Add Information About Creating an Active Directory and LDAP Client

Add the following section to Chapter 5, Setting Up LDAP Clients in Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP:

Creating an Active Directory and LDAP Client

You can create a name service configuration that supports SMB file sharing between Oracle Solaris and Windows systems. This name service configuration enables an Oracle Solaris LDAP client to be an Active Directory (AD) client as well.

How to Add an Oracle Solaris LDAP Client to an Active Directory Configuration

This procedure creates an Active Directory (AD) and LDAP client by registering an existing Oracle Solaris LDAP client with an AD server.

  1. Put an existing Oracle Solaris LDAP client in domain mode.

    A client in domain mode is registered and recognized by the AD domain controllers and has Kerberos configured. See How to Configure an SMB Server in Domain Mode in Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.4.

    The smbadm join command requires that you specify the domain user, which is an authenticated user account that can join the domain.

    # smbadm join -u username domain-name

    The following example command puts the example.com host in domain mode and specifies Administrator as the domain user:

    # smbadm join -u Administrator example.com
    After joining example.com the smb service will be restarted automatically.
    Would you like to continue? [no]: yes
    Enter domain password: Administrator-password
    Locating DC in example.com ... this may take a minute ...
    Joining example.com ... this may take a minute ...
    Computer account exists (CN=TESTHOST,CN=Computers,DC=example,DC=com)
    Successfully joined example.com
  2. Configure the LDAP naming services to use AD.
    # nscfg adldap

    Note:

    The nscfg adldap command fails if the client is not in domain mode.

    This command inspects the AD LDAP server to verify that the required LDAP schema can support Oracle Solaris users and groups. Then, this command puts the system into LDAP manual mode and configures proxy authentication that uses sasl/GSSAPI (Kerberos) credentials for the LDAP server. The Kerberos host principal is the credential that enables the connection to the AD LDAP server.

    The updated configuration includes service search descriptors, configures the user, password, and group databases, and updates the SMF LDAP service (svc:/network/ldap/client:default). The LDAP service restarts automatically.

    Additionally, the name switch service configuration (svc:/system/name-service/switch:default) is updated. Both the name switch service and the name service cache service (svc:/system/name-service/cache:default) restart automatically.

    The following example command performs the initialization; the -v option prints each step of the process:

    # nscfg adldap -v
    Check AD prerequisites...
     Check DNS...
     Check for existing LDAP configuration...
         Check LDAP service...
         Check name service switch service...
         Check name service cache service...
     Check SMB...
         Gather AD domain configuration from SMB...
         Check AD domain configuration from SMF...
         Gather additional dcs from smbadm...
         Probe AD LDAP server...
     posixAccount entries detected in BaseDN  found 34 people in basedn
     posixGroup entries detected in BaseDN  found 1 groups in basedn
         AD LDAP server probe complete.
    Verification successful
    Configuring...
     Initialize LDAP naming services for AD...
     Initializing LDAP naming services for AD...
         Initialize svc:/network/ldap/client...
         Initialize svc:/system/name-service/switch...
         Initialize svc:/system/name-service/cache...
         Refresh configured services...
     Refresh svccfg command:   /usr/sbin/svccfg -s svc:/network/ldap/client:default refresh
     Refresh svccfg command:   /usr/sbin/svccfg -s svc:/system/name-service/cache:default refresh
     Refresh svccfg command:   /usr/sbin/svccfg -s svc:/system/name-service/switch:default refresh

How to Unconfigure the LDAP Service in an Active Directory and LDAP Configuration

  1. Unconfigure the LDAP service in an Active Directory (AD) and LDAP configuration.
    # nscfg adldap -u

    This command unconfigures the LDAP service, removes the ldap entry from the name switch service (svc:/system/name-service/switch:default), and reverts all name service databases to files-only mode, except for the host database.

    The following example command performs the unconfiguration; the -v option prints each step of the process:

    # nscfg adldap -u -v
    Unconfigure LDAP naming services for AD...
     Unconfigure LDAP naming services for AD...
         Reset svc:/network/ldap/client...
         Reset svc:/system/name-service/switch...
         Reset svc:/system/name-service/cache...
         Refresh naming services...
     Refresh: svc:/network/ldap/client
     Refresh svccfg command:   /usr/sbin/svccfg -s svc:/network/ldap/client:default refresh
     Refresh: svc:/system/name-service/switch
    Refresh svccfg command:   /usr/sbin/svccfg -s svc:/system/name-service/switch:default refresh
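As an added example that is not part of the Oracle documentation, the following POSIX shell script wraps step 2 of the first procedure with the checks a practitioner would want: that the Kerberos host principal the sasl/GSSAPI bind relies on is present in the keytab, that the nscfg adldap verification actually found posixAccount entries, and that the name service switch lists ldap for passwd and group; the same nss_uses_ldap check confirms that nscfg adldap -u has reverted those databases to files. The function names, the log path /var/tmp/nscfg-adldap.log and the sample data are assumptions; the command names and output strings are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: sanity checks around the
# nscfg adldap procedure above. Command names and output strings come from the
# steps on this page; the sample data at the bottom is constructed.

# adldap_verify_ok: read `nscfg adldap -v` output on stdin and succeed only if
# the prerequisite check passed AND at least one posixAccount was found, since
# an AD domain without RFC 2307 attributes yields no Oracle Solaris users.
adldap_verify_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Verification successful$' || return 1
    people=$(printf '%s\n' "$out" |
        sed -n 's/.*found \([0-9][0-9]*\) people in basedn.*/\1/p')
    [ -n "$people" ] && [ "$people" -gt 0 ]
}

# keytab_has_host_principal: read `klist -k` output on stdin and succeed if a
# host/ principal is present; that is the credential the sasl/GSSAPI bind uses.
keytab_has_host_principal() {
    grep -qE '[[:space:]]host/[^[:space:]]+@[^[:space:]]+$'
}

# nss_uses_ldap DB [FILE]: succeed if database DB lists ldap as a source in FILE
# (default: the /etc/nsswitch.conf that Oracle Solaris 11 generates from
# svc:/system/name-service/switch). Expected to succeed for passwd and group
# after `nscfg adldap`, and to fail for them after `nscfg adldap -u`.
nss_uses_ldap() {
    db=$1; file=${2:-/etc/nsswitch.conf}
    grep -E "^[[:space:]]*${db}:" "$file" | sed 's/#.*//' |
        grep -qE '[[:space:]]ldap([[:space:]]|$)'
}

# Constructed sample mirroring the page's `nscfg adldap -v` listing.
SAMPLE_NSCFG='Check AD prerequisites...
 posixAccount entries detected in BaseDN  found 34 people in basedn
Verification successful
Configuring...'

# On a real client (run as root), perform step 2 and the checks; skipped elsewhere.
if command -v nscfg >/dev/null 2>&1 && command -v klist >/dev/null 2>&1; then
    klist -k | keytab_has_host_principal || echo "no host/ principal in keytab" >&2
    nscfg adldap -v 2>&1 | tee /var/tmp/nscfg-adldap.log
    adldap_verify_ok </var/tmp/nscfg-adldap.log || echo "AD LDAP verification failed" >&2
    for db in passwd group; do
        nss_uses_ldap "$db" || echo "warning: $db does not use ldap" >&2
    done
fi
```

After running nscfg adldap -u, the same nss_uses_ldap passwd and nss_uses_ldap group calls should fail, which confirms the databases are back in files-only mode.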