This chapter covers creating subscriber entries in the Solaris ISP ServerTM directory service using command line tools, the Deja tool, or by converting existing user data in bulk. Topics include:
"Making Subscriber Entries from the Command Line"
"Making Subscriber Entries Using the Deja Tool"
"Adding FTP and Web Virtual Hosting Information"
Solaris ISP Server subscribers come in several varieties:
The general (basic) subscriber
The subscriber who uses virtually-hosted FTP or Web services
The subscriber who gains access to services through a RADIUS server
The subscriber who uses both, and whose directory entry requires both RADIUS and FTP information
In the sections that follow, instructions are provided for building the complex subscriber entry by creating the simpler entry and adding to it.
Before you can create subscriber entries, the domain and the People organizational unit entries must exist. Once you have created those entries, you can edit a text file (for example, people.ldif) and enter the data for the subscriber. The basic subscriber entry has the single object class ispSubscriber, and very few mandatory attributes. The file for a basic subscriber looks like this:
dn: cn=Jane Doe (jldoe),ou=People,ou=wcgate1,ou=eng,o=sun,c=US commonname:Jane Doe (jldoe) sn: Doe uid: jldoe userpassword: hidden objectclass: ispSubscriber
Where
Is the distinguished name of the subscriber entry. Use the appropriate DN for subscriber entries in the desired domain.
Is the naming attribute of a subscriber entry (ispSubscriber object class). For Solaris ISP Server subscribers and administrators, the value of the commonName attribute takes the form Firstname Lastname (userid).
Is the surname of the subscriber.
Is the login name of the subscriber.
Is the password, limited to eight characters if you are sharing password information with UNIX accounts. This value is generated with the encryption method you set in the directory services administration console.
Is the object class type of this subscriber entry.
You can create any number of subscriber entries by adding blocks of data with different attribute values to the file. When it is complete, save and close people.ldif. Add the subscriber entries to the directory with the following command, replacing the bind DN and password with your own:
% ldapadd -D "cn=admin,o=sun,c=US" -w secret -f people.ldif |
The information required for the specially-configured virtual hosting available with SunTM Internet FTP ServerTM and SunTM WebServerTM adds only three attributes to the data file:
gidnumber: 60001 uidnumber:60001 ispcontentdirectory: jldoe
Where
Is the UNIX group ID specified for this user in the virtually-hosted domain for FTP and Web services. Use the GID appropriate to your use of UNIX accounts.
Is the UNIX user ID specified for this user in the virtually-hosted domain for FTP and Web services. Use the UID appropriate to your use of UNIX accounts.
Is the location (relative to the associated domain's document root) where this subscriber's content files are located.
Setting the values for the uidNumber and gidNumber attributes requires existing UNIX accounts properly set up to share access to the virtual FTP domain. See the Sun Internet FTP Server online help for information on defining a virtual host configuration.
You can create any number of subscriber entries by adding blocks of data to the file. When it is complete, save and close people.ldif. Add the subscriber entries to the directory with the following command, replacing the bind DN and password with your own:
% ldapadd -D "cn=admin,o=sun,c=US" -w secret -f people.ldif |
If you have already created these entries, you must perform an ldapmodify. Locate the manual page for ldapmodify(1) and follow those instructions.
An entry for a subscriber who gains access to ISP services through a RADIUS server must support an additional object class (remoteUser) and has several attributes added to the entry information.
The default Solaris ISP Server configuration designates the root domain as the search base for RADIUS subscriber entries. If your configuration is different, use the directory services administration console to configure RADIUS and enter values appropriate for your search base.
The additional lines in the ldif file are:
objectclass: remoteUser authsuffixname: @ispxpress grpcheckinfo: authSuffixName grpcheckinfo: userPassword authserviceprotocol: Framed-User framedrouting: None framedprotocol: PPP grpreplyinfo: authServiceProtocol grpreplyinfo: framedProtocol grpreplyinfo: framedRouting
Where
Is a required object class for the subscriber accessing services using a RADIUS server.
Is a suffix added to the subscriber's user name to enable the RADIUS server to distinguish among entries with the same uid in different domains. Use the appropriate suffix for the your user entry.
Indicates that the RADIUS server should verify the authSuffixName attribute value before selecting the entry to authenticate against.
Indicates that the RADIUS server should verify the userPassword attribute value before selecting the entry to authenticate against.
If you are using the default RADIUS configuration, enter this attribute exactly as shown. The correct value is determined by the configuration of your network access server.
