<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv=Content-Type content="text/html; charset=windows-1252"> <meta name=ProgId content=Word.Document> <meta name=Generator content="Microsoft Word 10"> <meta name=Originator content="Microsoft Word 10"> <link rel=File-List href="Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server_files/filelist.xml"> <title>Configuring Solaris Native LDAP Client for Fedora Directory Server</title> <o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City"/> <o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place"/> <o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="date"/>  <style>  </style>  </head> <body lang=EN-US link=blue vlink=purple style='tab-interval:.5in'> <div class=Section1> <h1>Configuring Solaris Natiive LDAP Client for Fedora Directory Server<o:p></o:p></h1> <o:p> </o:p> (SimpleBind)<o:p></o:p> (See also related documents at <a href="http://web.singnet.com.sg/~garyttt/">http://web.singnet.com.sg/~garyttt/</a>)<o:p></o:p> <o:p> </o:p> <h2>By: Gary Tay, <a href="mailto:garyttt@singnet.com.sg">garyttt@singnet.com.sg</a><o:p></o:p></h2> <o:p> </o:p> <h4>History of Updates:</h4> <h4><o:p> </o:p></h4> <h4><st1:date Year="2005" Day="26" Month="8">26-Aug-2005</st1:date>, first draft.<o:p></o:p></h4> <o:p> </o:p> Purpose: <o:p> </o:p> This document describes the steps involved in configuring a SUN Solaris8/9 Native LDAP Client to work against RedHat/Fedora Directory Server (FDS 7.1) using "simple bind authentication" on Soalris8/9. <o:p> </o:p> Fedora Directory Server is the OpenSource version (without support) of the commercial RedHat Directory Server. It is previously called Netscape Directory Server 7.1 prior to the products being bought over by RedHat, It is not a surprise that FDS/RDS (or NDS 7.1) and SUN ONE Directiry Server 5.2 (which is said to be based on NDS 6.X) share many similarities. Please visit the following URLs for more information.<o:p></o:p> <o:p> </o:p> Home: <a href="http://directory.fedora.redhat.com/wiki/Main_Page">http://directory.fedora.redhat.com/wiki/Main_Page</a> Features: <a href="http://directory.fedora.redhat.com/wiki/Features">http://directory.fedora.redhat.com/wiki/Features</a> FAQ: <a href="http://directory.fedora.redhat.com/wiki/FAQ">http://directory.fedora.redhat.com/wiki/FAQ</a> Download: <a href="http://directory.fedora.redhat.com/wiki/Download">http://directory.fedora.redhat.com/wiki/Download</a> <![if !supportLineBreakNewLine]> <![endif]><o:p></o:p> Commercial� Support is NOT FREE, however the following web sites provide �FREE� issue reportings and discussions, for LDAP directory server products, the first one is FDS specific.<o:p></o:p> <o:p> </o:p> <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><o:p></o:p> <a href="http://lists.fini.net/mailman/listinfo/ldap-interop">http://lists.fini.net/mailman/listinfo/ldap-interop</a><o:p></o:p> <a href="http://supportforum.sun.com/">http://supportforum.sun.com</a> <o:p></o:p> <a href="http://www.ldapguru.com/">http://www.ldapguru.com</a><o:p></o:p> <a href="http://www.dbforums.com/">http://www.dbforums.com</a> (comp.unix.solaris)<o:p></o:p> <o:p> </o:p> GUI Based LDAP account management and data export tools other than <![if !supportLists]>� <![endif]>LDAP Browser/Editor: <a href="http://www.iit.edu/~gawojar/ldap/">�http://www-unix.mcs.anl.gov/~gawor/ldap/</a><o:p></o:p> <![if !supportLists]>� <![endif]>JXplorer Java LDAP Browser/Editor: <a href="http://pegacat.com/jxplorer/">http://pegacat.com/jxplorer/</a>� (can do SSL connection)<o:p></o:p> <![if !supportLists]>� <![endif]>Other Graphical LDAP Tools: <a href="http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html">http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html</a><o:p></o:p> <![if !supportLists]>� <![endif]>Other LDAP GUI based Tools: <a href="http://www.ldapguru.com/">http://www.ldapguru.com</a> (check the Top Download links and so on)<o:p></o:p> <![if !supportLists]>� <![endif]>LDAP Expoter: <a href="http://www.novell.com/coolsolutions/tools/14287.html">http://www.novell.com/coolsolutions/tools/14287.html</a> (export LDAP data to csv format)<o:p></o:p> <o:p> </o:p> Example used: <o:p></o:p> <o:p> </o:p> <![if !supportLists]>� <![endif]>RedHat EL4 MASTER LDAP Server: ldap1.example.com, 192.168.1.168<o:p></o:p> <![if !supportLists]>� <![endif]>Solaris8 LDAP Client: client2.example.com, 192.168.1.198<o:p></o:p> <![if !supportLists]>� <![endif]>Solaris9 LDAP Client: client3.example.com, 192.168.1.208<o:p></o:p> <o:p> </o:p> Assumptions: A Fedora Directory Server has been installed with sample data (ou=People and ou=Groups, some sample Groups entries), its "slapd" and admin server have been successfully started.<o:p></o:p> <o:p> </o:p> Preparation Steps:<o:p></o:p> <o:p> </o:p> Please ensure that IP addresses of LDAP Server(s) are defined in DNS and/or /etc/hosts<o:p></o:p> Please ensure that LDAP domain example.com is defined in /etc/resolv.conf, in case of Solaris LDAP clients and servers, /etc/defaultdomain should contain "example.com" as the LDAP domain, "domainname `cat /etc/defaultdomain`" could be run to change the domainname with immediate effect.<o:p></o:p> <o:p> </o:p> Please also complete these VERY ESSENTIAL Preparation Steps:<o:p></o:p> <o:p> </o:p> P1) For Solaris8 client, latest kernel patch and LDAP patch 108993 must be applied.<o:p></o:p> <o:p> </o:p> P2) For Solaris9 client, latest kernel patch and LDAP patch 112960 must be applied.<o:p></o:p> Please refer to Appendix for a useful script to check multiple patches, modify to suit your need.<o:p></o:p> <o:p> </o:p> P3) At the FDS7.1 Server, copy 61DUAConfigProfile.ldif (see Appendix) to $FDS7_ROOT/slapd-`hostname`/config/schema directory, and restart FDS to activate this customized schema.<o:p></o:p> <o:p> </o:p> P4) Change default password storage scheme in Fedora Management Console, open directory server, click Directory TAB, click "config (XXX acis)", right click and edit its properties, change "passwordStorageScheme" from the default "SSHA" to "CRYPT", this is to facilitate the migration of UNIX /etc/shadow and NIS CRYPTed passwords into LDAP DIT.<o:p></o:p> <o:p> </o:p> P5) Add TWO Access Control Instructioins (ACIs) to the rootDN in Fedora Management Console, click "dc=example,dc=com", click "Set Access Permissions", add new entry by copying and pasting the followings.<o:p></o:p> <o:p> </o:p> (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)<o:p></o:p> <o:p> </o:p> and<o:p></o:p> <o:p> </o:p> (target="ldap:///dc=example,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)<o:p></o:p> <o:p> </o:p> <o:p> </o:p> <h3>Step 1:� Populate the directory server with People, group, proxyAgent and profile data</h3> <o:p> </o:p> This step is for LDAP Server, it is intended to add some testing users/groups, and add DUAConfigProfile based LDAP profiles for subsequent Solaris LDAP Client "initialization".<o:p></o:p> <o:p> </o:p> Prepare People.ldif and group.ldif and add them into directory data. You may also manually add directory data using Fedora Management Console. <o:p> </o:p> Note that as FDS default installation does not create an "ou=group" which is more commonly used for group data than "ou=Groups" in setting up UNIX name service, the group.ldif should take care of ou=group creation. <o:p> </o:p> Tips 1: When you use Fedora Management Console to add "People" entry, remember to check the �posix� user (posixAccount) option, so that uidNumber and gidNumber could be entered.<o:p></o:p> <o:p> </o:p> Tips 2: Use $FDS7_ROOT/slapd-`hostname`/getpwenc command to find the encrypted format of LDAP userPassword.<o:p></o:p> <o:p> </o:p> # cd /opt/fedora-ds/slapd-ldap1<o:p></o:p> # ./getpwenc CRYPT testpassword<o:p></o:p> {crypt}GFOZa/ZLlDdng<o:p></o:p> <o:p> </o:p> A sample People.ldif with only two entries is shown here<o:p></o:p> <o:p> </o:p> dn: uid=gtay, ou=People, dc=example,dc=com<o:p></o:p> givenName: <st1:City><st1:place>Gary</st1:place></st1:City><o:p></o:p> sn: <st1:place>Tay</st1:place><o:p></o:p> loginShell: /bin/bash<o:p></o:p> uidNumber: 6167<o:p></o:p> gidNumber: 102<o:p></o:p> objectClass: top<o:p></o:p> objectClass: person<o:p></o:p> objectClass: organizationalPerson<o:p></o:p> objectClass: inetorgperson<o:p></o:p> objectClass: posixAccount<o:p></o:p> objectClass: shadowAccount<o:p></o:p> uid: gtay<o:p></o:p> cn: Gary Tay<o:p></o:p> homeDirectory: /home/gtay<o:p></o:p> shadowLastChange: -1<o:p></o:p> shadowMin: -1<o:p></o:p> shadowMax: 99999<o:p></o:p> shadowWarning: 7<o:p></o:p> shadowInactive: -1<o:p></o:p> shadowExpire: -1<o:p></o:p> shadowFlag: 0<o:p></o:p> gecos: Gary Tay<o:p></o:p> userPassword: {CRYPT}U8bo2twhJ9Kkg<o:p></o:p> <o:p> </o:p> dn: uid=tuser, ou=People, dc=example,dc=com<o:p></o:p> givenName: Test<o:p></o:p> sn: User<o:p></o:p> loginShell: /bin/bash<o:p></o:p> uidNumber: 9999<o:p></o:p> gidNumber: 102<o:p></o:p> objectClass: top<o:p></o:p> objectClass: person<o:p></o:p> objectClass: organizationalPerson<o:p></o:p> objectClass: inetorgperson<o:p></o:p> objectClass: posixAccount<o:p></o:p> objectClass: shadowAccount<o:p></o:p> uid: tuser<o:p></o:p> cn: Test User<o:p></o:p> homeDirectory: /home/tuser<o:p></o:p> shadowLastChange: -1<o:p></o:p> shadowMin: -1<o:p></o:p> shadowMax: 99999<o:p></o:p> shadowWarning: 7<o:p></o:p> shadowInactive: -1<o:p></o:p> shadowExpire: -1<o:p></o:p> shadowFlag: 0<o:p></o:p> gecos: Test User<o:p></o:p> userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=<o:p></o:p> <o:p> </o:p> A sample group.ldif with only one entry is shown here<o:p></o:p> <o:p> </o:p> dn: ou=group,dc=example,dc=com<o:p></o:p> objectClass: organizationalUnit<o:p></o:p> objectClass: top<o:p></o:p> ou: group<o:p></o:p> <o:p> </o:p> dn: cn=Users,ou=group,dc=example,dc=com<o:p></o:p> cn: Users<o:p></o:p> gidNumber: 102<o:p></o:p> objectClass: top<o:p></o:p> objectClass: posixGroup<o:p></o:p> memberUid: gtay<o:p></o:p> memberUid: tuser<o:p></o:p> <o:p> </o:p> A sample proxyAgent_and_profile.ldif containing ou=profile, proxyAgent and "default" (using simple bind authentication method) DUAConfigProfile based profile is show below:<o:p></o:p> <o:p> </o:p> dn: ou=profile,dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: organizationalUnit<o:p></o:p> ou: profile<o:p></o:p> <o:p> </o:p> dn: cn=proxyAgent,ou=profile,dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: person<o:p></o:p> cn: proxyAgent<o:p></o:p> sn: proxyAgent<o:p></o:p> userPassword: {CRYPT}l14aeXtphVSUg<o:p></o:p> <o:p> </o:p> dn: cn=default,ou=profile,dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: DUAConfigProfile<o:p></o:p> defaultServerList: 192.168.1.168<o:p></o:p> defaultSearchBase: dc=example,dc=com<o:p></o:p> authenticationMethod: simple<o:p></o:p> followReferrals: TRUE<o:p></o:p> defaultSearchScope: one<o:p></o:p> searchTimeLimit: 30<o:p></o:p> profileTTL: 43200<o:p></o:p> cn: default<o:p></o:p> credentialLevel: proxy<o:p></o:p> bindTimeLimit: 2<o:p></o:p> serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one<o:p></o:p> serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one<o:p></o:p> serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one<o:p></o:p> serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one<o:p></o:p> <o:p> </o:p> # /usr/bin/ldapadd -c -D "cn=Directory Manager" -f People.ldif<o:p></o:p> <o:p> </o:p> # /usr/bin/ldapadd -c -D "cn=Directory Manager" -f group.ldif<o:p></o:p> <o:p> </o:p> # /usr/bin/ldapadd -c -D "cn=Directory Manager" -f proxyAgent_and_profile.ldif<o:p></o:p> <o:p> </o:p> For massive import of People and group entries, you may use �/usr/sbin/ldapaddent� command, see �man ldapaddent� for more details, or you may use PADL�s MigrationTools.<o:p></o:p> <o:p> </o:p> <a href="http://www.padl.com/OSS/MigrationTools.html">http://www.padl.com/OSS/MigrationTools.html</a><o:p></o:p> <o:p> </o:p> Examples of ldapaddent are listed below, note the sequences, passwd DB first then shadow, note also the use of �-p� to create userPassword attribute and the CRYPT password is only added when the DB is shadow.<o:p></o:p> <o:p> </o:p> <pre># cat test.txt<o:p></o:p></pre><pre>test9991:x:9991:102:test9991:/var/tmp:/bin/sh<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># ldapaddent -v -f test.txt -D "cn=Directory Manager" -p passwd<o:p></o:p></pre><pre>Enter password:<o:p></o:p></pre><pre>SERVICE = passwd<o:p></o:p></pre><pre>Adding entry : test9991<o:p></o:p></pre><pre>1 entries added<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># cat tests.txt<o:p></o:p></pre><pre>test9991:ElnMr/iU805dA:12881::::::<o:p></o:p></pre><pre><o:p> </o:p></pre><pre># ldapaddent -v -f tests.txt -D "cn=Directory Manager" shadow<o:p></o:p></pre><pre>Enter password:<o:p></o:p></pre><pre>SERVICE = shadow<o:p></o:p></pre><pre>Adding entry : test9991<o:p></o:p></pre><pre>1 entries added<o:p></o:p></pre><pre>#<o:p></o:p></pre> <o:p> </o:p> IMPORTANT NOTE ABOUT LDIF IMPORT FILES:<o:p></o:p> <o:p> </o:p> When you copy and paste the content of People.ldif and group.ldif, or any other .ldif files from this document for preparation of� LDAP data import using ldapadd command, please make sure that ALL LEADING AND TRAILING SPACES at every line in the .ldif files be removed or else �ldapadd� command will throw errors.<o:p></o:p> <o:p> </o:p> Try to list the LDAP content at the Solaris client by binding "anonymous"ly (<a name="OLE_LINK1">without "-D" option</a>), note that userPassword never get listed due to the ACI we have set at the server end. <o:p> </o:p> # /usr/bin/ldapsearch �h ldap1.example.com -b "dc=example,dc=com" -L "objectclass=*"<o:p></o:p> dn: dc=example,dc=com<o:p></o:p> dc: example<o:p></o:p> objectClass: top<o:p></o:p> objectClass: domain<o:p></o:p> objectClass: nisDomainObject<o:p></o:p> nisDomain: example.com<o:p></o:p> <o:p> </o:p> dn: cn=Directory Administrators, dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: groupofuniquenames<o:p></o:p> cn: Directory Administrators<o:p></o:p> <o:p> </o:p> dn: