Solaris ISP Server 2.0 Administration Guide

Chapter 4 Making Directory Entries

This chapter covers creating the domain and NAS (Network Access Server) entries required by Solaris ISP Server. Both command-line and GUI procedures are included. Topics in this chapter include:

Making Entries from the Command Line

General information on how to create directory services entries is located in Chapter 5, "Loading and Maintaining Directory Information," in the Sun Directory Services 3.1 Administration Guide. This section presents instructions on how to create the directory entries required by Solaris ISP Server.

Creating Directory Entries: General Procedure

Sun Directory Services has the following command-line utilities for creating and modifying directory entries:

These directory services command-line utilities require root access. They are fully documented in reference manual pages (section 1).

Both ldapadd and ldapmodify can take input from the command line or from a specified file. Because information for an entry can be rather lengthy and complex, the sections that follow describe the form requiring a text file.

In each case, creating an entry (or entries) requires the following steps:

  1. Write a file specifying the entry or entries to be made in the directory. The format for this file is specified in the ldif(4) reference manual page.

  2. Create the entry using ldapadd, specifying the file with the entry information.

In every case, the form of the ldapadd command should be:

ldapadd -D "BindDN" -w password -f file

Where BindDN is the distinguished name (DN) for binding to the directory with write access to this part of the directory tree, and password is the password for binding. Replace the file option with the name of the ldif file you have created.

Structure of an ldif(4) File

For each entry you add at the command line, you will create an entry in an ldif-format file to hold the information about the entry. These are simple text files with one or more directory entries each separated by a single blank line. Each entry has the structure of the following example.


Note -

Only mandatory attributes are shown in the example. Most object classes have a number of optional attributes that may be set appropriately for your particular use of the entry.

The example shows an entry for a record with the organizationalUnit object class. Records with other object classes will have different attributes; the example is intended only to show the format.


dn: ou=wcgate1,ou=eng,o=sun,c=US
ou: wcgate1
associateddomain: wcgate1.eng.sun.com
objectclass: organizationalUnit
objectclass: domainRelatedObject

Where

dn

Indicates the distinguished name of the entry being created. Use the DN for your desired domain.

ou

Is the naming attribute of the entry being created. Common naming attributes include commonName, organizationalUnit (ou), and domainComponent (dc). Use the RDN for your domain.

associatedDomain

Contains the domain name (in dot notation) of the corresponding entry in the DC tree. Use the name of your domain.

See "Solaris ISP Server Directory Structure" for information on how the OSI tree and the DC tree interact. See "Creating Domain Entries" for instructions on creating the two cross-referenced entries for a domain.

There may be many attribute:value pairs in this position, one per line.

objectClass

Is the object class (type) of the entry. There may be many objectClass entries; this example shows two.

For more detailed information on available object classes and attributes, see Chapter 6, Solaris ISP Server Directory Schema of this guide, and Chapter 8, "Configuring the Directory Schema," of the Sun Directory Services 3.1 Administration Guide.

Creating Domain Entries

To create a domain in the directory, you must create two parallel domain entries, one in the OSI tree and one in the DC tree, and then create the required organizationalUnit entries under the domain entry in the OSI tree.

To create the domain wcgate1 under eng.sun.com, perform the following steps:

  1. Edit a text file (for example, domain.ldif) and enter the data for the OSI tree entry:

    dn: ou=wcgate1,ou=eng,o=sun,c=US
    ou: wcgate1
    associateddomain: wcgate1.eng.sun.com
    objectclass: organizationalUnit
    objectclass: domainRelatedObject

    Note that the associatedDomain attribute of the entry contains the DNS name of the domain.

  2. Add to domain.ldif the data for the DC tree entry:

    dn: dc=wcgate1,dc=eng,dc=sun,dc=com
    dc: wcgate1
    associatedname: ou=wcgate1,ou=eng,o=sun,c=US
    description: DNS-to-DN Mapping for wcgate1.eng.sun.com
    labeleduri: ldap:///ou=wcgate1,ou=eng,o=sun,c=US??sub
    objectclass: domain
    objectclass: labeledURIObject

    Note that the associatedName attribute of the entry contains the distinguished name of the OSI tree entry. The labeledURI attribute contains the same information (as specified in RFC 2255).

