Sun Microsystems, Inc.
spacerspacer
spacer www.sun.com docs.sun.com |
spacer
black dot
 
 
16.  Client Setup (Task) Initializing a Client Initializing a Client Manually How to initialize a client manually.  Previous   Contents   Next 
   
 

Modifying a Manual Client Configuration

How to modify a manual configuration

  1. Become superuser

  2. Use the ldapclient mod to change the authentication method to simple.

    # ldapclient mod -a authenticationMethod=simple

  3. Use ldapclient list to verify the change was made.

    # ldapclient list

    NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 192.168.0.0
NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy

Un-initializing a Client

How to un-initialize a client

  1. Become superuser.

  2. Use ldapclient uninit.

    # ldapclient uninit

    System successfully recovered

ldapclient uninit restores the client name service to what it was prior to the most recent init, modify, or manual operation. In other words, it performs an "undo" on the last step taken. For example, if the client was configured to use profile1 and was then changed to use profile2, using ldapclient uninit would revert the client back to using profile1.

TLS Security Setup

Caution - The cert7.db and key3.db files must be readable by everyone. Be sure not to include any private keys in the key3.db file.

If using TLS, the necessary security databases must be installed. In particular, the files cert7.db and key3.db are needed. The cert7.db file contains the database of trusted certificates. The key3.db file contains the client's keys. Although the LDAP naming service client does not use client keys, this file must be present.

Before running ldapclient, you should set up and install the needed security database files described in this section.

See the section 'Configuring LDAP Clients to Use SSL' in the Managing SSL chapter of the iPlanet Directory Server 5.1 Administrator's Guide for information on how to create and manage these files. Once configured, these files must be stored in the location expected by the LDAP naming service client. The attribute certificatePath is used to determine this location. This is by default /var/ldap.

For example, after setting up the necessary cert7.db and key3.db files using Netscape Communicator, copy them to the default location.

# cp $HOME/.netscape/cert7.db /var/ldap

# cp $HOME/.netscape/key3.db /var/ldap

Next, give everyone read access.

# chmod 444 /var/ldap/cert7.db

# chmod 444 /var/ldap/key3.db

Note - Netscape will manage the cert7.db and key3.db in the $HOME/.netscape directory. Copies of these security databases must be stored on a local file system if you are using them for the LDAP naming service client.

Configuring PAM

If you are using pam_ldap, follow the sample pam.conf file included in "An example pam.conf file for pam_ldap" and add the lines containing pam_ldap.so.1 to the client's /etc/pam.conf file. Not every line containing pam_ldap.so.1 is needed. Only the section for the command, login and password, for example, which requires pam_ldap, needs to be modified. For details, see pam.conf(4).

Retrieving Naming Service Information

Using ldaplist

ldaplist is an LDAP utility to list the naming information from the LDAP servers in LDIF format. It can be useful for troubleshooting. See ldaplist(1) for further information.

Listing All LDAP Containers

ldaplist displays its output with a blank line separating records, which is helpful for big multiline records.

Note - The output of ldaplist depends upon the client configuration. For example, if the value of ns_ldap_search is sub rather than one, ldaplist lists all the entries under the current search baseDN.

The following is and example of ldaplist output.

# ldaplist

dn: ou=people,dc=west,dc=example,dc=com

dn: ou=group,dc=west,dc=example,dc=com

dn: ou=rpc,dc=west,dc=example,dc=com

dn: ou=protocols,dc=west,dc=example,dc=com

dn: ou=networks,dc=west,dc=example,dc=com

dn: ou=netgroup,dc=west,dc=example,dc=com

dn: ou=aliases,dc=west,dc=example,dc=com

dn: ou=hosts,dc=west,dc=example,dc=com

dn: ou=services,dc=west,dc=example,dc=com

dn: ou=ethers,dc=west,dc=example,dc=com

dn: ou=profile,dc=west,dc=example,dc=com

dn: automountmap=auto_home,dc=west,dc=example,dc=com

dn: automountmap=auto_direct,dc=west,dc=example,dc=com

dn: automountmap=auto_master,dc=west,dc=example,dc=com

dn: automountmap=auto_shared,dc=west,dc=example,dc=com

Listing All User Entry Attributes

To list specific information such as a user's passwd entry, use getent as follows.

# getent passwd user1

user1::30641:10:Joe Q. User:/home/user1:/bin/csh

If you want to list all attributes, use ldaplist with the -l option.

# ldaplist -l passwd user1

dn: uid=user1,ou=People,dc=west,dc=example,dc=com
        uid: user1
        cn: user1
        uidNumber: 30641
        gidNumber: 10
        gecos: Joe Q. User
        homeDirectory: /home/user1
        loginShell: /bin/csh
        objectClass: top
        objectClass: shadowAccount
        objectClass: account
        objectClass: posixAccount
        shadowLastChange: 6445
        userPassword: {crypt}J6vlYXRU.sW8c
 		 
 
  Previous   Contents   Next