If you are using the default RADIUS configuration, enter this attribute exactly as shown. The correct value is determined by the configuration of your network access server.
If you are using the default RADIUS configuration, enter this attribute exactly as shown. The correct value is determined by the configuration of your network access server.
Tells the RADIUS server to include the value of the authServiceProtocol attribute in its reply message.
Tells the RADIUS server to include the value of the framedProtocol attribute in its reply message.
Tells the RADIUS server to include the value of the framedRouting attribute in its reply message.
You can create any number of subscriber entries by adding blocks of data to the file. When it is complete, save and close people.ldif. Add the subscriber entries to the directory with the following command, replacing the bind DN and password with your own:
% ldapadd -D "cn=admin,o=sun,c=US" -w secret -f people.ldif |
If you have already created these entries, you must perform an ldapmodify. Locate the manual page for ldapmodify(1) and follow those instructions.
The complete ldif file for a complex user looks like:
dn: cn=Jane Doe (jldoe),ou=People,ou=wcgate1,ou=eng,o=sun,c=US commonname:Jane Doe (jldoe) sn: Doe uid: jldoe userpassword: hidden gidnumber: 60001 uidnumber: 60001 objectclass: ispSubscriber objectclass: remoteUser ispcontentdirectory: /home/users/jldoe authsuffixname: @ispxpress grpcheckinfo: authSuffixName grpcheckinfo: userPassword authserviceprotocol: Framed-User framedrouting: None framedprotocol: PPP grpreplyinfo: authServiceProtocol grpreplyinfo: framedProtocol grpreplyinfo: framedRouting
Each ISP subscriber (or customer) must have an entry in the directory. These entries, of the ispSubscriber object class, provide authentication and access information for each customer. There are different types of subscriber entries, depending on the needs of the individual subscriber.
To make a basic subscriber entry in the directory:
Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool " for detailed steps.
Choose Create Entry from the Entry menu.
Enter the distinguished name of the subscriber's parent in the parent text field; for example, ou=People,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects subscriber entries to be located under a People node in a domain or organization.
If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.
Choose the cn attribute for the subscriber's relative distinguished name, and enter the name in the form Firstname Lastname (userid). The cn attribute is case-insensitive.
Click Next Step.
Choose the object class ispSubscriber, and click Next Step.
Set values for the following mandatory attributes:
userid: enter the user's login name
commonName: enter the subscriber's name, in the form Firstname Lastname (userid). The cn attribute is case-insensitive.
It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.
sn: enter the subscriber's surname.
userPassword: enter the user's password. Limit passwords to 8 characters if you are sharing user information with UNIX accounts.
These attributes must have values for the subscriber entry to be valid. You can add values for optional entries as appropriate.
Click Done.
The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.
See the Sun Directory Services User Guide, Chapter 2, "Deja Tool: Standard LDAP Features" for more information about the Deja tool.
To make a subscriber entry in the directory:
Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool " for detailed steps.
Choose Create Entry from the Entry menu.
Enter the distinguished name of the subscriber's parent in the parent text field; for example, ou=People,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects subscriber entries to be located under a People node in a domain or organization.
If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.
Choose the cn attribute for the subscriber's relative distinguished name, and enter the name in the form Firstname Lastname (userid). The cn attribute is case-insensitive.
Click Next Step.
Choose the object class ispSubscriber, and click Next Step.
Set values for the following mandatory attributes:
userid: enter the user's login name
commonName: enter the subscriber's name, in the form Firstname Lastname (userid). The cn attribute is case-insensitive.
It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.
sn: enter the subscriber's surname.
userPassword: enter the user's password. Limit passwords to 8 characters if you are sharing user information with UNIX accounts.
gidNumber: enter the UNIX group ID defined for a user in the virtually-hosted domain.
uidNumber: enter the UNIX user ID defined for a user in the virtually-hosted domain.
ispContentDirectory: enter the path (relative to the ispDirectoryRoot defined for the virtually-hosted domain) to the subscriber's FTP content directory. Include the leading slash, for example: /home/ftp.
These attributes must have values for the subscriber entry to be valid. You can add values for optional entries as appropriate.
Click Done.
The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.
See the Sun Directory Services User Guide, Chapter 2, "Deja Tool: Standard LDAP Features" for more information about the Deja tool. Also see Appendix A, "Configuring a Virtual Host."
