| Skip Navigation Links | |
| Exit Print View | |
 | man pages section 1M: System Administration Commands Oracle Solaris 11 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
| man pages section 1M: System Administration Commands Oracle Solaris 11 Information Library |
- initialize LDAP client machine or output an LDAP client profile in LDIF format
/usr/sbin/ldapclient [-v |-q] init [-a profileName=profileName] [-a domainName=domain] [-a proxyDN=proxyDN] [-a proxyPassword=password] [-a authenticationMethod=authenticationMethod] [-a enableShadowUpdate=true | false] [-a adminDN=adminDN] [-a adminPassword=adminPassword] [-a certificatePath=path] [-dbindDN] [-wbindPassword] [-jpasswdFile] [-ypasswdFile] [-zadminrPasswdFile]LDAP_server[:port_number]
/usr/sbin/ldapclient [-v |-q] manual [-a attrName=attrVal]
/usr/sbin/ldapclient [-v |-q] mod [-a attrName=attrVal]
/usr/sbin/ldapclient [-v |-q] list
/usr/sbin/ldapclient [-v |-q] uninit
/usr/sbin/ldapclient [-v |-q] genprofile-a profileName=profileName [-a attrName=attrVal]
Theldapclient utility can be used to:
initialize LDAP client machines
restore the network service environment on LDAP clients
list the contents of the LDAP client cache in human readable format.
Theinit form of theldapclient utility is used to initialize anLDAP client machine, using a profile stored on an LDAP server specifiedbyLDAP_server. The LDAP client will use the attributes in the specifiedprofile to determine the configuration of the LDAP client. Using a configuration profileallows for easy installation of LDAP client and propagation of configuration changesto LDAP clients. Theldap_cachemgr(1M) utility will update the LDAP client configurationwhen its cache expires by reading the profile. For more information onthe configuration profile refer to IETF documentA Configuration Schema for LDAP Based Directory User Agents.
Themanual form of theldapclient utility is used to initialize anLDAP client machine manually. The LDAP client will use the attributes specifiedon the command line. Any unspecified attributes will be assigned their defaultvalues. At least one server must be specified in thedefaultServerList or thepreferredServerList attributes.ThedomainName attribute must be specified if the client'sdomainName isnot set.
Themod form of theldapclient utility is used to modify theconfiguration of an LDAP client machine that was setup manually. This optionmodifies only those LDAP client configuration attributes specified on the command line.Themod option should only be used on LDAP clients that were initializedusing themanual option.
Regardless of which method is used for initialization, if a client isto be configured to use a proxycredentialLevel, proxy credentials must beprovided using-aproxyDN=proxyDN and-aproxyPassword=proxyPassword options. However, if-aproxyPassword=proxyPasswordis not specified,ldapclient will prompt for it. Note thatNULL passwordsare not allowed in LDAP. If a selfcredentialLevel is configured,authenticationMethod mustbesasl/GSSAPI.
Similarily, if a client is to be configured to enable shadow informationupdate and use a proxy credentialLevel, administrator credentials must be provided using-aadminDN=adminDN and-aadminPassword=adminPassword. However, the shadow information update does notneed the administrator credentials if a selfcredentialLevel is configured.
The naming service-specific configuration properties are stored in thesvc:/network/ldap/client SMF service.Modifying the SMF properties directly is not advised. Use this tool instead.
Other configuration might be modified during installation. It will be backed upto/var/ldap/restore. The files that are typically modified during initialization are:
/etc/nsswitch.conf
/etc/defaultdomain (if it exists)
/var/yp/binding/`domainname` (for a NIS [YP] client)
ldapclient does not set up a client to resolve hostnames using DNS.It simply copies/etc/nsswitch.ldap to/etc/nsswitch.conf. If you prefer to use DNSfor host resolution, please refer to the DNS documentation for information on settingup DNS. Seeresolv.conf(4). If you want to usesasl/GSSAPI as theauthentication method, you have to use DNS forhosts andipnodes resolution.
Thelist form of theldapclient utility is used to list theLDAP client configuration. The output will be human readable. LDAP configuration filesare not guaranteed to be human readable. Note that for security reason,the values for adminDN and adminPassword will not be displayed.
