The ldapservercfg utility can configure an OpenLDAP server instance interactively or with default settings read from an SMF service instance.
Ensure that the following requirements are met:
The /usr/sbin/ldapservercfg utility is installed.
The python-ldap-27 package is installed.
The dnspython package is installed.
By default, the Oracle Solaris OpenLDAP server instance uses Online Configuration (OLC) instead of the legacy configuration file slapd.conf.
When OLC exists, the ldap/server:openldap service starts the slapd daemon using the OLC configuration. After running ldapservercfg openldap, LDAP configuration is contained in /etc/openldap/slapd.d.
When OLC is not available, the ldap/server:openldap service uses a plain configuration file, /etc/openldap/slapd.conf. This slapd.conf file is useful for manually configuring OpenLDAP or for migrating from another server.
The -a option of ldapservercfg configures OpenLDAP with no human interaction; ldapservercfg reads the required configuration values from the property values of the ldap/server:openldap SMF service.
If the ldap/server:openldap service is enabled and no OpenLDAP configuration exists in /etc/openldap, the service executes the following command when it starts:
# ldapservercfg -a openldap
The server is then configured from the property values of the service. If the service properties have not been changed from their default values, the directory is configured to serve the distinguished name dc=example,dc=com. See the default property values shown below.
Verify that the ldap/server:openldap service is disabled before you change its properties, so that it does not configure itself with the default values when it starts:

$ svcs ldap/server:openldap
STATE          STIME    FMRI
disabled       Jun_17   svc:/network/ldap/server:openldap
The following files and directories must not exist or must be empty:
The /etc/openldap/slapd.conf legacy configuration file does not exist.
The /etc/openldap/slapd.d directory does not exist.
The /etc/openldap/certs directory does not exist.
The /var/openldap/openldap-data directory is empty.
The credential properties of the service and their default values:

$ svcprop -p cred ldap/server:openldap
cred/admin_cn astring admin
cred/admin_passwd astring ""
cred/backend_cn astring Manager
cred/backend_passwd astring ""
cred/proxy_cn astring proxyagent
cred/proxy_passwd astring ""
cred/read_authorization astring solaris.smf.read.name-service.ldap.server
cred/stability astring Evolving
cred/value_authorization astring solaris.smf.value.name-service.ldap.server
If backend_passwd is not specified, the root password of the host is used as the password of the directory manager (cn=Manager under the search base). If admin_passwd is not specified, the admin account is not created, so shadow update stays disabled. If proxy_passwd is not specified, the proxyagent account is not created, and a client profile whose credential_level is proxy is downgraded to anonymous (see the warning in the automatic configuration example below).
These values are used to configure the DIT and default profiles used by ldapclient.
The default client profile properties of the service:

$ svcprop -p profile/default ldap/server:openldap
profile/default/authentication_method astring tls:simple
profile/default/credential_level astring proxy
profile/default/search_base astring dc=example,dc=com
profile/default/search_scope astring one
profile/default/server_list astring ""
profile/default/service_search_descriptor astring ""
profile/default/value_authorization astring solaris.smf.value.name-service.ldap.server
For more information about these values, see the ldapclient(8) and ldapservercfg(8) man pages.
Set the openldap service properties to the values for your site. This step is necessary unless you want a server for dc=example,dc=com. See Configuring openldap Service Properties.
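Before running the non-interactive configuration, it is worth predicting what the service properties will produce, because several empty defaults silently weaken the result (the root password becomes the directory manager password, no admin or proxy account is created, and a proxy profile falls back to anonymous). The following pre-flight check is an added example for this page, not Oracle's code and not part of ldapservercfg; it parses svcprop output (a constructed sample of the defaults shown above is embedded, and the live properties are read when svcprop is available) and applies the rules stated in the text. The fallback from tls:simple to tls:none is taken from the documented example run below.

```python
"""Pre-flight check for `ldapservercfg -a openldap`.

Added example; not Oracle's code and not part of ldapservercfg. It predicts
what the automatic configuration will commit from the cred and
profile/default properties of ldap/server:openldap, using the rules stated
in the documentation.
"""
import subprocess

SERVICE = "ldap/server:openldap"

# Constructed sample: the default values documented for the service, in the
# `name type value` form that svcprop prints (an empty astring prints as "").
DEFAULT_SVCPROP = """\
cred/admin_cn astring admin
cred/admin_passwd astring ""
cred/backend_cn astring Manager
cred/backend_passwd astring ""
cred/proxy_cn astring proxyagent
cred/proxy_passwd astring ""
profile/default/authentication_method astring tls:simple
profile/default/credential_level astring proxy
profile/default/search_base astring dc=example,dc=com
profile/default/search_scope astring one
profile/default/server_list astring ""
profile/default/service_search_descriptor astring ""
"""


def parse_svcprop(text):
    """Map svcprop output lines to {property name: value}.
    Only the "" used for empty astrings is unquoted; svcprop's backslash
    escapes in multi-word values are left as printed."""
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        value = parts[2] if len(parts) == 3 else ""
        props[parts[0]] = "" if value == '""' else value
    return props


def predict(props):
    """Return the configuration `ldapservercfg -a` would commit from these
    properties, plus the warnings a reviewer wants to see before committing."""
    get = lambda name, default="": props.get(name, default)
    base = get("profile/default/search_base")
    manager_dn = "cn=%s,%s" % (get("cred/backend_cn", "Manager"), base)
    warnings = []

    # Empty backend_passwd: the host's root password becomes the manager password.
    manager_pw_from_root = get("cred/backend_passwd") == ""
    if manager_pw_from_root:
        warnings.append("cred/backend_passwd is empty: the host's root password "
                        "becomes the password of " + manager_dn)

    # Empty admin_passwd: no admin account, so shadow update stays disabled.
    create_admin = get("cred/admin_passwd") != ""
    if not create_admin:
        warnings.append("cred/admin_passwd is empty: no admin account is created, "
                        "so shadow update stays disabled")

    # Empty proxy_passwd with a proxy profile: documented fallback to an
    # anonymous profile; the documented run shows the method becoming tls:none.
    create_proxy = get("cred/proxy_passwd") != ""
    cred_level = get("profile/default/credential_level")
    auth_method = get("profile/default/authentication_method")
    if cred_level == "proxy" and not create_proxy:
        cred_level, auth_method = "anonymous", "tls:none"
        warnings.append("cred/proxy_passwd is empty: credential_level proxy "
                        "falls back to anonymous with tls:none")

    if base == "dc=example,dc=com":
        warnings.append("search_base is still the default dc=example,dc=com")
    if auth_method == "simple":
        warnings.append("authentication_method simple: proxy credentials "
                        "cross the network without TLS")

    return {
        "base_dn": base,
        "directory_manager": manager_dn,
        "manager_password_from_root": manager_pw_from_root,
        "admin_dn": ("cn=%s,ou=profile,%s" % (get("cred/admin_cn", "admin"), base)
                     if create_admin else None),
        "proxy_dn": ("cn=%s,ou=profile,%s" % (get("cred/proxy_cn", "proxyagent"), base)
                     if create_proxy else None),
        "credential_level": cred_level,
        "authentication_method": auth_method,
        "warnings": warnings,
    }


def live_or_sample_properties():
    """Read the live properties with svcprop; fall back to the constructed
    sample when not running on a Solaris host."""
    try:
        out = subprocess.run(["svcprop", "-p", "cred", "-p", "profile/default", SERVICE],
                             capture_output=True, text=True, check=True)
        return out.stdout
    except (OSError, subprocess.CalledProcessError):
        return DEFAULT_SVCPROP


if __name__ == "__main__":
    result = predict(parse_svcprop(live_or_sample_properties()))
    for key, value in result.items():
        if key != "warnings":
            print("%-28s %s" % (key + ":", value))
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

Run as the openldap user (or any user holding the OpenLDAP Server Administration rights profile, since cred/read_authorization restricts reading the password properties); with the unchanged defaults it reports four warnings and an anonymous, tls:none profile, which is exactly what the automatic run below produces.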
The following example of configuration using openldap service property values shows performing this configuration as the openldap user. You can perform this OpenLDAP server configuration as any user that is assigned the OpenLDAP Server Administration rights profile.
$ su - openldap
$ /usr/sbin/ldapservercfg -a openldap
TLS CA certificate directory: /etc/openldap/certs
TLS CA certificate file: /etc/certs/ca-certificates.crt
TLS public certificate file: /etc/openldap/certs/certdb.pem
TLS private key file: /etc/openldap/certs/server.key
Starting server...Succeeded.
The server is set as a master server.
WARNING: The client profile credential_level is proxy, but there is no 'cred/proxy_passwd' provided,
         can't create proxy account, will use anonymous credential level instead.

Summary of Configuration

 1  Profile name to create        : default
 2  Base DN to setup              : dc=example,dc=com
 3  Default Search Scope          : one
 4  Default Server List           : abc.example.com
 5  Credential Level              : anonymous
 6  Authentication Method         : tls:none
 7  Enable crypt password storage : True
 8  Enable shadow update          : False
 9  Service Search Descriptors Menu

== Begin Directory Server Configuration ==
 1. Schema "{4}solaris" has been created.
 2. Schema "{5}kerberos" has been created.
 3. Adding suffix...
 4. Suffix dc=example,dc=com successfully created.
 5. ACIs was added for suffix "dc=example,dc=com".
    Entry "people" was added into the directory.
    Entry "group" was added into the directory.
    Entry "rpc" was added into the directory.
    Entry "protocols" was added into the directory.
    Entry "networks" was added into the directory.
    Entry "aliases" was added into the directory.
    Entry "hosts" was added into the directory.
    Entry "services" was added into the directory.
    Entry "ethers" was added into the directory.
    Entry "profile" was added into the directory.
    Entry "printers" was added into the directory.
    Entry "netgroup" was added into the directory.
    Entry "projects" was added into the directory.
    Entry "SolarisAuthAttr" was added into the directory.
    Entry "SolarisProfAttr" was added into the directory.
    Entry "Timezone" was added into the directory.
    Entry "ipTnet" was added into the directory.
 6. Top level "ou" containers complete.
    Entry "auto_home" was added into the directory.
    Entry "auto_direct" was added into the directory.
    Entry "auto_master" was added into the directory.
    Entry "auto_shared" was added into the directory.
 7. automount maps: ['auto_home', 'auto_direct', 'auto_master', 'auto_shared'] processed.
 8. Generated client profile and loaded on server.
 9. Overlay ppolicy has been already activated.
    ppolicy overlay added successfully.
    Default password policy was added into the directory.
10. Setup indexes ...
    Checking indexes for server "abc.example.com":
11. Index uidNumber successfully created.
12. Index ipNetworkNumber successfully created.
13. Index gidnumber successfully created.
14. Index oncrpcnumber successfully created.
15. Index automountKey successfully created.
16. Index uid successfully created.
17. Index krbPrincipalName successfully created.
18. Index membernisnetgroup successfully created.
== End Directory Server Configuration ==
Setup LDAP server is complete.
The ldapservercfg openldap command (no -a option) prompts you for each setting. The default value offered at each prompt is taken from the openldap service property values, as discussed in Configuring openldap Service Properties.
The following example of interactive configuration using openldap service property values shows performing this configuration as the openldap user. You can perform this OpenLDAP server configuration as any user that is assigned the OpenLDAP Server Administration rights profile.
$ su - openldap
Provide information as prompted.
$ /usr/sbin/ldapservercfg openldap
Do you want to configure this server as a master server? (yes/[no]) [yes]
Do you want to start server with TLS support? (yes/[no]) [no] yes
TLS CA certificate directory: /etc/openldap/certs
TLS CA certificate file: /etc/certs/ca-certificates.crt
TLS public certificate file: /etc/openldap/certs/certdb.pem
TLS private key file: /etc/openldap/certs/server.key
Starting server...Succeeded.
Enter LDAP Search Base: [dc=example,dc=com] dc=scdev,dc=sfbay,dc=sun,dc=com
Enter the directory manager CN: [Manager]
Enter password for cn=Manager,dc=scdev,dc=sfbay,dc=sun,dc=com:
Re-enter password:
The server is set as a master server.
The following are the supported credential levels:
  1  anonymous
  2  proxy
Choose Credential level [h=help]: [1] 2
Enter CN for proxy agent: [proxyagent]
Enter password for proxy agent:
Re-enter password:
The following are the supported Authentication Methods:
  1  simple
  2  tls:simple
Choose Authentication Method: [1] 2
Do you want to enable shadow update? (yes/[no]) [yes]
Enter CN for the administrator: [admin]
Enter password for the administrator:
Re-enter password:
Do you wish to setup Service Search Descriptors? (yes/[no]) [no]

Summary of Configuration

 1  Profile name to create        : default
 2  Base DN to setup              : dc=scdev,dc=sfbay,dc=sun,dc=com
 3  Default Search Scope          : sub
 4  Default Server List           : abc.example.com
 5  Credential Level              : proxy
 6  Authentication Method         : tls:simple
 7  Enable crypt password storage : True
 8  Enable shadow update          : True
 9  Service Search Descriptors Menu

Enter config value to change: (1-9 0=commit changes) [0]
WARNING: About to start committing changes. (yes/[no]) yes

== Begin Directory Server Configuration ==
 1. Schema "{4}solaris" has been created.
 2. Schema "{5}kerberos" has been created.
 3. Adding suffix...
 4. Suffix dc=scdev,dc=sfbay,dc=sun,dc=com successfully created.
 5. ACIs was added for suffix "dc=scdev,dc=sfbay,dc=sun,dc=com".
    Entry "people" was added into the directory.
    Entry "group" was added into the directory.
    Entry "rpc" was added into the directory.
    Entry "protocols" was added into the directory.
    Entry "networks" was added into the directory.
    Entry "aliases" was added into the directory.
    Entry "hosts" was added into the directory.
    Entry "services" was added into the directory.
    Entry "ethers" was added into the directory.
    Entry "profile" was added into the directory.
    Entry "printers" was added into the directory.
    Entry "netgroup" was added into the directory.
    Entry "projects" was added into the directory.
    Entry "SolarisAuthAttr" was added into the directory.
    Entry "SolarisProfAttr" was added into the directory.
    Entry "Timezone" was added into the directory.
    Entry "ipTnet" was added into the directory.
 6. Top level "ou" containers complete.
    Entry "auto_home" was added into the directory.
    Entry "auto_direct" was added into the directory.
    Entry "auto_master" was added into the directory.
    Entry "auto_shared" was added into the directory.
 7. automount maps: ['auto_home', 'auto_direct', 'auto_master', 'auto_shared'] processed.
 8. Proxy Agent cn=proxyagent,ou=profile,dc=scdev,dc=sfbay,dc=sun,dc=com added.
 9. Administrator identity cn=admin,ou=profile,dc=scdev,dc=sfbay,dc=sun,dc=com added.
10. Give "cn=admin,ou=profile,dc=scdev,dc=sfbay,dc=sun,dc=com" read/write access to shadow data.
11. Generated client profile and loaded on server.
12. Overlay ppolicy has been already activated.
    ppolicy overlay added successfully.
    Default password policy was added into the directory.
13. Setup indexes ...
    Checking indexes for server "abc.example.com":
14. Index uidNumber successfully created.
15. Index ipNetworkNumber successfully created.
16. Index gidnumber successfully created.
17. Index oncrpcnumber successfully created.
18. Index automountKey successfully created.
19. Index uid successfully created.
20. Index krbPrincipalName successfully created.
21. Index membernisnetgroup successfully created.
== End Directory Server Configuration ==
Setup LDAP server is complete.