ldap - LDAP as a naming repository


     LDAP refers to Lightweight Directory Access Protocol,  which
     is  an industry standard for accessing directory servers. By
     initializing the client using ldapclient(1M) and  using  the
     keyword    ldap   in   the   name   service   switch   file,
     /etc/nsswitch.conf, Solaris clients can obtain naming infor-
     mation  from an LDAP server.  Information such as usernames,
     hostnames, and passwords are stored on the LDAP server in  a
     Directory  Information  Tree  or  DIT.  The  DIT consists of
     entries which in  turn  are  composed  of  attributes.  Each
     attribute has a type and one or more values.

     Solaris LDAP clients use the LDAP v3 protocol to access nam-
     ing information from LDAP servers. The LDAP server must sup-
     port the object classes and attributes defined in RFC2307bis
     (draft),  which maps the naming service model on to LDAP. As
     an alternate to  using  the  schema  defined  in  RFC2307bis
     (draft),  the  system  can be configured to use other schema
     sets and the schema mapping feature  is  configured  to  map
     between  the  two. Refer to the System Administration Guide:
     Naming and Directory Services (DNS, NIS, and LDAP) for  more

     The ldapclient(1M) utility can make  a  Solaris  machine  an
     LDAP  client  by  setting  up  the  appropriate directories,
     files, and configuration information. The LDAP client caches
     this  configuration  information  in local cache files. This
     configuration   information   is   accessed   through    the
     ldap_cachemgr(1M)  daemon.  This  daemon  also refreshes the
     information in the configuration files from the LDAP server,
     providing better performance and security. The ldap_cachemgr
     must run at all times for the proper operation of the naming

     There are two types of configuration information, the infor-
     mation   available  through  a  profile, and the information
     configured per client. The profile contains all the informa-
     tion  as  to  how  the   client  accesses the directory. The
     credential information for proxy user is configured on a per
     client basis and is not downloaded through the profile.

     The profile contains server-specific parameters   that   are
     required   by   all  clients  to  locate the servers for the
     desired LDAP domain. This information could be the  server's
     IP  address and the search base Distinguished Name (DN), for
     instance. It is configured on the client  from  the  default
     profile  during  client  initialization and is  periodically
     updated by the ldap_cachemgr daemon when the expiration time
     has elapsed.
     Client profiles can be stored on the LDAP server and may  be
     used by the ldapclient utility to initialize an LDAP client.
     Using the client profile is the easiest way to  configure  a
     client  machine. See ldapclient(1M).

     Credential information includes  client-specific  parameters
     that  are  used  by  a client. This information could be the
     Bind DN (LDAP "login" name) of the client and the  password.
     If  these parameters are required, they are manually defined
     during the initialization through ldapclient(1M).

     The naming information is stored in containers on  the  LDAP
     server.  A  container   is  a non-leaf entry in the DIT that
     contains naming service information. Containers are  similar
     to maps in NIS and tables in NIS+. A default mapping between
     the NIS databases  and the containers  in LDAP is  presented
     below.  The  location  of  these containers as well as their
     names  can be overridden through  the  use  of  serviceSear-
     chDescriptors. For more information see ldapclient(1M).

