User Commands                                             ldap(1)

NAME

ldap - LDAP as a naming repository

DESCRIPTION

LDAP refers to the Lightweight Directory Access Protocol, which is emerging as an industry standard for accessing directory servers. By using the keyword ldap in the name service switch file, /etc/nsswitch.conf, Solaris clients can obtain naming information from an LDAP server. Information such as usernames, hostnames, and passwords is stored on the LDAP server in the form of a tree called the Directory Information Tree (DIT). The DIT consists of entries, which in turn are composed of attributes. Each attribute has a type and one or more values.

Solaris LDAP clients use the LDAP v3 protocol to access naming information from LDAP servers. The LDAP server must support the object classes and attributes defined in RFC 2307bis (draft), which maps the Naming Information Service model onto LDAP. Refer to the Solaris Naming Administration Guide for more details.

The ldapclient(1M) utility can make a Solaris machine an LDAP client by setting up the appropriate directories and configuration information. LDAP clients cache this configuration information in local cache files. The configuration information is accessed through the ldap_cachemgr(1M) daemon. This daemon also refreshes the information in the configuration files from the LDAP server, providing better performance and security.

A client profile is stored on the LDAP server and is used by the ldapclient utility to initialize an LDAP client. Using the client profile is the easiest way to configure a client machine. See ldapclient(1M).

There are two types of configuration information: client and domain.

Domain information contains server-specific parameters that are required by all clients to locate the servers for the desired LDAP domain. This information could be the server's IP address and the search base DN, for instance. It is configured on the client (from the default profile, for example) during client initialization and is periodically updated by the ldap_cachemgr daemon when the expiration time has elapsed.

Client information contains client-specific parameters that are used only by a client. This information could be the Bind DN of the client and the password. These parameters are defined during initialization, either manually through ldapclient(1M) or by having been stored in the client profile on the LDAP server.

Naming information is stored in containers on the LDAP server. A container is a non-leaf entry in the Directory Information Tree (DIT) that contains naming service information. Containers are similar to maps in NIS and tables in NIS+. A mapping between the Network Information Service (NIS) databases and the containers in LDAP is presented below. A blank cell continues the row above it (for example, ipnodes shares the hosts object class and container, and netmasks shares the network ones):

     Database        Object Class        Container
     ------------    ----------------    -----------------------
     passwd          posixAccount        ou=People,dc=...
                     shadowAccount
     group           posixGroup          ou=Group,dc=...
     services        ipService           ou=Services,dc=...
     protocols       ipProtocol          ou=Protocols,dc=...
     rpc             oncRpc              ou=Rpc,dc=...
     hosts           ipHost              ou=Hosts,dc=...
     ipnodes
     ethers          ieee802Device       ou=Ethers,dc=...
     bootparams      bootableDevice      ou=Ethers,dc=...
     network         ipNetwork           ou=Networks,dc=...
     netmasks
     netgroup        nisNetgroup         ou=Netgroup,dc=...
     alias           mailGroup           ou=Aliases,dc=...
     generic         nisObject           nisMapName=...,dc=...

Clients can authenticate to the LDAP server using three types of authentication mechanisms: Anonymous, Simple, and CRAM-MD5. Simple authentication transmits the bind password in the clear, so it should only be used on a trusted network. More protection is provided in the form of access control, allowing the server to grant access to certain containers and/or entries. Access control is specified in the form of access control lists (ACLs). Each ACL specifies one or more directory objects (for example, the cn attribute in a specific container), one or more clients that are granted or denied access, and one or more access rights that determine what the clients can do to or with the objects. Clients can be users or applications. Access rights could be specified as read and write, for example. Refer to the Solaris Naming Administration Guide for some restrictions on ACLs when using ldap as a naming repository.

A new nsswitch.conf(4) file named nsswitch.ldap is available when running the ldapclient utility. This file uses ldap as a repository for the different databases in the nsswitch.conf file.

The following is a list of the user commands related to ldap:

     ldapclient(1M)    Initialize LDAP clients.
     ldaplist(1)       List the contents of the LDAP naming space.
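The following is an added illustration of the DIT-to-database mapping described above, not Solaris code: it parses a small constructed LDIF fragment, uses the object class column of the table to decide which NIS database an entry belongs to, and renders posixAccount and posixGroup entries as the flat passwd and group records they replace. The sample DNs (ou=People and ou=Group under dc=example,dc=com), the user jdoe and the placeholder userPassword value are assumptions made for the example; the point of the passwd renderer is that the password hash stays with the shadowAccount data and never reaches the passwd record.

```python
"""Render RFC 2307-style LDAP entries as the NIS-style records they replace.

Added example for the ldap(1) description; this is not Solaris code and it
never contacts a server. SAMPLE_LDIF is constructed data: the containers
ou=People and ou=Group under dc=example,dc=com are assumed for the example.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]  # attribute type (lowercased) -> one or more values

# Object class -> NIS database, from the mapping table in the man page.
NIS_DATABASE_FOR_CLASS = {
    "posixaccount": "passwd", "shadowaccount": "passwd",
    "posixgroup": "group", "ipservice": "services",
    "ipprotocol": "protocols", "oncrpc": "rpc",
    "iphost": "hosts", "ieee802device": "ethers",
    "bootabledevice": "bootparams", "ipnetwork": "network",
    "nisnetgroup": "netgroup", "mailgroup": "alias",
    "nisobject": "generic",
}

SAMPLE_LDIF = """\
# constructed sample data: one posixAccount/shadowAccount and one posixGroup
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: Jane Doe
uidNumber: 1001
gidNumber: 100
homeDirectory: /export/home/jdoe
loginShell: /bin/ksh
userPassword: {crypt}placeholder-not-a-real-hash

dn: cn=staff,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 100
memberUid: jdoe
memberUid: rroe
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse minimal LDIF: blank-line separated blocks of 'type: value' lines.

    A repeated type accumulates values, so every attribute is a list (the
    'one or more values' of the description). Names are lowercased because
    LDAP attribute types are case-insensitive. Folded lines and base64 ('::')
    values are out of scope for this toy parser.
    """
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def one(entry: Entry, attr: str, default: str = "") -> str:
    """First value of a (case-insensitive) attribute, or default when absent."""
    values = entry.get(attr.lower(), [])
    return values[0] if values else default


def nis_database(entry: Entry) -> Optional[str]:
    """Which NIS database an entry belongs to, judged by its object classes."""
    for oc in entry.get("objectclass", []):
        db = NIS_DATABASE_FOR_CLASS.get(oc.lower())
        if db:
            return db
    return None


def passwd_line(entry: Entry) -> str:
    """posixAccount -> 'name:x:uid:gid:gecos:home:shell'.

    The password field is always 'x': the hash lives in userPassword and
    belongs with the shadowAccount data, not in the public passwd record.
    """
    if nis_database(entry) != "passwd":
        raise ValueError("not a posixAccount/shadowAccount entry")
    for required in ("uid", "uidNumber", "gidNumber", "homeDirectory"):
        if required.lower() not in entry:
            raise ValueError(f"posixAccount entry missing {required}")
    return ":".join([
        one(entry, "uid"), "x", one(entry, "uidNumber"), one(entry, "gidNumber"),
        one(entry, "gecos", one(entry, "cn")), one(entry, "homeDirectory"),
        one(entry, "loginShell", "/bin/sh"),
    ])


def group_line(entry: Entry) -> str:
    """posixGroup -> 'name:*:gid:member,member'; memberUid is multi-valued."""
    if nis_database(entry) != "group":
        raise ValueError("not a posixGroup entry")
    return ":".join([one(entry, "cn"), "*", one(entry, "gidNumber"),
                     ",".join(entry.get("memberuid", []))])


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        db = nis_database(e)
        print(db, passwd_line(e) if db == "passwd" else group_line(e))
```

Running the module prints one passwd-style and one group-style record; an entry whose object classes appear nowhere in the table (an organizationalUnit container, for instance) maps to no database and is rejected by both renderers.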

FILES

/var/ldap/ldap_client_cache
     Contains a list of servers, their transport addresses, and the security method used to access them.

/var/ldap/ldap_client_cred
     Contains the Bind Distinguished Name and the encrypted password. This file is normally only readable by root (uid 0) and is only modified and read by ldap_cachemgr(1M).

/etc/nsswitch.conf
     Configuration file for the name-service switch.

/etc/nsswitch.ldap
     Configuration file for the name-service switch configured with ldap.

SEE ALSO

ldaplist(1), ldap_cachemgr(1M), ldapclient(1M), nsswitch.conf(4), pam.conf(4), pam_ldap(5)

Solaris Naming Administration Guide

Solaris Naming Setup and Configuration Guide

SunOS 5.8                 Last change: 13 Oct 1999