Chapter 5 Making Subscriber Directory Entries

This chapter covers creating subscriber entries in the Solaris ISP Server^TM directory service using command line tools, the Deja tool, or by converting existing user data in bulk. Topics include:

• "Making Subscriber Entries from the Command Line"

  • "Creating a Basic Subscriber Entry"

  • "Creating an Entry for a Subscriber with Virtual Hosting"

  • "Adding Remote User Information"

  • "The Complete ldif File"

• "Making Subscriber Entries Using the Deja Tool"

  • "Creating a Basic Subscriber Entry"

  • "Creating an Entry for a Subscriber with Virtual Hosting"

  • "Creating an Entry for a Subscriber with RADIUS Access"

  • "Creating an Entry for a Subscriber with both Virtual Hosting and RADIUS Access"

• "Adding FTP and Web Virtual Hosting Information"

  • "Making Bulk Entries from Existing User Data"

Making Subscriber Entries from the Command Line

Solaris ISP Server subscribers come in several varieties:

• The general (basic) subscriber

• The subscriber who uses virtually-hosted FTP or Web services

• The subscriber who gains access to services through a RADIUS server

• The subscriber who uses both, and whose directory entry requires both RADIUS and FTP information

In the sections that follow, instructions are provided for building the complex subscriber entry by creating the simpler entry and adding to it.

Creating a Basic Subscriber Entry

Before you can create subscriber entries, the domain and the People organizational unit entries must exist. Once you have created those entries, you can edit a text file (for example, people.ldif) and enter the data for the subscriber. The basic subscriber entry has the single object class ispSubscriber, and very few mandatory attributes. The file for a basic subscriber looks like this:

dn: cn=Jane Doe (jldoe),ou=People,ou=wcgate1,ou=eng,o=sun,c=US 
commonname:Jane Doe (jldoe) 
sn: Doe
uid: jldoe 
userpassword: hidden 
objectclass: ispSubscriber 

Where

dn

Is the distinguished name of the subscriber entry. Use the appropriate DN for subscriber entries in the desired domain.

commonName

Is the naming attribute of a subscriber entry (ispSubscriber object class). For Solaris ISP Server subscribers and administrators, the value of the commonName attribute takes the form Firstname Lastname (userid).

sn

Is the surname of the subscriber.

uid

Is the login name of the subscriber.

userPassword

Is the password, limited to eight characters if you are sharing password information with UNIX accounts. This value is generated with the encryption method you set in the directory services administration console.

objectClass: ispSubscriber

Is the object class type of this subscriber entry.

You can create any number of subscriber entries by adding blocks of data with different attribute values to the file. When it is complete, save and close people.ldif. Add the subscriber entries to the directory with the following command, replacing the bind DN and password with your own:

% ldapadd -D "cn=admin,o=sun,c=US" -w secret -f people.ldif

Adding FTP and Web Virtual Hosting Information

The information required for the specially-configured virtual hosting available with Sun^TM Internet FTP Server^TM and Sun^TM WebServer^TM adds only three attributes to the data file:

gidnumber: 60001 
uidnumber:60001 
ispcontentdirectory: jldoe

Where

gidNumber

Is the UNIX group ID specified for this user in the virtually-hosted domain for FTP and Web services. Use the GID appropriate to your use of UNIX accounts.

uidNumber

Is the UNIX user ID specified for this user in the virtually-hosted domain for FTP and Web services. Use the UID appropriate to your use of UNIX accounts.

ispContentDirectory

Is the location (relative to the associated domain's document root) where this subscriber's content files are located.

Setting the values for the uidNumber and gidNumber attributes requires existing UNIX accounts properly set up to share access to the virtual FTP domain. See the Sun Internet FTP Server online help for information on defining a virtual host configuration.

You can create any number of subscriber entries by adding blocks of data to the file. When it is complete, save and close people.ldif. Add the subscriber entries to the directory with the following command, replacing the bind DN and password with your own:

% ldapadd -D "cn=admin,o=sun,c=US" -w secret -f people.ldif

If you have already created these entries, you must perform an ldapmodify. Locate the manual page for ldapmodify(1) and follow those instructions.

