LDAP Client setup

I was using an Ultra 30 with Solaris 8 installed and the updated cluster patch applied. We need to apply the following patches (if not already installed) to update the LDAP client software.


Once we have patched the client, we need to download the client profile from the LDAP server. This creates two files in the /var/ldap directory: ldap_client_file (LDAP server entries) and ldap_client_cred (contains bind parameters). We will use the automount_profile that we created earlier.


# ldapclient -v -P automount_profile -D cn=proxyagent,ou=profile,dc=example,dc=com -w ******** ukstsg10.example.com
Arguments parsed:
proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
profileName: default
proxyPassword: ********
defaultServerList: ukstsg10.example.com
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"
rootDN[0] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: {NS1}eb376635c18412b048
Credential level: 1
Authentication method: 1
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
ldap not running
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configure


Note: in version 5.2 the ldapclient command has changed:

ldapclient init -v -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com \
-a domainName=example.com \
-a profileName=automount_profile \
-a proxyPassword=XXXX \


# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}eb376635c18412b048


# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_PROFILE= automount_profile
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=people,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.master: nisMapName=auto.master,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.home: nisMapName=auto.home,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_master: automountMapName=auto_master,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home: automountMapName=auto_home,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= automount: automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount: automountInformation=nisMapEntry
NS_LDAP_OBJECTCLASSMAP= automount: automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= automount: automount=nisObject

Once the client has created the LDAP client files from the profile information on the LDAP server, the ldap_cachemgr daemon is started and /etc/nsswitch.conf is overwritten with a copy of /etc/nsswitch.ldap. It might be a good idea to edit /etc/nsswitch.conf and change the following entries, otherwise the client may hang on a reboot:

passwd: ldap [NOTFOUND=return] files
group: ldap [NOTFOUND=return] files
hosts: ldap [NOTFOUND=return] files

to:

passwd: files ldap
group: files ldap
hosts: dns files
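
How the name-service switch walks the two orderings above, as an added example that is not part of the original page: a small Python model of an nsswitch.conf source list and its [STATUS=action] criteria. The backends and the root entry are constructed; the jripper entry is the getent output shown on this page.

```python
import re

# Default switch actions: stop on SUCCESS, try the next source otherwise.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse(entry):
    """'ldap [NOTFOUND=return] files' -> [('ldap', actions), ('files', actions)]"""
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", entry):
        if tok.startswith("["):
            for crit in tok[1:-1].split():      # criteria apply to the source before them
                status, action = crit.split("=")
                sources[-1][1][status.upper()] = action.lower()
        else:
            sources.append((tok, dict(DEFAULT_ACTIONS)))
    return sources


def lookup(entry, key, backends):
    """backends maps source name -> callable(key) returning (status, value).
    Returns (status, value, sources_consulted)."""
    consulted, status, value = [], "NOTFOUND", None
    for source, actions in parse(entry):
        status, value = backends[source](key)
        consulted.append(source)
        if actions[status] == "return":
            break
    return status, value, consulted


def table(data):
    """Backend that is reachable and answers from a dict."""
    return lambda key: ("SUCCESS", data[key]) if key in data else ("NOTFOUND", None)


def unavailable(key):
    """Backend that cannot be reached (server down, network not up yet)."""
    return ("UNAVAIL", None)


FILES = {"root": "root:x:0:1:Super-User:/:/sbin/sh"}    # constructed local entry
LDAP = {"jripper": "jripper::5450:1028:Jack Ripper:/export/home/jripper:/bin/ksh"}
UP = {"files": table(FILES), "ldap": table(LDAP)}
DOWN = {"files": table(FILES), "ldap": unavailable}

if __name__ == "__main__":
    for entry in ("ldap [NOTFOUND=return] files", "files ldap"):
        print(entry, "->", lookup(entry, "root", UP), lookup(entry, "root", DOWN))
```

With the LDAP-first line and a reachable server, a local-only account such as root stops at LDAP with NOTFOUND and the files source is never consulted; with "files ldap" the local entry is returned without contacting the server.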

Be aware that the ldap_cachemgr daemon updates only the ldap_client_file when restarted, so any changes to the profile on the LDAP server will be picked up there. The ldap_cachemgr can be restarted with the /etc/init.d/ldap.client start/stop command. At this point the client should be able to connect to the LDAP server; to test, run the following commands:

# getent passwd jripper
jripper::5450:1028:Jack Ripper:/export/home/jripper:/bin/ksh

# ldaplist
dn: cn=3270_mapper,ou=rpc,dc=example,dc=com
dn: cn=Accounting Managers,ou=groups,dc=example,dc=com
dn: cn=activity,ou=rpc,dc=example,dc=com
dn: uid=adm,ou=people,dc=example,dc=com
dn: cn=adm,ou=group,dc=example,dc=com

# ldaplist -l passwd
dn: uid=adm,ou=people,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowaccount
uid: adm
uidNumber: 4
gidNumber: 4
gecos: Admin
homeDirectory: /var/adm
cn: adm
userPassword: {SSHA}rhFuTDacE7Pc6mfzTM/cGssLPeB3EW5RVEgDVQ==

The last command will only work if you have users in the people organizational unit (see setting up the server to add users).

To configure automount to work with the directory server, edit the directory server schema: open the directory GUI and select the Configuration tab, then select Schema. Under User Defined Object Classes, select automount, click Edit, add cn to the allowed attributes and click OK. Then select automountMap, click Edit, add ou to the allowed attributes and click OK.

On the LDAP server we need to create the automount maps using the following LDIF file (delete any maps that were already created):

dn: automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_master

dn: automountkey=/export/home,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /export/home
automountInformation: auto_home -nobrowse

dn: automountkey=/-,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /-
automountInformation: auto_direct

dn: automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_home

dn: automountkey=*,automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: *
automountInformation: ukstsg10.example.com:/export/home/&

Add the maps to the directory server:

# ldapadd -c -D "cn=Directory manager" -f automount.ldif
Bind Password:
adding new entry automountMapName=auto_master,dc=example,dc=com
adding new entry automountkey=/export/home,automountMapName=auto_master,dc=example,dc=com
adding new entry automountkey=/-,automountMapName=auto_master,dc=example,dc=com
adding new entry automountMapName=auto_home,dc=example,dc=com
adding new entry automountkey=*,automountMapName=auto_home,dc=example,dc=com

To check that everything is working run the following command on the client:

# ldaplist -l auto_master
dn: automountkey=/-,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /-
automountInformation: auto_direct

dn: automountkey=/export/home,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /export/home
automountInformation: auto_home -nobrowse

Check that the automount files have been set up correctly on the client:

# cat /etc/auto_master
# Master map for automounter
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse
/xfn -xfn
/- auto_direct

# cat /etc/auto_home
# Home directory map for automounter

# cat /etc/auto_direct

Updating the pam configuration

We will alter the authentication process that the user goes through when logging into the server, so that the LDAP server authenticates first and then UNIX. To do this we must add the following to the /etc/pam.conf file.

Note: back up this file first and always leave a session logged in as root. The first test after altering this file should be to log in as root in another session to make sure everything is OK. There is a possibility that you can lock yourself out of the system. BE CAREFUL.

# cat /var/tmp/pam.conf.ldap
#ident "@(#)pam.conf 1.15 00/02/14 SMI"
# Copyright (c) 1996-1999 by Sun Microsystems, Inc.
# All rights reserved.
# PAM configuration
# Authentication management
login auth requisite pam_authtok_get.so.1
login auth sufficient pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 try_first_pass
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_auth.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
rsh auth required pam_ldap.so.1 try_first_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
other auth required pam_ldap.so.1 try_first_pass
# Account management
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account required pam_unix_account.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
# Session management
other session required pam_unix_session.so.1
# Password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_authtok_store.so.1
other password required pam_ldap.so.1 try_first_pass
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth required pam_unix_auth.so.1
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#dtlogin auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#dtlogin account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1 try_first_pass
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
cron account required pam_unix_account.so.1
#cron account optional pam_krb5.so.1

Now try to log in as a user and check that the automount has worked.
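
How the login auth stack in the listing above is evaluated, as an added example that is not part of the original page: a small Python model of the requisite, required and sufficient control flags. The module outcomes fed to it are constructed scenarios, including the assumption that pam_dhkeys.so.1 returns "ignore".

```python
# Added example: evaluate a pam.conf stack under assumed module outcomes.
PAM_CONF = """\
login auth requisite pam_authtok_get.so.1
login auth sufficient pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1
"""  # the login auth lines, copied from the listing above


def stack(conf, service, mtype):
    """Return [(control_flag, module)] for one service and type, in file order."""
    rows = []
    for line in conf.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == service and f[1] == mtype:
            rows.append((f[2], f[3]))
    return rows


def evaluate(rows, outcome):
    """outcome maps module -> 'success' | 'fail' | 'ignore' (assumed inputs).
    Returns (granted, modules_called)."""
    called, required_failed, any_success = [], False, False
    for flag, module in rows:
        result = outcome[module]
        called.append(module)
        if result == "ignore":
            continue
        ok = result == "success"
        if flag == "requisite" and not ok:
            return False, called            # fail immediately
        if flag == "required" and not ok:
            required_failed = True          # remember the failure, keep going
        if flag == "sufficient" and ok and not required_failed:
            return True, called             # short-circuit: later modules are skipped
        any_success = any_success or ok
    return (any_success and not required_failed), called


LOGIN = stack(PAM_CONF, "login", "auth")
# Constructed scenarios (assumed outcomes, not captured from a real system).
LOCAL_USER = {"pam_authtok_get.so.1": "success", "pam_dhkeys.so.1": "ignore",
              "pam_unix_auth.so.1": "success", "pam_ldap.so.1": "fail",
              "pam_dial_auth.so.1": "success"}
LDAP_USER = dict(LOCAL_USER, **{"pam_unix_auth.so.1": "fail", "pam_ldap.so.1": "success"})
BAD_PASSWORD = dict(LDAP_USER, **{"pam_ldap.so.1": "fail"})

if __name__ == "__main__":
    for name, sc in [("local", LOCAL_USER), ("ldap", LDAP_USER), ("bad", BAD_PASSWORD)]:
        print(name, evaluate(LOGIN, sc))
```

With the stack as listed, an account that passes pam_unix_auth.so.1 is admitted before pam_ldap.so.1 is called, which is what keeps a local root login working when the directory is unreachable; pam_ldap.so.1 is reached only when the local check fails.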

Adding Netgroups

First we need to update /etc/nsswitch.conf, changing:

passwd: files ldap
netgroup: files

to:

passwd: compat
passwd_compat: ldap
netgroup: ldap

Add the following to the bottom of the /etc/passwd file and then run pwconv to update the shadow file


On the LDAP server we need to create the netgroup maps, again using an LDIF file:

dn: cn=webusers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
nisnetgrouptriple: (,jripper,)
cn: webusers

dn: cn=dbausers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
nisnetgrouptriple: (,dbauser,)
cn: dbausers

Now update the LDAP server:

# ldapadd -c -D "cn=Directory manager" -f netgroup.ldif

Now log in as the user to test the netgroup, then log in as a non-privileged account again to make sure that the netgroup is working.


To list the entire class you can use the following:

# ldapsearch -h -D "cn=Directory manager" -b "dc=example,dc=com" -s sub "objectclass=*"

If you have the client running properly you can omit the "-D" option:

# ldapsearch -h -b "dc=example,dc=com" -s sub "objectclass=*"

For a particular user's details:

# ldapsearch -h -b "dc=example,dc=com" "cn=jripper"

For a particular user's email, or uid and login shell:

# ldapsearch -h -b "dc=example,dc=com" "cn=jripper" mail
# ldapsearch -h -b "dc=example,dc=com" "cn=jripper" uid loginshell


To delete a particular host entry:

# ldapdelete -h -D "cn=Directory manager" "cn=localhost,ou=Hosts,dc=example,dc=com"