ou=Groups, dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: organizationalunit<o:p></o:p> ou: Groups<o:p></o:p> <o:p> </o:p> dn: ou=People, dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: organizationalunit<o:p></o:p> ou: People<o:p></o:p> <o:p> </o:p> dn: ou=Special Users,dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: organizationalUnit<o:p></o:p> ou: Special Users<o:p></o:p> description: Special Administrative Accounts<o:p></o:p> <o:p> </o:p> dn: cn=Accounting Managers,ou=groups,dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: groupOfUniqueNames<o:p></o:p> cn: Accounting Managers<o:p></o:p> ou: groups<o:p></o:p> description: People who can manage accounting entries<o:p></o:p> <o:p> </o:p> dn: cn=HR Managers,ou=groups,dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: groupOfUniqueNames<o:p></o:p> cn: HR Managers<o:p></o:p> ou: groups<o:p></o:p> description: People who can manage HR entries<o:p></o:p> <o:p> </o:p> dn: cn=QA Managers,ou=groups,dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: groupOfUniqueNames<o:p></o:p> cn: QA Managers<o:p></o:p> ou: groups<o:p></o:p> description: People who can manage QA entries<o:p></o:p> <o:p> </o:p> dn: cn=PD Managers,ou=groups,dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: groupOfUniqueNames<o:p></o:p> cn: PD Managers<o:p></o:p> ou: groups<o:p></o:p> description: People who can manage engineer entries<o:p></o:p> <o:p> </o:p> dn: ou=group,dc=example,dc=com<o:p></o:p> ou: group<o:p></o:p> objectClass: top<o:p></o:p> objectClass: organizationalUnit<o:p></o:p> <o:p> </o:p> dn: ou=profile,dc=example,dc=com<o:p></o:p> ou: profile<o:p></o:p> objectClass: top<o:p></o:p> objectClass: organizationalUnit<o:p></o:p> <o:p> </o:p> dn: cn=proxyagent,ou=profile,dc=example,dc=com<o:p></o:p> cn: proxyagent<o:p></o:p> sn: proxyagent<o:p></o:p> objectClass: top<o:p></o:p> objectClass: person<o:p></o:p> <o:p> </o:p> dn: cn=default,ou=profile,dc=example,dc=com<o:p></o:p> objectClass: top<o:p></o:p> objectClass: DUAConfigProfile<o:p></o:p> defaultServerList: 192.168.1.168<o:p></o:p> defaultSearchBase: dc=example,dc=com<o:p></o:p> authenticationMethod: simple<o:p></o:p> followReferrals: TRUE<o:p></o:p> defaultSearchScope: one<o:p></o:p> searchTimeLimit: 30<o:p></o:p> profileTTL: 43200<o:p></o:p> cn: default<o:p></o:p> credentialLevel: proxy<o:p></o:p> serviceSearchDescriptor: passwd:ou=People,dc=example,dc=com?one<o:p></o:p> serviceSearchDescriptor: group:ou=group,dc=example,dc=com?one<o:p></o:p> serviceSearchDescriptor: shadow:ou=People,dc=example,dc=com?one<o:p></o:p> serviceSearchDescriptor: netgroup:ou=netgroup,dc=example,dc=com?one<o:p></o:p> bindTimeLimit: 10<o:p></o:p> <o:p> </o:p> dn: uid=gtay, ou=People, dc=example,dc=com<o:p></o:p> givenName: Gary<o:p></o:p> sn: Tay<o:p></o:p> loginShell: /bin/bash<o:p></o:p> uidNumber: 6167<o:p></o:p> gidNumber: 102<o:p></o:p> objectClass: top<o:p></o:p> objectClass: person<o:p></o:p> objectClass: organizationalPerson<o:p></o:p> objectClass: inetorgperson<o:p></o:p> objectClass: posixAccount<o:p></o:p> objectClass: shadowAccount<o:p></o:p> uid: gtay<o:p></o:p> cn: Gary Tay<o:p></o:p> homeDirectory: /home/gtay<o:p></o:p> <o:p> </o:p> dn: uid=tuser, ou=People, dc=example,dc=com<o:p></o:p> givenName: Test<o:p></o:p> sn: User<o:p></o:p> loginShell: /bin/bash<o:p></o:p> uidNumber: 9999<o:p></o:p> gidNumber: 102<o:p></o:p> objectClass: top<o:p></o:p> objectClass: person<o:p></o:p> objectClass: organizationalPerson<o:p></o:p> objectClass: inetorgperson<o:p></o:p> objectClass: posixAccount<o:p></o:p> objectClass: shadowAccount<o:p></o:p> uid: tuser<o:p></o:p> cn: Test User<o:p></o:p> homeDirectory: /home/tuser<o:p></o:p> <o:p> </o:p> dn: cn=Users,ou=group,dc=example,dc=com<o:p></o:p> cn: Users<o:p></o:p> gidNumber: 102<o:p></o:p> objectClass: top<o:p></o:p> objectClass: posixGroup<o:p></o:p> memberUid: gtay<o:p></o:p> memberUid: tuser <o:p></o:p> <o:p> </o:p> Congratulation!!! You have populated a LDAP server that is capable for answering name service (uid) lookup requests from any LDAP Client.<o:p></o:p> <o:p> </o:p> <h3>Step 2: Configure Solaris Native LDAP Client (SUN Native LDAP libraries)</h3> <o:p> </o:p> This step is for Solaris8 and Solaris9 Native LDAP Clients.<o:p></o:p> <o:p> </o:p> Assuming client2.example.com and client3.example.com are Solaris8 and Solaris9 Native LDAP Clients respectively. <o:p></o:p> <o:p> </o:p> Please note that for Solaris8 LDAP Client, lastest kernel patch and LDAP VERSION 2 Patch 108993-XX must be applied, for Solaris9 LDAP Client, latest kernel patch and LDAP Patch 112960-XX must be applied.<o:p></o:p> <o:p> </o:p> Log in to client2 or client3 as �root�.