man pages section 8: System Administration Commands

Updated: Wednesday, July 27, 2022

ldapservercfg (8)

Name

ldapservercfg - prepare a directory server to be populated with data and serve LDAP clients

Synopsis

ldapservercfg [-avq] [-d debug-level] server-type
  

Description

The ldapservercfg utility is used to configure and populate a directory server to serve LDAP clients.

The ldapservercfg utility uses server-type to specify the type of directory server to be configured. The current supported server types are:

oud

Oracle Unified Directory (version 11.1.2.3 and later)

openldap

OpenLDAP (version as packaged with Oracle Solaris)

The directory server is configured to support Oracle Solaris naming services, as defined in /usr/share/lib/ldif/nameservice.ldif, and Kerberos services as defined in /usr/share/lib/ldif/kerberos.ldif.

The Directory Information Tree (DIT) structure recommended in RFC2307bis-02 is created.

A default LDAP configuration profile is created to allow automatic configuration of LDAP clients.

Oracle Unified Directory

When the oud option is selected, it is assumed that the Oracle Unified Directory server has been installed and enabled according to the procedures documented in the section "Setting Up the Directory Server" of the OUD Administration Guide. Ensure that the security features you intend to use, such as SSL/TLS, sasl/DIGEST or sasl/GSSAPI, are enabled on the server side; clients can only reach the server through a security mechanism the server has enabled.

The tool supplies default settings for its parameters and allows the user to edit them.

OpenLDAP

Configures OpenLDAP using the rights profile OpenLDAP, which includes the required user, group, authorizations and privileges to properly execute ldapservercfg and to configure and enable the slapd server. ldapservercfg should be started through a profile shell like pfexec.

The tool reads initial parameter values from svc:/network/ldap/server:openldap.

If necessary, the server is converted to use Online Configuration (OLC). The server is configured to accept unencrypted connections on port 389, encrypted connections (with STARTTLS) on port 389, and encrypted connections (using raw TLS) on port 636.

When the server configuration is successful, the configuration properties in svc:/network/ldap/server:openldap are updated.

Special Accounts

Four special accounts might be created. Their names, default Distinguished Names (DN) and uses are:

Configuration (OpenLDAP only)
DN: cn=config

The configuration account is used to create new databases or load additional schemas. Its password is set the same as the Backend Manager password.

Backend Manager (OpenLDAP only)
DN: cn=Manager, search_base (default)

The backend account is the manager for the directory. It has complete access to all data in the directory.

Admin
DN: cn=admin, ou=profile, search_base (default)

The admin account is created if shadow update is enabled. Clients use this account to add or modify users.

Users with the solaris.password.assign authorization are able to change other users' passwords only if the client system is configured with an administrator account and password and enableShadowUpdate is configured. See ldapclient(8) for details.

Proxy
DN: cn=proxyagent, ou=profile, search_base (default)

This account is created if proxy access is enabled. Clients will be configured to bind as this account.

Options

The following options are supported:

-d debug-level

Specifies the debug-level.

0

Turns off debugging

1

Turns on debugging and tracing

2

Function Stacks

-a (OpenLDAP only)

Specifies that the server should be configured with no human interaction by using SMF property values and default values. For more information, see the PARAMETERS section below.

The SMF service svc:/network/ldap/server:openldap uses this option the first time the service is enabled.

-q

Quiet output.

-v

Verbose output.

Parameters

For OpenLDAP installations, server configuration parameters can be specified through properties on svc:/network/ldap/server:openldap.

Writing these properties requires the authorization solaris.smf.value.name-service.ldap.server.

Reading the properties in the cred property group requires the authorization solaris.smf.read.name-service.ldap.server.

Account credentials

Some of the Special Account names can be configured in SMF property values. Below, each account property name is paired with its password property.

The password properties are only used by ldapservercfg during non-interactive use. When setting passwords into properties, they should be hashed using slappasswd(8oldap).

Backend Manager (OpenLDAP only)
cred/backend_cn
cred/backend_passwd

cred/backend_cn defaults to Manager when not set.

cred/backend_passwd defaults to the system's root password and is also used for the Configuration account.

Admin
cred/admin_cn
cred/admin_passwd

When not set, cred/admin_cn defaults to admin.

When ldapservercfg is run non-interactively, this account is created and shadow update is enabled only if a password hash is set.

See Example 4, Setting cred/admin_passwd value for openLDAP non-interactive configuration, below.

Proxy
cred/proxy_cn
cred/proxy_passwd

When not set, cred/proxy_cn defaults to proxyagent.

When ldapservercfg is run non-interactively, this account is created only if default/credential_level specifies proxy and cred/proxy_passwd is set. When cred/proxy_passwd is not set, a default/credential_level of proxy is ignored and anonymous is used instead.

LDAP configuration properties

These properties are used to configure LDAP service and to save a client profile within the Directory.

Search Base (base DN):
profile/default/search_base

Default: derived from the system's DNS domain name or, if that is not available, dc=example,dc=com

Containers are created relative to this DN.

Clients are instructed to search relative to this DN.

For example, if the host name is ldap.example.net, the default Search Base DN would be "dc=example,dc=net".

Client Authentication:
profile/default/authentication_method

Default: tls:simple

This property controls what authentication method the generated LDAP client profile directs client systems to use.

For a full list of supported authentication methods and additional information see ldapclient(8).

Credential Level:
profile/default/credential_level

Default: proxy

Specify the credential level the client should use to contact the directory. The credential levels supported are anonymous, proxy, and self. If a proxy credential level is specified, then the authentication_method attribute must be specified to determine the authentication mechanism. Also, if the credential level is proxy and at least one of the authentication methods require a bind DN, the cred/proxy_cn and cred/proxy_passwd attribute values must be set.

If a self credential level is specified, the authentication_method must be sasl/GSSAPI.

Search Scope:
profile/default/search_scope

Default: one

Specify the default search scope for the client's search operations. This default can be overridden for a given service by specifying a service_search_descriptor. The default is a one-level search.

Server List
profile/default/server_list

Default: system's host name

A multi-valued property providing the LDAP server names that the LDAP client can resolve to addresses without the LDAP name service. Clients must resolve the LDAP servers' names to addresses by using either files or dns. If an LDAP server name cannot be resolved, the naming service fails.

The fully qualified domain names MUST also match those provided in any certificates.

See Example 2, Setting profile/default/server_list, below.

Service Search Descriptor:
profile/default/service_search_descriptor

Overrides the default base DN for LDAP searches for a given service. The format of the descriptors also allows overriding the default search scope and search filter for each service. The default value for all services is NULL. This is a multi-valued attribute with one value per service.

The syntax of service_search_descriptor is defined in the profile IETF draft; its basic format is:

service:[base][?[scope][?[filter]]][;[base][?[scope][?[filter]]]]

In the example SSD:

passwd:ou=staff,dc=example,dc=com?sub?(&(objectClass=posixAccount)(fulltimeEmployee=TRUE));ou=volunteer,dc=example,dc=com?one

the LDAP client would, for the passwd service, do a sub level search in ou=staff,dc=example,dc=com applying the filter (&(objectClass=posixAccount)(fulltimeEmployee=TRUE)), and search ou=volunteer,dc=example,dc=com at the single level (one) with the default filter (objectClass=posixAccount).

See Example 3, Setting profile/default/service_search_descriptor (SSD), below for pre-setting multiple services.
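As an added example (not part of ldapservercfg, Oracle Solaris or this man page), the following Python parser splits an SSD in the syntax above into per-service (base, scope, filter) triples, treats an empty field as "use the profile default", and rejects unknown scopes and filters with unbalanced parentheses before they are stored in SMF. It assumes the ';' and '?' separators never appear inside a base DN or a filter.

```python
"""Parse and validate an LDAP client profile service_search_descriptor (SSD).

Syntax (from the profile draft): service:[base][?[scope][?[filter]]][;...]
Added example, not part of ldapservercfg or Oracle Solaris. Assumes the ';'
and '?' separators never occur inside a base DN or a filter."""
from typing import List, NamedTuple, Optional, Tuple

VALID_SCOPES = ("base", "one", "sub")


class SearchSpec(NamedTuple):
    base: Optional[str]    # None: use the profile's default search base
    scope: Optional[str]   # None: use the profile's default search scope
    filter: Optional[str]  # None: use the service's default filter


def _balanced(expr: str) -> bool:
    """True when every '(' in the filter has a matching ')' in order."""
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def parse_ssd(ssd: str) -> Tuple[str, List[SearchSpec]]:
    """Return (service, [SearchSpec, ...]); raise ValueError on malformed input."""
    service, sep, rest = ssd.partition(":")
    if not sep or not service:
        raise ValueError("SSD must start with 'service:'")
    specs: List[SearchSpec] = []
    for part in rest.split(";"):
        fields = part.split("?", 2)          # base ? scope ? filter
        base = fields[0] or None
        scope = fields[1] if len(fields) > 1 and fields[1] else None
        filt = fields[2] if len(fields) > 2 and fields[2] else None
        if scope is not None and scope not in VALID_SCOPES:
            raise ValueError(f"bad scope {scope!r}; expected one of {VALID_SCOPES}")
        if filt is not None and not _balanced(filt):
            raise ValueError(f"unbalanced parentheses in filter {filt!r}")
        specs.append(SearchSpec(base, scope, filt))
    return service, specs


if __name__ == "__main__":
    # Constructed input: the passwd SSD shown in the man page text.
    print(parse_ssd("passwd:ou=staff,dc=example,dc=com?sub?"
                    "(&(objectClass=posixAccount)(fulltimeEmployee=TRUE));"
                    "ou=volunteer,dc=example,dc=com?one"))
```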

Schema and DIT Structure

The following schema elements are added to the server if they are not already installed:

Object classes:

SolarisQualifiedUserAttr
DUAConfigProfile

Attribute types:

SolarisUserAttrEntry
SolarisUserType

Access control lists are set so that:

| Options         | Results: non-sensitive attributes | Results: sensitive attributes    |
|--------|--------|-------|--------|------------------|-------|--------|-----------------|
| Proxy? | Admin? | Anon? | Proxy? | Admin?           | Anon? | Proxy? | Admin?          |
|--------|--------|-------|--------|------------------|-------|--------|-----------------|
| No[1]  | No     | Read  | -      | -                | No    | -      | -               |
| No     | Yes    | Read  | -      | Write            | No    | -      | Write           |
| Yes    | No     | No    | Read   | -                | No    | Read   | -               |
| Yes    | Yes    | No    | Read   | Write            | No    | Read   | Write           |
|--------|--------|-------|--------|------------------|-------|--------|-----------------|

Default Configuration

Non-sensitive attributes are:

  • uid

  • uidNumber

  • gidNumber

  • cn

  • objectClass

  • memberUid

  • memberGid

  • loginShell

  • homeDirectory

  • gecos

  • description

  • nisDomain

  • automountMapName

  • SolarisAttrKeyValue

  • SolarisAttrShortDesc

  • SolarisAttrLongDesc

  • SolarisKernelSecurityPolicy

  • SolarisProfileType

  • SolarisProfileId

  • SolarisUserQualifier

  • SolarisProjectId

  • SolarisProjectName

  • SolarisProjectAttr

  • SolarisUserAttrEntry

  • SolarisUserType

  • SolarisAttrReserved1

  • SolarisAttrReserved2

Security-critical attributes are:

  • userPassword

  • shadowLastChange

  • shadowMin

  • shadowMax

  • shadowWarning

  • shadowInactive

  • shadowExpire

  • shadowFlag

In addition, userPassword is writable by the particular user.

As recommended by RFC2307bis-02, the DIT tree under the base DN is laid out with containers for each type of object stored:

ou=people                      posixAccount
                               shadowAccount
ou=group                       posixGroup
ou=services                    ipService
ou=protocols                   ipProtocol
ou=rpc                         oncRpc
ou=hosts                       ipHost
ou=ethers                      ieee802Device
                               bootableDevice
ou=networks                    ipNetwork
ou=netgroup                    nisNetgroup
nisMapName=...                 nisObject
automountMapName=...           automountMap

An RFC 4876 profile is created at cn=default, ou=profile, search_base.

Exit Status

The following exit values are returned:

0

Successful completion.

>0

An error occurred.

Examples

Example 1 Prompting the User for Input

In the following example, the user is prompted for information to set up OUD.

example# ldapservercfg oud

Example 2 Setting profile/default/server_list

Using svccfg(8), delpropvalue is used to delete the existing property values, followed by addpropvalue twice to add two fully qualified server names.

example# svccfg -s ldap/server:openldap delpropvalue \
> profile/default/server_list '*'
example# svccfg -s ldap/server:openldap addpropvalue \
> profile/default/server_list "serv1.example.com"
example# svccfg -s ldap/server:openldap addpropvalue \
> profile/default/server_list "serv2.example.com"
example# svccfg -s ldap/server:openldap refresh

Example 3 Setting profile/default/service_search_descriptor (SSD)

Using svccfg(8), setprop is used to overwrite all current values, followed by addpropvalue to add an additional value. The SMF instance is then refreshed using svcadm(8) to commit the changes. The values are then displayed with svcprop(1) and piped through fmt(1) for brevity.

example# svccfg -s ldap/server:openldap \
> setprop profile/default/service_search_descriptor = \
> "printers:ou=hc,dc=example,dc=com?one"
example# svccfg -s ldap/server:openldap addpropvalue \
> profile/default/service_search_descriptor \
> "ethers:ou=mac,dc=example,dc=com?sub"
example# svcadm refresh ldap/server:openldap
example# svcprop -p profile/default/service_search_descriptor
> ldap/server:openldap | fmt -60
"printers:ou=hc,dc=example,dc=com?one"
"ethers:ou=mac,dc=example,dc=com?sub"

Example 4 Setting cred/admin_passwd value for openLDAP non-interactive configuration

Using svccfg(8) in combination with slappasswd(8oldap) to prompt for the password and save its hash. The use of mktemp(1) keeps the password off the command line.

example# tmp=`mktemp` &&
> (/usr/bin/echo 'setprop cred/admin_passwd = astring: \c';
> /usr/sbin/slappasswd) > $tmp &&
> svccfg -s ldap/server:openldap -f $tmp; rm $tmp
New password:
Re-enter new password:
example# svcadm refresh ldap/server:openldap

Files

/etc/openldap/certs/server.pem (OpenLDAP)
/etc/openldap/certs/server.key (OpenLDAP)

A self-signed certificate and private key are generated. They can be replaced as desired.

/etc/certs/ca-certificates.crt

Contains a list of root certificates that the server trusts. This list should include the certificates used to sign the server's certificate, if a CA-signed certificate is used.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            system/network/ldap
Interface Stability     Committed

See Also

attributes(7), idsconfig(8), ldap(7), ldap_cachemgr(8), ldapaddent(8), ldapclient(8), ldaplist(1), resolv.conf(5), slapd(8oldap), slappasswd(8oldap)

RFC 4876: A Configuration Profile Schema for Lightweight Directory Access Protocol (LDAP)-Based Agents

RFC 2307: An Approach for Using LDAP as a Network Information Service

Oracle Solaris Schema: