
Working With Oracle® Solaris 11.4 Directory and Naming Services: LDAP


Updated: November 2020
 
 

Configuring the OpenLDAP Server for LDAP Clients

The ldapservercfg utility configures an OpenLDAP server instance either interactively or non-interactively, taking its defaults from the properties of the ldap/server:openldap SMF service instance.

Ensure that the following requirements are met:

  • The /usr/sbin/ldapservercfg utility is installed.

  • The python-ldap-27 package is installed.

  • The dnspython package is installed.

By default, the Oracle Solaris OpenLDAP server instance uses Online Configuration (OLC) instead of the legacy configuration file slapd.conf.

  • When OLC exists, the ldap/server:openldap service starts the slapd daemon using the OLC configuration. After running ldapservercfg openldap, LDAP configuration is contained in /etc/openldap/slapd.d.

  • When OLC is not available, the ldap/server:openldap service uses a plain configuration file, /etc/openldap/slapd.conf. This slapd.conf file is useful for manually configuring OpenLDAP or for migrating from another server.

How to Configure an OpenLDAP Server With Settings from SMF

The -a option of ldapservercfg configures OpenLDAP with no human interaction: ldapservercfg reads every required value from the properties of the ldap/server:openldap SMF service instance.

When the ldap/server:openldap service is started and no OpenLDAP configuration exists in /etc/openldap, the service itself runs the following command:

# ldapservercfg -a openldap

The server is configured from the property values of the service. If those properties still hold their default values, the directory is configured to serve the suffix dc=example,dc=com and, because the default credential passwords are empty, the generated client profile falls back to the anonymous credential level (see the WARNING in the example output in Step 4). The default values are shown in Step 2.

  1. Check that the service is disabled and no OpenLDAP configuration exists.
    $ svcs ldap/server:openldap
    STATE          STIME    FMRI
    disabled       Jun_17   svc:/network/ldap/server:openldap

    The following files and directories must not exist, or must be empty:

    • The legacy configuration file /etc/openldap/slapd.conf must not exist.

    • The /etc/openldap/slapd.d directory must not exist.

    • The /etc/openldap/certs directory must not exist.

    • The /var/openldap/openldap-data directory must be empty.

  2. Check the default SMF properties for the openldap service.
    1. Check credential properties.
      $ svcprop -p cred ldap/server:openldap
      cred/admin_cn astring admin
      cred/admin_passwd astring ""
      cred/backend_cn astring Manager
      cred/backend_passwd astring ""
      cred/proxy_cn astring proxyagent
      cred/proxy_passwd astring ""
      cred/read_authorization astring solaris.smf.read.name-service.ldap.server
      cred/stability astring Evolving
      cred/value_authorization astring solaris.smf.value.name-service.ldap.server

      If cred/backend_passwd is not specified, the root password is used for the directory manager (cn=Manager by default); set it explicitly so that the directory manager credential is not tied to the root password. If cred/admin_passwd is not specified, the admin account is not created. If cred/proxy_passwd is not specified, the proxyagent account is not created and, as the WARNING in Step 4 shows, the generated client profile is demoted from credential level proxy to anonymous and from authentication method tls:simple to tls:none. Values in the cred property group can be read only by users holding the solaris.smf.read.name-service.ldap.server authorization.

    2. Check the LDAP Name Service Profile data.

      These values define the directory information tree (DIT) that ldapservercfg creates and the default client profile that ldapclient consumes.

      $ svcprop -p profile/default ldap/server:openldap
      profile/default/authentication_method astring tls:simple
      profile/default/credential_level astring proxy
      profile/default/search_base astring dc=example,dc=com
      profile/default/search_scope astring one
      profile/default/server_list astring ""
      profile/default/service_search_descriptor astring ""
      profile/default/value_authorization astring solaris.smf.value.name-service.ldap.server

      For more information about these values, see the ldapclient(8) and ldapservercfg(8) man pages.

  3. (Optional) Configure the openldap service as required.

    Skip this step only if you want a server for the default suffix dc=example,dc=com with the default property values shown in Step 2. Otherwise, set the properties before running ldapservercfg; see Configuring openldap Service Properties.

  4. Use the ldapservercfg utility to configure the OpenLDAP server.

    The following example configures the server from the openldap service property values while running as the openldap user. Any user who is assigned the OpenLDAP Server Administration rights profile can perform this configuration.

    $ su - openldap
    $ /usr/sbin/ldapservercfg -a openldap
      TLS CA certificate directory: /etc/openldap/certs
      TLS CA certificate file: /etc/certs/ca-certificates.crt
      TLS public certificate file: /etc/openldap/certs/certdb.pem
      TLS private key file: /etc/openldap/certs/server.key
    Starting server...Succeeded.
    
      The server is set as a master server.
    
    WARNING: The client profile credential_level is proxy, but there is no
             'cred/proxy_passwd' provided, can't create proxy account, will
             use anonymous credential level instead.
    
    
                    Summary of Configuration
    
      1  Profile name to create        : default
      2  Base DN to setup              : dc=example,dc=com
      3  Default Search Scope          : one
      4  Default Server List           : abc.example.com
      5  Credential Level              : anonymous
      6  Authentication Method         : tls:none
      7  Enable crypt password storage : True
      8  Enable shadow update          : False
      9  Service Search Descriptors Menu
    
    
      == Begin Directory Server Configuration ==
    
      1. Schema "{4}solaris" has been created.
      2. Schema "{5}kerberos" has been created.
      3. Adding suffix...
      4. Suffix dc=example,dc=com successfully created.
      5. ACIs was added for suffix "dc=example,dc=com".
         Entry "people" was added into the directory.
         Entry "group" was added into the directory.
         Entry "rpc" was added into the directory.
         Entry "protocols" was added into the directory.
         Entry "networks" was added into the directory.
         Entry "aliases" was added into the directory.
         Entry "hosts" was added into the directory.
         Entry "services" was added into the directory.
         Entry "ethers" was added into the directory.
         Entry "profile" was added into the directory.
         Entry "printers" was added into the directory.
         Entry "netgroup" was added into the directory.
         Entry "projects" was added into the directory.
         Entry "SolarisAuthAttr" was added into the directory.
         Entry "SolarisProfAttr" was added into the directory.
         Entry "Timezone" was added into the directory.
         Entry "ipTnet" was added into the directory.
      6. Top level "ou" containers complete.
         Entry "auto_home" was added into the directory.
         Entry "auto_direct" was added into the directory.
         Entry "auto_master" was added into the directory.
         Entry "auto_shared" was added into the directory.
      7. automount maps: ['auto_home', 'auto_direct', 'auto_master', 'auto_shared'] processed.
      8. Generated client profile and loaded on server.
      9. Overlay ppolicy has been already activated.
         ppolicy overlay added successfully.
         Default password policy was added into the directory.
      10. Setup indexes ...
         Checking indexes for server "abc.example.com":
      11. Index uidNumber successfully created.
      12. Index ipNetworkNumber successfully created.
      13. Index gidnumber successfully created.
      14. Index oncrpcnumber successfully created.
      15. Index automountKey successfully created.
      16. Index uid successfully created.
      17. Index krbPrincipalName successfully created.
      18. Index membernisnetgroup successfully created.
    
      == End Directory Server Configuration ==
    
    
      Setup LDAP server is complete.

How to Configure OpenLDAP Server Interactively

The ldapservercfg openldap command (no -a option) prompts you for each setting. Default values are taken from the openldap service properties, as discussed in Configuring openldap Service Properties.

  1. Switch to the openldap user.

    The following example configures the server interactively from the openldap service property values while running as the openldap user. Any user who is assigned the OpenLDAP Server Administration rights profile can perform this configuration.

    $ su - openldap
  2. Use the ldapservercfg utility to configure the OpenLDAP server.

    Provide information as prompted.

    $ /usr/sbin/ldapservercfg openldap
    
    Do you want to configure this server as a master server? (yes/[no]) [yes]
    Do you want to start server with TLS support? (yes/[no]) [no] yes
      TLS CA certificate directory: /etc/openldap/certs
      TLS CA certificate file: /etc/certs/ca-certificates.crt
      TLS public certificate file: /etc/openldap/certs/certdb.pem
      TLS private key file: /etc/openldap/certs/server.key
    Starting server...Succeeded.
    Enter LDAP Search Base: [dc=example,dc=com] dc=scdev,dc=sfbay,dc=sun,dc=com
    Enter the directory manager CN: [Manager]
    Enter password for cn=Manager,dc=scdev,dc=sfbay,dc=sun,dc=com:
    Re-enter password:
    
      The server is set as a master server.
    
    The following are the supported credential levels:
      1 anonymous
      2 proxy
    
    
    Choose Credential level [h=help]: [1] 2
    Enter CN for proxy agent: [proxyagent]
    Enter password for proxy agent:
    Re-enter password:
    
    The following are the supported Authentication Methods:
      1 simple
      2 tls:simple
    
    Choose Authentication Method: [1] 2
    Do you want to enable shadow update? (yes/[no]) [yes]
    Enter CN for the administrator: [admin]
    Enter password for the administrator:
    Re-enter password:
    
    Do you wish to setup Service Search Descriptors? (yes/[no])  [no]
    
    Summary of Configuration
    
      1  Profile name to create        : default
      2  Base DN to setup              : dc=scdev,dc=sfbay,dc=sun,dc=com
      3  Default Search Scope          : sub
      4  Default Server List           : abc.example.com
      5  Credential Level              : proxy
      6  Authentication Method         : tls:simple
      7  Enable crypt password storage : True
      8  Enable shadow update          : True
      9  Service Search Descriptors Menu
    
    Enter config value to change: (1-9 0=commit changes) [0]
    WARNING: About to start committing changes. (yes/[no]) yes
    
    == Begin Directory Server Configuration ==
    
    1. Schema "{4}solaris" has been created.
    2. Schema "{5}kerberos" has been created.
    3. Adding suffix...
    4. Suffix dc=scdev,dc=sfbay,dc=sun,dc=com successfully created.
    5. ACIs was added for suffix "dc=scdev,dc=sfbay,dc=sun,dc=com".
       Entry "people" was added into the directory.
       Entry "group" was added into the directory.
       Entry "rpc" was added into the directory.
       Entry "protocols" was added into the directory.
       Entry "networks" was added into the directory.
       Entry "aliases" was added into the directory.
       Entry "hosts" was added into the directory.
       Entry "services" was added into the directory.
       Entry "ethers" was added into the directory.
       Entry "profile" was added into the directory.
       Entry "printers" was added into the directory.
       Entry "netgroup" was added into the directory.
       Entry "projects" was added into the directory.
       Entry "SolarisAuthAttr" was added into the directory.
       Entry "SolarisProfAttr" was added into the directory.
       Entry "Timezone" was added into the directory.
       Entry "ipTnet" was added into the directory.
    6. Top level "ou" containers complete.
       Entry "auto_home" was added into the directory.
       Entry "auto_direct" was added into the directory.
       Entry "auto_master" was added into the directory.
       Entry "auto_shared" was added into the directory.
    7. automount maps: ['auto_home', 'auto_direct', 'auto_master', 'auto_shared'] processed.
    8. Proxy Agent cn=proxyagent,ou=profile,dc=scdev,dc=sfbay,dc=sun,dc=com added.
    9. Administrator identity cn=admin,ou=profile,dc=scdev,dc=sfbay,dc=sun,dc=com added.
    10. Give "cn=admin,ou=profile,dc=scdev,dc=sfbay,dc=sun,dc=com" read/write access to shadow data.
    11. Generated client profile and loaded on server.
    12. Overlay ppolicy has been already activated.
       ppolicy overlay added successfully.
       Default password policy was added into the directory.
    13. Setup indexes ...
       Checking indexes for server "abc.example.com":
    14. Index uidNumber successfully created.
    15. Index ipNetworkNumber successfully created.
    16. Index gidnumber successfully created.
    17. Index oncrpcnumber successfully created.
    18. Index automountKey successfully created.
    19. Index uid successfully created.
    20. Index krbPrincipalName successfully created.
    21. Index membernisnetgroup successfully created.
    
    == End Directory Server Configuration ==
    
    Setup LDAP server is complete.
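A post-configuration check for either procedure above, added here as an example that is not part of the Oracle documentation. Before pointing clients at the server it verifies that the profile ldapservercfg loaded actually binds as the proxy agent over TLS rather than the anonymous/tls:none fallback, and that an anonymous bind cannot read password hashes under ou=people. It assumes ldapsearch from the OpenLDAP client tools is installed, that the profile entry is cn=default,ou=profile,<base> carrying the DUAConfigProfile attributes credentialLevel and authenticationMethod, and that the host name, base DN and the two embedded LDIF samples are constructed placeholders, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: verify what
# ldapservercfg committed. ASSUMPTIONS: ldapsearch is installed; the
# profile is cn=default,ou=profile,<base> with DUAConfigProfile
# attributes; host, base DN and the sample LDIF below are constructed.

# First value of attribute $1 from LDIF on stdin. Attribute names are
# case-insensitive; base64 ("::") values are not decoded.
ldif_attr() {
    awk -v want="$1" 'BEGIN { want = tolower(want) }
        index($0, ":") {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) { sub(/^[^:]*: */, ""); print; exit }
        }'
}

# Return 0 only if the profile on stdin binds as the proxy agent over TLS.
# A profile reading anonymous / tls:none (what -a produces when
# cred/proxy_passwd is empty) makes every client look up unauthenticated.
profile_is_hardened() {
    ldif=$(cat)
    level=$(printf '%s\n' "$ldif" | ldif_attr credentialLevel)
    method=$(printf '%s\n' "$ldif" | ldif_attr authenticationMethod)
    if [ "$level" = proxy ] && [ "$method" = "tls:simple" ]; then
        return 0
    fi
    echo "profile not hardened: credentialLevel=${level:-unset}" \
         "authenticationMethod=${method:-unset}" >&2
    return 1
}

# Live checks against the configured server. -ZZ makes ldapsearch require
# StartTLS and fail on an unverifiable certificate, so a broken
# /etc/openldap/certs shows up here rather than on the first client.
verify_server() {
    server=$1 base=$2
    ldapsearch -ZZ -x -H "ldap://$server" -s base \
        -b "cn=default,ou=profile,$base" credentialLevel authenticationMethod |
        profile_is_hardened || return 1
    # The ACIs written by ldapservercfg must keep password hashes from
    # anonymous readers; if this trips, inspect olcAccess in /etc/openldap/slapd.d.
    if ldapsearch -ZZ -x -H "ldap://$server" -b "ou=people,$base" userPassword 2>/dev/null |
       grep -qi '^userPassword:'; then
        echo "anonymous bind can read userPassword under ou=people,$base" >&2
        return 1
    fi
    echo "server $server verified for $base"
}

# Constructed samples of ldapsearch output (not captured from a server),
# used to exercise the check offline.
GOOD_PROFILE='dn: cn=default,ou=profile,dc=corp,dc=example,dc=com
objectClass: DUAConfigProfile
cn: default
defaultSearchBase: dc=corp,dc=example,dc=com
defaultServerList: ldap1.corp.example.com
credentialLevel: proxy
authenticationMethod: tls:simple'

DEMOTED_PROFILE='dn: cn=default,ou=profile,dc=corp,dc=example,dc=com
objectClass: DUAConfigProfile
cn: default
credentialLevel: anonymous
authenticationMethod: tls:none'

# Usage: sh verify-openldap.sh ldap1.corp.example.com dc=corp,dc=example,dc=com
if [ $# -ge 2 ]; then
    verify_server "$1" "$2"
else
    printf '%s\n' "$GOOD_PROFILE" | profile_is_hardened && echo "sample good profile: ok"
    printf '%s\n' "$DEMOTED_PROFILE" | profile_is_hardened || echo "sample demoted profile: rejected"
fi
```

Run it with the server host and base DN as arguments on the configured host; with no arguments it only exercises the profile check against the two embedded samples. A demoted profile is the case to watch for after a non-interactive run with empty cred passwords; the interactive run above asks for the proxy agent password and so produces the proxy/tls:simple profile the check accepts.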