Adding Remote User Information

An entry for a subscriber who gains access to ISP services through a RADIUS server must support an additional object class (remoteUser) and has several attributes added to the entry information.

The default Solaris ISP Server configuration designates the root domain as the search base for RADIUS subscriber entries. If your configuration is different, use the directory services administration console to configure RADIUS and enter values appropriate for your search base.

The additional lines in the ldif file are:

objectclass: remoteUser
authsuffixname: @ispxpress
grpcheckinfo: authSuffixName
grpcheckinfo: userPassword
authserviceprotocol: Framed-User
framedrouting: None
framedprotocol: PPP
grpreplyinfo: authServiceProtocol
grpreplyinfo: framedProtocol
grpreplyinfo: framedRouting 

Where

objectClass: remoteUser

Is a required object class for the subscriber accessing services using a RADIUS server.

authsuffixname: @ispxpress

Is a suffix added to the subscriber's user name to enable the RADIUS server to distinguish among entries with the same uid in different domains. Use the appropriate suffix for the your user entry.

grpcheckinfo: authSuffixName

Indicates that the RADIUS server should verify the authSuffixName attribute value before selecting the entry to authenticate against.

grpcheckinfo: userPassword

Indicates that the RADIUS server should verify the userPassword attribute value before selecting the entry to authenticate against.

authserviceprotocol: Framed-User

If you are using the default RADIUS configuration, enter this attribute exactly as shown. The correct value is determined by the configuration of your network access server.

framedrouting: None

If you are using the default RADIUS configuration, enter this attribute exactly as shown. The correct value is determined by the configuration of your network access server.

framedprotocol: PPP

If you are using the default RADIUS configuration, enter this attribute exactly as shown. The correct value is determined by the configuration of your network access server.

grpreplyinfo: authServiceProtocol

Tells the RADIUS server to include the value of the authServiceProtocol attribute in its reply message.

grpreplyinfo: framedProtocol

Tells the RADIUS server to include the value of the framedProtocol attribute in its reply message.

grpreplyinfo: framedRouting

Tells the RADIUS server to include the value of the framedRouting attribute in its reply message.

You can create any number of subscriber entries by adding blocks of data to the file. When it is complete, save and close people.ldif. Add the subscriber entries to the directory with the following command, replacing the bind DN and password with your own:

% ldapadd -D "cn=admin,o=sun,c=US" -w secret -f people.ldif

If you have already created these entries, you must perform an ldapmodify. Locate the manual page for ldapmodify(1) and follow those instructions.

The Complete ldif File

The complete ldif file for a complex user looks like:

dn: cn=Jane Doe (jldoe),ou=People,ou=wcgate1,ou=eng,o=sun,c=US
commonname:Jane Doe (jldoe)
sn: Doe
uid: jldoe 
userpassword: hidden 
gidnumber: 60001 
uidnumber: 60001 
objectclass: ispSubscriber 
objectclass: remoteUser
ispcontentdirectory: /home/users/jldoe
authsuffixname: @ispxpress
grpcheckinfo: authSuffixName
grpcheckinfo: userPassword
authserviceprotocol: Framed-User
framedrouting: None
framedprotocol: PPP
grpreplyinfo: authServiceProtocol
grpreplyinfo: framedProtocol
grpreplyinfo: framedRouting 

Making Subscriber Entries Using the Deja Tool

Creating a Basic Subscriber Entry

Each ISP subscriber (or customer) must have an entry in the directory. These entries, of the ispSubscriber object class, provide authentication and access information for each customer. There are different types of subscriber entries, depending on the needs of the individual subscriber.

To make a basic subscriber entry in the directory:

1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool " for detailed steps.

2. Choose Create Entry from the Entry menu.

3. Enter the distinguished name of the subscriber's parent in the parent text field; for example, ou=People,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects subscriber entries to be located under a People node in a domain or organization.

   ---

   Tip -

   If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.

   ---

4. Choose the cn attribute for the subscriber's relative distinguished name, and enter the name in the form Firstname Lastname (userid). The cn attribute is case-insensitive.