  3. Add to domain.ldif the data for the required Services organizational unit entry:

    dn: ou=Services,ou=wcgate1,ou=eng,o=sun,c=US
    ou: Services
    objectclass: organizationalUnit

  4. Add to domain.ldif the data for the required People organizational unit entry:

    dn: ou=People,ou=wcgate1,ou=eng,o=sun,c=US
    ou: People
    objectclass: organizationalUnit

  5. Add to domain.ldif the data for the required Groups organizational unit entry:

    dn: ou=Groups,ou=wcgate1,ou=eng,o=sun,c=US
    ou: Groups
    objectclass: organizationalUnit

  6. Save and close domain.ldif.

  7. Add the entries to the directory with the following command, replacing the bind DN and password with your own:

    % ldapadd -D "cn=admin,o=sun,c=US" -w secret -f domain.ldif

When your ldapadd is complete, the directory looks like Figure 4-1.

Figure 4-1 Directory Structure with a Domain Added

Creating Group Entries

Before you can create group entries, a number of entries must already exist:

Once you have created those entries, you can start a text file (for example, groups.ldif) and enter the data for the group. A typical data set looks like the following:

dn: cn=isp-grp1,ou=Groups,ou=wcgate1,ou=eng,o=sun,c=US
cn: isp-grp1
objectclass: groupOfNames
member: cn=Ed Anchor (anchor),ou=People,ou=wcgate1,ou=eng,o=sun,c=US
member: cn=April Shower (showers),ou=People,ou=wcgate1,ou=eng,o=sun,c=US
member: cn=Chili Jones (relleno),ou=People,ou=wcgate1,ou=eng,o=sun,c=US

Where

dn

Is the distinguished name of the group to be created. Use a group name appropriate to your environment.

cn

Is the relative distinguished name of the group entry.

objectClass

The object class groupOfNames distinguishes this type of entry.

member

Each member attribute takes as its value the distinguished name of an existing subscriber entry.

You can create any number of group entries by adding data to the file. When it is complete, save and close groups.ldif. Add the groups to the directory with the following command, replacing the bind DN and password with your own:

% ldapadd -D "cn=admin,o=sun,c=US" -w secret -f groups.ldif

Making Entries Using Deja

Accessing the Sun Directory Services Deja Tool

You can create individual entries in the directory services with the Deja tool. To access Deja:

  1. (Optional) If working remotely, log into the machine where the directory services server is running. Set the environment variable DISPLAY to allow the browser-based GUI to work remotely.

  2. To run Deja as a Java application, enter:

    /opt/SUNWconn/bin/deja

  3. Log into Deja, using the Sun Directory Services administrator's distinguished name and password. The successful login message displays in Deja's message box (lower left). You can proceed to perform any tasks requiring Deja.

Creating Directory Entries for a Domain

Five directory entries are necessary to support a domain: one in the DC tree and four in the OSI tree (see Chapter 3, Using Directory Services for illustrations of the tree structure). Follow the steps in "Creating the DC Tree Entry", "Creating the OSI Tree Entry", and "Creating the organizationalUnit Entries" to complete the required domain entries.


Note -

You must also perform any DNS or NIS mapping your domains require.


Creating the DC Tree Entry

The DC tree entry maps the domain name server form of the name to the distinguished name of the entry in the OSI tree. Be very careful to enter the associatedName attribute correctly; it must contain the distinguished name of the OSI tree entry.

  1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool" for detailed steps.

  2. Choose Create Entry from the Entry menu.

  3. Enter the distinguished name of the domain's parent in the parent text field. For example, for a domain beneath sun.com you would enter: dc=sun,dc=com.


    Tip -

    If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.


  4. Choose the dc attribute for the domain's relative distinguished name, and enter the name. Click Next Step.

  5. Choose the object class domain and click Next Step.

  6. Set values for the following mandatory attributes:

    • dc: enter the relative distinguished name of the domain.


      Note -

      It may appear that the dc attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the dc attribute. Enter the same value.


    • associatedName: enter the distinguished name of the domain entry you will create in the OSI tree. For example, the domain eng beneath sun.com would have the distinguished name ou=eng,o=sun,c=us.

