Real path: /usr/share/man/man8/ldapservercfg.8
'\" te .\" Copyright (c) 2016, 2020, Oracle and/or its affiliates. .TH ldapservercfg 8 "23 Jul 2020" "Oracle Solaris 11.4" "System Administration Commands" .SH NAME ldapservercfg \- prepare a directory server to be populated with data and serve \fBLDAP\fR clients .SH SYNOPSIS .LP .nf \fBldapservercfg\fR [\fB-avq\fR] [\fB-d\fR \fIdebug-level\fR] \fIserver-type\fR .fi .SH DESCRIPTION .sp .LP The \fBldapservercfg\fR utility is used to configure and populate a directory server to serve \fBLDAP\fR clients. .sp .LP The \fBldapservercfg\fR utility uses \fIserver-type\fR to specify the type of directory server to be configured. The current supported server types are: .sp .ne 2 .mk .na \fB\fBoud\fR\fR .ad .RS 12n .rt Oracle Unified Directory (version 11.1.2.3 and later) .RE .sp .ne 2 .mk .na \fB\fBopenldap\fR\fR .ad .RS 12n .rt OpenLDAP (version as packaged with Oracle Solaris) .RE .sp .LP The directory server is configured to support Oracle Solaris naming services, as defined in \fB/usr/share/lib/ldif/nameservice.ldif\fR, and Kerberos services as defined in \fB/usr/share/lib/ldif/kerberos.ldif\fR. .sp .LP The Directory Information Tree (\fBDIT\fR) structure recommended in \fBRFC2307bis-02\fR is created. .sp .LP A default LDAP configuration profile is created to allow automatic configuration of \fBLDAP\fR clients. .SS "Oracle Unified Directory" .sp .LP When the \fBoud\fR option is selected, it is assumed that the Oracle Unified Directory server has been installed and enabled according to the procedures documented in section "Setting Up the Directory Server" in OUD Administration Guide. Ensure the security features such as \fBSSL/TLS\fR, \fBsasl/DIGEST\fR or \fBsasl/GSSAPI\fR are enabled on server side if you want to access the server through corresponding security mechanism. .sp .LP The tool supplies a default settings for its parameters and allows the user to edit them. 
.SS "OpenLDAP"
.sp
.LP
Configures OpenLDAP using the rights profile \fBOpenLDAP\fR, which includes the required user, group, authorizations and privileges to properly execute \fBldapservercfg\fR and to configure and enable the \fBslapd\fR server. \fBldapservercfg\fR should be started through \fBpfexec\fR or a profile shell.
.sp
.LP
The tool reads initial parameter values from \fBsvc:/network/ldap/server:openldap\fR.
.sp
.LP
If necessary, the server is converted to use Online Configuration (OLC). The server is configured to accept unencrypted connections on port 389, encrypted connections (with \fBSTARTTLS\fR) on port 389, and encrypted connections (using raw \fBTLS\fR) on port 636.
.sp
.LP
When the server configuration is successful, the configuration properties in \fBsvc:/network/ldap/server:openldap\fR are updated.
.SS "Special Accounts"
.sp
.LP
Four special accounts might be created. Their names, default Distinguished Names (DN) and uses are:
.sp
.ne 2
.mk
.na
\fBConfiguration (OpenLDAP only)\fR
.ad
.br
.na
\fB\fBDN: cn=config\fR\fR
.ad
.br
.sp .6
.RS 4n
The configuration account is used to create new databases or load additional schemas. Its password is set to the same value as the Backend Manager password.
.RE
.sp
.ne 2
.mk
.na
\fBBackend Manager (OpenLDAP only)\fR
.ad
.br
.na
\fB\fBDN: cn=\fR\fIManager\fR\fB,\fR \fISearch_base\fR (default)\fR
.ad
.br
.sp .6
.RS 4n
The backend account is the manager for the directory. It has complete access to all data in the directory.
.RE
.sp
.ne 2
.mk
.na
\fBAdmin\fR
.ad
.br
.na
\fB\fBDN: cn=\fR\fIadmin\fR\fB, ou=profile,\fR \fIsearch_base\fR (default)\fR
.ad
.br
.sp .6
.RS 4n
The admin account is created if \fBshadow\fR update is enabled. Clients use this account to add or modify users.
.sp
Users with the \fBsolaris.password.assign\fR authorization are able to change other users' passwords only if the client system is configured with an administrator account and password and \fBenableShadowUpdate\fR is configured. See \fBldapclient\fR(8) for details.
.RE
.sp
.ne 2
.mk
.na
\fBProxy\fR
.ad
.br
.na
\fB\fBDN: cn=\fR\fIproxyagent\fR\fB, ou=profile\fR, \fIsearch_base\fR (default)\fR
.ad
.br
.sp .6
.RS 4n
This account is created if \fBproxy\fR access is enabled. Clients will be configured to bind as this account.
.RE
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-d\fR \fIdebug-level\fR\fR
.ad
.br
.sp .6
.RS 4n
Specifies the debug level:
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.RS 5n
.rt
Turns off debugging
.RE
.sp
.ne 2
.mk
.na
\fB\fB1\fR\fR
.ad
.RS 5n
.rt
Turns on debugging and opens tracing
.RE
.sp
.ne 2
.mk
.na
\fB\fB2\fR\fR
.ad
.RS 5n
.rt
Function stacks
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fB-a\fR (OpenLDAP only)\fR
.ad
.br
.sp .6
.RS 4n
Specifies that the server should be configured with no human interaction, using SMF property values and default values. For more information, see the PARAMETERS section below.
.sp
The SMF service \fBsvc:/network/ldap/server:openldap\fR uses this option the first time the service is enabled.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-q\fR\fR
.ad
.br
.sp .6
.RS 4n
Quiet output.
.RE
.sp
.ne 2
.mk
.na
\fB\fB-v\fR\fR
.ad
.br
.sp .6
.RS 4n
Verbose output.
.RE
.SH PARAMETERS
.sp
.LP
For \fBOpenLDAP\fR installations, server configuration parameters can be specified through properties on \fBsvc:/network/ldap/server:openldap\fR.
.sp
.LP
Writing these properties requires the authorization \fBsolaris.smf.value.name-service.ldap.server\fR.
.sp
.LP
Reading the properties in the \fBcred\fR property group requires the authorization \fBsolaris.smf.read.name-service.ldap.server\fR.
.SS "Account credentials"
.sp
.LP
Some of the Special Account names can be configured in SMF property values.
Below, each account property name is paired with its password property.
.sp
.LP
The password properties are only used by \fBldapservercfg\fR during non-interactive use. When setting passwords into properties, they should be hashed using \fBslappasswd\fR(8oldap).
.sp
.ne 2
.mk
.na
\fBBackend Manager (OpenLDAP only)\fR
.ad
.br
.na
\fB\fBcred/backend_cn\fR\fR
.ad
.br
.na
\fB\fBcred/backend_passwd\fR\fR
.ad
.br
.sp .6
.RS 4n
\fBcred/backend_cn\fR defaults to \fIManager\fR when not set.
.sp
\fBcred/backend_passwd\fR defaults to the system's root password and is also used for the Configuration account.
.RE
.sp
.ne 2
.mk
.na
\fBAdmin\fR
.ad
.br
.na
\fB\fBcred/admin_cn\fR\fR
.ad
.br
.na
\fB\fBcred/admin_passwd\fR\fR
.ad
.br
.sp .6
.RS 4n
When not set, \fBcred/admin_cn\fR defaults to \fIadmin\fR.
.sp
When \fBldapservercfg\fR is run non-interactively, this account will be created and shadow update enabled only if a password hash is set.
.sp
See Example 4 below.
.RE
.sp
.ne 2
.mk
.na
\fBProxy\fR
.ad
.br
.na
\fB\fBcred/proxy_cn\fR\fR
.ad
.br
.na
\fB\fBcred/proxy_passwd\fR\fR
.ad
.br
.sp .6
.RS 4n
When not set, \fBcred/proxy_cn\fR defaults to \fIproxyagent\fR.
.sp
When \fBldapservercfg\fR is run non-interactively, this account will be created if \fBprofile/default/credential_level\fR specifies \fIproxy\fR and \fBcred/proxy_passwd\fR is set. When \fBcred/proxy_passwd\fR is not set, the \fBprofile/default/credential_level\fR of \fIproxy\fR is ignored and \fBanonymous\fR is used instead.
.RE
.SS "LDAP configuration properties"
.sp
.LP
These properties are used to configure the LDAP service and to save a client profile within the directory.
.sp
.ne 2
.mk
.na
\fBSearch Base (base DN):\fR
.ad
.br
.na
\fB\fBprofile/default/search_base\fR\fR
.ad
.br
.sp .6
.RS 4n
Default: derived from the system's DNS domain name or, if not available, \fIdc=example,dc=com\fR
.sp
Containers are created relative to this DN.
.sp
Clients are instructed to search relative to this DN.
.sp
For example, if the host name is \fIldap.example.net\fR, the default Search Base DN would be "\fIdc=example,dc=net\fR".
.RE
.sp
.ne 2
.mk
.na
\fBClient Authentication:\fR
.ad
.br
.na
\fB\fBprofile/default/authentication_method\fR\fR
.ad
.br
.sp .6
.RS 4n
Default: \fBtls:simple\fR
.sp
This property controls which authentication method the generated LDAP client profile directs client systems to use.
.sp
For a full list of supported authentication methods and additional information, see \fBldapclient\fR(8).
.RE
.sp
.ne 2
.mk
.na
\fBCredential Level:\fR
.ad
.br
.na
\fB\fBprofile/default/credential_level\fR\fR
.ad
.br
.sp .6
.RS 4n
Default: proxy
.sp
Specifies the credential level the client should use to contact the directory. The credential levels supported are \fBanonymous\fR, \fBproxy\fR, and \fBself\fR. If the \fBproxy\fR credential level is specified, then the \fBauthentication_method\fR attribute must be specified to determine the authentication mechanism. Also, if the credential level is \fBproxy\fR and at least one of the authentication methods requires a bind DN, the \fBcred/proxy_cn\fR and \fBcred/proxy_passwd\fR attribute values must be set.
.sp
If the \fBself\fR credential level is specified, the \fBauthentication_method\fR must be \fBsasl/GSSAPI\fR.
.RE
.sp
.ne 2
.mk
.na
\fBSearch Scope:\fR
.ad
.br
.na
\fB\fBprofile/default/search_scope\fR\fR
.ad
.br
.sp .6
.RS 4n
Default: one
.sp
Specifies the default search scope for the client's search operations. This default can be overridden for a given service by specifying a \fBservice_search_descriptor\fR. The default is a one-level search.
.RE
.sp
.ne 2
.mk
.na
\fBServer List\fR
.ad
.br
.na
\fB\fBprofile/default/server_list\fR\fR
.ad
.br
.sp .6
.RS 4n
Default: system's host name
.sp
A multi-valued property providing LDAP server names whose addresses the LDAP client can resolve without the LDAP name service. Clients must resolve the LDAP servers' names to addresses by using either files or DNS.
If an LDAP server name cannot be resolved, the naming service will fail.
.sp
The fully qualified domain names MUST also match those provided in any certificates.
.sp
See Example 2 below.
.RE
.sp
.ne 2
.mk
.na
\fBService Search Descriptor:\fR
.ad
.br
.na
\fB\fBprofile/default/service_search_descriptor\fR\fR
.ad
.br
.sp .6
.RS 4n
Overrides the default base DN for LDAP searches for a given service. The format of the descriptors also allows overriding the default search scope and search filter for each service. The default value for all services is \fINULL\fR. This is a multi-valued attribute with one value per service.
.sp
The syntax of \fBservice_search_descriptor\fR is defined in the profile \fBIETF\fR draft; its basic format is:
.sp
\fIservice\fR:[\fIbase\fR][?[\fIscope\fR][?[\fIfilter\fR]]][;[\fIbase\fR][?[\fIscope\fR][?[\fIfilter\fR]]]]
.sp
In the example SSD:
.sp
.sp
.in +2
.nf
passwd:ou=staff,dc=example,dc=com?sub?(&(objectClass=posixAccount)(fulltimeEmployee=TRUE));ou=volunteer,dc=example,dc=com?one
.fi
.in -2
.sp
the LDAP client would do a \fIsub\fR level search in \fIou=staff,dc=example,dc=com\fR applying the filter \fI(&(objectClass=posixAccount)(fulltimeEmployee=TRUE))\fR, and search \fIou=volunteer,dc=example,dc=com\fR at the single level (\fIone\fR) with the default filter \fB(objectClass=posixAccount)\fR for the \fIpasswd\fR service.
.sp
See Example 3 below for pre-setting multiple services.
.RE
.SS "Schema and DIT Structure"
.sp
.LP
The following schema elements are added to the server if they are not already installed:
.sp
.LP
Object classes:
.sp
.in +2
.nf
SolarisQualifiedUserAttr
DUAConfigProfile
.fi
.in -2
.sp
.sp
.LP
Attribute types:
.sp
.in +2
.nf
SolarisUserAttrEntry
SolarisUserType
.fi
.in -2
.sp
.sp
.LP
Access control lists are set so that:
.sp
.in +2
.nf
|-----------------|---------------------------------------------------|
|     Options     |                      Results                      |
|                 |        Non-Sensitive     |        Sensitive       |
| Proxy? | Admin? | Anon? | Proxy? | Admin? | Anon? | Proxy? | Admin? |
|--------|--------|-------|--------|--------|-------|--------|--------|
| No[1]  | No     | Read  | -      | -      | No    | -      | -      |
| No     | Yes    | Read  | -      | Write  | No    | -      | Write  |
| Yes    | No     | No    | Read   | -      | No    | Read   | -      |
| Yes    | Yes    | No    | Read   | Write  | No    | Read   | Write  |
|--------|--------|-------|--------|--------|-------|--------|--------|
.fi
.in -2
.sp
.sp
.LP
[1] Default configuration
.sp
.LP
Non-sensitive attributes are:
.RS +4
.TP
.ie t \(bu
.el o
uid
.RE
.RS +4
.TP
.ie t \(bu
.el o
uidNumber
.RE
.RS +4
.TP
.ie t \(bu
.el o
gidNumber
.RE
.RS +4
.TP
.ie t \(bu
.el o
cn
.RE
.RS +4
.TP
.ie t \(bu
.el o
objectClass
.RE
.RS +4
.TP
.ie t \(bu
.el o
memberUid
.RE
.RS +4
.TP
.ie t \(bu
.el o
memberGid
.RE
.RS +4
.TP
.ie t \(bu
.el o
loginShell
.RE
.RS +4
.TP
.ie t \(bu
.el o
homeDirectory
.RE
.RS +4
.TP
.ie t \(bu
.el o
gecos
.RE
.RS +4
.TP
.ie t \(bu
.el o
description
.RE
.RS +4
.TP
.ie t \(bu
.el o
nisDomain
.RE
.RS +4
.TP
.ie t \(bu
.el o
automountMapName
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisAttrKeyValue
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisAttrShortDesc
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisAttrLongDesc
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisKernelSecurityPolicy
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisProfileType
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisProfileId
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisUserQualifier
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisProjectId
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisProjectName
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisProjectAttr
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisUserAttrEntry
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisUserType
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisAttrReserved1
.RE
.RS +4
.TP
.ie t \(bu
.el o
SolarisAttrReserved2
.RE
.sp
.LP
Security-critical attributes are:
.RS +4
.TP
.ie t \(bu
.el o
userPassword
.RE
.RS +4
.TP
.ie t \(bu
.el o
shadowLastChange
.RE
.RS +4
.TP
.ie t \(bu
.el o
shadowMin
.RE
.RS +4
.TP
.ie t \(bu
.el o
shadowMax
.RE
.RS +4
.TP
.ie t \(bu
.el o
shadowWarning
.RE
.RS +4
.TP
.ie t \(bu
.el o
shadowInactive
.RE
.RS +4
.TP
.ie t \(bu
.el o
shadowExpire
.RE
.RS +4
.TP
.ie t \(bu
.el o
shadowFlag
.RE
.sp
.LP
In addition, \fBuserPassword\fR is writable by the user it belongs to.
.sp
.LP
As recommended by \fBRFC2307bis-02\fR, the DIT under the base DN is laid out with containers for each type of object stored:
.sp
.in +2
.nf
ou=people
    posixAccount
    shadowAccount
ou=group
    posixGroup
ou=services
    ipService
ou=protocols
    ipProtocol
ou=rpc
    oncRpc
ou=hosts
    ipHost
ou=ethers
    ieee802Device
    bootableDevice
ou=networks
    ipNetwork
ou=netgroup
    nisNetgroup
nisMapName=...
    nisObject
automountMapName=...
    automountMap
.fi
.in -2
.sp
.sp
.LP
An \fBRFC 4876\fR profile is created at cn=default, ou=profile, \fIsearch_base\fR.
.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.RS 6n
.rt
Successful completion.
.RE
.sp
.ne 2
.mk
.na
\fB\fB>0\fR\fR
.ad
.RS 6n
.rt
An error occurred.
.RE
.SH EXAMPLES
.LP
\fBExample 1\fR Prompting the User for Input
.sp
.LP
In the following example, the user is prompted for the information needed to set up OUD.
.sp
.in +2
.nf
example# \fBldapservercfg oud\fR
.fi
.in -2
.sp
.LP
\fBExample 2\fR Setting profile/default/server_list
.sp
.LP
\fBsvccfg\fR(8) \fBdelpropvalue\fR is used to delete the existing property values, followed by \fBaddpropvalue\fR twice to add two fully qualified server names.
.sp
.in +2
.nf
example# \fBsvccfg -s ldap/server:openldap delpropvalue \\fR
> \fBprofile/default/server_list '*'\fR
example# \fBsvccfg -s ldap/server:openldap addpropvalue \\fR
> \fBprofile/default/server_list "serv1.example.com"\fR
example# \fBsvccfg -s ldap/server:openldap addpropvalue \\fR
> \fBprofile/default/server_list "serv2.example.com"\fR
example# \fBsvccfg -s ldap/server:openldap refresh\fR
.fi
.in -2
.sp
.LP
\fBExample 3\fR Setting \fBprofile/default/service_search_descriptor\fR (SSD)
.sp
.LP
\fBsvccfg\fR(8) \fBsetprop\fR is used to overwrite all current values, followed by \fBaddpropvalue\fR to add an additional value.
The SMF instance is then refreshed using \fBsvcadm\fR(8) to commit the changes. The values are then displayed with \fBsvcprop\fR(1) and piped through \fBfmt\fR(1) for brevity.
.sp
.in +2
.nf
example# \fBsvccfg -s ldap/server:openldap \\fR
> \fBsetprop profile/default/service_search_descriptor = \\fR
> \fB"printers:ou=hc,dc=example,dc=com?one"\fR
example# \fBsvccfg -s ldap/server:openldap addpropvalue \\fR
> \fBprofile/default/service_search_descriptor \\fR
> \fB"ethers:ou=mac,dc=example,dc=com?sub"\fR
example# \fBsvcadm refresh ldap/server:openldap\fR
example# \fBsvcprop -p profile/default/service_search_descriptor \\fR
> \fBldap/server:openldap | fmt -60\fR
"printers:ou=hc,dc=example,dc=com?one"
"ethers:ou=mac,dc=example,dc=com?sub"
.fi
.in -2
.sp
.LP
\fBExample 4\fR Setting the \fBcred/admin_passwd\fR value for OpenLDAP non-interactive configuration
.sp
.LP
\fBsvccfg\fR(8) is used in combination with \fBslappasswd\fR(8oldap) to prompt for and save the password. The use of \fBmktemp\fR(1) keeps the password off the command line.
.sp
.in +2
.nf
example# \fBtmp=`mktemp` &&\fR
> \fB(/usr/bin/echo 'setprop cred/admin_passwd = astring: \c';\fR
> \fB/usr/sbin/slappasswd) > $tmp &&\fR
> \fBsvccfg -s ldap/server:openldap -f $tmp; rm $tmp\fR
New password:
Re-enter new password:
example# \fBsvcadm refresh ldap/server:openldap\fR
.fi
.in -2
.sp
.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/openldap/certs/server.pem\fR (OpenLDAP)\fR
.ad
.br
.na
\fB\fB/etc/openldap/certs/server.key\fR (OpenLDAP)\fR
.ad
.br
.sp .6
.RS 4n
A self-signed certificate and private key are generated. They can be replaced as desired.
.RE
.sp
.ne 2
.mk
.na
\fB\fB/etc/certs/ca-certificates.crt\fR\fR
.ad
.br
.sp .6
.RS 4n
Contains the list of root certificates that the server trusts. If a CA-signed certificate is used, this list should include the certificates used to sign the server's certificate.
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp
.TS
tab(	) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i)
.
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Availability	system/network/ldap
_
Interface Stability	Committed
.TE
.sp
.SH SEE ALSO
.sp
.LP
\fBattributes\fR(7), \fBidsconfig\fR(8), \fBldap\fR(7), \fBldap_cachemgr\fR(8), \fBldapaddent\fR(8), \fBldapclient\fR(8), \fBldaplist\fR(1), \fBresolv.conf\fR(5), \fBslapd\fR(8oldap), \fBslappasswd\fR(8oldap)
.sp
.LP
RFC 4876: A Configuration Profile Schema for Lightweight Directory Access Protocol (LDAP)-Based Agents
.sp
.LP
RFC 2307: An Approach for Using LDAP as a Network Information Service
.sp
.LP
Oracle Solaris Schema:
.LP
.nf
\ \ \ \ https://docs.oracle.com/cd/E37838_01/html/E61012/appendixa-5.html
.fi
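A pre-flight check for the non-interactive configuration described in the PARAMETERS section and Examples 3 and 4 above, added here as an example; it is not part of the ldapservercfg(8) man page or of Oracle Solaris. It reads svcprop(1)-style "name type value" lines for svc:/network/ldap/server:openldap, expands each service_search_descriptor according to the syntax given above (naming the documented fallback for every omitted component), verifies that each cred/*_passwd value carries a {scheme} prefix as produced by slappasswd(8oldap) rather than cleartext, applies the credential-level rules from the page (proxy without cred/proxy_passwd falls back to anonymous; self requires sasl/GSSAPI), and checks every profile/default/server_list name against the server certificate's subjectAltName DNS entries, which the page says MUST match. The function names, the sample property lines and the SAN list are constructed for this example; on a live system the SAN list could be taken from openssl x509 -noout -ext subjectAltName -in /etc/openldap/certs/server.pem (an assumption about the local openssl, not something the man page states), and the property lines from svcprop ldap/server:openldap.

```shell
#!/bin/sh
# Added example, not part of the ldapservercfg(8) man page or Oracle Solaris:
# a pre-flight check of the svc:/network/ldap/server:openldap properties that
# "ldapservercfg -a" consumes. Property names and defaults follow the
# PARAMETERS section; the sample input is constructed and every function name
# is this example's own. Live use: svcprop ldap/server:openldap | preflight

# Expand one service_search_descriptor into "service base= scope= filter="
# rows, naming the documented fallback for each omitted component.
parse_ssd() {
    printf '%s\n' "$1" | awk '{
        i = index($0, ":")
        if (i == 0) { print "FAIL SSD has no service name: " $0; exit 1 }
        svc = substr($0, 1, i - 1); rest = substr($0, i + 1)
        n = split(rest, part, "[;]")        # ";" separates base?scope?filter groups
        if (n == 0) { n = 1; part[1] = "" } # "service:" alone means all defaults
        for (k = 1; k <= n; k++) {
            m = split(part[k], f, "[?]")    # "?" separates base, scope and filter
            base   = (f[1] != "")           ? f[1] : "<profile search_base>"
            scope  = (m >= 2 && f[2] != "") ? f[2] : "<profile search_scope>"
            filter = (m >= 3 && f[3] != "") ? f[3] : "<service default>"
            if (scope != "base" && scope != "one" && scope != "sub" && scope !~ /^</) {
                print "FAIL unknown scope \"" scope "\" for " svc; exit 1
            }
            printf "%s base=%s scope=%s filter=%s\n", svc, base, scope, filter
        }
    }'
}

# 0 if a password property carries a {scheme} prefix as written by
# slappasswd(8oldap), 1 if it looks like cleartext.
is_hashed_value() {
    case "$1" in
        '{SSHA}'*|'{SHA}'*|'{SMD5}'*|'{MD5}'*|'{CRYPT}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Every server_list name must appear in the certificate's subjectAltName DNS
# list ($1, "DNS:a, DNS:b" as openssl prints it), exactly or through a
# single-label wildcard such as DNS:*.example.com.
server_list_matches_san() {
    san=", $1,"; shift; rc=0
    for host; do
        case "$san" in
            *", DNS:$host,"*|*", DNS:*.${host#*.},"*) ;;
            *) echo "FAIL server_list entry $host is not in the certificate SAN"; rc=1 ;;
        esac
    done
    return $rc
}

# Read svcprop(1)-style "name type value..." lines on stdin, print findings
# and return 1 if ldapservercfg -a would fail or silently do less than meant.
preflight() {
    san=$1; rc=0; level=""; auth=""; proxy_pw=""; servers=""
    set -f                                 # values such as (cn=*) must not glob
    while read -r name type value; do
        for v in $value; do                # multi-valued properties list every value
            v=${v#\"}; v=${v%\"}           # svcprop quotes values with special characters
            case "$name" in
                profile/default/credential_level)          level=$v ;;
                profile/default/authentication_method)     auth=$v ;;
                profile/default/server_list)               servers="$servers $v" ;;
                profile/default/service_search_descriptor) parse_ssd "$v" || rc=1 ;;
                cred/proxy_passwd)                         proxy_pw=$v ;;
            esac
            case "$name" in cred/*_passwd)
                if [ -n "$v" ] && ! is_hashed_value "$v"; then
                    echo "FAIL $name is not a {scheme} hash; set it with slappasswd(8oldap)"; rc=1
                fi ;;
            esac
        done
    done
    if [ "$level" = proxy ] && [ -z "$proxy_pw" ]; then
        echo "WARN credential_level proxy without cred/proxy_passwd: anonymous is used instead"
    fi
    if [ "$level" = self ] && [ "$auth" != sasl/GSSAPI ]; then
        echo "FAIL credential_level self requires authentication_method sasl/GSSAPI"; rc=1
    fi
    if [ -n "$san" ] && [ -n "$servers" ]; then
        server_list_matches_san "$san" $servers || rc=1
    fi
    set +f
    return $rc
}

# Constructed input: a cleartext proxy password, an unset admin password (so
# no admin account would be created) and a server name the certificate lacks.
SAMPLE_PROPS='profile/default/credential_level astring proxy
profile/default/authentication_method astring tls:simple
profile/default/server_list astring ldap1.example.com ldap2.example.com
profile/default/service_search_descriptor astring "passwd:ou=staff,dc=example,dc=com?sub?(&(objectClass=posixAccount)(fulltimeEmployee=TRUE));ou=volunteer,dc=example,dc=com?one"
cred/backend_passwd astring "{SSHA}c0nstructedHashNotReal="
cred/admin_passwd astring ""
cred/proxy_passwd astring cleartext-example'
SAMPLE_SAN='DNS:ldap1.example.com, DNS:*.example.net'
printf '%s\n' "$SAMPLE_PROPS" | preflight "$SAMPLE_SAN" && echo "preflight: OK" || echo "preflight: problems found"
```

Run with sh; on the constructed input it expands the two-part passwd SSD, reports cred/proxy_passwd as unhashed and ldap2.example.com as absent from the certificate, and exits non-zero. The reader splits each svcprop line on whitespace and strips one pair of surrounding double quotes, which covers the quoted values svcprop prints (as in Example 3) but not values with embedded whitespace; SAN matching accepts only an exact dNSName or a single-label wildcard, which is the rule TLS clients apply when they compare the names in profile/default/server_list against the certificate.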