5. Click Next Step.

6. Choose the object class ispSubscriber, and click Next Step.

7. Set values for the following mandatory attributes:

   • userid: enter the user's login name

   • commonName: enter the subscriber's name, in the form Firstname Lastname (userid). The cn attribute is case-insensitive.

     ---

     Note -

     It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.

     ---

   • sn: enter the subscriber's surname.

   • userPassword: enter the user's password. Limit passwords to 8 characters if you are sharing user information with UNIX accounts.

   These attributes must have values for the subscriber entry to be valid. You can add values for optional entries as appropriate.

8. Click Done.

   The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

   See the Sun Directory Services User Guide, Chapter 2, "Deja Tool: Standard LDAP Features" for more information about the Deja tool.

Creating an Entry for a Subscriber with Virtual Hosting

To make a subscriber entry in the directory:

1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool " for detailed steps.

2. Choose Create Entry from the Entry menu.

3. Enter the distinguished name of the subscriber's parent in the parent text field; for example, ou=People,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects subscriber entries to be located under a People node in a domain or organization.

   ---

   Tip -

   If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.

   ---

4. Choose the cn attribute for the subscriber's relative distinguished name, and enter the name in the form Firstname Lastname (userid). The cn attribute is case-insensitive.

5. Click Next Step.

6. Choose the object class ispSubscriber, and click Next Step.

7. Set values for the following mandatory attributes:

   • userid: enter the user's login name

   • commonName: enter the subscriber's name, in the form Firstname Lastname (userid). The cn attribute is case-insensitive.

     ---

     Note -

     It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.

     ---

   • sn: enter the subscriber's surname.

   • userPassword: enter the user's password. Limit passwords to 8 characters if you are sharing user information with UNIX accounts.

   • gidNumber: enter the UNIX group ID defined for a user in the virtually-hosted domain.

   • uidNumber: enter the UNIX user ID defined for a user in the virtually-hosted domain.

   • ispContentDirectory: enter the path (relative to the ispDirectoryRoot defined for the virtually-hosted domain) to the subscriber's FTP content directory. Include the leading slash, for example: /home/ftp.

   These attributes must have values for the subscriber entry to be valid. You can add values for optional entries as appropriate.

8. Click Done.

   The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

   See the Sun Directory Services User Guide, Chapter 2, "Deja Tool: Standard LDAP Features" for more information about the Deja tool. Also see Appendix A, "Configuring a Virtual Host."

Creating an Entry for a Subscriber with RADIUS Access

Adding RADIUS server access information to a subscriber entry involves adding an object class, remoteUser, and setting a number of special attributes. To make a subscriber entry in the directory for a user who accesses services through a RADIUS server:

1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool " for detailed steps.

2. Choose Create Entry from the Entry menu.

3. Enter the distinguished name of the subscriber's parent in the parent text field; for example, ou=People,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects subscriber entries to be located under a People node in a domain or organization.

   ---

   Tip -

   If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.

   ---

4. Choose the cn attribute for the subscriber's relative distinguished name, and enter the name in the form Firstname Lastname (userid). The cn attribute is case-insensitive.

5. Click Next Step.

6. Choose the object classes ispSubscriber and remoteUser, and click Next Step.

7. Set values for the following mandatory attributes:

   • userid: enter the user's login name

   • commonName: enter the subscriber's name, in the form Firstname Lastname (userid). The cn attribute is case-insensitive.

     ---

     Note -

     It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.

     ---

   • sn: enter the subscriber's surname.

   • userPassword: enter the user's password. Limit passwords to 8 characters if you are sharing user information with UNIX accounts.

   • gidNumber: enter the UNIX group ID defined for a user in the virtually-hosted domain.

   • uidNumber: enter the UNIX user ID defined for a user in the virtually-hosted domain.

   • ispContentDirectory: enter the path (relative to the ispDirectoryRoot defined for the virtually-hosted domain) to the subscriber's FTP content directory. Include the leading slash, for example: /home/ftp.

   • authSuffixName: enter the suffix string to be appended to the user's login name.