Adding RADIUS server access information to a subscriber entry involves adding an object class, remoteUser, and setting a number of special attributes. To make a subscriber entry in the directory for a user who accesses services through a RADIUS server:
Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool " for detailed steps.
Choose Create Entry from the Entry menu.
Enter the distinguished name of the subscriber's parent in the parent text field; for example, ou=People,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects subscriber entries to be located under a People node in a domain or organization.
If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.
Choose the cn attribute for the subscriber's relative distinguished name, and enter the name in the form Firstname Lastname (userid). The cn attribute is case-insensitive.
Click Next Step.
Choose the object classes ispSubscriber and remoteUser, and click Next Step.
Set values for the following mandatory attributes:
userid: enter the user's login name
commonName: enter the subscriber's name, in the form Firstname Lastname (userid). The cn attribute is case-insensitive.
It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.
sn: enter the subscriber's surname.
userPassword: enter the user's password. Limit passwords to 8 characters if you are sharing user information with UNIX accounts.
gidNumber: enter the UNIX group ID defined for a user in the virtually-hosted domain.
uidNumber: enter the UNIX user ID defined for a user in the virtually-hosted domain.
ispContentDirectory: enter the path (relative to the ispDirectoryRoot defined for the virtually-hosted domain) to the subscriber's FTP content directory. Include the leading slash, for example: /home/ftp.
authSuffixName: enter the suffix string to be appended to the user's login name.
grpCheckInfo: enter the attributes you want used for user authentication (grpCheckInfo is multi-valued). We recommend that you enter at least authSuffixName and userPassword.
authServiceProtocol: enter Framed-User.
framedRouting: enter None.
framedProtocol: enter PPP.
grpReplyInfo: set this multivalued attribute three times, with the following values:
authServiceProtocol
framedProtocol
framedRouting
These attributes must have values for the subscriber entry to be valid. You can add values for optional entries as appropriate.
Click Done.
The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.
See the Sun Directory Services User Guide, Chapter 2, "Deja Tool: Standard LDAP Features" for more information about the Deja tool. Also see Appendix A, "Configuring a Virtual Host."
To make an entry in the directory services for a subscriber who uses a RADIUS server for access and who has FTP or Web services on a virtual host:
Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool " for detailed steps.
Choose Create Entry from the Entry menu.
Enter the distinguished name of the subscriber's parent in the parent text field; for example, ou=People,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects subscriber entries to be located under a People node in a domain or organization.
If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.
Choose the cn attribute for the subscriber's relative distinguished name, and enter the name in the form Firstname Lastname (userid). The cn attribute is case-insensitive.
Click Next Step.
Choose the object classes ispSubscriber and remoteUser, and click Next Step.
Set values for the following mandatory attributes:
userid: enter the user's login name
commonName: enter the subscriber's name, in the form Firstname Lastname (userid). The cn attribute is case-insensitive.
It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.
sn: enter the subscriber's surname.
userPassword: enter the user's password. Limit passwords to 8 characters if you are sharing user information with UNIX accounts.
authSuffixName: enter the suffix string to be appended to the user's login name.
grpCheckInfo: enter the attributes you want used for user authentication (grpCheckInfo is multi-valued). We recommend that you enter at least authSuffixName and userPassword.
authServiceProtocol: enter Framed-User.
framedRouting: enter None.
framedProtocol: enter PPP.
grpReplyInfo: set this multivalued attribute three times, with the following values:
authServiceProtocol
framedProtocol
framedRouting
These attributes must have values for the subscriber entry to be valid. You can add values for optional entries as appropriate.
Click Done.
The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.
See the Sun Directory Services User Guide, Chapter 2, "Deja Tool: Standard LDAP Features" for more information about the Deja tool. Also see Appendix A, "Configuring a Virtual Host."
The Solaris ISP Server Directory Services component contains tools for converting existing user data into entries in the directory service. You can export existing data, for example, from a database, NIS, or another LDAP directory into a structured text file, then use the sispload tool to convert the data into an ldif file that can be used with ldapmodify.
The file /etc/opt/SUNWconn/ldap/current/mapping/sispload.mapping contains tables for mapping input data into one of four types of user entry:
The sisp
table creates ispSubscriber
entries.
The sisprad
table creates ispSubscriber
entries with the remoteUser
object class for RADIUS authentication.
The sispsims
table creates ispSubscriber
entries with the emailPerson
object class for use with Sun Internet Mail Server software.
The sispradsims
table creates ispSubscriber
entries with the emailPerson
and remoteUser
object classes for use with Sun Internet Mail Server software and RADIUS authentication.