Theuninit form of theldapclient utility is used to uninitialize thenetwork service environment, restoring it to the state it was in priorto the last execution ofldapclient usinginit ormanual. The restoration willsucceed only if the machine was initialized with theinit ormanualform ofldapclient, as it uses the backup files created by theseoptions.
Thegenprofile option is used to write an LDIF formatted configuration profilebased on the attributes specified on the command line to standard output.This profile can then be loaded into an LDAP server to beused as the client profile, which can be downloaded by means of theldapclient init command. Loading the LDIF formatted profile to the directory server canbe done throughldapadd(1), or through any server specific import tool. Note thatthe attributesproxyDN,proxyPassword,certificatePath,domainName,enableShadowUpdate,adminDN, andadminPassword are not partof the configuration profile and thus are not permitted.
You must have superuser privileges to run theldapclient command, except withthegenprofile option.
To access the information stored in the directory, clients can either authenticateto the directory, or use an unauthenticated connection. The LDAP client isconfigured to have a credential level of eitheranonymous orproxy. Inthe first case, the client does not authenticate to the directory. In thesecond case, client authenticates to the directory using a proxy identity forread access, and using a administrator identity for write access ifenableShadowUpdateis configured. In the third case, client authenticates to the directory using aKerberos principal that is mapped to an LDAP identity by the LDAPserver. Refer to the chapter on implementing security in theOracle Solaris Administration: Naming and Directory Services oryour appropriate directory server documentation for identity mapping details.
If a client is configured to use an identity, you can configurewhich authentication method the client will use. The LDAP client supports thefollowing authentication methods:
|
Note that some directory servers may not support all of these authenticationmethods. Forsimple, be aware that the bind password will be sentin the clear to the LDAP server. For those authentication methods usingTLS (transport layer security), the entire session is encrypted. You will need toinstall the appropriate certificate databases to use TLS.
The following commands are supported:
Initialize client from a profile on a server.
Manually initialize client with the specified attribute values.
Modify attribute values in the configuration file after a manual initialization of the client.
Write the contents of the LDAP client cache to standard output in human readable form.
Uninitialize an LDAP client, assuming thatldapclient was used to initialize the client.
Generate a configuration profile in LDIF format that can then be stored in the directory for clients to use, with theinit form of this command.
The following attributes are supported:
Specify the Bind Distinguished Name for the administrator identity that is used for shadow information update. This option is required if the credential level isproxy, andenableShadowUpdate is set totrue. There is no default value.
Specify the administrator password. This option is required if the credential level isproxy, andenableShadowUpdate is set totrue. There is no default value.
Specify a mapping from an attribute defined by a service to an attribute in an alternative schema. This can be used to change the default schema used for a given service. The syntax ofattributeMap is defined in the profile IETF draft. This option can be specified multiple times. The default value for all services isNULL. In the example,
attributeMap: passwd:uid=employeeNumber
the LDAP client would use the LDAP attributeemployeeNumber rather thanuid for thepasswd service. This is a multivalued attribute.
Specify the default authentication method used by all services unless overridden by theserviceAuthenticationMethod attribute. Multiple values can be specified by using a semicolon-separated list. The default value isnone. For those services that usecredentialLevel andcredentialLevel isanonymous, this attribute is ignored. Services such aspam_ldap will use this attribute, even ifcredentialLevel is anonymous. The supported authentication methods are described above. If the authenticationMethod issasl/GSSAPI, thehosts andipnodes of/etc/nsswitch.conf must be configured with DNS support, for example:
hosts: dns filesipnodes: dns files
The maximum time in seconds that a client should spend performing a bind operation. Set this to a positive integer. The default value is 30.
The certificate path for the location of the certificate database. The value is the path where security database files reside. This is used for TLS support, which is specified in theauthenticationMethod andserviceAuthenticationMethod attributes. The default is/var/ldap.
