Go to main content

Working With Oracle® Solaris 11.4 Directory and Naming Services: LDAP

Exit Print View

Updated: January 2019
 
 

Configuring the OpenLDAP Server for LDAP Clients

The ldapservercfg utility can configure an OpenLDAP server instance interactively or with default settings read from an SMF service instance.

Ensure that the following requirements are met:

  • The /usr/sbin/ldapservercfg utility is installed.

  • The python-ldap-27 package is installed.

  • The dnspython package is installed.

By default, the Oracle Solaris OpenLDAP server instance uses Online Configuration (OLC) instead of the legacy configuration file slapd.conf.

  • When OLC exists, the ldap/server:openldap service starts the slapd daemon using the OLC configuration. After running ldapservercfg openldap, LDAP configuration is contained in /etc/openldap/slapd.d.

  • When OLC is not available, the ldap/server:openldap service uses a plain configuration file, /etc/openldap/slapd.conf. This slapd.conf file is useful for manually configuring OpenLDAP or for migrating from another server.

How to Configure an OpenLDAP Server With Settings from SMF

The –a option of ldapservercfg can be used to configure OpenLDAP with no human interaction; ldapservercfg reads required configuration values from property values of the ldap/server:openldap SMF service.

If the ldap/server:openldap service is online and no OpenLDAP configuration exists in /etc/openldap, then the service executes the following command:

# ldapservercfg -a openldap

The server is configured using property values of the service. If the values of the service properties have not been changed from their default values, the directory is configured to serve the distinguished name dc=example,dc=com. See the default configuration shown below in Step 2.

  1. Check that the service is disabled and no OpenLDAP configuration exists.
    $ svcs ldap/server:openldap
    STATE          STIME    FMRI
    disabled       Jun_17   svc:/network/ldap/server:openldap

    The following files and directories must not exist or must be empty:

    • The /etc/openldap/slapd.conf legacy configuration file does not exist.

    • The /etc/openldap/slapd.d directory does not exist.

    • The /etc/openldap/certs directory does not exist.

    • The /var/openldap/openldap-data directory is empty.

  2. Check the default SMF properties for the openldap service.
    1. Check credential properties.
      $ svcprop -p cred ldap/server:openldap
      cred/admin_cn astring admin
      cred/admin_passwd astring ""
      cred/backend_cn astring Manager
      cred/backend_passwd astring ""
      cred/proxy_cn astring proxyagent
      cred/proxy_passwd astring ""
      cred/read_authorization astring solaris.smf.read.name-service.ldap.server
      cred/stability astring Evolving
      cred/value_authorization astring solaris.smf.value.name-service.ldap.server

      If backend_passwd is not specified, root password is used. If admin_passwd is not specified, the admin account is not created. If proxy_passwd is not specified, the proxyagent account is not created.

    2. Check the LDAP Name Service Profile data.

      These values are used to configure the DIT and default profiles used by ldapclient.

      $ svcprop -p profile/default ldap/server:openldap
      profile/default/authentication_method astring tls:simple
      profile/default/credential_level astring proxy
      profile/default/search_base astring dc=example,dc=com
      profile/default/search_scope astring one
      profile/default/server_list astring ""
      profile/default/service_search_descriptor astring ""
      profile/default/value_authorization astring solaris.smf.value.name-service.ldap.server

      For more information about these values, see the ldapclient(8) and ldapservercfg(8) man pages.

  3. (Optional) Configure the openldap service as required.

    This step is necessary unless you want a server for dc=example,dc=com. See Configuring openldap Service Properties.

  4. Use the ldapservercfg utility to configure the OpenLDAP server.

    The following example of configuration using openldap service property values shows performing this configuration as the openldap user. You can perform this OpenLDAP server configuration as any user that is assigned the OpenLDAP Server Administration rights profile.

