The ldapservercfg utility uses the values of openldap service properties to configure the server, both when used interactively and when used non-interactively.
Use this procedure to change the credential names and passwords before initial configuration.
The password (passwd) properties are not used when running ldapservercfg interactively.
Use slappasswd to create password hashes. See the slappasswd(8oldap) man page.
    # slappasswd -h "{SSHA}"
    New password: yoursecret
    Reenter new password: yoursecret
    {SSHA}password-hash
Use the editprop tool as shown in Using editprop to Modify openldap Service Properties, or use the svccfg setprop command as shown in the following example.
    # svccfg -s ldap/server:openldap
    svc:/network/ldap/server:openldap> setprop cred/backend_passwd = astring: "{SSHA}password-hash"
    svc:/network/ldap/server:openldap> setprop cred/proxy_passwd = astring: "{SSHA}password-hash"
    svc:/network/ldap/server:openldap> setprop cred/admin_passwd = astring: "{SSHA}password-hash"
    svc:/network/ldap/server:openldap> refresh
    svc:/network/ldap/server:openldap> quit
Using the svccfg editprop command to modify service property values presents all properties that you can edit and their current values in your editor ($EDITOR). For more information about editprop, see Invoking a Property Editor in Managing System Services in Oracle Solaris 11.4.
The following command opens an editor on the properties of the openldap service:
    # svccfg -s ldap/server:openldap editprop
When you issue the preceding command, your editor opens with content very similar to the following content:
    ##
    ## Change property values by removing the leading '#' from the
    ## appropriate lines and editing the values.  svccfg subcommands
    ## such as delprop can also be added to the script.
    ##
    ## Property group "config"
    ## The following properties are defined in the selected instance
    ## (svc:/network/ldap/server:openldap)
    ##
    ## Hostname and Port
    ##
    # setprop config/urls = astring: ("ldap:///" "ldaps:///" "ldapi:///")
    # setprop config/value_authorization = astring: solaris.smf.value.name-service.ldap.server
    ## Property group "cred"
    ## The following properties are defined in the selected instance
    ## (svc:/network/ldap/server:openldap)
    ##
    ## Admin Common Name
    ##
    # setprop cred/admin_cn = astring: admin
    ##
    ## Admin Password
    ##
    # setprop cred/admin_passwd =
    ##
    ## Backend Common Name
    ##
    # setprop cred/backend_cn = astring: Manager
    ##
    ## Backend Password
    ##
    # setprop cred/backend_passwd =
    ##
    ## Proxy Common Name
    ##
    # setprop cred/proxy_cn = astring: proxyagent
    ##
    ## Proxy Password
    ##
    # setprop cred/proxy_passwd =
    # setprop cred/read_authorization = astring: solaris.smf.read.name-service.ldap.server
    # setprop cred/stability = astring: Evolving
    # setprop cred/value_authorization = astring: solaris.smf.value.name-service.ldap.server
    ## Property group "profile"
    ## Property group "profile/default"
    ## The following properties are defined in the selected instance
    ## (svc:/network/ldap/server:openldap)
    ##
    ## Authentication Method(s)
    ##
    # setprop profile/default/authentication_method = astring: tls:simple
    ##
    ## Credential Level(s)
    ##
    # setprop profile/default/credential_level = astring: proxy
    ##
    ## Search Base
    ##
    # setprop profile/default/search_base = astring: "dc=example,dc=com"
    ##
    ## Search Scope
    ##
    # setprop profile/default/search_scope = astring: one
    ##
    ## Server List
    ##
    # setprop profile/default/server_list =
    ##
    ## Service Search Descriptor(s)
    ##
    # setprop profile/default/service_search_descriptor =
    # setprop profile/default/value_authorization = astring: solaris.smf.value.name-service.ldap.server
    ## Uncomment to apply these changes to this instance.
    # refresh
The following partial file shows how to change the passwords and the search base:
    ##
    ## Admin Password
    ##
    setprop cred/admin_passwd = astring: {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
    ##
    ## Backend Password
    ##
    setprop cred/backend_passwd = astring: {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
    ##
    ## Proxy Password
    ##
    setprop cred/proxy_passwd = astring: {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
    ##
    ## Search Base
    ##
    setprop profile/default/search_base = astring: "dc=sample,dc=example,dc=com"
    ## Uncomment to apply these changes to this instance.
    refresh
After you exit your editor, use the following command to verify the changes you made:
    # svcprop -p cred -p profile ldap/server:openldap
    cred/admin_cn astring admin
    cred/admin_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
    cred/backend_cn astring Manager
    cred/backend_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
    cred/proxy_cn astring proxyagent
    cred/proxy_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
    cred/read_authorization astring solaris.smf.read.name-service.ldap.server
    cred/stability astring Evolving
    cred/value_authorization astring solaris.smf.value.name-service.ldap.server
    profile/default/authentication_method astring tls:simple
    profile/default/credential_level astring proxy
    profile/default/search_base astring dc=sample,dc=example,dc=com
    profile/default/search_scope astring one
    profile/default/server_list astring
    profile/default/service_search_descriptor astring
    profile/default/value_authorization astring solaris.smf.value.name-service.ldap.server
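As an added example that is not part of the Oracle documentation, the following Python reproduces the {SSHA} layout that slappasswd emits (base64 of the SHA-1 digest followed by a 4-byte salt), verifies a candidate password against such a hash, and scans svcprop output so that a cred/*_passwd property that was left empty or holds a plaintext value is caught before ldapservercfg is run non-interactively. The svcprop sample is constructed from the output above, with one value deliberately broken.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed svcprop -p cred sample: the page's two hashes plus a deliberately bad proxy value
SVCPROP_OUTPUT = """\
cred/admin_cn astring admin
cred/admin_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
cred/backend_cn astring Manager
cred/backend_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
cred/proxy_cn astring proxyagent
cred/proxy_passwd astring not-a-hash
"""

def ssha_hash(password, salt=None):
    # Same layout slappasswd -h "{SSHA}" emits: base64(SHA1(pw || salt) || salt)
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def decode_ssha(value):
    # Split an {SSHA} string into (digest, salt); None if malformed
    if not value.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(value[6:], validate=True)
    except binascii.Error:
        return None
    return (raw[:20], raw[20:]) if len(raw) > 20 else None  # 20-byte SHA-1 + salt

def ssha_verify(password, value):
    # True when password matches the {SSHA} value (constant-time digest compare)
    parts = decode_ssha(value)
    if parts is None:
        return False
    digest, salt = parts
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def audit_passwd_props(svcprop_text):
    # True per cred/*_passwd property only if its value is a well-formed {SSHA} hash
    result = {}
    for line in svcprop_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].endswith("_passwd"):
            continue
        value = parts[2] if len(parts) == 3 else ""
        result[parts[0]] = decode_ssha(value) is not None
    return result
```

Feed the real output of `svcprop -p cred ldap/server:openldap` to audit_passwd_props to confirm every password property carries a hash before running ldapservercfg; ssha_verify lets you confirm offline that a stored hash belongs to the password you intended.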
The output from the following ldapservercfg command shows that the changes to the credential and profile properties have been applied:
    $ /usr/sbin/ldapservercfg -a openldap
    TLS CA certificate directory: /etc/openldap/certs
    TLS CA certificate file: /etc/certs/ca-certificates.crt
    TLS public certificate file: /etc/openldap/certs/certdb.pem
    TLS private key file: /etc/openldap/certs/server.key
    Starting server…Succeeded.
    The server is set as a master server.

                  Summary of Configuration

      1  Profile name to create          : default
      2  Base DN to setup                : dc=sample,dc=example,dc=com
      3  Default Search Scope            : one
      4  Default Server List             : abc.example.com
      5  Credential Level                : proxy
      6  Authentication Method           : tls:simple
      7  Enable crypt password storage   : True
      8  Enable shadow update            : True
      9  Service Search Descriptors Menu

    = Begin Directory Server Configuration =
    1. Schema "{4}solaris" has been created.
    2. Schema "{5}kerberos" has been created.
    3. Adding suffix…
    4. Suffix dc=sample,dc=example,dc=com successfully created.
    5. ACIs was added for suffix "dc=sample,dc=example,dc=com".
       Entry "people" was added into the directory.
       Entry "group" was added into the directory.
       Entry "rpc" was added into the directory.
       Entry "protocols" was added into the directory.
       Entry "networks" was added into the directory.
       Entry "aliases" was added into the directory.
       Entry "hosts" was added into the directory.
       Entry "services" was added into the directory.
       Entry "ethers" was added into the directory.
       Entry "profile" was added into the directory.
       Entry "printers" was added into the directory.
       Entry "netgroup" was added into the directory.
       Entry "projects" was added into the directory.
       Entry "SolarisAuthAttr" was added into the directory.
       Entry "SolarisProfAttr" was added into the directory.
       Entry "Timezone" was added into the directory.
       Entry "ipTnet" was added into the directory.
    6. Top level "ou" containers complete.
       Entry "auto_home" was added into the directory.
       Entry "auto_direct" was added into the directory.
       Entry "auto_master" was added into the directory.
       Entry "auto_shared" was added into the directory.
    7. automount maps: ['auto_home', 'auto_direct', 'auto_master', 'auto_shared'] processed.
    8. Proxy Agent cn=proxyagent,ou=profile,dc=sample,dc=example,dc=com added.
    9. Administrator identity cn=admin,ou=profile,dc=sample,dc=example,dc=com added.
    10. Give "cn=admin,ou=profile,dc=sample,dc=example,dc=com" read/write access to shadow data.
    11. Generated client profile and loaded on server.
    12. Overlay ppolicy has been already activated.
        ppolicy overlay added successfully.
        Default password policy was added into the directory.
    13. Setup indexes …
        Checking indexes for server "abc.example.com":
    14. Index uidNumber successfully created.
    15. Index ipNetworkNumber successfully created.
    16. Index gidnumber successfully created.
    17. Index oncrpcnumber successfully created.
    18. Index automountKey successfully created.
    19. Index uid successfully created.
    20. Index krbPrincipalName successfully created.
    21. Index membernisnetgroup successfully created.
    = End Directory Server Configuration =
    Setup LDAP server is complete.