   • grpCheckInfo: enter the attributes you want used for user authentication (grpCheckInfo is multi-valued). We recommend that you enter at least authSuffixName and userPassword.

   • authServiceProtocol: enter Framed-User.

   • framedRouting: enter None.

   • framedProtocol: enter PPP.

   • grpReplyInfo: set this multivalued attribute three times, with the following values:

     • authServiceProtocol

     • framedProtocol

     • framedRouting

   These attributes must have values for the subscriber entry to be valid. You can add values for optional entries as appropriate.

8. Click Done.

   The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

   See the Sun Directory Services User Guide, Chapter 2, "Deja Tool: Standard LDAP Features" for more information about the Deja tool. Also see Appendix A, "Configuring a Virtual Host."

Creating an Entry for a Subscriber with both Virtual Hosting and RADIUS Access

To make an entry in the directory services for a subscriber who uses a RADIUS server for access and who has FTP or Web services on a virtual host:

1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool " for detailed steps.

2. Choose Create Entry from the Entry menu.

3. Enter the distinguished name of the subscriber's parent in the parent text field; for example, ou=People,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects subscriber entries to be located under a People node in a domain or organization.

   ---

   Tip -

   If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.

   ---

4. Choose the cn attribute for the subscriber's relative distinguished name, and enter the name in the form Firstname Lastname (userid). The cn attribute is case-insensitive.

5. Click Next Step.

6. Choose the object classes ispSubscriber and remoteUser, and click Next Step.

7. Set values for the following mandatory attributes:

   • userid: enter the user's login name

   • commonName: enter the subscriber's name, in the form Firstname Lastname (userid). The cn attribute is case-insensitive.

     ---

     Note -

     It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.

     ---

   • sn: enter the subscriber's surname.

   • userPassword: enter the user's password. Limit passwords to 8 characters if you are sharing user information with UNIX accounts.

   • authSuffixName: enter the suffix string to be appended to the user's login name.

   • grpCheckInfo: enter the attributes you want used for user authentication (grpCheckInfo is multi-valued). We recommend that you enter at least authSuffixName and userPassword.

   • authServiceProtocol: enter Framed-User.

   • framedRouting: enter None.

   • framedProtocol: enter PPP.

   • grpReplyInfo: set this multivalued attribute three times, with the following values:

     • authServiceProtocol

     • framedProtocol

     • framedRouting

   These attributes must have values for the subscriber entry to be valid. You can add values for optional entries as appropriate.

8. Click Done.

   The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

   See the Sun Directory Services User Guide, Chapter 2, "Deja Tool: Standard LDAP Features" for more information about the Deja tool. Also see Appendix A, "Configuring a Virtual Host."

Bulk Loading Subscriber Entries

The Solaris ISP Server Directory Services component contains tools for converting existing user data into entries in the directory service. You can export existing data, for example, from a database, NIS, or another LDAP directory into a structured text file, then use the sispload tool to convert the data into an ldif file that can be used with ldapmodify.

The file /etc/opt/SUNWconn/ldap/current/mapping/sispload.mapping contains tables for mapping input data into one of four types of user entry:

• The sisp table creates ispSubscriber entries.

• The sisprad table creates ispSubscriber entries with the remoteUser object class for RADIUS authentication.

• The sispsims table creates ispSubscriber entries with the emailPerson object class for use with Sun Internet Mail Server software.

• The sispradsims table creates ispSubscriber entries with the emailPerson and remoteUser object classes for use with Sun Internet Mail Server software and RADIUS authentication.

Making Bulk Entries from Existing User Data

1. Export your existing user data to a text file (the "input file") with one user on each line.

   You may need to edit the text file to get the data in the correct order and to use the proper field separator. If possible, arrange the data in the order described in Step 2 to reduce the amount of manual editing required.

   An example input file is provided in /opt/SUNWisp/ldap/sunds/examples/sispload.input.

2. Edit the input file to use the proper field separator and to arrange the fields in the order expected by sispload.

   By default, fields must be separated by an exclamation point (!). To change the field separator, see the sispload.mapping(4) manual page.

