ldap man page on Solaris

Man page or keyword search:  
man Server   20652 pages
apropos Keyword Search (all sections)
Output format
Solaris logo
[printable version]

ldap(1)				 User Commands			       ldap(1)

NAME
       ldap - LDAP as a naming repository

DESCRIPTION
       LDAP  refers  to	 Lightweight  Directory	 Access	 Protocol, which is an
       industry standard for accessing directory servers. By initializing  the
       client using ldapclient(1M) and using the keyword ldap in the name ser‐
       vice switch file, /etc/nsswitch.conf, Solaris clients can obtain naming
       information  from  an LDAP server. Information such as usernames, host‐
       names, and passwords are stored on  the	LDAP  server  in  a  Directory
       Information  Tree or DIT. The DIT consists of entries which in turn are
       composed of attributes. Each attribute has a type and one or more  val‐
       ues.

       Solaris LDAP clients use the LDAP v3 protocol to access naming informa‐
       tion from LDAP servers. The LDAP server must support the object classes
       and  attributes	defined	 in  RFC2307bis (draft), which maps the naming
       service model on to LDAP. As an alternate to using the  schema  defined
       in RFC2307bis (draft), the system can be configured to use other schema
       sets and the schema mapping feature is configured to  map  between  the
       two.  Refer  to	the  System Administration Guide: Naming and Directory
       Services (DNS, NIS, and LDAP) for more details.

       The ldapclient(1M) utility can make a Solaris machine an LDAP client by
       setting up the appropriate directories, files, and configuration infor‐
       mation.	The LDAP client caches this configuration information in local
       cache  files.  This  configuration  information is accessed through the
       ldap_cachemgr(1M) daemon.  This daemon also refreshes  the  information
       in  the configuration files from the LDAP server, providing better per‐
       formance and security. The ldap_cachemgr must run at all times for  the
       proper operation of the naming services.

       There  are  two	types  of  configuration  information, the information
       available through a profile, and the information configured per client.
       The  profile contains all the information as to how the client accesses
       the directory. The credential information for proxy user is  configured
       on a per client basis and is not downloaded through the profile.

       The  profile  contains  server-specific parameters that are required by
       all clients to locate the servers for the  desired  LDAP	 domain.  This
       information  could  be the server's IP address and the search base Dis‐
       tinguished Name (DN), for instance. It is configured on the client from
       the  default  profile  during client initialization and is periodically
       updated by the  ldap_cachemgr  daemon  when  the	 expiration  time  has
       elapsed.

       Client profiles can be stored on the LDAP server and can be used by the
       ldapclient utility to initialize an LDAP client. Using the client  pro‐
       file  is	 the  easiest  way  to	configure  a client machine. See ldap‐
       client(1M).

       Credential information includes	client-specific	 parameters  that  are
       used  by	 a client. This information could be the Bind DN (LDAP "login"
       name) of the client and the password. If these parameters are required,
       they  are  manually  defined  during  the  initialization through ldap‐
       client(1M).

       The naming information is stored in containers on the  LDAP  server.  A
       container  is  a non-leaf entry in the DIT that contains naming service
       information. Containers are similar to maps in NIS and tables in	 NIS+.
       A  default mapping between the NIS databases and the containers in LDAP
       is presented below. The location of these containers as well  as	 their
       names  can  be  overridden through the use of serviceSearchDescriptors.
       For more information, see ldapclient(1M).

       ┌────────────────────┬────────────────────┬───────────────────────────┐
       │     Database	    │	Object Class	 │	   Container	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │passwd		    │posixAccount	 │ ou=people,dc=...	     │
       │		    │shadowAccount	 │			     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │group		    │posixGroup		 │ ou=Group,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │services	    │ipService		 │ ou=Services,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │protocols	    │ipProtocol		 │ ou=Protocols,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │rpc		    │oncRpc		 │ ou=Rpc,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │hosts		    │ipHost		 │ ou=Hosts,dc=...	     │
       │ipnodes		    │ipHost		 │ ou=Hosts,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │ethers		    │ieee802Device	 │ ou=Ethers,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │bootparams	    │bootableDevice	 │ ou=Ethers,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │networks	    │ipNetwork		 │ ou=Networks,dc=...	     │
       │netmasks	    │ipNetwork		 │ ou=Networks,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │netgroup	    │nisNetgroup	 │ ou=Netgroup,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │aliases		    │mailGroup		 │ ou=Aliases,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │publickey	    │nisKeyObject	 │			     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │generic		    │nisObject		 │ nisMapName=...,dc=...     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │printers	    │printerService	 │ ou=Printers,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │auth_attr	    │SolarisAuthAttr	 │ ou=SolarisAuthAttr,dc=... │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │prof_attr	    │SolarisProfAttr	 │ ou=SolarisProfAttr,dc=... │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │exec_attr	    │SolarisExecAttr	 │ ou=SolarisProfAttr,dc=... │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │user_attr	    │SolarisUserAttr	 │ ou=people,dc=...	     │
       ├────────────────────┼────────────────────┼───────────────────────────┤
       │audit_user	    │SolarisAuditUser	 │ ou=people,dc=...	     │
       └────────────────────┴────────────────────┴───────────────────────────┘