<o:p></o:p> <o:p> </o:p> There are two files /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred, the first contain all parameters and the second the password of �proxyAgent�.<o:p></o:p> <o:p> </o:p> To generate them for Solaris8 LDAP Client, as root run ldapclient_init_defaultprofile_sol8.sh<o:p></o:p> <o:p> </o:p> Content of ldapclient_init_defaultprofile_sol8.sh:<o:p></o:p> <o:p> </o:p> /usr/sbin/ldapclient -v -i -a simple -b dc=example,dc=com -c proxy \ -D cn=proxyAgent,ou=profile,dc=example,dc=com -w password \ -S "passwd: ou=People,dc=example,dc=com?one" \ -S "shadow: ou=People,dc=example,dc=com?one" \ -S "group: ou=group,dc=example,dc=com?one" \ -S "netgroup: ou=netgroup,dc=example,dc=com?one" \ 192.168.1.168 echo ... echo As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap echo which contains a bug in "hosts:" entry, we need to repair it sed -e '/^hosts:/s/ldap.*files$/files dns/' \ -e '/^passwd:/a\ shadow: files ldap' \ /etc/nsswitch.ldap >/etc/nsswitch.work cp /etc/nsswitch.work /etc/nsswitch.conf echo ... echo Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf /etc/init.d/nscd stop /etc/init.d/nscd start �echo Done. <o:p></o:p> <o:p> </o:p> # ./ ldapclient_init_defaultprofile_sol8.sh<o:p></o:p> Arguments parsed: �� ��domainName: example.com<o:p></o:p> �� proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com<o:p></o:p> �� profileName: tls_profile<o:p></o:p> �� proxyPassword: password<o:p></o:p> �� defaultServerList: 192.168.1.168<o:p></o:p> Handling init option<o:p></o:p> About to configure machine by downloading a profile<o:p></o:p> findBaseDN: begins<o:p></o:p> findBaseDN: Stopping ldap<o:p></o:p> findBaseDN: calling __ns_ldap_default_config()<o:p></o:p> found 2 namingcontexts<o:p></o:p> findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"<o:p></o:p> rootDN[0] dc=example,dc=com<o:p></o:p> found baseDN dc=example,dc=com for domain example.com<o:p></o:p> Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com<o:p></o:p> Proxy password: {NS1}ecfa88f3a945c411<o:p></o:p> Credential level: 1<o:p></o:p> Authentication method: 3<o:p></o:p> About to modify this machines configuration by writing the files<o:p></o:p> Stopping network services<o:p></o:p> Stopping sendmail<o:p></o:p> Stopping nscd<o:p></o:p> autofs not running<o:p></o:p> ldap not running<o:p></o:p> nisd not running<o:p></o:p> nis_cache not running<o:p></o:p> nispasswd not running<o:p></o:p> <st1:City><st1:place>nis</st1:place></st1:City>(yp) not running<o:p></o:p> Removing existing restore directory<o:p></o:p> file_backup: stat(/etc/nsswitch.conf)=0<o:p></o:p> file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)<o:p></o:p> file_backup: stat(/etc/defaultdomain)=0<o:p></o:p> file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)<o:p></o:p> file_backup: stat(/etc/.rootkey)=-1<o:p></o:p> file_backup: No /etc/.rootkey file.<o:p></o:p> file_backup: stat(/var/<st1:City><st1:place>nis</st1:place></st1:City>/NIS_COLD_START)=-1<o:p></o:p> file_backup: No /var/<st1:City><st1:place>nis</st1:place></st1:City>/NIS_COLD_START file.<o:p></o:p> file_backup: <st1:City><st1:place>nis</st1:place></st1:City> domain is "example.com"<o:p></o:p> file_backup: stat(/var/yp/binding/example.com)=-1<o:p></o:p> file_backup: No /var/yp/binding/example.com directory.<o:p></o:p> file_backup: stat(/var/ldap/ldap_client_file)=0<o:p></o:p> file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)<o:p></o:p> file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)<o:p></o:p> Starting network services<o:p></o:p> start: /usr/bin/domainname example.com... success<o:p></o:p> start: /usr/lib/ldap/ldap_cachemgr... success<o:p></o:p> start: /etc/init.d/autofs start... success<o:p></o:p> start: /etc/init.d/nscd start... success<o:p></o:p> start: /etc/init.d/sendmail start... success<o:p></o:p> <h2>System successfully configured</h2> ... As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap which contains a bug in "hosts:" entry, we need to repair it ... Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf ... Done. <o:p></o:p> <o:p> </o:p> To generate them for Solaris9 LDAP Client, as root run "ldapclient_init_defaultprofile_sol9.sh"<o:p></o:p> <o:p> </o:p> Content of ldapclient_init_defaultprofile_sol9.sh:<o:p></o:p> <o:p> </o:p> /usr/sbin/ldapclient -v init \<o:p></o:p> -a profileName=default \<o:p></o:p> -a domainName=example.com \ <o:p></o:p> -a proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com \<o:p></o:p> -a proxyPassword=password 192.168.1.168<o:p></o:p> # As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap<o:p></o:p> # which contains a bug in "hosts:" entry, we need to repair it<o:p></o:p> sed -e '/^hosts:/s/ldap.