Solaris ISP Server 2.0 Administration Guide

Creating Directory Entries for a Domain

Five directory entries are necessary to support a domain: one in the DC tree and four in the OSI tree (see Chapter 3, Using Directory Services for illustrations of the tree structure). Follow the steps in "Creating the DC Tree Entry", "Creating the OSI Tree Entry", and "Creating the organizationalUnit Entries" to complete the required domain entries.


Note -

You must also perform any DNS or NIS mapping your domains require.


Creating the DC Tree Entry

The DC tree entry maps the domain name server form of the name to the distinguished name of the entry in the OSI tree. Be very careful to enter the associatedName attribute correctly; it must contain the distinguished name of the OSI tree entry.

  1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool" for detailed steps.

  2. Choose Create Entry from the Entry menu.

  3. Enter the distinguished name of the domain's parent in the parent text field. For example, for a domain beneath sun.com you would enter: dc=sun,dc=com.


    Tip -

    If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.


  4. Choose the dc attribute for the domain's relative distinguished name, and enter the name. Click Next Step.

  5. Choose the object class domain and click Next Step.

  6. Set values for the following mandatory attributes:

    • dc: enter the relative distinguished name of the domain.


      Note -

      It may appear that the dc attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the dc attribute. Enter the same value.


    • associatedName: enter the distinguished name of the domain entry you will create in the OSI tree. For example, the domain eng beneath sun.com would have the distinguished name ou=eng,o=sun,c=us.

  7. Click Done.

    The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

  8. Proceed to the next section and create the OSI tree entry.

Creating the OSI Tree Entry

The OSI tree entry contains the actual directory services information about the domain. Be very careful to enter the associatedDomain attribute correctly; it must contain the name of the DC tree entry in domain name form, for example eng.sun.com.

  1. Click Cancel to get an empty Create Entry screen in Deja.

  2. Enter the distinguished name of the domain's parent in the parent text field. For example, for a domain beneath sun.com you would enter: o=sun,c=us.


    Tip -

    If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.


  3. Choose the ou attribute for the domain's relative distinguished name, and enter the name. The ou attribute is case-insensitive.

  4. Click Next Step.

  5. Choose the object classes organizationalUnit and domainRelatedObject and click Next Step.

  6. Set values for the following mandatory attributes:

    • ou: enter the relative name of the domain. The ou attribute is case-insensitive.


      Note -

      It may appear that the ou attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the ou attribute. Enter the same value.


    • associatedDomain: enter the domain name of the DC tree entry you just created, for example eng.sun.com.

  7. Click Done.

    The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

  8. Proceed to the next section and create the organizationalUnit entries.

Creating the organizationalUnit Entries

Solaris ISP Server expects subscriber, group, and service entries to be located in specific organizationalUnit entries under a domain or organization. Once your domain entries are correct, create these entries as well.

  1. Click Cancel to get an empty Create Entry screen in Deja.

  2. Enter the distinguished name of the domain you just created in the parent text field. For example, if your domain were eng.sun.com, you would enter ou=eng,o=sun,c=us.


    Tip -

    If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.


  3. Choose the ou attribute for the organizationalUnit's relative distinguished name, and enter People. The ou attribute is case-insensitive.

  4. Click Next Step.

  5. Choose the object class organizationalUnit and click Next Step.

  6. Set the value of the ou attribute to People.

  7. Click Done.

  8. Repeat steps 1 through 7 for the Groups and Services organization unit entries.
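The three procedures above create five entries whose names must agree with each other. The following Python is an added example, not code from the Solaris ISP Server guide: it derives the five entries for one domain (using the guide's eng.sun.com and o=sun,c=us examples), renders them as LDIF, and checks the two cross-references the guide warns about, associatedName and associatedDomain, comparing DNs case-insensitively.

```python
# Added example, not code from the Solaris ISP Server guide: derive the five
# entries the procedures above create for one domain and check the two
# cross-references the guide warns about (associatedName and associatedDomain).

def norm(dn):
    """DN values such as ou and dc are case-insensitive: compare lower-cased, unspaced."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def dc_dn(domain):
    """DC-tree name: eng.sun.com -> dc=eng,dc=sun,dc=com"""
    return ",".join("dc=" + label for label in domain.split("."))

def osi_dn(domain, org_dn):
    """OSI-tree name: the domain's first label as an ou under the organization."""
    return "ou=%s,%s" % (domain.split(".", 1)[0], org_dn)

def domain_entries(domain, org_dn):
    """The five entries as (dn, attributes) pairs, in the guide's creation order."""
    label = domain.split(".", 1)[0]
    osi = osi_dn(domain, org_dn)
    entries = [
        (dc_dn(domain), {"objectClass": ["domain"], "dc": [label],
                         "associatedName": [osi]}),
        (osi, {"objectClass": ["organizationalUnit", "domainRelatedObject"],
               "ou": [label], "associatedDomain": [domain]}),
    ]
    for ou in ("People", "Groups", "Services"):
        entries.append(("ou=%s,%s" % (ou, osi),
                        {"objectClass": ["organizationalUnit"], "ou": [ou]}))
    return entries

def check_links(entries):
    """Return problems found; an empty list means DC and OSI entries point at each other."""
    dns = {norm(dn) for dn, _ in entries}
    problems = []
    for dn, attrs in entries:
        for target in attrs.get("associatedName", []):
            if norm(target) not in dns:
                problems.append("%s: associatedName %r names no OSI entry" % (dn, target))
        for dom in attrs.get("associatedDomain", []):
            if norm(dc_dn(dom)) not in dns:
                problems.append("%s: associatedDomain %r names no DC entry" % (dn, dom))
    return problems

def to_ldif(entries):
    """Render the entries as LDIF text, one record per entry."""
    out = []
    for dn, attrs in entries:
        out.append("\n".join(["dn: " + dn] + ["%s: %s" % (a, v) for a, vs in attrs.items() for v in vs]))
    return "\n\n".join(out) + "\n"
```

Running check_links on entries read back from the directory after the Deja steps catches the most common mistake, a DN typed into associatedDomain or a domain name typed into associatedName.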

Creating a NAS Entry for the RADIUS Server

The network access server (NAS) is the server running within a terminal server. It contacts the Sun Directory Services RADIUS server for authentication of the user requesting access.

To make a NAS entry in the directory:

  1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool" for detailed steps.

  2. Choose Create Entry from the Entry menu.

  3. Enter the distinguished name of the NAS entry's parent in the parent text field; for example, ou=Services,ou=SomeDomain,o=sun,c=us.


    Note -

    The default Solaris ISP Server configuration assumes that NAS entries are located under the Services node in the root domain. If you locate yours elsewhere, see the RADIUS mapping manual page on how to modify the /etc/opt/SUNWconn/ldap/current/mapping/radius.mapping configuration file to reflect your environment.


  4. Choose the cn attribute for the NAS entry's relative distinguished name and enter the name of the network access server. The cn attribute is case-insensitive.

  5. Click Next Step.

  6. Choose the object classes nas and device, and click Next Step.

  7. Set values for the following mandatory attributes:

    • cn: enter the name of the network access server. The cn attribute is case-insensitive.


      Note -

      It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.


    • sharedKey: enter the key shared with your network access server.

    • ipHostNumber: enter the IP address of the host where the network access server is running.

  8. Click Done.

    The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.

Creating Group Entries

Sun WebServer uses groups to control access to material. When a realm is configured to use the directory services as its source, the users and groups must be entries in Sun Directory Services. In order to create a group entry, the individual members of the group must already have ispSubscriber entries in the directory.

To make a group entry in the directory:

  1. Start and log into Deja. See "Accessing the Sun Directory Services Deja Tool" for detailed steps.

  2. Choose Create Entry from the Entry menu.

  3. Enter the distinguished name of the group's parent in the parent text field; for example, ou=Groups,ou=SomeDomain,o=sun,c=us. Solaris ISP Server expects group entries to be located under a Groups node in a domain or organization.


    Tip -

    If the parent is visible in the tree on the left of Deja's screen, select it and click Get from Browser.


  4. Choose the cn attribute for the group's relative distinguished name, and enter the name of the group. The cn attribute is case-insensitive.

  5. Click Next Step.

  6. Choose the object class groupOfNames, and click Next Step.

  7. Set values for the following mandatory attributes:

    • cn: enter the name of the group. The cn attribute is case-insensitive.


      Note -

      It may appear that the cn attribute must be set twice. The first step sets the entry's relative distinguished name. This step actually sets the commonName attribute. Enter the same value.


    • member: enter the distinguished name of the first member and click Add. Assign one member attribute and value for each actual member of the group. Each entry is the distinguished name of an ispSubscriber entry.

  8. Click Done.

    The message "Entry successfully created" appears in the Deja message box. Your entry appears in the directory tree graph on the left of the Deja screen.
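Because each member value must be the distinguished name of an existing ispSubscriber entry, it is worth checking a proposed group before creating it. The following Python is an added example, not code from the Solaris ISP Server guide: the in-memory directory is a constructed stand-in, and naming subscribers with a uid attribute under ou=People is an assumption of this example.

```python
# Added example, not code from the Solaris ISP Server guide: check a proposed
# groupOfNames entry before creating it, confirming that every member DN
# names an existing ispSubscriber entry as the section above requires.
# The directory below is a constructed stand-in (dn -> attributes); the uid
# naming of subscribers is an assumption of this example.

def norm(dn):
    """Compare DNs case-insensitively with spaces after commas removed."""
    return ",".join(p.strip() for p in dn.lower().split(","))

# Constructed sample directory: two subscribers under ou=People and one
# plain person entry that must not be accepted as a group member.
DIRECTORY = {
    "uid=alice,ou=People,ou=eng,o=sun,c=us": {"objectClass": ["ispSubscriber"]},
    "uid=bob,ou=People,ou=eng,o=sun,c=us": {"objectClass": ["ispSubscriber"]},
    "cn=guest,ou=People,ou=eng,o=sun,c=us": {"objectClass": ["person"]},
}

def check_group(group_dn, members, directory):
    """Return problems with a proposed groupOfNames entry; empty means it can be created."""
    index = {norm(dn): attrs for dn, attrs in directory.items()}
    problems = []
    if not members:
        problems.append("%s: groupOfNames needs at least one member" % group_dn)
    for member in members:
        attrs = index.get(norm(member))
        if attrs is None:
            problems.append("%s: member %r does not exist" % (group_dn, member))
        elif "ispsubscriber" not in [c.lower() for c in attrs.get("objectClass", [])]:
            problems.append("%s: member %r is not an ispSubscriber entry" % (group_dn, member))
    return problems
```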