Specify the credential level the client should use to contact the directory. The credential levels supported are eitheranonymous orproxy. If aproxy credential level is specified, then theauthenticationMethod attribute must be specified to determine the authentication mechanism. Also, if the credential level isproxy and at least one of the authentication methods require a bind DN, theproxyDN andproxyPassword attribute values must be set. In addition, ifenableShadowUpdate is set totrue, theadminDN andadminPassword values must be set. If a self credential level is specified, theauthenticationMethod must besasl/GSSAPI.
Specify the default search base DN. There is no default. TheserviceSearchDescriptor attribute can be used to override thedefaultSearchBase for given services.
Specify the default search scope for the client's search operations. This default can be overridden for a given service by specifying aserviceSearchDescriptor. The default is one level search.
A space separated list of server names or server addresses, either IPv4 or IPv6. If you specify server names, be sure that the LDAP client can resolve the name without the LDAP name service. You must resolve the LDAP servers' names by using eitherfiles ordns. If the LDAP server name cannot be resolved, your naming service will fail.
The port number is optional. If not specified, the default LDAP server port number 389 is used, except when TLS is specified in the authentication method. In this case, the default LDAP server port number is 636.
The format to specify the port number for an IPv6 address is:
[ipv6_addr]:port
To specify the port number for an IPv4 address, use the following format:
ipv4_addr:port
If the host name is specified, use the format:
host_name:port
If you use TLS, the LDAP server's hostname must match the hostname in the TLS certificate. Typically, the hostname in the TLS certificate is a fully qualified domain name. With TLS, the LDAP server host addresses must resolve to the hostnames in the TLS certificate. You must usefiles ordns to resolve the host address.
Specify the DNS domain name. This becomes the default domain for the machine. The default is the current domain name. This attribute is only used in client initialization.
Specify whether the client is allowed to update shadow information. If set totrue and the credential level isproxy,adminDN andadminPassword must be specified.
Specify the referral setting. A setting of true implies that referrals will be automatically followed and false would result in referrals not being followed. The default is true.
Specify a mapping from anobjectclass defined by a service to anobjectclass in an alternative schema. This can be used to change the default schema used for a given service. The syntax ofobjectclassMap is defined in the profile IETF draft. This option can be specified multiple times. The default value for all services isNULL. In the example,
objectclassMap=passwd:posixAccount=unixAccount
the LDAP client would use the LDAPobjectclass ofunixAccount rather than theposixAccount for thepasswd service. This is a multivalued attribute.
Specify the space separated list of server names or server addresses, either IPv4 or IPv6, to be contacted before servers specified by thedefaultServerList attribute. If you specify server names, be sure that the LDAP client can resolve the name without the LDAP name service. You must resolve the LDAP servers' names by using eitherfiles ordns. If the LDAP server name cannot be resolved, your naming service will fail.
The port number is optional. If not specified, the default LDAP server port number 389 is used, except when TLS is specified in the authentication method. In this case, the default LDAP server port number is 636.
The format to specify the port number for an IPv6 address is:
[ipv6_addr]:port
To specify the port number for an IPv4 address, use the following format:
ipv4_addr:port
If the host name is specified, use the format:
host_name:port
If you use TLS, the LDAP server's hostname must match the hostname in the TLS certificate. Typically, the hostname in the TLS certificate is a fully qualified domain name. With TLS, the LDAP server host addresses must resolve to the hostnames in the TLS certificate. You must usefiles ordns to resolve the host address.
Specify the profile name. Forldapclient init, this attribute is the name of an existing profile which may be downloaded periodically depending on the value of theprofileTTL attribute. Forldapclient genprofile, this is the name of the profile to be generated. The default value isdefault.
Specify the TTL value in seconds for the client information. This is only relevant if the machine was initialized with a client profile. If you do not wantldap_cachemgr(1M) to attempt to refresh the LDAP client configuration from the LDAP server, setprofileTTL to 0 (zero). Valid values are either zero 0 (for no expiration) or a positive integer in seconds. The default value is 12 hours.
Specify the Bind Distinguished Name for the proxy identity. This option is required if the credential level isproxy, and at least one of the authentication methods requires a bind DN. There is no default value.
Specify client proxy password. This option is required if the credential level isproxy, and at least one of the authentication methods requires a bind DN. There is no default.
Specify maximum number of seconds allowed for an LDAP search operation. The default is 30 seconds. The server may have its own search time limit.