*files$/files dns/' \<o:p></o:p> �� -e '/^passwd:/a\<o:p></o:p> shadow:�� files ldap' \<o:p></o:p> �� /etc/nsswitch.ldap >/etc/nsswitch.work<o:p></o:p> cp /etc/nsswitch.work /etc/nsswitch.conf<o:p></o:p> # Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf<o:p></o:p> /etc/init.d/nscd stop<o:p></o:p> /etc/init.d/nscd start<o:p></o:p> <o:p> </o:p> # ./ ldapclient_init_defaultprofile_sol9.sh<o:p></o:p> Parsing profileName=default<o:p></o:p> Parsing domainName=example.com<o:p></o:p> Parsing proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com<o:p></o:p> Parsing proxyPassword=password<o:p></o:p> Arguments parsed:<o:p></o:p> �� domainName: example.com<o:p></o:p> �� proxyDN: cn=proxyagent,ou=profile, dc=example,dc=com<o:p></o:p> �� profileName: default<o:p></o:p> �� proxyPassword: password<o:p></o:p> �� defaultServerList: 192.168.1.168<o:p></o:p> Handling init option<o:p></o:p> About to configure machine by downloading a profile<o:p></o:p> findBaseDN: begins<o:p></o:p> findBaseDN: Stopping ldap<o:p></o:p> findBaseDN: calling __ns_ldap_default_config()<o:p></o:p> found 2 namingcontexts<o:p></o:p> findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain= example.com))"<o:p></o:p> rootDN[0] dc=example,dc=com<o:p></o:p> found baseDN dc=example,dc=com for domain example.com<o:p></o:p> Proxy DN: cn=proxyagent,ou=profile, dc=example,dc=com<o:p></o:p> Proxy password: {NS1}ecfa88f3a945c411<o:p></o:p> Credential level: 1<o:p></o:p> Authentication method: 1<o:p></o:p> About to modify this machines configuration by writing the files<o:p></o:p> Stopping network services<o:p></o:p> Stopping sendmail<o:p></o:p> Stopping nscd<o:p></o:p> Stopping autofs<o:p></o:p> ldap not running<o:p></o:p> nisd not running<o:p></o:p> nis_cache not running<o:p></o:p> nispasswd not running<o:p></o:p> <st1:City><st1:place>nis</st1:place></st1:City>(yp) not running<o:p></o:p> Removing existing restore directory<o:p></o:p> file_backup: stat(/etc/nsswitch.conf)=0<o:p></o:p> file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)<o:p></o:p> file_backup: stat(/etc/defaultdomain)=0<o:p></o:p> file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)<o:p></o:p> file_backup: stat(/var/<st1:City><st1:place>nis</st1:place></st1:City>/NIS_COLD_START)=-1<o:p></o:p> file_backup: No /var/<st1:City><st1:place>nis</st1:place></st1:City>/NIS_COLD_START file.<o:p></o:p> file_backup: <st1:City><st1:place>nis</st1:place></st1:City> domain is "example.com"<o:p></o:p> file_backup: stat(/var/yp/binding/example.com)=-1<o:p></o:p> file_backup: No /var/yp/binding/example.com directory.<o:p></o:p> file_backup: stat(/var/ldap/ldap_client_file)=0<o:p></o:p> file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)<o:p></o:p> file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)<o:p></o:p> Starting network services<o:p></o:p> start: /usr/bin/domainname example.com... success<o:p></o:p> start: /usr/lib/ldap/ldap_cachemgr... success<o:p></o:p> start: /etc/init.d/autofs start... success<o:p></o:p> start: /etc/init.d/nscd start... success<o:p></o:p> start: /etc/init.d/sendmail start... success<o:p></o:p> System successfully configured <o:p></o:p> # <o:p></o:p> <o:p> </o:p> Now that /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred are generated, do take a look at their contents.<o:p></o:p> <o:p> </o:p> Coment of /var/ldap/ldap_client_file: <o:p> </o:p> NS_LDAP_FILE_VERSION= 2.0<o:p></o:p> NS_LDAP_SERVERS= 192.168.1.168<o:p></o:p> NS_LDAP_SEARCH_BASEDN= dc=example,dc=com<o:p></o:p> NS_LDAP_AUTH= simple<o:p></o:p> NS_LDAP_SEARCH_REF= TRUE<o:p></o:p> NS_LDAP_SEARCH_SCOPE= one<o:p></o:p> NS_LDAP_SEARCH_TIME= 30<o:p></o:p> NS_LDAP_CACHETTL= 43200<o:p></o:p> NS_LDAP_PROFILE= default<o:p></o:p> NS_LDAP_CREDENTIAL_LEVEL= proxy<o:p></o:p> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one<o:p></o:p> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one<o:p></o:p> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one<o:p></o:p> NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one<o:p></o:p> NS_LDAP_BIND_TIME= 10<o:p></o:p> <o:p> </o:p> Coment of /var/ldap/ldap_client_cred:<o:p></o:p> <o:p> </o:p> NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com<o:p></o:p> NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411<o:p></o:p> <o:p> </o:p> (Tips: see Appendix for a script called cr_proyAgent_pw_in_NS1_format.sh to find out the {NS1} formatted password of proxyAgent, this script can only be run on Solaris8)<o:p></o:p> <o:p> </o:p> Check and change the file permission of BOTH ldap_client_file and ldap_client_cred if needed<o:p></o:p> <o:p> </o:p> # cd /var/ldap<o:p></o:p> # chmod 