Secure LDAP server installation and configuration

You need to obtain the following software before the installation:

- Sun One Directory Server 5.2 (44Mb)
- Java 1.4 or above (61Mb)
- Java 64 bit packages (6Mb)
- Sun One Directory Server SDK (57Mb), optional but recommended
- Solaris 9 O/S
- Solaris 9 recommended patch cluster
- Sun patch 112960-?? (2Mb)

Note before installation: as Sun One Directory Server installs in /var/mps by default, it may be worth giving that directory its own filesystem.

Install the Solaris 9 O/S and patch the server with the recommended patch cluster; make sure that the server is also configured for 64-bit operation. You should also set up an ldapuser account and an ldap group (optional, but advised), and check that the following network ports are not already in use (use the netstat -an command):

  389   LDAP directory server port
  390   LDAP administration port
  636   Secure LDAP directory server port
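The port check above, as an added example that is not part of the original document: it parses the text of netstat -an and reports which of 389, 390 and 636 already have a listener. It understands both the Solaris "host.port" and the Linux "host:port" local-address layouts; the two netstat samples in the block are constructed, not captured output.

```python
"""Pre-install check for the ports the document lists: 389, 390 and 636.

Added example, not part of the original document. It parses `netstat -an`
output and reports which of those ports already have a listener, so the
directory and admin servers do not collide with an existing service.
Both the Solaris "host.port" and the Linux "host:port" local-address styles
are handled; the two netstat samples below are constructed, not captured.
"""
import re
import subprocess

LDAP_PORTS = {389: "LDAP directory server", 390: "LDAP administration",
              636: "Secure LDAP directory server"}


def listening_ports(netstat_text):
    """Return the set of local TCP ports shown in LISTEN state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue
        local = fields[0]
        # Linux/BSD layout: "tcp  0  0  0.0.0.0:389  0.0.0.0:*  LISTEN"
        if local.startswith("tcp") and len(fields) > 3:
            local = fields[3]
        # Solaris layout: "*.389  *.*  0 0 49152 0 LISTEN"; the port is
        # whatever follows the last '.' or ':' of the local address
        m = re.search(r"[.:](\d+)$", local)
        if m:
            ports.add(int(m.group(1)))
    return ports


def ldap_port_conflicts(netstat_text):
    """Map each wanted port that is already in use to its role (empty = all free)."""
    used = listening_ports(netstat_text)
    return {port: role for port, role in LDAP_PORTS.items() if port in used}


# Constructed sample in Solaris 9 `netstat -an` layout: 389 is taken, 390/636 free.
SAMPLE_SOLARIS = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.389                *.*                0      0 49152      0 LISTEN
10.1.2.3.389         10.1.2.9.51234     49640      0 49640      0 ESTABLISHED
"""

# Constructed sample in Linux `netstat -an` layout: 636 and 390 are taken.
SAMPLE_LINUX = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp6       0      0 :::390                  :::*                    LISTEN
"""

if __name__ == "__main__":
    live = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    for port, role in sorted(ldap_port_conflicts(live).items()):
        print(f"port {port} ({role} port) is already in use")
```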

LDAP directory server setup

Once the above has been configured it is time to set up the directory server. Install the following packages, including the 64-bit ones. If you only wish to set up the directory server, refer to Sun's web site for the packages you need.

SUNWascv, SUNWasvcp, SUNWasvr, SUNWasvu, SUNWdsvcp, SUNWdsvh, SUNWdsvhx, SUNWdsvpl, SUNWdsvr, SUNWdsvu, SUNWdsvx, SUNWicu, SUNWicux, SUNWjss, SUNWldk, SUNWldkx, SUNWpr, SUNWprx, SUNWsasl, SUNWsaslx, SUNWtls, SUNWtlsx

64-bit Directory Server, 32-bit Administration Server, and Console

It is recommended to install the 64-bit packages if you expect high volumes of LDAP traffic. Once the packages have been installed it is best to run idsktune before configuring the directory server; it checks for any patches required and makes tuning recommendations. Install the recommended patches and update /etc/system to reflect the recommended system parameter settings.

# ./idsktune
Sun ONE Directory Server system tuning analysis version 9-MAY-2003.

Copyright 2002-2003 Sun Microsystems, Inc.

NOTICE : System is usparc-SUNW,Ultra-4-solaris5.9_s9s_u7wos_09 (3 processors).

NOTICE : Patch 112902-12 (SunOS 5.9: kernel/drv/ip Patch) is not installed.

NOTICE : Patch 113023-01 (SunOS 5.9: Broken preremove scripts in S9 ALC packages) is not installed.

NOTICE : Solaris patches can be obtained from http://sunsolve.sun.com or your Solaris support representative.

NOTICE : /etc/system does not have a setting for tcp:tcp_conn_hash_size The default is 256.

NOTICE : The tcp_conn_req_max_q value is currently 128, which will limit the value of listen backlog which can be configured. It can be raised by adding to the end of the /etc/init.d/inetinit a line similar to:
ndd -set /dev/tcp tcp_conn_req_max_q 1024

NOTICE : The tcp_keepalive_interval is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections.

NOTICE : The tcp_keepalive_interval can be reduced by adding the following line to the end of the /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_keepalive_interval 600000

NOTICE : The NDD tcp_ip_abort_cinterval is currently set to 180000 milliseconds (180 seconds). This may cause long delays in establishing outgoing connections if the destination server is down.

NOTICE : If the directory service is intended only for LAN or private high-speed WAN environment, this interval can be reduced by adding to the end of the file /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_ip_abort_cinterval 10000

NOTICE : The NDD tcp_ip_abort_interval is currently set to 180000 milliseconds (180 seconds). This may cause long delays in detecting connection failure if the destination server is down.

NOTICE : If the directory service is intended only for LAN or private high-speed WAN environment, this interval can be reduced by adding to the end of the file /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_ip_abort_interval 60000

NOTICE : The TCP initial sequence number generation is not based on RFC 1948.
If this directory service is intended for external access, add the following to the end of /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_strong_iss 2

NOTICE : The NDD tcp_smallest_anon_port is currently 32768. This allows a maximum of 32768 simultaneous connections. More ports can be made available by adding a line to the end of /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_smallest_anon_port 8192

NOTICE : / partition has less space available, 2421MB, than the largest allowable core file size of 3884MB. A daemon process which dumps core could cause the root partition to be filled.

Once the above has been carried out it is time to configure the directory server using the directoryserver command.

# ./directoryserver configure -nodisplay

***********************************************
This script deals with version 5.2 of Directory Server.
Use /usr/sbin/directoryserver.51bak to manage Directory Server 5.1.
***********************************************

You are running the installation program for Directory Server. This program asks you to supply configuration preference settings that it uses to install the server.

The installation program consists of one or more selections that provide you with information and let you enter preferences that determine how Directory Server is installed and configured.

When you are presented with the following question, the installation process pauses to allow you to read the information that has been presented. When you are ready, press Enter to continue.

<Press ENTER to Continue>

Some questions require you to type a response with more detailed information. The question may have a default value that is displayed in brackets []. For example, the following question has a default answer of yes:

Are you sure? [yes]

If you want to accept the default answer, press only the Enter key (which on some keyboards is labeled Return). If you want to provide a different answer, type it at the command prompt and then press Enter. You may type yes or y for an affirmative answer, and no or n for a negative answer.

If you wish to exit the installation at any time, press the ! key and you will be given the option to exit or continue.

<Press ENTER to Continue>

Welcome to the Directory Server Installation Program

We strongly recommend that you exit all programs before running the installation program. If you have other programs running, type Ctrl-C to end the installation program and then close any other programs you have running.

Warning: This program is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this program, or any portion of it, may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under law.

<Press ENTER to Continue>

Server Root Information

Server Root [/var/mps/serverroot] {"<" goes back, "!" exits}:   (location where the directory server is installed)

Enter the fully qualified name of the computer

Fully Qualified Computer Name [ukstsg10.ggr.co.uk] {"<" goes back, "!" exits}:   (host name of the directory server including FQDN)

Choose the type of installation you prefer from the following choices:

Express - Installation option choices are made automatically. The easiest installation and recommended for evaluating the product.
Typical - Software will be installed with the most common options. Recommended for most deployments.
Custom - You may choose the options you want to install. Recommended for advanced users.

1. Express
2. Typical
3. Custom

What would you like to do [2] {"<" goes back, "!" exits}? 2

Choose the system user and group names under whose identity the Sun ONE Directory server will run.

System User [root] {"<" goes back, "!" exits}: ldapuser
System Group [other] {"<" goes back, "!" exits}: ldapgroup

You may store Sun ONE server configuration information in another Sun ONE Directory Server. If you have already prepared a configuration server, you may configure the new server to use it.

1. The new instance will be the configuration Directory Server
2. Use existing configuration Directory Server

What would you like to do [1] {"<" goes back, "!" exits}? 1

Configuration Directory Server Administrator

Administrator ID [admin] {"<" goes back, "!" exits}:
Password:   (enter password of your choice)
Password (again):   (re-enter password of your choice)

You may already have a Directory Server where you store user and group information.

1. Store data in the new Directory Server
2. Store data in an existing Directory Server

What would you like to do [1] {"<" goes back, "!" exits}? 1

Settings the new server will use for basic operation

Server Identifier [ukstsg10] {"<" goes back, "!" exits}:   (server hostname)
Server Port [389] {"<" goes back, "!" exits}:   (port number)
Suffix [dc=example, dc=com] {"<" goes back, "!" exits}:   (your company's domain)

Administration Domain

Administration Domain [example.com] {"<" goes back, "!" exits}:   (your company's domain)

Enter a Distinguished Name (DN) for the Directory Manager and a password at least 8 characters long.

Directory Manager DN [cn=Directory Manager] {"<" goes back, "!" exits}:
Password:   (enter password of your choice)
Password (again):   (enter password of your choice)

Installing Directory Server
|-1%--------------25%-----------------50%-----------------75%--------------100%|

Update of the Directory Server layout ... done
Update of the links between server root and Directory Server Layout ... done
[slapd-ukstsg10]: starting up server ...
[slapd-ukstsg10]: [31/Aug/2005:15:33:03 +0100] - Sun-ONE-Directory/5.2 B2003.143.0020 (32-bit) starting up
[slapd-ukstsg10]: [31/Aug/2005:15:33:07 +0100] - Listening on all interfaces port 389 for LDAP requests
[slapd-ukstsg10]: [31/Aug/2005:15:33:07 +0100] - slapd started.
Your new directory server has been started.
Created new Directory Server
Start Slapd
Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.

Configuration of the server(s) succeeded.

Installation Details:

   Product                 Result      More Information
1. Directory Server        Installed   Available
2. Done

Enter the number corresponding to the desired selection for more information, or enter 2 to continue [2] {"!" exits}: 2

The directory server has now been installed in /var/mps/serverroot; the binary files and directory server databases have been set up. It is time to set up the admin server using the mpsadmserver command.

# ./mpsadmserver configure -nodisplay

Enter the fully qualified name of the computer

Fully Qualified Computer Name [ukstsg10.ggr.co.uk] {"<" goes back, "!" exits}:   (hostname of directory server including FQDN)

Server Root Information

Server Root: : /var/mps/serverroot

Choose the type of installation you prefer from the following choices:

Express - Installation option choices are made automatically. The easiest installation and recommended for evaluating the product.
Typical - Software will be installed with the most common options. Recommended for most deployments.

1. Express
2. Typical

What would you like to do [2] {"<" goes back, "!" exits}? 2

Configuration Directory Server Administrator

Administrator ID [admin] {"<" goes back, "!" exits}:
Password:   (enter password of your choice)

Administration Domain

Administration Domain [example.com] {"<" goes back, "!" exits}:   (domain)

The Administration Server runs on a different network port from other servers. Specify the number of the port.

Administration Port [390] {"<" goes back, "!" exits}: 390

Installing Administration Server
|-1%--------------25%-----------------50%-----------------75%--------------100%|

Checking connection to the Configuration Directory Server... done.
Updating Administration Server layout... done.
Updating links between Server Root and Administration Server layout... done.
Registering Administration Server with Configuration Directory Server... done.
Loading Administration Server tasks... done.
Loading global Administration Server configuration... done.
Generating configuration files ... done.
Configuration of the Administration Server succeeded.
SunONE-WebServer-Enterprise/6.0SP3 B05/14/2003 17:58
warning: daemon is running as super-user
[LS ls1] http://ukstsg10.example.com, port 390 ready to accept requests
startup: server started successfully
Administration server started properly.

Installation Details:

   Product                    Result      More Information
1. Administration Server      Installed   Available
2. Done

Enter the number corresponding to the desired selection for more information, or enter 2 to continue [2] {"!" exits}: 2

All being well, the admin server should now connect to the directory server. You can set up the directory server in silent mode by editing or copying the /usr/ds/v5.2/setup/typical.ins file, then running the following command:

# /usr/sbin/directoryserver configure -f <myfile.ins>

To set up the admin server in silent mode run the following:

# /usr/sbin/mpsadmserver configure -f <filename>

Now we need to create the object classes, containers, ACIs and client profiles; a handy script called idsconfig will do this for us.

# ./idsconfig -d

It is strongly recommended that you BACKUP the directory server before running idsconfig.

Hit Ctrl-C at any time before the final confirmation to exit.

Do you wish to continue with server setup (y/n/h)? [n] y
In prompt_config_info()
Enter the iPlanet Directory Server's (iDS) hostname to setup: ukstsg10.example.com
Enter the port number for iDS (h=help): [389] 389
In chk_ids_version()
VLV controls found on LDAP server.
Enter the directory manager DN: [cn=Directory Manager] cn=Directory Manager
In get_passwd_nochk()
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [ggr.co.uk] example.com
Enter LDAP Base DN (h=help): [dc=example,dc=com] dc=example,dc=com
Checking baseDN: dc=example,dc=com
In check_attrName()
check_attrName: Input Param = dc
check_baseDN: valid key=dc
In check_attrName()
check_attrName: Input Param = dc
check_baseDN: valid key=dc
Enter the profile name (h=help): [default] default
Default server list (h=help): [147.184.30.10]   (directory server IP address)
Preferred server list (h=help):
In get_search_scope()
Choose desired search scope (one, sub, h=help): [one] one
In get_cred_level()
The following are the supported credential levels:
  1  anonymous
  2  proxy
  3  proxy anonymous
Choose Credential level [h=help]: [1] 2
In get_auth()
The following are the supported Authentication Methods:
  1  none
  2  simple
  3  sasl/DIGEST-MD5
  4  tls:simple
  5  tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 2
Current authenticationMethod: simple
Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n] n
Do you want to modify the server timelimit value (y/n/h)? [n] n
Do you want to modify the server sizelimit value (y/n/h)? [n] n
Do you want to store passwords in "crypt" format (y/n/h)? [n] y
Do you want to setup a Service Authentication Methods (y/n/h)? [n] n
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
In reset_ssd_file()
In prompt_ssd()
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's
  Q  Exit menu
Enter menu choice: [Quit] a
In add_ssd()
Enter the service id: passwd
Enter the base: ou=people,dc=example,dc=com
Enter the scope: one
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's
  Q  Exit menu
Enter menu choice: [Quit] a
In add_ssd()
Enter the service id: group
Enter the base: ou=group,dc=example,dc=com
Enter the scope: one
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's
  Q  Exit menu

Enter menu choice: [Quit] a
In add_ssd()
Enter the service id: shadow
Enter the base: ou=people,dc=example,dc=com
Enter the scope: one
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's
  Q  Exit menu
Enter menu choice: [Quit] quit
In add_ssd()
Enter the service id: netgroup
Enter the base: ou=netgroup,dc=example,dc=com
Enter the scope: one
  A  Add a Service Search Descriptor
  D  Delete a SSD
  M  Modify a SSD
  P  Display all SSD's
  H  Help
  X  Clear all SSD's
  Q  Exit menu
Enter menu choice: [Quit] quit

IDS_SERVER = ukstsg10.example.com
IDS_PORT = 389
LDAP_ROOTDN = cn=Directory Manager
LDAP_ROOTPWD = *********
LDAP_DOMAIN = example.com
LDAP_TREETOP =
LDAP_BASEDN = dc=example,dc=com
LDAP_PROFILE_NAME = default
LDAP_SERVER_LIST = 147.184.30.10
LDAP_PREF_SRVLIST =
LDAP_SEARCH_SCOPE = one
LDAP_CRED_LEVEL = proxy
LDAP_AUTHMETHOD = simple
LDAP_FOLLOWREF = FALSE
IDS_TIMELIMIT =
IDS_SIZELIMIT =
NEED_CRYPT = FALSE
NEED_SRVAUTH_PAM = 0
NEED_SRVAUTH_KEY = 0
NEED_SRVAUTH_CMD = 0
LDAP_SRV_AUTHMETHOD_PAM =
LDAP_SRV_AUTHMETHOD_KEY =
LDAP_SRV_AUTHMETHOD_CMD =
LDAP_SEARCH_TIME_LIMIT = 30
LDAP_PROFILE_TTL = 43200
LDAP_BIND_LIMIT = 10
LDAP_SERV_SRCH_DES =
In display_summary()

              Summary of Configuration

  1  Domain to serve               : example.com
  2  Base DN to setup              : dc=example,dc=com
  3  Profile name to create        : default
  4  Default Server List           : 147.184.30.10
  5  Preferred Server List         :
  6  Default Search Scope          : one
  7  Credential Level              : proxy
  8  Authentication Method         : tls:simple
  9  Enable Follow Referrals       : FALSE
 10  iDS Time Limit                :
 11  iDS Size Limit                :
 12  Enable crypt password storage : FALSE
 13  Service Auth Method pam_ldap  :
 14  Service Auth Method keyserv   :
 15  Service Auth Method passwd-cmd:
 16  Search Time Limit             : 30
 17  Profile Time to Live          : 43200
 18  Bind Limit                    : 10
 19  Service Search Descriptors Menu

Enter config value to change: (1-19 0=commit changes) [0] 0
Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=com]
In get_passwd()
Enter passwd for proxyagent:
Re-enter passwd:
IDS_SERVER = ukstsg10.example.com
IDS_PORT = 389
LDAP_ROOTDN = cn=Directory Manager
LDAP_ROOTPWD = ********
LDAP_DOMAIN = example.com
LDAP_TREETOP =
LDAP_BASEDN = dc=example,dc=com
LDAP_PROFILE_NAME = default
LDAP_SERVER_LIST = 147.184.30.10
LDAP_PREF_SRVLIST =
LDAP_SEARCH_SCOPE = sub
LDAP_CRED_LEVEL = proxy
LDAP_AUTHMETHOD = tls:simple
LDAP_FOLLOWREF = FALSE
IDS_TIMELIMIT =
IDS_SIZELIMIT =
NEED_CRYPT = FALSE
NEED_SRVAUTH_PAM = 0
NEED_SRVAUTH_KEY = 0
NEED_SRVAUTH_CMD = 0
LDAP_SRV_AUTHMETHOD_PAM =
LDAP_SRV_AUTHMETHOD_KEY =
LDAP_SRV_AUTHMETHOD_CMD =
LDAP_SEARCH_TIME_LIMIT = 30
LDAP_PROFILE_TTL = 43200
LDAP_BIND_LIMIT = 10
LDAP_PROXYAGENT = cn=proxyagent,ou=profile,dc=example,dc=com
LDAP_PROXYAGENT_CRED = ********
NEED_PROXY = 1
LDAP_SERV_SRCH_DES =

WARNING: About to start committing changes. (y=continue, n=EXIT) y
In discover_serv_info()
LDAP_TREETOP = dc=example,dc=com
In modify_cn()
In update_schema_attr()
  1. Schema attributes have been updated.
In update_schema_obj()
  2. Schema objectclass definitions have been added.
In add_base_objects()
In set_nisdomain()
  3. NisDomainObject added to dc=example,dc=com.
In add_new_containers()
  4. Top level "ou" containers complete.
In add_auto_maps()
  5. automount maps: auto_home auto_direct auto_master auto_shared processed.
In modify_top_aci()
  6. ACI for dc=example,dc=com modified to disable self modify.
In add_vlv_aci()
  7. Add of VLV Access Control Information (ACI).
In add_proxyagent()
  8. Proxy Agent cn=proxyagent,ou=profile,dc=example,dc=com added.
In allow_proxy_read_pw()
  9. Give cn=proxyagent,ou=profile,dc=example,dc=com read permission for password.
In add_profile()
In ssd_2_profile()
 10. Generated client profile and loaded on server.
In add_eq_indexes()
 11. Processing eq,pres indexes:
  Adding index for uidNumber
    uidNumber (eq,pres)
  Finished indexing.
  Adding index for ipNetworkNumber
    ipNetworkNumber (eq,pres)
  Finished indexing.
  Adding index for gidnumber
    gidnumber (eq,pres)
  Finished indexing.
  Adding index for oncrpcnumber
    oncrpcnumber (eq,pres)
  Finished indexing.

  Adding index for automountKey
    automountKey (eq,pres)
  Finished indexing.
In add_sub_indexes()
 12. Processing eq,pres,sub indexes:
  Adding index for ipHostNumber
    ipHostNumber (eq,pres,sub)
  Finished indexing.
  Adding index for membernisnetgroup
    membernisnetgroup (eq,pres,sub)
  Finished indexing.
  Adding index for nisnetgrouptriple
    nisnetgrouptriple (eq,pres,sub)
  Finished indexing.
In add_vlv_indexes()
 13. Processing VLV indexes:
  Adding index for nisnetgrouptriple
    example.com.getgrent vlv_index
    Entry created
  Adding index for example.com.getgrent
    example.com.gethostent vlv_index
    Entry created
  Adding index for example.com.gethostent
    example.com.getnetent vlv_index
    Entry created
  Adding index for example.com.getnetent
    example.com.getpwent vlv_index
    Entry created
  Adding index for example.com.getpwent
    example.com.getrpcent vlv_index
    Entry created
  Adding index for example.com.getrpcent
    example.com.getspent vlv_index
    Entry created
  Adding index for example.com.getspent
    example.com.getauhoent vlv_index
    Entry created
  Adding index for example.com.getauhoent
    example.com.getsoluent vlv_index
    Entry created
  Adding index for example.com.getsoluent
    example.com.getauduent vlv_index
    Entry created
  Adding index for example.com.getauduent
    example.com.getauthent vlv_index
    Entry created
  Adding index for example.com.getauthent
    example.com.getexecent vlv_index
    Entry created
  Adding index for example.com.getexecent
    example.com.getprofent vlv_index
    Entry created
  Adding index for example.com.getprofent
    example.com.getmailent vlv_index
    Entry created
  Adding index for example.com.getmailent
    example.com.getbootent vlv_index
    Entry created
  Adding index for example.com.getbootent
    example.com.getethent vlv_index
    Entry created
  Adding index for example.com.getethent
    example.com.getngrpent vlv_index
    Entry created
  Adding index for example.com.getngrpent
    example.com.getipnent vlv_index
    Entry created
  Adding index for example.com.getipnent
    example.com.getmaskent vlv_index
    Entry created
  Adding index for example.com.getmaskent
    example.com.getprent vlv_index
    Entry created
  Adding index for example.com.getprent
    example.com.getip4ent vlv_index
    Entry created
  Adding index for example.com.getip4ent
    example.com.getip6ent vlv_index
    Entry created
idsconfig: Setup of iDS server ukstsg10.example.com is complete.

Note: idsconfig has created entries for VLV indexes. Use the
directoryserver(1m) script on ukstsg10.example.com to stop the server
and then enter the following vlvindex sub-commands to create the actual
VLV indexes:

directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getgrent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.gethostent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getnetent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getpwent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getrpcent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getspent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauhoent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getsoluent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauduent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauthent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getexecent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getprofent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getmailent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getbootent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getethent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getngrpent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getipnent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getmaskent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getprent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getip4ent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getip6ent
In cleanup()

Now that the object classes, profile, etc. have been created we need to set up the VLV indexes, as described in the output of the idsconfig command run earlier. The indexes are used to increase performance when browsing through large databases that contain many objects. This is a two-part process: the first part is done by the idsconfig script; the second part requires that the directory server be halted and the following commands run, after which the server should be started again.

# the commands below were obtained from the idsconfig output (see above)
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getgrent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.gethostent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getnetent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getpwent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getrpcent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getspent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauhoent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getsoluent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauduent

directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauthent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getexecent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getprofent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getmailent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getbootent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getethent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getngrpent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getipnent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getmaskent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getprent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getip4ent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getip6ent

A final check to make sure that the NIS object classes have indeed been configured:

# ldapsearch -b cn=schema objectclass=* | grep nisDomainObject
objectClasses=( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL MUST nisDomain XORIGIN 'user defined' )

If you get nothing back then one of the above steps has failed; try unconfiguring the directory server and starting again. To unconfigure the directory server use the following commands:

# mpsadmserver -unconfigure
# directoryserver -unconfigure

Adding users and groups, etc.

When replacing NIS with LDAP, the passwd and shadow data are held in the people organizational unit (ou=people). Obtain all the config files that you wish to load into LDAP; they can be any of the following: aliases, auto_*, bootparams, ethers, group, hosts, netgroup, netmasks, networks, passwd, shadow, protocols, publickey, rpc and services.
Update and trim them as necessary so they are ready to load into the directory server. Make sure that the password file contains the password hashes from the shadow file, then run the following commands to load the files:

ldapaddent -a simple -D "cn=Directory manager" -w <password> -f /etc/passwd passwd
ldapaddent -a simple -D "cn=Directory manager" -w <password> -f /etc/group group
ldapaddent -a simple -D "cn=Directory manager" -w <password> -f /etc/hosts hosts
etc.

Alternatively you can create your own user files and load them into the directory server. Create a file called users.ldif and add the following:

dn: uid=jripper,ou=people,dc=example,dc=com
givenName: jack
sn: ripper
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: posixAccount
objectclass: shadowaccount
uid: jripper
userPassword: {crypt}R0DoMe2dtpkKw
uidNumber: 5450
gidNumber: 1028
gecos: Jack Ripper
homeDirectory: /export/home/jripper
loginShell: /bin/ksh
cn: jripper
shadowLastChange:
shadowMin:
shadowMax:
shadowWarning:
shadowInactive:
shadowExpire:
shadowFlag:

The user jripper can be added to the directory server by running the following command:

# ldapadd -c -D "cn=Directory manager" -f users.ldif
Bind Password: ********
adding new entry uid=jripper,ou=people,dc=example,dc=com

Groups can also be added by creating a file called group.ldif:

dn: cn=public,ou=group,dc=example,dc=com
cn: public
gidNumber: 1028
objectClass: top
objectClass: posixGroup
memberUid: jripper

Then run the following:

# ldapadd -c -D "cn=Directory manager" -f group.ldif
Bind password: ********
adding new entry cn=public,ou=group,dc=example,dc=com

LDAP profiles

LDAP profiles can be generated on the client or stored on the directory server. These profiles contain the parameters that allow a client to connect to the server; the parameters stored include the proxy password, proxy cn, server list, version, authentication method, etc. The best approach is to store the profiles on the LDAP server, so that clients copy the most up-to-date version from the LDAP server every time they reboot. The easiest way to create a profile is to write an LDIF file and use the ldapadd command to store it on the directory server. We will create an automount_profile which will be used by the client later. Remember that a default profile was already created during the idsconfig process.
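The passwd-plus-shadow merge described above, done for the ldapadd route, as an added example that is not part of the original document: it builds users.ldif entries in the layout of the jripper entry (person, posixAccount and shadowAccount, userPassword stored as {crypt}<hash>), writes only the shadow ageing attributes that carry a value, and skips accounts whose hash is locked or absent. ou=people,dc=example,dc=com is the document's container; the passwd and shadow lines in the block are constructed, with the hash copied from the document's sample entry.

```python
"""Build a users.ldif in the layout the document shows (person + posixAccount +
shadowAccount) from passwd and shadow data.

Added example, not from the original document. The document says the
password file fed to ldapaddent must carry the hashes from the shadow file;
this does the same merge for the ldapadd route, writing userPassword as
{crypt}<hash> exactly as the jripper entry stores it, and only emitting the
shadow ageing attributes that actually have a value. The passwd/shadow lines
below are constructed (the hash is the one from the document's entry).
"""
import base64
import os

PEOPLE_BASE = "ou=people,dc=example,dc=com"
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag")


def ldif_line(attr, value):
    """One LDIF attribute line; base64-encode values RFC 2849 calls unsafe."""
    value = str(value)
    if value == "":
        return f"{attr}:"
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not value.endswith(" ") and "\n" not in value and "\r" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def parse_shadow(shadow_text):
    """Map login name -> the 8 shadow(4) fields that follow it (hash first)."""
    table = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = (fields[1:] + [""] * 8)[:8]
    return table


def passwd_to_ldif(passwd_text, shadow_text, base=PEOPLE_BASE, min_uid=100):
    """Return LDIF text with one entry per passwd account whose uid >= min_uid."""
    shadow = parse_shadow(shadow_text)
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, gecos, home, shell = (line.split(":") + [""] * 7)[:7]
        if int(uid) < min_uid:          # leave root and system accounts local
            continue
        sfields = shadow.get(name, [""] * 8)
        pwhash = sfields[0]
        first, _, last = gecos.partition(" ")   # "Jack Ripper" -> givenName/sn
        lines = [ldif_line("dn", f"uid={name},{base}")]
        for oc in ("top", "person", "organizationalPerson", "inetorgperson",
                   "posixAccount", "shadowaccount"):
            lines.append(ldif_line("objectclass", oc))
        lines += [ldif_line("uid", name), ldif_line("cn", name),
                  ldif_line("sn", last or first or name)]
        if last:
            lines.append(ldif_line("givenName", first))
        # locked or absent hashes ('*', '!', '*LK*', 'NP', empty) get no userPassword
        if pwhash and pwhash[0] not in "*!" and pwhash != "NP":
            lines.append(ldif_line("userPassword", "{crypt}" + pwhash))
        lines += [ldif_line("uidNumber", uid), ldif_line("gidNumber", gid),
                  ldif_line("homeDirectory", home), ldif_line("loginShell", shell)]
        if gecos:
            lines.append(ldif_line("gecos", gecos))
        for attr, val in zip(SHADOW_ATTRS, sfields[1:]):
            if val:
                lines.append(ldif_line(attr, val))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def write_ldif(path, text):
    """Create the file with mode 0600: it holds password hashes."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


# Constructed sample data in Solaris passwd(4)/shadow(4) layout.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
jripper:x:5450:1028:Jack Ripper:/export/home/jripper:/bin/ksh
svcacct:x:5451:1028:Service Account:/export/home/svcacct:/bin/false
"""
SAMPLE_SHADOW = """\
root:NP:6445::::::
jripper:R0DoMe2dtpkKw:12900:7:90:14:::
svcacct:*LK*:12900::::::
"""

if __name__ == "__main__":
    write_ldif("users.ldif", passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

The resulting file is loaded with the document's ldapadd -c -D "cn=Directory manager" -f users.ldif, which prompts for the bind password instead of taking it on the command line as the ldapaddent -w examples do.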

dn: cn=automount_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: 147.184.30.10
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: FALSE
defaultSearchScope: sub
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: automount_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=people,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=people,dc=example,dc=com?one
serviceSearchDescriptor: auto.master: nisMapName=auto.master,dc=example,dc=com?one
serviceSearchDescriptor: auto.home: nisMapName=auto.home,dc=example,dc=com?one
serviceSearchDescriptor: auto_master: automountMapName=auto_master,dc=example,dc=com?one
serviceSearchDescriptor: auto_home: automountMapName=auto_home,dc=example,dc=com?one
serviceSearchDescriptor: auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
objectclassMap: automount: automount=nisObject
objectclassMap: automount: automountMap=nisMap
attributeMap: automount: automountInformation=nisMapEntry
attributeMap: automount: automountKey=cn
attributeMap: automount: automountMapName=nisMapName

Now store this profile in the directory:

# ldapadd -c -D "cn=Directory manager" -f automount_profile.ldif
Bind Password:
adding new entry cn=automount_profile,ou=profile,dc=example,dc=com
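A pre-load check on a DUAConfigProfile like the one above, as an added example that is not part of the original document: it parses the LDIF entry, splits each serviceSearchDescriptor into service, base and scope and validates the scope, and flags credentialLevel proxy combined with a plain simple authenticationMethod, since that bind sends the proxy agent's password unencrypted to port 389 (the idsconfig run earlier chose tls:simple). PAGE_PROFILE in the block is the automount_profile entry trimmed to a few attributes.

```python
"""Checks on a DUAConfigProfile LDIF before it is loaded with ldapadd.

Added example, not from the original document. It parses the entry, splits
every serviceSearchDescriptor into (service, base, scope) and validates the
scope, and flags credentialLevel proxy together with a plain "simple"
authenticationMethod, since that bind sends the proxy agent's password over
the network unencrypted. PAGE_PROFILE is the document's automount_profile
entry trimmed to a few attributes; attribute names are compared
case-insensitively, as LDAP does.
"""

SCOPES = {"base", "one", "sub"}


def parse_ldif_entry(text):
    """Return {attribute_lower: [values]} for one LDIF entry (no base64 values)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_ssd(value):
    """'passwd: ou=people,dc=example,dc=com?one' -> ('passwd', base, 'one').

    An omitted '?scope' yields '' (the profile's defaultSearchScope applies).
    """
    service, _, rest = value.partition(":")
    base, _, scope = rest.strip().partition("?")
    return service.strip(), base.strip(), scope.strip()


def check_profile(text):
    """Return a list of findings; an empty list means the profile looks sound."""
    p = parse_ldif_entry(text)
    findings = []
    if "duaconfigprofile" not in [v.lower() for v in p.get("objectclass", [])]:
        findings.append("missing objectClass DUAConfigProfile")
    if not p.get("defaultserverlist"):
        findings.append("defaultServerList is empty: clients cannot find a server")
    for ssd in p.get("servicesearchdescriptor", []):
        service, base, scope = parse_ssd(ssd)
        if not service or not base:
            findings.append(f"malformed serviceSearchDescriptor: {ssd}")
        elif scope and scope not in SCOPES:
            findings.append(f"bad scope {scope!r} for service {service}")
    # authenticationMethod may list several methods separated by ';'
    methods = {m.strip().lower()
               for v in p.get("authenticationmethod", []) for m in v.split(";")}
    cred = {c.lower() for c in p.get("credentiallevel", [])}
    if "proxy" in cred and "simple" in methods:
        findings.append("credentialLevel proxy with authenticationMethod simple: "
                        "the proxy bind password crosses the network unencrypted; "
                        "use tls:simple or sasl/DIGEST-MD5")
    return findings


# The document's automount_profile entry, trimmed to the attributes checked here.
PAGE_PROFILE = """\
dn: cn=automount_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: 147.184.30.10
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: FALSE
defaultSearchScope: sub
cn: automount_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=people,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: auto_home: automountMapName=auto_home,dc=example,dc=com?one
attributeMap: automount: automountKey=cn
"""

if __name__ == "__main__":
    for finding in check_profile(PAGE_PROFILE) or ["profile looks sound"]:
        print(finding)
```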


				
Document info: shared by hao nguyen; posted 3/6/2009; language: English; 17 pages.