LDAP Client Profiles
To simplify client setup and avoid re-entering the same information for each
client, create a single client profile on the directory server. A single profile
then defines the configuration for every client that uses it, and any later
change to the profile attributes is propagated to those clients at the rate set
by the refresh interval (profileTTL).
Client profiles are stored in a well-known location on the LDAP server. The root
DN for the given domain must have the object class nisDomainObject and a
nisDomain attribute containing the client's domain. All profiles are located in
the ou=profile container beneath that root DN, and they must be readable
anonymously.
Because a profile is read without authentication, it must carry configuration
only and never credentials: the proxy and administrator DNs and passwords are
local client attributes (Table 9-3) set with ldapclient on each client, not
profile attributes.
Client Profile Attributes
The following table shows the Solaris LDAP client's profile attributes, which can be
set automatically when you run idsconfig. See Initializing a Client Manually and the idsconfig(1M) man page for
information on how to set a client profile manually.
Table 9-2 Client Profile Attributes
Attribute | Description
cn | The profile name. This attribute has no default value and must be specified.
preferredServerList | A space-separated list of the addresses of the preferred servers. Use IP addresses, not host names. The servers in this list are tried in order, before those in defaultServerList, until a connection succeeds. No default value; at least one server must be specified in either preferredServerList or defaultServerList.
defaultServerList | A space-separated list of the addresses of the default servers. Use IP addresses, not host names. After the servers in preferredServerList have been tried, the default servers on the client's subnet are tried, followed by the remaining default servers, until a connection is made. No default value; at least one server must be specified in either preferredServerList or defaultServerList.
defaultSearchBase | The DN relative to which the well-known containers are located. No default value. Can be overridden for a given service by the serviceSearchDescriptor attribute.
defaultSearchScope | The scope of the client's searches. Possible values are one or sub. The default is one (a one-level search). Can be overridden for a given service by the serviceSearchDescriptor attribute.
authenticationMethod | The authentication method the client uses to bind to the directory. The default is none (anonymous bind). A service without its own serviceAuthenticationMethod uses this value.
credentialLevel | The type of credentials the client presents when it authenticates: anonymous, proxy, or self (also called per-user). The default is anonymous.
serviceSearchDescriptor | Defines how and where the client searches for a naming database, for example whether it looks in one or more points in the DIT. By default no SSDs are defined.
serviceAuthenticationMethod | The authentication method the client uses for the specified service. By default no service authentication methods are defined; a service without a serviceAuthenticationMethod falls back to the value of authenticationMethod.
attributeMap | Attribute mappings used by the client. By default no attributeMap is defined.
objectclassMap | Object class mappings used by the client. By default no objectclassMap is defined.
searchTimeLimit | Maximum time, in seconds, the client waits for a search to complete before timing out. This does not affect the time the LDAP server allows for a search to complete. The default is 30 seconds.
bindTimeLimit | Maximum time, in seconds, the client waits for a bind to complete before timing out. The default is 30 seconds.
followReferrals | Whether the client follows LDAP referrals. Possible values are TRUE or FALSE. The default is TRUE.
profileTTL | Time, in seconds, between refreshes of the client profile from the LDAP server by ldap_cachemgr(1M). The default is 43200 seconds (12 hours). A value of 0 means the profile is never refreshed, so later changes on the server do not reach the client.
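The constraints in Table 9-2 are easy to get wrong when a profile is written by hand, so the following added example (not part of the Solaris documentation or tools) parses a profile entry in LDIF form and checks it against those rules, plus two checks a security reviewer would add: credentials must not appear in an anonymously readable profile, and a clear-text simple bind is flagged. The DUAConfigProfile object class, the optional ":port" suffix on server addresses, the warning for credentialLevel proxy without an authentication method, and both sample profiles are assumptions constructed for the example.

```python
"""Validate a Solaris-style LDAP client profile (LDIF) against Table 9-2.
Added example, not Solaris code. The DUAConfigProfile object class, the
':port' suffix handling and the sample profiles are assumptions."""
import ipaddress

REQUIRED = ("cn", "defaultSearchBase")          # no default value in the table
# Credentials are local client attributes (Table 9-3); a profile is read
# anonymously, so they must never be stored in it.
SECRET_ATTRS = ("proxyDN", "proxyPassword", "adminDN", "adminPassword")
INT_ATTRS = ("searchTimeLimit", "bindTimeLimit", "profileTTL")


def parse_ldif(text):
    """Minimal LDIF reader for one entry: attribute name -> list of values.
    A line starting with a space continues the previous value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def _is_address(token):
    """True if token is an IP literal, optionally 'ipv4:port' (assumed form)."""
    host = token.rsplit(":", 1)[0] if token.count(":") == 1 else token
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_profile(text):
    """Return a list of (severity, message); severity is 'error' or 'warn'."""
    a = parse_ldif(text)
    first = lambda k: a.get(k, [""])[0]
    out = []
    for k in REQUIRED:
        if not first(k):
            out.append(("error", f"{k} has no default and must be set"))
    for k in SECRET_ATTRS:
        if k in a:
            out.append(("error", f"{k} is a local client attribute, not a profile attribute"))
    servers = (first("preferredServerList") + " " + first("defaultServerList")).split()
    if not servers:
        out.append(("error", "preferredServerList or defaultServerList must list a server"))
    for s in servers:
        if not _is_address(s):
            out.append(("error", f"server '{s}' is not an IP address (no host names)"))
    if first("defaultSearchScope") not in ("", "one", "sub"):
        out.append(("error", "defaultSearchScope must be one or sub"))
    if first("credentialLevel") not in ("", "anonymous", "proxy", "self"):
        out.append(("error", "credentialLevel must be anonymous, proxy or self"))
    if first("followReferrals") not in ("", "TRUE", "FALSE"):
        out.append(("error", "followReferrals must be TRUE or FALSE"))
    for k in INT_ATTRS:
        if first(k) and not first(k).isdigit():
            out.append(("error", f"{k} must be a non-negative number of seconds"))
    if first("profileTTL") == "0":
        out.append(("warn", "profileTTL 0: the profile is never refreshed on clients"))
    auth = first("authenticationMethod")
    if auth == "simple":
        out.append(("warn", "simple bind sends the password in clear text; use tls:simple"))
    if first("credentialLevel") == "proxy" and auth in ("", "none"):
        out.append(("warn", "credentialLevel proxy with authenticationMethod none binds anonymously"))
    return out


# Constructed sample profiles (not real deployments).
GOOD_PROFILE = """dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
cn: default
preferredServerList: 192.0.2.10 192.0.2.11:389
defaultServerList: 2001:db8::20
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
authenticationMethod: tls:simple
credentialLevel: proxy
serviceSearchDescriptor: passwd:ou=people,?one
searchTimeLimit: 30
bindTimeLimit: 10
followReferrals: TRUE
profileTTL: 43200
"""

BAD_PROFILE = """dn: cn=bad,ou=profile,dc=example,dc=com
cn: bad
preferredServerList: ldap1.example.com
defaultSearchBase: dc=example,dc=com
defaultSearchScope: base
authenticationMethod: simple
credentialLevel: proxy
proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
proxyPassword: hunter2
profileTTL: 0
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        for sev, msg in validate_profile(text) or [("ok", "no findings")]:
            print(f"{name}: {sev}: {msg}")
```

Run it against the LDIF you are about to load with ldapadd; an empty list means the entry satisfies every constraint the table states and carries no secrets.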
Local Client Attributes
The following table lists the client attributes that can be set locally using
ldapclient. See the ldapclient(1M) man page for more information.
Table 9-3 Local Client Attributes
Attribute | Description
adminDN | The distinguished name of the administrator entry used for the admin credential. If enableShadowUpdate is true on the client system and credentialLevel is anything other than self, adminDN must be specified.
adminPassword | The password of the administrator entry used for the admin credential. If enableShadowUpdate is true on the client system and credentialLevel is anything other than self, adminPassword must be defined.
domainName | The client's domain name, which becomes the default domain for the client system. This attribute has no default value and must be specified.
proxyDN | The distinguished name of the proxy entry. If the client system is configured with a credentialLevel of proxy, proxyDN must be specified.
proxyPassword | The password of the proxy entry. If the client system is configured with a credentialLevel of proxy, proxyPassword must be defined.
certificatePath | The directory on the local file system that contains the certificate databases. This attribute is used when authenticationMethod or serviceAuthenticationMethod specifies TLS. The default value is /var/ldap.
Note - If the BaseDN in an SSD ends with a trailing comma, it is treated as
relative to defaultSearchBase: the value of defaultSearchBase is appended to the
BaseDN before the search is performed.
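The trailing-comma rule above is the kind of detail that silently sends a search to the wrong subtree when it is misread, so the following added example (not Solaris code) works it through. It assumes an SSD is written as service:baseDN?scope with the ?scope part optional, and it also covers the two neighbouring cases the note does not spell out: an empty BaseDN, which falls back to defaultSearchBase, and a BaseDN without a trailing comma, which is taken as an absolute DN.

```python
"""Resolve the effective search base and scope of a serviceSearchDescriptor.
Added example, not Solaris code. Assumes the form service:baseDN?scope;
the ?scope part is optional and defaults to defaultSearchScope."""


def parse_ssd(ssd):
    """Split 'service:baseDN?scope' into (service, baseDN, scope-or-None)."""
    service, _, rest = ssd.partition(":")
    base, _, scope = rest.partition("?")
    return service.strip(), base.strip(), (scope.strip() or None)


def resolve_base(base_dn, default_search_base):
    """Apply the trailing-comma rule from the note above."""
    if base_dn == "":
        return default_search_base              # no BaseDN: use the default
    if base_dn.endswith(","):
        return base_dn + default_search_base    # relative: append the default
    return base_dn                              # absolute DN, used as given


def effective_search(ssd, default_search_base, default_scope="one"):
    """Return (service, search base, scope) the client would actually use."""
    service, base, scope = parse_ssd(ssd)
    return service, resolve_base(base, default_search_base), scope or default_scope


if __name__ == "__main__":
    base = "dc=example,dc=com"                  # constructed defaultSearchBase
    for ssd in ("passwd:ou=people,?one",
                "group:ou=groups,dc=corp,dc=example,dc=com?sub",
                "hosts:?sub"):
        print(ssd, "->", effective_search(ssd, base))
```

The relative form is what lets one profile serve several domains whose defaultSearchBase differs; the absolute form pins the service to a single subtree regardless of the client's default.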