Sun Microsystems, Inc.
Chapter 16

Client Setup (Task)

This chapter describes how to set up a Solaris LDAP naming service client.

This chapter covers the following topics.

  • Prerequisites

  • Initializing a Client

  • Using Profiles to Initialize a Client

  • Using Proxy Credentials

  • Initializing a Client Manually

Prerequisites

In order for a Solaris client to use LDAP as a naming service, the following needs to be in place.

  • The client's domain name must be served by the LDAP server

  • The nsswitch.conf file needs to point to LDAP for the required services. For information about the nsswitch.conf file, see Chapter 2, The Name Service Switch (Overview)

  • The client needs to be configured with all the given parameters that define its behavior

  • ldap_cachemgr needs to be running on the client

  • At least one server for which a client is configured must be up and running

The ldapclient utility is the key to setting up an LDAP client, as it performs all of the above steps except starting the server. The rest of this chapter shows examples of how to use ldapclient to set up an LDAP client, and how to use the other LDAP utilities to get information about an LDAP client and check its status.

Initializing a Client

ldapclient(1M) is a utility used to set up LDAP clients in the Solaris operating environment. ldapclient assumes the server has already been configured with the appropriate client profiles; you must install and configure the server with those profiles before you can set up any clients.

There are two ways to set up a client using ldapclient.

  • Profile

    At a minimum, you need to specify the address of the server that holds the profile and the domain you wish to use. If no profile is specified, the "default" profile is assumed. The server provides the rest of the required information, except for proxy and certificate database information. If a client's credential level is proxy or proxy anonymous, you must supply the proxy bind DN and password. See "Assigning Client Credential Levels" for more information.

  • Manual

    You configure the profile on the client itself, which means defining all parameters from the command line. The profile information is stored in the client's cache files and is never refreshed from the server.


Note - Though you can manually configure clients, it is not recommended. Using the configuration profiles decreases the complexity and cost of managing clients.


Using Profiles to Initialize a Client

How to Initialize a Client Using Profiles

  1. Become superuser.

  2. Run ldapclient with init.

    # ldapclient init -a profileName=new \
        -a domainName=west.example.com 192.168.0.0
    System successfully configured

Using Proxy Credentials

How to Initialize a Client using Proxy Credentials

  1. Become superuser.

  2. Run ldapclient (defining proxy values).

    # ldapclient init -a proxyDn=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
        -a domainname=west.example.com -a profilename=pit1 \
        -a proxypassword=test1234 192.168.0.0
    System successfully configured

The -a proxyDn and -a proxypassword arguments are required if the profile to be used is set up for proxy. As the credentials are not stored in the profile saved on the server, you need to supply them when you initialize the client. This method is more secure than the older method of storing the proxy credentials on the server. Note, however, that the password is passed on the command line: it is visible to other users in the process list while ldapclient runs, and it may be recorded in the shell history of the account you run it from, so clear that history afterwards.

The proxy information is used to create /var/ldap/ldap_client_cred, and the rest of the information is put in /var/ldap/ldap_client_file.


Note - DO NOT edit either the client configuration files directly. Use ldapclient to create or modify the content of these files.


Initializing a Client Manually

Superusers can perform manual client configurations. However, many of the checks that profile-based initialization performs are bypassed, so it is relatively easy to misconfigure your system. In addition, you must change settings on every machine, instead of in one central place, as is done when using profiles.

How to Initialize a Client Manually

  1. Become superuser.

  2. Use ldapclient manual.

    # ldapclient manual -a domainName=west.example.com \
        -a credentialLevel=proxy -a defaultSearchBase=dc=west,dc=example,dc=com \
        -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
        -a proxyPassword=testtest 192.168.0.0

  3. Use ldapclient list to verify. NS_LDAP_BINDPASSWD is shown in the obfuscated {NS1} form in which ldapclient stores it. Because the client must present the cleartext password to the server when it binds, this encoding is reversible, so treat /var/ldap/ldap_client_cred as a cleartext secret and keep it readable by root only.

    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
    NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
    NS_LDAP_SERVERS= 192.168.0.0
    NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
    NS_LDAP_CREDENTIAL_LEVEL= proxy
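The prerequisites listed at the start of this chapter, the proxy credential handling, and the ldapclient list verification step above can be checked from a script. The following is an added example, not part of the Sun documentation or of the ldapclient utility: it parses ldapclient list output, checks that nsswitch.conf sends the named services to ldap, and checks that the credential file is not readable by other users. The ldapclient list and nsswitch.conf text embedded in it is constructed sample input modelled on the output shown above, so the checks can be exercised on any POSIX sh; the live checks at the end run only where ldapclient is installed.

```shell
#!/bin/sh
# Added example (not from the Sun documentation): post-initialization checks for
# a Solaris LDAP naming service client.

# Constructed sample of `ldapclient list` output for a proxy-level client.
SAMPLE_LIST='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 192.168.0.0
NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
NS_LDAP_CREDENTIAL_LEVEL= proxy'

# Constructed sample of `ldapclient list` output for an anonymous-level client.
SAMPLE_ANON='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.0.0
NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
NS_LDAP_CREDENTIAL_LEVEL= anonymous'

# Constructed sample of nsswitch.conf lines; hosts deliberately does not use ldap.
SAMPLE_NSSWITCH='passwd:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   ldap'

# Print the value of one NS_LDAP_* parameter from ldapclient list output.
# $1 = output text, $2 = parameter name (e.g. NS_LDAP_SERVERS).
ldap_param() {
    printf '%s\n' "$1" | sed -n "s/^$2= *//p" | head -n 1
}

# Return 0 when the credential level and the stored credentials are consistent:
# proxy and proxy anonymous clients need both a bind DN and a bind password,
# anonymous clients need neither.  $1 = ldapclient list output.
check_credentials() {
    level=$(ldap_param "$1" NS_LDAP_CREDENTIAL_LEVEL)
    dn=$(ldap_param "$1" NS_LDAP_BINDDN)
    pw=$(ldap_param "$1" NS_LDAP_BINDPASSWD)
    case "$level" in
        proxy|"proxy anonymous") [ -n "$dn" ] && [ -n "$pw" ] ;;
        anonymous)               return 0 ;;
        *)                       return 1 ;;
    esac
}

# Return 0 when every named service line in nsswitch.conf lists the ldap source.
# $1 = nsswitch.conf contents, remaining arguments = service names.
check_nsswitch() {
    conf=$1
    shift
    for svc in "$@"; do
        printf '%s\n' "$conf" | grep -Eq "^$svc:.*[[:space:]]ldap([[:space:]]|$)" || return 1
    done
    return 0
}

# Return 0 when the file at $1 exists and has no group or other read bit.
# Uses ls(1) because stat(1) flags differ between Solaris and other systems.
cred_file_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 1
    case "$perms" in
        ????-??-??) return 0 ;;   # positions 5 and 8 are the group/other read bits
        *)          return 1 ;;
    esac
}

# Live checks, run only on a host that actually has ldapclient installed.
if command -v ldapclient >/dev/null 2>&1; then
    live=$(ldapclient list 2>/dev/null)
    check_credentials "$live" && echo "credentials: ok" || echo "credentials: MISSING for level"
    check_nsswitch "$(cat /etc/nsswitch.conf)" passwd group \
        && echo "nsswitch: passwd/group use ldap" || echo "nsswitch: ldap not configured"
    cred_file_private /var/ldap/ldap_client_cred \
        && echo "ldap_client_cred: private" || echo "ldap_client_cred: CHECK PERMISSIONS"
    pgrep ldap_cachemgr >/dev/null 2>&1 \
        && echo "ldap_cachemgr: running" || echo "ldap_cachemgr: NOT running"
fi
```

Run it as root on the client after ldapclient init or ldapclient manual; the live section reports each prerequisite on its own line, and the sample data at the top lets you confirm the parsing logic on a non-Solaris workstation first.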
