Creating a Trusted Extensions LDAP Client

The following procedure creates an LDAP client for an existing Trusted Extensions Directory Server.

Make the Global Zone an LDAP Client in Trusted Extensions

This procedure establishes the LDAP naming service configuration for the global zone on an LDAP client.

Use the txzonemgr script.

Note - If you plan to set up a name server in each labeled zone, you are responsible for establishing the LDAP client connection to each labeled zone.

Before You Begin

The Oracle Directory Server Enterprise Edition, that is, the Directory Server, must exist. The server must be populated with Trusted Extensions databases, and this client system must be able to contact the server. So, the Directory Server must have assigned a security template to this client. A specific assignment is not required, a wildcard assignment is sufficient.

You must be in the root role in the global zone.

If you are using DNS, add dns to the name-service/switch configuration.

The standard naming service switch file for LDAP is too restrictive for Trusted Extensions.

Display the current configuration.

# svccfg -s name-service/switch listprop config
config                       application
config/value_authorization   astring       solaris.smf.value.name-service.switch
config/default               astring       files ldap
config/netgroup              astring       ldap
config/printer               astring       "user files ldap"

Add dns to the host property and refresh the service.

# svccfg -s name-service/switch setprop config/host = astring: "files dns ldap"
# svccfg -s name-service/switch:default refresh

Verify the new configuration.

# svccfg -s name-service/switch listprop config
config                       application
config/value_authorization   astring       solaris.smf.value.name-service.switch
config/default               astring       files ldap
config/host                  astring       files dns ldap
config/netgroup              astring       ldap
config/printer               astring       "user files ldap"

The Trusted Extensions databases use the default configuration files ldap, so are not listed.

To create an LDAP client, run the txzonemgr command without any options.

# txzonemgr &

Double-click the global zone.
Select Create LDAP Client.

Answer the following prompts and click OK after each answer:

Enter Domain Name:                   Type the domain name
Enter Hostname of LDAP Server:       Type the name of the server
Enter IP Address of LDAP Server servername: Type the IP address
Enter LDAP Proxy Password:       Type the password to the server
Confirm LDAP Proxy Password:     Retype the password to the server
Enter LDAP Profile Name:         Type the profile name

Confirm or cancel the displayed values.
```
Proceed to create LDAP Client?
```
When you confirm, the txzonemgr script runs the ldapclient init command.

Complete client configuration by enabling shadow updates.

# ldapclient -v mod -a enableShadowUpdate=TRUE \
> -a adminDN=cn=admin,ou=profile,dc=domain,dc=suffix
System successfully configured

Verify that the information on the server is correct.
1. Open a terminal window, and query the LDAP server.
```
# ldapclient list
```
  The output looks similar to the following:
```
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=domain-name
...
NS_LDAP_BIND_TIME= number
```
2. Correct any errors.
  If you get an error, redo Step 2 through Step 4. For example, the following error can indicate that the system does not have an entry on the LDAP server:
```
LDAP ERROR (91): Can't connect to the LDAP server.
Failed to find defaultSearchBase for domain domain-name
```
  To correct this error, you need to check the LDAP server.

Skip Navigation Links
Exit Print View
	Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library