       The security model for clients is defined by a combination of the  cre‐
       dential	level  to be used, the authentication method, and the PAM mod‐
       ules to be used. The credential	level  defines	what  credentials  the
       client  should  use  to	authenticate  to the directory server, and the
       authentication method defines the method of choice. Both these  can  be
       set  with multiple values. The Solaris LDAP supports the following val‐
       ues for credential level :
	 anonymous
	 proxy
	 self

       The Solaris LDAP	 supports  the	following  values  for	authentication
       method:
	 none
	 simple
	 sasl/CRAM-MD5
	 sasl/DIGEST-MD5
	 sasl/GSSAPI
	 tls:simple
	 tls:sasl/CRAM-MD5
	 tls:sasl/DIGEST-MD5

       When the credential level is configured as self, DNS must be configured
       and the authentication method must be sasl/GSSAPI. The hosts  and  ipn‐
       odes  in	 /etc/nsswitch.conf must be configured to use DNS, for example
       hosts: dns files and ipnodes: dns files.

       sasl/GSSAPI automatically uses  GSSAPI  confidentiality	and  integrity
       options, if they are configured on the directory server.

       The  credential	level of self enables per-user naming service lookups,
       or lookups that use the GSSAPI credentials of the user when  connecting
       to  the directory server. Currently the only GSSAPI mechanism supported
       in this model is Kerberos V5. Kerberos must be  configured  before  you
       can use this credential level. See kerberos(5) for details.

       More  protection	 can  be provided by means of access control, allowing
       the server to grant access for certain containers  or  entries.	Access
       control	is  specified  by Access Control Lists (ACLs) that are defined
       and stored in the LDAP server. The Access Control  Lists	 on  the  LDAP
       server  are called Access Control Instructions (ACIs) by the the SunOne
       Directory Server. Each ACL or  ACI  specifies  one  or  more  directory
       objects,	 for example, the cn attribute in a specific container, one or
       more clients to whom you grant or deny access, and one or  more	access
       rights  that  determine what the clients can do to or with the objects.
       Clients can be users or applications. Access rights can be specified as
       read  and write, for example. Refer to the System Administration Guide:
       Naming and Directory  Services  (DNS,  NIS,  and	 LDAP)	regarding  the
       restrictions on ACLs and ACIs when using LDAP as a naming repository.

       A  sample nsswitch.conf(4) file called nsswitch.ldap is provided in the
       /etc directory. This is	copied	to  /etc/nsswitch.conf	by  the	 ldap‐
       client(1M) utility. This file uses LDAP as a repository for the differ‐
       ent databases in the nsswitch.conf file.

       The following is a list of the user commands related to LDAP:

       idsconfig(1M)	 Prepares a SunOne Directory Server  to	 be  ready  to
			 support Solaris LDAP clients.

       ldapaddent(1M)	 Creates LDAP entries from corresponding /etc files.

       ldapclient(1M)	 Initializes  LDAP  clients, or generates a configura‐
			 tion profile to be stored in the directory.

       ldaplist(1)	 Lists the contents of the LDAP naming space.

FILES
       /var/ldap/ldap_client_cred    Files that contain the LDAP configuration
       /var/ldap/ldap_client_file    of	 the  client.  Do  not manually modify
				     these files. Their content is not guaran‐
				     teed  to  be  human  readable.  Use ldap‐
				     client(1M) to update them.

       /etc/nsswitch.conf	     Configuration file for  the  name-service
				     switch.

       /etc/nsswitch.ldap	     Sample  configuration  file for the name-
				     service switch configured with  LDAP  and
				     files.

       /etc/pam.conf		     PAM framework configuration file.

SEE ALSO
       ldaplist(1),  idsconfig(1M),  ldap_cachemgr(1M),	 ldapaddent(1M), ldap‐
       client(1M),   nsswitch.conf(4),	  pam.conf(4),	  kerberos(5)pam_auth‐
       tok_check(5),  pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
       pam_ldap(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
       pam_unix_session(5)

       System  Administration  Guide: Naming and Directory Services (DNS, NIS,
       and LDAP)

NOTES
       The pam_unix(5) module is no longer supported. Similar functionality is
       provided	  by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth‐
       tok_store(5), pam_dhkeys(5),  pam_passwd_auth(5),  pam_unix_account(5),
       pam_unix_auth(5), andpam_unix_session(5).

SunOS 5.10			  28 Aug 2006			       ldap(1)
[top]

List of man pages available for Solaris

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net