   The order of the fields for the sisp table is described below. If you wish to use the sisprad, sispsims, or sispradsims tables, consult the sispload.mapping(4) manual page.

   Each line should have the following fields in this order (optional fields with no data may be left blank, but a field separator is still required; see the sispload.mapping(4) manual page for details):

   !LastName!FirstName!Nickname!Username!Password!DomainName!\
        E-mailAddress!Services!UID!GID!ContentDirectory!

   The Services and ContentDirectory fields may not exist in your current user database. Creating data for these fields is explained in Step 3.

   Here is a sample input line with the Password field left blank (the Username will be entered as the password by sispload):

   !Smith!Joseph!Joe!jsmith!!myIsp.net!jsmith@pop.myIsp.net!\
   ispVersion=1.0,ou=SUNWftp,ou=Services,o=myIsp,c=us!\
   90981!100!jsmith/public_html!

3. Since the Services and ContentDirectory fields may not exist in your existing data, you may need to edit the input file to add these fields.

   The Services field should contain the distinguished name of each ispService entry representing a service the user is allowed to access (for example, FTP or news). For each service, the distinguished name must include the ispVersion attribute, an ou entry with the service ID, and a relative distinguished name from the root of the tree to an ou=Services node. For example:

   ispVersion=1.0,ou=SUNWftp,ou=Services,o=myIsp,c=us

   The ContentDirectory field specifies a directory where the user may store personal files such as web pages. The sispload.mapping file specifies "/home" as the default root, and the value in the ContentDirectory field is appended to create the value of the ispContentDirectory attribute for the ispSubscriber. Note that the ispContentDirectory is relative to the ispDirectoryRoot of an ispService entry that makes use of it. Edit sispload.mapping to use a different default root.

4. Run /opt/SUNWisp/ldap/sunds/sbin/sispload with the input file to create an ldif file.

   The sispload command takes the following arguments:

   sispload [[-b baseDN]] [[-d debugLevel]] [[-h ldapHost]] [[-m mapFile]] [[-o outputFile]] [[-t mapTable]] [[-V variable=value...]]-f inputFile

   -b baseDN

   Specifies the base distinguished name beneath which the user entries will be added. This argument is optional, and defaults to the primary naming context you specify at install time. You may want to specify a different domain in your directory tree (for example, "ou=subDomain,o=myIsp,c=US") .

   -d debugLevel

   Specifies the level of logging performed by the ldap server daemon (dsservd). See the manual page for sispload(1M) for values.

   -h ldapHost

   Specifies the host name of the Solaris ISP Server directory server. By default, the host from which sispload is invoked is used.

   -m mapFile

   Specifies the mapping file that contains the definitions for translating the input file into ldif entries. By default sispload.mapping in the directory /etc/opt/SUNWconn/ldap/current/mapping is used.

   -o outputFile

   Specifies a prefix for creating files with the error and ldif output. By default, errors are sent to STDERR and the ldif output to STDOUT. If you specify a value here, two files will be created: outputFile.ldif and outputFile.err.

   -t mapTable

   Specifies the table in the mapping file to use. By default, the sisp table in the default mapping file is used; other options in the default mapping table are sisprad, sispsims, and sispradsims.

   -V variable=value

   Sets variables for use in the conversion. Repeat the -V flag to define multiple variables.

   -f inputFile

   Specifies the full path name to the input file you have created. This option is required.

   For example:

   # cd /opt/SUNWisp/ldap/sbin # ./sispload -b o=myIsp,c=US -t sisprad -o /tmp/ldapusers -f /tmp/input.nis.txt

5. Run /opt/SUNWconn/bin/ldapmodify with the ldif file you created to add the users to the directory.

   For example:

   # cd /opt/SUNWconn/bin # ./ldapmodify -D cn=admin,o=myIsp,c=US -w secret -f /tmp/ldapusers.ldif

6. Examine the error output to see if any entries could not be added to the directory service.

   The error output will contain ldif entries for users that could not be added to the directory. Usually the cause is a syntax error in the input file. You may want to extract these entries from the original input file, save them to a new file, fix the errors, and run sispload again.