unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

ldap(1)                          User Commands                         ldap(1)



NAME
       ldap - LDAP as a naming repository

DESCRIPTION
       LDAP  refers  to  Lightweight  Directory  Access  Protocol, which is an
       industry standard for accessing directory servers. By initializing  the
       client using ldapclient(1M) and using the keyword ldap in the name ser-
       vice switch file, /etc/nsswitch.conf, Solaris clients can obtain naming
       information  from an LDAP server.  Information such as usernames, host-
       names, and passwords are stored on  the  LDAP  server  in  a  Directory
       Information  Tree or DIT. The DIT consists of entries which in turn are
       composed of attributes. Each attribute has a type and one or more  val-
       ues.

       Solaris LDAP clients use the LDAP v3 protocol to access naming informa-
       tion from LDAP servers. The LDAP server must support the object classes
       and  attributes  defined  in  RFC2307bis (draft), which maps the naming
       service model on to LDAP. As an alternate to using the  schema  defined
       in RFC2307bis (draft), the system can be configured to use other schema
       sets and the schema mapping feature is configured to  map  between  the
       two.  Refer  to  the  System Administration Guide: Naming and Directory
       Services (DNS, NIS, and LDAP) for more details.

       The ldapclient(1M) utility can make a Solaris machine an LDAP client by
       setting up the appropriate directories, files, and configuration infor-
       mation. The LDAP client caches this configuration information in  local
       cache  files.  This  configuration  information is accessed through the
       ldap_cachemgr(1M) daemon. This daemon also refreshes the information in
       the  configuration files from the LDAP server, providing better perfor-
       mance and security. The ldap_cachemgr must run at  all  times  for  the
       proper operation of the naming services.

       There  are  two  types  of  configuration  information, the information
       available through a profile, and the information configured per client.
       The profile contains all the information as to how the  client accesses
       the directory. The credential information for proxy user is  configured
       on a per client basis and is not downloaded through the profile.

       The  profile  contains  server-specific parameters that are required by
       all clients to locate the servers for the  desired  LDAP  domain.  This
       information  could be the  server's IP address and the search base Dis-
       tinguished Name (DN), for instance. It is configured on the client from
       the default profile during  client  initialization and is  periodically
       updated by the ldap_cachemgr  daemon  when  the  expiration  time   has
       elapsed.

       Client profiles can be stored on the LDAP server and may be used by the
       ldapclient utility to initialize an LDAP client. Using the client  pro-
       file  is  the  easiest  way  to configure a  client  machine. See ldap-
       client(1M).

       Credential information includes  client-specific  parameters  that  are
       used  by  a client. This information could be the Bind DN (LDAP "login"
       name) of the client and the password. If these parameters are required,
       they  are  manually  defined  during  the  initialization through ldap-
       client(1M).

       The naming information is stored in containers on the  LDAP  server.  A
       container  is  a non-leaf entry in the DIT that contains naming service
       information. Containers are similar to maps in NIS and tables in  NIS+.
       A  default  mapping  between  the NIS databases  and the containers  in
       LDAP is presented below. The location of these containers  as  well  as
       their names  can be overridden through the use of serviceSearchDescrip-
       tors. For more information, see ldapclient(1M).


       tab() allbox; lw(1.833333i)| lw(1.833333i)| lw(1.833333i).  DatabaseOb-
       ject  ClassContainer  passwdposixAccountou=people,dc=...  shadowAccount
       groupposixGroupou=Group,dc=...      servicesipServiceou=Services,dc=...
       protocolsipProtocolou=Protocols,dc=...   rpconcRpcou=Rpc,dc=...   host-
       sipHostou=Hosts,dc=...       ipnodesipHostou=Hosts,dc=...        ether-
       sieee802Deviceou=Ethers,dc=...                    bootparamsbootableDe-
       viceou=Ethers,dc=...  networksipNetworkou=Networks,dc=...   netmasksip-
       Network    ou=Networks,dc=...     netgroupnisNetgroupou=Netgroup,dc=...
       aliasesmailGroupou=Aliases,dc=...  publickeynisKeyObject  genericnisOb-
       jectnisMapName=...,dc=...      printersprinterServiceou=Printers,dc=...
       auth_attrSolarisAuthAttrou=SolarisAuthAttr,dc=...  prof_attrSolarisPro-
       fAttrou=SolarisProfAttr,dc=...   exec_attrSolarisExecAttrou=SolarisPro-
       fAttr,dc=...   user_attrSolarisUserAttrou=people,dc=...   audit_userSo-
       larisAuditUserou=people,dc=...