Specify authentication methods to be used by a service in the formservicename:authenticationmethod, for example:
pam_ldap:tls:simple
For multiple authentication methods, use a semicolon-separated list. The default value is no service authentication methods, in which case, each service would default to theauthenticationMethod value. The supported authentications are described above.
Three services support this feature:passwd-cmd,keyserv, andpam_ldap. Thepasswd-cmd service is used to define the authentication method to be used bypasswd(1) to change the user's password and other attributes. Thekeyserv service is used to identify the authentication method to be used by thechkey(1) andnewkey(1M) utilities. Thepam_ldap service defines the authentication method to be used for authenticating users whenpam_ldap(5) is configured. If this attribute is not set for any of these services, theauthenticationMethod attribute is used to define the authentication method. This is a multivalued attribute.
Specify credential level to be used by a service. Multiple values can be specified in a space-separated list. The default value for all services isNULL. The supported credential levels are:anonymous orproxy. At present, no service uses this attribute. This is a multivalued attribute.
Override the default base DN for LDAP searches for a given service. The format of the descriptors also allow overriding the default search scope and search filter for each service. The syntax ofserviceSearchDescriptor is defined in the profile IETF draft. The default value for all services isNULL. This is a multivalued attribute. In the example,
serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one
the LDAP client would do a one level search inou=people,dc=a1,dc=acme,dc=com rather thanou=people,defaultSearchBase for thepasswd service.
The following options are supported:
SpecifyattrName and its value. SeeSYNOPSIS for a complete list of possible attribute names and values.
Specifies an entry that has read permission for the requested database.
Specify a file containing the password for the bind DN or the password for the SSL client's key database. To protect the password, use this option in scripts and place the password in a secure file. This option is mutually exclusive of the-w option.
Quiet mode. No output is generated.
Verbose output.
Password to be used for authenticating the bind DN. If this parameter is missing, the command will prompt for a password.NULL passwords are not supported in LDAP.
When you use-wbindPassword to specify the password to be used for authentication, the password is visible to other users of the system by means of theps command, in script files, or in shell history.
If you supply “-” (hyphen) as a password, the command will prompt for a password.
Specify a file containing the password for the proxy DN. To protect the password, use this option in scripts and place the password in a secure file. This option is mutually exclusive of the-aproxyPassword option.
Specify a file containing the password for theadminDN. To protect the password, use this option in scripts and place the password in a secure file. This option is mutually exclusive of the-aadminPassword option.
The following operand is supported:
An address or a name for the LDAP server from which the profile will be loaded. The current naming service specified in thensswitch.conf file is used. Once the profile is loaded, thepreferredServerList anddefaultServerList specified in the profile are used.
Example 1 Setting Up a Client By Using the Default Profile Stored on a Specified LDAP Server
The following example shows how to set up a client using thedefault profile stored on the specified LDAP server. This command will onlybe successful if either the credential level in the profile is settoanonymous or the authentication method is set tonone.
example#ldapclient init 172.16.100.1
Example 2 Setting Up a Client By Using thesimple Profile Stored on a Specified LDAP Server
The following example shows how to set up a client using thesimple profile stored on the specified LDAP server. The domainname is settoxyz.mycompany.com and the proxyPassword issecret.
example#ldapclient init -a profileName=simple \ -a domainName=xyz.mycompany.com \ -a proxyDN=cn=proxyagent,ou=profile,dc=xyz,dc=mycompany,dc=com \ -a proxyPassword=secret '['fe80::a00:20ff:fea3:388']':386
Example 3 Setting Up a Client Using Only One Server
The following example shows how to set up a client using onlyone server. The authentication method is set tonone, and the searchbase isdc=mycompany,dc=com.
example#ldapclient manual -a authenticationMethod=none \ -a defaultSearchBase=dc=mycompany,dc=com \ -a defaultServerList=172.16.100.1
Example 4 Setting Up a Client Using Only One Server That Does Not Follow Referrals
The following example shows how to set up a client using onlyone server. The credential level is set toproxy. The authentication methodof issasl/CRAM-MD5, with the option not to follow referrals. The domainname isxyz.mycompany.com, and the LDAP server is running on port number 386at IP address172.16.100.1.