    $ su - openldap
    $ /usr/sbin/ldapservercfg -a openldap
      TLS CA certificate directory: /etc/openldap/certs
      TLS CA certificate file: /etc/certs/ca-certificates.crt
      TLS public certificate file: /etc/openldap/certs/certdb.pem
      TLS private key file: /etc/openldap/certs/server.key  Starting server...Succeeded.
    
      The server is set as a master server.
    
    WARNING: The client profile credential_level is proxy, but there is no
             'cred/proxy_passwd' provided, can't create proxy account, will
             use anonymous credential level instead.
    
    
                    Summary of Configuration
    
      1  Profile name to create        : default
      2  Base DN to setup              : dc=example,dc=com
      3  Default Search Scope          : one
      4  Default Server List           : abc.example.com
      5  Credential Level              : anonymous
      6  Authentication Method         : tls:none
      7  Enable crypt password storage : True
      8  Enable shadow update          : False
      9  Service Search Descriptors Menu
    
    
      == Begin Directory Server Configuration ==
    
      1. Schema "{4}solaris" has been created.
      2. Schema "{5}kerberos" has been created.
      3. Adding suffix...
      4. Suffix dc=example,dc=com successfully created.
      5. ACIs was added for suffix "dc=example,dc=com".
         Entry "people" was added into the directory.
         Entry "group" was added into the directory.
         Entry "rpc" was added into the directory.
         Entry "protocols" was added into the directory.
         Entry "networks" was added into the directory.
         Entry "aliases" was added into the directory.
         Entry "hosts" was added into the directory.
         Entry "services" was added into the directory.
         Entry "ethers" was added into the directory.
         Entry "profile" was added into the directory.
         Entry "printers" was added into the directory.
         Entry "netgroup" was added into the directory.
         Entry "projects" was added into the directory.
         Entry "SolarisAuthAttr" was added into the directory.
         Entry "SolarisProfAttr" was added into the directory.
         Entry "Timezone" was added into the directory.
         Entry "ipTnet" was added into the directory.
      6. Top level "ou" containers complete.
         Entry "auto_home" was added into the directory.
         Entry "auto_direct" was added into the directory.
         Entry "auto_master" was added into the directory.
         Entry "auto_shared" was added into the directory.
      7. automount maps: ['auto_home', 'auto_direct', 'auto_master', 'auto_shared'] processed.
      8. Generated client profile and loaded on server.
      9. Overlay ppolicy has been already activated.
         ppolicy overlay added successfully.
         Default password policy was added into the directory.
      10. Setup indexes ...
         Checking indexes for server "abc.example.com":
      11. Index uidNumber successfully created.
      12. Index ipNetworkNumber successfully created.
      13. Index gidnumber successfully created.
      14. Index oncrpcnumber successfully created.
      15. Index automountKey successfully created.
      16. Index uid successfully created.
      17. Index krbPrincipalName successfully created.
      18. Index membernisnetgroup successfully created.
    
      == End Directory Server Configuration ==
    
    
      Setup LDAP server is complete.

How to Configure OpenLDAP Server Interactively

The ldapservercfg openldap command (no –a option) prompts you for settings. Default values are taken from openldap service property values as discussed in Configuring openldap Service Properties.

  1. Switch to the openldap user.

    The following example of interactive configuration using openldap service property values shows performing this configuration as the openldap user. You can perform this OpenLDAP server configuration as any user that is assigned the OpenLDAP Server Administration rights profile.

    $ su - openldap
  2. Use the ldapservercfg utility to configure the OpenLDAP server.

    Provide information as prompted.

    $ /usr/sbin/ldapservercfg openldap
    
    Do you want to configure this server as a master server? (yes/[no]) [yes]
    Do you want to start server with TLS support? (yes/[no]) [no] yes
      TLS CA certificate directory: /etc/openldap/certs
      TLS CA certificate file: /etc/certs/ca-certificates.crt
      TLS public certificate file: /etc/openldap/certs/certdb.pem
      TLS private key file: /etc/openldap/certs/server.key
    Starting server...Succeeded.
    Enter LDAP Search Base: [dc=example,dc=com] dc=scdev,dc=sfbay,dc=sun,dc=com
    Enter the directory manager CN: [Manager]
    Enter password for cn=Manager,dc=scdev,dc=sfbay,dc=sun,dc=com:
    Re-enter password:
    
      The server is set as a master server.
    
