LDAPCLIENT(8) | Maintenance Commands and Procedures | LDAPCLIENT(8) |
ldapclient - initialize LDAP client machine or output an LDAP client profile in LDIF format
/usr/sbin/ldapclient [-v | -q] init [-a profileName=profileName]
[-a domainName=domain] [-a proxyDN=proxyDN]
[-a proxyPassword=password]
[-a authenticationMethod=authenticationMethod]
[-a enableShadowUpdate=true | false]
[-a adminDN=adminDN]
[-a adminPassword=adminPassword]
[-a certificatePath=path] [-d bindDN] [-w bindPassword]
[-j passwdFile] [-y passwdFile]
[-z adminrPasswdFile] LDAP_server[:port_number]
/usr/sbin/ldapclient [-v | -q] manual [-a attrName=attrVal]
/usr/sbin/ldapclient [-v | -q] mod [-a attrName=attrVal]
/usr/sbin/ldapclient [-v | -q] list
/usr/sbin/ldapclient [-v | -q] uninit
/usr/sbin/ldapclient [-v | -q] genprofile -a profileName=profileName
[-a attrName=attrVal]
The ldapclient utility can be used to:
The init form of the ldapclient utility is used to initialize an LDAP client machine, using a profile stored on an LDAP server specified by LDAP_server. The LDAP client will use the attributes in the specified profile to determine the configuration of the LDAP client. Using a configuration profile allows for easy installation of LDAP client and propagation of configuration changes to LDAP clients. The ldap_cachemgr(8) utility will update the LDAP client configuration when its cache expires by reading the profile. For more information on the configuration profile refer to IETF document A Configuration Schema for LDAP Based Directory User Agents.
The manual form of the ldapclient utility is used to initialize an LDAP client machine manually. The LDAP client will use the attributes specified on the command line. Any unspecified attributes will be assigned their default values. At least one server must be specified in the defaultServerList or the preferredServerList attributes.The domainName attribute must be specified if the client's domainName is not set.
The mod form of the ldapclient utility is used to modify the configuration of an LDAP client machine that was setup manually. This option modifies only those LDAP client configuration attributes specified on the command line. The mod option should only be used on LDAP clients that were initialized using the manual option.
Regardless of which method is used for initialization, if a client is to be configured to use a proxy credentialLevel, proxy credentials must be provided using -a proxyDN=proxyDN and -a proxyPassword=proxyPassword options. However, if -a proxyPassword=proxyPassword is not specified, ldapclient will prompt for it. Note that NULL passwords are not allowed in LDAP. If a self credentialLevel is configured, authenticationMethod must be sasl/GSSAPI.
Similarly, if a client is to be configured to enable shadow information update and use a proxy credentialLevel, administrator credentials must be provided using -a adminDN=adminDN and -a adminPassword=adminPassword. However, the shadow information update does not need the administrator credentials if a self credentialLevel is configured.
If any file is modified during installation, it will be backed up to /var/ldap/restore. The files that are typically modified during initialization are:
ldapclient does not set up a client to resolve hostnames using DNS. It simply copies /etc/nsswitch.ldap to /etc/nsswitch.conf. If you prefer to use DNS for host resolution, please refer to the DNS documentation for information on setting up DNS. See resolv.conf(5). If you want to use sasl/GSSAPI as the authentication method, you have to use DNS for hosts and ipnodes resolution.
The list form of the ldapclient utility is used to list the LDAP client configuration. The output will be human readable. LDAP configuration files are not guaranteed to be human readable. Note that for security reason, the values for adminDN and adminPassword will not be displayed.
The uninit form of the ldapclient utility is used to uninitialize the network service environment, restoring it to the state it was in prior to the last execution of ldapclient using init or manual. The restoration will succeed only if the machine was initialized with the init or manual form of ldapclient, as it uses the backup files created by these options.
The genprofile option is used to write an LDIF formatted configuration profile based on the attributes specified on the command line to standard output. This profile can then be loaded into an LDAP server to be used as the client profile, which can be downloaded by means of the ldapclient init command. Loading the LDIF formatted profile to the directory server can be done through ldapadd(1), or through any server specific import tool. Note that the attributes proxyDN, proxyPassword, certificatePath, domainName, enableShadowUpdate, adminDN, and adminPassword are not part of the configuration profile and thus are not permitted.
You must have superuser privileges to run the ldapclient command, except with the genprofile option.
To access the information stored in the directory, clients can either authenticate to the directory, or use an unauthenticated connection. The LDAP client is configured to have a credential level of either anonymous or proxy. In the first case, the client does not authenticate to the directory. In the second case, client authenticates to the directory using a proxy identity for read access, and using a administrator identity for write access if enableShadowUpdate is configured. In the third case, client authenticates to the directory using a Kerberos principal that is mapped to an LDAP identity by the LDAP server. Refer to the chapter on implementing security in the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) or your appropriate directory server documentation for identity mapping details.
