System Administration Commands ldapservercfg(8)
NAME
ldapservercfg - prepare a directory server to be populated with data
and serve LDAP clients
SYNOPSIS
ldapservercfg [-avq] [-d debug-level] server-type
DESCRIPTION
The ldapservercfg utility is used to configure and populate a directory
server to serve LDAP clients.
The ldapservercfg utility uses server-type to specify the type of
directory server to be configured. The current supported server types
are:
oud Oracle Unified Directory (version 11.1.2.3 and later)
openldap OpenLDAP (version as packaged with Oracle Solaris)
The directory server is configured to support Oracle Solaris naming
services, as defined in /usr/share/lib/ldif/nameservice.ldif, and Kerberos
services as defined in /usr/share/lib/ldif/kerberos.ldif.
The Directory Information Tree (DIT) structure recommended in
RFC2307bis-02 is created.
A default LDAP configuration profile is created to allow automatic
configuration of LDAP clients.
Oracle Unified Directory
When the oud option is selected, it is assumed that the Oracle Unified
Directory server has been installed and enabled according to the
procedures documented in section "Setting Up the Directory Server" in the
OUD Administration Guide. Ensure that the security features such as
SSL/TLS, sasl/DIGEST or sasl/GSSAPI are enabled on the server side if you
want to access the server through the corresponding security mechanism.
The tool supplies default settings for its parameters and allows the
user to edit them.
OpenLDAP
Configures OpenLDAP using the rights profile OpenLDAP, which includes
the required user, group, authorizations and privileges to properly
execute ldapservercfg and to configure and enable the slapd server.
ldapservercfg should be started through a profile shell like pfexec.
The tool reads initial parameter values from
svc:/network/ldap/server:openldap.
If necessary, the server is converted to use Online Configuration
(OLC). The server is configured to accept unencrypted connections on
port 389, encrypted connections (with STARTTLS) on port 389, and
encrypted connections (using raw TLS) on port 636.
When the server configuration is successful, the configuration
properties in svc:/network/ldap/server:openldap are updated.
Special Accounts
Four special accounts might be created. Their names, default
Distinguished Name (DN) and use are:
Configuration (OpenLDAP only)
DN: cn=config
The configuration account is used to create new databases or load
additional schemas. Its password is set the same as the Backend
Manager password.
Backend Manager (OpenLDAP only)
DN: cn=Manager, Search_base (default)
The backend account is the manager for the directory. It has
complete access to all data in the directory.
Admin
DN: cn=admin, ou=profile, search_base (default)
The admin account is created if shadow update is enabled. Clients
use this account to add or modify users.
Users with the solaris.password.assign authorization are able to
change other users' passwords only if the client system is
configured with an administrator account and password and
enableShadowUpdate is configured. See ldapclient(8) for details.
Proxy
DN: cn=proxyagent, ou=profile, search_base (default)
This account is created if proxy access is enabled. Clients will be
configured to bind as this account.
OPTIONS
The following options are supported:
-d debug-level
Specifies the debug-level.
0 Turns off debugging
1 Turns on debugging and opens tracing
2 Function Stacks
-a (OpenLDAP only)
Specifies that the server should be configured with no human
interaction by using SMF property values and default values. For more
information, see the PARAMETERS section below.
The SMF service svc:/network/ldap/server:openldap uses this option
the first time the service is enabled.
-q
Quiet operation.
-v
Verbose output.
PARAMETERS
For OpenLDAP installations, server configuration parameters can be
specified through properties on svc:/network/ldap/server:openldap.
Writing these properties requires the authorization
solaris.smf.value.name-service.ldap.server.
Reading the properties in the cred property group requires the
authorization solaris.smf.read.name-service.ldap.server.
Account credentials
Some of the Special Account names can be configured in SMF property
values. Below, each account property name is paired with its password
property.
The password properties are only used by ldapservercfg during
non-interactive use. When setting passwords into properties they should
be hashed using slappasswd(8oldap).
Backend Manager (OpenLDAP only)
cred/backend_cn
cred/backend_passwd
cred/backend_cn defaults to Manager when not set.
cred/backend_passwd defaults to the system's root password and is
also used for the Configuration account.
Admin
cred/admin_cn
cred/admin_passwd
When not set, cred/admin_cn defaults to admin.
When ldapservercfg is run non-interactively this account will be
created and shadow update enabled only if a password hash is set.
See Example 4 below.
Proxy
cred/proxy_cn
cred/proxy_passwd
When not set, cred/proxy_cn defaults to proxyagent.
When ldapservercfg is run non-interactively this account will be
created if default/credential_level specifies proxy and
cred/proxy_passwd is set. When it is not set, the
default/credential_level of proxy is ignored and anonymous is used
instead.
LDAP configuration properties
These properties are used to configure the LDAP service and to save a
client profile within the Directory.
Search Base (base DN):
profile/default/search_base
Default: derived from the system's DNS domain name or, if not
available, dc=example,dc=com
Containers are created relative to this DN.
Clients are instructed to search relative to this DN.
For example, if the host name is ldap.example.net, the default
Search Base DN would be "dc=example,dc=net".
Client Authentication:
profile/default/authentication_method
Default: tls:simple
This property controls what authentication method the generated
LDAP client profile directs client systems to use.
For a full list of supported authentication methods and additional
information see ldapclient(8).
Credential Level:
profile/default/credential_level
Default: proxy
Specify the credential level the client should use to contact the
directory. The credential levels supported are anonymous, proxy,
and self. If a proxy credential level is specified, then the
authentication_method attribute must be specified to determine the
authentication mechanism. Also, if the credential level is proxy
and at least one of the authentication methods requires a bind DN,
the cred/proxy_cn and cred/proxy_passwd attribute values must be
set.
If a self credential level is specified, the authentication_method
must be sasl/GSSAPI.
Search Scope:
profile/default/search_scope
Default: one
Specify the default search scope for the client's search
operations. This default can be overridden for a given service by
specifying a service_search_descriptor. The default is a one-level
search.
Server List:
profile/default/server_list
Default: system's host name
A multi-valued property providing LDAP server names whose addresses
the LDAP client can resolve without the LDAP name service.
Clients must resolve the LDAP servers' names to addresses by using
either files or dns. If the LDAP server name cannot be resolved,
your naming service will fail.
The fully qualified domain names MUST also match those provided in
any Certificates.
See Example 2 below.
Service Search Descriptor:
profile/default/service_search_descriptor
Override the default base DN for LDAP searches for a given service.
The format of the descriptors also allows overriding the default
search scope and search filter for each service. The default value
for all services is NULL. This is a multi-valued attribute with one
value per service.
The syntax of service_search_descriptor is defined in the profile
IETF draft; its basic format is:
service:[base][?[scope][?[filter]]][;[base][?[scope][?[filter]]]]
In the example SSD:
passwd:ou=staff,dc=example,dc=com?sub?(&(objectClass=posixAccount)
(fulltimeEmployee=TRUE));ou=volunteer,dc=example,dc=com?one
the LDAP client would do a sub level search in
ou=staff,dc=example,dc=com applying the filter
(&(objectClass=posixAccount)(fulltimeEmployee=TRUE)) and search
ou=volunteer,dc=example,dc=com at the single level (one) with the
default filter (objectClass=posixAccount) for the passwd service.
See Example 3 below for pre-setting multiple services.
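The following is an added example, not code from the man page or from Oracle Solaris: a parser for the service_search_descriptor grammar quoted above, with a helper that fills omitted fields from the profile defaults (search_base, search_scope and the service's default filter are assumed to be supplied by the caller) and a formatter that rebuilds a property value.

```python
# Added example (not part of ldapservercfg): parse, expand and rebuild
# service_search_descriptor (SSD) values of the form
#   service:[base][?[scope][?[filter]]][;[base][?[scope][?[filter]]]]
SCOPES = ("base", "one", "sub")

def parse_ssd(ssd):
    """Return (service, [{'base', 'scope', 'filter'}, ...]).
    Omitted fields come back as None.  Because ';' separates descriptors
    in this grammar, a filter may not itself contain ';'."""
    service, sep, rest = ssd.partition(":")
    if not sep or not service.strip():
        raise ValueError("SSD must start with 'service:': %r" % ssd)
    descriptors = []
    for chunk in rest.split(";"):
        # Split at most twice: the filter is last and may contain '?'.
        parts = chunk.split("?", 2) + [None, None]
        base, scope, filt = (p or None for p in parts[:3])
        if scope is not None and scope not in SCOPES:
            raise ValueError("bad scope %r in %r" % (scope, ssd))
        descriptors.append({"base": base, "scope": scope, "filter": filt})
    return service.strip(), descriptors

def effective_searches(ssd, search_base, default_scope="one",
                       default_filter=None):
    """Expand an SSD into the (base, scope, filter) triples a client would
    use, filling omitted fields from profile/default/search_base,
    profile/default/search_scope and the service's default filter
    (assumed here to be passed in by the caller)."""
    service, descs = parse_ssd(ssd)
    return service, [(d["base"] or search_base,
                      d["scope"] or default_scope,
                      d["filter"] or default_filter) for d in descs]

def format_ssd(service, descriptors):
    """Inverse of parse_ssd: build one value for
    profile/default/service_search_descriptor."""
    chunks = []
    for d in descriptors:
        fields = [d.get("base") or "", d.get("scope") or "",
                  d.get("filter") or ""]
        while fields and not fields[-1]:   # drop trailing empty fields
            fields.pop()
        chunks.append("?".join(fields))
    return "%s:%s" % (service, ";".join(chunks))
```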
Schema and DIT Structure
The following schema elements are added to the server if they are not
already installed:
Object classes:
SolarisQualifiedUserAttr
DUAConfigProfile
Attribute types:
SolarisUserAttrEntry
SolarisUserType
Access control lists are set so that:
|-----------------|-----------------------------------------------------|
| Options         | Results                                             |
|                 | Non-Sensitive            | Sensitive                |
| Proxy? | Admin? | Anon?  | Proxy? | Admin? | Anon?  | Proxy? | Admin? |
|--------|--------|--------|--------|--------|--------|--------|--------|
| No[1]  | No     | Read   | -      | -      | No     | -      | -      |
| No     | Yes    | Read   | -      | Write  | No     | -      | Write  |
| Yes    | No     | No     | Read   | -      | No     | Read   | -      |
| Yes    | Yes    | No     | Read   | Write  | No     | Read   | Write  |
|--------|--------|--------|--------|--------|--------|--------|--------|
Default Configuration
Non-sensitive attributes are:
o uid
o uidNumber
o gidNumber
o cn
o objectClass
o memberUid
o memberGid
o loginShell
o homeDirectory
o gecos
o description
o nisDomain
o automountMapName
o SolarisAttrKeyValue
o SolarisAttrShortDesc
o SolarisAttrLongDesc
o SolarisKernelSecurityPolicy
o SolarisProfileType
o SolarisProfileId
o SolarisUserQualifier
o SolarisProjectId
o SolarisProjectName
o SolarisProjectAttr
o SolarisUserAttrEntry
o SolarisUserType
o SolarisAttrReserved1
o SolarisAttrReserved2
Security-critical attributes are:
o userPassword
o shadowLastChange
o shadowMin
o shadowMax
o shadowWarning
o shadowInactive
o shadowExpire
o shadowFlag
In addition, each user can write their own userPassword attribute.
As recommended by RFC2307bis-02, the DIT under the base DN is laid
out with containers for each type of object stored:
ou=people              posixAccount
                       shadowAccount
ou=group               posixGroup
ou=services            ipService
ou=protocols           ipProtocol
ou=rpc                 oncRpc
ou=hosts               ipHost
ou=ethers              ieee802Device
                       bootableDevice
ou=networks            ipNetwork
ou=netgroup            nisNetgroup
nisMapName=...         nisObject
automountMapName=...   automountMap
An RFC 4876 profile is created at cn=default, ou=profile, search_base.
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
EXAMPLES
Example 1 Prompting the User for Input
In the following example, the user is prompted for information to set
up OUD.
example# ldapservercfg oud
Example 2 Setting profile/default/server_list
svccfg(8) delpropvalue is used to delete the existing property values,
followed by addpropvalue twice to add two fully qualified server names.
example# svccfg -s ldap/server:openldap delpropvalue \
> profile/default/server_list '*'
example# svccfg -s ldap/server:openldap addpropvalue \
> profile/default/server_list "serv1.example.com"
example# svccfg -s ldap/server:openldap addpropvalue \
> profile/default/server_list "serv2.example.com"
example# svccfg -s ldap/server:openldap refresh
Example 3 Setting profile/default/service_search_descriptor (SSD)
svccfg(8) setprop is used to overwrite all current values, followed by
addpropvalue to add an additional value. The SMF instance is then
refreshed using svcadm(8) to commit the changes. The values are then
displayed with svcprop(1) and piped through fmt(1) for brevity.
example# svccfg -s ldap/server:openldap \
> setprop profile/default/service_search_descriptor = \
> "printers:ou=hc,dc=example,dc=com?one"
example# svccfg -s ldap/server:openldap addpropvalue \
> profile/default/service_search_descriptor \
> "ethers:ou=mac,dc=example,dc=com?sub"
example# svcadm refresh ldap/server:openldap
example# svcprop -p profile/default/service_search_descriptor \
> ldap/server:openldap | fmt -60
"printers:ou=hc,dc=example,dc=com?one"
"ethers:ou=mac,dc=example,dc=com?sub"
Example 4 Setting the cred/admin_passwd value for OpenLDAP
non-interactive configuration
svccfg(8) is used in combination with slappasswd(8oldap) to prompt for
and save the password. The use of mktemp(1) keeps the password off of
the command line; /usr/bin/echo's \c suppresses the trailing newline so
that the hash lands on the same line as the setprop command.
example# tmp=`mktemp` &&
> (/usr/bin/echo 'setprop cred/admin_passwd = astring: \c'; /usr/sbin/slappasswd) > $tmp &&
> svccfg -s ldap/server:openldap -f $tmp; rm $tmp
New password:
Re-enter new password:
example# svcadm refresh ldap/server:openldap
FILES
/etc/openldap/certs/server.pem (OpenLDAP)
/etc/openldap/certs/server.key (OpenLDAP)
A self-signed certificate and private key are generated. They can
be replaced as desired.
/etc/certs/ca-certificates.crt
Contains a list of root certificates that the server trusts. This
list should include the certificates used to sign the server's
certificate, if a CA-signed certificate is used.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
|---------------------|---------------------|
| ATTRIBUTE TYPE      | ATTRIBUTE VALUE     |
|---------------------|---------------------|
| Availability        | system/network/ldap |
| Interface Stability | Committed           |
|---------------------|---------------------|
SEE ALSO
attributes(7), idsconfig(8), ldap(7), ldap_cachemgr(8), ldapaddent(8),
ldapclient(8), ldaplist(1), resolv.conf(5), slapd(8oldap),
slappasswd(8oldap)
RFC 4876: A Configuration Profile Schema for Lightweight Directory
Access Protocol (LDAP)-Based Agents
RFC 2307: An Approach for Using LDAP as a Network Information Service
Oracle Solaris Schema:
https://docs.oracle.com/cd/E37838_01/html/E61012/appendixa-5.html
Oracle Solaris 11.4 23 Jul 2020 ldapservercfg(8)