    The following are the supported credential levels:
      1 anonymous
      2 proxy
    
    
    Choose Credential level [h=help]: [1] 2
    Enter CN for proxy agent: [proxyagent]
    Enter password for proxy agent:
    Re-enter password:
    
    The following are the supported Authentication Methods:
      1 simple
      2 tls:simple
    
    Choose Authentication Method: [1] 2
    Do you want to enable shadow update? (yes/[no]) [yes]
    Enter CN for the administrator: [admin]
    Enter password for the administrator:
    Re-enter password:
    
    Do you wish to setup Service Search Descriptors? (yes/[no])  [no]
    
    Summary of Configuration
    
      1  Profile name to create        : default
      2  Base DN to setup              : dc=scdev,dc=sfbay,dc=sun,dc=com
      3  Default Search Scope          : sub
      4  Default Server List           : abc.example.com
      5  Credential Level              : proxy
      6  Authentication Method         : tls:simple
      7  Enable crypt password storage : True
      8  Enable shadow update          : True
      9  Service Search Descriptors Menu
    
    Enter config value to change: (1-9 0=commit changes) [0]
    WARNING: About to start committing changes. (yes/[no]) yes
    
    == Begin Directory Server Configuration ==
    
    1. Schema "{4} solaris" has been created.
    2. Schema "{5} kerberos" has been created.
    3. Adding suffix...
    4. Suffix dc=scdev,dc=sfbay,dc=sun,dc=com successfully created.
    5. ACIs was added for suffix "dc=scdev,dc=sfbay,dc=sun,dc=com".
       Entry "people" was added into the directory.
       Entry "group" was added into the directory.
       Entry "rpc" was added into the directory.
       Entry "protocols" was added into the directory.
       Entry "networks" was added into the directory.
       Entry "aliases" was added into the directory.
       Entry "hosts" was added into the directory.
       Entry "services" was added into the directory.
       Entry "ethers" was added into the directory.
       Entry "profile" was added into the directory.
       Entry "printers" was added into the directory.
       Entry "netgroup" was added into the directory.
       Entry "projects" was added into the directory.
       Entry "SolarisAuthAttr" was added into the directory.
       Entry "SolarisProfAttr" was added into the directory.
       Entry "Timezone" was added into the directory.
       Entry "ipTnet" was added into the directory.
    6. Top level "ou" containers complete.
       Entry "auto_home" was added into the directory.
       Entry "auto_direct" was added into the directory.
       Entry "auto_master" was added into the directory.
       Entry "auto_shared" was added into the directory.
    7. automount maps: ['auto_home', 'auto_direct', 'auto_master', 'auto_shared'] processed.
    8. Proxy Agent cn=proxyagent,ou=profile,dc=scdev,dc=sfbay,dc=sun,dc=com added.
    9. Administrator identity cn=admin,ou=profile,dc=scdev,dc=sfbay,dc=sun,dc=com added.
    10. Give "cn=admin,ou=profile,dc=scdev,dc=sfbay,dc=sun,dc=com" read/write access to shadow data.
    11. Generated client profile and loaded on server.
    12. Overlay ppolicy has been already activated.
       ppolicy overlay added successfully.
       Default password policy was added into the directory.
    13. Setup indexes ...
       Checking indexes for server "abc.example.com":
    14. Index uidNumber successfully created.
    15. Index ipNetworkNumber successfully created.
    16. Index gidnumber successfully created.
    17. Index oncrpcnumber successfully created.
    18. Index automountKey successfully created.
    19. Index uid successfully created.
    20. Index krbPrincipalName successfully created.
    21. Index membernisnetgroup successfully created.
    
    == End Directory Server Configuration ==
    
    Setup LDAP server is complete.