If a client is configured to use an identity, you can configure
which authentication method the client will use. The LDAP client supports
the following authentication methods:
none
simple
sasl/CRAM-MD5
sasl/DIGEST-MD5
sasl/GSSAPI
tls:none
tls:simple
tls:sasl/CRAM-MD5
tls:sasl/DIGEST-MD5
Note that some directory servers may not support all of these authentication methods. For simple, be aware that the bind password will be sent in the clear to the LDAP server. For those authentication methods using TLS (transport layer security), the entire session is encrypted. You will need to install the appropriate certificate databases to use TLS. Note that the tls:none authentication method requires a credentialLevel of proxy to take effect.
The following commands are supported:
init
manual
mod
list
uninit
genprofile
The following attributes are supported:
adminDN
adminPassword
attributeMap
attributeMap: passwd:uid=employeeNumber
the LDAP client would use the LDAP attribute employeeNumber rather than uid for the passwd service. This is a multivalued attribute.
To use rfc2307bis style groups (with a DN rather than username as the attribute value), map the memberUid attribute to the group attribute being used (typically either uniqueMember or member), for example:
attributeMap: group:memberUid=uniqueMember
Group membership in a given directory is expected to be maintained with either username format member attributes, or DN format member attributes. If both are present they must describe identical memberships or unexpected results may be obtained. For DN format attributes, the username is required to be the RDN of the entry. Note that nested groups are not currently supported, and unexpected results may be obtained if they are used.
authenticationMethod
hosts: dns files ipnodes: dns files
bindTimeLimit
certificatePath
credentialLevel
defaultSearchBase
defaultSearchScope=one | sub
defaultServerList
The port number is optional. If not specified, the default LDAP server port number 389 is used, except when TLS is specified in the authentication method. In this case, the default LDAP server port number is 636.
The format to specify the port number for an IPv6 address is:
[ipv6_addr]:port
To specify the port number for an IPv4 address, use the following format:
ipv4_addr:port
If the host name is specified, use the format:
host_name:port
If you use TLS, the LDAP server's hostname must match the hostname in the TLS certificate. Typically, the hostname in the TLS certificate is a fully qualified domain name. With TLS, the LDAP server host addresses must resolve to the hostnames in the TLS certificate. You must use files or dns to resolve the host address.
domainName
enableShadowUpdate=true | false
followReferrals=true | false
objectclassMap
objectclassMap=passwd:posixAccount=unixAccount
the LDAP client would use the LDAP objectclass of unixAccount rather than the posixAccount for the passwd service. This is a multivalued attribute.
preferredServerList
The port number is optional. If not specified, the default LDAP server port number 389 is used, except when TLS is specified in the authentication method. In this case, the default LDAP server port number is 636.
The format to specify the port number for an IPv6 address is:
[ipv6_addr]:port
To specify the port number for an IPv4 address, use the following format:
ipv4_addr:port
If the host name is specified, use the format:
host_name:port
If you use TLS, the LDAP server's hostname must match the hostname in the TLS certificate. Typically, the hostname in the TLS certificate is a fully qualified domain name. With TLS, the LDAP server host addresses must resolve to the hostnames in the TLS certificate. You must use files or dns to resolve the host address.
profileName
profileTTL
proxyDN
proxyPassword
searchTimeLimit
serviceAuthenticationMethod
pam_ldap:tls:simple
For multiple authentication methods, use a semicolon-separated list. The default value is no service authentication methods, in which case, each service would default to the authenticationMethod value. The supported authentications are described above.
Three services support this feature: passwd-cmd, keyserv, and pam_ldap. The passwd-cmd service is used to define the authentication method to be used by passwd(1) to change the user's password and other attributes. The keyserv service is used to identify the authentication method to be used by the chkey(1) and newkey(8) utilities. The pam_ldap service defines the authentication method to be used for authenticating users when pam_ldap(7) is configured. If this attribute is not set for any of these services, the authenticationMethod attribute is used to define the authentication method. This is a multivalued attribute.
serviceCredentialLevel
serviceSearchDescriptor
serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=example,dc=com?one
the LDAP client would do a one level search in ou=people,dc=a1,dc=example,dc=com rather than ou=people,defaultSearchBase for the passwd service.
The following options are supported:
-a attrName=attrValue
-D bindDN
-j passwdFile
-q
-v
-w bindPassword
When you use -w bindPassword to specify the password to be used for authentication, the password is visible to other users of the system by means of the ps command, in script files, or in shell history.
If you supply "-" (hyphen) as a password, the command will prompt for a password.