example#ldapclient manual \ -a credentialLevel=proxy \ -a authenticationMethod=sasl/CRAM-MD5 \ -a proxyPassword=secret \ -a proxyDN=cn=proxyagent,ou=profile,dc=xyz,dc=mycompany,dc=com \ -a defaultSearchBase=dc=xyz,dc=mycompany,dc=com \ -a domainName=xyz.mycompany.com \ -a followReferrals=false \ -a defaultServerList=172.16.100.1:386
Example 5 Usinggenprofile to Set Only thedefaultSearchBase and the Server Addresses
The following example shows how to use thegenprofile command to setthedefaultSearchBase and the server addresses.
example#ldapclient genprofile -a profileName=myprofile \ -a defaultSearchBase=dc=eng,dc=sun,dc=com \ -a "defaultServerList=172.16.100.1 172.16.234.15:386" \ > myprofile.ldif
Example 6 Creating a Profile on IPv6 servers
The following example creates a profile on IPv6 servers
example#ldapclient genprofile -a profileName=eng \ -a credentialLevel=proxy \ -a authenticationMethod=sasl/DIGEST-MD5 \ -a defaultSearchBase=dc=eng,dc=acme,dc=com \ -a "serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one"\ -a preferredServerList= '['fe80::a00:20ff:fea3:388']' \ -a "defaultServerList='['fec0::111:a00:20ff:fea3:edcf']' \ '['fec0::111:a00:20ff:feb5:e41']'" > eng.ldif
Example 7 Creating a Profile That Overrides Every Default Value
The following example shows a profile that overrides every default value.
example#ldapclient genprofile -a profileName=eng \ -a credentialLevel=proxy -a authenticationMethod=sasl/DIGEST-MD5 \ -a bindTimeLimit=20 \ -a defaultSearchBase=dc=eng,dc=acme,dc=com \ -a "serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=acme,dc=com?one"\ -a serviceAuthenticationMethod=pam_ldap:tls:simple \ -a defaultSearchScope=sub \ -a attributeMap=passwd:uid=employeeNumber \ -a objectclassMap=passwd:posixAccount=unixAccount \ -a followReferrals=false -a profileTTL=6000 \ -a preferredServerList=172.16.100.30 -a searchTimeLimit=30 \ -a "defaultServerList=172.16.200.1 172.16.100.1 192.168.5.6" > eng.ldif
The following exit values are returned:
The command successfully executed.
An error occurred. An error message is output.
proxyDN andproxyPassword attributes are required, but they are not provided.
Contain the LDAP configuration of the client. These files are not to be modified manually. Their content is not guaranteed to be human readable. Useldapclient to update them.
System default domain name, matching the domain name of the data in the LDAP servers. Seedefaultdomain(4).
Configuration file for the name-service switch. Seensswitch.conf(4).
Sample configuration file for the name-service switch configured with LDAP and files.
Seeattributes(5) for descriptions of the following attributes:
|
chkey(1),ldapadd(1),ldapdelete(1),ldaplist(1),ldapmodify(1),ldapmodrdn(1),ldapsearch(1),idsconfig(1M),ldapaddent(1M),ldap_cachemgr(1M),defaultdomain(4),nsswitch.conf(4),resolv.conf(4),attributes(5)
CurrentlyStartTLS is not supported bylibldap.so.5, therefore the port number providedrefers to the port used during a TLS open, rather than theport used as part of aStartTLS sequence. To avoid timeout delays,mixed use of TLS and non-TLS authentication mechanisms is not recommended.
For example:
-h foo:1000 -a authenticationMethod=tls:simple
...or:
defaultServerList= foo:1000authenticationMethod= tls:simple
The preceding refers to a raw TLS open on hostfoo port1000, not an open, StartTLS sequence on an unsecured port 1000. Ifport 1000 is unsecured the connection will not be made.
As a second example, the following will incur a significant timeout delaywhile attempting the connection tofoo:636 with an unsecured bind.
defaultServerList= foo:636 foo:389authenticationMethod= simple
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.Legal Notices |   |