This section describes commands that are used to determine the state of the LDAP client environment. For additional information about the command options, see the related man pages.
For information about Service Management Facility (SMF), refer to Managing System Services in Oracle Solaris 11.4. Also refer to the svcadm(8) and svcs(1) man pages for more details.
The ldap_cachemgr daemon must be online and functioning correctly at all times for the system to work. When you set up and start the LDAP client service, svc:/network/ldap/client, the client SMF method automatically starts the ldap_cachemgr daemon.
To view the state of the service, use the svcs command.
# svcs \*ldap\*
STATE          STIME    FMRI
disabled       Aug_24   svc:/network/ldap/client:default
To view all information about the service, use the -l option.
# svcs -l network/ldap/client:default
fmri         svc:/network/ldap/client:default
name         LDAP Name Service Client
enabled      false
state        disabled
next_state   none
state_time   Thu Oct 20 23:04:11 2011
logfile      /var/svc/log/network-ldap-client:default.log
restarter    svc:/system/svc/restarter:default
contract_id
manifest     /lib/svc/manifest/network/ldap/client.xml
manifest     /lib/svc/manifest/milestone/config.xml
manifest     /lib/svc/manifest/network/network-location.xml
manifest     /lib/svc/manifest/system/name-service/upgrade.xml
dependency   optional_all/none svc:/milestone/config (online)
dependency   optional_all/none svc:/network/location:default (online)
dependency   require_all/none svc:/system/filesystem/minimal (online)
dependency   require_all/none svc:/network/initial (online)
dependency   require_all/restart svc:/network/nis/domain (online)
dependency   optional_all/none svc:/system/manifest-import (online)
dependency   require_all/none svc:/milestone/unconfig (online)
dependency   optional_all/none svc:/system/name-service/upgrade (online)
To view more extensive status information, which is useful for diagnosing a problem, pass the -g option to ldap_cachemgr.
# /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level            0
server log file               "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 2144
SMF service state: online

cachemgr cache data statistics:
  Configuration refresh information:
    Previous refresh time: 2021/09/16 11:32:05
    Next refresh time:     2021/09/28 10:17:43
  Server information:
    Previous refresh time: 2021/09/28 09:47:47
    Next refresh time:     2021/09/28 10:02:47
    server: aldap.example.com, ODSEE/RAWSSL, status: UP
      vendor: Oracle Corporation, version: Sun-Directory-Server/11.1.1.7.181016
      last seen: 2021/09/28 09:47:47, round trip: 604.094 ms
    server: bldap.example.com, ODSEE/RAWSSL, status: UP
      vendor: Oracle Corporation, version: Sun-Directory-Server/11.1.1.7.181016
      last seen: 2021/09/28 09:47:47, round trip: 630.718 ms
    server: cldap.example.com, ODPS/RAWSSL, status: ERROR
      error message: Can't connect to the LDAP server
  Cache data information:
    Maximum cache entries:   256
    Number of cache entries: 0
If the ldap_cachemgr daemon is disabled, use the svcadm enable network/ldap/client command to enable the daemon.
For more information about the ldap_cachemgr daemon, see the ldap_cachemgr(8) man page.
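The ldap_cachemgr -g report is the quickest place to see whether the daemon is online and which directory servers it cannot reach, so it is worth checking mechanically on a fleet of clients. The following script is an added example, not part of the Oracle documentation or of the ldap_cachemgr tool: it parses a constructed copy of the report shown above (same layout, same sample hosts) and flags a service state other than online and every server whose status is not UP. The function names (smf_state, server_status, unreachable_servers, check_ldap_cachemgr) are this example's own.

```shell
#!/bin/sh
# Added example: parse "ldap_cachemgr -g" output and report problems.
# Not Oracle's code; the report below is a constructed sample in the
# format shown in this section.

# Constructed sample report (on a real client, pipe the daemon's output
# into check_ldap_cachemgr instead).
sample_output() {
cat <<'EOF'
cachemgr configuration:
server debug level            0
server log file               "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 2144
SMF service state: online

cachemgr cache data statistics:
  Configuration refresh information:
    Previous refresh time: 2021/09/16 11:32:05
    Next refresh time:     2021/09/28 10:17:43
  Server information:
    Previous refresh time: 2021/09/28 09:47:47
    Next refresh time:     2021/09/28 10:02:47
    server: aldap.example.com, ODSEE/RAWSSL, status: UP
      vendor: Oracle Corporation, version: Sun-Directory-Server/11.1.1.7.181016
      last seen: 2021/09/28 09:47:47, round trip: 604.094 ms
    server: bldap.example.com, ODSEE/RAWSSL, status: UP
      vendor: Oracle Corporation, version: Sun-Directory-Server/11.1.1.7.181016
      last seen: 2021/09/28 09:47:47, round trip: 630.718 ms
    server: cldap.example.com, ODPS/RAWSSL, status: ERROR
      error message: Can't connect to the LDAP server
  Cache data information:
    Maximum cache entries:   256
    Number of cache entries: 0
EOF
}

# Print the value of the "SMF service state:" line (for example "online").
smf_state() {
    awk -F': ' '/^SMF service state:/ { print $2; exit }'
}

# Print one "<host> <status>" line per "server:" entry in the report.
server_status() {
    awk '/^ *server: / {
        host = $2; sub(/,$/, "", host)   # strip the trailing comma
        print host, $NF                   # last field is the status word
    }'
}

# Print the hosts whose status is anything other than UP.
unreachable_servers() {
    server_status | awk '$2 != "UP" { print $1 }'
}

# Read a full report on stdin and print one WARNING line per problem.
check_ldap_cachemgr() {
    report=$(cat)
    state=$(printf '%s\n' "$report" | smf_state)
    if [ "$state" != "online" ]; then
        echo "WARNING: ldap_cachemgr SMF service state is '${state:-unknown}'"
    fi
    printf '%s\n' "$report" | unreachable_servers | while read -r host; do
        echo "WARNING: directory server $host is not reachable"
    done
}

# Run the check against the constructed sample; prints one warning for
# cldap.example.com.
sample_output | check_ldap_cachemgr
```

On a Solaris client the same check runs as /usr/lib/ldap/ldap_cachemgr -g | check_ldap_cachemgr. A server that stays in ERROR while the others are UP usually points at a host-specific problem (the server itself, a firewall rule, or its certificate), whereas all servers in ERROR together with a non-online service state is more often a client-side configuration fault.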
Become a superuser or assume an equivalent role, and use the ldapclient command with the list subcommand to view the current profile information. You can also use the svccfg or svcprop commands to obtain the current profile information.
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 192.0.2.1, 192.0.2.10
NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= 192.0.2.1
NS_LDAP_PROFILE= pit1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=west,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 5
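Beyond confirming that a profile exists, the ldapclient list output tells you how the proxy credentials travel to the server: NS_LDAP_AUTH= simple is a plain simple bind, which protects the bind password only if the connection itself is encrypted, while tls:* methods and sasl/GSSAPI protect it on the wire. The script below is an added example, not Oracle's code, that reads a constructed copy of the output above (with a placeholder bind password) and summarises the servers, authentication method and credential level together with a risk label. It assumes, based on the ldaps:// URI that appears later in this section, that a server entry written as an ldaps:// URI denotes an encrypted connection; the function names profile_value, auth_risk and audit_profile are this example's own.

```shell
#!/bin/sh
# Added example: audit the authentication settings in "ldapclient list"
# output. Not Oracle's code; the profile below is a constructed sample
# and the bind password value is a placeholder, not a real credential.

sample_profile() {
cat <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}PLACEHOLDER
NS_LDAP_SERVERS= 192.0.2.1, 192.0.2.10
NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= 192.0.2.1
NS_LDAP_PROFILE= pit1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=west,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 5
EOF
}

# Print the value of one NS_LDAP_* attribute read from stdin (first match).
# Lines have the form "KEY= value", so split on "= ".
profile_value() {
    awk -v key="$1" -F'= ' '$1 == key { print $2; exit }'
}

# Classify how the bind credential is protected.
#   $1: NS_LDAP_AUTH value, $2: NS_LDAP_SERVERS value
# Assumption (this example's own): an ldaps:// server URI means the
# connection is encrypted even for a simple bind.
auth_risk() {
    case "$1" in
        tls:*|sasl/GSSAPI) echo "protected" ;;
        sasl/*)            echo "challenge-response" ;;
        simple)
            case "$2" in
                *ldaps://*) echo "simple-over-ldaps" ;;
                *)          echo "cleartext-bind" ;;
            esac ;;
        none)              echo "anonymous" ;;
        *)                 echo "unknown" ;;
    esac
}

# Read a whole profile on stdin and print a one-line summary.
audit_profile() {
    profile=$(cat)
    auth=$(printf '%s\n' "$profile" | profile_value NS_LDAP_AUTH)
    servers=$(printf '%s\n' "$profile" | profile_value NS_LDAP_SERVERS)
    level=$(printf '%s\n' "$profile" | profile_value NS_LDAP_CREDENTIAL_LEVEL)
    printf 'servers=%s auth=%s credential_level=%s risk=%s\n' \
        "$servers" "$auth" "$level" "$(auth_risk "$auth" "$servers")"
}

# Summarise the constructed sample; the plain simple bind to bare IP
# addresses is reported as cleartext-bind.
sample_profile | audit_profile
```

On a live client the same audit is ldapclient list | audit_profile, run with the authorization described at the end of this section. A cleartext-bind result means the proxy password crosses the network unencrypted on every bind, so the profile should be moved to a tls: method or to servers reached over LDAPS.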
Use the ldaplist command to verify whether communication exists between the LDAP client and the LDAP server.
To display all the containers of the DIT on the server, use the ldaplist command without options.
To display the contents of the specific database, use the ldaplist database command, for example, ldaplist passwd username or ldaplist host hostname.
To query a directory server from a system that is not yet configured as an LDAP client, use the ldapsearch command. The information that is displayed depends on the search filter you use. The following example lists all of the containers in the DIT (replace ldapuri with the URI of your server):
# ldapsearch -H ldapuri -b "dc=west,dc=example,dc=com" -s one "objectclass=*"
For a list of options and filters that you can use with the ldapsearch command, see the ldapsearch(1oldap) man page.
For the LDAP client services to function correctly, ensure that the svc:/system/name-service/cache service is enabled and online, and that the nscd daemon is running.
# svcs name-service/cache
STATE          STIME    FMRI
online         10:58:21 svc:/system/name-service/cache:default
A user who lacks the authorization described below sees an error such as the following when running ldaplist:
$ ldaplist 2>&1 | fmt -s
ldaplist: libsldap.so.1 internal error Partial results due to timeout: LDAP
ERROR (50): Error occurred while receiving results. Insufficient access.
and libldap returned: (50) VLV Control using ldaps://ldaps.example.com:636
Access to the LDAP credentials is restricted to users and programs that have the solaris.smf.value.name-service.ldap.client authorization. Without this authorization, a user can perform only those LDAP server lookups that do not require credentials. This restriction applies to any tool that uses the LDAP naming service configuration, such as ldaplist.
Note that any user can use the getent command to retrieve LDAP information. Such lookups occur inside nscd, which has access to the credentials.