LDAP(1) User Commands LDAP(1)
NAME
ldap - LDAP as a naming repository
DESCRIPTION
LDAP refers to Lightweight Directory Access Protocol, which is an
industry standard for accessing directory servers. By initializing the
client using ldapclient(8) and using the keyword ldap in the name
service switch file, /etc/nsswitch.conf, Solaris clients can obtain
naming information from an LDAP server. Information such as usernames,
hostnames, and passwords is stored on the LDAP server in a Directory
Information Tree or DIT. The DIT consists of entries which in turn are
composed of attributes. Each attribute has a type and one or more
values.
Solaris LDAP clients use the LDAP v3 protocol to access naming
information from LDAP servers. The LDAP server must support the object
classes and attributes defined in RFC2307bis (draft), which maps the
naming service model onto LDAP. As an alternative to using the schema
defined in RFC2307bis (draft), the system can be configured to use
other schema sets, and the schema mapping feature is configured to map
between the two. Refer to the System Administration Guide: Naming and
Directory Services (DNS, NIS, and LDAP) for more details.
The ldapclient(8) utility can make a Solaris machine an LDAP client by
setting up the appropriate directories, files, and configuration
information. The LDAP client caches this configuration information in
local cache files. This configuration information is accessed through
the ldap_cachemgr(8) daemon. This daemon also refreshes the information
in the configuration files from the LDAP server, providing better
performance and security. The ldap_cachemgr daemon must run at all
times for the proper operation of the naming services.
There are two types of configuration information: the information
available through a profile, and the information configured per
client. The profile contains all the information as to how the client
accesses the directory. The credential information for the proxy user
is configured on a per-client basis and is not downloaded through the
profile.
The profile contains server-specific parameters that are required by
all clients to locate the servers for the desired LDAP domain. This
information could be the server's IP address and the search base
Distinguished Name (DN), for instance. It is configured on the client
from the default profile during client initialization and is
periodically updated by the ldap_cachemgr daemon when the expiration
time has elapsed.
Client profiles can be stored on the LDAP server and can be used by the
ldapclient utility to initialize an LDAP client. Using the client
profile is the easiest way to configure a client machine. See
ldapclient(8).
Credential information includes client-specific parameters that are
used by a client. This information could be the Bind DN (LDAP "login"
name) of the client and the password. If these parameters are required,
they are manually defined during the initialization through
ldapclient(8).
The naming information is stored in containers on the LDAP server. A
container is a non-leaf entry in the DIT that contains naming service
information. Containers are similar to maps in NIS. A default mapping
between the NIS databases and the containers in LDAP is presented
below. The location of these containers as well as their names can be
overridden through the use of serviceSearchDescriptors. For more
information, see ldapclient(8).
+------------+-----------------+---------------------------+
| Database   | Object Class    | Container                 |
+------------+-----------------+---------------------------+
| passwd     | posixAccount    | ou=people,dc=...          |
|            | shadowAccount   |                           |
+------------+-----------------+---------------------------+
| group      | posixGroup      | ou=Group,dc=...           |
+------------+-----------------+---------------------------+
| services   | ipService       | ou=Services,dc=...        |
+------------+-----------------+---------------------------+
| protocols  | ipProtocol      | ou=Protocols,dc=...       |
+------------+-----------------+---------------------------+
| rpc        | oncRpc          | ou=Rpc,dc=...             |
+------------+-----------------+---------------------------+
| hosts      | ipHost          | ou=Hosts,dc=...           |
| ipnodes    | ipHost          | ou=Hosts,dc=...           |
+------------+-----------------+---------------------------+
| ethers     | ieee802Device   | ou=Ethers,dc=...          |
+------------+-----------------+---------------------------+
| bootparams | bootableDevice  | ou=Ethers,dc=...          |
+------------+-----------------+---------------------------+
| networks   | ipNetwork       | ou=Networks,dc=...        |
| netmasks   | ipNetwork       | ou=Networks,dc=...        |
+------------+-----------------+---------------------------+
| netgroup   | nisNetgroup     | ou=Netgroup,dc=...        |
+------------+-----------------+---------------------------+
| aliases    | mailGroup       | ou=Aliases,dc=...         |
+------------+-----------------+---------------------------+
| publickey  | nisKeyObject    |                           |
+------------+-----------------+---------------------------+
| generic    | nisObject       | nisMapName=...,dc=...     |
+------------+-----------------+---------------------------+
| printers   | printerService  | ou=Printers,dc=...        |
+------------+-----------------+---------------------------+
| auth_attr  | SolarisAuthAttr | ou=SolarisAuthAttr,dc=... |
+------------+-----------------+---------------------------+
| prof_attr  | SolarisProfAttr | ou=SolarisProfAttr,dc=... |
+------------+-----------------+---------------------------+
| exec_attr  | SolarisExecAttr | ou=SolarisProfAttr,dc=... |
+------------+-----------------+---------------------------+
| user_attr  | SolarisUserAttr | ou=people,dc=...          |
+------------+-----------------+---------------------------+
The security model for clients is defined by a combination of the
credential level to be used, the authentication method, and the PAM
modules to be used. The credential level defines what credentials the
client should use to authenticate to the directory server, and the
authentication method defines the method of choice. Both of these can
be set with multiple values. The Solaris LDAP supports the following
values for credential level:

    anonymous
    proxy
    self

The Solaris LDAP supports the following values for authentication
method:

    none
    simple
    sasl/CRAM-MD5
    sasl/DIGEST-MD5
    sasl/GSSAPI
    tls:simple
    tls:sasl/CRAM-MD5
    tls:sasl/DIGEST-MD5

When the credential level is configured as self, DNS must be configured
and the authentication method must be sasl/GSSAPI. The hosts and
ipnodes entries in /etc/nsswitch.conf must be configured to use DNS,
for example hosts: dns files and ipnodes: dns files. sasl/GSSAPI
automatically uses GSSAPI confidentiality and integrity options, if
they are configured on the directory server.

The credential level of self enables per-user naming service lookups,
or lookups that use the GSSAPI credentials of the user when connecting
to the directory server. Currently the only GSSAPI mechanism supported
in this model is Kerberos V5. Kerberos must be configured before you
can use this credential level. See kerberos(7) for details.
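The rules above (the permitted credential levels and authentication methods, and the requirement that credential level self be paired with sasl/GSSAPI and with DNS-backed hosts and ipnodes entries) can be turned into a consistency check. The following is an added example, not part of this manual page or of the Solaris/illumos sources. It takes the credential levels and authentication methods as plain arguments (an assumption: on a real client these values live in the configuration maintained by ldapclient(8), which the example does not read) and parses the hosts and ipnodes lines from nsswitch.conf text. The nsswitch.conf fragments are constructed samples, not the shipped nsswitch.ldap. One check goes beyond what the page states: the plain simple method is flagged because a simple bind without TLS carries the bind password unprotected on the network.

```python
"""Consistency checks for a Solaris LDAP client's security configuration.

Added example, not part of ldap(1) or of the Solaris/illumos sources.
Configuration values are passed in as arguments (assumption: a real
client would read them from its configuration via ldapclient(8)).
"""

# Values listed in ldap(1) for credential level and authentication method.
CREDENTIAL_LEVELS = {"anonymous", "proxy", "self"}
AUTH_METHODS = {
    "none", "simple",
    "sasl/CRAM-MD5", "sasl/DIGEST-MD5", "sasl/GSSAPI",
    "tls:simple", "tls:sasl/CRAM-MD5", "tls:sasl/DIGEST-MD5",
}

# Constructed sample nsswitch.conf fragments (not the shipped nsswitch.ldap).
NSSWITCH_WITH_DNS = """\
# hosts and ipnodes resolved through DNS first, as ldap(1) requires
# for credential level self
passwd:  files ldap
group:   files ldap
hosts:   dns files
ipnodes: dns files
"""

NSSWITCH_WITHOUT_DNS = """\
passwd:  files ldap
group:   files ldap
hosts:   files ldap
ipnodes: files ldap
"""


def parse_nsswitch(text):
    """Return {database: [sources]} for a name-service switch file.

    Comments and blank lines are skipped; status directives such as
    [NOTFOUND=return] are dropped so only source names remain.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        sources = [tok for tok in rest.split() if not tok.startswith("[")]
        databases[name.strip()] = sources
    return databases


def check_client_config(credential_levels, auth_methods, nsswitch_text):
    """Return a list of problems found; an empty list means the
    configuration is consistent with the rules stated in ldap(1)."""
    problems = []

    for level in credential_levels:
        if level not in CREDENTIAL_LEVELS:
            problems.append(f"unknown credential level: {level}")
    for method in auth_methods:
        if method not in AUTH_METHODS:
            problems.append(f"unknown authentication method: {method}")

    if "self" in credential_levels:
        # Rule from ldap(1): self requires sasl/GSSAPI and DNS for
        # both hosts and ipnodes.
        if any(m != "sasl/GSSAPI" for m in auth_methods):
            problems.append(
                "credential level self requires authentication method "
                "sasl/GSSAPI")
        switch = parse_nsswitch(nsswitch_text)
        for db in ("hosts", "ipnodes"):
            if "dns" not in switch.get(db, []):
                problems.append(
                    f"credential level self requires '{db}: dns ...' "
                    "in /etc/nsswitch.conf")

    # Practitioner's caveat, not stated in ldap(1): a simple bind without
    # TLS carries the bind password unprotected. Only levels that bind
    # with a password (proxy, self) are affected.
    if "simple" in auth_methods and any(
            level != "anonymous" for level in credential_levels):
        problems.append(
            "authentication method simple sends the bind password "
            "unprotected; prefer tls:simple or a SASL method")

    return problems


if __name__ == "__main__":
    for levels, methods, switch in (
            (["self"], ["sasl/GSSAPI"], NSSWITCH_WITH_DNS),
            (["self"], ["simple"], NSSWITCH_WITHOUT_DNS),
            (["proxy"], ["tls:simple"], NSSWITCH_WITHOUT_DNS)):
        found = check_client_config(levels, methods, switch)
        print(levels, methods, "->", found or "OK")
```

The second case in the usage loop reports four problems (wrong method for self, hosts and ipnodes without dns, and the unprotected simple bind); the proxy case with tls:simple passes because the DNS requirement applies only to credential level self.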
More protection can be provided by means of access control, allowing
the server to grant access for certain containers or entries. Access
control is specified by Access Control Lists (ACLs) that are defined
and stored in the LDAP server. The Access Control Lists on the LDAP
server are called Access Control Instructions (ACIs) by the SunOne
Directory Server. Each ACL or ACI specifies one or more directory
objects (for example, the cn attribute in a specific container), one or
more clients to whom you grant or deny access, and one or more access
rights that determine what the clients can do to or with the objects.
Clients can be users or applications. Access rights can be specified as
read and write, for example. Refer to the System Administration Guide:
Naming and Directory Services (DNS, NIS, and LDAP) regarding the
restrictions on ACLs and ACIs when using LDAP as a naming repository.
A sample nsswitch.conf(5) file called nsswitch.ldap is provided in the
/etc directory. This is copied to /etc/nsswitch.conf by the
ldapclient(8) utility. This file uses LDAP as a repository for the
different databases in the nsswitch.conf file.
The following is a list of the user commands related to LDAP:

    idsconfig(8)    Prepares a SunOne Directory Server to be ready to
                    support Solaris LDAP clients.

    ldapaddent(8)   Creates LDAP entries from corresponding /etc files.

    ldapclient(8)   Initializes LDAP clients, or generates a
                    configuration profile to be stored in the
                    directory.

    ldaplist(1)     Lists the contents of the LDAP naming space.
FILES
    /var/ldap/ldap_client_cred
    /var/ldap/ldap_client_file
                    Files that contain the LDAP configuration of the
                    client. Do not manually modify these files. Their
                    content is not guaranteed to be human readable. Use
                    ldapclient(8) to update them.

    /etc/nsswitch.conf
                    Configuration file for the name-service switch.

    /etc/nsswitch.ldap
                    Sample configuration file for the name-service
                    switch configured with LDAP and files.

    /etc/pam.conf   PAM framework configuration file.
SEE ALSO
    ldaplist(1), nsswitch.conf(5), pam.conf(5), kerberos(7),
    pam_authtok_check(7), pam_authtok_get(7), pam_authtok_store(7),
    pam_dhkeys(7), pam_ldap(7), pam_passwd_auth(7), pam_unix_account(7),
    pam_unix_auth(7), pam_unix_session(7), idsconfig(8),
    ldap_cachemgr(8), ldapaddent(8), ldapclient(8)

    System Administration Guide: Naming and Directory Services (DNS,
    NIS, and LDAP)
NOTES
The pam_unix(7) module is no longer supported. Similar functionality is
provided by pam_authtok_check(7), pam_authtok_get(7),
pam_authtok_store(7), pam_dhkeys(7), pam_passwd_auth(7),
pam_unix_account(7), pam_unix_auth(7), and pam_unix_session(7).
March 6, 2017 LDAP(1)