400 ldap_client_file ldap_client_cred<o:p></o:p> <o:p> </o:p> Edit /etc/nsswitch.conf, make sure that these lines exist:<o:p></o:p> <o:p> </o:p> passwd:�� files ldap<o:p></o:p> group:�� files ldap<o:p></o:p> shadow:�� files ldap<o:p></o:p> hosts:�� files dns<o:p></o:p> <o:p> </o:p> Now try refreshing ldap_cachemgr and nscd<o:p></o:p> <o:p> </o:p> # /etc/init.d/ldap.client stop<o:p></o:p> # /etc/init.d/ldap.client start<o:p></o:p> # ps -ef | grep ldap<o:p></o:p> # /etc/init.d/nscd stop<o:p></o:p> # /etc/init.d/nscd start<o:p></o:p> # ps -ef | grep nscd<o:p></o:p> <o:p> </o:p> Make sure also that ldap1.example is defined in BOTH "/etc/hosts" files and DNS, and that "hosts: files dns" instead of "host: files ldap" is defined in /etc/nsswitch.conf. If "hosts: files ldap" is used, there will be error messages during login, i.e. "unknown host or invalid literal address".<o:p></o:p> <o:p> </o:p> To test the name service, on top of using "id" and "getent", there is also "ldaplist" command<o:p></o:p> <o:p> </o:p> # /usr/lib/ldap/ldap_cachemgr -g<o:p></o:p> # id tuser<o:p></o:p> uid=9999(tuser) gid=102(Users)<o:p></o:p> # getent passwd tuser<o:p></o:p> tuser::9999:102::/home/tuser:/bin/bash<o:p></o:p> # ldaplist -l passwd tuser<o:p></o:p> dn: uid=tuser,ou=People,dc=example,dc=com<o:p></o:p> �� givenName: Test<o:p></o:p> �� sn: User<o:p></o:p> �� loginShell: /bin/bash<o:p></o:p> �� uidNumber: 9999<o:p></o:p> �� gidNumber: 102<o:p></o:p> �� objectClass: top<o:p></o:p> �� objectClass: person<o:p></o:p> �� objectClass: organizationalPerson<o:p></o:p> �� objectClass: inetorgperson<o:p></o:p> �� objectClass: posixAccount<o:p></o:p> �� objectClass: shadowAccount<o:p></o:p> �� uid: tuser<o:p></o:p> �� cn: Test User<o:p></o:p> �� homeDirectory: /home/tuser<o:p></o:p> <o:p> </o:p> Tips 1: If there is problem looking up the LDAP entries, try to look for errors in /var/adm/messages and/or /var/log/syslog. The LDAP Server log files are also good source to pick up clues.<o:p></o:p> <h3><o:p> </o:p></h3> Tips 2: How could we prevent �userPassword� from being listed by �ldaplist -l� or �ldapaddent -d�?<o:p></o:p> <o:p> </o:p> In Fedora Managemant Console, open Directory Server, select defaultSearchBase, i.e. dc=example,dc=com and edit one of the listed ACIs, which is usually named �LDAP_Naming_Services_proxy_password_read�:<o:p></o:p> <o:p> </o:p> Change it.<o:p></o:p> From:<o:p></o:p> (target="<a href="ldap://dc=example" target="_blank">ldap:///dc=example</a>,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,read,search) userdn = "<a href="ldap://cn=proxyagent" target="_blank">ldap:///cn=proxyagent</a>,ou=profile,dc=example,dc=com";)<o:p></o:p> <o:p> </o:p> To:<o:p></o:p> (target="<a href="ldap://dc=example" target="_blank">ldap:///dc=example</a>,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "<a href="ldap://cn=proxyagent" target="_blank">ldap:///cn=proxyagent</a>,ou=profile,dc=example,dc=com";)<o:p></o:p> <o:p> </o:p> <o:p> </o:p> Congratulation!!! You have successfully configured a Solaris Native LDAP Client that is capable for querying name service (uid) from the LDAP Server.<o:p></o:p> <o:p> </o:p> <o:p> </o:p> Appendix:<o:p></o:p> <o:p> </o:p> Appendix 1: Content of chk_patches_sjes_ds52.sh:<o:p></o:p> <pre><o:p> </o:p></pre><pre>#! /bin/sh</pre><pre>#</pre><pre># chk_patches_sjes_ds52.sh</pre><pre>#</pre><pre># Gary Tay, <st1:date Month="4" Day="1" Year="2005">1-Apr-2005</st1:date> written</pre><pre>#</pre><pre># Pls customize the patches you are checking, use blank to separate</pre><pre># multiple patch ids, eg: 5.9:112345 113456</pre><pre>#</pre><pre># Pls refer to:</pre><pre># <a href="http://docs.sun.com/source/817-7611/index.html#wp33336">http://docs.sun.com/source/817-7611/index.html#wp33336</a></pre><pre>#</pre><pre>#114677-08 SunOS 5.9: International Components for Unicode Patch</pre><pre>#117724-10 SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0</pre><pre>#115342-01 SunOS 5.9: Simple Authentication and Security Layer (2.01)</pre><pre>#115610-18 SunOS 5.9_sparc: Administration Server 5.2 patch</pre><pre>#115614-20 SunOS 5.9: Directory Server 5.2 patch</pre><pre>#117015-16 Patch for localized Solaris packages</pre><pre>#116837-02 LDAP CSDK - SUNWldk, SUNWldkx</pre><pre>#</pre><pre># Solaris 8: (DS 5.2 Patch3 for the package version)</pre><pre>#115610 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (Adminserv)</pre><pre>#115614 SunOS 5.9 : Sun Java(TM) System Directory Server 5.2 patch 3 (DS)</pre><pre>#117722 SunOS 5.8: NSPR 4.5.1 / NSS 3.9.5 / JSS 4.0...