Configuring LDAP Schema Settings (CLI)

Use the following procedure to configure LDAP schema settings.
  1. Go to configuration services ldap and enter the show command.
  2. Enter a value for the base search DN.

    Use quotation marks around the value to preserve the embedded equal symbols and comma. For example, enter:

    hostname:configuration services ldap> set base_dn="dc=example,dc=com"

    This base search DN is automatically prepended with ou=people for user searches, ou=group for group searches, and ou=netgroup for netgroup searches. If these values do not work in your environment, set different values for user_search, group_search, or netgroup_search. The value of base_dn is ignored if you provide a value for user_search, group_search, or netgroup_search.

  3. Specify either recursive or non-recursive scope.

    For recursive search, set search_scope to sub. For non-recursive search, set search_scope to one.

    The value of search_scope applies to all searches. To override search_scope for specific types of searches, provide a value for user_search, group_search, or netgroup_search.

  4. Set search descriptor properties.

    The search descriptor properties are user_search, group_search, and netgroup_search.

    By default, ou=people is prepended to the value of base_dn for user searches, ou=group is prepended to the value of base_dn for group searches, and ou=netgroup is prepended to the value of base_dn for netgroup searches. If your LDAP database does not have subtrees named people, group, or netgroup, searches of the database fail with an object-not-found error.

    Set the values of the search descriptor properties to specify the correct subtrees to search for users, groups, and netgroups. Use quotation marks around the value to preserve the embedded equal symbols and commas. For example, you might enter the following for the search descriptor for users:

    hostname:configuration services ldap> set user_search="ou=employees,dc=example,dc=com"

    If your LDAP database does not have subtrees for users and groups, use the search descriptor properties to re-enter the base search DN so that ou=people or ou=group is not prepended automatically, as shown in the following example:

    hostname:configuration services ldap> set group_search="dc=example,dc=com"

    Because both base_dn and search_scope are ignored whenever a search descriptor is set, the search descriptor value must include the base search DN and your scope selection. The example in the previous paragraph specifies non-recursive search. To specify recursive search, change that example to the following:

    hostname:configuration services ldap> set group_search="dc=example,dc=com?sub"

  5. Set the attribute mapping properties.

    The default attributes that are used for user searches are shown in table "Attributes of the Users Data Type" in LDAP Custom Mappings. The default attributes that are used for group searches are shown in table "Attributes of the Groups Data Type" in LDAP Custom Mappings.

    If your environment stores this data in different attributes, use the user_mapattr, group_mapattr, and netgroup_mapattr properties to specify which attribute holds the given data. For example, enter the following command to use employeename instead of uid as the attribute for user names:

    hostname:configuration services ldap> set user_mapattr="uid=employeename"

    Enclose the mapping in quotation marks to preserve the equal symbol in the mapping.

    To specify multiple attribute changes, enter a list of mappings with quotation marks around each mapping, as shown in the following example:

    hostname:configuration services ldap> set user_mapattr="uid=employeename","uidNumber=employeenumber"

  6. Set the object mapping properties.

    The default object class that is used for user searches is posixAccount. The default object class that is used for group searches is posixGroup. The default object class that is used for netgroup searches is nisNetgroup.

    If your environment uses a different object class, use the user_mapobjclass, group_mapobjclass, and netgroup_mapobjclass properties to specify the name of the object class to use. For example, enter the following command to use unixaccount instead of posixAccount as the user object class:

    hostname:configuration services ldap> set user_mapobjclass="posixAccount=unixaccount"

  7. Commit changed property settings.

    Enter show, review property settings, and enter commit.
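The following added example (Python, not appliance code) models how the settings from steps 2 through 6 combine: which base DN and scope each search type actually uses once base_dn, search_scope and a search descriptor are set, and how a list of "default=replacement" attribute mappings is parsed. The function names and validation checks are this example's own; the rule that a descriptor without a "?scope" suffix is a non-recursive search follows the text of step 4.

```python
# Added example, not appliance code: models how base_dn, search_scope, the
# search descriptors and attribute mappings from the procedure combine.
from typing import Dict, Optional, Tuple

# Subtree prepended to base_dn for each search type when no descriptor is set.
DEFAULT_SUBTREE = {"user": "ou=people", "group": "ou=group", "netgroup": "ou=netgroup"}
VALID_SCOPES = {"sub", "one"}  # recursive / non-recursive


def parse_descriptor(descriptor: str) -> Tuple[str, str]:
    """Split a 'base?scope' descriptor; no '?scope' means non-recursive ('one')."""
    base, _, scope = descriptor.partition("?")
    if not base.strip():
        raise ValueError("search descriptor has an empty base DN")
    scope = scope or "one"
    if scope not in VALID_SCOPES:
        raise ValueError(f"unsupported scope {scope!r}; use 'sub' or 'one'")
    return base, scope


def effective_search(kind: str, base_dn: str, search_scope: str,
                     descriptor: Optional[str] = None) -> Tuple[str, str]:
    """Return the (base, scope) a lookup of `kind` actually uses.

    A search descriptor replaces both base_dn and search_scope; without one,
    the default subtree is prepended to base_dn and search_scope applies.
    """
    if search_scope not in VALID_SCOPES:
        raise ValueError(f"search_scope must be 'sub' or 'one', got {search_scope!r}")
    if descriptor:
        return parse_descriptor(descriptor)
    return f"{DEFAULT_SUBTREE[kind]},{base_dn}", search_scope


def parse_mapattr(*mappings: str) -> Dict[str, str]:
    """Parse 'default=replacement' mappings (one per quoted CLI value) into a dict."""
    result: Dict[str, str] = {}
    for m in mappings:
        default, sep, replacement = m.partition("=")
        if not (sep and default and replacement) or "=" in replacement:
            raise ValueError(f"malformed attribute mapping {m!r}")
        result[default] = replacement
    return result


if __name__ == "__main__":
    # Constructed settings that mirror the commands shown in the procedure.
    print(effective_search("user", "dc=example,dc=com", "sub"))
    print(effective_search("group", "dc=example,dc=com", "sub", "dc=example,dc=com"))
    print(parse_mapattr("uid=employeename", "uidNumber=employeenumber"))
```

Running the group lookup with the descriptor "dc=example,dc=com" returns scope "one" even though search_scope is "sub", which is the override step 4 warns about.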
