ldap(7) man page - Windy Hana's Solanara


ldap(7)                          User Commands                         ldap(7)



NAME
       ldap - LDAP as a naming repository

DESCRIPTION
       LDAP  refers  to  Lightweight  Directory  Access  Protocol, which is an
       industry standard for accessing directory servers. By initializing  the
       client  using ldapclient(8) and using the keyword ldap in the name ser‐
       vice switch file, /etc/nsswitch.conf, Oracle Solaris clients can obtain
       naming  information from an LDAP server. Information such as usernames,
       hostnames, and passwords are stored on the LDAP server in  a  Directory
       Information  Tree or DIT. The DIT consists of entries which in turn are
       composed of attributes. Each attribute has a type and one or more  val‐
       ues.


       Oracle  Solaris  LDAP clients use the LDAP v3 protocol to access naming
       information from LDAP servers. The LDAP server must support the  object
       classes  and  attributes  defined in RFC2307bis (draft), which maps the
       naming service model on to LDAP. As an alternate to  using  the  schema
       defined  in  RFC2307bis  (draft),  the  system can be configured to use
       other schema sets and the schema mapping feature is configured  to  map
       between the two.


       The  ldapclient(8)  utility  can make an Oracle Solaris machine an LDAP
       client by setting up the appropriate directories, files, and configura‐
       tion information. The LDAP client caches this configuration information
       in local  cache  files.  This  configuration  information  is  accessed
       through  the  ldap_cachemgr(8)  daemon.  This daemon also refreshes the
       information in the configuration files from the LDAP server,  providing
       better  performance  and  security.  The  ldap_cachemgr must run at all
       times for the proper operation of the naming services.


       There are two  types  of  configuration  information,  the  information
       available through a profile, and the information configured per client.
       The profile contains all the information as to how the client  accesses
       the  directory. The credential information for proxy user is configured
       on a per client basis and is not downloaded through the profile.


       The profile contains server-specific parameters that  are  required  by
       all  clients  to  locate  the servers for the desired LDAP domain. This
       information could be the server's IP address and the search  base  Dis‐
       tinguished Name (DN), for instance. It is configured on the client from
       the default profile during client initialization  and  is  periodically
       updated  by  the  ldap_cachemgr  daemon  when  the  expiration time has
       elapsed.


       Client profiles can be stored on the LDAP server and can be used by the
       ldapclient  utility to initialize an LDAP client. Using the client pro‐
       file is the easiest way  to  configure  a  client  machine.  See  ldap‐
       client(8).


       Credential  information  includes  client-specific  parameters that are
       used by a client. This information could be the Bind DN  (LDAP  "login"
       name) of the client and the password. If these parameters are required,
       they are manually  defined  during  the  initialization  through  ldap‐
       client(8).


       The  naming  information  is stored in containers on the LDAP server. A
       container is a non-leaf entry in the DIT that contains  naming  service
       information.  Containers  are similar to maps in NIS. A default mapping
       between the NIS databases and  the  containers  in  LDAP  is  presented
       below.  The  location of these containers as well as their names can be
       overridden through the use of serviceSearchDescriptors. For more infor‐
       mation, see ldapclient(8).


       Database     Object Class        Container
       ---------    ----------------    ---------------------------
       passwd       posixAccount        ou=people,dc=...
                    shadowAccount
       group        posixGroup          ou=Group,dc=...
       services     ipService           ou=Services,dc=...
       protocols    ipProtocol          ou=Protocols,dc=...
       rpc          oncRpc              ou=Rpc,dc=...
       hosts        ipHost              ou=Hosts,dc=...
       ipnodes      ipHost              ou=Hosts,dc=...
       ethers       ieee802Device       ou=Ethers,dc=...
       bootparams   bootableDevice      ou=Ethers,dc=...
       networks     ipNetwork           ou=Networks,dc=...
       netmasks     ipNetwork           ou=Networks,dc=...
       netgroup     nisNetgroup         ou=Netgroup,dc=...
       aliases      mailGroup           ou=Aliases,dc=...
       publickey    nisKeyObject
       generic      nisObject           nisMapName=...,dc=...
       printers     printerService      ou=Printers,dc=...
       auth_attr    SolarisAuthAttr     ou=SolarisAuthAttr,dc=...
       prof_attr    SolarisProfAttr     ou=SolarisProfAttr,dc=...
       exec_attr    SolarisExecAttr     ou=SolarisProfAttr,dc=...
       user_attr    SolarisUserAttr     ou=people,dc=...



       The security model for clients is defined by a combination of the  cre‐
       dential  level  to be used, the authentication method, and the PAM mod‐
       ules to be used. The credential  level  defines  what  credentials  the
       client  should  use  to  authenticate  to the directory server, and the
       authentication method defines the method of choice. Both of these  can
       be set with multiple values. Oracle Solaris LDAP supports the following
       values for credential level:
         anonymous
         proxy
         self


       The Oracle Solaris LDAP supports the following values  for  authentica‐
       tion method:
         none
         simple
         sasl/CRAM-MD5
         sasl/DIGEST-MD5
         sasl/GSSAPI
         tls:simple
         tls:sasl/CRAM-MD5
         tls:sasl/DIGEST-MD5


       When the credential level is configured as self, DNS must be configured
       and the authentication method must be sasl/GSSAPI. The hosts  and  ipn‐
       odes  in  /etc/nsswitch.conf must be configured to use DNS, for example
       hosts: dns files and ipnodes: dns files.


       sasl/GSSAPI automatically uses  GSSAPI  confidentiality  and  integrity
       options, if they are configured on the directory server.


       The  credential  level of self enables per-user naming service lookups,
       or lookups that use the GSSAPI credentials of the user when  connecting
       to  the directory server. Currently the only GSSAPI mechanism supported
       in this model is Kerberos V5. Kerberos must be  configured  before  you
       can use this credential level.
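The constraints above (the allowed credential levels and authentication methods, and the rule that self requires sasl/GSSAPI plus DNS for hosts and ipnodes) as a small consistency check. This is an added example, not part of ldap(7) or of the Solaris client code; the nsswitch text is constructed, and the cleartext warning for simple without tls is an added check of my own, not a rule stated on this page.

```python
import re

# Values listed in ldap(7) for credentialLevel and authenticationMethod.
CRED_LEVELS = {"anonymous", "proxy", "self"}
AUTH_METHODS = {
    "none", "simple", "sasl/CRAM-MD5", "sasl/DIGEST-MD5", "sasl/GSSAPI",
    "tls:simple", "tls:sasl/CRAM-MD5", "tls:sasl/DIGEST-MD5",
}

# Constructed sample in nsswitch.conf syntax (not the shipped /etc/nsswitch.ldap).
NSSWITCH_SAMPLE = """\
# constructed sample
passwd:     files ldap
group:      files ldap
hosts:      dns files
ipnodes:    dns files
"""


def nsswitch_sources(conf_text, database):
    """Return the ordered list of sources configured for `database`."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^(\S+):\s*(.*)$", line)
        if m and m.group(1) == database:
            # drop [NOTFOUND=return]-style action brackets, keep source names
            return re.sub(r"\[[^\]]*\]", " ", m.group(2)).split()
    return []


def check_client_security(cred_levels, auth_methods, nsswitch_text):
    """Return a list of problems; an empty list means consistent with ldap(7)."""
    problems = []
    for c in cred_levels:
        if c not in CRED_LEVELS:
            problems.append(f"unknown credential level: {c}")
    for a in auth_methods:
        if a not in AUTH_METHODS:
            problems.append(f"unknown authentication method: {a}")
        elif a == "simple":
            # Added check: a simple bind without tls: sends the bind password in cleartext.
            problems.append("simple without tls: sends the bind password in cleartext")
    if "self" in cred_levels:
        # ldap(7): self requires sasl/GSSAPI and DNS for hosts and ipnodes.
        if any(a != "sasl/GSSAPI" for a in auth_methods) or not auth_methods:
            problems.append("credential level self requires authentication method sasl/GSSAPI")
        for db in ("hosts", "ipnodes"):
            if "dns" not in nsswitch_sources(nsswitch_text, db):
                problems.append(f"{db} in nsswitch.conf must use dns with credential level self")
    return problems
```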


       When  TLS  is  specified,  the  default  acceptable minimum protocol is
       TLSv1.1. The minimum acceptable TLS protocol can be overridden  by  the
       environment variable LDAPTLS_PROTOCOL_MIN. SSLv3 is specified as "3.0",
       TLSv1.0 is "3.1", TLSv1.1 is "3.2", and TLSv1.2 is "3.3".  The  accept‐
       able  cipher  suites  can  be  overridden  by  the environment variable
       LDAPTLS_CIPHER_SUITE. The cipher suites list is a colon separated list.
       The cipher suite names are used by OpenSSL. These environment variables
       are defined by the OpenLDAP client configuration in ldap.conf(5oldap).
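The LDAPTLS_PROTOCOL_MIN value mapping and the colon-separated LDAPTLS_CIPHER_SUITE list described above, turned into an audit of the client environment. This is an added example, not code from ldap(7) or OpenLDAP; the WEAK_MARKERS list is an assumed local policy over OpenSSL cipher-suite names, not something the page defines.

```python
import os

# LDAPTLS_PROTOCOL_MIN values and the protocols they name, as given in ldap(7).
PROTOCOL_MIN = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1", "3.3": "TLSv1.2"}
DEFAULT_MIN = "3.2"   # ldap(7): the default acceptable minimum is TLSv1.1

# Substrings that mark an OpenSSL cipher-suite name as weak (assumed policy, not from ldap(7)).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def _version_tuple(value):
    return tuple(int(p) for p in value.split("."))


def protocol_min_ok(value, floor=DEFAULT_MIN):
    """True when an LDAPTLS_PROTOCOL_MIN string permits nothing older than `floor`."""
    if not value:
        value = DEFAULT_MIN            # unset: the client falls back to the default
    if value not in PROTOCOL_MIN:
        return False                   # unrecognised string: fail closed
    return _version_tuple(value) >= _version_tuple(floor)


def weak_cipher_suites(suite_list):
    """Return the entries of a colon-separated cipher list that match WEAK_MARKERS."""
    if not suite_list:
        return []
    return [s for s in suite_list.split(":")
            if s and any(m in s.upper() for m in WEAK_MARKERS)]


def audit_tls_env(env):
    """Audit a mapping of environment variables; returns a list of findings."""
    findings = []
    pmin = env.get("LDAPTLS_PROTOCOL_MIN")
    if not protocol_min_ok(pmin):
        name = PROTOCOL_MIN.get(pmin, "an unknown protocol")
        findings.append(f"LDAPTLS_PROTOCOL_MIN={pmin!r} allows {name}, below the TLSv1.1 default")
    for s in weak_cipher_suites(env.get("LDAPTLS_CIPHER_SUITE")):
        findings.append(f"weak cipher suite in LDAPTLS_CIPHER_SUITE: {s}")
    return findings


if __name__ == "__main__":
    for f in audit_tls_env(os.environ) or ["no TLS findings"]:
        print(f)
```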


       More protection can be provided by means of  access  control,  allowing
       the  server  to  grant access for certain containers or entries. Access
       control is specified by Access Control Lists (ACLs)  that  are  defined
       and  stored  in  the  LDAP server. The Access Control Lists on the LDAP
       server are called Access Control  Instructions  (ACIs)  by  the  Oracle
       Directory  Server  Enterprise Edition (DSEE). Each ACL or ACI specifies
       one or more directory objects, for example, the cn attribute in a  spe‐
       cific  container, one or more clients to whom you grant or deny access,
       and one or more access rights that determine what the clients can do to
       or  with  the  objects.  Clients  can  be users or applications. Access
       rights can be specified as read and write, for example.


       A sample nsswitch.conf(5) file called nsswitch.ldap is provided in  the
       /etc  directory.  This  is  copied  to  /etc/nsswitch.conf by the ldap‐
       client(8) utility. This file uses LDAP as a repository for the  differ‐
       ent databases in the nsswitch.conf file.


       The following list consists of the user commands related to LDAP:

       idsconfig(8)      Prepares a DSEE server to be ready to support Solaris
                         LDAP clients.


       ldapservercfg(8)  Prepares other directory servers to be ready to  sup‐
                         port Solaris LDAP clients.


       ldapaddent(8)     Creates LDAP entries from corresponding /etc files.


       ldapclient(8)     Initializes  LDAP  clients, or generates a configura‐
                         tion profile to be stored in the directory.


       ldaplist(1)       Lists the contents of the LDAP naming space.


FILES
       /var/ldap/ldap_client_cred    Files that contain the LDAP configuration
       /var/ldap/ldap_client_file    of  the  client.  Do  not manually modify
                                     these files. Their content is not guaran‐
                                     teed  to  be  human  readable.  Use ldap‐
                                     client(8) to update them.



       /etc/nsswitch.conf            Configuration file for  the  name-service
                                     switch.


       /etc/nsswitch.ldap            Sample  configuration  file for the name-
                                     service switch configured with  LDAP  and
                                     files.


       /etc/pam.conf                 PAM framework configuration file.


       /etc/pam.d/service            Alternate   PAM  framework  configuration
                                     files.


SEE ALSO
       ldaplist(1),    nsswitch.conf(5),    ldap.conf(5oldap),    pam.conf(5),
       pam_authtok_check(7),     pam_authtok_get(7),     pam_authtok_store(7),
       pam_dhkeys(7),  pam_ldap(7),  pam_passwd_auth(7),  pam_unix_account(7),
       pam_unix_auth(7),  pam_unix_session(7), idsconfig(8), ldap_cachemgr(8),
       ldapaddent(8), ldapclient(8), ldapservercfg(8), slapd(8oldap)



Oracle Solaris 11.4               25 Mar 2020                          ldap(7)
The copyright of the man page content belongs to the man page author.