Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1‎ > ‎


     ldap - LDAP as a naming repository

     LDAP refers to Lightweight Directory Access Protocol,  which
     is  an industry standard for accessing directory servers. By
     initializing the client using ldapclient(1M) and  using  the
     keyword    ldap   in   the   name   service   switch   file,
     /etc/nsswitch.conf, Solaris clients can obtain naming infor-
     mation  from  an LDAP server. Information such as usernames,
     hostnames, and passwords are stored on the LDAP server in  a
     Directory  Information  Tree  or  DIT.  The  DIT consists of
     entries which in  turn  are  composed  of  attributes.  Each
     attribute has a type and one or more values.

     Solaris LDAP clients use the LDAP v3 protocol to access nam-
     ing information from LDAP servers. The LDAP server must sup-
     port the object classes and attributes defined in RFC2307bis
     (draft),  which maps the naming service model on to LDAP. As
     an alternate to  using  the  schema  defined  in  RFC2307bis
     (draft),  the  system  can be configured to use other schema
     sets and the schema mapping feature  is  configured  to  map
     between  the  two. Refer to the System Administration Guide:
     Naming and Directory Services (DNS, NIS, and LDAP) for  more

     The ldapclient(1M) utility can make  a  Solaris  machine  an
     LDAP  client  by  setting  up  the  appropriate directories,
     files,  and  configuration  information.   The  LDAP  client
     caches  this configuration information in local cache files.
     This  configuration  information  is  accessed  through  the
     ldap_cachemgr(1M)  daemon.   This  daemon also refreshes the
     information in the configuration files from the LDAP server,
     providing better performance and security. The ldap_cachemgr
     must run at all times for the proper operation of the naming

     There are two types of configuration information, the infor-
     mation available through a profile, and the information con-
     figured per client. The profile contains all the information
     as  to how the client accesses the directory. The credential
     information for proxy user is configured  on  a  per  client
     basis and is not downloaded through the profile.

     The profile contains  server-specific  parameters  that  are
     required  by  all  clients  to  locate  the  servers for the
     desired LDAP domain. This information could be the  server's
     IP  address and the search base Distinguished Name (DN), for
     instance. It is configured on the client  from  the  default
     profile  during  client  initialization  and is periodically
     updated by the ldap_cachemgr daemon when the expiration time
     has elapsed.
     Client profiles can be stored on the LDAP server and can  be
     used by the ldapclient utility to initialize an LDAP client.
     Using the client profile is the easiest way to  configure  a
     client machine. See ldapclient(1M).

     Credential information includes  client-specific  parameters
     that  are  used  by  a client. This information could be the
     Bind DN (LDAP "login" name) of the client and the  password.
     If  these parameters are required, they are manually defined
     during the initialization through ldapclient(1M).

     The naming information is stored in containers on  the  LDAP
     server. A container is a non-leaf entry in the DIT that con-
     tains naming service information. Containers are similar  to
     maps  in  NIS  and tables in NIS+. A default mapping between
     the NIS databases and the containers in  LDAP  is  presented
     below.  The  location  of  these containers as well as their
     names can be overridden  through  the  use  of  serviceSear-
     chDescriptors. For more information, see ldapclient(1M).

    |      Database      |    Object Class    |          Container        |
    | passwd             | posixAccount       |  ou=people,dc=...         |
    |                    | shadowAccount      |                           |
    | group              | posixGroup         |  ou=Group,dc=...          |
    | services           | ipService          |  ou=Services,dc=...       |
    | protocols          | ipProtocol         |  ou=Protocols,dc=...      |
    | rpc                | oncRpc             |  ou=Rpc,dc=...            |
    | hosts              | ipHost             |  ou=Hosts,dc=...          |
    | ipnodes            | ipHost             |  ou=Hosts,dc=...          |
    | ethers             | ieee802Device      |  ou=Ethers,dc=...         |
    | bootparams         | bootableDevice     |  ou=Ethers,dc=...         |
    | networks           | ipNetwork          |  ou=Networks,dc=...       |
    | netmasks           | ipNetwork          |  ou=Networks,dc=...       |
    | netgroup           | nisNetgroup        |  ou=Netgroup,dc=...       |
    | aliases            | mailGroup          |  ou=Aliases,dc=...        |
    | publickey          | nisKeyObject       |                           |
    | generic            | nisObject          |  nisMapName=...,dc=...    |
    | printers           | printerService     |  ou=Printers,dc=...       |
    | auth_attr          | SolarisAuthAttr    |  ou=SolarisAuthAttr,dc=...|
    | prof_attr          | SolarisProfAttr    |  ou=SolarisProfAttr,dc=...|
    | exec_attr          | SolarisExecAttr    |  ou=SolarisProfAttr,dc=...|
    | user_attr          | SolarisUserAttr    |  ou=people,dc=...         |
    | audit_user         | SolarisAuditUser   |  ou=people,dc=...         |