Export your existing user data to a text file (the "input file") with one user on each line.
You may need to edit the text file to get the data in the correct order and to use the proper field separator. If possible, arrange the data in the order described in Step 2 to reduce the amount of manual editing required.
An example input file is provided in /opt/SUNWisp/ldap/sunds/examples/sispload.input.
Edit the input file to use the proper field separator and to arrange the fields in the order expected by sispload.
By default, fields must be separated by an exclamation point (!). To change the field separator, see the sispload.mapping(4) manual page.
The order of the fields for the sisp
table is described below. If you wish to use the sisprad
, sispsims
, or sispradsims
tables, consult the sispload.mapping(4) manual page.
Each line should have the following fields in this order (optional fields with no data may be left blank, but a field separator is still required; see the sispload.mapping(4) manual page for details):
!LastName!FirstName!Nickname!Username!Password!DomainName!\ E-mailAddress!Services!UID!GID!ContentDirectory!
The Services
and ContentDirectory
fields may not exist in your current user database. Creating data for these fields is explained in Step 3.
Here is a sample input line with the Password
field left blank (the Username
will be entered as the password by sispload):
!Smith!Joseph!Joe!jsmith!!myIsp.net!jsmith@pop.myIsp.net!\ ispVersion=1.0,ou=SUNWftp,ou=Services,o=myIsp,c=us!\ 90981!100!jsmith/public_html!
Since the Services
and ContentDirectory
fields may not exist in your existing data, you may need to edit the input file to add these fields.
The Services
field should contain the distinguished name of each ispService
entry representing a service the user is allowed to access (for example, FTP or news). For each service, the distinguished name must include the ispVersion
attribute, an ou
entry with the service ID, and a relative distinguished name from the root of the tree to an ou=Services
node. For example:
ispVersion=1.0,ou=SUNWftp,ou=Services,o=myIsp,c=us
The ContentDirectory
field specifies a directory where the user may store personal files such as web pages. The sispload.mapping file specifies "/home" as the default root, and the value in the ContentDirectory
field is appended to create the value of the ispContentDirectory
attribute for the ispSubscriber
. Note that the ispContentDirectory
is relative to the ispDirectoryRoot
of an ispService
entry that makes use of it. Edit sispload.mapping to use a different default root.
Run /opt/SUNWisp/ldap/sunds/sbin/sispload with the input file to create an ldif file.
The sispload command takes the following arguments:
sispload [[-b baseDN]] [[-d debugLevel]] [[-h ldapHost]] [[-m mapFile]] [[-o outputFile]] [[-t mapTable]] [[-V variable=value...]]-f inputFile
Specifies the base distinguished name beneath which the user entries will be added. This argument is optional, and defaults to the primary naming context you specify at install time. You may want to specify a different domain in your directory tree (for example, "ou=subDomain,o=myIsp,c=US") .
Specifies the level of logging performed by the ldap server daemon (dsservd
). See the manual page for sispload(1M) for values.
Specifies the host name of the Solaris ISP Server directory server. By default, the host from which sispload is invoked is used.
Specifies the mapping file that contains the definitions for translating the input file into ldif entries. By default sispload.mapping in the directory /etc/opt/SUNWconn/ldap/current/mapping is used.
Specifies a prefix for creating files with the error and ldif output. By default, errors are sent to STDERR and the ldif output to STDOUT. If you specify a value here, two files will be created: outputFile.ldif and outputFile.err.
Specifies the table in the mapping file to use. By default, the sisp
table in the default mapping file is used; other options in the default mapping table are sisprad
, sispsims
, and sispradsims
.
Sets variables for use in the conversion. Repeat the -V flag to define multiple variables.
Specifies the full path name to the input file you have created. This option is required.
For example:
# cd /opt/SUNWisp/ldap/sbin # ./sispload -b o=myIsp,c=US -t sisprad -o /tmp/ldapusers -f /tmp/input.nis.txt |
Run /opt/SUNWconn/bin/ldapmodify with the ldif file you created to add the users to the directory.
For example:
# cd /opt/SUNWconn/bin # ./ldapmodify -D cn=admin,o=myIsp,c=US -w secret -f /tmp/ldapusers.ldif |
Examine the error output to see if any entries could not be added to the directory service.
The error output will contain ldif entries for users that could not be added to the directory. Usually the cause is a syntax error in the input file. You may want to extract these entries from the original input file, save them to a new file, fix the errors, and run sispload again.