This chapter describes how to configure Sun Java System Directory Server (formerly Sun ONE Directory Server) to support a network of Solaris LDAP naming services clients. The information is specific to the Sun Java System Directory Server. For information about installing and configuring the directory server, see the Sun Java System Directory Server documentation, that is included with the Sun Java Enterprise System.You must have already performed all the procedures described in the installation and configuration documentation that shipped with your Sun Java System Directory Server before you can configure Sun Java System Directory Server to work with Solaris LDAP clients. A directory server (an LDAP server) cannot be its own client. This chapter covers the following topics.Configuring Sun Java System Directory Server Using idsconfig Using Service Search Descriptors to Modify Client Access to Various Services Running idsconfig Populating the Directory Server Using ldapaddent Managing Printer Entries Populating the Directory Server With Additional Profiles Configuring the Directory Server to Enable Account Management Migrating Your Sun Java System Directory Server Sun Java System Directory Serversetup using idsconfigDuring the server installation process, you will have defined crucial variables, with which you should create a checklist similar to the one below before launching idsconfig. You can use the blank checklist provided in Blank Checklists.The information included below will serve as the basis for all examples that follow in the LDAP related chapters. The example domain is of an widget company, Example, Inc. with stores nationwide. The examples will deal with the West Coast Division, with the domain west.example.com Variable Definition for Example Network Port number at which an instance of the directory server is installed 389 (default) Name of server myserver (from the FQDN myserver.west.example.com or 192.168.0.1) Replica server(s) (IPnumber:port number) 192.168.0.2 [for myreplica.west.example.com] Directory manager cn=directory manager (default) Domain name to be served west.example.com Maximum time (in seconds) to process client requests before timing out 1 Maximum number of entries returned for each search request 1 If you are using hostnames in defining defaultServerList or preferredServerList, you MUST ensure LDAP is not used for hosts lookup. This means ldap must not be in /etc/nsswitch.conf hosts line. Variable Definition for Example Network Profile name (the default name is default) WestUserProfile Server list (defaults to the local subnet) 192.168.0.1 Preferred server list (listed in order of which server to try first, second, and so on) none Search scope (number of levels down through the directory tree. 'One', the default, or 'Sub') one (default) Credential used to gain access to server. Default is anonymous proxy ReferralsFollow Referrals? ( a pointer to another server if the main server is unavailable) Default is no. Y Search time limit (default is 30 seconds) for waiting for server to return information. default Bind time limit (default is 10 seconds) for contacting the server. default Authentication method Default is none. simple Client profiles are defined per domain. At least one profile must be defined for a given domain. index LDAP client attributesidsconfig indexes the following list of attributes for improved performance.membernisnetgrouppres,eq,sub nisnetgrouptriplepres,eq,sub ipHostNumberpres,eq,sub uidNumberpres,eq gidNumberpres,eq ipNetworkNumberpres,eq automountkeypres,eq oncRpcNumberpres,eq idsconfig1M automatically adds the necessary schema definitions. Unless you are very experienced in LDAP administration, do not manually modify the server schema. See Chapter 14, LDAP General Reference (Reference) for an extended list of schemas used by the LDAP naming service. browsing indicesThe browsing index functionality of the Sun Java System Directory Server, otherwise known as the virtual list view (VLV), provides a way in which a client can view a select group or number of entries from very long list, thus making the search process less time consuming for each client. Browsing indexes provide optimized, predefined search parameters with which the Solaris LDAP naming client can access specific information from the various services more quickly. Keep in mind that if you do not create browsing indexes, the clients may not get all the entries of a given type because the server limits for search time or number of entries might be enforced.VLV indexes are configured on the directory server and the proxy user has read access to these indexes.Before configuring browsing indexes on the Sun Java System Directory Server, consider the performance cost associated with using these indexes. For more information, refer to the Administration Guide for the version of Sun Java System Directory Server that you are using.idsconfig creates entries for several VLV indexes. Use the directoryserver script to stop the server and to create the actual VLV indexes. See the idsconfig1M and the directoryserver1M man pages for more information. Refer to the output of the idsconfig command to determine the VLV entries created by idsconfig and the syntax of the corresponding directoryserver commands that you need to run. See Example idsconfig Setup for sample idsconfig output. service search descriptorsdefinitionA service search descriptor (SSD) changes