Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, July 27, 2022

ldapservercfg (8)


ldapservercfg - prepare a directory server to be populated with data and serveLDAPclients


ldapservercfg [-avq] [-d debug-level] server-type


The ldapservercfg utility is used to configure and populate a directory server to serve LDAP clients.

The ldapservercfg utility uses server-type to specify the type of directory server to be configured. The current supported server types are:


Oracle Unified Directory (version and later)


OpenLDAP (version as packaged with Oracle Solaris)

The directory server is configured to support Oracle Solaris naming services, as defined in /usr/share/lib/ldif/nameservice.ldif, and Kerberos services as defined in /usr/share/lib/ldif/kerberos.ldif.

The Directory Information Tree (DIT) structure recommended in RFC2307bis-02 is created.

A default LDAP configuration profile is created to allow automatic configuration of LDAP clients.

Oracle Unified Directory

When the oud option is selected, it is assumed that the Oracle Unified Directory server has been installed and enabled according to the procedures documented in section "Setting Up the Directory Server" in OUD Administration Guide. Ensure the security features such as SSL/TLS, sasl/DIGEST or sasl/GSSAPI are enabled on server side if you want to access the server through corresponding security mechanism.

The tool supplies a default settings for its parameters and allows the user to edit them.


Configures OpenLDAP using the rights profile OpenLDAP, which includes the required user, group, authorizations and privileges to properly execute ldapservercfg and to configure and enable the slapd server. ldapservercfg should be started through a profile shell like pfexec.

The tool reads initial parameter values from svc:/network/ldap/server:openldap.

If necessary, the server is converted to use Online Configuration (OLC). The server is configured to accept unencrypted connections on port 389, encrypted connections (with STARTTLS) on port 389, and encrypted connections (using raw TLS) on port 636.

When the server configuration is successful, the configuration properties in svc:/network/ldap/server:openldap are updated.

Special Accounts

Four special accounts might be created. Their names, default Distinguished Name (DN) and use is:

Configuration (OpenLDAP only)
DN: cn=config

The configuration account is used to create new databases or load additional schemas. Its password is set the same as the Backend Manager password.

Backend Manager (OpenLDAP only)
DN: cn=Manager, Search_base (default)

The backend account is the manager for the directory. It has complete access to all data in the directory.

DN: cn=admin, ou=profile, search_base (default)

The admin account is created if shadow update is enabled. Clients use this account to add or modify users.

Users with the solaris.password.assign authorization are able to change other users' passwords only if the client system is configured with an administrator account & password and enableShadowUpdate is configured, See ldapclient(8) for details.

DN: cn=proxyagent, ou=profile, search_base (default)

This account is created if proxy access is enabled. Clients will be configured to bind as this account.


The following options are supported:

–d debug-level

Specifies the debug-level.


Turns off debugging


Turns on debugging and opens tracing


Function Stacks

–a (OpenLDAP only)

Specifies that the server should be configured with no human interaction by using SMF property values and default values. For more information, see the PARAMETERS section below.

The SMF service svc:/network/ldap/server:openldap uses this option the first time the service is enabled.




Verbose output.


For OpenLDAP installations, server configuration parameters can be specified through properties on svc:/network/ldap/server:openldap.

Writing these properties requires the authorization solaris.smf.value.name-service.ldap.server.

Reading the properties in the cred property group requires the authorization solaris.smf.read.name-service.ldap.server.

Account credentials

Some of the Special Account names can be configured in SMF property values. Below each account property name is paired with its password property.

The password properties are only used by ldapservercfg during non-interactive use. When setting passwords into properties they should be hashed using slappasswd(8oldap).

Backend Manager (OpenLDAP only)

cred/backend_cn defaults to Manager when not set.

cred/backend_passwd defaults to the system's root password and is also used for the Configuration account.


When not set cred/admin_cn defaults to admin

When ldapservercfg is run non-interactively this account will be created and shadow update enabled only if a password hash is set.

See Example 877, Setting cred/admin_passwd value for openLDAP non-interactive configuration below.


When not set cred/proxy_cn defaults to proxyagent

When ldapservercfg is run non-interactively this account will be created if default/credential_level specifies proxy and cred/proxy_passwd is set. When it is not set the default/credential_level of proxy is ignored and anonymous is used instead.

LDAP configuration properties

These properties are used to configure LDAP service and to save a client profile within the Directory.

Search Base (base DN):

Default: derived from system's DNS domain name or, if not available, dc=example,dc=com

Containers are created relative to this DN.

Clients are instructed to search relative to this DN.

For example, if the host name is ldap.example.net, the default Search Base DN would be "dc=example,dc=net".

Client Authentication:

Default: tls:simple

This property controls what authentication method the generated LDAP client profile directs client systems to use.

For a full list of supported authentication methods and additional information see ldapclient(8).

Credential Level:

Default: proxy

Specify the credential level the client should use to contact the directory. The credential levels supported are anonymous, proxy, and self. If a proxy credential level is specified, then the authentication_method attribute must be specified to determine the authentication mechanism. Also, if the credential level is proxy and at least one of the authentication methods require a bind DN, the cred/proxy_cn and cred/proxy_passwd attribute values must be set.

If a self credential level is specified, the authentication_method must be sasl/GSSAPI.

Search Scope:

Default: one

Specify the default search scope for the client's search operations. This default can be overridden for a given service by specifying a service_search_descriptor. The default is one level search.

Server List

Default: system's host name

A multi-valued property providing LDAP server names that the LDAP client can resolve the addresses of without the LDAP name service. Client's must resolve the LDAP servers' names to addresses by using either files or dns. If the LDAP server name cannot be resolved, your naming service will fail.

The fully qualified domain names MUST also match those provided in any Certificates.

See Example 875, Setting profile/default/server_list below.