    | Database           | Object Class       |  Container                |
    | passwd             | posixAccount       |  ou=people,dc=...         |
    |                    | shadowAccount      |                           |
    | group              | posixGroup         |  ou=Group,dc=...          |
    | services           | ipService          |  ou=Services,dc=...       |
    | protocols          | ipProtocol         |  ou=Protocols,dc=...      |
    | rpc                | oncRpc             |  ou=Rpc,dc=...            |
    | hosts              | ipHost             |  ou=Hosts,dc=...          |
    | ipnodes            |                    |                           |
    | ethers             | ieee802Device      |  ou=Ethers,dc=...         |
    | bootparams         | bootableDevice     |  ou=Ethers,dc=...         |
    | networks           | ipNetwork          |  ou=Networks,dc=...       |
    | netmasks           | ipNetwork          |  ou=Networks,dc=...       |
    | netgroup           | nisNetgroup        |  ou=Netgroup,dc=...       |
    | aliases            | mailGroup          |  ou=Aliases,dc=...        |
    | publickey          | nisKeyObject       |                           |
    | generic            | nisObject          |  nisMapName=...,dc=...    |
    | printers           | printerService     |  ou=Printers,dc=...       |
    | auth_attr          | SolarisAuthAttr    |  ou=SolarisAuthAttr,dc=...|
    | prof_attr          | SolarisProfAttr    |  ou=SolarisProfAttr,dc=...|
    | exec_attr          | SolarisExecAttr    |  ou=SolarisProfAttr,dc=...|
    | user_attr          | SolarisUserAttr    |  ou=people,dc=...         |
    | audit_attr         | SolarisAuditAttr   |  ou=people,dc=...         |

     The security model for clients is defined by  a  combination
     of  the  credential  level  to  be  used, the authentication
     method, and the PAM module to be  used,  that  is,  pam_unix
     versus   pam_ldap. The credential level defines what creden-
     tials the client should use to authenticate to  the   direc-
     tory  server,  and  the  authentication  method  defines the
     method of choice.  Both  these  can  be  set  with  multiple
     values.  The  Solaris LDAP supports the following values for
     credential level :



     The Solaris LDAP supports the following values for authenti-
     cation method:








     More protection can be provided by means of  access control,
     allowing  the  server to grant access for certain containers
     or entries. Access control is specified  by  Access  Control
     Lists  (ACL's)  that  are  defined  and  stored  in the LDAP
     server. The Access Control Lists  on  the  LDAP  server  are
     called  Access  Control  Instructions (ACI's) by the iPlanet
     Directory Server. Each ACL or  ACI  specifies  one  or  more
     directory  objects,  for   example,  the  cn  attribute in a
     specific container, one or more clients to whom you grant or
     deny  access,  and  one or more access rights that determine
     what the clients can do to or with the objects. Clients  can
     be users or  applications. Access rights can be specified as
     read and write, for  example. Refer to the  System  Adminis-
     tration  Guide: Naming and Directory Services (DNS, NIS, and
     LDAP) regarding the restrictions on  ACL's  and  ACI's  when
     using LDAP as a naming repository.

     A sample nsswitch.conf(4) file called nsswitch.ldap is  pro-
     vided   in   the   /etc   directory.    This  is  copied  to
     /etc/nsswitch.conf  by the ldapclient(1M) utility. This file
     uses LDAP as a repository for the different databases in the
     nsswitch.conf file.

     The following is a list of  the  user  commands  related  to

           Prepares an iPlanet Directory Server to  be  ready  to
           support Solaris LDAP clients.`

           Creates LDAP entries from corresponding /etc files.

           Initializes LDAP clients, or generate a  configuration
           profile to be stored in the directory.

           Lists the contents of the LDAP naming space.



           Files that  contain  the  LDAP  configuration  of  the
           client. Do not manually modify these files. Their con-
           tent is not  guaranteed  to  be  human  readable.  Use
           ldapclient(1M) to update them.

           Configuration file for the name-service switch

           Sample configuration file for the name-service  switch
           configured with LDAP and files

           PAM framework configuration file.


     ldaplist(1),        idsconfig(1M),        ldap_cachemgr(1M),
     ldapaddent(1M),       ldapclient(1M),      nsswitch.conf(4),
     pam.conf(4),    pam_authtok_check(5),    pam_authtok_get(5),
     pam_authtok_store(5),       pam_dhkeys(5),      pam_ldap(5),
     pam_passwd_auth(5),    pam_unix(5),     pam_unix_account(5),
     pam_unix_auth(5), pam_unix_session(5),

     System Administration Guide: Naming and  Directory  Services
     (DNS, NIS, and LDAP)


     The pam_unix(5) module might not be supported  in  a  future
     release.    Similar    functionality    is    provided    by
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5),          pam_unix_auth(5),          and

Man(1) output converted with man2html