-y passwdFile
-z adminrPasswdFile
The following operand is supported:
LDAP_server
Example 1 Setting Up a Client By Using the Default Profile Stored on a Specified LDAP Server
The following example shows how to set up a client using the default profile stored on the specified LDAP server. This command will only be successful if either the credential level in the profile is set to anonymous or the authentication method is set to none.
example# ldapclient init 172.16.100.1
Example 2 Setting Up a Client By Using the simple Profile Stored on a Specified LDAP Server
The following example shows how to set up a client using the simple profile stored on the specified LDAP server. The domainname is set to xyz.example.com and the proxyPassword is secret.
example# ldapclient init -a profileName=simple \ -a domainName=xyz.example.com \ -a proxyDN=cn=proxyagent,ou=profile,dc=xyz,dc=example,dc=com \ -a proxyPassword=secret '['fe80::a00:20ff:fea3:388']':386
Example 3 Setting Up a Client Using Only One Server
The following example shows how to set up a client using only one server. The authentication method is set to none, and the search base is dc=example,dc=com.
example# ldapclient manual -a authenticationMethod=none \ -a defaultSearchBase=dc=example,dc=com \ -a defaultServerList=172.16.100.1
Example 4 Setting Up a Client Using Only One Server That Does Not Follow Referrals
The following example shows how to set up a client using only one server. The credential level is set to proxy. The authentication method of is sasl/CRAM-MD5, with the option not to follow referrals. The domain name is xyz.example.com, and the LDAP server is running on port number 386 at IP address 172.16.100.1.
example# ldapclient manual \ -a credentialLevel=proxy \ -a authenticationMethod=sasl/CRAM-MD5 \ -a proxyPassword=secret \ -a proxyDN=cn=proxyagent,ou=profile,dc=xyz,dc=example,dc=com \ -a defaultSearchBase=dc=xyz,dc=example,dc=com \ -a domainName=xyz.example.com \ -a followReferrals=false \ -a defaultServerList=172.16.100.1:386
Example 5 Using genprofile to Set Only the defaultSearchBase and the Server Addresses
The following example shows how to use the genprofile command to set the defaultSearchBase and the server addresses.
example# ldapclient genprofile -a profileName=myprofile \ -a defaultSearchBase=dc=eng,dc=sun,dc=com \ -a "defaultServerList=172.16.100.1 172.16.234.15:386" \ > myprofile.ldif
Example 6 Creating a Profile on IPv6 servers
The following example creates a profile on IPv6 servers
example# ldapclient genprofile -a profileName=eng \ -a credentialLevel=proxy \ -a authenticationMethod=sasl/DIGEST-MD5 \ -a defaultSearchBase=dc=eng,dc=example,dc=com \ -a "serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=example,dc=com?one"\ -a preferredServerList= '['fe80::a00:20ff:fea3:388']' \ -a "defaultServerList='['fec0::111:a00:20ff:fea3:edcf']' \
'['fec0::111:a00:20ff:feb5:e41']'" > eng.ldif
Example 7 Creating a Profile That Overrides Every Default Value
The following example shows a profile that overrides every default value.
example# ldapclient genprofile -a profileName=eng \ -a credentialLevel=proxy -a authenticationMethod=sasl/DIGEST-MD5 \ -a bindTimeLimit=20 \ -a defaultSearchBase=dc=eng,dc=example,dc=com \ -a "serviceSearchDescriptor=passwd:ou=people,dc=a1,dc=example,dc=com?one"\ -a serviceAuthenticationMethod=pam_ldap:tls:simple \ -a defaultSearchScope=sub \ -a attributeMap=passwd:uid=employeeNumber \ -a objectclassMap=passwd:posixAccount=unixAccount \ -a followReferrals=false -a profileTTL=6000 \ -a preferredServerList=172.16.100.30 -a searchTimeLimit=30 \ -a "defaultServerList=172.16.200.1 172.16.100.1 192.168.5.6" > eng.ldif
The following exit values are returned:
0
1
2
/var/ldap/ldap_client_cred
/var/ldap/ldap_client_file
/etc/defaultdomain
/etc/nsswitch.conf
/etc/nsswitch.ldap
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
Interface Stability | Evolving |
chkey(1), ldap(1), ldapadd(1), ldapdelete(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1), defaultdomain(5), nsswitch.conf(5), resolv.conf(5), attributes(7), idsconfig(8), ldap_cachemgr(8), ldapaddent(8)
Currently StartTLS is not supported by libldap.so.5, therefore the port number provided refers to the port used during a TLS open, rather than the port used as part of a StartTLS sequence. To avoid timeout delays, mixed use of TLS and non-TLS authentication mechanisms is not recommended.
For example:
-h foo:1000 -a authenticationMethod=tls:simple
...or:
defaultServerList= foo:1000 authenticationMethod= tls:simple
The preceding refers to a raw TLS open on host foo port 1000, not an open, StartTLS sequence on an unsecured port 1000. If port 1000 is unsecured the connection will not be made.
As a second example, the following will incur a significant timeout delay while attempting the connection to foo:636 with an unsecured bind.
defaultServerList= foo:636 foo:389 authenticationMethod= simple
November 22, 2021 | OmniOS |