Secure LDAP server installation and configuration

You need to obtain the following software before the installation:

Sun One Directory Server 5.2 (44Mb)
Java 1.4 or above (61Mb)
Java 64 bit packages (6Mb)
Sun One Directory Server SDK (57Mb) optional but recommended

Solaris 9 O/S
Solaris 9 recommended patch cluster
Sun patch 112960-?? (2Mb)

Note before installation: as Sun One Directory Server installs in /var/mps by default, it may be worth giving that directory its own filesystem.

Install the Solaris 9 O/S and apply the recommended patch cluster; make sure the server is also configured to run 64-bit.

You also need to set up an ldapuser account and an ldap group (optional but advised), and check that the following network ports are not already in use (use the netstat -an command):

389 LDAP directory server port
390 LDAP administration port
636 Secure LDAP directory server port

LDAP directory server setup

Once the above has been configured it is time to set up the directory server. Install the following packages, including the 64-bit ones. If you wish to set up only the directory server, refer to Sun's web site for the packages required.

64-bit Directory Server, 32-bit Administration Server, and Console

SUNWascv, SUNWasvcp, SUNWasvr, SUNWasvu, SUNWdsvcp, SUNWdsvh, SUNWdsvhx, SUNWdsvpl, SUNWdsvr, SUNWdsvu, SUNWdsvx, SUNWicu, SUNWicux, SUNWjss, SUNWldk, SUNWldkx, SUNWpr, SUNWprx, SUNWsasl, SUNWsaslx, SUNWtls, SUNWtlsx

The 64-bit packages are recommended if you expect high volumes of LDAP traffic.

Once the packages have been installed, run idsktune before configuring the directory server; it checks for required patches and makes tuning recommendations. Install the recommended patches and update /etc/system (and /etc/init.d/inetinit, for the ndd settings) to reflect the recommended system parameter settings.

  # ./idsktune
Sun ONE Directory Server system tuning analysis version 9-MAY-2003.
Copyright 2002-2003 Sun Microsystems, Inc.

NOTICE : System is usparc-SUNW,Ultra-4-solaris5.9_s9s_u7wos_09 (3 processors).

NOTICE : Patch 112902-12 (SunOS 5.9: kernel/drv/ip Patch) is not installed.

NOTICE : Patch 113023-01 (SunOS 5.9: Broken preremove scripts in S9 ALC packages) is not installed.

NOTICE : Solaris patches can be obtained from http://sunsolve.sun.com or your
Solaris support representative.

NOTICE : /etc/system does not have a setting for tcp:tcp_conn_hash_size
The default is 256.

NOTICE : The tcp_conn_req_max_q value is currently 128, which will limit the
value of listen backlog which can be configured. It can be raised by adding
to the end of the /etc/init.d/inetinit a line similar to:
ndd -set /dev/tcp tcp_conn_req_max_q 1024

NOTICE : The tcp_keepalive_interval is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.

NOTICE : The tcp_keepalive_interval can be reduced by adding the following line
to the end of the /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_keepalive_interval 600000

NOTICE : The NDD tcp_ip_abort_cinterval is currently set to 180000
milliseconds (180 seconds). This may cause long delays in establishing
outgoing connections if the destination server is down.

NOTICE : If the directory service is intended only for LAN or private
high-speed WAN environment, this interval can be reduced by adding to the end
of the file /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_ip_abort_cinterval 10000

NOTICE : The NDD tcp_ip_abort_interval is currently set to 180000
milliseconds (180 seconds). This may cause long delays in detecting
connection failure if the destination server is down.

NOTICE : If the directory service is intended only for LAN or private
high-speed WAN environment, this interval can be reduced by adding to the end
of the file /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_ip_abort_interval 60000

NOTICE : The TCP initial sequence number generation is not based on RFC 1948.
If this directory service is intended for external access, add the following
to the end of /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_strong_iss 2

NOTICE : The NDD tcp_smallest_anon_port is currently 32768. This allows a
maximum of 32768 simultaneous connections. More ports can be made available by
adding a line to the end of /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_smallest_anon_port 8192

NOTICE : / partition has less space available, 2421MB, than the largest
allowable core file size of 3884MB. A daemon process which dumps core could
cause the root partition to be filled.

Once the above has been carried out it is time to configure the directory server using the directoryserver command:

  # ./directoryserver configure -nodisplay

***********************************************

This script deals with version 5.2 of Directory Server.

Use /usr/sbin/directoryserver.51bak to manage Directory Server 5.1.

***********************************************

You are running the installation program for Directory Server. This program
asks you to supply configuration preference settings that it uses to install
the server.

The installation program consists of one or more selections that provide you
with information and let you enter preferences that determine how Directory
Server is installed and configured.

When you are presented with the following question, the installation process
pauses to allow you to read the information that has been presented. When you
are ready, press Enter to continue.

<Press ENTER to Continue>

Some questions require you to type a response with more detailed information.
The question may have a default value that is displayed in brackets []. For
example, the following question has a default answer of yes:

Are you sure? [yes]

If you want to accept the default answer, press only the Enter key (which on
some keyboards is labeled Return).

If you want to provide a different answer, type it at the command prompt and
then press Enter.

You may type yes or y for an affirmative answer, and no or n for a negative
answer.

If you wish to exit the installation at any time, press the ! key and you will
be given the option to exit or continue.

<Press ENTER to Continue>

Welcome to the Directory Server Installation Program

We strongly recommend that you exit all programs before running the
installation program. If you have other programs running, type Ctrl-C to end
the installation program and then close any other programs you have running.

Warning: This program is protected by copyright law and international treaties.

Unauthorized reproduction or distribution of this program, or any portion of
it, may result in severe civil and criminal penalties, and will be prosecuted
to the maximum extent possible under law.

<Press ENTER to Continue>

Server Root Information

Server Root [/var/mps/serverroot] {"<" goes back, "!" exits}: (location of where to install directory server)

Enter the fully qualified name of the computer

Fully Qualified Computer Name [ukstsg10.ggr.co.uk] {"<" goes back, "!"
exits}: (host name of the directory server including FQDN)

Choose the type of installation you prefer from the following choices:

Express - Installation option choices are made automatically. The easiest
installation and recommended for evaluating the product.

Typical - Software will be installed with the most common options. Recommended
for most deployments.

Custom - You may choose the options you want to install. Recommended for
advanced users.

1. Express
2. Typical
3. Custom

What would you like to do [2] {"<" goes back, "!" exits}? 2

Choose the system user and group names under whose identity
the Sun ONE Directory server will run.

System User [root] {"<" goes back, "!" exits}: ldapuser
System Group [other] {"<" goes back, "!" exits}: ldapgroup

You may store Sun ONE server configuration information in another Sun ONE
Directory Server. If you have already prepared a configuration server, you may
configure the new server to use it.

1. The new instance will be the configuration Directory Server
2. Use existing configuration Directory Server

What would you like to do [1] {"<" goes back, "!" exits}? 1

Configuration Directory Server Administrator

Administrator ID [admin] {"<" goes back, "!" exits}:
Password: (enter password of your choice)
Password (again): (re-enter password of your choice)

You may already have a Directory Server where you store user and group
information.

1. Store data in the new Directory Server
2. Store data in an existing Directory Server

What would you like to do [1] {"<" goes back, "!" exits}? 1

Settings the new server will use for basic operation

Server Identifier [ukstsg10] {"<" goes back, "!" exits}: (server hostname)
Server Port [389] {"<" goes back, "!" exits}: (port number)
Suffix [dc=example, dc=com] {"<" goes back, "!" exits}: (your companies domain)

Administration Domain

Administration Domain [example.com] {"<" goes back, "!" exits}: (your companies domain)

Enter a Distinguished Name (DN) for the Directory Manager and a password at
least 8 characters long.

Directory Manager DN [cn=Directory Manager] {"<" goes back, "!" exits}:
Password: (enter password of your choice)
Password (again): (enter password of your choice)

Installing Directory Server
|-1%--------------25%-----------------50%-----------------75%--------------100%|
Update of the Directory Server layout ... done
Update of the links between server root and Directory Server Layout ... done

[slapd-ukstsg10]: starting up server ...
[slapd-ukstsg10]: [31/Aug/2005:15:33:03 +0100] - Sun-ONE-Directory/5.2 B2003.
143.0020 (32-bit) starting up
[slapd-ukstsg10]: [31/Aug/2005:15:33:07 +0100] - Listening on all interfaces
port 389 for LDAP requests
[slapd-ukstsg10]: [31/Aug/2005:15:33:07 +0100] - slapd started.
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.


Configuration of the server(s) succeeded.


Installation Details:

Product Result More Information
1. Directory Server Installed Available

2. Done

Enter the number corresponding to the desired selection for more
information, or enter 2 to continue [2] {"!" exits}: 2

The directory server has now been installed in /var/mps/serverroot, with its binaries and databases set up. It is time to set up the admin server using the mpsadmserver command:

  # ./mpsadmserver configure -nodisplay

Enter the fully qualified name of the computer

Fully Qualified Computer Name [ukstsg10.ggr.co.uk] {"<" goes back, "!"
exits}: (hostname of directory server including FQDN)

Server Root Information

Server Root: : /var/mps/serverroot

Choose the type of installation you prefer from the following choices:

Express - Installation option choices are made automatically. The easiest
installation and recommended for evaluating the product.

Typical - Software will be installed with the most common options. Recommended
for most deployments.

1. Express
2. Typical

What would you like to do [2] {"<" goes back, "!" exits}? 2

Configuration Directory Server Administrator

Administrator ID [admin] {"<" goes back, "!" exits}:
Password: (enter password of your choice)

Administration Domain

Administration Domain [example.com] {"<" goes back, "!" exits}: (domain)

The Administration Server runs on a different network port from other servers.
Specify the number of the port.

Administration Port [390] {"<" goes back, "!" exits}: 390

Installing Administration Server
|-1%--------------25%-----------------50%-----------------75%--------------100%|
Checking connection to the Configuration Directory Server... done.

Updating Administration Server layout... done.
Updating links between Server Root and Administration Server layout... done.
Registering Administration Server with Configuration Directory Server... done.
Loading Administration Server tasks... done.
Loading global Administration Server configuration... done.
Generating configuration files ... done.

Configuration of the Administration Server succeeded.

SunONE-WebServer-Enterprise/6.0SP3 B05/14/2003 17:58
warning: daemon is running as super-user
[LS ls1] http://ukstsg10.example.com, port 390 ready to accept requests
startup: server started successfully

Administration server started properly.


Installation Details:

Product Result More Information
1. Administration Server Installed Available

2. Done

Enter the number corresponding to the desired selection for more
information, or enter 2 to continue [2] {"!" exits}: 2

The admin server should now be registered with and connected to the directory server.

You can set up the directory server in silent mode by editing a copy of /usr/ds/v5.2/setup/typical.ins and then running the following command:

# /usr/sbin/directoryserver configure -f <myfile.ins>

To set up the admin server in silent mode run the following:

# /usr/sbin/mpsadmserver configure -f <filename>

Now we need to create the object classes, containers, ACIs and client profiles; the idsconfig script does this for us.

  # cd /usr/lib/ldap
  # ./idsconfig -d

It is strongly recommended that you BACKUP the directory server
before running idsconfig.

Hit Ctrl-C at any time before the final confirmation to exit.

Do you wish to continue with server setup (y/n/h)? [n] y
In prompt_config_info()
Enter the iPlanet Directory Server's (iDS) hostname to setup: ukstsg10.example.com
Enter the port number for iDS (h=help): [389] 389
In chk_ids_version()
VLV controls found on LDAP server.
Enter the directory manager DN: [cn=Directory Manager] cn=Directory Manager
In get_passwd_nochk()
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [ggr.co.uk] example.com
Enter LDAP Base DN (h=help): [dc=example,dc=com] dc=example,dc=com
Checking baseDN: dc=example,dc=com
In check_attrName()
check_attrName: Input Param = dc
check_baseDN: valid key=dc
In check_attrName()
check_attrName: Input Param = dc
check_baseDN: valid key=dc
Enter the profile name (h=help): [default] default
Default server list (h=help): [147.184.30.10] (directory server IP address)
Preferred server list (h=help):
In get_search_scope()
Choose desired search scope (one, sub, h=help): [one] one
In get_cred_level()
The following are the supported credential levels:
1 anonymous
2 proxy
3 proxy anonymous
Choose Credential level [h=help]: [1] 2
In get_auth()
The following are the supported Authentication Methods:
1 none
2 simple
3 sasl/DIGEST-MD5
4 tls:simple
5 tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 2

Current authenticationMethod: simple

Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n] n
Do you want to modify the server timelimit value (y/n/h)? [n] n
Do you want to modify the server sizelimit value (y/n/h)? [n] n
Do you want to store passwords in "crypt" format (y/n/h)? [n] y
Do you want to setup a Service Authentication Methods (y/n/h)? [n] n
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
In reset_ssd_file()
In prompt_ssd()
Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] a

In add_ssd()
Enter the service id: passwd
Enter the base: ou=people,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] a

In add_ssd()
Enter the service id: group
Enter the base: ou=group,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] a

In add_ssd()
Enter the service id: shadow
Enter the base: ou=people,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] quit

In add_ssd()
Enter the service id: netgroup
Enter the base: ou=netgroup,dc=example,dc=com
Enter the scope: one
A Add a Service Search Descriptor
D Delete a SSD
M Modify a SSD
P Display all SSD's
H Help
X Clear all SSD's
Q Exit menu
Enter menu choice: [Quit] quit


IDS_SERVER = ukstsg10.example.com
IDS_PORT = 389
LDAP_ROOTDN = cn=Directory Manager
LDAP_ROOTPWD = *********
LDAP_DOMAIN = example.com
LDAP_TREETOP =
LDAP_BASEDN = dc=example,dc=com
LDAP_PROFILE_NAME = default
LDAP_SERVER_LIST = 147.184.30.10
LDAP_PREF_SRVLIST =
LDAP_SEARCH_SCOPE = one
LDAP_CRED_LEVEL = proxy
LDAP_AUTHMETHOD = simple
LDAP_FOLLOWREF = FALSE
IDS_TIMELIMIT =
IDS_SIZELIMIT =
NEED_CRYPT = FALSE
NEED_SRVAUTH_PAM = 0
NEED_SRVAUTH_KEY = 0
NEED_SRVAUTH_CMD = 0
LDAP_SRV_AUTHMETHOD_PAM =
LDAP_SRV_AUTHMETHOD_KEY =
LDAP_SRV_AUTHMETHOD_CMD =
LDAP_SEARCH_TIME_LIMIT = 30
LDAP_PROFILE_TTL = 43200
LDAP_BIND_LIMIT = 10
LDAP_SERV_SRCH_DES =

In display_summary()
Summary of Configuration

1 Domain to serve : example.com
2 Base DN to setup : dc=example,dc=com
3 Profile name to create : default
4 Default Server List : 147.184.30.10
5 Preferred Server List :
6 Default Search Scope : one
7 Credential Level : proxy
8 Authentication Method : tls:simple
9 Enable Follow Referrals : FALSE
10 iDS Time Limit :
11 iDS Size Limit :
12 Enable crypt password storage : FALSE
13 Service Auth Method pam_ldap :
14 Service Auth Method keyserv :
15 Service Auth Method passwd-cmd:
16 Search Time Limit : 30
17 Profile Time to Live : 43200
18 Bind Limit : 10
19 Service Search Descriptors Menu

Enter config value to change: (1-19 0=commit changes) [0] 0
Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=com]
In get_passwd()
Enter passwd for proxyagent:
Re-enter passwd:
IDS_SERVER = ukstsg10.example.com
IDS_PORT = 389
LDAP_ROOTDN = cn=Directory Manager
LDAP_ROOTPWD = ********
LDAP_DOMAIN = example.com
LDAP_TREETOP =
LDAP_BASEDN = dc=example,dc=com
LDAP_PROFILE_NAME = default
LDAP_SERVER_LIST = 147.184.30.10
LDAP_PREF_SRVLIST =
LDAP_SEARCH_SCOPE = sub
LDAP_CRED_LEVEL = proxy
LDAP_AUTHMETHOD = tls:simple
LDAP_FOLLOWREF = FALSE
IDS_TIMELIMIT =
IDS_SIZELIMIT =
NEED_CRYPT = FALSE
NEED_SRVAUTH_PAM = 0
NEED_SRVAUTH_KEY = 0
NEED_SRVAUTH_CMD = 0
LDAP_SRV_AUTHMETHOD_PAM =
LDAP_SRV_AUTHMETHOD_KEY =
LDAP_SRV_AUTHMETHOD_CMD =
LDAP_SEARCH_TIME_LIMIT = 30
LDAP_PROFILE_TTL = 43200
LDAP_BIND_LIMIT = 10
LDAP_PROXYAGENT = cn=proxyagent,ou=profile,dc=example,dc=com
LDAP_PROXYAGENT_CRED = ********
NEED_PROXY = 1
LDAP_SERV_SRCH_DES =

WARNING: About to start committing changes. (y=continue, n=EXIT) y

In discover_serv_info()
LDAP_TREETOP = dc=example,dc=com
In modify_cn()
In update_schema_attr()
1. Schema attributes have been updated.
In update_schema_obj()
2. Schema objectclass definitions have been added.
In add_base_objects()
In set_nisdomain()
3. NisDomainObject added to dc=example,dc=com.
In add_new_containers()
4. Top level "ou" containers complete.
In add_auto_maps()
5. automount maps: auto_home auto_direct auto_master auto_shared processed.
In modify_top_aci()
6. ACI for dc=example,dc=com modified to disable self modify.
In add_vlv_aci()
7. Add of VLV Access Control Information (ACI).
In add_proxyagent()
8. Proxy Agent cn=proxyagent,ou=profile,dc=example,dc=com added.
In allow_proxy_read_pw()
9. Give cn=proxyagent,ou=profile,dc=example,dc=com read permission for password.
In add_profile()
In ssd_2_profile()
10. Generated client profile and loaded on server.
In add_eq_indexes()
11. Processing eq,pres indexes:
Adding index for uidNumber
uidNumber (eq,pres) Finished indexing.
Adding index for ipNetworkNumber
ipNetworkNumber (eq,pres) Finished indexing.
Adding index for gidnumber
gidnumber (eq,pres) Finished indexing.
Adding index for oncrpcnumber
oncrpcnumber (eq,pres) Finished indexing.
Adding index for automountKey
automountKey (eq,pres) Finished indexing.
In add_sub_indexes()
12. Processing eq,pres,sub indexes:
Adding index for ipHostNumber
ipHostNumber (eq,pres,sub) Finished indexing.
Adding index for membernisnetgroup
membernisnetgroup (eq,pres,sub) Finished indexing.
Adding index for nisnetgrouptriple
nisnetgrouptriple (eq,pres,sub) Finished indexing.
In add_vlv_indexes()
13. Processing VLV indexes:
Adding index for nisnetgrouptriple
example.com.getgrent vlv_index Entry created
Adding index for example.com.getgrent
example.com.gethostent vlv_index Entry created
Adding index for example.com.gethostent
example.com.getnetent vlv_index Entry created
Adding index for example.com.getnetent
example.com.getpwent vlv_index Entry created
Adding index for example.com.getpwent
example.com.getrpcent vlv_index Entry created
Adding index for example.com.getrpcent
example.com.getspent vlv_index Entry created
Adding index for example.com.getspent
example.com.getauhoent vlv_index Entry created
Adding index for example.com.getauhoent
example.com.getsoluent vlv_index Entry created
Adding index for example.com.getsoluent
example.com.getauduent vlv_index Entry created
Adding index for example.com.getauduent
example.com.getauthent vlv_index Entry created
Adding index for example.com.getauthent
example.com.getexecent vlv_index Entry created
Adding index for example.com.getexecent
example.com.getprofent vlv_index Entry created
Adding index for example.com.getprofent
example.com.getmailent vlv_index Entry created
Adding index for example.com.getmailent
example.com.getbootent vlv_index Entry created
Adding index for example.com.getbootent
example.com.getethent vlv_index Entry created
Adding index for example.com.getethent
example.com.getngrpent vlv_index Entry created
Adding index for example.com.getngrpent
example.com.getipnent vlv_index Entry created
Adding index for example.com.getipnent
example.com.getmaskent vlv_index Entry created
Adding index for example.com.getmaskent
example.com.getprent vlv_index Entry created
Adding index for example.com.getprent
example.com.getip4ent vlv_index Entry created
Adding index for example.com.getip4ent
example.com.getip6ent vlv_index Entry created

idsconfig: Setup of iDS server ukstsg10.example.com is complete.

Note: idsconfig has created entries for VLV indexes. Use the
directoryserver(1m) script on ukstsg10.example.com to stop
the server and then enter the following vlvindex
sub-commands to create the actual VLV indexes:

directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getgrent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.gethostent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getnetent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getpwent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getrpcent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getspent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauhoent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getsoluent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauduent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauthent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getexecent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getprofent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getmailent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getbootent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getethent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getngrpent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getipnent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getmaskent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getprent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getip4ent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getip6ent
In cleanup()

Now that the object classes, profile, etc. have been created, we need to build the VLV indexes as described in the idsconfig output above. These indexes speed up browsing of large databases containing many entries. It is a two-part process: the first part was done by the idsconfig script; the second requires the directory server to be stopped and the following commands run, after which the server should be started again.

# the commands below were obtained from the idsconfig output (see above)

directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getgrent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.gethostent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getnetent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getpwent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getrpcent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getspent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauhoent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getsoluent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauduent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getauthent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getexecent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getprofent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getmailent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getbootent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getethent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getngrpent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getipnent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getmaskent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getprent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getip4ent
directoryserver -s ukstsg10 vlvindex -n userRoot -T example.com.getip6ent

A final check to make sure that the NIS object classes have indeed been configured:

# ldapsearch -b cn=schema objectclass=* | grep nisDomainObject

objectClasses=( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL MUST nisDomain X-ORIGIN 'user defined' )

If nothing comes back, one of the above steps has failed; try unconfiguring the directory server and starting again. To unconfigure the directory server, use the following commands (the subcommand takes no leading dash, as with configure above):

# mpsadmserver unconfigure
# directoryserver unconfigure

Adding users and groups, etc.

When replacing NIS with LDAP, the passwd and shadow data lives under the people organizational unit (ou=people). Gather all the configuration files you wish to load into LDAP; they can be any of the following:

aliases, auto_*, bootparams, ethers, group, hosts, netgroup, netmasks, networks, passwd, shadow, protocols, publickey, rpc and services.

Update and trim them as necessary so they are ready to load into the directory server. Make sure the passwd file you load contains the password hashes taken from the shadow file (i.e. the encrypted password in the second field), then run the following commands to load the files:

ldapaddent -a simple -D "cn=Directory manager" -w <password> -f /etc/passwd passwd
ldapaddent -a simple -D "cn=Directory manager" -w <password> -f /etc/group group
ldapaddent -a simple -D "cn=Directory manager" -w <password> -f /etc/hosts hosts
etc. (one ldapaddent run per file)

Alternatively, you can write your own LDIF files and load them into the directory server. Create a file called users.ldif containing the following:

dn: uid=jripper,ou=people,dc=example,dc=com
givenName: jack
sn: ripper
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: posixAccount
objectclass: shadowaccount
uid: jripper
userPassword: {crypt}R0DoMe2dtpkKw
uidNumber: 5450
gidNumber: 1028
gecos: Jack Ripper
homeDirectory: /export/home/jripper
loginShell: /bin/ksh
cn: jripper
shadowLastChange:
shadowMin:
shadowMax:
shadowWarning:
shadowInactive:
shadowExpire:
shadowFlag:

The user jripper can be added to the directory server by running the following command:

# ldapadd -c -D "cn=Directory manager" -f users.ldif
Bind Password: ********
adding new entry uid=jripper,ou=people,dc=example,dc=com

Groups can also be added by creating a file called group.ldif:

dn: cn=public,ou=group,dc=example,dc=com
cn: public
gidNumber: 1028
objectClass: top
objectClass: posixGroup
memberUid: jripper

Then run the following:

# ldapadd -c -D "cn=Directory manager" -f group.ldif
Bind password: ********
adding new entry cn=public,ou=group,dc=example,dc=com
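The passwd/shadow merge required for ldapaddent above, and the users.ldif and group.ldif entries just shown, can be produced mechanically. The following is an added example (not from the page or from Sun's tools); the sample passwd and shadow lines are constructed, with the jripper values mirroring the page's entry, and the min_uid cut-off is an assumption for the "trim" step.

```python
# Constructed example, not from the page: merge /etc/passwd with /etc/shadow so the
# passwd file carries the password hashes (as ldapaddent above requires), and emit
# users.ldif / group.ldif entries in the same shape as the jripper and public
# examples. The sample input below is constructed; jripper's values mirror the page.

PASSWD_SAMPLE = """\
root:x:0:0:Super-User:/:/sbin/sh
jripper:x:5450:1028:Jack Ripper:/export/home/jripper:/bin/ksh
"""
SHADOW_SAMPLE = """\
root:NP:6445::::::
jripper:R0DoMe2dtpkKw:13026:7:90:14:::
"""

# shadow(4) fields after the hash, in order; they map onto the shadowAccount
# attributes that the page's users.ldif lists.
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag")
# Placeholders in the hash field that are not real crypt(3) hashes.
NO_HASH = ("", "x", "NP", "*LK*", "*")


def parse_colon_file(text):
    """Return {name: fields} for a passwd/shadow style file; blanks and comments are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def merge_passwd_shadow(passwd_text, shadow_text, min_uid=100):
    """Rebuild passwd lines with the shadow hash in field 2, dropping system accounts
    below min_uid (the 'trim' step). Raises if a user has no shadow entry."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for name, f in parse_colon_file(passwd_text).items():
        if len(f) != 7:
            raise ValueError("malformed passwd line for %s" % name)
        if int(f[2]) < min_uid:
            continue
        if name not in shadow:
            raise ValueError("no shadow entry for %s" % name)
        merged.append(":".join([name, shadow[name][1]] + f[2:]))
    return merged


def user_to_ldif(merged_line, shadow_line, base_dn="dc=example,dc=com"):
    """Emit one posixAccount/shadowAccount entry like the page's users.ldif from a
    merged passwd line plus its shadow line. Empty shadow fields are omitted rather
    than written as blank attribute values."""
    name, pw_hash, uid, gid, gecos, home, shell = merged_line.split(":")
    s = shadow_line.split(":")
    if s[0] != name:
        raise ValueError("shadow line is for %s, not %s" % (s[0], name))
    given, _, sn = gecos.partition(" ")
    out = ["dn: uid=%s,ou=people,%s" % (name, base_dn),
           "givenName: %s" % (given.lower() or name),
           "sn: %s" % (sn.lower() or name)]
    out += ["objectclass: %s" % oc for oc in
            ("top", "person", "organizationalPerson", "inetorgperson",
             "posixAccount", "shadowaccount")]
    out.append("uid: %s" % name)
    if pw_hash not in NO_HASH:          # locked / NP accounts get no userPassword
        out.append("userPassword: {crypt}%s" % pw_hash)
    out += ["uidNumber: %s" % uid, "gidNumber: %s" % gid, "gecos: %s" % gecos,
            "homeDirectory: %s" % home, "loginShell: %s" % shell, "cn: %s" % name]
    for attr, val in zip(SHADOW_ATTRS, s[2:9]):
        if val:
            out.append("%s: %s" % (attr, val))
    return "\n".join(out) + "\n"


def group_to_ldif(name, gid, members, base_dn="dc=example,dc=com"):
    """Emit a posixGroup entry like the page's group.ldif."""
    out = ["dn: cn=%s,ou=group,%s" % (name, base_dn), "cn: %s" % name,
           "gidNumber: %s" % gid, "objectClass: top", "objectClass: posixGroup"]
    out += ["memberUid: %s" % m for m in members]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    shadow = parse_colon_file(SHADOW_SAMPLE)
    for line in merge_passwd_shadow(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(user_to_ldif(line, ":".join(shadow[line.split(":")[0]])))
    print(group_to_ldif("public", 1028, ["jripper"]))
```

The merged lines can be written to a file and fed to ldapaddent as the passwd database; the LDIF output can be loaded with ldapadd exactly as shown above.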

LDAP profiles

LDAP profiles can be generated on the client or stored on the directory server. A profile contains the parameters a client needs to connect to the server: proxy password, proxy cn, server list, version, authentication method, etc.

The best approach is to store the profiles on the LDAP server; that way clients fetch the most up-to-date version from the server every time they reboot.

The easiest way to create a profile is to write an LDIF file and store it on the directory server with ldapadd. We will create an automount_profile that will be used by the client later. Remember that a default profile was already created during the idsconfig process.

dn: cn=automount_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: 147.184.30.10
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: FALSE
defaultSearchScope: sub
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: automount_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=people,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=people,dc=example,dc=com?one
serviceSearchDescriptor: auto.master: nisMapName=auto.master,dc=example,dc=com?one
serviceSearchDescriptor: auto.home: nisMapName=auto.home,dc=example,dc=com?one
serviceSearchDescriptor: auto_master: automountMapName=auto_master,dc=example,dc=com?one
serviceSearchDescriptor: auto_home: automountMapName=auto_home,dc=example,dc=com?one
serviceSearchDescriptor: auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
objectclassMap: automount: automount=nisObject
objectclassMap: automount: automountMap=nisMap
attributeMap: automount: automountInformation=nisMapEntry
attributeMap: automount: automountKey=cn
attributeMap: automount: automountMapName=nisMapName

Now store this profile in the directory:

# ldapadd -c -D "cn=Directory manager" -f automount_profile.ldif
Bind Password:
adding new entry cn=automount_profile,ou=profile,dc=example,dc=com
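Before loading a profile it is worth checking it, since every client copies these settings: in particular, credentialLevel proxy combined with a plain authenticationMethod of simple (rather than tls:simple or a SASL method from the idsconfig menu above) means the proxy agent's bind password crosses the network unencrypted on every client lookup. The following is an added example (not part of the page or of Solaris) that parses a DUAConfigProfile entry, splits the serviceSearchDescriptor values into service, base and scope, and reports such findings; the profile text is a constructed copy of the entry above.

```python
# Constructed example, not from the page: parse a DUAConfigProfile LDIF entry such as
# the automount_profile above, split its serviceSearchDescriptor values into
# (service, base, scope), and flag settings that weaken client security.

PROFILE_LDIF = """\
dn: cn=automount_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: 147.184.30.10
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: FALSE
defaultSearchScope: sub
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: automount_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=people,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: auto_home: automountMapName=auto_home,dc=example,dc=com?one
"""

SCOPES = ("base", "one", "sub")
# Methods from the idsconfig menu that protect the bind credentials on the wire.
PROTECTED_METHODS = ("tls:simple", "tls:sasl/DIGEST-MD5", "sasl/DIGEST-MD5")


def parse_ldif_entry(text):
    """Return {attr_lower: [values]} for one LDIF entry with plain (non-base64) values,
    joining LDIF continuation lines (a leading space) onto the previous line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    attrs = {}
    for line in logical:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        attrs.setdefault(attr.strip().lower(), []).append(value.strip())
    return attrs


def parse_ssd(value):
    """Split 'service: base?scope' into (service, base, scope). A missing scope
    means the client falls back to defaultSearchScope, so None is returned for it."""
    service, sep, rest = value.partition(":")
    if not sep:
        raise ValueError("SSD without service id: %r" % value)
    base, _, scope = rest.strip().partition("?")
    scope = scope.strip() or None
    if scope is not None and scope not in SCOPES:
        raise ValueError("bad scope %r in SSD %r" % (scope, value))
    return service.strip(), base.strip(), scope


def check_profile(attrs):
    """Return a list of findings (strings) for a parsed DUAConfigProfile; empty is clean."""
    findings = []
    if "duaconfigprofile" not in [v.lower() for v in attrs.get("objectclass", [])]:
        findings.append("entry is not a DUAConfigProfile")
    # authenticationMethod may hold a semicolon-separated list of methods.
    methods = [m.strip() for m in ";".join(attrs.get("authenticationmethod", [])).split(";")
               if m.strip()]
    level = attrs.get("credentiallevel", ["anonymous"])[0].lower()
    weak = [m for m in methods if m not in PROTECTED_METHODS]
    if level != "anonymous" and weak:
        findings.append("credentialLevel %s with clear-text method(s) %s: the proxy bind "
                        "password crosses the network unencrypted; use tls:simple or a "
                        "SASL method" % (level, weak))
    base = attrs.get("defaultsearchbase", [""])[0].lower()
    for v in attrs.get("servicesearchdescriptor", []):
        service, ssd_base, _ = parse_ssd(v)      # raises on a malformed descriptor
        if base and not ssd_base.lower().endswith(base):
            findings.append("SSD for %s searches %s outside defaultSearchBase %s"
                            % (service, ssd_base, base))
    return findings


if __name__ == "__main__":
    for finding in check_profile(parse_ldif_entry(PROFILE_LDIF)):
        print("WARNING:", finding)
```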