     The security model for clients is defined by  a  combination
     of  the  credential  level  to  be  used, the authentication
     method, and the PAM modules to be used. The credential level
     defines  what credentials the client should use to authenti-
     cate to the directory server, and the authentication  method
     defines  the  method  of  choice. Both these can be set with
     multiple values. The Solaris  LDAP  supports  the  following
     values for credential level :

     The Solaris LDAP supports the following values for authenti-
     cation method:

     When the credential level is configured as self, DNS must be
     configured   and   the   authentication   method   must   be
     sasl/GSSAPI. The hosts  and  ipnodes  in  /etc/nsswitch.conf
     must  be configured to use DNS, for example hosts: dns files
     and ipnodes: dns files.

     sasl/GSSAPI automatically uses  GSSAPI  confidentiality  and
     integrity  options,  if they are configured on the directory

     The credential level of self enables per-user naming service
     lookups,  or  lookups that use the GSSAPI credentials of the
     user when connecting to the directory server. Currently  the
     only  GSSAPI  mechanism  supported in this model is Kerberos
     V5. Kerberos must be configured  before  you  can  use  this
     credential level. See kerberos(5) for details.

     More protection can be provided by means of access  control,
     allowing  the  server to grant access for certain containers
     or entries. Access control is specified  by  Access  Control
     Lists (ACLs) that are defined and stored in the LDAP server.
     The Access Control Lists  on  the  LDAP  server  are  called
     Access  Control Instructions (ACIs) by the the SunOne Direc-
     tory Server. Each ACL or ACI specifies one or more directory
     objects,  for  example,  the cn attribute in a specific con-
     tainer, one or more  clients  to  whom  you  grant  or  deny
     access,  and  one  or more access rights that determine what
     the clients can do to or with the objects.  Clients  can  be
     users  or  applications.  Access  rights can be specified as
     read and write, for example. Refer to the System Administra-
     tion  Guide:  Naming  and  Directory Services (DNS, NIS, and
     LDAP) regarding the restrictions on ACLs and ACIs when using
     LDAP as a naming repository.

     A sample nsswitch.conf(4) file called nsswitch.ldap is  pro-
     vided   in   the   /etc   directory.   This   is  copied  to
     /etc/nsswitch.conf by the ldapclient(1M) utility. This  file
     uses LDAP as a repository for the different databases in the
     nsswitch.conf file.

     The following is a list of  the  user  commands  related  to

     idsconfig(1M)     Prepares a SunOne Directory Server  to  be
                       ready to support Solaris LDAP clients.

     ldapaddent(1M)    Creates LDAP  entries  from  corresponding
                       /etc files.

     ldapclient(1M)    Initializes LDAP clients, or  generates  a
                       configuration  profile to be stored in the

     ldaplist(1)       Lists the  contents  of  the  LDAP  naming

     /var/ldap/ldap_client_cred    Files that  contain  the  LDAP
     /var/ldap/ldap_client_file    configuration  of  the client.
                                   Do not manually  modify  these
                                   files.  Their  content  is not
                                   guaranteed to be  human  read-
                                   able.  Use  ldapclient(1M)  to
                                   update them.

     /etc/nsswitch.conf            Configuration  file  for   the
                                   name-service switch.

     /etc/nsswitch.ldap            Sample configuration file  for
                                   the  name-service  switch con-
                                   figured with LDAP and files.

     /etc/pam.conf                 PAM  framework   configuration

     ldaplist(1),        idsconfig(1M),        ldap_cachemgr(1M),
     ldapaddent(1M),       ldapclient(1M),      nsswitch.conf(4),
     pam.conf(4),                kerberos(5)pam_authtok_check(5),
     pam_authtok_get(5),   pam_authtok_store(5),   pam_dhkeys(5),
     pam_ldap(5),    pam_passwd_auth(5),     pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5)

     System Administration Guide: Naming and  Directory  Services
     (DNS, NIS, and LDAP)

     The pam_unix(5) module is no longer supported. Similar func-
     tionality     is     provided    by    pam_authtok_check(5),
     pam_authtok_get(5),   pam_authtok_store(5),   pam_dhkeys(5),
     pam_passwd_auth(5),  pam_unix_account(5),  pam_unix_auth(5),

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.