter in the Administration Guide for the version of Sun ONE Directory Server that you are using.
Passwords for proxy users should never be allowed to expire. If proxy passwords expire, clients using the proxy credential level cannot retrieve naming service information from the server. To ensure that proxy users have passwords that do not expire, modify the proxy accounts with the following script.
```
# ldapmodify -h ldapserver -D administrator DN \
-w administrator password <<EOF
dn: proxy user DN
changetype: modify
replace: passwordexpirationtime
passwordexpirationtime: 20380119031407Z
EOF
```
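The Python below is an added example, not part of the Solaris guide: it scans proxy-agent entries for a passwordexpirationtime that is close, since an expired proxy password stops every proxy-credential client from resolving names, and emits the ldapmodify LDIF shown above for each such account. SAMPLE_LDIF is a constructed stand-in for ldapsearch output, and the proxy DNs in it are assumed.

```python
# Added example, not from the Solaris guide: report proxy agents whose
# passwordexpirationtime falls within a window and produce the modify LDIF
# from this chapter for them.  SAMPLE_LDIF is constructed; DNs are assumed.
from datetime import datetime, timedelta, timezone

NEVER = "20380119031407Z"  # the "does not expire" value used in the chapter

SAMPLE_LDIF = """\
dn: cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
passwordexpirationtime: 20040301120000Z

dn: cn=proxyagent,ou=profile,dc=east,dc=example,dc=com
passwordexpirationtime: 20380119031407Z
"""


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ GeneralizedTime form Sun ONE DS stores."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_entries(ldif: str):
    """Yield (dn, {attr: value}) for each blank-line separated LDIF entry."""
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs[key.strip().lower()] = val.strip()
        yield attrs.pop("dn"), attrs


def expiring_proxies(ldif: str, now: datetime, within_days: int):
    """Return DNs whose passwordexpirationtime is within `within_days` of `now`."""
    deadline = now + timedelta(days=within_days)
    hits = []
    for dn, attrs in parse_entries(ldif):
        exp = attrs.get("passwordexpirationtime")
        if exp is not None and parse_generalized_time(exp) <= deadline:
            hits.append(dn)
    return hits


def never_expire_ldif(dn: str) -> str:
    """The modify operation shown in this chapter, for one proxy DN."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: passwordexpirationtime\npasswordexpirationtime: {NEVER}\n")


if __name__ == "__main__":
    for dn in expiring_proxies(SAMPLE_LDIF, datetime.now(timezone.utc), 30):
        print(never_expire_ldif(dn))  # feed to: ldapmodify -h ldapserver -D ... -w ...
```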
pam_ldap password management relies on Sun ONE Directory Server to maintain and provide password aging and account expiration information for users. The directory server does not interpret the corresponding data from shadow entries to validate user accounts. pam_unix, however, examines the shadow data to determine if accounts are locked or if passwords are aged. Since the shadow data is not kept up to date by the LDAP naming services or the directory server, pam_unix should not grant access based on the shadow data. The shadow data is retrieved using the proxy identity. Therefore, do not allow proxy users to have read access to the userPassword Attribute. Denying proxy users read access to userPassword prevents pam_unix from making an invalid account validation.