</pre><pre>#118615 LDAP Java Development Kit 4.17 SunOS 5.8 5.9 _x86: genesis patch</pre><pre>#</pre><pre># Solaris 8: LDAP-Client</pre><pre>#108993 LDAP-Client for Solaris 8 (phase II)</pre><pre>#108808 LDAP-Client for Solaris 8 (man-pages)</pre><pre>#</pre><pre># And at your option for for JES 114045</pre><pre><o:p> </o:p></pre><pre>cat >/tmp/chk_patches$$.tmp <<EOF</pre><pre>5.8:108993 115610 115614 117722 118615 108808 114045</pre><pre>5.9:114677 117724 115342 115610 115614 117015 116837</pre><pre>EOF</pre><pre>SOLARIS_VER=`uname -r`</pre><pre>PATCH_IDS=`grep "$SOLARIS_VER" /tmp/chk_patches$$.tmp | cut -d: -f2`</pre><pre>for i in `echo $PATCH_IDS`</pre><pre>do</pre><pre>�� RESULT=`showrev -p | grep "^Patch: $i-"`</pre><pre>�� [ -n "$RESULT" ] && echo $RESULT</pre><pre>�� [ -z "$RESULT" ] && echo PATCH $i not found...</pre><pre>done</pre><pre>/bin/rm -f /tmp/chk_patches$$.tmp</pre><pre><o:p> </o:p></pre> Example of running chk_patches_sjes_ds52.sh:<o:p></o:p> <o:p> </o:p> # ./chk_patches_sjes_ds52.sh Patch: 114677-08 Obsoletes: Requires: Incompatibles: Packages: SUNWicu, SUNWicux Patch: 117724-10 Obsoletes: 115926-10 Requires: Incompatibles: Packages: SUNWtls, SUNWtlsx, SUNWpr, SUNWjss, SUNWprx Patch: 115342-01 Obsoletes: Requires: Incompatibles: Packages: SUNWsasl, SUNWsaslx Patch: 115610-17 Obsoletes: Requires: Incompatibles: Packages: SUNWasvc, SUNWasvu, SUNWasvr, SUNWasvcp Patch: 115614-19 Obsoletes: 117907-02 Requires: 115610-17 Incompatibles: Packages: SUNWdsvr, SUNWdsvcp, SUNWdsvh, SUNWdsvhx, SUNWdsvu, SUNWdsvx, SUNWdsvpl<o:p></o:p> PATCH 117015 not found... Patch: 116837-02 Obsoletes: Requires: Incompatibles: Packages: SUNWldk # <pre><o:p> </o:p></pre> Appendix 2: Troubleshooting LDAP Search issue in access log<o:p></o:p> (From Fedora Directory Server mail list archive)<o:p></o:p> <pre><o:p> </o:p></pre><pre>Look in the access log on the FDS server for connections from that </pre><pre>workstation (grep on the IP of that workstations, or one of the user </pre><pre>id's that are trying to auth, etc).� When you find it, grep out conn=xxx</pre><pre><o:p> </o:p></pre><pre>(where xxx is the connection # from that IP) so you get the complete </pre><pre>connection from start to finish.</pre><pre><o:p> </o:p></pre><pre>- Look at the BIND lines to see what that workstation is binding as.</pre><pre>- Look at the SRCH lines, to see what basedn and filter is being used.� </pre><pre>- Look at the result line (right after the SRCH line) to see what the </pre><pre>results are (though you'll probably just see err=32, which is no such </pre><pre>object).� If there are multiple SRCH lines, check each one.</pre><pre>- Check the ACI's set on your suffix - in console, click on the </pre><pre>Directory tab then right click on the top entry in your tree, and select</pre><pre><o:p> </o:p></pre><pre>"set permissions" (something like that - doing this from memory).� Make </pre><pre>sure the appropriate access is set.</pre><pre><o:p> </o:p></pre><pre>You may have to look throughout your tree for aci's to be sure you find everything. </pre><pre>(ldapsearch -D cn=directory manager -w - ... -b "your basedn" "(aci=*)" </pre><pre>"aci"� to find 'em all.)</pre><pre><o:p> </o:p></pre> <h4>Appendix 3: Content of cr_proxyAgent_pw_in_NS1_format.sh (Solaris8 specific ldap_gen_profile command)<o:p></o:p></h4> <o:p> </o:p> # cat cr_proxyAgent_pw_in_NS1_format.sh<o:p></o:p> /usr/sbin/ldap_gen_profile -P testprofile -b "dc=example,dc=com" \ -D "cn=proxyAgent,ou=profiLe,dc=example,dc=com" -w password \ 192.168.1.168 <o:p></o:p> # ./cr_proxyAgent_pw_in_NS1_format.sh dn: cn=testprofile,ou=profile,dc=example,dc=com SolarisBindDN: cn=proxyAgent,ou=profiLe,dc=example,dc=com SolarisBindPassword: {NS1}ecfa88f3a945c411 SolarisLDAPServers: 192.168.1.168 SolarisSearchBaseDN: dc=example,dc=com SolarisAuthMethod: NS_LDAP_AUTH_NONE SolarisTransportSecurity: NS_LDAP_SEC_NONE SolarisSearchReferral: NS_LDAP_FOLLOWREF SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL SolarisSearchTimeLimit: 30 SolarisCacheTTL: 43200 cn: testprofile SolarisBindTimeLimit: 30 ObjectClass: top ObjectClass: SolarisNamingProfile <![if !supportLineBreakNewLine]> <![endif]> Appendix 4: Content of 61DUAConfigProfile.ldif:<o:p></o:p> <pre><o:p> </o:p></pre><pre>dn: cn=schema<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<o:p></o:p></pre><pre>objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )<o:p></o:p></pre><pre>dn: cn=schema<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )<o:p></o:p></pre><pre>attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )<o:p></o:p></pre><pre>objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )<o:p></o:p></pre><pre><o:p> </o:p></pre> <h3>--- End-of-Doc ---</h3> <o:p> </o:p> </div> </body> </html>