Sun Educational Services
LDAP Design and Deployment
IN-350
June 2001
Copyright 2001 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, California 94303, U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Sun, Sun Microsystems, the Sun Logo, Solaris, and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. Netscape and Netscape Navigator are trademarks or registered trademarks of Netscape Communications Corporation in the United States and other countries. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements. U.S. Government approval might be required when exporting the product. RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/87) and FAR 52.227-19(6/87), or DFAR 252.227-7015 (b)(6/95) and DFAR 227.7202-3(a). 
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
About This Course
Course Goals
Upon completion of this course, you should be able to:
• Design and deploy a Lightweight Directory Access Protocol (LDAP) directory server on the Solaris™ Operating Environment (OE)
LDAP Design and Deployment Copyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A
About This Course, slide v of xiv
Course Map
• Naming Service Fundamentals
• Implementing an LDAP Directory Server on the Solaris OE
• Configuring the Netscape Directory Server for LDAP on the Solaris OE
• Implementing an LDAP Client for the Solaris OE
Topics Not Covered
• In-depth examination of Solaris Naming Services – Covered in SA-389: Solaris™ 8 Operating Environment – TCP/IP Network Administration
• Network administration and management – Covered in SA-389: Solaris™ 8 Operating Environment – TCP/IP Network Administration
• System administration – Covered in SA-238: Solaris™ 8 Operating Environment System Administration I and SA-288: Solaris™ 8 Operating Environment System Administration II
Topics Not Covered
• Solaris and Microsoft Windows integration – Covered in IN-310: Solaris™ and Microsoft Windows Network Integration
• Planning for Netscape Directory Services – Covered in DIR-2037: Netscape™ Directory Services: Analysis and Planning 4.x
How Prepared Are You?
To be sure you are prepared to take this course, can you answer yes to the following questions?
• Can you perform Solaris OE system administration tasks, including adding and deleting users, adding and removing Solaris OE packages, installing software, and adding Solaris OE patches?
• Can you perform Solaris OE network administration tasks, including administering domain name service (DNS) and network information service (NIS) and configuring network interfaces?
How Prepared Are You?
• Can you perform Transmission Control Protocol/Internet Protocol (TCP/IP) network management tasks, including daily management and troubleshooting using the snoop command?
• Can you perform general Solaris OE and UNIX® administration tasks, including booting systems and implementing TCP/IP?
• Can you troubleshoot system issues?
Introductions
• Name
• Company affiliation
• Title, function, and job responsibility
• Experience related to topics presented in this course
• Reasons for enrolling in this course
• Expectations for this course
How to Use the Icons
• Additional resources
• Note
• Caution
Typographical Conventions and Symbols
• Courier is used for the names of commands, files, directories, programming code, programming constructs, and on-screen computer output.
• Courier bold is used for characters and numbers that you type, and for each line of programming code that is referenced in a textual description.
• Courier italics is used for variables and command-line placeholders that are replaced with a real name or value.
Typographical Conventions and Symbols
• Courier italics bold is used to represent variables whose values are to be entered by the student as part of an activity.
• Palatino italics is used for book titles, new words or terms, or words that are emphasized.
Module 1 Naming Service Fundamentals
Objectives
The primary objective of this module is to identify Solaris™ Operating Environment (OE) naming service fundamentals. Upon completion of this module, you should be able to:
• Describe the Solaris OE naming service architecture and security models
• Specify Lightweight Directory Access Protocol (LDAP) design on Solaris OE
Module 1, slide 2 of 21
Solaris OE Naming Service Architecture
• Network information service (NIS)
• Network information service plus (NIS+)
• Domain name service (DNS)
• Lightweight Directory Access Protocol (LDAP)
Solaris OE Naming Services
(Figure: the naming services available on the Solaris OE are files, NIS, NIS+, DNS, and LDAP.)
Solaris OE Name Service Switch
Because a number of naming services are available for the Solaris OE, Sun developed the concept of universal naming: an application asks for a name (a user, a group, a host) and does not need to know which naming service answers. The name service switch, configured in /etc/nsswitch.conf, lists for each database the sources to consult and the order in which to consult them, so the application can be unaware of which naming service is actually running.
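The switch's lookup order is worth seeing in code, because it decides which source is authoritative for a name. The following is an added example, not code from the course: the nsswitch.conf excerpt and the three backend tables are constructed, and the "files", "ldap" and "dns" dictionaries stand in for the /etc files, a directory server and DNS. It parses the switch file, walks the sources for a database in the listed order, and honours [STATUS=action] criteria; note that with files before ldap, a local /etc/passwd entry shadows the directory entry of the same name.

```python
"""Name service switch lookup order, modelled in Python (added example)."""
import re

# Constructed /etc/nsswitch.conf excerpt (not from the course).
NSSWITCH_CONF = """\
# sources are consulted left to right; files before ldap means a local
# /etc/passwd entry shadows the directory entry of the same name
passwd:   files ldap
group:    files ldap
hosts:    files dns [NOTFOUND=return] ldap
"""

# Constructed backend data, keyed by database name and then by lookup key.
FILES = {"passwd": {"root": "root:x:0:0:Super-User:/:/sbin/sh",
                    "jjones": "jjones:x:999:999:Local Jones:/tmp:/bin/false"},
         "hosts": {"localhost": "127.0.0.1"}}
LDAP = {"passwd": {"jjones": "jjones:x:1001:10:John Jones:/home/jjones:/bin/sh",
                   "ssmith": "ssmith:x:1002:10:Sue Smith:/home/ssmith:/bin/sh"},
        "hosts": {"xray.central.sun.com": "192.0.2.10"}}
DNS = {"hosts": {"www.example.com": "192.0.2.80"}}
SOURCES = {"files": FILES, "ldap": LDAP, "dns": DNS}


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]} from nsswitch.conf text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        database, _, rest = line.partition(":")
        entries = []
        # a bracketed criteria group may contain spaces, so keep it as one token
        for token in re.findall(r"\[[^\]]*\]|\S+", rest):
            if token.startswith("["):
                # criteria such as [NOTFOUND=return] apply to the preceding source
                _source, actions = entries[-1]
                for criterion in token.strip("[]").split():
                    status, _, action = criterion.partition("=")
                    actions[status.upper()] = action.lower()
            else:
                entries.append((token, {}))
        table[database.strip()] = entries
    return table


def lookup(table, database, key, sources=SOURCES):
    """Walk the configured sources for `database`; return (value, source) or (None, None)."""
    for source, actions in table.get(database, []):
        store = sources.get(source, {}).get(database, {})
        if key in store:
            return store[key], source
        # the default action on NOTFOUND is "continue"; [NOTFOUND=return] ends the walk
        if actions.get("NOTFOUND", "continue") == "return":
            break
    return None, None


if __name__ == "__main__":
    table = parse_nsswitch(NSSWITCH_CONF)
    for database, key in [("passwd", "jjones"), ("passwd", "ssmith"),
                          ("hosts", "www.example.com"), ("hosts", "xray.central.sun.com")]:
        print(database, key, "->", lookup(table, database, key))
```

The hosts line shows the other half of the picture: with [NOTFOUND=return] after dns, a host that DNS does not know is never looked up in the directory, even though ldap is listed.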
Solaris OE Security Models
• Authentication – The verification of someone's identity
• Authorization – The granting of access to controlled system resources
Directory Service Overview
Directory services are a good choice for naming services because:
• A directory is a specialized database that is optimized to be read or searched more often than it is written to.
• A directory supports storing a wide variety of information.
• A directory is dynamic, so it provides mechanisms to add and update information.
• A directory is extensible, so it provides mechanisms to extend the types of information that can be stored.
Directory Service Overview
• Directories can be centralized or distributed, which allows for flexible management.
• Directories can be replicated, which provides higher availability to clients.
• With LDAP, directories have become standardized, which allows interoperability between applications and servers from different vendors.
LDAP Design on the Solaris OE
The complex architecture of LDAP is easier to explain when divided into the four models it supports:
• The information model
• The naming model
• The functional model
• The security model
The Information Model
• The LDAP information model defines how entries are organized within the directory.
• Entries are arranged in a directory information tree (DIT).
• At the top of the DIT is the directory root, also known as the root DSE (DSA-specific entry). The root is identified by the server name and port number on which the directory service is running.
• Multiple instances of the directory service can be running on the same server, each on its own port and with its own DIT.
The Information Model
Common Attributes

Attribute   Definition
c           Country
o           Organization
ou          Organizational unit
cn          Common name
dc          Domain component
l           Locality
dn          Distinguished name – the full name of an entry; not an attribute itself, but built from attribute values
rdn         Relative distinguished name – the leftmost component of the dn, unique among the entries under one parent
The Information Model
A sample DIT:

Directory Root
  dc=sun,dc=com
    ou=Sales
    ou=Engineer
    ou=Corporate
      (person entries such as cn=John Jones, cn=Sue Smith, and cn=Gary Johnson are placed under the organizational units)
The Naming Model
The naming model defines how the data is referenced: each entry is named by its distinguished name (dn), which is the entry's own relative distinguished name (rdn) followed by the dn of its parent, read from the entry up to the suffix.
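The naming model is easiest to see with the sample DIT in hand. The following is an added example, not code from the course: it splits a dn into its rdns (honouring the RFC 2253 backslash escape for a comma inside a value), finds an entry's parent, normalizes names for comparison, and answers the two questions a search asks, what lies one level below an entry and what lies anywhere beneath it. The entry names are those of the sample DIT; which person sits under which organizational unit is an assumption made for illustration.

```python
"""Naming model: distinguished names for the sample DIT (added example)."""


def split_dn(dn):
    """Split a dn into its rdn strings, honouring backslash-escaped commas."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        rdns.append("".join(buf).strip())
    return rdns


def normalize(dn):
    """Canonical form for comparison: no spaces around '=' and ',', attribute
    types lower-cased, and values lower-cased because cn, ou and dc use the
    case-ignore (cis) syntax."""
    parts = []
    for r in split_dn(dn):
        attr, _, value = r.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def rdn(dn):
    """The entry's relative distinguished name: the leftmost component."""
    return split_dn(dn)[0]


def parent(dn):
    """The dn with its first rdn removed, or None if only one component remains."""
    parts = split_dn(dn)
    return ",".join(parts[1:]) if len(parts) > 1 else None


def is_under(dn, base):
    """True if dn is base itself or lies anywhere beneath it in the DIT."""
    d, b = split_dn(normalize(dn)), split_dn(normalize(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


# The sample DIT; the placement of people under units is an assumption.
SAMPLE_DIT = [
    "dc=sun,dc=com",
    "ou=Sales,dc=sun,dc=com",
    "ou=Engineer,dc=sun,dc=com",
    "ou=Corporate,dc=sun,dc=com",
    "cn=John Jones,ou=Sales,dc=sun,dc=com",
    "cn=Sue Smith,ou=Engineer,dc=sun,dc=com",
    "cn=Gary Johnson,ou=Corporate,dc=sun,dc=com",
]


def children(dn, entries=SAMPLE_DIT):
    """Immediate children of dn (what a one-level search under dn returns)."""
    target = normalize(dn)
    return [e for e in entries if parent(e) is not None and normalize(parent(e)) == target]


def subtree(dn, entries=SAMPLE_DIT):
    """dn and everything beneath it (what a subtree search under dn returns)."""
    return [e for e in entries if is_under(e, dn)]


if __name__ == "__main__":
    for e in SAMPLE_DIT:
        print(f"{e:45s} rdn={rdn(e):20s} parent={parent(e)}")
```

The normalization step matters for access control and replication rules later on: a rule written for OU=Sales,DC=sun,DC=com must match an entry stored as ou=Sales,dc=sun,dc=com, and a naive string comparison would not.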
The Naming Model
Directory Schema
The information specified in a directory schema includes the object class name, required and allowed attributes, an optional object identifier (OID) number, and the allowable syntax.

LDAP Attribute Syntax

Syntax   Description
ces      Case exact string
cis      Case ignore string
bin      Binary information
int      Integer
tel      Telephone number
The Naming Model
The schema definition for the posixAccount object class attributes that store Solaris OE user account information. (The RFC 2307 definition of posixAccount also requires homeDirectory, which this table omits; homePhone is an inetOrgPerson attribute rather than a posixAccount one.)

Attributes for the posixAccount Object Class

Attribute      Description                                                 Syntax
cn             Common name of the posixAccount                             cis (1-many)
gidNumber      Unique integer identifying group membership                 int (single)
homePhone      The user's home telephone number                            tel
uid            The user's login name                                       cis (1-many)
uidNumber      An integer uniquely identifying a user                      int (single)
description    A user-friendly description of the object                   cis
gecos          GECOS comment field                                         cis
loginShell     Path to the login shell                                     ces (single)
userPassword   The entry's password, prefixed with its storage (encryption) scheme   bin (1-many)
The Naming Model
The object class inheritance for the posixAccount object class (figure): top → person → organizationalPerson → inetOrgPerson → posixAccount. Each class inherits the attributes of its superior class and extends it by adding more attributes. (In the RFC 2307 schema posixAccount is an auxiliary class whose superior is top; it is added to an inetOrgPerson entry alongside that class rather than derived from it.)
The Functional Model
• The functional model defines what operations can be performed on the data.
• These operations include query (search and compare), update (add, modify, delete, and modify DN), and authentication (bind and unbind).
The Security Model
The security model defines how the LDAP directory can be protected from unauthorized access: how a client authenticates to the server (the bind operation) and what access control then allows that client to read or modify.
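The bind is where the security model meets the userPassword attribute from the table above. The following is an added example, not code from the course: it implements the {SSHA} storage scheme (salted SHA-1, base64(sha1(password + salt) + salt), the scheme Netscape and iPlanet directory servers use for userPassword) and models a simple bind against a small constructed directory. Two points it makes concrete: the server compares a hash, never the clear text it stored, and a bind that supplies a dn with an empty password must be refused, because LDAPv3 otherwise treats it as an anonymous bind that "succeeds". The directory dictionary, dns and passwords are constructed.

```python
"""userPassword storage under {SSHA} and a model of the simple bind (added example)."""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_encode(password, salt=None):
    """Produce a userPassword value under the {SSHA} scheme; the salt defaults to 8 random bytes."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, candidate):
    """Check candidate against a stored {SSHA} value; any other scheme is rejected here."""
    if not stored.upper().startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)    # constant-time comparison


def scheme_of(stored):
    """The storage scheme named by the {prefix}, or CLEAR when there is none."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEAR"


# Constructed directory: dn -> entry. The fixed salt keeps the value reproducible.
DIRECTORY = {
    "cn=John Jones,ou=Sales,dc=sun,dc=com": {
        "userPassword": [ssha_encode("correct horse", salt=b"\x00\x01\x02\x03\x04\x05\x06\x07")],
    },
    "cn=Sue Smith,ou=Engineer,dc=sun,dc=com": {
        "userPassword": ["cleartext-secret"],       # no scheme prefix: stored in the clear
    },
}


def simple_bind(directory, dn, password):
    """Model of the LDAP simple bind: True only when dn exists and password matches a stored hash."""
    if dn and not password:
        # dn present, password empty: an unauthenticated bind. LDAPv3 lets a
        # server treat that as an anonymous bind that returns success, so a
        # login path that only checks "bind returned OK" would admit anyone.
        return False
    entry = directory.get(dn)
    if entry is None:
        return False
    return any(ssha_verify(v, password) for v in entry.get("userPassword", []))


def audit_schemes(directory):
    """Report every entry whose password is not stored under {SSHA}."""
    return sorted(dn for dn, e in directory.items()
                  for v in e.get("userPassword", []) if scheme_of(v) != "SSHA")


if __name__ == "__main__":
    dn = "cn=John Jones,ou=Sales,dc=sun,dc=com"
    print(DIRECTORY[dn]["userPassword"][0])
    print("bind ok:", simple_bind(DIRECTORY, dn, "correct horse"))
    print("weak storage:", audit_schemes(DIRECTORY))
```

The audit function is the check a practitioner wants after an import: a userPassword value without a scheme prefix was stored in the clear and is readable by anyone the access control lets search that attribute.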
Replication
• Replication is the mechanism by which directory data is automatically copied from one directory server (the supplier) to another (the consumer).
• This feature makes LDAP attractive for use as a naming service: clients can be served from a nearby replica, and the service survives the loss of one server.
Replication
An example of a full tree replication configuration (figure): the supplier holds dc=company with ou=people and ou=groups beneath it, and the consumer holds a copy of the same tree, dc=company with ou=people and ou=groups.
Replication
An example of a subtree replication configuration (figure): the supplier holds dc=company with ou=people and ou=groups beneath it; the consumer holds dc=company with only the replicated subtree, ou=groups.
Module 2 Implementing an LDAP Directory Server on the Solaris OE
Objectives
The primary objective of this module is to implement an LDAP Directory Server on the Solaris OE. Upon completion of this module, you should be able to:
• Install and configure the Netscape Directory Server
• Create system startup scripts for the Netscape Directory Server
• Identify LDAP commands and tools
Module 2, slide 2 of 62
Installing and Configuring the Netscape Directory Server
• Netscape Directory Server is packaged as part of the Solaris 8 OE media kit, which is found on one of the Bonus Software CD-ROMs.
• Because this software is not part of the Solaris OE installation mechanism, it needs to be installed separately after the operating environment is installed.
Netscape Directory Server Installation Concepts
• Administration domains – An administration domain is a grouping of Netscape servers used to distribute administration tasks.
• Configuration data – Configuration data for both the Administration Server and Directory Server is maintained in the directory database under the o=NetscapeRoot suffix, which is automatically created during the installation process.
Netscape Directory Server Installation Concepts The layout of the o=NetscapeRoot suffix:
Netscape Directory Server Installation Concepts
• Login Accounts – Two accounts are created during the installation: Configuration Administrator and Directory Manager. The Directory Manager is the directory's superuser and is not subject to the directory's access control, so its password and its day-to-day use deserve the same care as root's.
• The Netscape Console – The Netscape Console is a Java™ technology application invoked with the startconsole command. Both the administration server and the directory server need to be running for the Netscape Console to work.
Netscape Directory Server Installation Concepts
(Figure: client and server components. Client side: the Netscape Console, a Java technology application, and a web browser, both speaking HTTP to the administration server; and shell tools speaking LDAP on port 389 to the directory server. Server side: the administration server, which speaks LDAP on port 389 to the directory server, and the directory server, which holds the data. One LDAP path in the figure is marked read only.)
Planning Installation of Netscape Directory Server
• Determine the download directory
• Determine the Netscape Directory Server installation directory
• Determine the directory suffix
• Determine the Configuration Administrator and Directory Manager passwords
• Determine the LDAP server host name
• Determine the administration domain name
Planning Installation of Netscape Directory Server
• Determine the server port number
• Determine the administration server port number
• Determine the directory server privileges
• Plan the capacity of the server resources
Verifying the Software Requirements
• Solaris OE version
• Solaris OE level patches
• Directory server patches
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
---------------------------------------------------------------------
Welcome to the Netscape Server Products installation program

This program will install Netscape Server products and the Netscape Console on your computer.

It is recommended that you have "root" privilege to install the software.

Tips for using the installation program:
  - Press "Enter" to choose the default and go to the next
  - Type "Control-B" to go back to the previous screen
  - Type "Control-C" to cancel the installation program
  - You can enter multiple items using commas to separate them.
    For example: 1, 2, 3

Would you like to continue with installation? [Yes]:
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
---------------------------------------------------------------------
Select the items you would like to install:

1. Netscape Servers
   Installs Netscape Servers with the integrated Netscape Console onto your computer.

2. Netscape Console
   Installs Netscape Console as a stand-alone Java application on your computer.

To accept the default shown in brackets, press the Enter key.

Select the component you want to install [1]:
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
------------------------------------------------------------------------
Choose an installation type:

1. Express installation
   Allows you to quickly install the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products.

2. Typical installation
   Allows you to specify common defaults and options.

3. Custom installation
   Allows you to specify more advanced options. This is recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose an installation type [2]:
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
---------------------------------------------------------------------
This program will extract the server files and install them into a directory you specify. That directory is called the server root in the product documentation and will contain the server programs, the Administration Server, and the server configuration files.

To accept the default shown in brackets, press the Enter key.

Install location [/usr/netscape/server4]:
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
------------------------------------------------------------------------
Netscape Server Products components:

Components with a number in () contain additional subcomponents which you can select using subsequent screens.

1. Netscape Server Products Core Components (3)
2. Netscape Directory Suite (2)
3. Administration Services (2)

Specify the components you wish to install [All]:
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
------------------------------------------------------------------------
Netscape Server Products Core Components components:

Components with a number in () contain additional subcomponents which you can select using subsequent screens.

1. Netscape Server Products Core Components
2. Netscape Core Java classes
3. Java Runtime Environment

Specify the components you wish to install [1, 2, 3]:
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
------------------------------------------------------------------------
Netscape Directory Suite components:

Components with a number in () contain additional subcomponents which you can select using subsequent screens.

1. Netscape Directory Server
2. Netscape Directory Server Console

Specify the components you wish to install [1, 2]:
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
------------------------------------------------------------------------
Administration Services components:

Components with a number in () contain additional subcomponents which you can select using subsequent screens.

1. Netscape Administration Server
2. Administration Server Console

Specify the components you wish to install [1, 2]:
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
------------------------------------------------------------------------
Enter the fully qualified domain name of the computer on which you're installing server software. Using the form <hostname>.<domainname>. Example: eros.airius.com.

To accept the default shown in brackets, press the Enter key.

Computer name [xray.central.sun.com]:
Installing Netscape Directory Server

Netscape Communications Corp.
Netscape Server Products Installation/Uninstallation
------------------------------------------------------------------------
Choose a Unix user and group to represent the Netscape server in the user directory. The Netscape server will run as this user. It is recommended that this user should have no privileges in the computer network system. The Administration Server will give this group some permissions in the server root to perform server-specific operations.

If you have not yet created a user and group for the Netscape server, create this user and group using your native UNIX system utilities.

To accept the default shown in brackets, press the Return key.

System User [nobody]:
System Group [nobody]:

Note – The nobody account is shared with other unprivileged services on the system; a dedicated user and group created for the directory server keep its processes and files separable from theirs.
Installing Netscape Directory Server

Netscape Communications Corporation
Directory Installation/Uninstallation
------------------------------------------------------------------------
Netscape server information is stored in the Netscape configuration directory server, which you may have already set up. If so, you should configure this server to be managed by the configuration server. To do so, the following information about the configuration server is required: the fully qualified host name of the form hostname.domainname. (e.g. hostname.domain.com), the port number, the suffix, and the DN and password of a user having permission to write the configuration information, usually the Netscape configuration directory administrator.

If you want to install this software as a standalone server, or if you want this instance to serve as your Netscape configuration directory server, press Enter.

Do you want to register this software with an existing Netscape configuration directory server? [No]:
Installing Netscape Directory Server

Netscape Communications Corporation
Directory Installation/Uninstallation
-----------------------------------------------------------------------
If you already have a directory server you want to use to store your data, such as user and group information, answer Yes to the following question. You will be prompted for the host, port, suffix, and bind DN to use for that directory server.

If you want this directory server to store your data, answer No.

Do you want to use another directory to store your data? [No]:
Installing Netscape Directory Server

Netscape Communications Corporation
Directory Installation/Uninstallation
----------------------------------------------------------------------
The standard directory server network port number is 389. However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use, and that you run the admin server as the superuser.

Directory server network port [389]:
Installing Netscape Directory Server Netscape Communications Corporation Directory Installation/Uninstallation ------------------------------------------------------------------------Each instance of a directory server requires a unique identifier. Press Enter to accept the default, or type in another name and press Enter. Directory server identifier [xray]:
Installing Netscape Directory Server Netscape Communications Corporation Directory Installation/Uninstallation ------------------------------------------------------------------------Please enter the administrator ID for the Netscape configuration directory server. This is the ID typically used to log in to the console. You will also be prompted for the password. Netscape configuration directory server administrator ID [admin]: Password: Password (again):
Installing Netscape Directory Server Netscape Communications Corporation Directory Installation/Uninstallation ------------------------------------------------------------------------The suffix is the root of your directory tree. You may have more than one suffix. Suffix [o=sun.com]: dc=sun,dc=com
Installing Netscape Directory Server Netscape Communications Corporation Directory Installation/Uninstallation ------------------------------------------------------------------------Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. Press Enter to accept the default value, or enter another DN. In either case, you will be prompted for the password for this user. The password must be at least 8 characters long. Directory Manager DN [cn=Directory Manager]: Password: Password (again):
Installing Netscape Directory Server Netscape Communications Corporation Directory Installation/Uninstallation ------------------------------------------------------------------------The Administration Domain is a part of the configuration directory server used to store information about Netscape software. If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate. If you are not using administrative domains, press Enter to select the default. Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain. Administration Domain [sun.com]:
Installing Netscape Directory Server Netscape Communications Corporation Directory Installation/Uninstallation ------------------------------------------------------------------------The Administration Server is separate from any of your application servers since it listens to a different port and access to it is restricted. Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run an application server on, rather, select a number which you will remember and which will not be used for anything else. The default in brackets was randomly selected from the available ports on your system. To accept the default, press return. Administration port [26424]: 4000
Installing Netscape Directory Server Netscape Communications Corporation Directory Installation/Uninstallation ------------------------------------------------------------------------The Administration Server program runs as a certain user on your system. This user should be different than the one which your application servers run as. Only the user you select will be able to write to your configuration files. If you run the Administration Server as "root", you will be able to use the Server Administration screen to start and stop your application servers. Run Administration Server as [root]:
Verifying the Installation To verify the installation, perform the following steps: 1. Start the Netscape Console by executing the startconsole command.
# cd /usr/netscape/server4
# ./startconsole
Verifying the Installation The Netscape Console login screen:
Verifying the Installation 2. Start the directory server and view the contents of the directory. a. From the main Console window, launch the Directory Server Console.
Verifying the Installation b. From the main Console window, launch the Directory Server Console.
Verifying the Installation c. A separate window displays, from which you can view the contents of the directory.
Identifying the Installed File Structure The following figure shows the layout beginning at the target installation directory (rendered here as a text tree):
install_dir/
    startconsole
    start-admin
    shared/
        bin/            ldapsearch, ldapmodify, ldapdelete
    slapd_instance/
        config/
        logs/
        db/
        start-slapd, db2bak, saveconfig, ldif2db
    admin_serv/
        config/
        logs/
Performing Netscape Directory Server Post-Installation Configuration • Back up the configuration • Change the location of the database files • Change the location of the transaction log • Change the location of the database backup files
Exercise: Installing and Configuring Netscape Directory Server • Objectives • Tasks • Discussion • Solutions
Exercise Summary • Experiences • Interpretations • Conclusions • Applications
Creating Startup Scripts for Netscape Directory Server • Netscape Directory Server installation does not automatically create startup or run command (rc) scripts. • Unless these scripts are added to the Solaris rc directories, you have to start the directory and administration servers manually after every boot. • You can use the sample script (S72ns-slapd) that is provided with Netscape Directory Server software. • Alternatively, you can use the script generating program, mk_iDS_rc.sh, an interactive script that creates the appropriate rc scripts to start the Netscape Directory Server and Netscape Administration Server automatically when the system boots.
Using the Script Generating Program The mk_iDS_rc.sh script is an interactive script that creates the appropriate startup scripts to automatically run the Netscape Directory Server and Netscape Administration Server when the system boots. To run the script, type the following: # ./mk_iDS_rc.sh Because rc scripts are executed by root at boot, check that the generated script, and the start-slapd and start-admin programs it invokes, are owned by root and not writable by other users before you enable it.
Overview of LDAP Operations LDAP has nine basic operations, which can be grouped into three categories: • Interrogation operations (search and compare) • Update operations (add, delete, modify, modify DN) • Authentication and control operations (bind, unbind, and abandon)
Overview of LDAP Operations LDAP operations are performed using the command line or Netscape Directory Console. The Solaris OE command-line utilities to access and modify a directory are: • ldapsearch • ldapmodify • ldapadd • ldapdelete • ldapmodrdn
Overview of the LDIF Format • Directory server uses the LDAP Data Interchange Format (LDIF) to describe a directory and directory entries in text form. • LDIF is commonly used to build a directory database initially or to add large numbers of entries to the directory at once. • Changes to directory entries can also be described with LDIF. • The LDAP commands rely on LDIF for either input or output.
Overview of the LDIF Format • LDIF files consist of one or more directory entries separated by a blank line. The basic form of a directory entry consists of a required distinguished name, one or more object classes, and multiple attribute definitions. • The following is an example of the basic form of a directory entry:
dn: cn=server9,ou=Hosts,dc=sun,dc=com
cn: server9
iphostnumber: 192.168.0.18
objectclass: top
objectclass: device
objectclass: ipHost
Using the ldapsearch Command • The ldapsearch command is used to locate and retrieve directory entries. • The general syntax of the ldapsearch command is: ldapsearch [options] filter [attributes]
Options for the ldapsearch Command
  -h hostname     Specifies the LDAP server to query
  -b searchbase   Specifies the search base used as the starting point in the DIT for the search
  -D bindDN       Uses the distinguished name bindDN to bind to the directory
  -w password     Specifies the bindDN password
  -s scope        Specifies the scope of the search: base for a base object search, one for a one-level search, or sub for a search of the entire subtree (the default)
  -L              Displays the results in LDIF format
Using the ldapsearch Command The following table summarizes the construction of an ldapsearch.
Summary of the ldapsearch Command
  Focus    Query    Example
  Base     Where?   -b ""   -b "dc=sun,dc=com"   -b "o=internet"
  Scope    How?     -s base   -s one   -s sub
  Filter   What?    ou=hosts   cn=mary*   uid>=1999
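The LDIF and ldapsearch slides above describe a file format and a query model that can be exercised without a running server. The following Python program is an added example written for this edition; it is not code from the Sun course or from Netscape Directory Server. It parses constructed sample LDIF (the server9 entry from the LDIF slide plus a made-up user entry with a folded cn and a base64 value) and then applies the base, scope, and filter of a search the way ldapsearch's -b, -s and filter arguments do. The DN handling and filter grammar are simplified: RFC 2253 escapes in DNs and \xx escapes in filter values are not handled, and approximate (~=) matching is left out.

```python
import base64
import re

# Constructed sample data: the server9 entry from the LDIF slide plus a user entry with a folded cn and a base64 ("::") value.
SAMPLE_LDIF = """\
dn: cn=server9,ou=Hosts,dc=sun,dc=com
cn: server9
iphostnumber: 192.168.0.18
objectclass: top
objectclass: device
objectclass: ipHost

dn: uid=mary,ou=People,dc=sun,dc=com
uid: mary
cn: Mary
  Smith
uidnumber: 2001
description:: VGVzdCB1c2Vy
objectclass: top
objectclass: posixAccount
"""

def parse_ldif(text):
    """Return the entries as dicts of lowercased attribute name -> list of values."""
    logical = []
    for raw in text.splitlines():              # unfold: a leading space continues the line above
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, cur = [], {}
    for line in logical + [""]:                # the extra "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, rest = line.partition(":")
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                 if rest.startswith(":") else rest.strip())   # "attr:: b64" or "attr: value"
        cur.setdefault(name.strip().lower(), []).append(value)
    return entries

def in_scope(dn, base, scope):
    """-s base: the base entry only; one: its immediate children; sub: the whole subtree."""
    split = lambda d: [p.strip().lower() for p in re.split(r"(?<!\\),", d)] if d else []
    parts, bp = split(dn), split(base)         # RDNs, most specific first, normalised for comparison
    return {"base": parts == bp, "one": parts[1:] == bp,
            "sub": parts[len(parts) - len(bp):] == bp}[scope]

def parse_filter(text):
    """RFC 2254 filter -> ("&"|"|"|"!", [children]) or (op, attr, value); bare attr=value is accepted like ldapsearch does."""
    text = text.strip()
    if not text.startswith("("):
        text = "(%s)" % text
    node, end = _node(text, 0)
    if end != len(text):                        # e.g. "(cn=mary*)(uid=*)": a second filter glued on
        raise ValueError("trailing data in filter")
    return node

def _node(s, i):                                # s[i] is the opening "("
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _node(s, i)
            kids.append(kid)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed compound filter")
        return (op, kids), i + 1
    close = s.index(")", i)                     # a ")" inside a value would need \29 escaping
    attr, op, value = re.match(r"([\w.;-]+)(>=|<=|=)(.*)$", s[i:close]).groups()
    return (op, attr.lower(), value), close + 1

def matches(node, entry):
    op = node[0]
    if op in ("&", "|", "!"):
        results = [matches(k, entry) for k in node[1]]
        return all(results) if op == "&" else any(results) if op == "|" else not results[0]
    _, attr, value = node
    values = entry.get(attr, [])
    if op == "=":                               # presence ("*"), equality or substring; case-insensitive
        pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
        return any(re.match(pattern, v, re.IGNORECASE) for v in values)
    for v in values:                            # ">=" / "<=": integer compare when both sides are ints
        numeric = v.lstrip("-").isdigit() and value.lstrip("-").isdigit()
        a, b = (int(v), int(value)) if numeric else (v.lower(), value.lower())
        if (a >= b) if op == ">=" else (a <= b):
            return True
    return False

def search(entries, base, scope, filter_text):  # DNs that ldapsearch -b base -s scope filter would return
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries
            if in_scope(e["dn"][0], base, scope) and matches(node, e)]
```

search(parse_ldif(SAMPLE_LDIF), "dc=sun,dc=com", "sub", "cn=mary*") returns the DN of the mary entry. The parser takes the complete filter text and rejects trailing data, so a filter assembled as "(cn=" + user_input + ")" with user_input of mary*)(uid=* is rejected rather than silently widened; in applications that build filters by concatenating user input this is exactly how LDAP injection arises, and the cure is to escape the value per RFC 2254 before it enters the filter.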
Using the ldapmodify Command • The ldapmodify command opens a connection to an LDAP server, binds, and modifies or adds entries. • The syntax for the ldapmodify command is: ldapmodify [options] • Common ldapmodify options are shown below:
Options for the ldapmodify Command
  -a            Adds new entries. The default is to modify entries; adding an entry that already exists is rejected.
  -r            Replaces existing values with the specified value.
  -D bindDN     Uses the DN bindDN to bind to the directory. Modifications to the DIT usually require binding as an administrator or as the Directory Manager.
  -w password   Specifies the password for bindDN.
  -f filename   Specifies the LDIF file to read.
Using ldapadd, ldapdelete, and ldapmodrdn Commands • The ldapadd command is implemented as a hard link to the ldapmodify tool; invoking it is equivalent to ldapmodify with the -a option. • The ldapdelete command deletes the entry named by a DN from the directory; the entry must be a leaf, that is, it must have no children. • The ldapmodrdn command changes an entry's RDN, and only the RDN. As with the other LDAP commands, the entry information is read from the command line, from standard input, or from a file.
Using the Netscape Directory Console Viewing the DIT:
Using the Netscape Directory Console Adding entries:
Using the Netscape Directory Console Deleting entries:
Using the Netscape Directory Console Changing the Directory Manager account password:
Using the Netscape Directory Console Stopping the directory server:
Using the Netscape Directory Console Starting the directory server:
Using LDAP URLs • The LDAP URL format (RFC 2255) defines how LDAP directory data can be queried using a Web browser or any other URL-aware client. • In its simplest form, ldap://servername/, the query returns the base information of the directory server running on port 389 (its root DSE, because the DN is empty and the scope defaults to base).
Using LDAP URLs The syntax of an LDAP URL (RFC 2255) is:
ldap[s]://[<hostname>[:<port>]][/<base DN>[?<attributes>[?<scope>[?<filter>[?<extensions>]]]]]
The fields after the host are separated by question marks and may be left empty to take their defaults: all user attributes, base scope, and the filter (objectClass=*).
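To make the field layout concrete, the following Python functions are an added example written for this edition, not code from the Sun course or from Netscape software. parse_ldap_url splits an LDAP URL into its RFC 2255 fields, applies the RFC's defaults, percent-decodes each field, and rejects a URL that carries a critical extension it does not understand, as the RFC requires; ldapsearch_argv maps the result onto the ldapsearch options from the earlier slide. The host names, DNs and filters in the usage below are made up. Bracketed IPv6 host literals are not handled, and for ldaps:// URLs the argv mapping leaves the SSL options to the caller because they differ between ldapsearch builds.

```python
from urllib.parse import unquote

KNOWN_EXTENSIONS = {"bindname"}                  # the one extension RFC 2255 itself defines


def parse_ldap_url(url):
    """Split an RFC 2255 URL into its fields, applying the RFC's defaults.

    Returns a dict with scheme, host, port, dn, attrs, scope, filter and
    extensions; each extension is a (name, value, critical) tuple.
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an ldap:// or ldaps:// URL")
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")       # bracketed IPv6 literals are not handled here
    fields = path.split("?", 4) + [""] * 5       # dn ? attrs ? scope ? filter ? extensions
    scope = fields[2].lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub")
    extensions = []
    for ext in filter(None, fields[4].split(",")):
        critical = ext.startswith("!")
        name, _, value = ext.lstrip("!").partition("=")
        name = unquote(name).lower()
        if critical and name not in KNOWN_EXTENSIONS:
            # RFC 2255: a URL with an unsupported critical extension must be rejected, not partly honoured
            raise ValueError("unsupported critical extension %r" % name)
        extensions.append((name, unquote(value), critical))
    return {
        "scheme": scheme,
        "host": unquote(host),                    # "" means "use the client's default server"
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "dn": unquote(fields[0]),
        "attrs": [unquote(a) for a in fields[1].split(",") if a],
        "scope": scope,
        "filter": unquote(fields[3]) or "(objectClass=*)",
        "extensions": extensions,
    }


def ldapsearch_argv(parsed):
    """The ldapsearch command line (options from the slide table) equivalent to a parsed URL.
    Only the plaintext fields are mapped; for ldaps URLs add the SSL options of your ldapsearch build."""
    argv = ["ldapsearch", "-b", parsed["dn"], "-s", parsed["scope"]]
    if parsed["host"]:
        argv[1:1] = ["-h", parsed["host"], "-p", str(parsed["port"])]
    return argv + [parsed["filter"]] + parsed["attrs"]


if __name__ == "__main__":
    url = "ldaps://directory.sun.com:6360/dc=sun,dc=com?cn,uid?sub?(cn=mary*)"   # made-up host
    print(" ".join(ldapsearch_argv(parse_ldap_url(url))))
```

The rejection of unknown critical extensions is the part worth copying into anything that consumes LDAP URLs from configuration or user input: silently ignoring an extension the author marked critical can change what the query means.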
Using the Directory Server Gateway Interface Provides a simple user interface over a Hypertext Transfer Protocol (HTTP) connection to the administration server port.
Editing Configuration Files
Key Configuration Files
  slapd.conf            Contains the primary server configuration and parameter values, for example the host name, port number, and performance-tuning values.
  slapd.ldbm.conf       Contains the directory server's database and indexing parameters.
  slapd.at.conf         Defines standard LDAP attributes.
  slapd.oc.conf         Contains standard object classes expected to be present and unchanged in the directory server.
  slapd.user_at.conf    Contains user-defined attributes. This is where the attributes specific to Native LDAP are placed.
  slapd.user_oc.conf    Contains user-defined object classes. This is where the object classes specific to Native LDAP are defined.
  ns-*-schema.conf      Contains schema configuration parameters for other products that integrate with Netscape Directory Server (calendar server, news server, Web server, proxy server, and so forth) as well as for the Netscape Administration Server and Netscape Console.
Exercise: Using LDAP Commands • Objectives • Tasks • Discussion • Solutions
Exercise Summary • Experiences • Interpretations • Conclusions • Applications
Module 3 Configuring the Netscape Directory Server for LDAP on the Solaris OE
Objectives The primary objective of this module is to configure the Netscape Directory Server for LDAP on the Solaris OE. Upon completion of this module, you should be able to: • Describe Native LDAP for the Solaris OE • Modify the directory schema • Create the DIT structure and support entries • Optimize performance • Populate the LDAP database
Native LDAP for the Solaris OE LDAP client profiles:
Client Profile Attributes
  SolarisLDAPServers        A comma-separated list of LDAP servers that can be used by the client. This is a mandatory attribute that must contain at least one server name. If multiple servers are listed, the first server is tried first, and if it does not respond within the specified time-out period, the next server on the list is tried.
  SolarisSearchBaseDN       The LDAP naming context where the Solaris OE naming information is stored.
  SolarisBindDN             The bindDN used by the clients. Usually this is the proxyagent DN. The default is a NULL string, which is used with anonymous authentication.
  SolarisBindPassword       The password used when SIMPLE or CRAM_MD5 authentication is selected. The default is a NULL string.
  SolarisAuthMethod         The authentication method to be used by the clients: NONE, SIMPLE, or CRAM_MD5. If multiple methods are specified, the first one is tried, and if it fails, the next method listed is tried. The default is NONE.
  SolarisTransportSecurity  The security transport to be used by the client when updating information on the server. Currently, NONE is the only option supported.
  SolarisDataSearchDN       The alternative baseDN when searching for naming information. This attribute allows you to override one or more of the default containers established on the server.
  SolarisSearchScope        The search scope to be used to look up naming information. Base, One level, and Subtree are possible values. The default is One level.
  SolarisSearchTimeLimit    The time limit in seconds when searching for naming information. The default is 30 seconds.
  SolarisCacheTTL           The time-to-live (TTL) value, in seconds, after which clients refresh their profile information from the server. If 0 (zero) is specified, automatic refreshes are disabled.
  SolarisSearchReferral     The referral option to be used to look up naming information. The default is to always follow referrals.
Creating the DIT Structure and Support Entries • Change the password store • Add new containers • Modify self-entry ACI • Set VLV-control ACI • Create proxy agent accounts • Set password read permission for proxyagent • Generate the client profile
Optimizing Performance • Create indexes for the LDAP-specific attributes • Create VLV indexes
Creating Indexes for the LDAP-specific Attributes The following attributes should be indexed, with the recommended index types:
  membernisnetgroup    pres,eq,sub
  nisnetgrouptriple    pres,eq,sub
  memberuid            pres,eq
  macAddress           pres,eq
  uid                  pres,eq
  uidNumber            pres,eq
  gidNumber            pres,eq
  ipHostNumber         pres,eq
  ipNetworkNumber      pres,eq
  ipProtocolNumber     pres,eq
  oncRpcNumber         pres,eq
  ipServiceProtocol    pres,eq
  ipServicePort        pres,eq
  nisDomain            pres,eq
  nisMapName           pres,eq
  mail                 pres,eq
Creating Indexes for the LDAP-specific Attributes To create indexes, perform the following steps: 1. Log in to the Netscape Console as Directory Manager. 2. Under the Configuration tab, highlight Database and go to the Index Tab. 3. Click Add Attribute. Choose one of the attributes and check off the index types (Equality, Presence, Substring) shown as eq, pres, and sub.
Creating Indexes for the LDAP-specific Attributes
Creating VLV Indexes • Create VLV indexes (also referred to as browsing indexes) for any container, such as password, group, host, and network, that contains a large number of entries. • If you do not create these indexes, search performance suffers and the Directory Server seems unresponsive. • The index files are located in the database directory and are named vlv#.db2. • You can create VLV indexes by using the Directory Server Console or by importing an LDIF file.
Exercise: Configuring Netscape Directory Server for Native LDAP • Objectives • Tasks • Discussion • Solutions
Exercise Summary • Experiences • Interpretations • Conclusions • Applications
Populating the LDAP Database After the LDAP directory has been configured to support Native LDAP as a naming service, the directory must be populated with data. The procedure to follow is: 1. Modify the nis.mapping file. 2. Run the dsimport command to create LDIF files. 3. Import the data into the database. 4. Verify the data.
Modifying the nis.mapping File The following table compares the Solaris OE naming databases, the Native LDAP object classes, and the recommended LDAP containers:
Solaris DIT Mappings
  Naming Database     Object Class                  Recommended Container
  passwd              posixAccount, shadowAccount   ou=people
  user_attr           SolarisUserAttr               ou=people
  audit_user          SolarisAuditUser              ou=people
  publickey           nisKeyObject                  ou=people / ou=hosts
  auth_attr           SolarisAuthAttr               ou=SolarisAuthAttr
  exec_attr           SolarisExecAttr               ou=SolarisProfAttr
  prof_attr           SolarisProfAttr               ou=SolarisProfAttr
  group               posixGroup                    ou=group
  services            ipService                     ou=services
  protocols           ipProtocol                    ou=protocols
  rpc                 oncRpc                        ou=rpc
  hosts, ipnodes      ipHost                        ou=hosts
  ethers              ieee802Device                 ou=hosts
  bootparams          bootableDevice                ou=hosts
  networks, netmasks  ipNetwork                     ou=networks
  netgroup            nisNetgroup                   ou=netgroup
  aliases             mailGroup                     ou=aliases
  automount           nisObject                     nisMapName=auto_*
Using the dsimport Command to Create LDIF Files • To load legacy naming service data into an LDAP directory, Solaris 8 OE provides a tool called dsimport included on the Solaris 8 OE companion CD. • With dsimport, you can load data in /etc file format into the Netscape Directory Server.
Importing the Data Into the LDAP Database • The LDIF files must be imported into the database using the ldapmodify command on the command line or by the Netscape Directory Server Console. • The following example shows how to import an LDIF file using the command line (-c is continuous mode: the import carries on past entries that fail to load instead of stopping at the first error): # ldapmodify -c -D "cn=Directory Manager" -w nssecret -f hosts.ldif • A password given with -w is part of the command line and so is visible to every user on the system through ps and in the shell history; on a shared system read it from a protected file with your ldapmodify's password-file option, if it has one, rather than typing it on the command line.
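The hosts and rpc rows of the mapping table and the dsimport step together amount to turning /etc-format lines into LDIF entries of the listed object classes. The following Python program is an added example of that conversion written for this edition; it is not the dsimport tool and not code from the Sun course. The /etc/hosts and /etc/rpc contents are constructed samples (the server9 and ping lines reuse values shown on the slides); the suffix dc=suned,dc=sun,dc=com and the ou=hosts and ou=rpc containers follow the course's own examples. Two details matter for a directory that a naming service will later trust: the RDN value is escaped per RFC 2253, so a crafted alias cannot add an extra RDN to the DN, and any value that is not an LDIF SAFE-STRING is written base64-encoded per RFC 2849.

```python
import base64
import re

BASE = "dc=suned,dc=sun,dc=com"        # suffix used in the course's examples

# Constructed sample input in /etc file format; the comments and the repeated host are deliberate.
SAMPLE_HOSTS = """\
# /etc/hosts
127.0.0.1       localhost
192.168.0.1     ldapserver  ldapserver.suned.sun.com loghost
192.168.0.18    server9     # the host from the LDIF slide
10.0.0.18       server9     # second address of the same host
"""
SAMPLE_RPC = """\
# /etc/rpc
rpcbind     100000  portmap sunrpc
nfs         100003  nfsprog
ping        100115  na.ping
"""


def parse_etc(text):
    """Yield the whitespace-separated fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields


def rdn_escape(value):
    """Escape an attribute value for use in an RDN (RFC 2253 section 2.4), so that an
    alias such as "x,ou=people" cannot smuggle an extra RDN into the DN."""
    value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if value.startswith(("#", " ")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def ldif_line(attr, value):
    """One LDIF attribute line; a value that is not an RFC 2849 SAFE-STRING goes out base64 ("::")."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not value.endswith(" ") and not any(c in value for c in "\0\r\n"))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def hosts_to_entries(text, base=BASE):
    """/etc/hosts -> ipHost entries under ou=hosts, one per canonical name; a name that
    appears on several lines gets several ipHostNumber values and the union of its aliases."""
    entries = {}
    for addr, name, *aliases in parse_etc(text):
        entry = entries.setdefault(name, {
            "dn": "cn=%s,ou=hosts,%s" % (rdn_escape(name), base),
            "objectclass": ["top", "device", "ipHost"],
            "cn": [name], "ipHostNumber": []})
        entry["ipHostNumber"].append(addr)
        entry["cn"] += [a for a in aliases if a not in entry["cn"]]
    return list(entries.values())


def rpc_to_entries(text, base=BASE):
    """/etc/rpc -> oncRpc entries under ou=rpc (cn holds the name and its aliases)."""
    return [{"dn": "cn=%s,ou=rpc,%s" % (rdn_escape(name), base),
             "objectclass": ["top", "oncRpc"],
             "cn": [name] + aliases, "oncRpcNumber": [number]}
            for name, number, *aliases in parse_etc(text)]


def to_ldif(entries):
    """Serialise entries as the LDIF that ldapmodify -a (or ldif2db) reads."""
    blocks = []
    for entry in entries:
        lines = [ldif_line("dn", entry["dn"])]
        for attr, values in entry.items():
            if attr != "dn":
                lines += [ldif_line(attr, v) for v in values]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(hosts_to_entries(SAMPLE_HOSTS) + rpc_to_entries(SAMPLE_RPC)))
```

Written to a file, the output is what the ldapmodify -a -c -D "cn=Directory Manager" -f command on the slide imports; the ou=hosts and ou=rpc containers must already exist.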
Importing the Data Into the LDAP Database To import an LDIF file using the Directory Server Console, perform the following steps: 1. Open the Directory Server Console. 2. Select the Configuration tab. 3. Click Database. 4. Click either the Console or Object menu at the top. 5. Select Import from the drop-down menu. 6. In the pop-up Import Data window, enter the LDIF file name relative to the install_dir/slapd_instance/ldif directory. 7. Click OK.
Importing the Data Into the LDAP Database
Verifying the Data To verify that the data has been imported correctly using the Directory Server Console, perform the following steps: 1. Click the container in the DIT. Each entry should appear in the main window of the Directory Server Console. 2. Right click any individual entry and select Properties from the pop-up dialog window. 3. A Property Editor pop-up Window shows the object's properties.
Verifying the Data
Verifying the Data To verify the data using the command line, perform an ldapsearch as shown (the Netscape ldapsearch prints attribute=value lines by default; add -L for LDIF output):
# ldapsearch -b "ou=rpc,dc=suned,dc=sun,dc=com" cn=ping
cn=ping,ou=Rpc,dc=suned,dc=sun,dc=com
cn=ping
cn=na.ping
oncrpcnumber=100115
objectclass=top
objectclass=oncRpc
Exercise: Populating the LDAP Database • Objectives • Tasks • Discussion • Solutions
Exercise Summary • Experiences • Interpretations • Conclusions • Applications
Module 4 Implementing an LDAP Client for the Solaris OE
Objectives The primary objective of this module is to implement an LDAP client for the Solaris OE. Upon completion of this module, you should be able to: • Configure the Solaris OE LDAP client
Configuring the Solaris OE LDAP Client Client initialization during set up of an LDAP client: Client Set domain name domainname mydomain.com
No Client
Run ldapclient
Server
Sends
search for nisDomain object
Check value of nisDomain nisdomain=mydomain.com?
Yes
Client
Download
Create ldap_client_file ldap_client_cred
profile
Client
Modify nsswitch.conf
LDAP Design and Deployment Copyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A
Module 4, slide 3 of 20
Sun Educational Services
Configuring the Solaris OE LDAP Client Client initialization at boot: ldap_cachemgr cache Client
ldap_client_file ldap_client_cred
Binding sends request
ldap_cachemgr cache Client
Server
Application naming service request
Search for info Sends information back
LDAP Design and Deployment Copyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A
Module 4, slide 4 of 20
Sun Educational Services
Configuring the Solaris OE LDAP Client
Client initialization performed periodically:
1. Client: ldap_cachemgr asks the server for the profile.
2. Server: profile on server? No: no update. Yes: ldap_cachemgr gets the profile and refreshes its cache.
Module 4, slide 5 of 20
Verifying the Client Operating Environment
To verify the version of your client operating environment:
• Use the uname command
# uname -a
SunOS cobalt 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
• Use the showrev command
# showrev
Hostname: cobalt
Hostid: 80f52243
Release: 5.8
Kernel architecture: sun4u
Application architecture: sparc
Hardware provider: Sun_Microsystems
Domain: suned.sun.com
Kernel version: SunOS 5.8 Generic 108528-03 August 2000
Module 4, slide 6 of 20
Creating a Client Profile
The client profile is created on the LDAP server as part of the configuration procedure using the ldap_gen_profile command.
# cat profile.ldif
dn: cn=myprofile,ou=profile,dc=suned,dc=sun,dc=com
SolarisBindDN: cn=proxyagent,ou=profile,dc=suned,dc=sun,dc=com
SolarisBindPassword: {NS1}ecc423aad0
SolarisLDAPServers: 192.168.0.1
SolarisSearchBaseDN: dc=suned,dc=sun,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: myprofile
ObjectClass: top
ObjectClass: SolarisNamingProfile
Module 4, slide 7 of 20
Creating a Client Profile
Client Profile Fields and Definitions
• SolarisBindDN: The bindDN – The LDAP client name used for general naming information lookup.
• SolarisBindPassword: The bindDN password – The LDAP client password for authentication.
• SolarisLDAPServers: Server information – The server's IP addresses and optional port definition.
• SolarisSearchBaseDN: The search base name – The baseDN for LDAP operations.
• SolarisAuthMethod: The authentication mechanism – The security mechanism to be used.
• SolarisTransportSecurity: Secure transport – The transport service to be used.
• SolarisSearchReferral: The search referral option – Follow or do not follow referrals.
• SolarisSearchScope: The scope of the LDAP search – The default is one level below the baseDN.
• SolarisSearchTimeLimit: The search time-out – The maximum time a search operation waits for a result before it times out. The default is 30 seconds, which can be increased or decreased depending upon the complexity of the network.
• SolarisCacheTTL: The server information expiration time – The time after which the configuration stored in this file and in the ldap_client_cred file becomes stale. The default is 12 hours from the last refresh.
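Every client downloads this profile, so the values of the fields above decide the client's security posture before ldapclient ever runs. The following POSIX shell script is an added example, not Sun's code and not part of the course: it reads a SolarisNamingProfile LDIF and reports the field settings that weaken the client (simple authentication over an unprotected transport, a bind password carried in the profile, referral following). The sample profile it writes is constructed from the slide's values, with a placeholder in place of the password; the temporary file location is an assumption.

```shell
#!/bin/sh
# Added example (not part of the Sun course): review a SolarisNamingProfile LDIF,
# as written by ldap_gen_profile, for settings that weaken the client.
# The profile below is constructed from the slide's values; the password is a placeholder.

PROFILE=${TMPDIR:-/tmp}/myprofile.$$.ldif        # assumed scratch location
trap 'rm -f "$PROFILE"' EXIT
cat > "$PROFILE" <<'EOF'
dn: cn=myprofile,ou=profile,dc=suned,dc=sun,dc=com
SolarisBindDN: cn=proxyagent,ou=profile,dc=suned,dc=sun,dc=com
SolarisBindPassword: {NS1}PLACEHOLDER
SolarisLDAPServers: 192.168.0.1
SolarisSearchBaseDN: dc=suned,dc=sun,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: myprofile
ObjectClass: top
ObjectClass: SolarisNamingProfile
EOF

# profile_attr FILE ATTR: print the first value of ATTR. LDIF attribute names are
# case-insensitive, so both sides are lower-cased before comparing.
profile_attr() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { i = index($0, ": ")
          if (i > 0 && tolower(substr($0, 1, i - 1)) == want) { print substr($0, i + 2); exit } }' "$1"
}

# profile_findings FILE: print one line per weak setting; the exit status is the
# number of findings, so the script can gate a profile before it is loaded.
profile_findings() {
    n=0
    auth=$(profile_attr "$1" SolarisAuthMethod)
    sec=$(profile_attr "$1" SolarisTransportSecurity)
    if [ "$auth" = NS_LDAP_AUTH_SIMPLE ] && [ "$sec" = NS_LDAP_SEC_NONE ]; then
        echo "simple bind over an unprotected transport: the password for $(profile_attr "$1" SolarisBindDN) crosses the network in cleartext on every bind"
        n=$((n + 1))
    fi
    if [ -n "$(profile_attr "$1" SolarisBindPassword)" ]; then
        echo "SolarisBindPassword is stored in the profile: the client must reverse the {NS1} form to bind, so anyone able to read the attribute recovers the password; limit who can read ou=profile and give the bind DN read-only rights"
        n=$((n + 1))
    fi
    if [ "$(profile_attr "$1" SolarisSearchReferral)" = NS_LDAP_FOLLOWREF ]; then
        echo "referrals are followed: the client will bind with these credentials to whatever server a referral names"
        n=$((n + 1))
    fi
    return $n
}

profile_findings "$PROFILE"
```

Run against the slide's profile the script reports three findings and exits with status 3; a profile with no findings exits 0, which makes it usable as a pre-load check in a shell pipeline.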
Module 4, slide 8 of 20
Using the ldapclient Command
The following is an example of a typical client initialization:
# ldapclient -v -P myprofile serverIPaddress
parsing -P option
findDN: begins
findDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findDN: __ns_ldap_list(NULL, "((objectclass=nisDomainObject)(nisdomain=suned.sun.com))"
rootDN[0] dc=sun,dc=com
found baseDN dc=suned,dc=sun,dc=com for domain suned.sun.com
Servers addresses 192.168.0.1
About to configure machine by downloading a profile
save sysinfo
save stat(/etc/nsswitch.conf,
save /usr/sbin/nscd -K
save /usr/bin/pkill -9 nscd
save rename(/etc/nsswitch.conf, /etc/nsswitch.conf.orig)
save stat(/etc/defaultdomain,
save rename(/etc/defaultdomain, /etc/defaultdomain.orig)
save stat(/etc/.rootkey,
No /etc/.rootkey file!
save stat(/var/nis/NIS_COLD_START,
No /var/nis/NIS_COLD_START file!
namelen 13
save stat(/var/yp/binding/suned.sun.com,
No /var/yp/binding/suned.sun.com directory!
download save() of systems configuration suceeded.
download ret 0
download /bin/cp /etc/nsswitch.ldap /etc/nsswitch.conf
----> You will now need to reboot your machine.
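After the reboot, a practitioner wants to confirm the three results the output above describes: nsswitch.conf now consults ldap, the ldap_client_file and ldap_client_cred files exist (the latter carries the bind password, so it should be readable by its owner only), and ldap_cachemgr is running. The script below is an added example, not Sun's code and not part of the course. It assumes the client files live under /var/ldap (set CLIENT_DIR if yours differ) and that pgrep is available; the files produced by make_sample are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the Sun course): post-initialization checks for a
# Solaris LDAP client. Run with --live on a client; with no arguments it runs the
# same checks over constructed sample files. CLIENT_DIR=/var/ldap is an assumption.

NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
CLIENT_DIR=${CLIENT_DIR:-/var/ldap}

# nsswitch_uses_ldap FILE DATABASE: succeeds when the database's lookup order lists ldap.
# Comments are stripped first so a commented-out "ldap" does not count.
nsswitch_uses_ldap() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit !found }' "$1"
}

# file_private FILE: succeeds when FILE exists with no group or other permission bits.
# Parses ls -ld because stat(1) is not available on Solaris 8.
file_private() {
    [ -f "$1" ] || return 1
    set -- $(ls -ld "$1")             # $1 becomes the mode string, e.g. -rw-------
    case $1 in -???------*) return 0 ;; *) return 1 ;; esac
}

# check_client NSSWITCH_FILE CLIENT_DIR: one line per check; exit status is the failure count.
check_client() {
    fails=0
    for db in passwd group hosts; do
        if nsswitch_uses_ldap "$1" "$db"; then echo "ok    $db consults ldap"
        else echo "FAIL  $db does not consult ldap in $1"; fails=$((fails + 1)); fi
    done
    if [ -f "$2/ldap_client_file" ]; then echo "ok    $2/ldap_client_file present"
    else echo "FAIL  $2/ldap_client_file missing (ldapclient did not complete)"; fails=$((fails + 1)); fi
    if file_private "$2/ldap_client_cred"; then echo "ok    $2/ldap_client_cred is owner-only"
    else echo "FAIL  $2/ldap_client_cred missing or readable by group/other"; fails=$((fails + 1)); fi
    if pgrep -x ldap_cachemgr >/dev/null 2>&1; then echo "ok    ldap_cachemgr running"
    else echo "WARN  ldap_cachemgr not running (expected after the reboot; ignore on a non-Solaris host)"; fi
    return $fails
}

# make_sample DIR: constructed client state (an nsswitch.conf as installed from
# nsswitch.ldap, an empty client file, and an owner-only credential file).
make_sample() {
    mkdir -p "$1"
    printf 'passwd:   files ldap\ngroup:    files ldap\nhosts:    ldap [NOTFOUND=return] files\nnetworks: files # ldap\n' > "$1/nsswitch.conf"
    : > "$1/ldap_client_file"
    : > "$1/ldap_client_cred"
    chmod 600 "$1/ldap_client_cred"
}

if [ "x${1:-}" = x--live ]; then
    check_client "$NSSWITCH" "$CLIENT_DIR"
else
    SAMPLE=${TMPDIR:-/tmp}/ldapclient-check.$$
    make_sample "$SAMPLE"
    check_client "$SAMPLE/nsswitch.conf" "$SAMPLE"
    rm -rf "$SAMPLE"
fi
```

A non-zero exit status means at least one of the configuration results from ldapclient is missing; the ldap_cachemgr check is only a warning because the daemon is started at boot rather than by ldapclient itself.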
Module 4, slide 9 of 20
Configuring the LDAP Client 1. To choose LDAP as a naming service, you must provide name service information in Netscape Console. In the Name Service window, select LDAP as the name service. Click continue.
Module 4, slide 10 of 20
Configuring the LDAP Client 2. In the Domain Name window, enter the domain name where the system resides. Click continue.
Module 4, slide 11 of 20
Configuring the LDAP Client 3. In the LDAP Profile window, enter the profile name and server IP address. Click continue.
Module 4, slide 12 of 20
Configuring the LDAP Client 4. In the Confirm Information window, verify that you have provided accurate information. Click continue.
Module 4, slide 13 of 20
Changing the LDAP Server Configuration Parameters Changes can be made to any of the parameters listed in the client profile using the Directory Server Console.
Module 4, slide 14 of 20
Verifying the Configuration
Use the ldaplist command:
# ldaplist
dn: ou=Hosts,dc=suned,dc=sun,dc=com
dn: ou=Group,dc=suned,dc=sun,dc=com
dn: ou=rpc,dc=suned,dc=sun,dc=com
dn: ou=protocols,dc=suned,dc=sun,dc=com
dn: ou=networks,dc=suned,dc=sun,dc=com
dn: ou=netgroup,dc=suned,dc=sun,dc=com
dn: ou=aliases,dc=suned,dc=sun,dc=com
dn: ou=people,dc=suned,dc=sun,dc=com
dn: ou=services,dc=suned,dc=sun,dc=com
dn: ou=Ethers,dc=suned,dc=sun,dc=com
dn: ou=profile,dc=suned,dc=sun,dc=com
dn: nismapname=auto_home,dc=suned,dc=sun,dc=com
dn: nismapname=auto_direct,dc=suned,dc=sun,dc=com
dn: nismapname=auto_master,dc=suned,dc=sun,dc=com
Module 4, slide 15 of 20
Reverting the Client Configuration
The ldapclient command can also be used to change the naming service back to its pre-LDAP state.
# ldapclient -u
----> You will now need to reboot your machine.
Module 4, slide 16 of 20
Troubleshooting the Configuration
The ldapclient Command Cannot Bind to the Server
If ldapclient fails to initialize the client when using the -P profile option, there are several possible causes:
• The nisDomain attribute is not set in the DIT to represent the entry point for the specified client domain, resulting in a nisDomainObject NOT FOUND message.
• The VLV indexing ACI does not allow anonymous access (nisDomainObject NOT FOUND message).
• The ACI is not set up properly on the server, forbidding anonymous searches in the LDAP database.
Module 4, slide 17 of 20
Troubleshooting the Configuration
The ldapclient Command Cannot Bind to the Server
• An incorrect server IP address is passed to the ldapclient command. Use ldapsearch(1) to verify the server address.
• An incorrect profile name is passed to the ldapclient command. Use ldapsearch(1) to verify the profile name in the DIT.
Module 4, slide 18 of 20
Exercise: Configuring the LDAP Client
• Objectives
• Tasks
• Discussion
• Solutions
Module 4, slide 19 of 20
Exercise Summary
• Experiences
• Interpretations
• Conclusions
• Applications
Module 4, slide 20 of 20
Course Contents
About This Course  Preface-iv
    Course Goals  Preface-v
    Course Map  Preface-vi
    How Prepared Are You?  Preface-ix
    Introductions  Preface-xi
    How to Use the Icons  Preface-xii
    Typographical Conventions and Symbols  Preface-xiii
Naming Service Fundamentals  1-1
    Objectives  1-2
    Solaris OE Naming Service Architecture  1-3
    Solaris OE Naming Services  1-4
    Solaris OE Name Service Switch  1-5
    Solaris OE Security Models  1-6
    Directory Service Overview  1-7
    LDAP Design on the Solaris OE  1-9
    The Information Model  1-10
    The Naming Model  1-13
    The Functional Model  1-17
    The Security Model  1-18
    Replication  1-19
Implementing an LDAP Directory Server on the Solaris OE  2-1
    Objectives  2-2
    Installing and Configuring the Netscape Directory Server  2-3
    Netscape Directory Server Installation Concepts  2-4
    Planning Installation of Netscape Directory Server  2-8
    Verifying the Software Requirements  2-10
    Installing Netscape Directory Server  2-11
    Verifying the Installation  2-31
    Identifying the Installed File Structure  2-36
    Performing Netscape Directory Server Post-Installation Configuration  2-37
    Exercise: Installing and Configuring Netscape Directory Server  2-38
    Exercise Summary  2-39
    Creating Startup Scripts for Netscape Directory Server  2-40
    Using the Script Generating Program  2-41
    Overview of LDAP Operations  2-42
    Overview of the LDIF Format  2-44
    Using the ldapsearch Command  2-46
    Using the ldapmodify Command  2-48
    Using ldapadd, ldapdelete, and ldapmodrdn Commands  2-49
    Using the Netscape Directory Console  2-50
    Using LDAP URLs  2-57
    Using the Directory Server Gateway Interface  2-59
    Editing Configuration Files  2-60
    Exercise: Using LDAP Commands  2-61
    Exercise Summary  2-62
Configuring the Netscape Directory Server for LDAP on the Solaris OE  3-1
    Objectives  3-2
    Native LDAP for the Solaris OE  3-3
    Creating the DIT Structure and Support Entries  3-5
    Optimizing Performance  3-6
    Creating Indexes for the LDAP-specific Attributes  3-7
    Creating VLV Indexes  3-12
    Exercise: Configuring Netscape Directory Server for Native LDAP  3-13
    Exercise Summary  3-14
    Populating the LDAP Database  3-15
    Modifying the nis.mapping File  3-16
    Modifying the nis.mapping File  3-17
    Using the dsimport Command to Create LDIF Files  3-18
    Importing the Data Into the LDAP Database  3-19
    Verifying the Data  3-23
    Exercise: Populating the LDAP Database  3-26
    Exercise Summary  3-27
Implementing an LDAP Client for the Solaris OE  4-1
    Objectives  4-2
    Configuring the Solaris OE LDAP Client  4-3
    Verifying the Client Operating Environment  4-6
    Creating a Client Profile  4-7
    Using the ldapclient Command  4-9
    Configuring the LDAP Client  4-10
    Configuring the LDAP Client  4-12
    Changing the LDAP Server Configuration Parameters  4-14
    Verifying the Configuration  4-15
    Reverting the Client Configuration  4-16
    Troubleshooting the Configuration  4-17
    Exercise: Configuring the LDAP Client  4-19
    Exercise Summary  4-20