LDAP(1) User Commands LDAP(1)


NAME


ldap - LDAP as a naming repository

DESCRIPTION


LDAP refers to Lightweight Directory Access Protocol, which is an
industry standard for accessing directory servers. By initializing the
client using ldapclient(1M) and using the keyword ldap in the name
service switch file, /etc/nsswitch.conf, Solaris clients can obtain
naming information from an LDAP server. Information such as usernames,
hostnames, and passwords are stored on the LDAP server in a Directory
Information Tree or DIT. The DIT consists of entries which in turn are
composed of attributes. Each attribute has a type and one or more values.


Solaris LDAP clients use the LDAP v3 protocol to access naming
information from LDAP servers. The LDAP server must support the object
classes and attributes defined in RFC2307bis (draft), which maps the
naming service model on to LDAP. As an alternate to using the schema
defined in RFC2307bis (draft), the system can be configured to use other
schema sets and the schema mapping feature is configured to map between
the two. Refer to the System Administration Guide: Naming and Directory
Services (DNS, NIS, and LDAP) for more details.


The ldapclient(1M) utility can make a Solaris machine an LDAP client by
setting up the appropriate directories, files, and configuration
information. The LDAP client caches this configuration information in
local cache files. This configuration information is accessed through
the ldap_cachemgr(1M) daemon. This daemon also refreshes the information
in the configuration files from the LDAP server, providing better
performance and security. The ldap_cachemgr must run at all times for the
proper operation of the naming services.


There are two types of configuration information, the information
available through a profile, and the information configured per client.
The profile contains all the information as to how the client accesses
the directory. The credential information for proxy user is configured on
a per client basis and is not downloaded through the profile.


The profile contains server-specific parameters that are required by all
clients to locate the servers for the desired LDAP domain. This
information could be the server's IP address and the search base
Distinguished Name (DN), for instance. It is configured on the client
from the default profile during client initialization and is periodically
updated by the ldap_cachemgr daemon when the expiration time has elapsed.


Client profiles can be stored on the LDAP server and can be used by the
ldapclient utility to initialize an LDAP client. Using the client profile
is the easiest way to configure a client machine. See ldapclient(1M).


Credential information includes client-specific parameters that are used
by a client. This information could be the Bind DN (LDAP "login" name) of
the client and the password. If these parameters are required, they are
manually defined during the initialization through ldapclient(1M).


The naming information is stored in containers on the LDAP server. A
container is a non-leaf entry in the DIT that contains naming service
information. Containers are similar to maps in NIS. A default mapping
between the NIS databases and the containers in LDAP is presented below.
The location of these containers as well as their names can be overridden
through the use of serviceSearchDescriptors. For more information, see
ldapclient(1M).


+-----------+-----------------+---------------------------+
| Database | Object Class | Container |
+-----------+-----------------+---------------------------+
|passwd | posixAccount | ou=people,dc=... |
| | shadowAccount | |
+-----------+-----------------+---------------------------+
|group | posixGroup | ou=Group,dc=... |
+-----------+-----------------+---------------------------+
|services | ipService | ou=Services,dc=... |
+-----------+-----------------+---------------------------+
|protocols | ipProtocol | ou=Protocols,dc=... |
+-----------+-----------------+---------------------------+
|rpc | oncRpc | ou=Rpc,dc=... |
+-----------+-----------------+---------------------------+
|hosts | ipHost | ou=Hosts,dc=... |
|ipnodes | ipHost | ou=Hosts,dc=... |
+-----------+-----------------+---------------------------+
|ethers | ieee802Device | ou=Ethers,dc=... |
+-----------+-----------------+---------------------------+
|bootparams | bootableDevice | ou=Ethers,dc=... |
+-----------+-----------------+---------------------------+
|networks | ipNetwork | ou=Networks,dc=... |
|netmasks | ipNetwork | ou=Networks,dc=... |
+-----------+-----------------+---------------------------+
|netgroup | nisNetgroup | ou=Netgroup,dc=... |
+-----------+-----------------+---------------------------+
|aliases | mailGroup | ou=Aliases,dc=... |
+-----------+-----------------+---------------------------+
|publickey | nisKeyObject | |
+-----------+-----------------+---------------------------+
|generic | nisObject | nisMapName=...,dc=... |
+-----------+-----------------+---------------------------+
|printers | printerService | ou=Printers,dc=... |
+-----------+-----------------+---------------------------+
|auth_attr | SolarisAuthAttr | ou=SolarisAuthAttr,dc=... |
+-----------+-----------------+---------------------------+
|prof_attr | SolarisProfAttr | ou=SolarisProfAttr,dc=... |
+-----------+-----------------+---------------------------+
|exec_attr | SolarisExecAttr | ou=SolarisProfAttr,dc=... |
+-----------+-----------------+---------------------------+
|user_attr | SolarisUserAttr | ou=people,dc=... |
+-----------+-----------------+---------------------------+