       The  security model for clients is defined by a combination of the cre-
       dential level to be used, the authentication method, and the  PAM  mod-
       ules  to  be  used.  The  credential level defines what credentials the
       client should use to authenticate to  the  directory  server,  and  the
       authentication  method defines the method of choice.  Both these can be
       set with multiple values. The Solaris LDAP supports the following  val-
       ues for credential level :

                 anonymous

                 proxy

       The  Solaris  LDAP  supports  the  following  values for authentication
       method:

                 none

                 simple

                 sasl/CRAM-MD5

                 sasl/DIGEST-MD5

                 tls:simple

                 tls:sasl/CRAM-MD5

                 tls:sasl/DIGEST-MD5

       More protection can be provided by means of  access  control,  allowing
       the  server  to  grant access for certain containers or entries. Access
       control is specified by Access Control Lists (ACLs)  that  are  defined
       and  stored  in  the  LDAP server. The Access Control Lists on the LDAP
       server are called Access Control  Instructions (ACIs) by the the SunOne
       Directory  Server.  Each  ACL  or  ACI  specifies one or more directory
       objects, for example, the cn attribute in a specific container, one  or
       more  clients  to whom you grant or deny access, and one or more access
       rights that determine what the clients can do to or with  the  objects.
       Clients  can  be users or  applications. Access rights can be specified
       as read and write, for example.  Refer  to  the  System  Administration
       Guide: Naming and Directory Services (DNS, NIS, and LDAP) regarding the
       restrictions on ACLs and ACIs when using LDAP as a naming repository.

       A sample nsswitch.conf(4) file called nsswitch.ldap is provided in  the
       /etc  directory.  This  is  copied  to /etc/nsswitch.conf  by the ldap-
       client(1M) utility. This file uses LDAP as a repository for the differ-
       ent databases in the  nsswitch.conf file.

       The following is a list of the user commands related to LDAP:

       idsconfig(1M)           Prepares  a SunOne Directory Server to be ready
                               to support Solaris LDAP clients.



       ldapaddent(1M)          Creates LDAP entries  from  corresponding  /etc
                               files.



       ldapclient(1M)          Initializes  LDAP  clients, or generates a con-
                               figuration profile to be stored in  the  direc-
                               tory.



       ldaplist(1)             Lists the contents of the LDAP naming space.



FILES
       /var/ldap/ldap_client_cred      Files  that contain the LDAP configura-
       /var/ldap/ldap_client_file      tion of the  client.  Do  not  manually
                                       modify  these  files.  Their content is
                                       not  guaranteed to be  human  readable.
                                       Use ldapclient(1M) to update them.




       /etc/nsswitch.conf              Configuration file for the name-service
                                       switch.



       /etc/nsswitch.ldap              Sample configuration file for the name-
                                       service switch configured with LDAP and
                                       files.



       /etc/pam.conf                   PAM framework configuration file.



SEE ALSO
       ldaplist(1), idsconfig(1M),  ldap_cachemgr(1M),  ldapaddent(1M),  ldap-
       client(1M),    nsswitch.conf(4),   pam.conf(4),   pam_authtok_check(5),
       pam_authtok_get(5), pam_authtok_store(5),  pam_dhkeys(5),  pam_ldap(5),
       pam_passwd_auth(5),        pam_unix_account(5),       pam_unix_auth(5),
       pam_unix_session(5)

       System Administration Guide: Naming and Directory Services  (DNS,  NIS,
       and LDAP)

NOTES
       The pam_unix(5) module is no longer supported. Similar functionality is
       provided   by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth-
       tok_store(5),  pam_dhkeys(5),  pam_passwd_auth(5), pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).



SunOS 5.10                        7 Jan 2004                           ldap(1)