Sun Microsystems, Inc.
Chapter 18

General Reference

  1. "Blank Checklists"

  2. "Upgrade Information"

  3. "LDAP Commands"

  4. "An example pam.conf file for pam_ldap"

  5. "IETF Schemas"

  6. "Directory User Agent Profile (DUAProfile) Schema"

  7. "Solaris Schemas"

  8. "Internet Print Protocol Information"

  9. "Generic Directory Server Requirements"

  10. "Default Filters Used By Naming Services"

Blank Checklists

Table 18-1 Server Variables Defined

Variable                                                                             | Definition for _______ Network
-------------------------------------------------------------------------------------|-------------------------------
Port number at which an instance of the directory server is installed (DEFAULT=389)  |
Name of server                                                                       |
Replica server(s) (IP number:port number)                                            |
Directory manager [dn: cn=directory manager]                                         |
Domain name to be served                                                             |
Maximum time (in seconds) to process client requests before timing out               |
Maximum number of entries returned for each search request                           |

Table 18-2 Client Profile Variables Defined

Variable                                                                                              | Definition for ________ Network
------------------------------------------------------------------------------------------------------|--------------------------------
Profile name                                                                                          |
Server list (defaults to the local subnet)                                                            |
Preferred server list (listed in order of which server to try first, second, and so on)               |
Search scope (number of levels down through the directory tree: 'One' or 'Sub')                       |
Credential used to gain access to the server. Default is anonymous.                                   |
Follow referrals? (a pointer to another server if the main server is unavailable) Default is no.      |
Search time limit (in seconds, default 30) for waiting for the server to return information.          |
Bind time limit (in seconds, default 30) for contacting the server.                                   |
Authentication method. Default is none.                                                               |

Upgrade Information

Solaris 9 clients are fully compatible with directory servers set up to serve Solaris 8 clients. ldapclient(1M) can simply download such a profile and configure the client using version 1 profiles. However, to take advantage of the new features built into Solaris 9 and to use the new security model, version 2 profiles must be used.

Servers can serve a mix of old and new clients, and both kinds of client see the same results from the server, as long as schema mapping is not enabled and version 2 profiles are not configured to use special filters in serviceSearchDescriptors. If the server is not using the default schema, older clients cannot use that server, because Solaris 8 clients cannot arbitrarily map their schema.

One additional change that should also be considered: in Solaris 8, running ldap_cachemgr(1M) on clients was recommended but optional. In Solaris 9, ldap_cachemgr(1M) must be running at all times; this daemon is required for the client to function properly.

New Automount Schema

By default, Solaris 9 uses a new schema for automount entries instead of the generic NIS map schema that Solaris 8 clients used. This means that if you set up a server with Solaris 9 tools, Solaris 8 clients cannot see the automount entries. For sites where the server being set up is to serve both Solaris 9 and Solaris 8 clients, a profile can be created that maps the schema to the old one before the automounter entries are added. This ensures that ldapaddent(1M) adds the entries using the old schema. Note, however, that all Solaris 9 clients must then use a profile in which the automount schema is mapped.

Add the following mapping attributes to your profile for this mapping to take effect.

attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountKey=cn
attributeMap: automount:automountInformation=nisMapEntry
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
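What those five mapping lines do to an entry, as an added Python example (not code from the page or from Sun): it parses the attributeMap/objectclassMap lines and rewrites a constructed LDIF entry from the Solaris 9 automount schema into the nisMap/nisObject form that Solaris 8 clients expect. The sample entry, its DN and the example.com suffix are assumptions.

```python
import re
# The mapping lines from the profile shown above (copied from the page).
PROFILE_MAPS = """\
attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountKey=cn
attributeMap: automount:automountInformation=nisMapEntry
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
"""

# Constructed sample entry in the Solaris 9 automount schema (not taken from the page).
NEW_SCHEMA_ENTRY = """\
dn: automountKey=/home,automountMapName=auto_master,ou=automount,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home
automountInformation: auto_home
"""

def parse_maps(text, service="automount"):
    """Return (attr_map, oc_map): new-schema name (lowercased) -> old-schema name."""
    attr_map, oc_map = {}, {}
    for line in text.splitlines():
        m = re.match(r"(attributeMap|objectclassMap):\s*(\w+):(\w+)=(\w+)\s*$", line)
        if m and m.group(2) == service:
            target = attr_map if m.group(1) == "attributeMap" else oc_map
            target[m.group(3).lower()] = m.group(4)
    return attr_map, oc_map

def map_dn(dn, attr_map):  # rewrite the attribute type of each RDN; values are untouched
    return re.sub(r"(^|,)\s*([A-Za-z][\w-]*)=",
                  lambda m: f"{m.group(1)}{attr_map.get(m.group(2).lower(), m.group(2))}=", dn)

def map_ldif_entry(ldif, attr_map, oc_map):
    """Rewrite one LDIF entry from the Solaris 9 automount schema to the NIS map schema."""
    out = []
    for line in ldif.strip().splitlines():
        name, _, value = (s.strip() for s in line.partition(":"))
        if name.lower() == "dn":
            out.append("dn: " + map_dn(value, attr_map))
        elif name.lower() == "objectclass":
            out.append("objectClass: " + oc_map.get(value.lower(), value))
        else:
            out.append(attr_map.get(name.lower(), name) + ": " + value)
    return "\n".join(out)

def example():
    attr_map, oc_map = parse_maps(PROFILE_MAPS)
    return map_ldif_entry(NEW_SCHEMA_ENTRY, attr_map, oc_map)
```

The mapped entry comes out with a cn=/home,nisMapName=auto_master RDN chain, objectClass nisObject and a nisMapEntry attribute, which is what a Solaris 8 client searches for.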

LDAP Commands

There are two sets of LDAP-related commands in Solaris. One set is the general LDAP tools, which do not require the client to be configured with the LDAP naming service. The second set uses the common LDAP configuration on the client and therefore can only be used if the client is configured to use LDAP as its naming service.

General LDAP Tools

LDAP command line tools support a common set of options, including authentication and bind parameters.

These commands can be used to manipulate directory entries directly. The ldapsearch, ldapadd, and ldapmodify tools support a common text-based format for representing directory information called the LDAP Data Interchange Format (LDIF).

Table 18-3 LDAP Tools

Tool           | Function
---------------|------------------------------------------------------------------------------------------
ldapsearch(1)  | Use to search for directory entries in the namespace. Displays the attributes and values found.
ldapmodify(1)  | Use to modify or add a directory entry.
ldapadd(1)     | Use to add a new directory entry.
ldapdelete(1)  | Use to delete an existing directory entry.

LDAP Tools Requiring LDAP Naming Services

Table 18-4 Tools (from Section 1 Man Pages)

Tool            | Function
----------------|----------------------------------------------------------------------------------------------
ldapaddent(1M)  | Used to create entries in LDAP containers from their corresponding /etc files, that is, to populate the directory from files. For example, it reads a file in /etc/passwd format and populates passwd entries in the directory.
ldaplist        | Used to list the contents of various services from the directory.
idsconfig       | Used to set up iPlanet Directory Server 5.1 to serve LDAP naming service clients.

An example pam.conf file for pam_ldap

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth required           pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_authtok_get.so.1
rsh     auth required           pam_dhkeys.so.1
rsh     auth sufficient         pam_unix_auth.so.1
rsh     auth required           pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth required           pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1  try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password required       pam_authtok_get.so.1
other   password required       pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
other   password required       pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass
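An added Python example (not Sun's code and not part of the page) that applies the required/requisite/sufficient/optional rules to the login auth stack above and to the "other" fallback used for services without an explicit entry: it shows that pam_ldap is consulted only when pam_unix_auth fails, and its parser rejects a comment continuation that has lost its leading "#", the kind of line that breaks a pam.conf. The service name svc_x is hypothetical.

```python
# Constructed excerpt of the pam.conf above: the login auth stack plus the "other" fallback stack.
PAM_CONF = """\
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1 try_first_pass
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 try_first_pass
"""

def parse_pam_conf(text):
    """Return (service, type, control, module) tuples; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if 0 < len(parts) < 4:  # e.g. a comment continuation wrapped onto a line of its own
            raise ValueError(f"malformed pam.conf line: {line!r}")
        if parts:
            entries.append(tuple(parts[:4]))
    return entries

def stack_for(entries, service, mtype):  # explicit stack if present, else the "other" stack
    explicit = [e for e in entries if e[0] == service and e[1] == mtype]
    return explicit or [e for e in entries if e[0] == "other" and e[1] == mtype]

def evaluate(stack, results):  # results maps module name -> True (pass) / False (fail)
    failed = False
    for _, _, control, module in stack:
        ok = results.get(module, False)       # a module without a result counts as failure
        if control == "requisite" and not ok:
            return False                      # fail at once; the remaining modules are skipped
        if control == "sufficient" and ok and not failed:
            return True                       # nothing before it failed: authenticated here
        failed = failed or (control == "required" and not ok)  # remember, but keep running
    return not failed                         # optional modules never change the outcome

def scenarios():
    entries = parse_pam_conf(PAM_CONF)
    login = stack_for(entries, "login", "auth")
    base = {"pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True, "pam_dial_auth.so.1": True}
    return {
        "local_user": evaluate(login, {**base, "pam_unix_auth.so.1": True}),  # pam_ldap never runs
        "ldap_user": evaluate(login, {**base, "pam_ldap.so.1": True}),        # pam_ldap decides
        "wrong_password": evaluate(login, base),
        "fallback": [e[3] for e in stack_for(entries, "svc_x", "auth")],      # hypothetical service
    }
```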