the default search request for a given operation in LDAP to a search you define. SSDs are particularly useful if, for example, you have been using LDAP with customized container definitions or another operating system and are now transitional to the latest Solaris release. Using SSDs, you can configure Solaris LDAP naming services without having to change your existing LDAP database and data.Assume your predecessor at Example, Inc. had configured LDAP, storing users in ou=Users container. You are now upgrading to the latest Solaris release. By definition, Solaris LDAP client assumes that user entries are stored in ou=People container. Thus, when it comes to searching the passwd service, LDAP client will search the ou=people level of the DIT and not find the correct values.One laborious solution to the above problem would be to completely overwrite Example, Inc.'s existing DIT and to rewrite all the exiting applications on Example, Inc.'s network so that they are compatible with the new LDAP naming service. A second, far preferable solution would be to use an SSD that would tell LDAP client to look for user info in an ou=Users container instead the default ou=people container.You would define the necessary SSD during the configuration of the Sun Java System Directory Server using idsconfig. The prompt line appears as follows.Do you wish to setup Service Search Descriptors (y/n/h? y A Add a Service Search Descriptor D Delete a SSD M Modify a SSD P Display all SSD's H Help X Clear all SSD's Q Exit menu Enter menu choice: [Quit] a Enter the service id: passwd Enter the base: service ou=user,dc=west,dc=example,dc=com Enter the scope: one[default] A Add a Service Search Descriptor D Delete a SSD M Modify a SSD P Display all SSD's H Help X Clear all SSD's Q Exit menu Enter menu choice: [Quit] p Current Service Search Descriptors: ================================== Passwd:ou=Users,ou=west,ou=example,ou=com? Hit return to continue. A Add a Service Search Descriptor D Delete a SSD M Modify a SSD P Display all SSD's H Help X Clear all SSD's Q Exit menu Enter menu choice: [Quit] q You do not need special rights to run idsconfig, nor do you need to be an LDAP naming client. Remember to create a checklist as mentioned in Creating a Checklist Based on Your Server Installation in preparation for running idsconfig. You do not have to run idsconfig from a server or an LDAP naming service client machine. You can run idsconfig from any Solaris machine on the network. idsconfig sends the Directory Manager's password in the clear. If you do not want this to happen, you must run idsconfig on the directory server itself, not on a client. Make sure the target Sun Java System Directory Server is up and running. Run idsconfig.# /usr/lib/ldap/idsconfigRefer to Example 11–1 for an example run of idsconfig using the definitions listed in the server and client checklists at the beginning of this chapter in Creating a Checklist Based on Your Server Installation. Answer the questions when prompted.Note that 'no' [n] is the default user input. If you need clarification on any given question, typehand a brief help paragraph will appear.After idsconfig has completed the setup of the directory, you need to run the specified commands on the server before the server setup is complete and the server is ready to serve clients. This section provides an example of a simple idsconfig setup, without modifying many of the defaults. The most complicated method of modifying client profiles is by creating SSDs. Refer to Using Service Search Descriptors to Modify Client Access to Various Services for a detailed discussion.A carriage return sign after the prompt means that you are accepting the [default] by hitting enter.Any parameters left blank in the summary screen will not be set up. After idsconfig has completed the setup of the directory, you need to run the specified commands on the server before the server setup is complete and the server is ready to serve clients.# usr/lib/ldap/idsconfig It is strongly recommended that you BACKUP the directory server before running idsconfig. Hit Ctrl-C at any time before the final confirmation to exit. Do you wish to continue with server setup (y/n/h)? [n] YEnter the directory server's hostname to setup: myserverEnter the Directory Server's port number (h=help): [389] Enter the directory manager DN: [cn=Directory Manager] Enter passwd for cn=Directory Manager : Enter the domainname to be served (h=help): [west.example.com] Enter LDAP Base DN (h=help): [dc=west,dc=example,dc=com] Enter the profile name (h=help): [default] WestUserProfile Default server list (h=help): [192.168.0.1] Preferred server list (h=help): Choose desired search scope (one, sub, h=help): [one] The following are the supported credential levels: 1 anonymous 2 proxy 3 proxy-anonymous 4 self 5 self proxy 6 self proxy anonymous Choose Credential level [h=help]: [1] 2The following are the supported Authentication Methods: 1 none 2 simple 3 sasl/DIGEST-MD5 4 tls:simple 5 tls:sasl/DIGEST-MD5 6 sasl/GSSAPI Choose Authentication Method (h=help): [1] 2Current authenticationMethod: simple Do you want to add another Authentication Method? NDo you want the clients to follow referrals (y/n/h)? [n] NDo you want to modify the server timelimit value (y/n/h)? [n] YEnter the server time limit (current=3600): [-1]Do you want to modify the server sizelimit value (y/n/h)? [n] YEnter the server size limit (current=2000): [-1]Do you want to store passwords in "crypt" format (y/n/h)? [n] YDo you want to setup a Service Authentication Methods (y/n/h)? [n] Client search time limit in seconds (h=help): [30] Profile Time To Live in seconds (h=help): [43200] Bind time limit in seconds (h=help): [10]Do you wish to setup Service Search Descriptors (y/n/h)? [n] Summary of Configuration 1 Domain to serve : west.example.com 2 Base DN to setup : dc=west,dc=example,dc=com 3 Profile name to create : WestUserProfile 4 Default Server List : 192.168.0.1 5 Preferred Server List : 6 Default Search Scope : one 7 Credential Level : proxy 8 Authentication Method : simple 9 Enable Follow Referrals : FALSE 10 Server Time Limit : -1 11 Server Size Limit : -1 12 Enable crypt password storage : TRUE 13 Service Auth Method pam_ldap : 14 Service Auth Method keyserv : 15 Service Auth Method passwd-cmd: 16 Search Time Limit : 30 17 Profile Time to Live : 43200 18 Bind Limit : 10 19 Service Search Descriptors Menu Enter config value to change: (1-19 0=commit changes) [0] Enter DN for proxy agent:[cn=proxyagent,ou=profile,dc=west,dc=example,dc=com] Enter passwd for proxyagent: Re-enter passwd: WARNING: About to start committing changes. (y=continue, n=EXIT) Y1. Changed timelimit to -1 in cn=config. 2. Changed sizelimit to -1 in cn=config. 3. Changed passwordstoragescheme to "crypt" in cn=config. 4. Schema attributes have been updated. 5. Schema objectclass definitions have been added. 6. Created DN component dc=west. 7. NisDomainObject added to dc=west,dc=example,dc=com. 8. Top level "ou" containers complete. 9. automount maps: auto_home auto_direct auto_master auto_shared processed. 10. ACI for dc=west,dc=example,dc=com modified to disable self modify. 11. Add of VLV Access Control Information (ACI). 12. Proxy Agent cn=proxyagent,ou=profile,dc=west,dc=example,dc=com added. 13. Give cn=proxyagent,ou=profile,dc=west,dc=example,dc=com read permission for password. 14. Generated client profile and loaded on server. 15. Processing eq,pres indexes: uidNumber (eq,pres) Finished indexing. ipNetworkNumber (eq,pres) Finished indexing. gidnumber (eq,pres) Finished indexing. oncrpcnumber (eq,pres) Finished indexing. automountKey (eq,pres) Finished indexing. 16. Processing eq,pres,sub indexes: ipHostNumber (eq,pres,sub) Finished indexing. membernisnetgroup (eq,pres,sub) Finished indexing. nisnetgrouptriple (eq,pres,sub) Finished indexing. 17. Processing VLV indexes: west.example.com.getgrent vlv_index Entry created west.example.com.gethostent vlv_index Entry created west.example.com.getnetent vlv_index Entry created west.example.com.getpwent vlv_index Entry created west.example.com.getrpcent vlv_index Entry created west.example.com.getspent vlv_index Entry created west.example.com.getauhoent vlv_index Entry created west.example.com.getsoluent vlv_index Entry created west.example.com.getauduent vlv_index Entry created west.example.com.getauthent vlv_index Entry created west.example.com.getexecent vlv_index Entry created west.example.com.getprofent vlv_index Entry created west.example.com.getmailent vlv_index Entry created west.example.com.getbootent vlv_index Entry created west.example.com.getethent vlv_index Entry created west.example.com.getngrpent vlv_index Entry created west.example.com.getipnent vlv_index Entry created west.example.com.getmaskent vlv_index Entry created west.example.com.getprent vlv_index Entry created west.example.com.getip4ent vlv_index Entry created west.example.com.getip6ent vlv_index Entry created idsconfig: Setup of myserver is complete. Note: idsconfig has created entries for VLV indexes. Use the directoryserver(1m) script on myserver to stop the server and then enter the following vlvindex sub-commands to create the actual VLV indexes: directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getgrent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.gethostent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getnetent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getpwent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getrpcent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getspent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getauhoent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getsoluent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getauduent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getauthent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getexecent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getprofent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getmailent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getbootent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getethent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getngrpent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getipnent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getmaskent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getprent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getip4ent directoryserver -s myserver vlvindex -n userRoot -T west.example.com.getip6ent Sun Java System server setupload data into directory server ldapaddentBefore populating the directory server with data, you must configure the server to store passwords in UNIX Crypt format if you are using pam_unix. If you are using pam_ldap, you can store passwords in any format. For more information about setting the password in UNIX crypt format, see the Sun Java System Directory Server documents. ldapaddent reads from the standard input (that being an /etc/filename like passwd) and places this data to the container associated with the service. Client configuration determines how the data will be written by default.ldapaddent1M can only run on an LDAP client. Chapter 12, Setting Up LDAP Clients (Tasks) describes how to configure a client for the LDAP naming service. See ldapaddent1M. See Chapter 9, LDAP Basic Components and Concepts (Overview) for information about LDAP security and write-access to the directory server. Use the ldapaddent command to add /etc/passwd entries to the server.# ldapaddent D "cn=directory manager" f /etc/passwd passwd To add printer entries to the LDAP directory, use either the printmgr configuration tool or the lpset n ldap command-line utility. See lpset1M. Note that the printer objects added to the directory only define the connection parameter, required by print system clients, of printers. Local print server configuration data is still held in files. A typical printer entry would look like the following:printer-uri=myprinter,ou=printers,dc=mkg,dc=example,dc=com objectclass=top objectclass=printerService objectclass=printerAbstract objectclass=sunPrinter printer-name=myprinter sun-printer-bsdaddr=printsvr.example.com,myprinter,Solaris sun-printer-kvp=description=HP LaserJet (PS) printer-uri=myprinter lpget1M can be used to list all printer entries known by the LDAP client's LDAP directory. If the LDAP client's LDAP server is a replica server, then printers listed might not be the same as that in the master LDAP server depending on the update replication agreement. See lpget1M for more information.For example, to list all printers for a given base DN, type the following:# lpget n ldap list myprinter: dn=myprinter,ou=printers,dc=mkt,dc=example,dc=com bsdaddr=printsvr.example.com,myprinter,Solaris description=HP LaserJet (PS) Use ldapclient with the genprofile option to create an LDIF representation of a configuration profile, based on the attributes specified. The profile you create can then be loaded into an LDAP server to be used as the client profile. The client profile can be downloaded by the client by using ldapclient init.Refer to ldapclient1M for information about using ldapclient genprofile.Become superuser or assume an equivalent role.Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services. Use ldapclient with the genprofile command.# ldapclient genprofile \ a profileName=myprofile \ a defaultSearchBase=dc=west,dc=example,dc=com \ a "defaultServerList=192.168.0.1 192.168.0.2:386" \> myprofile.ldif Upload the new profile to the server.# ldapadd h 192.168.0.1 D “cn=directory manager” f myprofile.ldif In order for pam_ldap to work properly, the password and account lockout policy must be properly configured on the server. You can use the Directory Server Console or ldapmodify to configure the account management policy for the LDAP directory. For procedures and more information, see the “User Account Management” chapter in the Administration Guide for the version of Sun Java System Directory Server that you are using.&pamldapnote;Passwords for proxy users should never be allowed to expire. If proxy passwords expire, clients using the proxy credential level cannot retrieve naming service information from the server. To ensure that proxy users have passwords that do not expire, modify the proxy accounts with the following script.# ldapmodify h ldapserver D administrator DN \ w administrator password <<EOF dn: proxy user DN DNchangetype: modify replace: passwordexpirationtime passwordexpirationtime: 20380119031407Z EOFpam_ldap account management relies on Sun Java System Directory Server to maintain and provide password aging and account expiration information for users. The directory server does not interpret the corresponding data from shadow entries to validate user accounts. pam_unix, however, examines the shadow data to determine if accounts are locked or if passwords are aged. Since the shadow data is not kept up to date by the LDAP naming services or the directory server, pam_unix should not grant access based on the shadow data. The shadow data is retrieved using the proxy identity. Therefore, do not allow proxy users to have read access to the userPassword attribute. Denying proxy users read access to userPassword prevents pam_unix from making an invalid account validation. migrationdirectory server Sun Java System Directory Servermigration directory servermigration Schema changes were implemented between the release of Sun Java System Directory Server 5.1 (formerly Sun ONE Directory Server) and the release of Sun Java System Directory Server 5.2. The ldapaddent command now adds objectclass: device to the entries of ethers/bootparams. Therefore, if you choose to use the LDAP commands to migrate directory data from Sun Java System Directory Server 5.1 to 5.2, you must use ldapaddent d to export data and ldapaddent to import data. Otherwise, if you use the Sun Java System Directory Server tools db2ldif and ldif2db to migrate data, you must apply Sun Java System Directory Server 5.2 with all patches before migrating the data, or the data import could fail.For information about configuring the Sun Java System Directory Server 5.2, see the Sun Java System Directory Server documentation, that is included with the Sun Java Enterprise System.