Working With Oracle® Solaris 11.4 Directory and Naming Services: LDAP

Updated: November 2020

Configuring openldap Service Properties

The ldapservercfg utility uses the values of openldap service properties to configure the server, both when used interactively and when used non-interactively.

How to Specify Credentials

Use this procedure to change the credential names and passwords before initial configuration.

The password (passwd) properties are not used when running ldapservercfg interactively.

  1. Create password hashes.

    Use slappasswd to create password hashes. See the slappasswd(8oldap) man page.

    # slappasswd -h "{SSHA}"
    New password: yoursecret
    Re-enter new password: yoursecret
    {SSHA}password-hash
  2. Store the hashes in relevant SMF properties.

    Use the editprop tool as shown in Using editprop to Modify openldap Service Properties, or use the svccfg setprop command as shown in the following example.

    # svccfg -s ldap/server:openldap
    svc:/network/ldap/server:openldap> setprop cred/backend_passwd = astring: "{SSHA}password-hash"
    svc:/network/ldap/server:openldap> setprop cred/proxy_passwd = astring: "{SSHA}password-hash"
    svc:/network/ldap/server:openldap> setprop cred/admin_passwd = astring: "{SSHA}password-hash"
    svc:/network/ldap/server:openldap> refresh
    svc:/network/ldap/server:openldap> quit

Using editprop to Modify openldap Service Properties

Using the svccfg editprop command to modify service property values presents all properties that you can edit and their current values in your editor ($EDITOR). For more information about editprop, see Invoking a Property Editor in Managing System Services in Oracle Solaris 11.4.

The following command opens an editor on the properties of the openldap service:

# svccfg -s ldap/server:openldap editprop

When you issue the preceding command, your editor opens with content similar to the following:

##
## Change property values by removing the leading '#' from the
## appropriate lines and editing the values. svccfg subcommands
## such as delprop can also be added to the script.
##

## Property group "config"
## The following properties are defined in the selected instance
## (svc:/network/ldap/server:openldap)

##
## Hostname and Port
##
# setprop config/urls = astring: ("ldap:///" "ldaps:///" "ldapi:///")
# setprop config/value_authorization = astring: solaris.smf.value.name-service.ldap.server

## Property group "cred"
## The following properties are defined in the selected instance
## (svc:/network/ldap/server:openldap)

##
## Admin Common Name
##
# setprop cred/admin_cn = astring: admin

##
## Admin Password
##
# setprop cred/admin_passwd =

##
## Backend Common Name
##
# setprop cred/backend_cn = astring: Manager

##
## Backend Password
##
# setprop cred/backend_passwd =

##
## Proxy Common Name
##
# setprop cred/proxy_cn = astring: proxyagent

##
## Proxy Password
##
# setprop cred/proxy_passwd =
# setprop cred/read_authorization = astring: solaris.smf.read.name-service.ldap.server
# setprop cred/stability = astring: Evolving
# setprop cred/value_authorization = astring: solaris.smf.value.name-service.ldap.server

## Property group "profile"

## Property group "profile/default"
## The following properties are defined in the selected instance
## (svc:/network/ldap/server:openldap)

##
## Authentication Method(s)
##
# setprop profile/default/authentication_method = astring: tls:simple

##
## Credential Level(s)
##
# setprop profile/default/credential_level = astring: proxy

##
## Search Base
##
# setprop profile/default/search_base = astring: "dc=example,dc=com"

##
## Search Scope
##
# setprop profile/default/search_scope = astring: one

##
## Server List
##
# setprop profile/default/server_list =

##
## Service Search Descriptor(s)
##
# setprop profile/default/service_search_descriptor =
# setprop profile/default/value_authorization = astring: solaris.smf.value.name-service.ldap.server

## Uncomment to apply these changes to this instance.
# refresh

The following partial file shows how to change the passwords and the search base:

##
## Admin Password
##
setprop cred/admin_passwd = astring: {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD

##
## Backend Password
##
setprop cred/backend_passwd = astring: {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD

##
## Proxy Password
##
setprop cred/proxy_passwd = astring: {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD

##
## Search Base
##
setprop profile/default/search_base = astring: "dc=sample,dc=example,dc=com"

## Uncomment to apply these changes to this instance.
refresh

After you exit your editor, use the following command to verify the changes you made:

# svcprop -p cred -p profile ldap/server:openldap
cred/admin_cn astring admin
cred/admin_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
cred/backend_cn astring Manager
cred/backend_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
cred/proxy_cn astring proxyagent
cred/proxy_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
cred/read_authorization astring solaris.smf.read.name-service.ldap.server
cred/stability astring Evolving
cred/value_authorization astring solaris.smf.value.name-service.ldap.server
profile/default/authentication_method astring tls:simple
profile/default/credential_level astring proxy
profile/default/search_base astring dc=sample,dc=example,dc=com
profile/default/search_scope astring one
profile/default/server_list astring
profile/default/service_search_descriptor astring
profile/default/value_authorization astring solaris.smf.value.name-service.ldap.server
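The following Python script is an added example; it is not part of the Oracle documentation and not an Oracle tool. It reproduces the {SSHA} format that slappasswd -h "{SSHA}" emits (base64 of sha1(password + salt) followed by the salt), so that a stored hash can be checked against the password it was generated from, and it parses svcprop output of the form shown above to flag any *_passwd property that is empty or does not hold a well-formed {SSHA} value (for example, a cleartext password pasted by mistake). The function names, the 4-byte salt size, and the abridged sample output with a cleartext proxy_passwd are assumptions constructed for illustration; the hash string itself is the one shown in the svcprop output above.

```python
"""Check {SSHA} hashes and the password properties of ldap/server:openldap.

Added example, not Oracle code. Function names and sample inputs are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20
SALT_LEN = 4  # assumption: salt size used by slappasswd for {SSHA}


def ssha_hash(password, salt=None):
    """Build an RFC 2307 style value: {SSHA} + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def _split_ssha(stored):
    """Return (digest, salt) for a well-formed {SSHA} value, or None."""
    if not stored.startswith(SSHA_PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= SHA1_LEN:  # need a full digest plus at least one salt byte
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def is_well_formed_ssha(stored):
    return _split_ssha(stored) is not None


def ssha_verify(password, stored):
    """Constant-time check of a candidate password against a stored {SSHA} value."""
    parts = _split_ssha(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def parse_svcprop(output):
    """Parse 'name type value' lines from svcprop into {name: value}.

    A property printed with no value (such as an unset server_list) maps to "".
    """
    props = {}
    for line in output.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 2:
            continue
        value = fields[2] if len(fields) == 3 else ""
        props[fields[0]] = value
    return props


def audit_password_props(props):
    """Return {property: problem} for every *_passwd property that is not a {SSHA} hash."""
    problems = {}
    for name, value in props.items():
        if not name.endswith("_passwd"):
            continue
        if value == "":
            problems[name] = "empty"
        elif not is_well_formed_ssha(value):
            problems[name] = "not a well-formed {SSHA} hash (cleartext or typo?)"
    return problems


# Abridged from the svcprop output above (the hash string is the one shown there).
SAMPLE_SVCPROP_OUTPUT = """\
cred/admin_cn astring admin
cred/admin_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
cred/backend_cn astring Manager
cred/backend_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
cred/proxy_cn astring proxyagent
cred/proxy_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD
profile/default/search_base astring dc=sample,dc=example,dc=com
profile/default/server_list astring
"""

# Constructed variant: proxy_passwd holds a cleartext password instead of a hash.
CLEARTEXT_SVCPROP_OUTPUT = SAMPLE_SVCPROP_OUTPUT.replace(
    "cred/proxy_passwd astring {SSHA}j9X9QwojnqelDhdl2qR6+OeWkkNVCRSD",
    "cred/proxy_passwd astring yoursecret",
)

if __name__ == "__main__":
    stored = ssha_hash("yoursecret")  # constructed password from the procedure above
    print(stored, ssha_verify("yoursecret", stored))
    for prop, why in audit_password_props(parse_svcprop(CLEARTEXT_SVCPROP_OUTPUT)).items():
        print(f"{prop}: {why}")
```

On a live system, feed the output of `svcprop -p cred -p profile ldap/server:openldap` to parse_svcprop and run audit_password_props over the result before running ldapservercfg non-interactively; an empty or cleartext *_passwd property is exactly the kind of mistake that editprop makes easy to introduce.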

The output from the following ldapservercfg command shows that the changes to the credential and profile properties have been applied:

$ /usr/sbin/ldapservercfg -a openldap
TLS CA certificate directory: /etc/openldap/certs
TLS CA certificate file: /etc/certs/ca-certificates.crt
TLS public certificate file: /etc/openldap/certs/certdb.pem
TLS private key file: /etc/openldap/certs/server.key
Starting server…Succeeded.

The server is set as a master server.

              Summary of Configuration

1 Profile name to create : default
2 Base DN to setup : dc=sample,dc=example,dc=com
3 Default Search Scope : one
4 Default Server List : abc.example.com
5 Credential Level : proxy
6 Authentication Method : tls:simple
7 Enable crypt password storage : True
8 Enable shadow update : True
9 Service Search Descriptors Menu

= Begin Directory Server Configuration =

1. Schema "{4}solaris" has been created.
2. Schema "{5}kerberos" has been created.
3. Adding suffix…
4. Suffix dc=sample,dc=example,dc=com successfully created.
5. ACIs was added for suffix "dc=sample,dc=example,dc=com".
   Entry "people" was added into the directory.
   Entry "group" was added into the directory.
   Entry "rpc" was added into the directory.
   Entry "protocols" was added into the directory.
   Entry "networks" was added into the directory.
   Entry "aliases" was added into the directory.
   Entry "hosts" was added into the directory.
   Entry "services" was added into the directory.
   Entry "ethers" was added into the directory.
   Entry "profile" was added into the directory.
   Entry "printers" was added into the directory.
   Entry "netgroup" was added into the directory.
   Entry "projects" was added into the directory.
   Entry "SolarisAuthAttr" was added into the directory.
   Entry "SolarisProfAttr" was added into the directory.
   Entry "Timezone" was added into the directory.
   Entry "ipTnet" was added into the directory.
6. Top level "ou" containers complete.
   Entry "auto_home" was added into the directory.
   Entry "auto_direct" was added into the directory.
   Entry "auto_master" was added into the directory.
   Entry "auto_shared" was added into the directory.
7. automount maps: ['auto_home', 'auto_direct', 'auto_master', 'auto_shared'] processed.
8. Proxy Agent cn=proxyagent,ou=profile,dc=sample,dc=example,dc=com added.
9. Administrator identity cn=admin,ou=profile,dc=sample,dc=example,dc=com added.
10. Give "cn=admin,ou=profile,dc=sample,dc=example,dc=com" read/write access to shadow data.
11. Generated client profile and loaded on server.
12. Overlay ppolicy has been already activated.
   ppolicy overlay added successfully.
   Default password policy was added into the directory.
13. Setup indexes …
   Checking indexes for server "abc.example.com":
14. Index uidNumber successfully created.
15. Index ipNetworkNumber successfully created.
16. Index gidnumber successfully created.
17. Index oncrpcnumber successfully created.
18. Index automountKey successfully created.
19. Index uid successfully created.
20. Index krbPrincipalName successfully created.
21. Index membernisnetgroup successfully created.

= End Directory Server Configuration =

Setup LDAP server is complete.