How to configure Solaris to Authenticate against a Sun Java System Access Manager LDAP Server

Author: Jeff Nester

Date: 6/29/2007

Version: 1.1a

email: jeff.nester@sun.com


Table of Contents

1.1       Introduction
1.2       Configuring the LDAP Directory Server
1.3       Configuring a Solaris Server to be an LDAP Client with Anonymous Access
1.4       Configuring a Solaris Server to be an LDAP Client without Anonymous Access
1.5       Configuring Access Manager for UNIX User Creation
1.6       Loading Solaris Server information into LDAP
1.7       Configuring netgroup
1.8       Configuring Solaris Groups Support in LDAP
1.9       Configuring the Solaris Auto_Home Capability in LDAP
1.9.1        Using ldapaddent
1.9.2        Using LDAP Manipulation
1.10     Appendix 1: Work around for idsconfig failing to build indexes
1.11     Appendix 2: Configuring Solaris 8 as an LDAP Client

Note

Throughout this document, whenever a file is referenced you will find to the right of the reference, in parentheses, the source file containing the example. The files are contained within the attached tar file. For example: “Here is an example LDIF file and command to reset Anonymous access: LDIF file: (anonymous/onLDAPServer/addACIsforSolaristoAccMgrAnonymous.ldif)” The file can be found in the tar ball at anonymous/onLDAPServer.

Note 2

All files that are included in this document must be evaluated with respect to your environment. I am sure that the dc=homeunix,dc=net throughout all of the LDAP files will need to be modified. Make sure that you look at each file before running it in your environment.

 


1.1      Introduction

This document will assist in the configuration of LDAP authentication for Solaris systems. Specifically, this guide covers configuring authentication against a Sun Java System Access Manager LDAP instance. There are two primary components in the architecture for providing LDAP authentication to a Solaris or other UNIX server. The first component is a server running a Sun Java System Directory Server into which Sun Java System Access Manager has been installed. Since LDAP becomes the primary source of authentication for all of the UNIX systems, it is recommended that LDAP be configured in a highly available manner: there should be more than one LDAP server, and they should be configured with LDAP multi-master replication. The second component in the architecture is the UNIX LDAP client server. This is the server to which users log in.

 

When Sun Java System Access Manager is installed into a Sun Java System Directory Server it removes the anonymous search and read capabilities from the LDAP instance. The Solaris tools that are used to configure LDAP authentication need anonymous access to perform their tasks; therefore, certain changes must be made to the Access Manager LDAP instance. There are two ways to configure Solaris to use an Access Manager LDAP instance, and two ways to load system information into the directory server.

 

Limiting access on each server to the appropriate users is another key issue when configuring LDAP as the authentication mechanism for UNIX. For example, if there are 10 Solaris servers that all use LDAP authentication, then by default any user in LDAP that has the posixaccount object class will be able to log into any of the 10 boxes. In most production environments it is important to provide access only to the users that need access to a particular server. This limiting is done using netgroup and a modification to the passwd and shadow files. For more information see section 1.7 Configuring netgroup.

 

1.2      Configuring the LDAP Directory Server

After the Access Manager LDAP Directory Server is installed and working properly, the /usr/lib/ldap/idsconfig script must be executed. This script prepares the Directory Server for UNIX LDAP authentication: it adds a number of attributes, object classes and indexes that are needed to support the LDAP authentication model. Before running this script make a backup copy of the existing LDAP directory. To make a backup do the following:

 

/var/opt/mps/serverroot/slapd-{hostname}/stop-slapd
/var/opt/mps/serverroot/stop-admin
cd /var/opt/mps
tar -cf serverrootAccMgr.tar serverroot
/var/opt/mps/serverroot/slapd-{hostname}/start-slapd
/var/opt/mps/serverroot/start-admin

 

 

Now we are ready to proceed with the execution of the script. The following is a sample execution of the script:

 

/usr/lib/ldap/idsconfig

 

It is strongly recommended that you BACKUP the directory server

before running idsconfig.

 

Hit Ctrl-C at any time before the final confirmation to exit.

 

Do you wish to continue with server setup (y/n/h)? [n] y

Enter the iPlanet Directory Server's (iDS) hostname to setup: ldap

Enter the port number for iDS (h=help): [389]

Enter the directory manager DN: [cn=Directory Manager]

Enter passwd for cn=Directory Manager :

Enter the domainname to be served (h=help): [homeunix.net]

Enter LDAP Base DN (h=help): [dc=homeunix,dc=net]

  Checking LDAP Base DN ...

  Validating LDAP Base DN and Suffix ...

Enter the profile name (h=help): [default] homeunixUsers

Default server list (h=help): [208.27.21.248]

Preferred server list (h=help):

Choose desired search scope (one, sub, h=help):  [one]

The following are the supported credential levels:

  1  anonymous

  2  proxy

  3  proxy anonymous

Choose Credential level [h=help]: [1] 2

The following are the supported Authentication Methods:

  1  none

  2  simple

  3  sasl/DIGEST-MD5

  4  tls:simple

  5  tls:sasl/DIGEST-MD5

Choose Authentication Method (h=help): [1] 2

 

Current authenticationMethod: simple

 

Do you want to add another Authentication Method? n

Do you want the clients to follow referrals (y/n/h)? [n]

Do you want to modify the server timelimit value (y/n/h)? [n] y

Enter the time limit for iDS (current=120): [-1]

Do you want to modify the server sizelimit value (y/n/h)? [n] y

Enter the size limit for iDS (current=1000): [-1]

Do you want to store passwords in "crypt" format (y/n/h)? [n] y

Do you want to setup a Service Authentication Methods (y/n/h)? [n]

Client search time limit in seconds (h=help): [30]

Profile Time To Live in seconds (h=help): [43200]

Bind time limit in seconds (h=help): [10]

Do you wish to setup Service Search Descriptors (y/n/h)? [n]

 

              Summary of Configuration

 

  1  Domain to serve               : homeunix.net

  2  Base DN to setup              : dc=homeunix,dc=net

  3  Profile name to create        : homeunixUsers

  4  Default Server List           : 208.27.21.248

  5  Preferred Server List         :

  6  Default Search Scope          : one

  7  Credential Level              : proxy

  8  Authentication Method         : simple

  9  Enable Follow Referrals       : FALSE

 10  iDS Time Limit                : -1

 11  iDS Size Limit                : -1

 12  Enable crypt password storage : TRUE

 13  Service Auth Method pam_ldap  :

 14  Service Auth Method keyserv   :

 15  Service Auth Method passwd-cmd:

 16  Search Time Limit             : 30

 17  Profile Time to Live          : 43200

 18  Bind Limit                    : 10

 19  Service Search Descriptors Menu

 

Enter config value to change: (1-19 0=commit changes) [0]

Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=homeunix,dc=net]

Enter passwd for proxyagent:

Re-enter passwd:

 

WARNING: About to start committing changes. (y=continue, n=EXIT) y

 

  1. Changed timelimit to -1 in cn=config.

  2. Changed sizelimit to -1 in cn=config.

  3. Changed passwordstoragescheme to "crypt" in cn=config.

  4. Schema attributes have been updated.

  5. Schema objectclass definitions have been added.

  6. NisDomainObject added to dc=homeunix,dc=net.

  7. Top level "ou" containers complete.

  8. automount maps: auto_home auto_direct auto_master auto_shared processed.

  9. ACI for dc=homeunix,dc=net modified to disable self modify.

  10. Add of VLV Access Control Information (ACI).

  11. Proxy Agent cn=proxyagent,ou=profile,dc=homeunix,dc=net added.

  12. Give cn=proxyagent,ou=profile,dc=homeunix,dc=net read permission for password.

  13. Generated client profile and loaded on server.

  14. Processing eq,pres indexes:

      uidNumber (eq,pres)   Finished indexing.

      ipNetworkNumber (eq,pres)   Finished indexing.

      gidnumber (eq,pres)   Finished indexing.

      oncrpcnumber (eq,pres)   Finished indexing.

      automountKey (eq,pres)   Finished indexing.

  15. Processing eq,pres,sub indexes:

      ipHostNumber (eq,pres,sub)   Finished indexing.

      membernisnetgroup (eq,pres,sub)   Finished indexing.

      nisnetgrouptriple (eq,pres,sub)   Finished indexing.

  16. Processing VLV indexes:

      homeunix.net.getgrent vlv_index   Entry created

      homeunix.net.gethostent vlv_index   Entry created

      homeunix.net.getnetent vlv_index   Entry created

      homeunix.net.getpwent vlv_index   Entry created

      homeunix.net.getrpcent vlv_index   Entry created

      homeunix.net.getspent vlv_index   Entry created

      homeunix.net.getauhoent vlv_index   Entry created

      homeunix.net.getsoluent vlv_index   Entry created

      homeunix.net.getauduent vlv_index   Entry created

      homeunix.net.getauthent vlv_index   Entry created

      homeunix.net.getexecent vlv_index   Entry created

      homeunix.net.getprofent vlv_index   Entry created

      homeunix.net.getmailent vlv_index   Entry created

      homeunix.net.getbootent vlv_index   Entry created

      homeunix.net.getethent vlv_index   Entry created

      homeunix.net.getngrpent vlv_index   Entry created

      homeunix.net.getipnent vlv_index   Entry created

      homeunix.net.getmaskent vlv_index   Entry created

      homeunix.net.getprent vlv_index   Entry created

      homeunix.net.getip4ent vlv_index   Entry created

      homeunix.net.getip6ent vlv_index   Entry created

 

idsconfig: Setup of iDS server ldap is complete.

 

 

Note: idsconfig has created entries for VLV indexes.  Use the

      directoryserver(1m) script on ldap to stop

      the server and then enter the following vlvindex

      sub-commands to create the actual VLV indexes:

 

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getgrent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.gethostent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getnetent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getpwent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getrpcent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getspent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getauhoent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getsoluent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getauduent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getauthent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getexecent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getprofent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getmailent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getbootent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getethent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getngrpent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getipnent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getmaskent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getprent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getip4ent

  directoryserver -s ldap vlvindex -n userRoot -T homeunix.net.getip6ent

 

On occasion I have run this script and it has created the indexes. If the script failed then perform the workaround described in section 1.10 Appendix 1: Work around for idsconfig failing to build indexes.

 

Once this script has completed we need to build the indexes as described at the end of the script run. Perform the following tasks:

1.      Stop the LDAP Server by using the following command

/var/opt/mps/serverroot/slapd-hostname/stop-slapd

 

2.      Build the indexes as stated in the idsconfig script. Use the following commands (manual/onLDAPServer/buildIndexes.sh):

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getgrent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.gethostent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getnetent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getpwent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getrpcent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getspent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getauhoent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getsoluent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getauduent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getauthent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getexecent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getprofent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getmailent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getbootent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getethent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getngrpent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getipnent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getmaskent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getprent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getip4ent

directoryserver -s ldap vlvindex -n userRoot -T novainfo.com.getip6ent

 

As described earlier in this document, the installation of Access Manager removes access to the LDAP directory that is key to the client configuration. There are two methods for restoring access. The first method is to add back an Access Control Instruction (ACI) granting anonymous access to the directory’s root tree, where the Solaris authentication information is stored. Since this method provides read access to the entire tree to anyone with an LDAP browser and network access to the server, it is not recommended. However, for completeness this document describes the steps to configure LDAP authentication using anonymous access. The value of providing anonymous access to the directory is that the ldapclient command can then automatically configure a new Solaris server for LDAP authentication.

 

Here is an example LDIF file and command to reset Anonymous access:

 

LDIF file: (anonymous/onLDAPServer/addACIsforSolaristoAccMgrAnonymous.ldif)

 

dn: dc=homeunix,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=homeunix,dc=net")(targetattr="*")
 (version 3.0; acl "anonymous read"; allow (read,search)
 userdn = "ldap:///anyone";)

 

The command is: (anonymous/onLDAPServer/addACIsAnonymous)

ldapmodify -h ldapserver -D "cn=Directory Manager" -f addACIsforSolaristoAccMgrAnonymous.ldif

 

 

 

Once Anonymous access is configured you can proceed to section 1.3 Configuring a Solaris Server to be an LDAP Client with Anonymous Access.

 

If you are NOT enabling anonymous access, 19 ACIs must be added to the Directory Server to allow the LDAP client access to the necessary information. When the ldapclient application is executed it sets up a proxy account to be used for all such access. The ACIs that are added back provide read, search and compare access to the proxy account, scoped to the individual containers rather than to the whole tree. The default proxy account is cn=proxyagent,ou=profile. The following is an example LDIF file and the command to enable proxyAgent access to the directory server:

 

LDIF file: (manual/onLDAPServer/addACIsforSolaristoAccMgr.ldif)

 

dn: dc=homeunix,dc=net
changetype: modify
add: aci
aci: (target="ldap:///ou=people,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to People"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=group,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to group"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=protocols,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to protocols"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=rpc,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to rpc"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=networks,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to networks"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=netgroup,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to netgroup"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=aliases,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to aliases"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=hosts,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to hosts"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=services,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to services"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=ethers,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to ethers"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=profile,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to profile"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=printers,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to printers"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=SolarisAuthAttr,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to SolarisAuthAttr"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=SolarisProfAttr,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to SolarisProfAttr"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=Timezone,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to TimeZone"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=auto_home,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to auto_home"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=auto_direct,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to auto_direct"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=auto_master,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to auto_master"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=auto_shared,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to auto_shared"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)

 

The command is: (manual/onLDAPServer/addACIs)

 

ldapmodify -h ldapserver -D "cn=Directory Manager" -f addACIsforSolaristoAccMgr.ldif

 

At this point the Directory server is configured and you should proceed to section 1.4 Configuring a Solaris Server to be an LDAP Client without Anonymous Access.
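A hand-edited file of 19 ACIs is easy to get subtly wrong, and a single mistyped userdn leaves one container unreadable to the proxy agent (or readable by some other account) without ldapmodify complaining. The following Python script is an added example, not part of the original document or its tar file: it folds the LDIF continuation lines, takes each aci apart and flags any that does not grant exactly read/search/compare to cn=proxyagent on a target under the base DN, or that reuses an acl name. The three ACIs embedded in it are constructed sample input; the second carries a wrong bind DN and the third a duplicate acl name.

```python
"""Check the proxy-agent ACI LDIF before handing it to ldapmodify."""
import re

BASE_DN = "dc=homeunix,dc=net"                      # base DN assumed from the document
PROXY_DN = "cn=proxyagent,ou=profile," + BASE_DN     # default proxy agent DN
ALLOWED_RIGHTS = {"read", "search", "compare"}

# Constructed sample input in the shape of addACIsforSolaristoAccMgr.ldif:
# the first ACI is clean, the second binds the wrong DN, the third reuses
# an acl name.  None of it comes from the document's tar file.
SAMPLE_LDIF = """dn: dc=homeunix,dc=net
changetype: modify
add: aci
aci: (target="ldap:///ou=people,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to People"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=rpc,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to rpc"; allow (read, search, compare)
 userdn = "ldap:///cn=networks,ou=profile,dc=homeunix,dc=net";)
aci: (target="ldap:///ou=networks,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to rpc"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
"""

_TARGET = re.compile(r'\(target="ldap:///([^"]+)"\)')
_ACL = re.compile(r'acl\s+"([^"]+)"')
_RIGHTS = re.compile(r'allow\s*\(([^)]*)\)')
_USERDN = re.compile(r'userdn\s*=\s*"ldap:///([^"]+)"')


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading space) onto the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_acis(text):
    """Return every aci value in the LDIF record, continuation lines folded."""
    return [ln[4:].strip() for ln in unfold_ldif(text) if ln.lower().startswith("aci:")]


def check_aci(aci, seen_acl_names):
    """Return the problems found in one aci value; an empty list means clean."""
    problems = []
    target = _TARGET.search(aci)
    if not target or not target.group(1).lower().endswith(BASE_DN.lower()):
        problems.append("target missing or outside base DN")
    acl = _ACL.search(aci)
    if not acl:
        problems.append("acl name missing")
    elif acl.group(1) in seen_acl_names:
        problems.append("duplicate acl name %r" % acl.group(1))
    else:
        seen_acl_names.add(acl.group(1))
    rights = _RIGHTS.search(aci)
    if not rights:
        problems.append("allow clause missing")
    else:
        extra = {r.strip().lower() for r in rights.group(1).split(",")} - ALLOWED_RIGHTS
        if extra:
            problems.append("rights beyond read/search/compare: %s" % sorted(extra))
    userdn = _USERDN.search(aci)
    if not userdn or userdn.group(1).lower() != PROXY_DN.lower():
        problems.append("userdn is not the proxy agent")
    return problems


def validate_ldif(text):
    """Map each offending target DN to its problem list; clean ACIs are omitted."""
    seen, report = set(), {}
    for aci in parse_acis(text):
        target = _TARGET.search(aci)
        key = target.group(1) if target else aci[:40]
        problems = check_aci(aci, seen)
        if problems:
            report[key] = problems
    return report


if __name__ == "__main__":
    for target, problems in validate_ldif(SAMPLE_LDIF).items():
        print(target, "->", "; ".join(problems))
```

Run it against the real addACIsforSolaristoAccMgr.ldif by reading the file into validate_ldif; an empty report means every container is granted to the proxy agent only.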

1.3      Configuring a Solaris Server to be an LDAP Client with Anonymous Access

NOTE: If you are configuring a Solaris 8 client, go to section 1.11 Appendix 2: Configuring Solaris 8 as an LDAP Client. After the LDAP Directory Server has been properly configured and anonymous access restored to the directory, we are ready to configure the Solaris LDAP client. With anonymous access enabled in the directory server, the ldapclient application can automatically configure the Solaris server. This utility configures the necessary connection information and modifies the nsswitch.conf file so that all of the services check LDAP for information. The following is an example ldapclient command to configure the client (this command is contained in anonymous/onClient/makeClient and is run on the client Solaris server!):

 

/usr/sbin/ldapclient init -a profileName=homeunixUsers \
    -a domainName=homeunix.net \
    -a proxyDN="cn=proxyagent,ou=profile,dc=homeunix,dc=net" \
    -a proxyPassword="password" 208.27.21.248

 

Where

profileName is the name of the client profile that will be downloaded from the Directory Server from time to time; it contains important information on accessing the server. This profile name was defined when the idsconfig script was run earlier.

 

domainName is the domain name of the LDAP server.

 

proxyDN is the Proxy Agent that will be used to access the Directory Server. The shown value is the default.

 

proxyPassword is the password that will be used by the Proxy Agent.

 

ipAddress is the last parameter and it is the IP address of the LDAP server.

 

In addition to executing the ldapclient command, it is recommended to modify the nsswitch.conf file so that only the services we are configuring point to LDAP (see manual/onClient/nsswitch.conf.withoutNetGroup for a sample). All entries in the file should be changed to files, with the exception of passwd, group and netgroup. The hosts entry may need to be altered to also include DNS.

 

After the ldapclient command has been successfully executed it is possible to authenticate to the Solaris server with any user in the configured tree of the LDAP Directory that has the posixaccount objectclass assigned to it and the necessary attributes. To load data into the Directory Server see section 1.6 Loading Solaris Server information into LDAP. If you would like to have Access Manager create UNIX accounts in LDAP see section 1.5 Configuring Access Manager for UNIX User Creation.

 

1.4      Configuring a Solaris Server to be an LDAP Client without Anonymous Access

NOTE: If you are configuring a Solaris 8 client, go to section 1.11 Appendix 2: Configuring Solaris 8 as an LDAP Client. After the idsconfig utility has been executed against the LDAP Directory Server and the ACIs necessary to allow proxyAgent access to the directory have been added, we are ready to manually configure the Solaris LDAP client. To execute the ldapclient application in manual mode, more information about the environment must be known. This utility configures the necessary connection information and modifies the nsswitch.conf file so that all of the services check LDAP for information. The following is an example ldapclient command to configure the client (this command is contained in manual/onClient/makeClient and is run on the client Solaris server!):

 

ldapclient manual \
     -a credentialLevel=proxy \
     -a authenticationMethod=simple \
     -a proxyPassword=password \
     -a proxyDN=cn=proxyagent,ou=profile,dc=homeunix,dc=net \
     -a defaultSearchBase=dc=homeunix,dc=net \
     -a domainName=homeunix.net \
     -a followReferrals=false \
     -a defaultServerList=208.27.21.248

 

Where

credentialLevel is the type of access to the Directory server.

 

authenticationMethod is the type of authentication to use when attaching to the directory server.

 

proxyDN is the Proxy Agent that will be used to access the Directory Server. The shown value is the default.

 

proxyPassword is the password to be used to authenticate as the proxy agent.

 

defaultSearchBase is the root suffix in the directory server to look for Solaris authentication information.

 

domainName is the DNS domain name of the server.

 

followReferrals indicates whether referrals should be followed when searching the directory.

 

defaultServerList is the list of LDAP servers to check for authentication information.

 


 

In addition to executing the ldapclient command, it is recommended to modify the nsswitch.conf file so that only the services we are configuring point to LDAP (see manual/onClient/nsswitch.conf.withoutNetGroup for a sample). All entries in the file should be changed to files, with the exception of passwd, group and netgroup. The hosts entry may need to be altered to also include DNS.
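The nsswitch.conf change recommended here (and in section 1.3) is mechanical enough to script. The following Python function is an added example, not the document's nsswitch.conf.withoutNetGroup sample: it takes the nsswitch.conf text that ldapclient leaves behind, points every database except passwd, group and netgroup back at files, and optionally adds dns to hosts and ipnodes. The input below is a constructed file in the shape ldapclient writes; the function only rewrites text and never contacts a directory server.

```python
"""Reduce a Solaris nsswitch.conf so only passwd, group and netgroup use ldap."""
import re

KEEP_LDAP = ("passwd", "group", "netgroup")   # databases this guide serves from LDAP
HOST_DBS = ("hosts", "ipnodes")               # databases that may also need dns

# Constructed sample of what ldapclient writes to /etc/nsswitch.conf.
SAMPLE_NSSWITCH = """# /etc/nsswitch.conf as written by ldapclient (constructed sample)
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
netgroup:   ldap
automount:  files ldap
aliases:    files ldap
services:   files ldap
printers:   user files ldap
"""

# database name, the ":" separator with its padding, and the source list
_ENTRY = re.compile(r"^(\s*)([A-Za-z_]+)(\s*:\s*)(.*)$")


def harden_nsswitch(text, keep_ldap=KEEP_LDAP, hosts_add_dns=True):
    """Return the rewritten nsswitch.conf text.

    Databases in keep_ldap, comments and blank lines pass through unchanged
    so a diff against the original stays reviewable.  Every other database
    is pointed at "files" only, except hosts/ipnodes, which become
    "files dns" when hosts_add_dns is set.
    """
    out = []
    for line in text.splitlines():
        match = _ENTRY.match(line)
        if not match or line.lstrip().startswith("#"):
            out.append(line)
            continue
        indent, db, sep, _sources = match.groups()
        if db in keep_ldap:
            out.append(line)
        elif db in HOST_DBS and hosts_add_dns:
            out.append("%s%s%sfiles dns" % (indent, db, sep))
        else:
            out.append("%s%s%sfiles" % (indent, db, sep))
    return "\n".join(out) + "\n"


def sources_of(text):
    """Map database name -> list of sources, for reviewing the result."""
    result = {}
    for line in text.splitlines():
        match = _ENTRY.match(line)
        if match and not line.lstrip().startswith("#"):
            result[match.group(2)] = match.group(4).split()
    return result


def databases_still_using_ldap(text):
    """Sorted names of databases whose source list still mentions ldap."""
    return sorted(db for db, srcs in sources_of(text).items() if "ldap" in srcs)


if __name__ == "__main__":
    hardened = harden_nsswitch(SAMPLE_NSSWITCH)
    print(hardened)
    print("still on ldap:", databases_still_using_ldap(hardened))
```

Review the printed result before copying it over /etc/nsswitch.conf; the later automount and netgroup sections of this document add their own requirements.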

 

After the ldapclient command has been successfully executed it is possible to authenticate to the Solaris server with any user in the configured tree of the LDAP Directory that has the posixaccount objectclass assigned to it and the necessary attributes. To load data into the Directory Server see section 1.6 Loading Solaris Server information into LDAP. If you would like to have Access Manager create UNIX accounts in LDAP see section 1.5 Configuring Access Manager for UNIX User Creation.

1.5      Configuring Access Manager for UNIX User Creation

Access Manager can be configured so that any new accounts that are created will provide both access to Access Manager as well as to a UNIX server. To configure this capability a new service must be added to Access Manager. The following is an example XML file that can configure the service:

 

File: (manual/onLDAPServer/accessManagerService/LDAPSolarisService_i18n.xml)

 

<?xml version="1.0" encoding="iso-8859-1"?>

<!DOCTYPE ServicesConfiguration
    PUBLIC "-//iPlanet//Service Management Services (SMS) 1.0 DTD//EN"
    "jar://com/sun/identity/sm/sms.dtd">

<ServicesConfiguration>
    <Service name="isnLDAPSolarisService" version="1.0">
        <Schema
            serviceHierarchy="/DSAMEConfig/isnLDAPSolarisService"
            i18nFileName="isnLDAPSolarisService"
            i18nKey="isn-LDAP-Solaris-service-description">
            <Global>
                <AttributeSchema name="serviceObjectClasses"
                    type="list"
                    syntax="string"
                    i18nKey="">
                    <DefaultValues>
                        <Value>posixaccount</Value>
                        <Value>shadowaccount</Value>
                        <Value>account</Value>
                    </DefaultValues>
                </AttributeSchema>
            </Global>
            <User>
                <AttributeSchema name="uidnumber"
                    type="single"
                    any="required|filter|display"
                    syntax="string"
                    i18nKey="u150">
                </AttributeSchema>
                <AttributeSchema name="gidnumber"
                    type="single"
                    any="required|filter|display"
                    syntax="string"
                    i18nKey="u151">
                </AttributeSchema>
                <AttributeSchema name="homedirectory"
                    type="single"
                    any="required|filter|display"
                    syntax="string"
                    i18nKey="u152">
                </AttributeSchema>
                <AttributeSchema name="loginshell"
                    type="single"
                    any="optional|filter|display"
                    syntax="string"
                    i18nKey="u153">
                </AttributeSchema>
            </User>
        </Schema>
    </Service>
</ServicesConfiguration>

 

The corresponding property file must be copied to the /opt/SUNWam/locale/ directory. Here is an example:

 

File: (manual/onLDAPServer/accessManagerService/LDAPSolarisService.properties)

 

isn-LDAP-Solaris-service-description=LDAP Solaris Authentication Service
u150=UNIX UID Number
u151=UNIX Group Number
u152=UNIX Home Directory
u153=UNIX Login Shell
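The service XML and its properties file are coupled only by convention: every i18nKey in the XML needs a line in the file named by i18nFileName, and the Global serviceObjectClasses list must carry the object classes a UNIX login needs. The following Python script is an added example, not part of the original document or its tar file; it cross-checks the two before they are loaded. Both inputs are constructed, shortened copies in the document's shape, with one label and one object class deliberately left out so the check has something to report.

```python
"""Cross-check an Access Manager service XML against its properties file."""
import xml.etree.ElementTree as ET

# Object classes a posix login needs in serviceObjectClasses (from the document).
REQUIRED_OBJECTCLASSES = {"posixaccount", "shadowaccount"}

# Constructed sample: like the document's XML but with shadowaccount missing
# from the defaults and the homedirectory attribute omitted for brevity.
SAMPLE_XML = """<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE ServicesConfiguration
    PUBLIC "-//iPlanet//Service Management Services (SMS) 1.0 DTD//EN"
    "jar://com/sun/identity/sm/sms.dtd">
<ServicesConfiguration>
  <Service name="isnLDAPSolarisService" version="1.0">
    <Schema serviceHierarchy="/DSAMEConfig/isnLDAPSolarisService"
            i18nFileName="isnLDAPSolarisService"
            i18nKey="isn-LDAP-Solaris-service-description">
      <Global>
        <AttributeSchema name="serviceObjectClasses" type="list" syntax="string" i18nKey="">
          <DefaultValues><Value>posixaccount</Value><Value>account</Value></DefaultValues>
        </AttributeSchema>
      </Global>
      <User>
        <AttributeSchema name="uidnumber" type="single" any="required|filter|display" syntax="string" i18nKey="u150"/>
        <AttributeSchema name="gidnumber" type="single" any="required|filter|display" syntax="string" i18nKey="u151"/>
        <AttributeSchema name="loginshell" type="single" any="optional|filter|display" syntax="string" i18nKey="u153"/>
      </User>
    </Schema>
  </Service>
</ServicesConfiguration>
"""

# Constructed sample properties file with the u153 label missing.
SAMPLE_PROPERTIES = """isn-LDAP-Solaris-service-description=LDAP Solaris Authentication Service
u150=UNIX UID Number
u151=UNIX Group Number
"""


def _root(xml_text):
    # Feed bytes so expat honours the declared iso-8859-1 encoding.
    return ET.fromstring(xml_text.encode("iso-8859-1"))


def parse_properties(text):
    """Minimal key=value reader for a Java .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def i18n_keys(xml_text):
    """All non-empty i18nKey values used anywhere in the service XML."""
    return {el.get("i18nKey") for el in _root(xml_text).iter() if el.get("i18nKey")}


def i18n_file_name(xml_text):
    """Base name of the properties file the console will look for."""
    return _root(xml_text).find(".//Schema").get("i18nFileName")


def default_objectclasses(xml_text):
    """Lower-cased default values of the Global serviceObjectClasses attribute."""
    attr = _root(xml_text).find(".//Global/AttributeSchema[@name='serviceObjectClasses']")
    if attr is None:
        return set()
    return {v.text.strip().lower() for v in attr.iter("Value") if v.text}


def check_service(xml_text, properties_text):
    """Return (i18n keys with no label, required object classes missing)."""
    missing_labels = sorted(i18n_keys(xml_text) - set(parse_properties(properties_text)))
    missing_classes = sorted(REQUIRED_OBJECTCLASSES - default_objectclasses(xml_text))
    return missing_labels, missing_classes


if __name__ == "__main__":
    labels, classes = check_service(SAMPLE_XML, SAMPLE_PROPERTIES)
    print("properties file expected in /opt/SUNWam/locale:", i18n_file_name(SAMPLE_XML) + ".properties")
    print("i18n keys without a label:", labels)
    print("object classes missing from serviceObjectClasses:", classes)
```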

 

Here is a sample script that will move the files to the correct locations, load the service and restart the Access Manager:

 

File: (manual/onLDAPServer/accessManagerService/loadService)

 

#!/bin/sh
# Copy the service definition and its label file into place, register the
# service schema with amadmin, then restart the web container so that the
# new service is picked up.
echo copy files to locations
cp isnLDAPSolarisService_i18n.xml /etc/opt/SUNWam/config/xml/.
cp isnLDAPSolarisService.properties /opt/SUNWam/locale/.
ln -s /opt/SUNWam/locale/isnLDAPSolarisService.properties /opt/SUNWam/locale/isnLDAPSolarisService_en.properties
echo Loading Service into Access Manager
/opt/SUNWam/bin/amadmin -u uid=amAdmin,ou=People,dc=homeunix,dc=net -w password --schema /etc/opt/SUNWam/config/xml/isnLDAPSolarisService_i18n.xml

echo Restarting web server
/opt/SUNWwbsvr/https-ldap.homeunix.net/stop
/opt/SUNWwbsvr/https-ldap.homeunix.net/start

 

After the webserver restarts, you must log into AMConsole and add the service to the list of services.

The following are the steps to enable the service inside of the AMConsole:

 

  1. Log in to the AMConsole by going to http://accessManagerHost/amconsole using the amadmin account.
  2. Select Services from the drop-down list in the left-hand frame.
  3. After the page repaints, click on the Add… button.
  4. Look in the right-hand frame, locate the “LDAP Solaris Authentication Service” and check the box to its left.
  5. Click on the OK button.

 

At this time the service is configured. When amadmin is used to create a new user the LDAP Solaris Authentication Service will be presented as a selectable service. If you select this item you will be prompted for the necessary fields to create a new user that can log into Access Manager as well as UNIX. NOTE: At this time the home directory is not created. This must be done manually. Here are the instructions for creating a new user using Access Manager:

 

  1. Log in to the AMConsole by going to http://accessManagerHost/amconsole and using the amadmin account.
  2. Select Users in the drop-down list in the left-hand frame.
  3. Click on the New… button.
  4. After the page repaints, select “LDAP Solaris Authentication Service”.
  5. Click on the Next button.
  6. Fill in the required fields.
  7. Click on the Finish button.

 

If you have completed either section 1.3 or section 1.4 above, it should now be possible to authenticate to the Solaris Client server using this new user. You will, however, see an error when logging in because this user has no home directory. Currently creating it is a manual step that must be done by the Solaris Client Server administrator.

 

1.6      Loading Solaris Server information into LDAP

Once the Solaris server has been configured to use LDAP for authentication, Solaris information must be loaded into the Directory Server.  The following data can be loaded into LDAP for management: hosts, ipnodes, rpc, protocols, networks, services, group, netmasks, ethers, netgroup, bootparams, publickey, passwd, shadow, aliases, auto_, user_attr, prof_attr, exec_attr, auth_attr and audit_user. For the purposes of these instructions only passwd, shadow, group, auto_home and netgroup will be imported.

 

The first method of loading data into the Directory Server is to use the /usr/sbin/ldapaddent command. This command reads a configuration file on the client machine and loads the data into the LDAP server. If ldapaddent is used then all data in the configuration file will be imported; for the passwd file this includes administrative accounts as well as user accounts. The following is an example of loading all users into the LDAP server (examples of these commands are contained in anonymous/onClient/makeClient; these commands are run on the client Solaris server!):

 

/usr/sbin/ldapaddent -c -D "cn=Directory Manager" -f /etc/passwd passwd

/usr/sbin/ldapaddent -c -D "cn=Directory Manager" -f /etc/shadow shadow

 

 

The second approach to loading the directory involves manipulating the LDAP Directory Server directly. The following is an example of an LDIF file that adds a user with both UNIX access and Access Manager access: (manual/sampleLDIFs/barney.ldif)

 

dn: uid=barney,ou=People,dc=homeunix,dc=net

sn: Rubble

cn: Barney Rubble

iplanet-am-modifiable-by: cn=Top-level Admin Role,dc=homeunix,dc=net

uidNumber: 202

givenName: Barney

gidNumber: 1

inetUserStatus: Active

homeDirectory: /home/barney

uid: barney

objectClass: posixaccount

objectClass: shadowaccount

objectClass: iplanetpreferences

objectClass: iplanet-am-managed-person

objectClass: top

objectClass: iplanet-am-user-service

objectClass: organizationalperson

objectClass: inetadmin

objectClass: account

objectClass: inetorgperson

objectClass: person

objectClass: inetuser

userPassword: password

 

The following LDIF is for a simple UNIX-only user: (manual/sampleLDIFs/betty.ldif). Note that this sample and barney.ldif both use uidNumber 202; if you load both, give one of them a different uidNumber, because UNIX file ownership and process credentials are identified by uidNumber, not by login name.

 

dn: uid=betty,ou=people,dc=homeunix,dc=net

objectClass: posixAccount

objectClass: shadowAccount

objectClass: account

objectClass: top

uid: betty

cn: betty

uidNumber: 202

gidNumber: 1

homeDirectory: /home/betty

loginShell: /bin/sh

userPassword: password

 

The command that can be used to load this into the LDAP Server is:

 

ldapmodify -h ldapserver -D "cn=Directory Manager" -a -f betty.ldif

 

If the above command was used to add the two LDIF files then you can now log in as barney or betty with the password of “password”.
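Before loading hand-written LDIF such as barney.ldif and betty.ldif, it is worth checking it for the problems the directory server will happily accept but a Solaris client will trip over later. The following is an added example, not part of the original guide or its tar file: a small LDIF parser plus a check that reports missing posixAccount attributes, a uidNumber shared by two entries (both sample files above use 202), and a userPassword supplied in the clear, which means the LDIF file itself must be protected and removed once loaded. The sample LDIF embedded in the block is constructed to mirror the two entries in this section.

```python
"""Sanity-check POSIX account LDIF before loading it with ldapmodify.

Added example; it is not part of the original guide or its tar file.
"""
import re

# Attributes the posixAccount object class requires (RFC 2307).
REQUIRED_POSIX = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Unfolds continuation lines (leading space), skips comments, and
    lower-cases attribute names because LDAP compares them
    case-insensitively. Base64 values ("attr:: ...") are not decoded.
    """
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def check_accounts(text):
    """Return a list of findings (strings) for every posixAccount entry."""
    findings = []
    uid_owner = {}  # uidNumber -> dn of the first entry that used it
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in REQUIRED_POSIX:
            if attr.lower() not in entry:
                findings.append(f"{dn}: missing required attribute {attr}")
        if "loginshell" not in entry:
            findings.append(f"{dn}: no loginShell set")
        for num in entry.get("uidnumber", []):
            owner = uid_owner.setdefault(num, dn)
            if owner != dn:
                findings.append(f"{dn}: uidNumber {num} already used by {owner}")
        for pw in entry.get("userpassword", []):
            # Hashed values look like {SSHA}... or {crypt}...; anything else is clear text.
            if not pw.startswith("{"):
                findings.append(f"{dn}: userPassword is in the clear; protect this file")
    return findings


# Constructed sample mirroring the two entries in this section.
SAMPLE_LDIF = """\
dn: uid=barney,ou=People,dc=homeunix,dc=net
objectClass: posixaccount
objectClass: shadowaccount
objectClass: inetorgperson
objectClass: top
uid: barney
cn: Barney Rubble
sn: Rubble
uidNumber: 202
gidNumber: 1
homeDirectory: /home/barney
userPassword: password

dn: uid=betty,ou=people,dc=homeunix,dc=net
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: betty
cn: betty
uidNumber: 202
gidNumber: 1
homeDirectory: /home/betty
loginShell: /bin/sh
userPassword: password
"""

if __name__ == "__main__":
    for finding in check_accounts(SAMPLE_LDIF):
        print(finding)
```

Run against the sample it reports four findings: barney has no loginShell, both passwords are in the clear, and betty reuses uidNumber 202. Run it against your own LDIF before the ldapmodify step above.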

1.7      Configuring netgroup

A netgroup defines a network-wide group of hosts and users. Netgroups can be used to restrict access to shared NFS file systems and to restrict remote login and shell access. These instructions use netgroup to restrict access to a server. Network groups are stored in a network information service such as LDAP, NIS or NIS+, not in a local file. There is a local file, /etc/netgroup, that can be used to define netgroups which are then loaded into LDAP using ldapaddent, but the file itself is not consulted during authentication. The following is a sample /etc/netgroup file:

 

Sample file: (manual/sampleConfigFiles/netgroup)

 

group1 (,barney,) (,betty,)

group2 (,fred,) (,wilma,)

 

In the above example group1 grants access to both barney and betty on every server where group1 has been added to the passwd and shadow files. To load this file using ldapaddent the following command would be used (This command is run on the client Solaris server!):

 

/usr/sbin/ldapaddent -c -D "cn=Directory Manager" -f /etc/netgroup netgroup

 

The other approach to managing netgroup is to use an LDIF file to define the group and load it manually into the LDAP Directory Server.

 


The following is a sample LDIF file that can be manually loaded:

 

File: (manual/sampleLDIFs/netgroup.ldif)

 

dn: cn=group1,ou=netgroup,dc=homeunix,dc=net

objectClass: nisNetgroup

objectClass: top

cn: group1

nisNetgroupTriple: (,barney,)

nisNetgroupTriple: (,betty,)

 

dn: cn=group2,ou=netgroup,dc=homeunix,dc=net

objectClass: nisNetgroup

objectClass: top

cn: group2

nisNetgroupTriple: (,fred,)

nisNetgroupTriple: (,wilma,)

 

Use this command to load this LDIF into the Directory Server:

 

ldapmodify -h ldapserver -D "cn=Directory Manager" -a -f netgroup.ldif

 

Once the netgroups have been loaded into the Directory Server there are changes that must be made to /etc/nsswitch.conf, /etc/passwd and /etc/shadow files.

 

In the /etc/nsswitch.conf file on the Solaris client change: (/manual/onClient/nsswitch.conf.withNetGroup)

 

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.

passwd:     ldap [NOTFOUND = return] files

 

to:

 

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.

passwd:     compat

passwd_compat: files ldap

 

and then verify that the netgroup line exists and looks like:

 

netgroup:   ldap

 

The actual restriction of which users can authenticate to a server is determined by evaluating the netgroup entries in the passwd and shadow files. Once the changes to the nsswitch.conf file have been made, no LDAP users will be able to authenticate to the server until a netgroup entry is added to the passwd and shadow files. The easiest way to add this entry is to run the following two commands (These commands are run on the client Solaris server!):

 

echo +@group1 >>/etc/passwd

pwconv

 

Note: the pwconv command will result in the following warning:

 

“pwconv: WARNING user +@group1 has no password”

 

pwconv is notifying you that the new entry does not have a password. This entry does not require a password; thus it is not a problem and you may ignore the warning. The pwconv utility makes the necessary changes to the /etc/shadow file as a result of the change we made to the /etc/passwd file.

 

At this point only users that are in the /etc/passwd file and users that are part of the group1 netgroup will be able to authenticate to this server.
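To see why only local accounts and group1 members remain after these changes, it helps to model the compat lookup the client now performs. The following is an added example, not part of the original guide: it reads the /etc/netgroup text format from section 1.7 and a compat-mode /etc/passwd, then returns the login names the passwd source resolves. It assumes first-match semantics (entries are read in order, and the first `+` or `-` rule that names a user decides it), ignores the host and domain fields of each triple (an empty user field is treated as "any user"), and takes the list of directory users as a constructed input; on a real client that list comes from LDAP.

```python
"""Work out which users a compat-mode /etc/passwd actually admits.

Added example; it is not part of the original guide.
"""
import re

# (host,user,domain) triple; fields may be empty or padded with spaces.
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup_file(text):
    """Return {netgroup: set(users)}; "*" stands for the any-user wildcard.

    Nested netgroups (a bare name on another group's line) are flattened,
    with a guard against cycles such as a -> b -> a.
    """
    raw = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            raw[parts[0]] = parts[1] if len(parts) > 1 else ""

    def users_of(name, seen=()):
        if name in seen or name not in raw:
            return set()
        users = set()
        for _host, user, _domain in TRIPLE.findall(raw[name]):
            users.add(user.strip() or "*")
        for nested in TRIPLE.sub(" ", raw[name]).split():
            users |= users_of(nested, seen + (name,))
        return users

    return {name: users_of(name) for name in raw}


def admitted_users(passwd_text, netgroups, directory_users):
    """Return the set of login names the compat passwd source resolves."""
    directory_users = set(directory_users)
    decided = {}  # name -> True (admitted) / False (excluded); first rule wins

    def decide(names, verdict):
        for n in names:
            decided.setdefault(n, verdict)

    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        if name == "+":                       # every directory user
            decide(directory_users, True)
        elif name.startswith(("+@", "-@")):   # netgroup rule
            members = netgroups.get(name[2:], set())
            if "*" in members:
                members = directory_users
            decide(members & directory_users, name[0] == "+")
        elif name.startswith(("+", "-")):     # a single directory user
            if name[1:] in directory_users:
                decide([name[1:]], name[0] == "+")
        else:                                 # local account from files
            decide([name], True)
    return {n for n, ok in decided.items() if ok}


# Constructed inputs mirroring this section's examples.
SAMPLE_NETGROUP = "group1 (,barney,) (,betty,)\ngroup2 (, fred,) (,wilma,)\n"
SAMPLE_PASSWD = "root:x:0:0:Super-User:/:/sbin/sh\n+@group1\n"
DIRECTORY_USERS = ["barney", "betty", "fred", "wilma"]


def who_can_log_in(passwd_text=SAMPLE_PASSWD, netgroup_text=SAMPLE_NETGROUP):
    """Convenience wrapper: evaluate the sample client against the sample netgroups."""
    return admitted_users(passwd_text, parse_netgroup_file(netgroup_text), DIRECTORY_USERS)


if __name__ == "__main__":
    print(sorted(who_can_log_in()))
```

With the `+@group1` line from this section the result is root, barney and betty; fred and wilma exist in the directory but are not admitted. A `-@group2` line placed before a bare `+` gives the same result, which is the usual way to express "everyone except this netgroup".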

 

1.8      Configuring Solaris Groups Support in LDAP

Solaris groups can also be managed by LDAP. One restriction imposed by using LDAP to manage groups is that either a corporation must have a group naming convention that is unique for each server, or the group names and group numbers must be consistent across all servers. For example, if you belong to the app1admin group on two servers then each server must use the same name and the same group number. LDAP stores all groups in the same location in the directory server, so the app1admin group with a group ID of 200 on server1 must be the same group, with the same ID, on server2.

 

Once the group number issue has been resolved there are two mechanisms for loading group information into LDAP. The first mechanism is to use ldapaddent to load the existing /etc/group file into LDAP. Use the following command to load the group information using ldapaddent (This command is run on the client Solaris server!):

 

/usr/sbin/ldapaddent -c -D "cn=Directory Manager" -f /etc/group group

 

Remember that this group exists only once, so all users that are members of this group on any server must be listed at the end of the single group definition in the file. For example, fred is part of the app1admin group on server1 and barney is part of the group on server2. Even though neither user has an account on both servers, the group entry in the /etc/group file must look like this:

 

app1admin::200:fred,barney

 

The netgroup (see section 1.7) entry will prevent fred and barney from logging into the server that they do not have access to, thus restricting the access of the group to the correct servers.

 

The second approach is to add the groups directly to the directory. The following is a sample LDIF file and command for loading the app1admin group:

 

File: (manual/sampleLDIFs/app1adminGroup.ldif)

 

dn: cn=app1admin,ou=group,dc=homeunix,dc=net

objectClass: posixGroup

objectClass: top

cn: app1admin

gidNumber: 200

memberUid: fred

memberUid: barney

 

The command to load it:

 

ldapmodify -h ldapserver -D "cn=Directory Manager" -a -f app1adminGroup.ldif

 

Once the groups have been added to LDAP we must ensure that the /etc/nsswitch.conf file is configured properly. The group line in the file should reference ldap and should look like this:

 

group:      files ldap

 

If you have completed all the steps up to this point in this document then a user should be able to authenticate using LDAP, be restricted to the hosts they have access to and be associated with the UNIX groups they are members of.

1.9      Configuring the Solaris Auto_Home Capability in LDAP

Solaris provides auto mount capabilities for automatically mounting the user’s home directory upon authentication. The concept is that when a user logs into a server the user’s home directory is mounted from a remote location. The file system can also be mounted on the local server by referencing localhost. (All of these changes are made on the Solaris Client server.)

 

The setup for Solaris itself, without LDAP, requires two files to be configured: /etc/auto_master and /etc/auto_home. The /etc/auto_master file defines the maps for file systems to be auto mounted. The following example is installed by default when Solaris is installed:

 

#

# Copyright 2003 Sun Microsystems, Inc.  All rights reserved.

# Use is subject to license terms.

#

# ident "@(#)auto_master        1.8     03/04/28 SMI"

#

# Master map for automounter

#

+auto_master

/net            -hosts          -nosuid,nobrowse

/home           auto_home       -nobrowse

 


In the above example all auto mounts from the auto_home file will be mounted as /home. The following is an example of the /etc/auto_home file (Note that the last two lines in this file have been added for the purposes of these instructions. The Solaris default file ends with +auto_home):

 

#

# Copyright 2003 Sun Microsystems, Inc.  All rights reserved.

# Use is subject to license terms.

#

# ident "@(#)auto_home  1.6     03/04/28 SMI"

#

# Home directory map for automounter

#

+auto_home

fred localhost:/export/home/&

barney localhost:/export/home/&

 

The above example will auto mount the /export/home/{username} directory from the localhost when fred or barney log into the system. It is also possible to replace the username field with an “*” and then all users will be mounted from /export/home/{username} without having to enter a value for each person.

 

You can configure Solaris to use LDAP for auto mount either with ldapaddent or by manipulating the directory server directly. If the directory server does not allow Anonymous access to the root tree that contains the Solaris information, additional ACIs must be added to the directory after the first Solaris server has been configured, regardless of which of the two methods was used.

 

1.9.1      Using ldapaddent

 

Using ldapaddent the following commands must be performed to configure the auto mount capability (This command is run on the client Solaris server!):

 

/usr/sbin/ldapaddent -c -D "cn=Directory Manager" -f /etc/auto_master auto_master

 

/usr/sbin/ldapaddent -c -D "cn=Directory Manager" -f /etc/auto_home auto_home

 

Next we must add the ACIs for an LDAP instance that does not have Anonymous access defined for the root tree containing the Solaris information. This can be done by using the following LDIF file and command:

 

File: (manual/onLDAPServer/autoMountUsingLDAPADDENT/autoMountACIs.ldif)

 

dn:automountMapName=auto_master,dc=homeunix,dc=net

changetype: modify

add: aci

aci: (target="ldap:///automountMapName=auto_master,dc=homeunix,dc=net")

 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")

 (version 3.0; acl "LDAP ProxyAgent Access to auto_master"; allow (read, search, compare)

 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)

 

dn:automountMapName=auto_home,dc=homeunix,dc=net

changetype: modify

add: aci

aci: (target="ldap:///automountMapName=auto_home,dc=homeunix,dc=net")

 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")

 (version 3.0; acl "LDAP ProxyAgent Access to auto_home"; allow (read, search, compare)

 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)

 

Command: (manual/onLDAPServer/autoMountUsingLDAPADDENT/setAutoMountACIs)

 

ldapmodify -h ldapserver -D "cn=Directory Manager" -f autoMountACIs.ldif

 

Once this is completed we must ensure that the /etc/nsswitch.conf file on the client machine is pointing to LDAP to resolve the automount capability. Look at the /etc/nsswitch.conf file (see manual/onClient/ and select the correct nsswitch file based on your netgroup setting) and make sure that the automount line looks like this:

 

automount: ldap

 

Note: There are times that I have seen the Auto_Home capability not start working until the server has been rebooted. It is possible that there is a service that can be re-started but at this time I am unaware of the service name.

1.9.2      Using LDAP Manipulation

To configure the Auto_Home capability by manipulating LDAP directly, load an LDIF file such as the following example:

 

File: (manual/onLDAPServer/autoMountUsingLDAP/createAutoMount.ldif)

 

dn: automountKey=/net,automountMapName=auto_master,dc=homeunix,dc=net

objectClass: automount

objectClass: top

automountKey: /net

automountInformation: -hosts  -nosuid,nobrowse

 

dn: automountKey=/home,automountMapName=auto_master,dc=homeunix,dc=net

objectClass: automount

objectClass: top

automountKey: /home

automountInformation: auto_home -nobrowse

 

dn:automountMapName=auto_master,dc=homeunix,dc=net

changetype: modify

add: aci

aci: (target="ldap:///automountMapName=auto_master,dc=homeunix,dc=net")

 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")

 (version 3.0; acl "LDAP ProxyAgent Access to auto_master"; allow (read, search, compare)

 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)

 

dn:automountMapName=auto_home,dc=homeunix,dc=net

changetype: modify

add: aci

aci: (target="ldap:///automountMapName=auto_home,dc=homeunix,dc=net")

 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")

 (version 3.0; acl "LDAP ProxyAgent Access to auto_home"; allow (read, search, compare)

 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)

 

The command to load the above LDIF file is (manual/onLDAPServer/autoMountUsingLDAP/createAutoMount):

 

ldapmodify -h ldapserver -D "cn=Directory Manager" -a -f createAutoMount.ldif

 

Since we are manually manipulating LDAP we must now create LDIF files for all of the users and load them into the directory. Here is a sample LDIF file for enabling Auto_Home for Betty:

 

File: (manual/onLDAPServer/autoMountUsingLDAP/bettyAutoHome.ldif)

 

dn: automountKey=betty, automountMapName=auto_home,dc=homeunix,dc=net

objectClass: automount

objectClass: top

automountKey: betty

automountInformation: localhost:/export/home/&

 

Command (manual/onLDAPServer/autoMountUserLDAP/addBettyAutoHome):

 

ldapmodify -h ldapserver -D "cn=Directory Manager" -a -f bettyAutoHome.ldif

 

Once this is completed we must ensure that the /etc/nsswitch.conf file is pointing to LDAP to resolve the automount capability. Look at the /etc/nsswitch.conf file and make sure that the automount line looks like this:

 

automount: ldap

 

At this point, if Betty logs into the server and her home directory already exists at /export/home/betty, it will be automatically mounted for her.

 

Note: There are times that I have seen the Auto_Home capability not start working until the server has been rebooted. It is possible that there is a service that can be re-started but at this time I am unaware of the service name.

 

1.10     Appendix 1: Work around for idsconfig failing to build indexes

 

Before performing the work around let’s put the directory server back to its original condition using our earlier backup. Do the following to restore the directory server:

 

/var/opt/mps/serverroot/slapd-{hostname}/stop-slapd

cd /var/opt/mps

rm -r serverroot

tar -xf serverrootAccMgr.tar

/var/opt/mps/serverroot/slapd-{hostname}/start-slapd

 

Then perform the following work around:


# cd /usr/lib/ldap
# mv idsconfig idsconfig.orig
# cp idsconfig.orig idsconfig
# vi idsconfig

Replace the line:
grep -i -v NetscapeRoot > ${TMPDIR}/treeTOP
with:
grep -i -v NetscapeRoot | grep -i -v dc=example > ${TMPDIR}/treeTOP

 

Now go back and redo the idsconfig script as described in section 1.2 Configuring the LDAP Directory Server.

1.11     Appendix 2: Configuring Solaris 8 as an LDAP Client

Solaris 8 does not appear to support a manual way of configuring LDAP authentication through the ldapclient command. Since there is no manual mechanism available, Solaris 8 cannot be configured against a non-Anonymous LDAP server. ldapclient performs a number of changes to the system that are not easy to reproduce manually; therefore, in order to successfully configure Solaris 8 as a client we must enable anonymous access to the directory server. Anonymous access is only necessary while executing the ldapclient application; note that while the ACI below is in place every user attribute under the suffix, userPassword and the shadowAccount fields included, is readable without authentication, so keep that window short. Once ldapclient has been successfully executed the anonymous access can be disabled on the LDAP server. All other configuration requirements defined in this document work for Solaris 8, 9 and 10.

 

Here are the steps for configuring a Solaris 8 client for LDAP authentication:

 

  1. Ensure that the latest cluster patch is installed on Solaris 8. (Without the patches the LDAP authentication does not work!)
  2. Anonymous access to the directory server must be enabled. If it is already enabled then proceed to step 3; if not, the following LDIF file and command can be used on the LDAP server to enable it:

 

LDIF file: (anonymous/onLDAPServer/addACIsforSolaristoAccMgrAnonymous.ldif)

 

dn:dc=homeunix,dc=net

changetype: modify

add: aci

aci: (target="ldap:///dc=homeunix,dc=net")(targetattr="*")

 (version 3.0; acl "proxyAgent read"; allow (read,search)

 userdn = "ldap:///anyone";)

 

the command is: (anonymous/onLDAPServer/addACIsAnonymous)

 

ldapmodify -h ldapserver -D "cn=Directory Manager" -f addACIsforSolaristoAccMgrAnonymous.ldif

 

  3. Execute the ldapclient application on the Solaris 8 client. You must know the name of the profile that was configured in section 1.2. In our example the name of the profile was homeunixUsers. Execute the following command (solaris8/configClient):

 

ldapclient -P homeunixUsers -D "cn=proxyAgent,ou=profile,dc=homeunix,dc=net" -w password  ldapserver

 

In addition to executing the ldapclient command it is recommended to modify the nsswitch.conf file so that only the services we are configuring point to LDAP (see manual/onClient/nsswitch.conf.withoutNetGroup for a sample). All entries in the file should be changed to files with the exception of passwd, group and netgroup. The hosts entry may need to be altered to also include DNS.

 

  4. At this point Solaris 8 requires the system to be rebooted.

 

  5. Once the system is rebooted it should be possible to authenticate as any user that is configured in the LDAP server. (Since netgroup is not yet enabled there are no restrictions on the users that can authenticate to the server.)

 

  6. If in your configuration you intend for Anonymous access to remain enabled then proceed to step 7; if not, disable Anonymous access to the directory server. On the LDAP server the following LDIF file and command can be used to disable it:

 

LDIF file: (anonymous/onLDAPServer/delACIsforSolaristoAccMgrAnonymous.ldif)

 

dn:dc=homeunix,dc=net

changetype: modify

delete: aci

aci: (target="ldap:///dc=homeunix,dc=net")(targetattr="*")

 (version 3.0; acl "proxyAgent read"; allow (read,search)

 userdn = "ldap:///anyone";)

 

the command is: (anonymous/onLDAPServer/delACIsAnonymous)

 

ldapmodify -h ldapserver -D "cn=Directory Manager" -f delACIsforSolaristoAccMgrAnonymous.ldif

 

 

  7. Proceed to Section 1.5 Configuring Access Manager for UNIX User Creation.
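Because the temporary ACI in step 2 grants `ldap:///anyone` read and search over every attribute under the suffix, it is worth being able to confirm that no such ACI is left behind after step 6. The following is an added example, not part of the original guide: it pulls the aci values out of an LDIF text (the add/delete files above, or an export of the suffix entry) and reports any ACI whose subject is anyone or all users and whose targetattr clause still covers userPassword. The two LDIF samples embedded in the block are constructed to mirror the anonymous ACI from this appendix and the proxyagent ACI from section 1.9, which serves as the negative case; the parsing relies only on the ACI syntax visible in this document.

```python
"""Flag directory ACIs that open every attribute to anonymous readers.

Added example; it is not part of the original guide.
"""
import re

ACI_LINE = re.compile(r"^aci:\s*(.*)$", re.IGNORECASE | re.MULTILINE)
ALLOW = re.compile(r"allow\s*\(([^)]*)\)", re.IGNORECASE)
TARGETATTR = re.compile(r'targetattr\s*(!?=)\s*"([^"]*)"', re.IGNORECASE)
USERDN = re.compile(r'userdn\s*=\s*"([^"]*)"', re.IGNORECASE)


def aci_values(ldif_text):
    """Return every aci attribute value in the LDIF, continuation lines unfolded."""
    return ACI_LINE.findall(re.sub(r"\n ", "", ldif_text))


def aci_exposes_password(aci):
    """True when the targetattr clause covers userPassword (or is absent)."""
    m = TARGETATTR.search(aci)
    if m is None:                      # no targetattr means all attributes
        return True
    attrs = {a.strip().lower() for a in m.group(2).split("||")}
    if m.group(1) == "=":
        return "*" in attrs or "userpassword" in attrs
    return "userpassword" not in attrs  # "!=" lists the exceptions


def audit_aci(aci):
    """Return a reason if the ACI grants broad read access, else None."""
    allow = ALLOW.search(aci)
    rights = {r.strip().lower() for r in allow.group(1).split(",")} if allow else set()
    subjects = {s.lower() for s in USERDN.findall(aci)}
    broad = subjects & {"ldap:///anyone", "ldap:///all"}
    if broad and aci_exposes_password(aci) and rights & {"read", "search", "all"}:
        who = "anonymous" if "ldap:///anyone" in broad else "all authenticated users"
        return f"grants {who} {sorted(rights)} including userPassword"
    return None


def audit_ldif(ldif_text):
    """Return [(aci, reason)] for every ACI in the text that audit_aci flags."""
    out = []
    for aci in aci_values(ldif_text):
        reason = audit_aci(aci)
        if reason:
            out.append((aci, reason))
    return out


# Constructed samples mirroring the ACIs in this document.
ANONYMOUS_ACI_LDIF = """\
dn: dc=homeunix,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=homeunix,dc=net")(targetattr="*")
 (version 3.0; acl "proxyAgent read"; allow (read,search)
 userdn = "ldap:///anyone";)
"""

PROXYAGENT_ACI_LDIF = """\
dn: automountMapName=auto_home,dc=homeunix,dc=net
changetype: modify
add: aci
aci: (target="ldap:///automountMapName=auto_home,dc=homeunix,dc=net")
 (targetfilter=(!(objectclass=sunServiceComponent)))(targetattr = "*")
 (version 3.0; acl "LDAP ProxyAgent Access to auto_home"; allow (read, search, compare)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=homeunix,dc=net";)
"""

if __name__ == "__main__":
    for aci, reason in audit_ldif(ANONYMOUS_ACI_LDIF + "\n" + PROXYAGENT_ACI_LDIF):
        print(reason)
```

The proxyagent ACI is not flagged because its subject is a single bind DN, while the anonymous ACI is flagged as granting read and search on every attribute. An ACI written with `targetattr != "userPassword"` would also pass, which is the narrower form to prefer if anonymous read of non-secret attributes is ever needed.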