Service Search Descriptor:

Override the default base DN for LDAP searches for a given service. The format of the descriptors also allow overriding the default search scope and search filter for each service. The default value for all services is NULL. This is a multi-valued attribute with one value per service.

The syntax of service_search_descriptor is defined in the profile IETF draft, its basic format is:


In the example SSD:


the LDAP client would do a sub level search in ou=staff,dc=example,dc=com applying filter (&(objectClass=posixAccount)(fulltimeEmployee=TRUE) and search ou=volunteer,dc=example,dc=com at the single level (one with the default filter (objectClass=posixAccount) for the passwd service.

See Example 876, Setting profile/default/service_search_descriptor (SSD) below for pre-setting multiple services.

Schema and DIT Structure

The following schema elements are added to the server if they are not already installed:

Object classes:


Attribute types:


Access control lists are set so that:

| Options         | Results                                           |
|                 | Non-Sensitive           | Sensitive               |
| Proxy? | Admin? | Anon? | Proxy? | Admin? | Anon? | Proxy? | Admin? |
| No[1]  | No     | Read  | -      | -      | No    | -      | -      |
| No     | Yes    | Read  | -      | Write  | No    | -      | Write  |
| Yes    | No     | No    | Read   | -      | No    | Read   | -      |
| Yes    | Yes    | No    | Read   | Write  | No    | Read   | Write  |

Default Configuration

Non-sensitive attributes are:

  • uid

  • uidNumber

  • gidNumber

  • cn

  • objectClass

  • memberUid

  • memberGid

  • loginShell

  • homeDirectory

  • gecos

  • description

  • nisDomain

  • automountMapName

  • SolarisAttrKeyValue

  • SolarisAttrShortDesc

  • SolarisAttrLongDesc

  • SolarisKernelSecurityPolicy

  • SolarisProfileType

  • SolarisProfileId

  • SolarisUserQualifier

  • SolarisProjectId

  • SolarisProjectName

  • SolarisProjectAttr

  • SolarisUserAttrEntry

  • SolarisUserType

  • SolarisAttrReserved1

  • SolarisAttrReserved2

Security-critical attributes are:

  • userPassword

  • shadowLastChange

  • shadowMin

  • shadowMax

  • shadowWarning

  • shadowInactive

  • shadowExpire

  • shadowFlag

In addition, userPassword is writable by the particular user.

As recommended by RFC2307bis-02, the DIT tree under the base DN is laid out with containers for each type of object stored:

ou=people                      posixAccount
ou=group                       posixGroup
ou=services                    ipService
ou=protocols                   ipProtocol
ou=rpc                         oncRpc
ou=hosts                       ipHost
ou=ethers                      ieee802Device
ou=networks                    ipNetwork
ou=netgroup                    nisNetgroup
nisMapName=...                 nisObject
automountMapName=...           automountMap

An RFC 4876 profile is created at cn=default, ou=profile, search_base.

Exit Status

The following exit values are returned:


Successful completion.


An error occurred.


Example 1 Prompting the User for Input

In the following example, the user is prompted for information to set up OUD.

example# ldapservercfg oud
Example 2 Setting profile/default/server_list

Using svccfg(8) delpropvalue is used to delete the property values, followed by addpropvalue twice to add two qualified server names.

example# svccfg -s ldap/server:openldap delpropvalue \
> profile/default/server_list '*'
example# svccfg -s ldap/server:openldap addpropvalue \
> profile/default/server_list "serv1.example.com"
example# svccfg -s ldap/server:openldap addpropvalue \
> profile/default/server_list "serv2.example.com"
example# svccfg -s ldap/server:openldap refresh
Example 3 Setting profile/default/service_search_descriptor (SSD)

Using svccfg(8) setprop to overwrite all current values, followed by addpropvalue to add an additional value. The SMF instance is then refreshed using svcadm(8), to commit the changes. The values are then displayed with svcprop(1) and piped through fmt(1) for brevity.

example# svccfg -s ldap/server:openldap \
> setprop profile/default/service_search_descriptor = \
> "printers:ou=hc,dc=example,dc=com?one"
example# svccfg -s ldap/server:openldap addpropvalue \
> profile/default/service_search_descriptor \
> "ethers:ou=mac,dc=example,dc=com?sub"
example# svcadm refresh ldap/server:openldap
example# svcprop -p profile/default/service_search_descriptor
> ldap/server:openldap | fmt -60
Example 4 Setting cred/admin_passwd value for openLDAP non-interactive configuration

Using svccfg(8) in combination with slappasswd(8oldap) to prompt for and save the password. The use of mktemp(1) keeps the password off of the command line.

example# tmp=`mktemp` &&
> (/usr/bin/echo 'setprop cred/admin_passwd = astring: \c';
> /usr/sbin/slappasswd) > $tmp &&
> svccfg -s ldap/server:openldap -f $tmp; rm $tmp
New password:
Re-enter new password:
example# svcadm refresh ldap/server:openldap


/etc/openldap/certs/server.pem (OpenLDAP)
/etc/openldap/certs/server.key (OpenLDAP)

A self-signed certificate and private key are generated. They can be replaced as desired.


Contains a list of root certificates that the server trusts. This list should include the certificates used to sign the server's certificate, if a CA-signed certificate is used.


See attributes(7) for descriptions of the following attributes:

Interface Stability

See Also

attributes(7), idsconfig(8), ldap(7), ldap_cachemgr(8), ldapaddent(8), ldapclient(8), ldaplist(1), resolv.conf(5), slapd(8oldap), slappasswd(8oldap)

RFC 4876: A Configuration Profile Schema for Lightweight Directory Access Protocol (LDAP)-Based Agents

RFC 2307: An Approach for Using LDAP as a Network Information Service

Oracle Solaris Schema: