
FreeBSD Manual Pages


ldap(1)                          User Commands                          ldap(1)

       ldap - LDAP as a naming repository

       LDAP refers to Lightweight Directory Access Protocol, which is an
       industry standard for accessing directory servers. By initializing the
       client using ldapclient(1M) and using the keyword ldap in the name
       service switch file, /etc/nsswitch.conf, Solaris clients can obtain
       naming information from an LDAP server. Information such as usernames,
       hostnames, and passwords is stored on the LDAP server in a Directory
       Information Tree or DIT. The DIT consists of entries which in turn are
       composed of attributes. Each attribute has a type and one or more val-

       Solaris LDAP clients use the LDAP v3 protocol to access naming
       information from LDAP servers. The LDAP server must support the object
       classes and attributes defined in RFC2307bis (draft), which maps the
       naming service model on to LDAP. As an alternative to using the schema
       defined in RFC2307bis (draft), the system can be configured to use
       other schema sets, and the schema mapping feature is configured to map
       between the two. Refer to the System Administration Guide: Naming and
       Directory Services (DNS, NIS, and LDAP) for more details.

       The ldapclient(1M) utility can make a Solaris machine an LDAP client by
       setting up the appropriate directories, files, and configuration
       information. The LDAP client caches this configuration information in
       local cache files. This configuration information is accessed through
       the ldap_cachemgr(1M) daemon. This daemon also refreshes the
       information in the configuration files from the LDAP server, providing
       better performance and security. The ldap_cachemgr must run at all
       times for the proper operation of the naming services.

       There are two types of configuration information: the information
       available through a profile, and the information configured per
       client. The profile contains all the information as to how the client
       accesses the directory. The credential information for the proxy user
       is configured on a per-client basis and is not downloaded through the
       profile.

       The profile contains server-specific parameters that are required by
       all clients to locate the servers for the desired LDAP domain. This
       information could be the server's IP address and the search base
       Distinguished Name (DN), for instance. It is configured on the client
       from the default profile during client initialization and is
       periodically updated by the ldap_cachemgr daemon when the expiration
       time has

       Client profiles can be stored on the LDAP server and may be used by the
       ldapclient utility to initialize an LDAP client. Using the client
       profile is the easiest way to configure a client machine. See ldap-

       Credential information includes client-specific parameters that are
       used by a client. This information could be the Bind DN (LDAP "login"
       name) of the client and the password. If these parameters are
       required, they are manually defined during the initialization through
       ldap-

       The naming information is stored in containers on the LDAP server. A
       container is a non-leaf entry in the DIT that contains naming service
       information. Containers are similar to maps in NIS and tables in NIS+.
       A default mapping between the NIS databases and the containers in LDAP
       is presented below. The location of these containers as well as their
       names can be overridden through the use of serviceSearchDescriptors.
       For more information see ldapclient(1M).

       |Database    |Object Class      | Container                  |
       |passwd      |posixAccount      | ou=people,dc=...           |
       |            |shadowAccount     |                            |
       |group       |posixGroup        | ou=Group,dc=...            |
       |services    |ipService         | ou=Services,dc=...         |
       |protocols   |ipProtocol        | ou=Protocols,dc=...        |
       |rpc         |oncRpc            | ou=Rpc,dc=...              |
       |hosts       |ipHost            | ou=Hosts,dc=...            |
       |ipnodes     |                  |                            |
       |ethers      |ieee802Device     | ou=Ethers,dc=...           |
       |bootparams  |bootableDevice    | ou=Ethers,dc=...           |
       |networks    |ipNetwork         | ou=Networks,dc=...         |
       |netmasks    |ipNetwork         | ou=Networks,dc=...         |
       |netgroup    |nisNetgroup       | ou=Netgroup,dc=...         |
       |aliases     |mailGroup         | ou=Aliases,dc=...          |
       |publickey   |nisKeyObject      |                            |
       |generic     |nisObject         | nisMapName=...,dc=...      |
       |printers    |printerService    | ou=Printers,dc=...         |
       |auth_attr   |SolarisAuthAttr   | ou=SolarisAuthAttr,dc=...  |
       |prof_attr   |SolarisProfAttr   | ou=SolarisProfAttr,dc=...  |
       |exec_attr   |SolarisExecAttr   | ou=SolarisProfAttr,dc=...  |
       |user_attr   |SolarisUserAttr   | ou=people,dc=...           |
       |audit_attr  |SolarisAuditAttr  | ou=people,dc=...           |

       The security model for clients is defined by a combination of the
       credential level to be used, the authentication method, and the PAM
       module to be used, that is, pam_unix versus pam_ldap. The credential
       level defines what credentials the client should use to authenticate
       to the directory server, and the authentication method defines the
       method of choice. Both of these can be set with multiple values. The
       Solaris LDAP supports the following values for credential level:



       The Solaris LDAP supports the following values for authentication








       More protection can be provided by means of access control, allowing
       the server to grant access for certain containers or entries. Access
       control is specified by Access Control Lists (ACL's) that are defined
       and stored in the LDAP server. The Access Control Lists on the LDAP
       server are called Access Control Instructions (ACI's) by the iPlanet
       Directory Server. Each ACL or ACI specifies one or more directory
       objects, for example, the cn attribute in a specific container, one or
       more clients to whom you grant or deny access, and one or more access
       rights that determine what the clients can do to or with the objects.
       Clients can be users or applications. Access rights can be specified
       as read and write, for example. Refer to the System Administration
       Guide: Naming and Directory Services (DNS, NIS, and LDAP) regarding
       the restrictions on ACL's and ACI's when using LDAP as a naming
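       The following Python script is an added example; it is not part of the
       ldap(1) man page and is not Solaris or iPlanet code. It encodes the
       default database-to-container mapping from the table above, parses a
       constructed posixAccount/shadowAccount entry written in LDIF form, and
       shows how server-side access control decides whether a client that
       binds with a given identity receives the userPassword attribute. The
       base DN dc=example,dc=com, the entry, the hash placeholder, the proxy
       identity cn=proxyagent,ou=profile,dc=example,dc=com and the rule list
       are all assumptions made for this example; the rule model is a
       deliberate simplification, not the iPlanet ACI syntax.

```python
# Added example (not from the ldap(1) man page or from Solaris): default
# RFC2307bis containers, a minimal LDIF parser, and a simplified model of
# server-side access control over what a bound client can read.

# Default containers from the man page table, relative to the base DN.
DEFAULT_CONTAINERS = {
    "passwd":     ("posixAccount",   "ou=people"),
    "group":      ("posixGroup",     "ou=Group"),
    "services":   ("ipService",      "ou=Services"),
    "protocols":  ("ipProtocol",     "ou=Protocols"),
    "rpc":        ("oncRpc",         "ou=Rpc"),
    "hosts":      ("ipHost",         "ou=Hosts"),
    "ethers":     ("ieee802Device",  "ou=Ethers"),
    "bootparams": ("bootableDevice", "ou=Ethers"),
    "networks":   ("ipNetwork",      "ou=Networks"),
    "netmasks":   ("ipNetwork",      "ou=Networks"),
    "netgroup":   ("nisNetgroup",    "ou=Netgroup"),
    "aliases":    ("mailGroup",      "ou=Aliases"),
    "printers":   ("printerService", "ou=Printers"),
}


def search_base(database, base_dn, overrides=None):
    """Return (objectClass, search base DN) for a naming database.

    `overrides` maps a database to a full container DN; it stands in for
    the serviceSearchDescriptors the page says can relocate a container.
    """
    object_class, container = DEFAULT_CONTAINERS[database]
    if overrides and database in overrides:
        return object_class, overrides[database]
    return object_class, f"{container},{base_dn}"


def parse_ldif(text):
    """Parse one LDIF record into {attribute: [values]}.

    Handles only "attr: value" lines, repeated attributes, and folded
    continuation lines that start with a single space.
    """
    entry, last_attr = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last_attr:      # folded continuation line
            entry[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        entry.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entry


def visible_entry(entry, bind_identity, rules):
    """Return the attributes of `entry` that `bind_identity` may read.

    `rules` is a list of (identity, readable attribute set) pairs; "*" as
    the identity matches any bind. Simplified stand-in for ACL/ACI checks.
    """
    allowed = set()
    for who, attrs in rules:
        if who in ("*", bind_identity):
            allowed.update(attrs)
    return {a: v for a, v in entry.items() if a in allowed}


def passwd_line(entry):
    """Render an account entry as a seven-field passwd-style line.

    The password field comes from userPassword when the client could read
    it, and is "*" otherwise (a convention chosen for this example only).
    """
    def first(attr, default=""):
        return entry.get(attr, [default])[0]
    return ":".join([first("uid"), first("userPassword", "*"),
                     first("uidNumber"), first("gidNumber"), first("gecos"),
                     first("homeDirectory"), first("loginShell")])


# Constructed sample entry; the {crypt} value is a placeholder, not a hash.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
uidNumber: 1001
gidNumber: 100
gecos: Jane Doe
homeDirectory: /export/home/jdoe
loginShell: /bin/sh
userPassword: {crypt}PLACEHOLDER_HASH
"""

# Constructed rules: any bind may read the public account fields; only the
# assumed proxy identity may read userPassword.
PROXY_DN = "cn=proxyagent,ou=profile,dc=example,dc=com"
SAMPLE_RULES = [
    ("*", {"uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"}),
    (PROXY_DN, {"userPassword"}),
]


def demo():
    """Return the passwd-style line as seen by an anonymous and a proxy bind."""
    entry = parse_ldif(SAMPLE_LDIF)
    return (passwd_line(visible_entry(entry, "anonymous", SAMPLE_RULES)),
            passwd_line(visible_entry(entry, PROXY_DN, SAMPLE_RULES)))


if __name__ == "__main__":
    print(search_base("passwd", "dc=example,dc=com"))
    for line in demo():
        print(line)
```

       Run it directly to print the search base for the passwd database and
       the two renderings of the same entry. The point it makes is the one
       the access-control paragraph implies: whether a naming-service client
       can see password hashes is decided by the ACL or ACI on the server for
       the identity the client binds with, so the per-client proxy credential
       described above should be granted only the attributes the chosen PAM
       module actually needs.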

       A sample nsswitch.conf(4) file called nsswitch.ldap is provided in the
       /etc directory. This is copied to /etc/nsswitch.conf by the
       ldapclient(1M) utility. This file uses LDAP as a repository for the
       different databases in the nsswitch.conf file.
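       An illustrative name-service switch fragment using the ldap keyword,
       added here as an example; it is not a copy of the nsswitch.ldap file
       shipped in /etc, whose exact contents the page does not reproduce.
       Each line names a database and the sources consulted, in order.

```conf
# Added example, not /etc/nsswitch.ldap: local files are consulted first,
# then the LDAP server reached through ldap_cachemgr(1M).
passwd:     files ldap
group:      files ldap
hosts:      files ldap
ipnodes:    files ldap
networks:   files ldap
protocols:  files ldap
rpc:        files ldap
ethers:     files ldap
netmasks:   files ldap
bootparams: files ldap
publickey:  files ldap
netgroup:   ldap
services:   files ldap
aliases:    files ldap
```

       Keeping files ahead of ldap for passwd and group means local
       administrative accounts still resolve when the directory server or
       ldap_cachemgr(1M) is unavailable.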

       The following is a list of the user commands related to LDAP:

             Prepares an iPlanet Directory Server to be ready to support
             Solaris LDAP clients.

	     Create LDAP entries from corresponding /etc files.

             Initialize LDAP clients, or generate a configuration profile to
             be stored in the directory.

	     List the contents of the LDAP naming space.


             Files that contain the LDAP configuration of the client. Do not
             manually modify these files. Their content is not guaranteed to
             be human readable. Use ldapclient(1M) to update them.

	     Configuration file	for the	name-service switch

             Sample configuration file for the name-service switch configured
             with LDAP and files.

	     PAM framework configuration file.

       ldaplist(1), idsconfig(1M), ldap_cachemgr(1M), ldapaddent(1M),
       ldapclient(1M), nsswitch.conf(4), pam.conf(4), pam_authtok_check(5),
       pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_ldap(5),
       pam_passwd_auth(5), pam_unix(5), pam_unix_account(5), pam_unix_auth(5),

       System Administration Guide: Naming and Directory Services (DNS, NIS,
       and LDAP)

       The pam_unix(5) module might not be supported in a future release.
       Similar functionality is provided by pam_authtok_check(5),
       pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
       pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and
       pam_unix_session(5).

SunOS 5.9                         7 Jan 2002                           ldap(1)

