Working With Naming and Directory Services in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
LDAP Client Profiles

To simplify client setup, and avoid having to reenter the same information for each and every client, create a single client profile on the directory server. This way, a single profile defines the configuration for all clients configured to use it. Any subsequent change to the profile attributes is propagated to the clients at a rate defined by the refresh interval.

Configuration information specified in the LDAP client profiles is automatically imported into the SMF repository when the svc:/network/ldap/client service is started.

Any client profiles should be stored in a well-known location on the LDAP server. The root DN for the given domain must have an object class of nisDomainObject and a nisDomain attribute containing the client's domain. All profiles are located in the ou=profile container relative to that root DN. These profiles should be readable anonymously.

LDAP Client Profile Attributes

The following table shows the LDAP client's profile attributes, which can be set automatically when you run idsconfig. See How to Initialize an LDAP Client Manually and the idsconfig(1M) man page for information on how to set a client profile manually.

Table 9-2 LDAP Client Profile Attributes

| Attribute | Description |
| --- | --- |
| cn | The profile name. The attribute has no default value. The value must be specified. |
| preferredServerList | A space-separated list of the host addresses of the preferred servers. (Do not use host names.) The servers in this list are tried in order before those in defaultServerList until a successful connection is made. This attribute has no default value. At least one server must be specified in either preferredServerList or defaultServerList. |
| defaultServerList | A space-separated list of the host addresses of the default servers. (Do not use host names.) After the servers in preferredServerList are tried, the default servers on the client's subnet are tried, followed by the remaining default servers, until a connection is made. At least one server must be specified in either preferredServerList or defaultServerList. The servers in this list are tried only after those in the preferred server list. This attribute has no default value. |
| defaultSearchBase | The DN relative to which the well-known containers are located. There is no default for this value. It can be overridden for a given service by the serviceSearchDescriptor attribute. |
| defaultSearchScope | Defines the scope of a database search by a client. It can be overridden by the serviceSearchDescriptor attribute. The possible values are one or sub. The default is a one-level search. |
| authenticationMethod | Identifies the method of authentication used by the client. The default is none (anonymous). See Choosing Authentication Methods for the LDAP Naming Service for more information. |
| credentialLevel | Identifies the type of credentials a client should use to authenticate. The choices are anonymous, proxy, or self (also known as per-user). The default is anonymous. |
| serviceSearchDescriptor | Defines how and where a client should search for a naming database, for example, whether the client should look in one or more points in the DIT. By default, no SSDs are defined. |
| serviceAuthenticationMethod | Authentication method used by a client for the specified service. By default, no service authentication methods are defined. If a service does not have serviceAuthenticationMethod defined, it defaults to the value of authenticationMethod. |
| attributeMap | Attribute mappings used by the client. By default, no attributeMap is defined. |
| objectclassMap | Object class mappings used by the client. By default, no objectclassMap is defined. |
| searchTimeLimit | Maximum time in seconds a client should allow for a search to complete before timing out. This does not affect the time the LDAP server allows for a search to complete. The default value is 30 seconds. |
| bindTimeLimit | Maximum time in seconds a client should allow to bind with a server before timing out. The default value is 30 seconds. |
| followReferrals | Specifies whether a client should follow an LDAP referral. Possible values are TRUE or FALSE. The default value is TRUE. |
| profileTTL | Time between refreshes of the client profile from the LDAP server by ldap_cachemgr(1M). The default is 43200 seconds (12 hours). If the value is 0, the profile is never refreshed. |

Local LDAP Client Attributes

The following table lists the LDAP client attributes that can be set locally using the ldapclient command. See the ldapclient(1M) man page for more information.

Table 9-3 Local LDAP Client Attributes

| Attribute | Description |
| --- | --- |
| adminDN | Specifies the administrator entry's distinguished name for the admin credential. If the value of the enableShadowUpdate switch is true on the client system, and credentialLevel has a value other than self, then adminDN must be specified. |
| adminPassword | Specifies the administrator entry's password for the admin credential. If the value of the enableShadowUpdate switch is true on the client system, and credentialLevel has a value other than self, then adminPassword must be defined. |
| domainName | Specifies the client's domain name (which becomes the default domain for the client system). This attribute has no default value and must be specified. |
| proxyDN | The proxy's distinguished name. If the client system is configured with a credentialLevel of proxy, proxyDN must be specified. |
| proxyPassword | The proxy's password. If the client system is configured with a credentialLevel of proxy, proxyPassword must be defined. |
| certificatePath | The directory on the local file system containing the certificate databases. This attribute is used if a client system is configured with an authenticationMethod or serviceAuthenticationMethod that uses TLS. The default value is /var/ldap. |

Note - If the BaseDN in an SSD contains a trailing comma, it is treated as a relative value of the defaultSearchBase. The values of the defaultSearchBase are appended to the BaseDN before a search is performed.
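The following is an added example, not code from Oracle Solaris or this guide. It reads a client profile entry as LDIF and checks it against the rules in Table 9-2 (required cn, at least one server given as an address rather than a host name, the allowed values and defaults of the remaining attributes, profileTTL 0 meaning never refreshed), checks the locally set ldapclient attributes against Table 9-3 (proxyDN/proxyPassword for a proxy credential level, adminDN/adminPassword when enableShadowUpdate is true, certificatePath defaulting to /var/ldap for TLS), and resolves an SSD base DN with a trailing comma by appending defaultSearchBase as the note describes. The LDIF entry, DNs and addresses are constructed for illustration; the DUAConfigProfile object class is the one Solaris profiles use, and the `service:base?scope?filter` form of an SSD is assumed from the SSD description elsewhere in this chapter.

```python
# Added example (not Oracle's code): check a Solaris LDAP client profile entry and
# the locally set ldapclient attributes against Tables 9-2 and 9-3, and resolve
# SSD base DNs as the note describes. LDIF, DNs and addresses are constructed.
import ipaddress

# Defaults Table 9-2 gives for profile attributes that may be omitted.
PROFILE_DEFAULTS = {
    "defaultSearchScope": "one",
    "authenticationMethod": "none",
    "credentialLevel": "anonymous",
    "searchTimeLimit": "30",
    "bindTimeLimit": "30",
    "followReferrals": "TRUE",
    "profileTTL": "43200",
}

# Constructed sample profile entry in the ou=profile container of the domain.
SAMPLE_PROFILE_LDIF = """\
dn: cn=default,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: default
preferredServerList: 192.0.2.10 192.0.2.11:389
defaultServerList: 198.51.100.20
defaultSearchBase: dc=example,dc=com
credentialLevel: proxy
authenticationMethod: tls:simple
serviceSearchDescriptor: passwd:ou=people,?sub
serviceSearchDescriptor: group:ou=group,dc=example,dc=com?one
profileTTL: 0
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; folded lines are joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # continuation of previous line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")    # split at the first colon only
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def _is_ip_address(token):
    """True for an IP literal, optionally with a port (192.0.2.1:389, [2001:db8::1]:389)."""
    host = token
    if token.startswith("["):
        host = token[1:token.find("]")]
    elif token.count(":") == 1:
        host = token.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_profile(entry):
    """Return the Table 9-2 rules the profile entry violates (empty list = ok)."""
    problems = []
    if not entry.get("cn"):
        problems.append("cn has no default and must be specified")
    servers = [t for v in entry.get("preferredServerList", [])
               + entry.get("defaultServerList", []) for t in v.split()]
    if not servers:
        problems.append("at least one server is required in preferredServerList or defaultServerList")
    problems += [f"{t!r} is a host name; server lists must contain addresses"
                 for t in servers if not _is_ip_address(t)]
    if not entry.get("defaultSearchBase"):
        problems.append("defaultSearchBase has no default value")
    single = {k: entry.get(k, [v])[0] for k, v in PROFILE_DEFAULTS.items()}
    if single["defaultSearchScope"] not in ("one", "sub"):
        problems.append("defaultSearchScope must be one or sub")
    if single["credentialLevel"] not in ("anonymous", "proxy", "self"):
        problems.append("credentialLevel must be anonymous, proxy, or self")
    if single["followReferrals"] not in ("TRUE", "FALSE"):
        problems.append("followReferrals must be TRUE or FALSE")
    for name in ("searchTimeLimit", "bindTimeLimit", "profileTTL"):
        if not single[name].isdigit():
            problems.append(f"{name} must be a number of seconds")
    return problems


def refresh_interval(entry):
    """Seconds between profile refreshes by ldap_cachemgr; None means never (profileTTL 0)."""
    return int(entry.get("profileTTL", [PROFILE_DEFAULTS["profileTTL"]])[0]) or None


def resolve_ssd_base(ssd, default_search_base):
    """(service, base DN) for an SSD 'service:base?scope?filter'; a base ending in ',' gets defaultSearchBase appended."""
    service, _, rest = ssd.partition(":")
    base = rest.split("?")[0]
    if base.endswith(","):
        base += default_search_base
    return service, base


def check_local(local, entry):
    """Return the Table 9-3 rules the local ldapclient attributes violate."""
    problems = []
    cred = entry.get("credentialLevel", ["anonymous"])[0]
    if not local.get("domainName"):
        problems.append("domainName has no default and must be specified")
    if cred == "proxy":
        problems += [f"credentialLevel is proxy, so {n} must be specified"
                     for n in ("proxyDN", "proxyPassword") if not local.get(n)]
    if local.get("enableShadowUpdate", "false").lower() == "true" and cred != "self":
        problems += [f"enableShadowUpdate is true, so {n} must be specified"
                     for n in ("adminDN", "adminPassword") if not local.get(n)]
    return problems


def certificate_path(local, entry):
    """Certificate database directory when any configured method uses TLS, else None."""
    methods = entry.get("authenticationMethod", []) + entry.get("serviceAuthenticationMethod", [])
    return local.get("certificatePath", "/var/ldap") if any("tls:" in m for m in methods) else None


if __name__ == "__main__":
    profile = parse_ldif(SAMPLE_PROFILE_LDIF)
    print("profile problems:", check_profile(profile))
    print("refresh interval:", refresh_interval(profile))
    for ssd in profile["serviceSearchDescriptor"]:
        print("SSD base:", resolve_ssd_base(ssd, profile["defaultSearchBase"][0]))
    local = {"domainName": "example.com", "proxyDN": "cn=proxyagent,ou=profile,dc=example,dc=com"}
    print("local problems:", check_local(local, profile))
    print("certificatePath:", certificate_path(local, profile))
```

Run as a script, the sample profile passes every Table 9-2 check, the `passwd` SSD base `ou=people,` resolves to `ou=people,dc=example,dc=com` while the absolute `group` base is left alone, and the local check reports that proxyPassword is missing for a proxy credential level. Swapping a server address for a host name in the sample makes the profile check fail, which is the mistake the table warns against.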