Installing and configuring iPlanet Directory Server for Solaris9

 

(iPlanet Directory Server is now called SUN ONE Directory Server or Java System Directory Server)

 

(SimpleBind + SSL/TLS/start_tls + without-SASL + automount + netgroup + sudo + apache)

(See also related documents at http://web.singnet.com.sg/~garyttt/)

 

Last Updated: 6-Dec-2007

 

Purpose:

 

This document describes the steps involved in installing and configuring a SUN ONE (iPlanet) Directory Server (DS5.2 or iDS 5.2) with SSL/TLS support on Solaris8/9. The server is to be accessed by RedHat Linux or Solaris8/9 LDAP Clients. Many useful productivity UNIX Shell scripts are also provided in this document.

 

To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use the LDAP "uid" and "userPassword" attributes for UNIX account id and password lookup, you must also complete the setup documented in "Installing and configuring OpenSSH with pam_ldap for Solaris9" and/or "Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3".

 

Another related document "Deploying SUN Solaris Native LDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of Native LDAP Client.

 

Download URL:

http://www.sun.com/software/products/directory_srvr_ee/get.jsp

 

Public Mail Lists/Forums:

http://lists.fini.net/mailman/listinfo/ldap-interop

http://forum.java.sun.com/forum.jspa?forumID=761

http://www.ldapguru.com

http://www.dbforums.com (comp.unix.solaris)

http://bbs.chinaunix.net/ (Chinese web site)

 

Useful URLs:

·         SUN Blogs http://blogs.sun.com,

Search for “ldap” or “ldapclient” or “ldap ssl” or “ldap tls” or “ldap nis” depending on your need.

·         Raja’s SUN Native LDAP Product Support Document

http://blogs.sun.com/roller/resources/raja/ldap-psd.html

·         SUN Blue Print: Tom Bialaski and Michael Haines’s “LDAP in the Solaris Operating Environment”

http://www.sun.com/books/catalog/haines_bialaski_ldap.xml (not downloadable, got to buy it)

·         SUN Blue Print: Michael Haines’s  “Understanding NIS to LDAP Service (N2L) Architecture”

http://www.sun.com/blueprints/0306/819-4326.pdf

·         A twisted world - Rohan Pinto’s Weblog :: NIS to LDAP migration guide

http://blogs.sun.com/rohanpinto/entry/nis_to_ldap_migration_guide

·         SUN ONE Directory Server 5.2 Installation and Tuning Guide:

http://docs.sun.com/source/816-6697-10/contents.html

·         SUN Solaris9's “System Administration Guide: Naming and Directory Services - May 2002”:

http://docs.sun.com/app/docs/doc/816-4856

·         SUN Solaris10's “System Administration Guide: Naming and Directory Services”:

http://docs.sun.com/app/docs/doc/816-4556

·         SUN ONE Directory Server 5.2 documentations:

http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52

·         SUN Java System/Directory Server 5 / 2005Q1 documentations:

http://docs.sun.com/app/docs/coll/DirectoryServer_05q1

·         SUN Java System/Directory Server 5 / 2005Q4 documentations:

http://docs.sun.com/app/docs/coll/1316.1

·         John Berger’s Beginner’s Guide to SunONE DS

      http://www.thebergerbits.com/Beginners_Guide_to_SunONE_DS.pdf

·         SUN ONE Directory Server 5.2 release notes:

      http://docs.sun.com/source/816-6703-10/index.html

·         SUN Java System Directory Server 5.2 / 2005Q1 release notes:

      http://docs.sun.com/source/817-7611/index.html

·         SUN Java System/Directory Server 5.2 / 2005Q4 release notes

      http://docs.sun.com/source/819-2405/index.html

·         SUN Java System/Directory Server 5.2 / 2005Q1 release notes for Compressed Archive

      http://docs.sun.com/source/819-1815/index.html

·         SUN Java System/Directory Server 5.2 / 2005Q4 release notes for Patchzip

      http://docs.sun.com/source/819-4290/index.html

·         SUN Java System/Directory Server 5.2 Log File Access Log Content:

      http://docs.sun.com/source/817-7616/fileref.html#wp20452

·         OpenSSH LDAP Public Key Patch

http://www.opendarwin.org/projects/openssh-lpk/

·         LDAP Error and Status Codes

http://www.directory-info.com/LDAP/LDAPErrorCodes.html

·         BIND9.NET LDAP Page

http://www.bind9.net/ldap

·         SUN ONE Directory Server Error Code Reference:

http://docs.sun.com/source/816-6699-10/ax_errcd.html

·         Automating LDAP Client Installation (JumpStart)

      http://www.sun.com/blueprints/0701/LDAPinstall.pdf

·         LDAP Client Login Authentication

      http://yolinux.com/TUTORIALS/LDAP_Authentication.html

·         Integrating AIX into Heterogeneous LDAP Environments

      http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf

·         Integrating  UNIX/Linux LDAP Clients into Active Directory – ad4unix

      http://sourceforge.net/projects/ad4unix/

·         Integrating  Windows Clients into UNIX/Linux LDAP Server - pGina

      http://sourceforge.net/projects/pgina/

·         SUN Directory Server Resource Kit

http://www.sun.com/software/products/directory_srvr_ee/get.jsp

 

Freeware tools used:

·         OpenSSL 0.9.7e or later – http://www.openssl.org

·         LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/

·         BIND9.NET LDAP Tools: http://www.bind9.net/ldap-tools

·         JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/  (can do SSL connection)

·         Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html

·         Novell LDAP CoolTools: http://www.novell.com/coolsolutions/tools/bycategory/168.html

·         LDAP Account Manager: http://lam.sf.net

·         Softerra LDAP Administrator: http://www.ldapadministrator.com/

·         SUN Directory Editor: http://www.sun.com/software/products/directory_srvr_ee/get.jsp

 

Example used:

 

·         MASTER LDAP Server: ldap1.example.com, 192.168.1.168

·         SLAVE LDAP Server: ldap2.example.com, 192.168.1.178

·         RedHat EL3 LDAP Client: client1.example.com, 192.168.1.188

·         Solaris8 LDAP Client: client2.example.com, 192.168.1.198

·         Solaris9 LDAP Client: client3.example.com, 192.168.1.208

 

It is highly recommended that OS level Security Hardening be applied to all LDAP Servers.

 

Preparation Steps:

 

These steps are for BOTH the LDAP Server(s) and the Clients.

 

Please ensure that IP addresses of LDAP Server(s) are defined in DNS and/or /etc/hosts

 

It is important that the Fully Qualified Domain Name (eg: ldap1.example.com) be listed as the first entry right after the IP address, as shown below:

192.168.1.168             ldap1.example.com    ldap1

 

Please ensure that the LDAP domain example.com is defined in /etc/resolv.conf. On Solaris LDAP clients and servers, /etc/defaultdomain should also contain "example.com" as the LDAP domain.

 

If this is an upgrade of an old iDS 5.0 or 5.1 Server to the latest 5.2, it is always wise to back up all *.db TLS security files in $IDS5_PATH/alias before proceeding.

 

The procedures in this document are also applicable to Solaris8 provided that patch 108993 has been applied; note that Solaris8 has a different syntax for the “ldapclient” command. For Solaris9, LDAP library patch 112960 is highly recommended. See also the following URL if you are using SJES/DS5.2.

 

http://docs.sun.com/source/817-7611/index.html#wp33336

 

Please refer to Appendix for a useful script to check patches.

 

The procedures are also applicable to Solaris10, where there is a specific step for the “crle” command; you may like to refer to this URL:

http://www.sunmanagers.org/pipermail/summaries/2005-August/006688.html

 

For Solaris10 LDAP Clients, note that the entry “ipnodes: files ldap” in /etc/nsswitch.conf should be replaced with just “ipnodes: files”, or else ldapclient initialization will hang.
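The three preparation requirements above (FQDN first in /etc/hosts, the LDAP domain in /etc/defaultdomain, and "ipnodes: files" on Solaris10 clients) can be checked before touching the server. The following Bourne shell functions are an added example and not part of the original document; the file paths default to the live system files but are taken as parameters so the checks can be run against copies, and the sample files mentioned in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original document: pre-flight checks for the
# Preparation Steps. Each function returns 0 on success and 1 with a reason
# on stderr.

# check_hosts_fqdn_first IP FQDN [HOSTSFILE]
# The hosts entry for IP must list the FQDN as the first name after the
# address, e.g. "192.168.1.168   ldap1.example.com   ldap1".
check_hosts_fqdn_first() {
    ip="$1"; fqdn="$2"; hosts="${3:-/etc/hosts}"
    # Drop comments, take the first line whose address field matches IP,
    # and print the first name on that line.
    first=$(sed 's/#.*//' "$hosts" | awk -v ip="$ip" '$1 == ip { print $2; exit }')
    if [ -z "$first" ]; then
        echo "$hosts: no entry for $ip" >&2
        return 1
    fi
    if [ "$first" != "$fqdn" ]; then
        echo "$hosts: $ip lists '$first' first, expected '$fqdn'" >&2
        return 1
    fi
    return 0
}

# check_defaultdomain DOMAIN [FILE]
# On Solaris, /etc/defaultdomain must contain exactly the LDAP domain.
check_defaultdomain() {
    domain="$1"; file="${2:-/etc/defaultdomain}"
    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi
    got=$(sed -n 1p "$file" | tr -d ' \t\r')
    if [ "$got" != "$domain" ]; then
        echo "$file: contains '$got', expected '$domain'" >&2
        return 1
    fi
    return 0
}

# check_ipnodes_files_only [NSSWITCH]
# On Solaris10 clients "ipnodes: files ldap" makes ldapclient init hang;
# the line must read "ipnodes: files" and nothing else.
check_ipnodes_files_only() {
    nss="${1:-/etc/nsswitch.conf}"
    sources=$(sed 's/#.*//' "$nss" | awk '$1 == "ipnodes:" { $1 = ""; print; exit }')
    # Word-split the source list so the count and the single value are checked.
    set -- $sources
    if [ "$#" -ne 1 ] || [ "$1" != "files" ]; then
        echo "$nss: ipnodes sources are '$sources', expected 'files'" >&2
        return 1
    fi
    return 0
}

# Run all three against the live system for the master server of the example.
run_preflight() {
    rc=0
    check_hosts_fqdn_first 192.168.1.168 ldap1.example.com || rc=1
    check_defaultdomain example.com || rc=1
    check_ipnodes_files_only || rc=1
    return $rc
}
```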

 

Step 1: Install SUN ONE Directory Server 5.2 Patch_4

 

This step is for LDAP Server(s) only.

 

Log in as root.

 

# cd /var/tmp

# tar xvf ds.5.2.P4.Solaris.SPARC.full.tar

 

IMPORTANT NOTE: If you have a previous version of iDS5 (5.0/5.1) installed, please shut down its slapd process, uninstall its software components, and remove any references to 5.0/5.1 (eg: /usr/iplanet/ds5/lib) from LD_LIBRARY_PATH in /etc/profile and/or the current login shells, as well as disable the iDS5.0/5.1 startup script (cd /etc/rc2.d; mv S72directory s72directory; ./s72directory stop), before proceeding to run "setup".

 

# ./setup

or

# ./setup -nodisplay

 

Accepting the default value at each prompt is usually good enough for a test LDAP Server.

 

For SJES/DS5.2:

 

# jar xvf  java_es_05Q1_directory-ga-solaris-sparc.zip
# cd java_es_05Q1_directory
# chmod -R a+x *

# cd Solaris_sparc
# ./installer

or

# ./installer -nodisplay

 

Accepting the default value at each and every prompt is usually good enough for a test LDAP Server.

 

Note 1: if you encounter an error after running “installer” and wish to re-run “setup”, simply perform the following “uninstall” actions (applicable to SJES/DS5.2):

In CDE X-Windows terminal, run “prodreg” to uninstall components.

# prodreg
If “prodreg” does not work, manual “clean-up” may be performed:

# rm -f /var/sadm/install/productregistry

# rm -f /var/sadm/install/logs/*_install*

# cd /var/sadm/pkg

# rm -rf SUNWdsv* SUNWasv* SUNWcomds

Then unset the “installed?” flag(s) in /etc/ds/versions:

#version|command path|installed?|default?

5.1|//usr/iplanet/ds5/sbin/directoryserver|YES|NO

5.2|//usr/ds/v5.2/sbin/directoryserver|NO|YES

 

Note 2: if some of the scripts extracted out from the tar file do not have execution permissions, perform the following action prior to running setup.

# chmod -R a+x *

Now start admin server and slapd if they are not started.

# ps -ef | egrep "admin-serv|slapd"

# /var/Sun/mps/start-admin

# /var/Sun/mps/slapd-`hostname`/start-slapd

 

Please note that the Solaris SPARC version of SJES/DS5.2 is already at Patch_4 level. This can be confirmed by looking at /var/Sun/mps/slapd-`hostname`/errors while restarting ns-slapd: there will be a banner saying it is Patch_4. If it is not at Patch_4, it is advisable to download and apply 117665-03.

 

Note: the latest patches for the various OS platforms are listed below; -01 is Patch_2, -02 is Patch_3 and -03 is the current latest Patch_4.

 

117665-03: for Solaris8/9 SPARC
117666-03: for Solaris8/9 x86
117667-03: for Windows
117668-03: for Linux
117669-03: for HP-UX
117670-03: For AIX

 

Now run "idsconfig"; note that this command is NOT in $PATH.

 

NOTE: if SJES/DS5.2 is used and the LDAP domain you are trying to set up is NOT “dc=example,dc=com”, the following hack to “idsconfig” is required to work around a blocking issue: “ERROR: Can not determine the top of tree”.

 

# cd /usr/lib/ldap
# mv idsconfig idsconfig.orig
# cp idsconfig.orig idsconfig
# vi idsconfig

Replace line:
grep -i -v NetscapeRoot > ${TMPDIR}/treeTOP
with:
grep -i -v NetscapeRoot | grep -i -v dc=example > ${TMPDIR}/treeTOP

 

Note: in some later versions of “idsconfig”, you will see “{GREP}” in place of “grep”.

 

Otherwise, please proceed.

 

# /usr/lib/ldap/idsconfig

 

It is strongly recommended that you BACKUP the directory server

before running idsconfig.

 

Hit Ctrl-C at any time before the final confirmation to exit.

 

Do you wish to continue with server setup (y/n/h)? [n] y

Enter the iPlanet Directory Server's (iDS) hostname to setup: ldap1

Enter the port number for iDS (h=help): [389]

Enter the directory manager DN: [cn=Directory Manager]

Enter passwd for cn=Directory Manager :

Enter the domainname to be served (h=help): [example.com]

Enter LDAP Base DN (h=help): [dc=example,dc=com]

Enter the profile name (h=help): [default]

Default server list (h=help): [192.168.1.168] ldap1.example.com ldap2.example.com

Preferred server list (h=help):

Choose desired search scope (one, sub, h=help):  [one]

The following are the supported credential levels:

  1  anonymous

  2  proxy

  3  proxy anonymous

Choose Credential level [h=help]: [1] 2

The following are the supported Authentication Methods:

  1  none

  2  simple

  3  sasl/DIGEST-MD5

  4  tls:simple

  5  tls:sasl/DIGEST-MD5

Choose Authentication Method (h=help): [1] 2

 

Current authenticationMethod: simple

 

Do you want to add another Authentication Method? n

 

Do you want the clients to follow referrals (y/n/h)? [n]

Do you want to modify the server timelimit value (y/n/h)? [n]

Do you want to modify the server sizelimit value (y/n/h)? [n]

Do you want to store passwords in "crypt" format (y/n/h)? [n] y

Do you want to setup a Service Authentication Methods (y/n/h)? [n]

Client search time limit in seconds (h=help): [30]

Profile Time To Live in seconds (h=help): [43200]

Bind time limit in seconds (h=help): [10]

Do you wish to setup Service Search Descriptors (y/n/h)? [n] y

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] A

Enter the service id: passwd

Enter the base: ou=People,dc=example,dc=com

Enter the scope: one

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] A

Enter the service id: group

Enter the base: ou=group,dc=example,dc=com

Enter the scope: one

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] A

Enter the service id: shadow

Enter the base: ou=People,dc=example,dc=com

Enter the scope: one

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] A

Enter the service id: netgroup

Enter the base: ou=netgroup,dc=example,dc=com

Enter the scope: one

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit]

 

              Summary of Configuration

 

  1  Domain to serve               : example.com

  2  Base DN to setup              : dc=example,dc=com

  3  Profile name to create        : default

  4  Default Server List           : ldap1.example.com ldap2.example.com

  5  Preferred Server List         :

  6  Default Search Scope          : one

  7  Credential Level              : proxy

  8  Authentication Method         : simple

  9  Enable Follow Referrals       : FALSE

 10  iDS Time Limit                :

 11  iDS Size Limit                :

 12  Enable crypt password storage : TRUE

 13  Service Auth Method pam_ldap  :

 14  Service Auth Method keyserv   :

 15  Service Auth Method passwd-cmd:

 16  Search Time Limit             : 30

 17  Profile Time to Live          : 43200

 18  Bind Limit                    : 10

 19  Service Search Descriptors Menu

 

Enter config value to change: (1-19 0=commit changes) [0] 19

Do you wish to setup Service Search Descriptors (y/n/h)? [n] y

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit] P

 

Current Service Search Descriptors:

==================================

passwd:ou=People,dc=example,dc=com?one

group:ou=group,dc=example,dc=com?one

shadow:ou=People,dc=example,dc=com?one

netgroup:ou=netgroup,dc=example,dc=com?one

 

Hit return to continue.

 

  A  Add a Service Search Descriptor

  D  Delete a SSD

  M  Modify a SSD

  P  Display all SSD's

  H  Help

  X  Clear all SSD's

 

  Q  Exit menu

Enter menu choice: [Quit]

              Summary of Configuration

 

  1  Domain to serve               : example.com

  2  Base DN to setup              : dc=example,dc=com

  3  Profile name to create        : default

  4  Default Server List           : ldap1.example.com ldap2.example.com

  5  Preferred Server List         :

  6  Default Search Scope          : one

  7  Credential Level              : proxy

  8  Authentication Method         : simple

  9  Enable Follow Referrals       : FALSE

 10  iDS Time Limit                :

 11  iDS Size Limit                :

 12  Enable crypt password storage : TRUE

 13  Service Auth Method pam_ldap  :

 14  Service Auth Method keyserv   :

 15  Service Auth Method passwd-cmd:

 16  Search Time Limit             : 30

 17  Profile Time to Live          : 43200

 18  Bind Limit                    : 10

 19  Service Search Descriptors Menu

 

Enter config value to change: (1-19 0=commit changes) [0]

Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=com]

Enter passwd for proxyagent: password

Re-enter passwd: password

 

WARNING: About to start committing changes. (y=continue, n=EXIT) y

 

  1. Changed passwordstoragescheme to "crypt" in cn=config.

  2. Schema attributes have been updated.

  3. Schema objectclass definitions have been added.

  4. NisDomainObject added to dc=example,dc=com.

  5. Top level "ou" containers complete.

  6. automount maps: auto_home auto_direct auto_master auto_shared processed.

  7. ACI for dc=example,dc=com modified to disable self modify.

  8. Add of VLV Access Control Information (ACI).

  9. Proxy Agent cn=proxyagent,ou=profile,dc=example,dc=com added.

  10. Give cn=proxyagent,ou=profile,dc=example,dc=com read permission for password.

  11. Generated client profile and loaded on server.

  12. Processing eq,pres indexes:

      ipHostNumber (eq,pres)   Finished indexing.

      uidNumber (eq,pres)   Finished indexing.

      ipNetworkNumber (eq,pres)   Finished indexing.

      gidnumber (eq,pres)   Finished indexing.

      oncrpcnumber (eq,pres)   Finished indexing.

      automountKey (eq,pres)   Finished indexing.

  13. Processing eq,pres,sub indexes:

      membernisnetgroup (eq,pres,sub)   Finished indexing.

      nisnetgrouptriple (eq,pres,sub)   Finished indexing.

  14. Processing VLV indexes:

      example.com.getgrent vlv_index   Entry created

      example.com.gethostent vlv_index   Entry created

      example.com.getnetent vlv_index   Entry created

      example.com.getpwent vlv_index   Entry created

      example.com.getrpcent vlv_index   Entry created

      example.com.getspent vlv_index   Entry created

 

idsconfig: Setup of iDS server ldap1 is complete.

 

 

Note: idsconfig has created entries for VLV indexes.  Use the

      directoryserver(1m) script on ldap1 to stop

      the server and then enter the following vlvindex

      sub-commands to create the actual VLV indexes:

 

  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getgrent

  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.gethostent

  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getnetent

  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getpwent

  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getrpcent

  directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getspent

 

IMPORTANT NOTE: DO NOT USE "directoryserver -s <server-instance> vlvindex ..." to create the vlvindex, as /usr/sbin/directoryserver may be pointing to the OLD Solaris built-in iDS 5.0 or 5.1 executable; use the following short script instead.

 

# cat ids52_vlvindex.sh
/var/Sun/mps/slapd-ldap1/stop-slapd
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getgrent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.gethostent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getnetent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getpwent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getrpcent
/var/Sun/mps/slapd-ldap1/vlvindex -n userRoot -T example.com.getspent
/var/Sun/mps/slapd-ldap1/start-slapd

 

# ./ids52_vlvindex.sh
[24/Feb/2005:00:00:09 -0500] - userRoot: Indexing VLV: example.com.getgrent
[24/Feb/2005:00:00:09 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexing VLV: example.com.gethostent
[24/Feb/2005:00:00:12 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:12 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexing VLV: example.com.getnetent
[24/Feb/2005:00:00:14 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:14 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:17 -0500] - userRoot: Indexing VLV: example.com.getpwent
[24/Feb/2005:00:00:17 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexing VLV: example.com.getrpcent
[24/Feb/2005:00:00:19 -0500] - userRoot: Indexed search unsuccessful, will perform unindexed search instead.
[24/Feb/2005:00:00:19 -0500] - userRoot: Finished indexing.
[24/Feb/2005:00:00:21 -0500] - userRoot: Indexing VLV: example.com.getspent
[24/Feb/2005:00:00:21 -0500] - userRoot: Finished indexing.

 

Note 1: you may also use the SUN ONE Console “Create Browsing Index” function (right-click the object) to do the same as the above.

 

Note 2: initially, when there is no data under ou=People and ou=group, the vlv index creation will fail; this is normal.

 

Congratulations!!! You have just successfully completed the installation of SUN ONE Directory Server.

 

Step 2: Create SSL Certificate(s)

 

This step is for BOTH LDAP Server(s) and Clients which require SSL/TLS support for LDAP connections.

 

IMPORTANT NOTE 2: For Solaris8, Patch 112438 is required if /dev/random instead of prngd is used to support OpenSSL.

 

 

Prepare the following short script "cr_ssl_certs_ids5ldap.sh" with the content shown below; please customize the details of the Certificate.

 

IMPORTANT NOTE: Please note that the self-signed server certificate created here is PURELY for TESTING and DEMONSTRATION PURPOSES ONLY. In a production environment, please create a Certificate Signing Request (CSR) using the iPlanet Administration Console and have a trusted commercial vendor like Verisign sign the certificate request (for a service fee). The signed certificate can then be merged into the current server using the iPlanet Administration Console. SUN ONE DS5.2 (iDS 5.2) already comes with a built-in list of popular Certificate Authority certificates, including Verisign.

 

Tips: if you are interested in a ONE-BUTTON productivity script that creates SSL Certificates for both slapd and admin-serv, please consult “Configuring Solaris Native LDAP Client for Fedora Directory Server” on my Home Page for a script called “cr_ssl_certs.sh”; this script works for BOTH SUN ONE Directory Server and Fedora Directory Server.

 

#! /bin/sh
#
# cr_ssl_certs_ids5ldap.sh
#
# Gary Tay, 07-Jan-2005, written
#
# Ref. URL is http://docs.sun.com/source/816-5542-10/certutil.htm#13305
#
# Customize location of iDS5
IDS5_PATH=/var/Sun/mps; export IDS5_PATH
# Customize the following
PATH=$PATH:$IDS5_PATH/shared/bin; export PATH
LD_LIBRARY_PATH=/var/Sun/mps/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
DOW=`date | cut -d' ' -f1`
HOST=`hostname`
DOMAIN=`domainname`
FQDN="$HOST.$DOMAIN"
ORG="Example Companies"
LOCALITY="NewYork City"
STATE="NewYork"
COUNTRY="US"
cd $IDS5_PATH/alias
# Back up the existing key/cert databases before they are replaced
echo "Backing up $IDS5_PATH/alias/*.db to $IDS5_PATH/alias/backup_$DOW..."
mkdir -p $IDS5_PATH/alias/backup_$DOW >/dev/null 2>/dev/null
cp $IDS5_PATH/alias/*.db $IDS5_PATH/alias/backup_$DOW
rm -f $IDS5_PATH/alias/slapd-$HOST-*.db
# Please read "certutil" help information
# http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
echo "Creating Key and Certificate databases..."
certutil -N -d $IDS5_PATH/alias -P "slapd-$HOST-"
# -S = Standalone certificate, -s = Subject
# -t = trust attributes, -x = self-signed, -v 12 = valid for 12 months
# -P = Prefixed with string, -5 = prompt for type of certificate
echo "Creating a self-signed Server Certificate..."
certutil -S -d $IDS5_PATH/alias -n "$FQDN" -s "CN=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -t "CTPu,CTPu,CTPu" -x -v 12 -P "slapd-$HOST-" -5
echo "Listing the certificate..."
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-"
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN
echo "Verifying the certificate..."
certutil -V -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN -u V -e -l

 

Run this script:

 

# ./cr_ssl_certs_ids5ldap.sh

Backing up /var/Sun/mps/alias/*.db to /var/Sun/mps/alias/backup_Thu...

Creating Key and Certificate databases...

In order to finish creating your database, you

must enter a password which will be used to

encrypt this key and any future keys.

 

The password must be at least 8 characters long,

and must contain at least one non-alphabetic character.

 

Enter new password: secret

Re-enter password: secret

Creating a self-signed Server Certificate...

 

A random seed must be generated that will be used in the

creation of your key.  One of the easiest ways to create a

random seed is to use the timing of keystrokes on a keyboard.

 

To begin, type keys on the keyboard until this progress meter

is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

 

 

Continue typing until the progress meter is full:

 

|************************************************************|

 

Finished.  Press enter to continue:

Enter Password or Pin for "NSS Certificate DB": secret

 

 

Generating key.  This may take a few moments...

 

                          0 - SSL Client

                          1 - SSL Server

                          2 - S/MIME

                          3 - Object Signing

                          4 - Reserved for futuer use

                          5 - SSL CA

                          6 - S/MIME CA

                          7 - Object Signing CA

                          Other to finish

1

                          0 - SSL Client

                          1 - SSL Server

                          2 - S/MIME

                          3 - Object Signing

                          4 - Reserved for futuer use

                          5 - SSL CA

                          6 - S/MIME CA

                          7 - Object Signing CA

                          Other to finish

9

Is this a critical extension [y/n]?

y

Listing the certificate...

 

Certificate Name                                             Trust Attributes

 

ldap1.example.com                                    CTPu,CTPu,CTPu

 

p    Valid peer

P    Trusted peer (implies p)

c    Valid CA

T    Trusted CA to issue client certs (implies c)

C    Trusted CA to certs(only server certs for ssl) (implies c)

u    User cert

w    Send warning

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            00:cb:4f:a8:2b

        Signature Algorithm: PKCS #1 MD5 With RSA Encryption

        Issuer: CN=ldap1.example.com, O=Example Companies, L=NewYork City, ST=NewYork, C=US

        Validity:

            Not Before: Thu Feb 24 06:19:43 2005

            Not After: Wed May 24 06:19:43 2006

        Subject: CN=ldap1.example.com, O=Example Companies, L=NewYork City, ST=NewYork, C=US

        Subject Public Key Info:

            Public Key Algorithm: PKCS #1 RSA Encryption

            RSA Public Key:

                Modulus:


                Exponent: 65537 (0x10001)

        Signed Extensions:

            Name:

                Certificate Type

            Critical:

                True

            Data: <SSL Server>

 

    Fingerprint (MD5):

        D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E

    Fingerprint (SHA1):

        DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09

 

    Signature Algorithm: PKCS #1 MD5 With RSA Encryption

    Signature:


    Certificate Trust Flags:

        SSL Flags:

            Valid Peer

            Trusted

            Valid CA

            Trusted CA

            User

            Trusted Client CA

        Email Flags:

            Valid Peer

            Trusted

            Valid CA

            Trusted CA

            User

            Trusted Client CA

        Object Signing Flags:

            Valid Peer

            Trusted

            Valid CA

            Trusted CA

            User

            Trusted Client CA

 

Verifying the certificate...

Enter Password or Pin for "NSS Certificate DB": secret

certutil: certificate is valid

 

The above run will create slapd-ldap1-key3.db and slapd-ldap1-cert7.db in the $IDS5_PATH/alias directory.

 

Now we have to configure iDS 5.2 to use SSL encryption.

 

Start the iPlanet Administration Server if it is not started.

 

# /var/Sun/mps/start-admin

 

Run the local iPlanet Administration Console (/var/Sun/mps/startconsole) or run the Windows based "SUN ONE Server Console".

 

# /var/Sun/mps/startconsole

 

Login as cn=Directory Manager

 

Go to the Directory Server Tasks/Manage Certificates tab and notice that there is a certificate called "ldap1.example.com", issued to "ldap1.example.com" by itself ("ldap1.example.com"), valid for use as an SSL Server Certificate for 12+3=15 months.

 

Go to the Directory Server Configuration/Encryption tab, check "Enable SSL for this server" and also "Use this cipher family: RSA", and ensure that the "Certificate" field references the certificate we have created in slapd-ldap1-cert7.db, i.e. the one called ldap1.example.com.

 

Click Save

 

Go to the Directory Server Configuration/Network tab and ensure that the LDAP server is set to listen on "Both secure and non-secure ports", i.e. port 389 as well as 636.

 

Go to Directory Server Tasks and stop the LDAP Server; when you try to restart it, you will notice that it now needs a password file.

 

You can EITHER start it from the command line OR create this password file for the slapd-ldap1-key3.db we have created; it MUST be in this format: $IDS5_PATH/alias/slapd-ldap1-pin.txt

 

# echo "Internal (Software) Token:secret" >/var/Sun/mps/alias/slapd-ldap1-pin.txt

 

IMPORTANT NOTE: DO NOT LEAVE ANY SPACES after "Token:" or at the end of the line, or else the password will not be recognized by "start-slapd".

 

# chmod 400 /var/Sun/mps/alias/slapd-ldap1-pin.txt

 

If ns-slapd runs as a non-root user, for example “nobody”, “ns-slapd” or “ldap”, make sure the pin file is readable by the slapd owner.

 

# chown <ns-slapd-owner> /var/Sun/mps/alias/slapd-ldap1-pin.txt
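The pin file mistakes described above (a blank after "Token:", trailing whitespace, a second line, or a file readable by group/other) can be caught before restarting slapd. The following Bourne shell writer and checker is an added example, not part of the original document; the file path and password are parameters, the "Internal (Software) Token:" prefix is the one required above, and the sample files used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original document: create and validate the
# slapd PIN file read by start-slapd. The only accepted content is one line
# "Internal (Software) Token:<password>" with no surrounding whitespace, and
# the file must not be readable by group or other.

TOKEN_PREFIX="Internal (Software) Token:"

# write_slapd_pin FILE PASSWORD
# Writes the PIN file in the exact format, with mode 400.
write_slapd_pin() {
    pin="$1"; pw="$2"
    # umask in a subshell so the file is never group/other readable, not
    # even for an instant before the chmod.
    ( umask 077; printf '%s%s\n' "$TOKEN_PREFIX" "$pw" > "$pin" )
    chmod 400 "$pin"
}

# check_slapd_pin FILE
# Returns 0 if FILE is a well-formed, properly protected PIN file, else 1
# with the reason on stderr.
check_slapd_pin() {
    pin="$1"
    tab=$(printf '\t'); cr=$(printf '\r')

    if [ ! -f "$pin" ]; then
        echo "$pin: file not found" >&2
        return 1
    fi

    # Exactly one line (awk counts a final line even without a newline).
    nlines=$(awk 'END { print NR }' "$pin")
    if [ "$nlines" -ne 1 ]; then
        echo "$pin: expected exactly one line, found $nlines" >&2
        return 1
    fi

    line=$(sed -n 1p "$pin")
    case "$line" in
        "$TOKEN_PREFIX"*) ;;
        *) echo "$pin: line must start with '$TOKEN_PREFIX'" >&2; return 1 ;;
    esac

    pw=${line#"$TOKEN_PREFIX"}
    if [ -z "$pw" ]; then
        echo "$pin: no password after the token name" >&2
        return 1
    fi
    # The usual mistake: a blank after "Token:" or a trailing space/tab/CR.
    case "$pw" in
        " "*|"$tab"*|"$cr"*|*" "|*"$tab"|*"$cr")
            echo "$pin: whitespace around the password" >&2
            return 1 ;;
    esac

    # Mode: the guide uses chmod 400; group and other must have no access.
    mode=$(ls -ld "$pin" | cut -c1-10)
    case "$mode" in
        ????------) ;;
        *) echo "$pin: mode is $mode, group/other must have no access (chmod 400)" >&2
           return 1 ;;
    esac
    return 0
}
```

Run `check_slapd_pin /var/Sun/mps/alias/slapd-ldap1-pin.txt` after the chown above; a zero exit status means start-slapd will find a single, exact token line.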

 

Restart LDAP Server now.

 

# /var/Sun/mps/slapd-ldap1/start-slapd

 

Congratulations!!! You have configured an LDAP Server with SSL/TLS support.

 

You may now try to retrieve the directory data:

 

# /usr/bin/ldapsearch -b "dc=example,dc=com" -L "objectclass=*"

 

Log in as root and install OpenSSL and the supporting libgcc, both of which can be downloaded from http://www.sunfreeware.com.

 

# pkgadd -d openssl-0.9.7X-sol9-sparc-local

# pkgadd -d libgcc-3.X.X-sol9-sparc-local

 

This will install OpenSSL into the standard /usr/local/ssl directory, and supporting libgcc into /usr/local/lib.

 

You may now test SSL/TLS locally using the following command:

 

# env LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/lib /usr/local/ssl/bin/openssl s_client -connect localhost:636 -showcerts

CONNECTED(00000003)

depth=0 /C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

verify error:num=18:self signed certificate

verify return:1

depth=0 /C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

verify return:1

---

Certificate chain

 0 s:/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

   i:/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

---

Server certificate

subject=/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

issuer=/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

---

Acceptable client certificate CA names

/C=US/ST=NewYork/L=NewYork City/O=Example Companies/CN=ldap1.example.com

---

SSL handshake has read 909 bytes and written 342 bytes

---

New, TLSv1/SSLv3, Cipher is RC4-MD5

Server public key is 1024 bit

SSL-Session:

    Protocol  : TLSv1

    Cipher    : RC4-MD5

    Session-ID: 4CBF01674425A9E455393A843FA6AEA8838372F7DC13531168B9B3C9AF5857FE

    Session-ID-ctx:

    Master-Key: D04984C9F325DD4CBEBE8A4BD63A182C98CB2C0AE3CD9F0A8FF6102A4C499512E757D996F2F80C9906288673BF52E0D7

    Key-Arg   : None

    Start Time: 1109232085

    Timeout   : 300 (sec)

    Verify return code: 18 (self signed certificate)

---

^C#

 

<Ctrl-C or Ctrl-Break to exit>

 

IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) shown as CN=<FQDN> is defined in the /etc/hosts file.

 

Step 3:  Populate the directory server with People, group and TLS profile data

 

This step is for LDAP Server(s).

 

Prepare People.ldif and group.ldif and add them into directory data. You may also manually add directory data using iPlanet Console.

 

Tip 1: when you use the iPlanet Console to add a People entry, remember to check the "posix" user (posixAccount) option so that uidNumber and gidNumber can be entered.

 

Tip 2: Use the $LDAP_ROOT/slapd-ldap1/getpwenc command to find the encrypted format of an LDAP userPassword.

 

# cd /var/Sun/mps/slapd-ldap1

# ./getpwenc CRYPT testpassword

{crypt}GFOZa/ZLlDdng

 

A sample People.ldif with only two entries is shown here

 

dn: uid=gtay, ou=People, dc=example,dc=com

givenName: Gary

sn: Tay

loginShell: /bin/bash

uidNumber: 6167

gidNumber: 102

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

objectClass: posixAccount

objectClass: shadowAccount

uid: gtay

cn: Gary Tay

homeDirectory: /home/gtay

shadowLastChange: -1

shadowMin: -1

shadowMax: 99999

shadowWarning: 7

shadowInactive: -1

shadowExpire: -1

shadowFlag: 0

gecos: Gary Tay

userPassword: {CRYPT}U8bo2twhJ9Kkg

 

dn: uid=tuser, ou=People, dc=example,dc=com

givenName: Test

sn: User

loginShell: /bin/bash

uidNumber: 9999

gidNumber: 102

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

objectClass: posixAccount

objectClass: shadowAccount

uid: tuser

cn: Test User

homeDirectory: /home/tuser

shadowLastChange: -1

shadowMin: -1

shadowMax: 99999

shadowWarning: 7

shadowInactive: -1

shadowExpire: -1

shadowFlag: 0

gecos: Test User

userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=

 

A sample group.ldif with only one entry is shown here

 

dn: cn=Users,ou=group,dc=example,dc=com

cn: Users

gidNumber: 102

objectClass: top

objectClass: posixGroup

memberUid: gtay

memberUid: tuser

 

If you need SSL/TLS to protect the LDAP connection sessions, prepare tls_profile.ldif.

 

dn: cn=tls_profile,ou=profile,dc=example,dc=com

ObjectClass: top

ObjectClass: DUAConfigProfile

defaultServerList: ldap1.example.com ldap2.example.com

defaultSearchBase: dc=example,dc=com

authenticationMethod: tls:simple

followReferrals: FALSE

defaultSearchScope: one

searchTimeLimit: 30

profileTTL: 43200

bindTimeLimit: 10

cn: tls_profile

credentialLevel: proxy

serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one

serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one

serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one

serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one

 

# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f People.ldif

Bind Password:

adding new entry uid=gtay, ou=People, dc=example,dc=com

adding new entry uid=tuser, ou=People, dc=example,dc=com

 

# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f group.ldif

Bind Password:

adding new entry cn=Users,ou=group,dc=example,dc=com

 

# /usr/bin/ldapadd -c -D "cn=Directory Manager" -f tls_profile.ldif

Bind Password:

adding new entry cn=tls_profile,ou=profile,dc=example,dc=com

 

For bulk import of People and group entries, you may use the "/usr/sbin/ldapaddent" command (see "man ldapaddent" for more details), or you may use PADL's MigrationTools.

 

http://www.padl.com/OSS/MigrationTools.html

 

Examples of ldapaddent are listed below. Note the sequence: the passwd DB first, then shadow. Note also the use of "-p" to create the userPassword attribute; the CRYPT password itself is only added when the DB is shadow.

 

# cat test.txt
test9991:x:9991:102:test9991:/var/tmp:/bin/sh
 
# ldapaddent -v -f test.txt -D "cn=Directory Manager" -p passwd
Enter password:
SERVICE = passwd
Adding entry : test9991
1 entries added
 
# cat tests.txt
test9991:ElnMr/iU805dA:12881::::::
 
# ldapaddent -v -f tests.txt -D "cn=Directory Manager" shadow
Enter password:
SERVICE = shadow
Adding entry : test9991
1 entries added
#

 

IMPORTANT NOTE ABOUT LDIF IMPORT FILES:

 

When you copy and paste the content of People.ldif and group.ldif, or any other .ldif files from this document, to prepare an LDAP data import with the ldapadd command, please make sure that ALL LEADING AND TRAILING SPACES on every line of the .ldif files are removed, or else the "ldapadd" command will throw errors.
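As an added example that is not part of the original document: a script that produces People.ldif and group.ldif entries in the exact layout shown above from passwd, shadow and group style lines (the same input ldapaddent consumes), applying the shadow defaults of the sample entries and emitting no userPassword for locked accounts. The suffix and container names are assumed to match this document's tree.

```shell
#! /bin/sh
# gen_ldif.sh - added example, not part of the original document.
# Builds People.ldif / group.ldif entries in the exact layout shown above
# from passwd(4), shadow(4) and group(4) style lines, i.e. the same input
# ldapaddent consumes, so the output can go straight to "ldapadd -c".
# Suffix and container names are assumed to match this document's tree.

BASE_DN="dc=example,dc=com"
PEOPLE_OU="ou=People"
GROUP_OU="ou=group"

# passwd_to_ldif "passwd line" "shadow line"
# Prints one posixAccount/shadowAccount entry. Empty shadow fields get the
# defaults used in the sample People.ldif. A locked or absent password
# field (*, !, NP, *LK*) yields no userPassword attribute at all, so an
# account disabled locally is not silently enabled in LDAP.
passwd_to_ldif() {
    printf '%s\n%s\n' "$1" "$2" |
    awk -F: -v base="$BASE_DN" -v ou="$PEOPLE_OU" '
    NR == 1 { uid = $1; uidn = $3; gidn = $4; gecos = $5; home = $6; shell = $7 }
    NR == 2 {
        hash = $2
        lastchg = ($3 == "") ? -1    : $3
        min     = ($4 == "") ? -1    : $4
        max     = ($5 == "") ? 99999 : $5
        warn    = ($6 == "") ? 7     : $6
        inact   = ($7 == "") ? -1    : $7
        expire  = ($8 == "") ? -1    : $8
        flag    = ($9 == "") ? 0     : $9
        sub(/,.*/, "", gecos)              # keep only the full-name part
        if (gecos ~ /^ *$/) gecos = uid
        n = split(gecos, w, " ")           # givenName = first word, sn = rest
        given = w[1]; sn = (n > 1) ? w[2] : uid
        for (i = 3; i <= n; i++) sn = sn " " w[i]
        print "dn: uid=" uid ", " ou ", " base
        print "givenName: " given
        print "sn: " sn
        print "loginShell: " shell
        print "uidNumber: " uidn
        print "gidNumber: " gidn
        print "objectClass: top"
        print "objectClass: person"
        print "objectClass: organizationalPerson"
        print "objectClass: inetorgperson"
        print "objectClass: posixAccount"
        print "objectClass: shadowAccount"
        print "uid: " uid
        print "cn: " gecos
        print "homeDirectory: " home
        print "shadowLastChange: " lastchg
        print "shadowMin: " min
        print "shadowMax: " max
        print "shadowWarning: " warn
        print "shadowInactive: " inact
        print "shadowExpire: " expire
        print "shadowFlag: " flag
        print "gecos: " gecos
        if (hash != "" && hash != "NP" && hash !~ /^[*!]/)
            print "userPassword: {CRYPT}" hash
        print ""
    }'
}

# group_to_ldif "group line"
# Prints one posixGroup entry with one memberUid per member.
group_to_ldif() {
    printf '%s\n' "$1" |
    awk -F: -v base="$BASE_DN" -v ou="$GROUP_OU" '{
        print "dn: cn=" $1 "," ou "," base
        print "cn: " $1
        print "gidNumber: " $3
        print "objectClass: top"
        print "objectClass: posixGroup"
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print "memberUid: " m[i]
        print ""
    }'
}

# Constructed sample input: the account from the ldapaddent example above
# plus a locked service account that must get no userPassword. Redirect the
# output to People.ldif / group.ldif for use with ldapadd.
passwd_to_ldif 'test9991:x:9991:102:Test User 9991:/var/tmp:/bin/sh' \
               'test9991:ElnMr/iU805dA:12881::::::'
passwd_to_ldif 'svc:x:500:102:Service Account:/nonexistent:/bin/false' \
               'svc:*LK*:::::::'
group_to_ldif  'Users:x:102:gtay,tuser,test9991'
```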

 

Create the iDS5 LDAP server start/stop script /etc/init.d/ids5ldap.server and modify the Run Control startup links as needed.

 

# touch /etc/init.d/ids5ldap.server

# chmod 744 /etc/init.d/ids5ldap.server

# mv /etc/rc2.d/S72directory /etc/rc2.d/s72directory

# ln -s /etc/init.d/ids5ldap.server /etc/rc2.d/S72directory

# vi /etc/init.d/ids5ldap.server

 

Content of /etc/init.d/ids5ldap.server

 

#! /bin/sh
#
# ids5ldap.server - iDS5 LDAP Server start script
#
# Gary Tay, 19-Feb-2005
#
IDS5_PATH=/var/Sun/mps
SERVER_ID=`hostname`
SERVER_OWNER="root"
SERVER_GROUP="root"
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib:$IDS5_PATH/lib:/usr/lib/mps
export LD_LIBRARY_PATH

case "$1" in
'start')
        echo 'SUN ONE Directory Server service starting.'
        $IDS5_PATH/slapd-$SERVER_ID/start-slapd
        # the certificate and key databases must be owned by the account that runs the admin server
        chown $SERVER_OWNER:$SERVER_GROUP $IDS5_PATH/alias/*.db
        su - $SERVER_OWNER -c $IDS5_PATH/start-admin
        ;;
'stop')
        echo 'SUN ONE Directory Server service stopping.'
        $IDS5_PATH/slapd-$SERVER_ID/stop-slapd
        $IDS5_PATH/stop-admin
        ;;
*)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
esac

 

Try stopping and starting the LDAP server:

 

# /etc/init.d/ids5ldap.server stop

# /etc/init.d/ids5ldap.server start

 

To verify:

 

# ps -ef | grep ns-slapd

    root 19647     1  0 02:46:26 ?        0:03 ./ns-slapd -D /var/Sun/mps/slapd-ldap1 -i /var/Sun/mps/slapd-ldap1/lo

    root 20286 16953  0 03:47:46 pts/1    0:00 grep ns-slapd

 

Tip: whenever you have a problem starting the LDAP server, i.e. it is not shown in the process status, check the errors log file in the /var/Sun/mps/slapd-ldap1/logs directory.

 

Try to list the LDAP content locally at the server by binding anonymously (without the "-D" option); note that userPassword is never listed.

 

# /usr/bin/ldapsearch -h ldap1.example.com -b "dc=example,dc=com" -L "objectclass=*"

dn: dc=example,dc=com

dc: example

objectClass: top

objectClass: domain

objectClass: nisDomainObject

nisDomain: example.com

 

dn: cn=Directory Administrators, dc=example,dc=com

objectClass: top

objectClass: groupofuniquenames

cn: Directory Administrators

 

dn: ou=Groups, dc=example,dc=com

objectClass: top

objectClass: organizationalunit

ou: Groups

 

dn: ou=People, dc=example,dc=com

objectClass: top

objectClass: organizationalunit

ou: People

 

dn: ou=Special Users,dc=example,dc=com

objectClass: top

objectClass: organizationalUnit

ou: Special Users

description: Special Administrative Accounts

 

dn: cn=Accounting Managers,ou=groups,dc=example,dc=com

objectClass: top

objectClass: groupOfUniqueNames

cn: Accounting Managers

ou: groups

description: People who can manage accounting entries

 

dn: cn=HR Managers,ou=groups,dc=example,dc=com

objectClass: top

objectClass: groupOfUniqueNames

cn: HR Managers

ou: groups

description: People who can manage HR entries

 

dn: cn=QA Managers,ou=groups,dc=example,dc=com

objectClass: top

objectClass: groupOfUniqueNames

cn: QA Managers

ou: groups

description: People who can manage QA entries

 

dn: cn=PD Managers,ou=groups,dc=example,dc=com

objectClass: top

objectClass: groupOfUniqueNames

cn: PD Managers

ou: groups

description: People who can manage engineer entries

 

dn: ou=group,dc=example,dc=com

ou: group

objectClass: top

objectClass: organizationalUnit

 

dn: ou=rpc,dc=example,dc=com

ou: rpc

objectClass: top

objectClass: organizationalUnit

 

dn: ou=protocols,dc=example,dc=com

ou: protocols

objectClass: top

objectClass: organizationalUnit

 

dn: ou=networks,dc=example,dc=com

ou: networks

objectClass: top

objectClass: organizationalUnit

 

dn: ou=netgroup,dc=example,dc=com

ou: netgroup

objectClass: top

objectClass: organizationalUnit

 

dn: ou=aliases,dc=example,dc=com

ou: aliases

objectClass: top

objectClass: organizationalUnit

 

dn: ou=hosts,dc=example,dc=com

ou: hosts

objectClass: top

objectClass: organizationalUnit

 

dn: ou=services,dc=example,dc=com

ou: services

objectClass: top

objectClass: organizationalUnit

 

dn: ou=ethers,dc=example,dc=com

ou: ethers

objectClass: top

objectClass: organizationalUnit

 

dn: ou=profile,dc=example,dc=com

ou: profile

objectClass: top

objectClass: organizationalUnit

 

dn: ou=printers,dc=example,dc=com

ou: printers

objectClass: top

objectClass: organizationalUnit

 

dn: automountMapName=auto_home,dc=example,dc=com

automountMapName: auto_home

objectClass: top

objectClass: automountMap

 

dn: automountMapName=auto_direct,dc=example,dc=com

automountMapName: auto_direct

objectClass: top

objectClass: automountMap

 

dn: automountMapName=auto_master,dc=example,dc=com

automountMapName: auto_master

objectClass: top

objectClass: automountMap

 

dn: automountMapName=auto_shared,dc=example,dc=com

automountMapName: auto_shared

objectClass: top

objectClass: automountMap

 

dn: cn=proxyagent,ou=profile,dc=example,dc=com

cn: proxyagent

sn: proxyagent

objectClass: top

objectClass: person

 

dn: cn=default,ou=profile,dc=example,dc=com

objectClass: top

objectClass: DUAConfigProfile

defaultServerList: ldap1.example.com ldap2.example.com

defaultSearchBase: dc=example,dc=com

authenticationMethod: simple

followReferrals: FALSE

defaultSearchScope: one

searchTimeLimit: 30

profileTTL: 43200

cn: default

credentialLevel: proxy

serviceSearchDescriptor: passwd:ou=People,dc=example,dc=com?one

serviceSearchDescriptor: group:ou=group,dc=example,dc=com?one

serviceSearchDescriptor: shadow:ou=People,dc=example,dc=com?one

serviceSearchDescriptor: netgroup:ou=netgroup,dc=example,dc=com?one

bindTimeLimit: 10

 

dn: uid=gtay, ou=People, dc=example,dc=com

givenName: Gary

sn: Tay

loginShell: /bin/bash

uidNumber: 6167

gidNumber: 102

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

objectClass: posixAccount

objectClass: shadowAccount

uid: gtay

cn: Gary Tay

homeDirectory: /home/gtay

shadowLastChange: -1

shadowMin: -1

shadowMax: 99999

shadowWarning: 7

shadowInactive: -1

shadowExpire: -1

shadowFlag: 0

gecos: Gary Tay

 

 

dn: uid=tuser, ou=People, dc=example,dc=com

givenName: Test

sn: User

loginShell: /bin/bash

uidNumber: 9999

gidNumber: 102

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetorgperson

objectClass: posixAccount

objectClass: shadowAccount

uid: tuser

cn: Test User

homeDirectory: /home/tuser

shadowLastChange: -1

shadowMin: -1

shadowMax: 99999

shadowWarning: 7

shadowInactive: -1

shadowExpire: -1

shadowFlag: 0

gecos: Test User

 

dn: cn=Users,ou=group,dc=example,dc=com

cn: Users

gidNumber: 102

objectClass: top

objectClass: posixGroup

memberUid: gtay

memberUid: tuser

 

dn: cn=tls_profile,ou=profile,dc=example,dc=com

objectClass: top

objectClass: DUAConfigProfile

defaultServerList: ldap1.example.com ldap2.example.com

defaultSearchBase: dc=example,dc=com

authenticationMethod: tls:simple

followReferrals: FALSE

defaultSearchScope: one

searchTimeLimit: 30

profileTTL: 43200

bindTimeLimit: 10

cn: tls_profile

credentialLevel: proxy

serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one

serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one

serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one

serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one

 

Congratulations!!! You have created an LDAP server capable of answering name service (uid) lookup requests from any LDAP Client.

 

You may repeat Steps 1, 2 and 3 to install a SLAVE LDAP Server, ldap2.example.com, assuming you are not using the LDAP Replication feature of iDS 5.2 but are instead developing your own script to regularly replicate the People and group data from MASTER to SLAVE.

 

 

Step 4: Configure RedHat Linux LDAP Client (OpenLDAP+PADL libraries)

 

This step is for RedHat Linux LDAP Clients only

 

Assuming client1.example.com is a RedHat Linux OpenLDAP Client.

 

Login as root.

 

 

These lines should be present in /etc/openldap/ldap.conf of the RedHat Linux LDAP Client

 

# List two or more LDAP servers if failover is required

HOST    ldap1.example.com ldap2.example.com

# URI ldap://ldap1.example.com ldap://ldap2.example.com

BASE    dc=example, dc=com

TLS_CACERT     /etc/openldap/cert7.pem

 

In the above file, how do you obtain cert7.pem?

 

In a production environment it is provided by your commercial SSL certificate provider in .pem (ASCII) format; in our testing environment it MAY contain the contents of slapd-<server_id>-cert7.db in ASCII format from BOTH the MASTER and SLAVE LDAP Servers.

 

Use the following script to extract the ASCII format for slapd-<server_id>-cert7.db.

 

# cat list_cert7_db_in_ascii.sh

 

#! /bin/sh
#
# list_cert7_db_in_ascii.sh
#
# Gary Tay, 08-Jan-2005, written
#
# Ref. URL is http://docs.sun.com/source/816-5542-10/certutil.htm#13305
#
# Customize location of iDS5
IDS5_PATH=/var/Sun/mps; export IDS5_PATH
# Customize the following
PATH=$PATH:$IDS5_PATH/shared/bin; export PATH
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
# domainname returns the NIS domain; set FQDN by hand if it differs from
# the DNS domain used in the certificate CN
HOST=`hostname`
DOMAIN=`domainname`
FQDN="$HOST.$DOMAIN"
cd $IDS5_PATH/alias
# -P is the database file prefix, -n the certificate nickname, -a ASCII (PEM) output
certutil -L -d $IDS5_PATH/alias -P "slapd-$HOST-" -n $FQDN -a

 

Note that this script is to be executed at LDAP Server end, not LDAP Client.

 

Login as root at ldap1.example.com

 

# ./list_cert7_db_in_ascii.sh >cert7.pem

# cat cert7.pem

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

 

If SLAVE LDAP is built, login as root at ldap2.example.com, run list_cert7_db_in_ascii.sh again and APPEND the output to cert7.pem.

 

Copy this cert7.pem over to all RedHat Linux LDAP Clients, at /etc/openldap/cert7.pem.

 

Now go back to root session of RedHat Linux LDAP Client.

 

Run "authconfig", select LDAP Authentication with TLS, and specify "ldap1.example.com ldap2.example.com" as the LDAP Servers. Note that this may generate only a rather basic /etc/ldap.conf (NSS_LDAP) file, so manual editing is required to specify TLS and other parameters.

 

Do not confuse NSS_LDAP’s (shared with PAM_LDAP’s) configuration file /etc/ldap.conf with OpenLDAP client configuration file, in our case, /etc/openldap/ldap.conf.

 

Edit /etc/ldap.conf; a well-commented sample follows. The lines shown in GREEN in the original formatted document are the ones usually changed; in this text version they are the active (uncommented) site-specific settings such as host, base, binddn, bindpw, rootbinddn, the pam_* and nss_base_* lines, ssl and tls_cacertfile.

 

# List two or more LDAP servers if failover is required

host ldap1.example.com ldap2.example.com

# “host” directive may be deprecated in future releases,

# you may wish to use ‘uri’ directive to replace “host” directive

# uri ldap://ldap1.example.com ldap://ldap2.example.com

base dc=example,dc=com

ldap_version 3

binddn cn=proxyagent,ou=profile,dc=example,dc=com

bindpw password

# The distinguished name to bind to the server with

# if the effective user ID is root. Password is

# stored in /etc/ldap.secret (mode 600)

rootbinddn "cn=Directory Manager"

port 389

# The search scope.

#scope sub

#scope one

#scope base

# Search timelimit

#timelimit 30

# Bind timelimit

#bind_timelimit 30

# Idle timelimit; client will close connections

# (nss_ldap only) if the server has not been contacted

# for the number of seconds specified below.

#idle_timelimit 3600

 

# Filter to AND with uid=%s

#pam_filter objectclass=account

pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)

pam_login_attribute uid

 

# Search the root DSE for the password policy (works

# with Netscape Directory Server)

#pam_lookup_policy yes

 

# Check the 'host' attribute for access control

# Default is no; if set to yes, and user has no

# value for the host attribute, and pam_ldap is

# configured for account management (authorization)

# then the user will not be allowed to login.

#pam_check_host_attr yes

 

# Group to enforce membership of

#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

 

# Group member attribute

#pam_member_attribute uniquemember

pam_member_attribute memberUid

 

# Specify a minimum or maximum UID number allowed

#pam_min_uid 0

#pam_max_uid 0

 

# Template login attribute, default template user

# (can be overridden by value of former attribute

# in user's entry)

#pam_login_attribute userPrincipalName

#pam_template_login_attribute uid

#pam_template_login nobody

 

# HEADS UP: the pam_crypt, pam_nds_passwd,

# and pam_ad_passwd options are no

# longer supported.

 

# Do not hash the password at all; presume

# the directory server will do it, if

# necessary. This is the default.

#pam_password clear

 

# Hash password locally; required for University of

# Michigan LDAP server, and works with Netscape

# Directory Server if you're using the UNIX-Crypt

# hash mechanism and not using the NT Synchronization

# service.

pam_password crypt

 

# Remove old password first, then update in

# cleartext. Necessary for use with Novell

# Directory Services (NDS)

#pam_password nds

 

# Update Active Directory password, by

# creating Unicode password and updating

# unicodePwd attribute.

#pam_password ad

 

# Use the OpenLDAP password change

# extended operation to update the password.

#pam_password exop

 

# Redirect users to a URL or somesuch on password

# changes.

#pam_password_prohibit_message Please visit http://internal to change your password.

 

# RFC2307bis naming contexts

# Syntax:

# nss_base_XXX          base?scope?filter

# where scope is {base,one,sub}

# and filter is a filter to be &'d with the

# default filter.

# You can omit the suffix eg:

# nss_base_passwd       ou=People,

# to append the default base DN but this

# may incur a small performance impact.

nss_base_passwd ou=People,dc=example,dc=com?one

nss_base_shadow ou=People,dc=example,dc=com?one

nss_base_group          ou=group,dc=example,dc=com?one

#nss_base_hosts         ou=Hosts,dc=example,dc=com?one

#nss_base_services      ou=Services,dc=example,dc=com?one

#nss_base_networks      ou=Networks,dc=example,dc=com?one

#nss_base_protocols     ou=Protocols,dc=example,dc=com?one

#nss_base_rpc           ou=Rpc,dc=example,dc=com?one

#nss_base_ethers        ou=Ethers,dc=example,dc=com?one

#nss_base_netmasks      ou=Networks,dc=example,dc=com?one

#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one

#nss_base_aliases       ou=Aliases,dc=example,dc=com?one

nss_base_netgroup      ou=netgroup,dc=example,dc=com?one

 

# attribute/objectclass mapping

# Syntax:

#nss_map_attribute      rfc2307attribute        mapped_attribute

#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

 

# configure --enable-nds is no longer supported.

# For NDS now do:

#nss_map_attribute uniqueMember member

 

# configure --enable-mssfu-schema is no longer supported.

# For MSSFU now do:

#nss_map_objectclass posixAccount User

#nss_map_attribute uid msSFUName

#nss_map_attribute uniqueMember posixMember

#nss_map_attribute userPassword msSFUPassword

#nss_map_attribute homeDirectory msSFUHomeDirectory

#nss_map_objectclass posixGroup Group

#pam_login_attribute msSFUName

#pam_filter objectclass=User

#pam_password ad

 

# configure --enable-authpassword is no longer supported

# For authPassword support, now do:

#nss_map_attribute userPassword authPassword

#pam_password nds

 

# For IBM SecureWay support, do:

#nss_map_objectclass posixAccount aixAccount

#nss_map_attribute uid userName

#nss_map_attribute gidNumber gid

#nss_map_attribute uidNumber uid

#nss_map_attribute userPassword passwordChar

#nss_map_objectclass posixGroup aixAccessGroup

#nss_map_attribute cn groupName

#nss_map_attribute uniqueMember member

#pam_login_attribute userName

#pam_filter objectclass=aixAccount

#pam_password clear

 

# Netscape SDK LDAPS

#ssl on

 

# Netscape SDK SSL options

#sslpath /etc/ssl/certs/cert7.db

 

# OpenLDAP SSL mechanism

# start_tls mechanism uses the normal LDAP port, LDAPS typically 636

ssl start_tls

#ssl on

 

# OpenLDAP SSL options

# Require and verify server certificate (yes/no)

# Default is "no"

tls_checkpeer yes

 

# CA certificates for server certificate verification

# At least one of these are required if tls_checkpeer is "yes"

#tls_cacertfile /etc/ssl/ca.cert

#tls_cacertdir /etc/ssl/certs

tls_cacertfile /etc/openldap/cert7.pem

 

# Seed the PRNG if /dev/urandom is not provided

#tls_randfile /var/run/egd-pool

 

# SSL cipher suite

# See man ciphers for syntax

#tls_ciphers TLSv1

 

# Client certificate and key

# Use these, if your server requires client authentication.

#tls_cert

#tls_key

 

Now, from the RedHat Linux LDAP Client, we can run the openssl s_client test again, this time passing cert7.pem with "-CAfile":

 

# openssl s_client -connect ldap1.example.com:636 -CAfile /etc/openldap/cert7.pem -debug

---

<Ctrl-C or Ctrl-Break to exit> it should not display verification error

 

IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) shown as CN=<FQDN> matches the "host" entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (LDAP Client), and that its IP address is defined in the /etc/hosts file.

 

You should test whether the RedHat Linux OpenLDAP client can connect to the LDAP Server (slapd) using simple authentication (-x), without and with START_TLS (-ZZ).

 

# ldapsearch -x -LLL

# ldapsearch -x -LLL -ZZ
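The three conditions of the note above (server name in /etc/hosts, certificate CN equal to that name, verification against cert7.pem), checked for every server on the "host" line of /etc/ldap.conf, as an added example that is not part of the original document; the file locations are assumptions matching the RedHat client layout used here.

```shell
#! /bin/sh
# check_ldap_tls_peers.sh - added example, not part of the original document.
# For each server on the "host" line of the nss_ldap /etc/ldap.conf it checks
# the three things the note above calls for: the name is in /etc/hosts, the
# CN of the certificate presented on port 636 equals that name, and
# verification against cert7.pem succeeds. The file locations below are the
# RedHat client layout used in this document and are assumptions.

LDAP_CONF="${LDAP_CONF:-/etc/ldap.conf}"
CA_FILE="${CA_FILE:-/etc/openldap/cert7.pem}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# hosts_from_ldap_conf FILE -> servers named on the "host" line, one per line
hosts_from_ldap_conf() {
    awk '$1 == "host" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# in_hosts_file NAME HOSTSFILE -> 0 if NAME is a hostname or alias on a
# non-comment line of HOSTSFILE
in_hosts_file() {
    awk -v n="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                   END { exit found ? 0 : 1 }' "$2"
}

# cert_cn S_CLIENT_OUTPUT -> the CN from the "subject=" line, for both the
# "/C=US/.../CN=name" form shown above and the newer "C = US, ..., CN = name"
cert_cn() {
    printf '%s\n' "$1" |
    awk -F 'CN *= *' '/^subject=/ { sub("[/,].*$", "", $2); print $2; exit }'
}

# verify_ok S_CLIENT_OUTPUT -> 0 only if OpenSSL reported "Verify return code: 0"
verify_ok() {
    printf '%s\n' "$1" | grep -q '^ *Verify return code: 0 '
}

# check_server NAME -> 0 when all three checks pass; each failure is printed
check_server() {
    name="$1"; rc=0
    in_hosts_file "$name" "$HOSTS_FILE" || { echo "$name: not in $HOSTS_FILE"; rc=1; }
    # stdin from /dev/null makes s_client exit instead of waiting for Ctrl-C
    out=$(openssl s_client -connect "$name:636" -CAfile "$CA_FILE" </dev/null 2>&1)
    cn=$(cert_cn "$out")
    [ "$cn" = "$name" ] || { echo "$name: certificate CN is '$cn'"; rc=1; }
    verify_ok "$out" || { echo "$name: verification against $CA_FILE failed"; rc=1; }
    return $rc
}

# The live checks run only when invoked as "check_ldap_tls_peers.sh run",
# so the parsing functions above can also be sourced and tested offline.
if [ "${1:-}" = "run" ]; then
    status=0
    for h in $(hosts_from_ldap_conf "$LDAP_CONF"); do
        if check_server "$h"; then echo "$h: ok"; else status=1; fi
    done
    exit $status
fi
```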

 

To test the use of LDAP for user id lookup, you can use "id" or "getent", before that please ensure that keyword 'ldap' appears in /etc/nsswitch.conf and "nscd" is running

 

#  grep ldap /etc/nsswitch.conf

passwd:     files ldap

shadow:   files ldap

group:      files ldap

 

# /etc/init.d/nscd stop; /etc/init.d/nscd start

 

# id tuser

uid=99999(tuser) gid=102(Users)

# getent passwd gtay

 

Step 4X: Configure Solaris Native LDAP Client (SUN Native LDAP libraries)

 

This step is for Solaris8 and Solaris9 Native LDAP Clients only.

 

Assuming client2.example.com and client3.example.com are Solaris8 and Solaris9 Native LDAP Clients respectively.

 

Please note that for a Solaris8 LDAP Client, the latest kernel patch and ldapv2 Patch 108993-XX must be installed; for a Solaris9 LDAP Client, the latest kernel patch and ldap Patch 112960-XX must be installed.

 

Log in to client2 or client3 as ‘root’.

 

We would first need to generate two files /var/ldap/cert7.db and /var/ldap/key3.db such that cert7.db contains self-signed SSL Web Server certificate(s).

 

Run "netscape" browser locally, or from a remote Windows PC, and capture the self-signed SSL Server certificates from ldap1.example.com and ldap2.example.com into $HOME/.netscape/cert7.db or c:\Program Files\Netscape\users\user_name\cert7.db.

 

The URL to capture cert7.db is https://LDAP_SERVER_FQDN:636/, ignore "The document contained no data" message. FQDN means Fully Qualified Domain Name.

 

https://ldap1.example.com:636/

https://ldap2.example.com:636/

 

To view the content of cert7.db in Netscape Browser, click Communicator/Tools/Security Info/Web Sites.

 

Copy this cert7.db and the corresponding key3.db to /var/ldap of all Solaris LDAP Clients.

 

Don’t forget to:

# chmod 644 /var/ldap/cert7.db

# chmod 644 /var/ldap/key3.db

 

To test if TLS connection is OK remotely from LDAP Client to LDAP Server, you could run "test_native_client_tls.sh" which requires /var/ldap/cert7.db.

 

$ cat test_native_client_tls.sh

#! /bin/sh
# test_native_client_tls.sh - base search over LDAPS against both servers,
# verifying their certificates against /var/ldap/cert7.db
IDS5_PATH=/var/Sun/mps
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
echo "Testing MASTER LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap1.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)"
echo "Press any key"
read any_key
echo "Testing SLAVE LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap2.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)"
echo "Done"

 

Note 1: Please note that /usr/bin/ldapsearch DOES NOT support “-Z” and “-P” options, but $IDS5_PATH/shared/bin/ldapsearch DOES, how do you obtain this version of “ldapsearch”?

 

For Solaris9, $IDS5_PATH is most likely already there and is usually named /usr/iplanet/ds5; you may amend the script to reflect its actual location. If it is not there, you may download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2 and walk through one round of "dummy" CONSOLE ONLY installation to obtain all the supported library and client command files in the $IDS5_PATH directory, which defaults to /var/Sun/mps.

 

For Solaris8, you would have to download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2 and walk through one round of "dummy" CONSOLE ONLY installation to obtain all the supported library and client command files in the $IDS5_PATH directory, which defaults to /var/Sun/mps.

 

Note 2: please note that you ONLY need to test cert7.db and key3.db by running the BASELINE test script “test_native_client_tls.sh” ONCE at ONE of the Solaris LDAP Clients to prove that the TLS connection between LDAP Client and Server is fine with the SSL Server Certificate installed at the Server end.

 

$ ./test_native_client_tls.sh

Testing MASTER LDAP Server...

version: 1

dn:

objectClass: top

namingContexts: dc=example,dc=com

namingContexts: o=NetscapeRoot

supportedExtension: 2.16.840.1.113730.3.5.7

supportedExtension: 2.16.840.1.113730.3.5.8

supportedExtension: 2.16.840.1.113730.3.5.3

supportedExtension: 2.16.840.1.113730.3.5.5

supportedExtension: 2.16.840.1.113730.3.5.6

supportedExtension: 2.16.840.1.113730.3.5.4

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22

supportedExtension: 1.3.6.1.4.1.1466.20037

supportedExtension: 1.3.6.1.4.1.4203.1.11.3

supportedControl: 2.16.840.1.113730.3.4.2

supportedControl: 2.16.840.1.113730.3.4.3

supportedControl: 2.16.840.1.113730.3.4.4

supportedControl: 2.16.840.1.113730.3.4.5

supportedControl: 1.2.840.113556.1.4.473

supportedControl: 2.16.840.1.113730.3.4.9

supportedControl: 2.16.840.1.113730.3.4.16

supportedControl: 2.16.840.1.113730.3.4.15

supportedControl: 2.16.840.1.113730.3.4.17

supportedControl: 2.16.840.1.113730.3.4.19

supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2

supportedControl: 2.16.840.1.113730.3.4.14

supportedControl: 1.3.6.1.4.1.1466.29539.12

supportedControl: 2.16.840.1.113730.3.4.12

supportedControl: 2.16.840.1.113730.3.4.18

supportedControl: 2.16.840.1.113730.3.4.13

supportedSASLMechanisms: EXTERNAL

supportedSASLMechanisms: GSSAPI

supportedSASLMechanisms: DIGEST-MD5

supportedLDAPVersion: 2

supportedLDAPVersion: 3

vendorName: Sun Microsystems, Inc.

vendorVersion: Sun-ONE-Directory/5.2

dataversion: 020050202073550020050202073550

netscapemdsuffix: cn=ldap://dc=ldap1,dc=example,dc=com:389

vlvsearch: cn=example.com_shadow_vlv_index,cn=userRoot,cn=ldbm database,cn=

 plugins,cn=config

vlvsearch: cn=example.com_rpc_vlv_index,cn=userRoot,cn=ldbm database,cn=plu

 gins,cn=config

vlvsearch: cn=example.com_passwd_vlv_index,cn=userRoot,cn=ldbm database,cn=

 plugins,cn=config

vlvsearch: cn=example.com_networks_vlv_index,cn=userRoot,cn=ldbm database,c

 n=plugins,cn=config

vlvsearch: cn=example.com_hosts_vlv_index,cn=userRoot,cn=ldbm database,cn=p

 lugins,cn=config

vlvsearch: cn=example.com_group_vlv_index,cn=userRoot,cn=ldbm database,cn=p

 lugins,cn=config

Press any key

 

Testing SLAVE LDAP Server..

version: 1

dn:

objectClass: top

namingContexts: dc=example,dc=com

namingContexts: o=NetscapeRoot

supportedExtension: 2.16.840.1.113730.3.5.7

supportedExtension: 2.16.840.1.113730.3.5.8

supportedExtension: 2.16.840.1.113730.3.5.3

supportedExtension: 2.16.840.1.113730.3.5.5

supportedExtension: 2.16.840.1.113730.3.5.6

supportedExtension: 2.16.840.1.113730.3.5.4

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22

supportedExtension: 1.3.6.1.4.1.1466.20037

supportedExtension: 1.3.6.1.4.1.4203.1.11.3

supportedControl: 2.16.840.1.113730.3.4.2

supportedControl: 2.16.840.1.113730.3.4.3

supportedControl: 2.16.840.1.113730.3.4.4

supportedControl: 2.16.840.1.113730.3.4.5

supportedControl: 1.2.840.113556.1.4.473

supportedControl: 2.16.840.1.113730.3.4.9

supportedControl: 2.16.840.1.113730.3.4.16

supportedControl: 2.16.840.1.113730.3.4.15

supportedControl: 2.16.840.1.113730.3.4.17

supportedControl: 2.16.840.1.113730.3.4.19

supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2

supportedControl: 2.16.840.1.113730.3.4.14

supportedControl: 1.3.6.1.4.1.1466.29539.12

supportedControl: 2.16.840.1.113730.3.4.12

supportedControl: 2.16.840.1.113730.3.4.18

supportedControl: 2.16.840.1.113730.3.4.13

supportedSASLMechanisms: EXTERNAL

supportedSASLMechanisms: GSSAPI

supportedSASLMechanisms: DIGEST-MD5

supportedLDAPVersion: 2

supportedLDAPVersion: 3

vendorName: Sun Microsystems, Inc.

vendorVersion: Sun-ONE-Directory/5.2

dataversion: 020050224074626020050224074626

netscapemdsuffix: cn=ldap://dc=ldap2,dc=example,dc=com:389

vlvsearch: cn=example.com_shadow_vlv_index,cn=userRoot,cn=ldbm database,cn=

 plugins,cn=config

vlvsearch: cn=example.com_rpc_vlv_index,cn=userRoot,cn=ldbm database,cn=plu

 gins,cn=config

vlvsearch: cn=example.com_passwd_vlv_index,cn=userRoot,cn=ldbm database,cn=

 plugins,cn=config

vlvsearch: cn=example.com_networks_vlv_index,cn=userRoot,cn=ldbm database,c

 n=plugins,cn=config

vlvsearch: cn=example.com_hosts_vlv_index,cn=userRoot,cn=ldbm database,cn=p

 lugins,cn=config

vlvsearch: cn=example.com_group_vlv_index,cn=userRoot,cn=ldbm database,cn=p

 lugins,cn=config

Done
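The two rootDSE dumps above (MASTER, then SLAVE) are what a client should be checked against before it is pointed at both servers with NS_LDAP_AUTH= tls:simple: every server in defaultServerList must advertise the Start TLS extended operation (supportedExtension 1.3.6.1.4.1.1466.20037), and the MASTER and SLAVE should agree on naming contexts, extensions, controls and SASL mechanisms, while per-server values such as netscapemdsuffix and dataversion are expected to differ. The following Python is an added example, not part of the original document or of Sun's tools. It parses LDIF (including the folded vlvsearch lines) from constructed, abbreviated copies of the output above rather than from a live server; in practice the input would be the result of the base-scope rootDSE search (ldapsearch -b "" -s base objectclass=*) against each server.

```python
import base64

START_TLS_OID = "1.3.6.1.4.1.1466.20037"   # Start TLS extended operation (RFC 4511)

# Attributes that should be identical on every server a client may fail over to.
CAPABILITY_ATTRS = ("namingcontexts", "supportedextension", "supportedcontrol",
                    "supportedsaslmechanisms", "supportedldapversion", "vendorversion")

# Constructed, abbreviated copy of the MASTER rootDSE output shown above.
MASTER_ROOTDSE = """\
dn:
objectClass: top
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedControl: 2.16.840.1.113730.3.4.2
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-ONE-Directory/5.2
dataversion: 020050202073550020050202073550
netscapemdsuffix: cn=ldap://dc=ldap1,dc=example,dc=com:389
vlvsearch: cn=example.com_passwd_vlv_index,cn=userRoot,cn=ldbm database,cn=
 plugins,cn=config
"""

# Constructed SLAVE copy: same capabilities, different per-server values.
SLAVE_ROOTDSE = MASTER_ROOTDSE.replace("dc=ldap1", "dc=ldap2").replace(
    "020050202073550020050202073550", "020050224074626020050224074626")

# Constructed negative case: a server that does not advertise Start TLS.
NO_TLS_ROOTDSE = MASTER_ROOTDSE.replace(
    "supportedExtension: 1.3.6.1.4.1.1466.20037\n", "")


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute_lowercase: [values]}.

    A line beginning with one space continues the previous line (LDIF folding,
    as in the wrapped vlvsearch values above); "attr:: value" is base64.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def supports_start_tls(entry):
    return START_TLS_OID in entry.get("supportedextension", [])


def capability_diff(master, slave):
    """Return {attr: (only_on_master, only_on_slave)} for capability attributes that differ."""
    diff = {}
    for attr in CAPABILITY_ATTRS:
        m, s = set(master.get(attr, [])), set(slave.get(attr, []))
        if m != s:
            diff[attr] = (sorted(m - s), sorted(s - m))
    return diff


def ready_for_tls_profile(*entries):
    """True when every server advertises Start TLS and all agree with the first one."""
    if not entries or not all(supports_start_tls(e) for e in entries):
        return False
    return all(not capability_diff(entries[0], e) for e in entries[1:])


if __name__ == "__main__":
    master, slave = parse_ldif_entry(MASTER_ROOTDSE), parse_ldif_entry(SLAVE_ROOTDSE)
    print("master/slave capability diff:", capability_diff(master, slave))
    print("ready for tls:simple:", ready_for_tls_profile(master, slave))
```

A server missing from the Start TLS check would make ldap_cachemgr fail its bind silently from the user's point of view (only /var/adm/messages shows it), so this is worth running once per server before changing NS_LDAP_AUTH.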

 

Next we will configure the LDAP Client. There are two files, /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred: the first contains all the parameters and the second the password of "proxyAgent".

 

To do this on Solaris8, as root run ldapclient_init_tlsprofile_sol8.sh

 

Content of ldapclient_init_tlsprofile_sol8.sh:

 

#! /usr/bin/sh
#
# ldapclient_init_tlsprofile_sol8.sh
#
# Gary Tay, 28-Jul-2005, written
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
echo We first initialize a /var/ldap/ldap_client_file with "default" profile
# NOTE: the proxyAgent password is passed with -w on the command line, so it is
# visible to "ps" on this host while ldapclient runs; keep this script mode 700.
/usr/sbin/ldapclient -v -i -a simple -b dc=example,dc=com -c proxy \
   -D cn=proxyAgent,ou=profile,dc=example,dc=com -w password \
   -S "passwd: ou=People,dc=example,dc=com?one" \
   -S "shadow: ou=People,dc=example,dc=com?one" \
   -S "group: ou=group,dc=example,dc=com?one" \
   -S "netgroup: ou=netgroup,dc=example,dc=com?one" \
   192.168.1.168
echo ...
echo As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
echo which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
    -e '/^passwd:/a\
shadow:     files ldap' \
    /etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
echo ...
echo Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
echo ...
echo We then overwrite /var/ldap/ldap_client_file with "tls_profile" version
echo and refresh ldap_cachemgr
echo Please customize the NS_LDAP_XXX parameters in this script
cat <<EOF >/var/ldap/ldap_client_file.tls_profile
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
EOF
cp /var/ldap/ldap_client_file.tls_profile /var/ldap/ldap_client_file
/etc/init.d/ldap.client stop
/etc/init.d/ldap.client start
echo Done.

 

(Note: if you are not using TLS, comment out the relevant section of the script)

 

IMPORTANT NOTE: if MASTER LDAP 192.168.1.168 is down for maintenance or any reason, replace “192.168.1.168” with “192.168.1.178” in the above script to download from SLAVE LDAP.

 

# ./ldapclient_init_tlsprofile_sol8.sh

Arguments parsed:

        domainName: example.com

        proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com

        profileName: tls_profile

        proxyPassword: password

        defaultServerList: 192.168.1.168

Handling init option

About to configure machine by downloading a profile

findBaseDN: begins

findBaseDN: Stopping ldap

findBaseDN: calling __ns_ldap_default_config()

found 2 namingcontexts

findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"

rootDN[0] dc=example,dc=com

found baseDN dc=example,dc=com for domain example.com

Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com

Proxy password: {NS1}ecfa88f3a945c411

Credential level: 1

Authentication method: 3

About to modify this machines configuration by writing the files

Stopping network services

Stopping sendmail

Stopping nscd

autofs not running

ldap not running

nisd not running

nis_cache not running

nispasswd not running

nis(yp) not running

Removing existing restore directory

file_backup: stat(/etc/nsswitch.conf)=0

file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)

file_backup: stat(/etc/defaultdomain)=0

file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)

file_backup: stat(/etc/.rootkey)=-1

file_backup: No /etc/.rootkey file.

file_backup: stat(/var/nis/NIS_COLD_START)=-1

file_backup: No /var/nis/NIS_COLD_START file.

file_backup: nis domain is "example.com"

file_backup: stat(/var/yp/binding/example.com)=-1

file_backup: No /var/yp/binding/example.com directory.

file_backup: stat(/var/ldap/ldap_client_file)=0

file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)

file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)

Starting network services

start: /usr/bin/domainname example.com... success

start: /usr/lib/ldap/ldap_cachemgr... success

start: /etc/init.d/autofs start... success

start: /etc/init.d/nscd start... success

start: /etc/init.d/sendmail start... success

System successfully configured

...
As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
which contains a bug in "hosts:" entry, we need to repair it
...
Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
...
We then overwrite /var/ldap/ldap_client_file with "tls_profile" version
and refresh ldap_cachemgr
Please customize the NS_LDAP_XXX parameters in this script
Done.

 


 

For Solaris9, run "ldapclient_init_tlsprofile_sol9.sh"

 

Content of ldapclient_init_tlsprofile_sol9.sh:

 

#! /usr/bin/sh
#
# ldapclient_init_tlsprofile_sol9.sh
#
# Gary Tay, 18-Feb-2005, written
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
# Please customize the value of profileName and LDAP Server IP
# NOTE: proxyPassword is passed on the command line, so it is visible to "ps"
# on this host while ldapclient runs; keep this script mode 700.
ldapclient -v init \
-a profileName=tls_profile \
-a domainName=example.com \
-a proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com \
-a proxyPassword=password 192.168.1.168
# As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
# which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
    -e '/^passwd:/a\
shadow:     files ldap' \
    /etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
# Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start

 

# ./ldapclient_init_tlsprofile_sol9.sh

Parsing profileName=tls_profile

Parsing domainName=example.com

Parsing defaultSearchBase=dc=example,dc=com

Parsing proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com

Parsing proxyPassword=password

Arguments parsed:

        defaultSearchBase: dc=example,dc=com

        domainName: example.com

        proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com

        profileName: tls_profile

        proxyPassword: password

        defaultServerList: 192.168.1.168

Handling manual option

Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com

Proxy password: {NS1}ecfa88f3a945c411

Authentication method: 0

Authentication method: 0

No proxyDN/proxyPassword required

About to modify this machines configuration by writing the files

Stopping network services

Stopping sendmail

Stopping nscd

Stopping autofs

Stopping ldap

nisd not running

nis_cache not running

nispasswd not running

nis(yp) not running

Removing existing restore directory

file_backup: stat(/etc/nsswitch.conf)=0

file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)

file_backup: stat(/etc/defaultdomain)=0

file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)

file_backup: stat(/etc/.rootkey)=-1

file_backup: No /etc/.rootkey file.

file_backup: stat(/var/nis/NIS_COLD_START)=-1

file_backup: No /var/nis/NIS_COLD_START file.

file_backup: nis domain is "example.com"

file_backup: stat(/var/yp/binding/example.com)=-1

file_backup: No /var/yp/binding/example.com directory.

file_backup: stat(/var/ldap/ldap_client_file)=0

file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)

file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)

Starting network services

start: /usr/bin/domainname example.com... success

start: /usr/lib/ldap/ldap_cachemgr... success

start: /etc/init.d/autofs start... success

start: /etc/init.d/nscd start... success

start: /etc/init.d/sendmail start... success

System successfully configured

#

 

Also note that you must use the host name ldap1.example.com, not the LDAP Server IP address, in the LDAP data (defaultServerList) and in /var/ldap/ldap_client_file if you want SSL/START_TLS to accept the LDAP Server's self-signed certificate: the client checks that the name it connects to matches the name in the certificate, and an IP address will not match. BUT for running the download/manual init scripts, the LDAP Server IP is used.

 

In both cases, /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred will be generated, do take a look at their contents.

 

Content of /var/ldap/ldap_client_file:

 

NS_LDAP_FILE_VERSION= 2.0

NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com

NS_LDAP_SEARCH_BASEDN= dc=example,dc=com

NS_LDAP_AUTH= tls:simple

NS_LDAP_SEARCH_REF= FALSE

NS_LDAP_SEARCH_SCOPE= one

NS_LDAP_SEARCH_TIME= 30

NS_LDAP_CACHETTL= 43200

NS_LDAP_PROFILE= tls_profile

NS_LDAP_CREDENTIAL_LEVEL= proxy

NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one

NS_LDAP_BIND_TIME= 10

 

Content of /var/ldap/ldap_client_cred:

 

NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com

NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411

 

(Tips: see Appendix for a script called cr_proyAgent_pw_in_NS1_format.sh to find out the {NS1} formatted password of proxyAgent, this script can only be run on Solaris8)

 

Check and change the file permissions of BOTH ldap_client_file and ldap_client_cred if needed. Note that the {NS1} value in ldap_client_cred is only an obfuscated, reversible form of the proxyAgent password, not a one-way hash (the client has to recover the clear text to perform the simple bind), so anyone who can read the file effectively holds the proxy credential; that is why it must not be readable by anyone but root.

 

# cd /var/ldap

# chmod 400 ldap_client_file ldap_client_cred

 

Edit /etc/nsswitch.conf, make sure that these lines exist:

 

passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns

 

Now try refreshing ldap_cachemgr and nscd

 

# /etc/init.d/ldap.client stop

# /etc/init.d/ldap.client start

# ps -ef | grep ldap

# /etc/init.d/nscd stop

# /etc/init.d/nscd start

# ps -ef | grep nscd

 

Make sure also that ldap1.example.com and ldap2.example.com are defined in BOTH the "/etc/hosts" file and DNS, and that "hosts: files dns" instead of "hosts: files ldap" is defined in /etc/nsswitch.conf. With "hosts: files ldap" the client would need LDAP to resolve the name of the LDAP Server itself, and there will be error messages during login, i.e. "unknown host or invalid literal address".

 

To test the name service, besides "id" and "getent", there is also the "ldaplist" command:

 

# /usr/lib/ldap/ldap_cachemgr -g

# id tuser

uid=9999(tuser) gid=102(Users)

# getent passwd tuser

tuser::9999:102::/home/tuser:/bin/bash

# ldaplist -l passwd tuser

dn: uid=tuser,ou=People,dc=example,dc=com

        givenName: Test

        sn: User

        loginShell: /bin/bash

        uidNumber: 9999

        gidNumber: 102

        objectClass: top

        objectClass: person

        objectClass: organizationalPerson

        objectClass: inetorgperson

        objectClass: posixAccount

        objectClass: shadowAccount

        uid: tuser

        cn: Test User

        homeDirectory: /home/tuser

        shadowLastChange: -1

        shadowMin: -1

        shadowMax: 99999

        shadowWarning: 7

        shadowInactive: -1

        shadowExpire: -1

        shadowFlag: 0

        gecos: Test User

 

Tips 1: If there is a problem looking up the LDAP entries, look for errors in /var/adm/messages and/or /var/log/syslog. The LDAP Server log files are also a good source of clues.

 

Tips 2: How could we prevent “userPassword” from being listed by “ldaplist -l” or “ldapaddent -d”?

 

In SUN ONE Console, open Directory Server, select defaultSearchBase, i.e. dc=example,dc=com and edit one of the listed ACIs, which is usually named “LDAP_Naming_Services_proxy_password_read”:

 

Change it.

From:

(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)

 

To:

(target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
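The same ACI change can be made from the command line with ldapmodify instead of SUN ONE Console. The Python below is an added example (not from the original document) that removes a single right from an ACI string, checks whether an ACI still lets its subject read userPassword, and writes the modify LDIF. OLD_ACI is the "From:" value above; the DN and the proxyAgent name are the ones used throughout this document.

```python
import re

DEFAULT_SEARCH_BASE = "dc=example,dc=com"

# The ACI exactly as listed on dc=example,dc=com ("From:" above).
OLD_ACI = ('(target="ldap:///dc=example,dc=com")(targetattr="userPassword")'
           '(version 3.0; acl LDAP_Naming_Services_proxy_password_read; '
           'allow (compare,read,search) '
           'userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)')

# targetattr, acl name, allow/deny and the rights list of a DS5.2-style ACI.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attr>[^"]+)"\).*?'
    r'acl\s+"?(?P<name>[^";]+)"?\s*;\s*(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)',
    re.DOTALL)


def parse_aci(aci):
    """Pull targetattr, acl name, allow/deny and the rights out of an ACI string."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI: %r" % aci)
    rights = [r.strip() for r in m.group("rights").split(",") if r.strip()]
    return {"attr": m.group("attr"), "name": m.group("name").strip(),
            "kind": m.group("kind"), "rights": rights}


def grants_password_read(aci):
    """True if this ACI lets its subject read userPassword (i.e. fetch stored hashes)."""
    info = parse_aci(aci)
    covers_password = info["attr"].lower() in ("userpassword", "*")
    return info["kind"] == "allow" and covers_password and "read" in info["rights"]


def drop_right(aci, right):
    """Return the ACI with one right removed from its rights list, nothing else changed."""
    info = parse_aci(aci)
    kept = [r for r in info["rights"] if r != right]
    if not kept:
        raise ValueError("removing %r would leave an empty rights list" % right)
    return re.sub(r'(allow|deny)\s*\([^)]*\)', r'\1 (' + ",".join(kept) + ")", aci, count=1)


def aci_modify_ldif(dn, old_aci, new_aci):
    """LDIF for ldapmodify: delete the exact old aci value, then add the new one."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "delete: aci",
        "aci: " + old_aci,
        "-",
        "add: aci",
        "aci: " + new_aci,
        "-",
        "",
    ])


if __name__ == "__main__":
    new_aci = drop_right(OLD_ACI, "read")
    print(aci_modify_ldif(DEFAULT_SEARCH_BASE, OLD_ACI, new_aci))
```

Save the output as aci_change.ldif and apply it as cn=Directory Manager with ldapmodify -f aci_change.ldif. The delete must match the stored aci value exactly or the server rejects it with a "no such attribute" error, so copy the current value out of an ldapsearch of dc=example,dc=com for the aci attribute rather than retyping it. After the change the proxy user can still compare a password value but can no longer pull the stored hashes out of the directory, which matters because the proxy password sits in /var/ldap/ldap_client_cred on every client.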

 

 

Step 5: Configure “automount” to work with RedHat or Solaris Native LDAP Clients

 

Assumptions: one or more NFS Servers, e.g. nfs_server and nfs_server2, have exported /home directories.

 

First, at the LDAP Server, modify the LDAP object classes "automount" and "automountMap" in SUN ONE Console to add an optional attribute to each.

 

Open Directory Server, click "Configuration" tab, click "Schema", at "User Defined Object Classes":

Select "automount", click "Edit", add "cn" to "Allowed Attributes", click "OK".

Select "automountMap", click "Edit", add "ou" to "Allowed Attributes", click "OK"

 

Instead of using GUI SUN ONE Console, you may also use the following ldif file to achieve the same at command level:

 

# cat automount_schema_mods.ldif

dn: cn=schema

changetype: modify

objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY ( cn $ description ) X-ORIGIN 'user defined' )

 

dn: cn=schema

changetype: modify

objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST automountMapName MAY ( description $ ou ) X-ORIGIN 'user defined' )

 

# ldapadd -c -D "cn=Directory Manager" -f automount_schema_mods.ldif

 

Second, at the LDAP Server, create the automount maps for SUN ONE DS5.2. Below is a sample with two sets of maps: auto_* for the Solaris Native LDAP Client and auto.* for the RedHat LDAP Client.

 

# cat automount_sun1ds52.ldif

dn: automountMapName=auto_master,dc=example,dc=com

objectClass: top

objectClass: automountMap

automountMapName: auto_master

 

dn: automountkey=/home,automountMapName=auto_master,dc=example,dc=com

objectClass: top

objectClass: automount

automountKey: /home

automountInformation: auto_home -nobrowse

 

dn: automountkey=/-,automountMapName=auto_master,dc=example,dc=com

objectClass: top

objectClass: automount

automountKey: /-

automountInformation: auto_direct

 

dn: automountMapName=auto_home,dc=example,dc=com

objectClass: top

objectClass: automountMap

automountMapName: auto_home

 

dn: automountkey=*,automountMapName=auto_home,dc=example,dc=com

objectClass: top

objectClass: automount

automountKey: *

automountInformation: nfs_server:/home/&

 

dn: automountKey=/home2,automountMapName=auto_direct,dc=example,dc=com

objectClass: top

objectClass: automount

automountKey: /home2

automountInformation: nfs_server2:/home

 

dn: ou=auto.master,dc=example,dc=com

objectclass: top

objectclass: automountMap

automountmapname: auto.master

ou: auto.master

 

dn: cn=/home,ou=auto.master,dc=example,dc=com

objectclass: top

objectclass: automount

automountinformation: ldap:ou=auto.home,dc=example,dc=com

automountkey: /home

cn: /home

 

dn: ou=auto.home,dc=example,dc=com

objectclass: top

objectclass: automountMap

automountmapname: auto.home

ou: auto.home

 

dn: cn=/,ou=auto.home,dc=example,dc=com

objectclass: top

objectclass: automount

automountinformation: nfs_server:/home/&

automountkey: /

cn: /

 

And add it into the DIT.

 

# ldapadd -c -D "cn=Directory Manager" -f automount_sun1ds52.ldif

 

Third, at LDAP Server, create cn=tls_automount_profile under ou=profile,dc=example,dc=com

 

# cat tls_automount_profile.ldif

 

dn: cn=tls_automount_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: sub
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_automount_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
serviceSearchDescriptor: auto.master: nisMapName=auto.master,dc=example,dc=com?one
serviceSearchDescriptor: auto.home: nisMapName=auto.home,dc=example,dc=com?one
serviceSearchDescriptor: auto_master: automountMapName=auto_master,dc=example,dc=com?one
serviceSearchDescriptor: auto_home: automountMapName=auto_home,dc=example,dc=com?one
serviceSearchDescriptor: auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
objectclassMap: automount: automount=nisObject
objectclassMap: automount: automountMap=nisMap
attributeMap: automount: automountInformation=nisMapEntry
attributeMap: automount: automountKey=cn
attributeMap: automount: automountMapName=nisMapName

 

Note: either of the following lines is OK:

attributeMap: automount: automountMapName=nisMapName

OR

attributeMap: automount: automountMapName=ou

 

# ldapadd -c -D "cn=Directory Manager" -f tls_automount_profile.ldif

 

Fourth, at the Solaris Native LDAP Client ONLY, create the corresponding ldap_client_file (and ldap_client_cred if the proxy password differs), and restart ldap_cachemgr and nscd.

 

# cat ldap_client_file

NS_LDAP_FILE_VERSION= 2.0

NS_LDAP_SERVERS= ldap1.example.com ldap2.example.com

NS_LDAP_SEARCH_BASEDN= dc=example,dc=com

NS_LDAP_AUTH= tls:simple

NS_LDAP_SEARCH_REF= FALSE

NS_LDAP_SEARCH_SCOPE= sub

NS_LDAP_SEARCH_TIME= 30

NS_LDAP_CACHETTL= 43200

NS_LDAP_PROFILE= tls_automount_profile

NS_LDAP_CREDENTIAL_LEVEL= proxy

NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= auto.master: nisMapName=auto.master,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= auto.home: nisMapName=auto.home,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= auto_master: automountMapName=auto_master,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= auto_home: automountMapName=auto_home,dc=example,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= auto_direct: automountMapName=auto_direct,dc=example,dc=com?one

NS_LDAP_BIND_TIME= 10

NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=nisMapName

NS_LDAP_ATTRIBUTEMAP= automount: automountKey=cn

NS_LDAP_ATTRIBUTEMAP= automount: automountInformation=nisMapEntry

NS_LDAP_OBJECTCLASSMAP= automount: automountMap=nisMap

NS_LDAP_OBJECTCLASSMAP= automount: automount=nisObject

 

Note: either of the following lines is OK:

NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=nisMapName

OR

NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=ou

 

# /etc/init.d/ldap.client stop     (For Solaris only)

# /etc/init.d/ldap.client start    (For Solaris only)

Make sure that /etc/nsswitch.conf contains "automount: files ldap" (optional if it is "automount: files" and the local /etc/auto_xxx files contain +auto_xxx directives).

# /etc/init.d/nscd stop

# /etc/init.d/nscd start

 

To verify:

# ldaplist -l auto_master; ldaplist -l auto_home; ldaplist -l auto_direct     (For Solaris only)

# ldaplist -l auto.master; ldaplist -l auto.home                             (For Solaris only)

# ldapsearch -x -LLL -ZZ "objectclass=automountMap"                          (For RedHat)

 

Fifth, create /etc/auto_master, /etc/auto_home and /etc/auto_direct for Solaris, create /etc/auto.master and /etc/auto.home for RedHat and restart autofs/automountd.

 

IMPORTANT NOTE 1: RedHat autofs/automountd has bug, please download and install the latest autofs rpm from Fedora Core3 download site: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/autofs-4.1.3-114.i386.rpm

 

IMPORTANT NOTE 2: For RedHat autofs/automountd to work, ensure that $ETC_OPENLDAP/ldap.conf (usually /etc/openldap/ldap.conf) contains "host" and "base" statements for automountd to read; note that RedHat automountd does not read /etc/ldap.conf.

 

Sample contents for Solaris Native LDAP Client:

 

# cat /etc/auto_master

# Master map for automounter

#

+auto_master

/net      -hosts               -nosuid,nobrowse

/home  auto_home      -nobrowse

/xfn      -xfn

/-          auto_direct

 

# cat /etc/auto_home

# Home directory map for automounter

#

+auto_home

 

# cat /etc/auto_direct

+auto_direct

 

Sample contents for RedHat LDAP Client, note that RedHat does not have auto.direct.

 

# cat /etc/auto.master

+auto.master

 

# cat /etc/auto.home

+auto.home

 

# /etc/init.d/autofs stop

# /etc/init.d/autofs start

 

Sixth, test autofs/automount by logging in as "uid"; check "df -k" to see if /home/uid is mounted, then do a "cd /home/uid2" and check again.

 

$ pwd

/home/uid

$ df -k

Filesystem            kbytes    used   avail capacity  Mounted on

nfs_server:/home/uid

                     355069743 160782087 190736959    46%    /home/uid

nfs_server2:/home

                     …                                                        28%    /home2

$ cd /home/uid2

$ df -k

 

Step 6: Configure “netgroup” to work with RedHat or Solaris Native LDAP Clients

 

(i.e. controlling user access to host using netgroup LDAP maps)

 

Pre-requisites:

. For Solaris8/9, latest kernel and LDAP Patch 108993 (Solaris8) or 112960 (Solaris9) must be applied

. For RedHat, RHFC3 or RHEL4 clients are recommended

. The "shadowAccount" objectClass must be defined for People entries in the LDAP DIT, on top of "posixAccount"

. Make sure the ACI change from Tips 2 above (How could we prevent "userPassword" from being listed by "ldaplist -l" or "ldapaddent -d"?), which denies the proxyAgent "read" access to userPassword, is in place.

 

At the RedHat or Solaris LDAP Client, edit /etc/nsswitch.conf and change the following lines.

 

From:

passwd: files ldap
netgroup: files

 

To:

passwd: compat

passwd_compat: ldap
netgroup: ldap

 

Restart nscd.

# /etc/init.d/nscd stop

# /etc/init.d/nscd start

 

Add the following sample lines to the end of /etc/passwd; note that there are SIX colons (6 ':'s) and only the first two enclose an 'x' character.

 

+@netgroup1:x:::::

+@netgroup2:x:::::

 

IMPORTANT NOTE: DO NOT RUN "pwconv" as root. It would rewrite the +@netgroupX lines at the end of /etc/shadow to something like the lines below, with an 'x' in the 2nd field and a 5-digit number (days since the epoch) in the 3rd field, and this WILL BREAK the DS5.2 password policy feature "User must change password after a reset", i.e. it WON'T WORK for any user who is a member of these netgroups:

 

+@netgroup1:x:13091::::::

+@netgroup2:x:13091::::::

 

Add the CORRESPONDING lines to the end of /etc/shadow; note that there are EIGHT colons (8 ':'s) with nothing between them:

 

+@netgroup1::::::::

+@netgroup2::::::::

 

At the LDAP Server, add these netgroup entries. Assuming these People entries (gtay, tuser, tuser2) already exist, assuming ou=netgroup already exists.

 

# cat netgroup.ldif
dn: cn=netgroup1,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup1
nisNetgroupTriple: (,gtay,)
nisNetgroupTriple: (,tuser,)

dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,tuser2,)

 

# ldapadd -c -D "cn=Directory Manager" -W -f netgroup.ldif

 

For advanced netgroup usage, see the following examples:

 

# nisNetgroupTriple Examples: (host,user,domain)
# jdoe is in the appusers netgroup for all servers, all domains.
# scarter is in the appusers netgroup only on the server mars.
# all users are in the appusers netgroup on the server pluto.
dn: cn=appusers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
nisNetgroupTriple: (,jdoe,)
nisNetgroupTriple: (mars,scarter,)
nisNetgroupTriple: (pluto,,)
cn: appusers

 

dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
memberNisNetgroup: appusers
memberNisNetgroup: unixadmin
memberNisNetgroup: security
memberNisNetgroup: architecture
cn: prod_appservers
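To check how the triples above will be interpreted before the LDIF goes into the DIT, the following Python is an added example (not from the original document, nor a Solaris or RedHat tool). It resolves nisNetgroupTriple membership with the (host,user,domain) wildcard rules, follows memberNisNetgroup recursively, and also builds and checks the /etc/passwd and /etc/shadow compat lines from this step. The netgroup data is a constructed in-memory copy of the entries above: unixadmin is given one constructed member because the page references it without defining it, and security and architecture are left undefined on purpose to show that an unknown nested group grants nothing.

```python
import re

TRIPLE_RE = re.compile(r"^\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)$")

# Constructed copy of the netgroup entries above (unixadmin membership is assumed).
NETGROUPS = {
    "netgroup1": {"triples": ["(,gtay,)", "(,tuser,)"], "members": []},
    "netgroup2": {"triples": ["(,tuser2,)"], "members": []},
    "appusers": {"triples": ["(,jdoe,)", "(mars,scarter,)", "(pluto,,)"], "members": []},
    "unixadmin": {"triples": ["(,gtay,)"], "members": []},
    "prod_appservers": {"triples": [],
                        "members": ["appusers", "unixadmin", "security", "architecture"]},
}


def parse_triple(triple):
    """Split '(host,user,domain)'; an empty field means 'any' and is returned as None."""
    m = TRIPLE_RE.match(triple.strip())
    if not m:
        raise ValueError("bad nisNetgroupTriple: %r" % triple)
    return tuple(field or None for field in m.groups())


def _matches(pattern, value):
    if pattern is None:          # empty field: wildcard
        return True
    if pattern == "-":           # "-" never matches (NIS convention)
        return False
    return pattern == value


def in_netgroup(name, user, host=None, domain=None, netgroups=NETGROUPS, _seen=None):
    """True if (host,user,domain) is covered by netgroup `name`, following
    memberNisNetgroup recursively; unknown groups grant nothing and cycles are cut."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:
        return False
    _seen.add(name)
    group = netgroups[name]
    for triple in group["triples"]:
        h, u, d = parse_triple(triple)
        if _matches(h, host) and _matches(u, user) and _matches(d, domain):
            return True
    return any(in_netgroup(m, user, host, domain, netgroups, _seen)
               for m in group["members"])


def login_allowed(user, host, compat_groups=("netgroup1", "netgroup2"), netgroups=NETGROUPS):
    """Emulate the +@netgroup lines in /etc/passwd: a user resolves only via a listed group."""
    return any(in_netgroup(g, user, host, netgroups=netgroups) for g in compat_groups)


def compat_passwd_line(name):
    """The /etc/passwd line for 'passwd: compat': six colons, 'x' in the 2nd field."""
    return "+@%s:x:::::" % name


def compat_shadow_line(name):
    """The matching /etc/shadow line: eight colons and nothing else."""
    return "+@%s::::::::" % name


def pwconv_damaged(shadow_line):
    """Detect the form pwconv writes ('+@name:x:13091::::::'), which the note
    above warns breaks the DS5.2 'must change password after reset' policy."""
    fields = shadow_line.rstrip("\n").split(":")
    return fields[0].startswith("+@") and any(fields[1:3])


if __name__ == "__main__":
    for user, host in (("tuser", "host1"), ("test", "host1"), ("scarter", "mars")):
        print(user, host, "login:", login_allowed(user, host),
              "prod_appservers:", in_netgroup("prod_appservers", user, host))
```

The host field only takes effect when the client passes its own host name into the lookup, which is what the compat +@netgroup lines do; a user listed with an empty host field is admitted on every client that lists the group.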

 

At the LDAP Client, login as "root" and test the following commands:

 

# getent passwd tuser

# id tuser

# su - tuser

 

The above commands should all work for users in netgroup1 and netgroup2, but not for others.

 

Assume "test" is a user account that exists in LDAP (as shown by the ldaplist command) but does not belong to either netgroup1 or netgroup2.

 

# ldaplist -l passwd test

something

# getent passwd test

nothing

# id test; su - test

 

Solaris will say:

id: invalid user name: "userid"
su: unknown id: userid

 

RedHat will say:

id: userid: No such user
su: user userid does not exist

 

Now try logging in using user accounts in netgroup1 or netgroup2, e.g. "tuser" or "tuser2"; they should all succeed, while others will always fail. Of course "root" is not affected by the netgroup host access feature, as it is defined locally in /etc/passwd.

 

# ssh -v tuser@localhost

 

Congratulation!!! You have managed to use netgroup LDAP maps to control user access to host.

 

Step 7: Configure “sudo” to use LDAP maps for centralized management

 

Login as “root” at the LDAP Server.

 

# cd /var/Sun/mps/slapd-`hostname`/config/schema

Prepare 99sudo.ldif

 

# vi 99sudo.ldif
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )

(The above is taken from README.LDAP in the sudo source; note that there must be no blank line between the lines.)

Restart DS5.2 to load the schema.

In SUN ONE Console, or using an LDAP GUI editor such as JXplorer or LDAP Browser/Editor, edit the client profile(s) to add a Service Search Descriptor (SSD) for "sudoers":

serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com

Login as “root” at the LDAP Client.

For BOTH the Solaris8/9 Native LDAP Client and the RedHat OpenLDAP+PADL LDAP Client:

Use gcc 3.2.1 or later to compile the sudo source code with BOTH LDAP and PAM support. Note that the "sudo" RPM provided by RedHat does not have LDAP support compiled in; this is easily verified by the fact that "ldd `which sudo`" will not show "libldap-2.2.so.7".

 

# ldd `which sudo`

To compile and build sudo:
# cd /var/tmp
# tar xvf sudo-1.6.8p9.tar
# cd /var/tmp/sudo-1.6.8p9

# ./configure --with-ldap=/usr --with-pam
(For SUN Solaris Native LDAP Client or RedHat OpenLDAP+PADL LDAP Client where LDAP library directory prefix is /usr/lib)

OR
# ./configure --with-ldap=/usr/local --with-pam
(For OpenLDAP+PADL LDAP Client or any Linux/UNIX LDAP Client built from source where LDAP library directory prefix is /usr/local/lib)

# make clean
# make

 

If there are already sudoers configuration files from a previous version, back them up.

# mv /etc/sudoers /etc/sudoers.orig

For RedHat:

# mv /etc/pam.d/sudo /etc/pam.d/sudo.orig

# mv /usr/bin/sudo /usr/bin/sudo.orig

# make install

For RedHat:

# cp sample.pam /etc/pam.d/sudo

 

For BOTH RedHat and Solaris

# ln -s /usr/local/bin/sudo /usr/bin/sudo


# sudo -V | head
Sudo version 1.6.8p9

Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo

Prepare sample sudoers.ldif using:

Method 1) sudoers2ldif.sh, which calls the sudoers2ldif tool provided by the sudo build (it is in the build directory; copy it to /usr/bin or any shared area on $PATH) to convert the existing /etc/sudoers.

Content of sudoers2ldif.sh:


#! /bin/sh
# Convert a sudoers file to LDIF with the sudoers2ldif tool from the sudo build.
# Optional argument: the sudoers file to convert (default /etc/sudoers).
SUDOERS_BASE=ou=sudoers,dc=example,dc=com
export SUDOERS_BASE
INPUT_FILE=${1:-/etc/sudoers}
sudoers2ldif "$INPUT_FILE"

Below is the content of the text file /etc/sudoers.orig and its conversion to LDIF; this example yields no sudoRole entries beyond the defaults and root entries.

# cat /etc/sudoers.orig
root ALL=(ALL) ALL

# sudoers2ldif.sh /etc/sudoers.orig
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here


dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand:  ALL

Method 2) By hand using vi, the example here shows some sample sudoRole entries.

# vi sudoers.ldif
dn: ou=sudoers,dc=example,dc=com
objectclass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: logfile=/var/log/sudolog

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

# Everyone can "su - tuser" without giving password
dn: cn=su_tuser_wo_pw,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: su_tuser_wo_pw
sudoUser: ALL
sudoHost: ALL
sudoCommand: /bin/su - tuser
sudoOption: !authenticate

# tuser2 can reboot host1 server as default RunAs is "root"
dn: cn=tuser2_can_reboot_host1,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: tuser2_can_reboot_host1
sudoUser: tuser2
sudoHost: host1
sudoCommand: /usr/sbin/shutdown -y -g0 -i6
sudoOption:
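Before populating the server it is worth checking the LDIF for the mistakes that only show up later, as a role that never matches or an entry that ldapadd rejects. The audit script below is an added example, not part of this document or of the sudo distribution; it assumes the sudoRole attribute names used above (sudoUser, sudoHost, sudoCommand, sudoOption) and the entries embedded in it are constructed to mirror the sudoers.ldif above, including an empty sudoOption value and a role that everybody may run without a password.

```shell
#!/bin/sh
# Added example (not from the original document or the sudo project): audit a
# sudoers LDIF before loading it with ldapadd.  For every sudoRole entry it
# reports
#   - a missing sudoUser, sudoHost or sudoCommand (the role can never match),
#   - an attribute given with an empty value (schema checking rejects it), and
#   - "sudoUser: ALL" combined with "sudoOption: !authenticate", i.e. a command
#     everybody may run without a password, which deserves a second look.
# The cn=defaults entry is exempt from the missing-attribute checks.
# Usage: audit_sudoers_ldif < file.ldif   (exit 0 = no findings, 1 = findings)
audit_sudoers_ldif() {
    awk '
    function flush() {
        if (dn != "" && role && cnv != "defaults") {
            if (!has_user) { print "MISSING sudoUser: " dn; bad++ }
            if (!has_host) { print "MISSING sudoHost: " dn; bad++ }
            if (!has_cmd)  { print "MISSING sudoCommand: " dn; bad++ }
            if (all_users && no_auth) { print "RISK everyone without password: " dn; bad++ }
        }
        dn = ""; cnv = ""; role = 0
        has_user = has_host = has_cmd = all_users = no_auth = 0
    }
    /^#/       { next }                      # LDIF comment
    /^ /       { next }                      # continuation line, not audited
    /^[ \t]*$/ { flush(); next }             # blank line closes the entry
    /^dn:/     { flush(); dn = $0; sub(/^dn:[ \t]*/, "", dn); next }
    {
        colon = index($0, ":")
        if (colon == 0) { print "MALFORMED line " NR ": " $0; bad++; next }
        attr = substr($0, 1, colon - 1)
        val  = substr($0, colon + 1)
        sub(/^[ \t]+/, "", val)
        if (val == "") { print "EMPTY value for " attr " in " dn; bad++; next }
        if (tolower(attr) == "objectclass" && tolower(val) == "sudorole") role = 1
        if (attr == "cn")          cnv = val
        if (attr == "sudoUser")    { has_user = 1; if (val == "ALL") all_users = 1 }
        if (attr == "sudoHost")    has_host = 1
        if (attr == "sudoCommand") has_cmd = 1
        if (attr == "sudoOption" && val == "!authenticate") no_auth = 1
    }
    END { flush(); exit (bad > 0) }
    '
}

# Constructed sample in the shape of the sudoers.ldif above: a clean root
# role, an everyone/no-password role, and an entry with an empty sudoOption
# and no sudoHost.
SAMPLE_LDIF='dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: logfile=/var/log/sudolog

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

dn: cn=su_tuser_wo_pw,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: su_tuser_wo_pw
sudoUser: ALL
sudoHost: ALL
sudoCommand: /bin/su - tuser
sudoOption: !authenticate

dn: cn=tuser2_can_reboot_host1,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: tuser2_can_reboot_host1
sudoUser: tuser2
sudoCommand: /usr/sbin/shutdown -y -g0 -i6
sudoOption:'

# Stand-alone run over the constructed sample; findings go to stdout.
if printf '%s\n' "$SAMPLE_LDIF" | audit_sudoers_ldif; then
    echo "no findings; safe to ldapadd"
else
    echo "fix the findings above before running ldapadd"
fi
```

Run it as `audit_sudoers_ldif < sudoers.ldif` on the real file; a non-zero exit status means at least one finding was printed. The everyone/no-password rule is reported as a risk rather than an error because the su_tuser_wo_pw role above is exactly that by design; the check simply makes sure such a grant is deliberate.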

Populate LDAP Server.

Against an OpenLDAP server (-x for a simple bind, -W to prompt for the password):
# ldapadd -x -W -c -D "cn=Manager,dc=example,dc=com" -f sudoers.ldif

Against the SUN ONE DS5.2 server:
# ldapadd -c -D "cn=Directory Manager" -f sudoers.ldif

For the Solaris Native LDAP Client, prepare an /etc/ldap.conf (mode 644 is OK as it holds no sensitive information) containing the following THREE lines; for RedHat, only the LAST line needs to be added, as the FIRST TWO are most likely already present.

host ldap1.example.com
base dc=example,dc=com
sudoers_base ou=sudoers,dc=example,dc=com

For Solaris Native LDAP Client, edit /var/ldap/ldap_client_file to add:

NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,dc=example,dc=com

Don’t forget to add ADDITIONAL SSD (Service Search Descriptor) for sudoers LDAP maps lookup in LDAP DIT, using SUN ONE DS5.2 Administration Console.


Restart ldap_cachemgr (/etc/init.d/ldap.client) and the name service cache daemon (/etc/init.d/nscd).

(Note that README.LDAP says the "sudoers: files ldap" line in /etc/nsswitch.conf is RESERVED but NOT YET implemented, so this line is optional.)

Try the following commands to verify LDAP query OK.

For Solaris:
# ldaplist -l sudoers
# ldaplist -l sudoers root
# ldaplist -l sudoers su_tuser_wo_pw

For RedHat:

# ldapsearch -x -LLL objectclass=sudoRole

Note that “getent sudoers root” won't work but that does not matter.

Make sure there is an /etc/pam.d/sudo; if there isn't, copy sample.pam from the sudo source build to it. The difference between sample.pam and the original /etc/pam.d/sudo is most likely only additional commented lines.

To REALLY TEST whether sudo+LDAP is working you MUST have EITHER an EMPTY /etc/sudoers OR the ORIGINAL /etc/sudoers, which effectively contains only the ONE DEFAULT LINE “root ALL=(ALL) ALL”; otherwise a local rule could grant the very access you are trying to test through LDAP.



Now try to login as "gtay" and try both "su - tuser" and "sudo su - tuser"
$ su - tuser
Password:
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
$ id
uid=9999(tuser) gid=102(Users)
$ exit

$ sudo -l
$ sudo su - tuser (No password required)
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
$ id
uid=9999(tuser) gid=102(Users)

Now try to login as "tuser2" and try to reboot the server
$ id
uid=9998(tuser2) gid=102(Users)
$ /usr/sbin/shutdown -y -g0 -i6

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:
Shutdown started. Fri May 20 15:23:20 SGT 2005

Changing to init state 6 - please wait
Broadcast Message from root (pts/3) on host1 Fri May 20 15:23:20...
THE SYSTEM sins001u5 IS BEING SHUT DOWN NOW ! ! !
Log off now or risk your files being damaged

Congratulations! You have successfully set up sudo+LDAP.

IMPORTANT NOTES:

1) If /etc/sudoers is absent, "sudo -l" complains and does not retrieve the sudo LDAP maps:
sudo: can't stat /etc/sudoers: No such file or directory

2) "sudo -L" shows one option related to LDAP

ignore_local_sudoers: If LDAP directory is up, do we ignore local sudoers file
...

3) Don't forget to set LDAP Object Access permission to all objects under ou=sudoers,dc=example,dc=com using ACI in SUN ONE DS5.2 or ACL in OpenLDAP
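The notes above, together with the /etc/ldap.conf and ldd checks earlier in this step, can be turned into a repeatable post-install check. The script below is an added example, not part of this document or of the sudo project; it assumes the README.LDAP key names host, base and sudoers_base, the /var/ldap/ldap_client_file line shown above, and, for the stand-alone run, the default file locations, which the SUDO_BIN, LDAP_CONF, SUDOERS and CLIENT_FILE environment variables (names chosen for this example) can override.

```shell
#!/bin/sh
# Added example (not from the original document): post-install sanity checks
# for a sudo+LDAP client, covering the points this step depends on.  Each
# check reads a file or stdin, so it can be run against copies or test inputs.

# 1) sudo must be linked against an LDAP library.  Feed it the output of
#    "ldd `which sudo`" on stdin; returns 0 when a libldap line is present.
sudo_has_ldap() {
    grep -q 'libldap'
}

# 2) /etc/ldap.conf must carry host, base and sudoers_base (the three lines
#    README.LDAP asks for).  Prints each missing key; returns 1 if any is missing.
ldap_conf_missing_keys() {
    missing=0
    for key in host base sudoers_base; do
        # the key at the start of a line, followed by whitespace (comments excluded)
        if ! grep -q "^${key}[[:space:]]" "$1" 2>/dev/null; then
            echo "ldap.conf: missing '$key'"
            missing=1
        fi
    done
    return $missing
}

# 3) /etc/sudoers must exist ("sudo -l" will not consult LDAP without it) and,
#    while testing, hold nothing but the stock "root ALL=(ALL) ALL" line so a
#    local rule cannot grant what you are trying to test through LDAP.
#    Returns 0 = ok, 1 = file missing, 2 = extra local rules present.
local_sudoers_state() {
    [ -f "$1" ] || { echo "sudoers: $1 missing"; return 1; }
    extra=$(awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                   # comments, blank lines
        /^root[ \t]+ALL=\(ALL\)[ \t]+ALL[ \t]*$/ { next }   # the stock default line
        { n++ }
        END { print n + 0 }' "$1")
    if [ "$extra" -eq 0 ]; then
        echo "sudoers: only the default root line present"
        return 0
    fi
    echo "sudoers: $extra local rule(s) beyond the default; they may mask LDAP results"
    return 2
}

# 4) Solaris native client only: the cached profile must carry the sudoers SSD.
solaris_sudoers_ssd_present() {
    grep -q '^NS_LDAP_SERVICE_SEARCH_DESC=[[:space:]]*sudoers:' "$1" 2>/dev/null
}

# Stand-alone run against this host; override the paths in the environment
# to point the checks at other files.
SUDO_BIN=${SUDO_BIN:-$(command -v sudo 2>/dev/null || true)}
LDAP_CONF=${LDAP_CONF:-/etc/ldap.conf}
SUDOERS=${SUDOERS:-/etc/sudoers}
CLIENT_FILE=${CLIENT_FILE:-/var/ldap/ldap_client_file}

if [ -n "$SUDO_BIN" ] && ldd "$SUDO_BIN" 2>/dev/null | sudo_has_ldap; then
    echo "sudo: $SUDO_BIN is linked against libldap"
else
    echo "sudo: no libldap in ldd output (rebuild with --with-ldap)"
fi
if ldap_conf_missing_keys "$LDAP_CONF"; then
    echo "ldap.conf: host, base and sudoers_base present"
fi
local_sudoers_state "$SUDOERS" || :
if [ -f "$CLIENT_FILE" ]; then
    if solaris_sudoers_ssd_present "$CLIENT_FILE"; then
        echo "ldap_client_file: sudoers SSD present"
    else
        echo "ldap_client_file: sudoers SSD missing (add NS_LDAP_SERVICE_SEARCH_DESC)"
    fi
fi
```

Run it once after "make install" and again after editing /etc/ldap.conf; a "sudoers: N local rule(s)" line is the usual reason an LDAP role appears to work when in fact a leftover local rule granted it.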

Step 8: Configure “Apache” to use LDAP Authentication

The auth_ldap module built into Apache 2 is “experimental” and may not be stable; you may use instead:

Apache 1.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
Apache 2.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html

Apache must be built with .so (shared object) support and SSL support if StartTLS is used.

To configure Apache2 with shared object and SSL support:

./configure --enable-so --enable-ssl --with-ssl-dir=/usr/local/ssl

(Refer to the URL above for Apache 1.X syntax)


IMPORTANT NOTE: DO NOT add --enable-ldap or --enable-auth-ldap or --with-ldap to the above; they are for the "experimental" ldap module support built into Apache 2.x, and they DID NOT work for me, not sure of the experience of others.

To configure “mod_auth_ldap” from muquit.com:

# OpenLDAP
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr/local

# iPlanet LDAP
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr


After that, modify httpd.conf and add the following lines for testing purposes only (the alias publishes the contents of /var/log/ to every user who can authenticate against the directory, so remove it once the LDAP authentication test is done):

LoadModule auth_ldap_module modules/mod_auth_ldap.so

Alias /syslog "/var/log/"

<Directory "/var/log/">
Options Indexes FollowSymLinks MultiViews IncludesNoExec ExecCGI
AddOutputFilter Includes html
AllowOverride All
Order allow,deny
Allow from all
</Directory>

<Location /syslog>
AuthType Basic
AuthName "syslog"
require valid-user
#LDAP_Debug On
#LDAP_StartTLS On
LDAP_Server ldap1.example.com
# Add SLAVE LDAP Server for failover
LDAP_Server ldap2.example.com
LDAP_Port 389
Base_DN dc=example,dc=com
UID_Attr uid
</Location>

Restart httpd, and test this URL:

http://apache.example.com/syslog/

Appendix:

Appendix 1: Content of chk_patches_sjes_ds52.sh:

#! /bin/sh
#
# chk_patches_sjes_ds52.sh
#
# Gary Tay, 1-Apr-2005 written
#
# Pls customize the patches you are checking in the case statement below,
# use blank to separate multiple patch ids, eg: 5.9) PATCH_IDS="112345 113456" ;;
#
# Pls refer to:
# http://docs.sun.com/source/817-7611/index.html#wp33336
#
#114677-08 SunOS 5.9: International Components for Unicode Patch
#117724-10 SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0
#115342-01 SunOS 5.9: Simple Authentication and Security Layer (2.01)
#115610-18 SunOS 5.9_sparc: Administration Server 5.2 patch
#115614-20 SunOS 5.9: Directory Server 5.2 patch
#117015-16 Patch for localized Solaris packages
#116837-02 LDAP CSDK - SUNWldk, SUNWldkx
#
# Solaris 8: (DS 5.2 Patch3 for the package version)
#115610 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (Adminserv)
#115614 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (DS)
#117722 SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0...
#118615 LDAP Java Development Kit 4.17 SunOS 5.8 5.9 _x86: genesis patch
#
# Solaris 8: LDAP-Client
#108993 LDAP-Client for Solaris 8 (phase II)
#108808 LDAP-Client for Solaris 8 (man-pages)
#
# And at your choice for JES 114045

SOLARIS_VER=`uname -r`
# Patch list per Solaris release, selected in place (no temporary file in /tmp).
case "$SOLARIS_VER" in
   5.8) PATCH_IDS="108993 115610 115614 117722 118615 108808 114045" ;;
   5.9) PATCH_IDS="114677 117724 115342 115610 115614 117015 116837" ;;
   *)   echo "No patch list defined for SunOS $SOLARIS_VER" >&2; exit 1 ;;
esac
for i in $PATCH_IDS
do
   # showrev -p lists "Patch: <id>-<rev> ..."; any revision counts as installed
   RESULT=`showrev -p | grep "^Patch: $i-"`
   [ -n "$RESULT" ] && echo "$RESULT"
   [ -z "$RESULT" ] && echo "PATCH $i not found..."
done


Example of running chk_patches_sjes_ds52.sh:

# ./chk_patches_sjes_ds52.sh
Patch: 114677-08 Obsoletes: Requires: Incompatibles: Packages: SUNWicu, SUNWicux
Patch: 117724-10 Obsoletes: 115926-10 Requires: Incompatibles: Packages: SUNWtls, SUNWtlsx, SUNWpr, SUNWjss, SUNWprx
Patch: 115342-01 Obsoletes: Requires: Incompatibles: Packages: SUNWsasl, SUNWsaslx
Patch: 115610-17 Obsoletes: Requires: Incompatibles: Packages: SUNWasvc, SUNWasvu, SUNWasvr, SUNWasvcp
Patch: 115614-19 Obsoletes: 117907-02 Requires: 115610-17 Incompatibles: Packages: SUNWdsvr, SUNWdsvcp, SUNWdsvh, SUNWdsvhx, SUNWdsvu, SUNWdsvx, SUNWdsvpl

PATCH 117015 not found...
Patch: 116837-02 Obsoletes: Requires: Incompatibles: Packages: SUNWldk
Appendix 2: Troubleshooting LDAP Search issue in access log

(From Fedora Directory Server mail list archive)

Look in the access log on the FDS server for connections from that workstation (grep on the IP of that workstation, or one of the user id's that are trying to auth, etc). When you find it, grep out conn=xxx (where xxx is the connection # from that IP) so you get the complete connection from start to finish.

- Look at the BIND lines to see what that workstation is binding as.
- Look at the SRCH lines, to see what basedn and filter is being used.
- Look at the result line (right after the SRCH line) to see what the results are (though you'll probably just see err=32, which is no such object). If there are multiple SRCH lines, check each one.
- Check the ACI's set on your suffix - in console, click on the Directory tab then right click on the top entry in your tree, and select "set permissions" (something like that - doing this from memory). Make sure the appropriate access is set.

You may have to look throughout your tree for aci's to be sure you find everything.
(ldapsearch -D cn=directory manager -w - ... -b "your basedn" "(aci=*)" "aci" to find 'em all.)
 
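The triage steps in the post above can be scripted. The following is an added example, not part of the mailing-list post or of this document; it assumes the conn=/op=/BIND/SRCH/RESULT line layout of Sun ONE and Fedora Directory Server access logs, and the log lines it runs over are constructed for the example (a proxy-agent bind from 192.168.1.50 whose sudoers search fails with err=32, and an anonymous bind from 192.168.1.77).

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the original document):
# the triage steps above applied with awk to a Directory Server access log.
# Assumes the conn=/op=/BIND/SRCH/RESULT line layout of Sun ONE / Fedora DS
# access logs; the log lines below are constructed for this example.

# Print every line belonging to connections opened from client IP $1.
conn_lines_for_ip() {   # usage: conn_lines_for_ip IP < access
    awk -v ip="$1" '
        index($0, "connection from " ip " to ") {
            # remember the conn=N token of every connection from that IP
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) want[$i] = 1
        }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^conn=/ && ($i in want)) { print; break }
        }'
}

# Summarise the selected lines: who each connection bound as, and every
# search with its result code (err=32 and err=50 get the usual hint).
summarise_conn() {      # usage: summarise_conn < conn_lines
    awk '
        / BIND / {
            key = $0; sub(/.*\] /, "", key); sub(/ BIND.*/, "", key)      # conn=N op=M
            dn = $0;  sub(/.*BIND dn=/, "", dn); sub(/ method=.*/, "", dn)
            print key ": BIND as " (dn == "\"\"" ? "anonymous" : dn)
        }
        / SRCH / {
            key = $0;  sub(/.*\] /, "", key);      sub(/ SRCH.*/, "", key)
            base = $0; sub(/.*base=/, "", base);   sub(/ scope=.*/, "", base)
            filt = $0; sub(/.*filter=/, "", filt); sub(/ attrs=.*/, "", filt)
            srch[key] = "SRCH base=" base " filter=" filt
        }
        / RESULT / {
            key = $0; sub(/.*\] /, "", key); sub(/ RESULT.*/, "", key)
            if (key in srch) {
                err = $0; sub(/.*err=/, "", err); sub(/ .*/, "", err)
                hint = ""
                if (err == 32) hint = " (no such object: check the search base / SSD)"
                if (err == 50) hint = " (insufficient access: check the ACIs)"
                print key ": " srch[key] " -> err=" err hint
                delete srch[key]
            }
        }'
}

# Constructed access-log excerpt (not a real capture).
SAMPLE_ACCESS_LOG='[20/May/2005:15:23:20 +0800] conn=42 fd=65 slot=65 connection from 192.168.1.50 to 192.168.1.168
[20/May/2005:15:23:20 +0800] conn=42 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=com" method=128 version=3
[20/May/2005:15:23:20 +0800] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=com"
[20/May/2005:15:23:21 +0800] conn=43 fd=66 slot=66 connection from 192.168.1.77 to 192.168.1.168
[20/May/2005:15:23:21 +0800] conn=42 op=1 SRCH base="ou=sudoers,dc=example,dc=com" scope=2 filter="(&(objectClass=sudoRole)(cn=defaults))" attrs=ALL
[20/May/2005:15:23:21 +0800] conn=42 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[20/May/2005:15:23:21 +0800] conn=43 op=0 BIND dn="" method=128 version=3
[20/May/2005:15:23:21 +0800] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[20/May/2005:15:23:22 +0800] conn=42 op=2 UNBIND
[20/May/2005:15:23:22 +0800] conn=42 op=2 fd=65 closed - U1'

# Stand-alone run: triage the workstation 192.168.1.50 in the constructed log.
# On a real server feed the instance access log instead of the printf.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | conn_lines_for_ip 192.168.1.50 | summarise_conn
```

On a server, `conn_lines_for_ip 192.168.1.50 < logs/access | summarise_conn` gives the same two-line answer the post asks you to assemble by hand: the bind DN tells you which identity the ACIs are evaluated for, and err=32 on the sudoers base points at a missing SSD or a wrong sudoers_base rather than at permissions.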

Appendix 3: Troubleshooting “Unable to log into Directory Console” due to the admin-serv-`hostname` password expiring out of the blue.

Pls refer to:
http://swforum.sun.com/jive/thread.jspa?threadID=48144&tstart=0


Appendix 4: Troubleshooting “pam_ldap” using debugging mode

Pls refer to:
http://forum.sun.com/jive/thread.jspa?threadID=53455&messageID=209557

Pls read useful info w.r.t. pam_unix and pam_ldap at:
http://www.informit.com/articles/article.asp?p=30339&seqNum=3&rl=1

One of the benefits of using pam_ldap is that it does not require passwords to be stored in any specific format, so you can store them using the SSHA, SHA or CRYPT formats.

Content of cr_proxyAgent_pw_in_NS1_format.sh (Solaris8 specific ldap_gen_profile command):

# cat cr_proxyAgent_pw_in_NS1_format.sh

/usr/sbin/ldap_gen_profile -P testprofile -b "dc=example,dc=com" \
   -D "cn=proxyAgent,ou=profiLe,dc=example,dc=com" -w password \
   192.168.1.168

# ./cr_proxyAgent_pw_in_NS1_format.sh
dn: cn=testprofile,ou=profile,dc=example,dc=com
        SolarisBindDN: cn=proxyAgent,ou=profiLe,dc=example,dc=com
        SolarisBindPassword: {NS1}ecfa88f3a945c411
        SolarisLDAPServers: 192.168.1.168
        SolarisSearchBaseDN: dc=example,dc=com
        SolarisAuthMethod: NS_LDAP_AUTH_NONE
        SolarisTransportSecurity: NS_LDAP_SEC_NONE
        SolarisSearchReferral: NS_LDAP_FOLLOWREF
        SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
        SolarisSearchTimeLimit: 30
        SolarisCacheTTL: 43200
        cn: testprofile
        SolarisBindTimeLimit: 30
        ObjectClass: top
        ObjectClass: SolarisNamingProfile

--- End-of-Doc ---