The security model for clients is defined by a combination of the
credential level to be used, the authentication method, and the PAM
modules to be used. The credential level defines what credentials the
client should use to authenticate to the directory server, and the
authentication method defines the method of choice. Both these can be set
with multiple values. The Solaris LDAP supports the following values for
credential level :
anonymous
proxy
self


The Solaris LDAP supports the following values for authentication method:
none
simple
sasl/CRAM-MD5
sasl/DIGEST-MD5
sasl/GSSAPI
tls:simple
tls:sasl/CRAM-MD5
tls:sasl/DIGEST-MD5


When the credential level is configured as self, DNS must be configured
and the authentication method must be sasl/GSSAPI. The hosts and ipnodes
in /etc/nsswitch.conf must be configured to use DNS, for example hosts:
dns files and ipnodes: dns files.


sasl/GSSAPI automatically uses GSSAPI confidentiality and integrity
options, if they are configured on the directory server.


The credential level of self enables per-user naming service lookups, or
lookups that use the GSSAPI credentials of the user when connecting to
the directory server. Currently the only GSSAPI mechanism supported in
this model is Kerberos V5. Kerberos must be configured before you can use
this credential level. See kerberos(5) for details.


More protection can be provided by means of access control, allowing the
server to grant access for certain containers or entries. Access control
is specified by Access Control Lists (ACLs) that are defined and stored
in the LDAP server. The Access Control Lists on the LDAP server are
called Access Control Instructions (ACIs) by the SunOne Directory Server.
Each ACL or ACI specifies one or more directory objects, for example, the
cn attribute in a specific container, one or more clients to whom you
grant or deny access, and one or more access rights that determine what
the clients can do to or with the objects. Clients can be users or
applications. Access rights can be specified as read and write, for
example. Refer to the System Administration Guide: Naming and Directory
Services (DNS, NIS, and LDAP) regarding the restrictions on ACLs and ACIs
when using LDAP as a naming repository.


A sample nsswitch.conf(4) file called nsswitch.ldap is provided in the
/etc directory. This is copied to /etc/nsswitch.conf by the
ldapclient(1M) utility. This file uses LDAP as a repository for the
different databases in the nsswitch.conf file.


The following is a list of the user commands related to LDAP:

idsconfig(1M)
Prepares a SunOne Directory Server to be ready to
support Solaris LDAP clients.


ldapaddent(1M)
Creates LDAP entries from corresponding /etc files.


ldapclient(1M)
Initializes LDAP clients, or generates a configuration
profile to be stored in the directory.


ldaplist(1)
Lists the contents of the LDAP naming space.


FILES


/var/ldap/ldap_client_cred
/var/ldap/ldap_client_file
Files that contain the LDAP configuration
of the client. Do not manually modify these
files. Their content is not guaranteed to
be human readable. Use ldapclient(1M) to
update them.


/etc/nsswitch.conf
Configuration file for the name-service
switch.


/etc/nsswitch.ldap
Sample configuration file for the name-
service switch configured with LDAP and
files.


/etc/pam.conf
PAM framework configuration file.


SEE ALSO


ldaplist(1), idsconfig(1M), ldap_cachemgr(1M), ldapaddent(1M),
ldapclient(1M), nsswitch.conf(4), pam.conf(4), kerberos(5),
pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
pam_dhkeys(5), pam_ldap(5), pam_passwd_auth(5), pam_unix_account(5),
pam_unix_auth(5), pam_unix_session(5)


System Administration Guide: Naming and Directory Services (DNS, NIS, and
LDAP)

NOTES


The pam_unix(5) module is no longer supported. Similar functionality is
provided by pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).


March 6, 2017 LDAP(1)