  7. Click Done.

    The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

  8. Proceed to the next section and create the OSI tree entry.

Creating the OSI Tree Entry

The OSI tree entry contains the actual directory services information about the domain. Be very careful to enter the associatedDomain attribute correctly; it must contain the name of the DC tree entry in domain name form, for example eng.sun.com.

  1. Click Cancel to get an empty Create Entry screen in Deja.

  2. Enter the distinguished name of the domain's parent in the parent text field. For example, for a domain beneath sun.com you would enter: o=sun,c=us.


    Tip -

    If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.


  3. Choose the ou attribute for the domain's relative name, and enter the name. The ou attribute is case-insensitive.

  4. Click Next Step.

  5. Choose the object classes organizationalUnit and domainRelatedObject and click Next Step.

  6. Set values for the following mandatory attributes:

    • ou: enter the relative name of the domain. The ou attribute is case-insensitive.


      Note -

      It may appear that the ou attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the ou attribute. Enter the same value.


    • associatedDomain: enter the domain name (in dot notation) of the DC tree entry you just created. For example, eng.sun.com.

  7. Click Done.

    The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

  8. Proceed to the next section and create the organizationalUnit entries.

Creating the organizationalUnit Entries

Solaris ISP Server expects subscriber, group, and service entries to be located in specific organizationalUnit entries under a domain or organization. Once your domain entries are correct, create these entries as well.

  1. Click Cancel to get an empty Create Entry screen in Deja.

  2. Enter the distinguished name of the domain you just created in the parent text field. For example, if your domain were eng.sun.com, you would enter ou=eng,o=sun,c=us.


    Tip -

    If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.


  3. Choose the ou attribute for the organizationalUnit's relative distinguished name, and enter People. The ou attribute is case-insensitive.

  4. Click Next Step.

  5. Choose the object class organizationalUnit and click Next Step.

  6. Set the value of the ou attribute to People.

  7. Click Done.

  8. Repeat steps 1 through 7 for the Groups and Services organizationalUnit entries.

Creating a NAS Entry for the RADIUS Server

The network access server (NAS) is the server running within a terminal server. It contacts the Sun Directory Services RADIUS server for authentication of the user requesting access.

To make a NAS entry in the directory:

  1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool" for detailed steps.

  2. Choose Create Entry from the Entry menu.

  3. Enter the distinguished name of the NAS entry's parent in the parent text field; for example, ou=Services,ou=SomeDomain,o=sun,c=us.


    Note -

    The default Solaris ISP Server configuration assumes that NAS entries are located under the Services node in the root domain. If you locate yours elsewhere, see the RADIUS mapping manual page on how to modify the /etc/opt/SUNWconn/ldap/current/mapping/radius.mapping configuration file to reflect your environment.


  4. Choose the cn attribute for the NAS entry's relative distinguished name and enter the name of the network access server. The cn attribute is case-insensitive.

  5. Click Next Step.

  6. Choose the object classes nas and device, and click Next Step.

  7. Set values for the following mandatory attributes:

    • cn: enter the name of the network access server. The cn attribute is case-insensitive.


      Note -

      It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.


    • sharedKey: enter the key shared with your network access server.

    • ipHostNumber: enter the IP address of the host where the network access server is running.

  8. Click Done.

    The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

Creating Group Entries

Sun WebServer uses groups to control access to material. When a realm is configured to use the directory services as its source, the users and groups must be entries in Sun Directory Services. In order to create a group entry, the individual members of the group must already have ispSubscriber entries in the directory.

To make a group entry in the directory:

  1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool" for detailed steps.

  2. Choose Create Entry from the Entry menu.

  3. Enter the distinguished name of the group's parent in the parent text field; for example, ou=Groups,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects group entries to be located under a Groups node in a domain or organization.


    Tip -

    If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.


  4. Choose the cn attribute for the group's relative distinguished name, and enter the name of the group. The cn attribute is case-insensitive.

  5. Click Next Step.

  6. Choose the object class groupOfNames, and click Next Step.

  7. Set values for the following mandatory attributes:

    • cn: enter the name of the group. The cn attribute is case-insensitive.


      Note -

      It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.


    • member: enter the distinguished name of the first member and click Add. Assign one member attribute and value for each actual member of the group. Each entry is the distinguished name of an ispSubscriber entry.

  8. Click Done.

    The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.