User Commands ldap(1)
NAME
ldap - LDAP as a naming repository
DESCRIPTION
LDAP refers to Lightweight Directory Access Protocol, which
is an industry standard for accessing directory servers. By
initializing the client using ldapclient(1M) and using the
keyword ldap in the name service switch file,
/etc/nsswitch.conf, Solaris clients can obtain naming
information from an LDAP server. Information such as usernames,
hostnames, and passwords is stored on the LDAP server in a
Directory Information Tree or DIT. The DIT consists of
entries which in turn are composed of attributes. Each
attribute has a type and one or more values.
Solaris LDAP clients use the LDAP v3 protocol to access naming
information from LDAP servers. The LDAP server must support
the object classes and attributes defined in RFC2307bis
(draft), which maps the naming service model onto LDAP. As
an alternate to using the schema defined in RFC2307bis
(draft), the system can be configured to use other schema
sets and the schema mapping feature is configured to map
between the two. Refer to the System Administration Guide:
Naming and Directory Services (DNS, NIS, and LDAP) for more
details.
The ldapclient(1M) utility can make a Solaris machine an
LDAP client by setting up the appropriate directories,
files, and configuration information. The LDAP client caches
this configuration information in local cache files. This
configuration information is accessed through the
ldap_cachemgr(1M) daemon. This daemon also refreshes the
information in the configuration files from the LDAP server,
providing better performance and security. The ldap_cachemgr
must run at all times for the proper operation of the naming
services.
There are two types of configuration information: the
information available through a profile, and the information
configured per client. The profile contains all the
information as to how the client accesses the directory. The
credential information for the proxy user is configured on a
per-client basis and is not downloaded through the profile.
The profile contains server-specific parameters that are
required by all clients to locate the servers for the
desired LDAP domain. This information could be the server's
IP address and the search base Distinguished Name (DN), for
instance. It is configured on the client from the default
profile during client initialization and is periodically
updated by the ldap_cachemgr daemon when the expiration time
has elapsed.
SunOS 5.10 Last change: 7 Jan 2004 1
Client profiles can be stored on the LDAP server and may be
used by the ldapclient utility to initialize an LDAP client.
Using the client profile is the easiest way to configure a
client machine. See ldapclient(1M).
Credential information includes client-specific parameters
that are used by a client. This information could be the
Bind DN (LDAP "login" name) of the client and the password.
If these parameters are required, they are manually defined
during the initialization through ldapclient(1M).
The naming information is stored in containers on the LDAP
server. A container is a non-leaf entry in the DIT that
contains naming service information. Containers are similar to
maps in NIS and tables in NIS+. A default mapping between
the NIS databases and the containers in LDAP is presented
below. The location of these containers as well as their
names can be overridden through the use of
serviceSearchDescriptors. For more information, see ldapclient(1M).
______________________________________________________________________
| Database | Object Class | Container |
|____________________|____________________|___________________________|
| passwd | posixAccount | ou=people,dc=... |
|____________________|____________________|___________________________|
| | shadowAccount | |
|____________________|____________________|___________________________|
| group | posixGroup | ou=Group,dc=... |
|____________________|____________________|___________________________|
| services | ipService | ou=Services,dc=... |
|____________________|____________________|___________________________|
| protocols | ipProtocol | ou=Protocols,dc=... |
|____________________|____________________|___________________________|
| rpc | oncRpc | ou=Rpc,dc=... |
|____________________|____________________|___________________________|
| hosts | ipHost | ou=Hosts,dc=... |
|____________________|____________________|___________________________|
| ipnodes | ipHost | ou=Hosts,dc=... |
|____________________|____________________|___________________________|
| ethers | ieee802Device | ou=Ethers,dc=... |
|____________________|____________________|___________________________|
| bootparams | bootableDevice | ou=Ethers,dc=... |
|____________________|____________________|___________________________|
| networks | ipNetwork | ou=Networks,dc=... |
|____________________|____________________|___________________________|
| netmasks | ipNetwork | ou=Networks,dc=... |
|____________________|____________________|___________________________|
| netgroup | nisNetgroup | ou=Netgroup,dc=... |
|____________________|____________________|___________________________|
| aliases | mailGroup | ou=Aliases,dc=... |
|____________________|____________________|___________________________|
| publickey | nisKeyObject | |
|____________________|____________________|___________________________|
| generic | nisObject | nisMapName=...,dc=... |
|____________________|____________________|___________________________|
| printers | printerService | ou=Printers,dc=... |
|____________________|____________________|___________________________|
| auth_attr | SolarisAuthAttr | ou=SolarisAuthAttr,dc=...|
|____________________|____________________|___________________________|
| prof_attr | SolarisProfAttr | ou=SolarisProfAttr,dc=...|
|____________________|____________________|___________________________|
| exec_attr | SolarisExecAttr | ou=SolarisProfAttr,dc=...|
|____________________|____________________|___________________________|
| user_attr | SolarisUserAttr | ou=people,dc=... |
|____________________|____________________|___________________________|
| audit_user | SolarisAuditUser | ou=people,dc=... |
|____________________|____________________|___________________________|
The security model for clients is defined by a combination
of the credential level to be used, the authentication
method, and the PAM modules to be used. The credential level
defines what credentials the client should use to
authenticate to the directory server, and the authentication
method defines the method of choice. Both can be set to
multiple values. Solaris LDAP supports the following values
for credential level:
anonymous
proxy
Solaris LDAP supports the following values for
authentication method:
none
simple
sasl/CRAM-MD5
sasl/DIGEST-MD5
tls:simple
tls:sasl/CRAM-MD5
tls:sasl/DIGEST-MD5
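The following Python script is an added example, not part of this manual page or of Solaris; it audits the credential level and authentication method values listed above and flags combinations in which the proxy credential (Bind DN and password) crosses the network without transport protection. The parameter names credentialLevel and authenticationMethod are those accepted by ldapclient(1M); taking the values as a Python list rather than parsing the client files is this example's assumption.

```python
# Added example (not from the ldap(1) page or from Solaris): classify the
# credentialLevel / authenticationMethod values documented on this page by
# how the proxy password is exposed, and flag unprotected combinations.
# Assumption: the values arrive as Python strings/lists, not read from the
# ldapclient(1M) files in /var/ldap.

CREDENTIAL_LEVELS = {"anonymous", "proxy"}
AUTH_METHODS = {
    "none", "simple", "sasl/CRAM-MD5", "sasl/DIGEST-MD5",
    "tls:simple", "tls:sasl/CRAM-MD5", "tls:sasl/DIGEST-MD5",
}


def describe(method):
    """Return (transport_protected, how the password travels) for one method."""
    if method not in AUTH_METHODS:
        raise ValueError("unknown authenticationMethod: %r" % method)
    if method == "none":
        return True, "no bind credentials are sent"
    tls = method.startswith("tls:")
    mech = method[len("tls:"):] if tls else method
    if mech == "simple":
        # A simple bind carries the password itself; only TLS hides it.
        return tls, "password sent in the bind request"
    # CRAM-MD5 and DIGEST-MD5 are challenge-response: the password is not
    # transmitted, but the MD5-based exchange is weak without TLS.
    return tls, "MD5 challenge-response, password not transmitted"


def audit(credential_level, auth_methods):
    """Return a list of findings; an empty list means nothing to flag.

    Every listed method is checked because the client may fall back to
    any of them when the preferred one is not available.
    """
    if credential_level not in CREDENTIAL_LEVELS:
        raise ValueError("unknown credentialLevel: %r" % credential_level)
    findings = []
    for method in auth_methods:
        protected, note = describe(method)
        if credential_level == "proxy" and method == "simple":
            findings.append("%s: proxy %s in cleartext" % (method, note))
        elif credential_level == "proxy" and not protected:
            findings.append("%s: %s, but no TLS on the session" % (method, note))
    return findings


if __name__ == "__main__":
    # Constructed sample: a proxy client configured to fall back to cleartext.
    for finding in audit("proxy", ["tls:simple", "simple"]):
        print(finding)
```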
More protection can be provided by means of access control,
allowing the server to grant access for certain containers
or entries. Access control is specified by Access Control
Lists (ACLs) that are defined and stored in the LDAP server.
The Access Control Lists on the LDAP server are called
Access Control Instructions (ACIs) by the SunOne Directory
Server. Each ACL or ACI specifies one or more directory
objects, for example, the cn attribute in a specific
container, one or more clients to whom you grant or deny
access, and one or more access rights that determine what
the clients can do to or with the objects. Clients can be
users or applications. Access rights can be specified as
read and write, for example. Refer to the System
Administration Guide: Naming and Directory Services (DNS, NIS, and
LDAP) regarding the restrictions on ACLs and ACIs when using
LDAP as a naming repository.
A sample nsswitch.conf(4) file called nsswitch.ldap is
provided in the /etc directory. This is copied to
/etc/nsswitch.conf by the ldapclient(1M) utility. This file
uses LDAP as a repository for the different databases in the
nsswitch.conf file.
The following is a list of the user commands related to
LDAP:
idsconfig(1M) Prepares a SunOne Directory Server
to be ready to support Solaris LDAP
clients.
ldapaddent(1M) Creates LDAP entries from
corresponding /etc files.
ldapclient(1M) Initializes LDAP clients, or
generates a configuration profile to be
stored in the directory.
ldaplist(1) Lists the contents of the LDAP
naming space.
FILES
/var/ldap/ldap_client_cred Files that contain the LDAP
/var/ldap/ldap_client_file configuration of the client.
Do not manually modify these
files. Their content is not
guaranteed to be human
readable. Use ldapclient(1M) to
update them.
/etc/nsswitch.conf Configuration file for the
name-service switch.
/etc/nsswitch.ldap Sample configuration file
for the name-service switch
configured with LDAP and
files.
/etc/pam.conf PAM framework configuration
file.
SEE ALSO
ldaplist(1), idsconfig(1M), ldap_cachemgr(1M),
ldapaddent(1M), ldapclient(1M), nsswitch.conf(4),
pam.conf(4), pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_ldap(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
pam_unix_session(5)
System Administration Guide: Naming and Directory Services
(DNS, NIS, and LDAP)
NOTES
The pam_unix(5) module is no longer supported. Similar
functionality is provided by pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
and pam_unix_session(5).
Man(1) output converted with
man2html and wrapped by fishsponge
This page was generated on Wed Sep 12 11:25:00 GMT 2007