I decided to try out the OpenLDAP server that is bundled with Oracle Solaris 11.1 after reading Paul Johnson's blog entry Configuring a Basic LDAP Server + Client in Solaris 11. Paul's instructions were helpful, but he didn't explain how to configure OpenLDAP so that it could be used with the Solaris commands which accept the option:
-S files | ldap.
That option is interpreted by the following commands:
In addition, the passwd(1) command accepts -r files | ldap, and the User Manager GUI has a Filter Users dialog which has radio buttons for files and ldap. All of these commands depend on LDAP schema extensions that are not configured in OpenLDAP by default. The various schema are documented in Working with Naming and Directory Services and Trusted Extensions Configuration and Administration:
I combined these into a single file called solaris.schema, and copied it into the /etc/openldap/schema directory. I also created and installed another file called automap.schema which contains just the attributes and object classes for the automount service. These are missing from the existing nis.schema file, which is apparently a subset of RFC 2307bis Network Information Service Schema.
Then I modified the configuration file /etc/openldap/slapd.conf to include the required schema, and changed the domain name to gfaden.com.
a6,11> include /etc/openldap/schema/cosine.schema> include /etc/openldap/schema/inetorgperson.schema> include /etc/openldap/schema/nis.schema> include /etc/openldap/schema/solaris.schema> include /etc/openldap/schema/automap.schema54,55c60,61< suffix "dc=my-domain,dc=com"< rootdn "cn=Manager,dc=my-domain,dc=com"---> suffix "dc=gfaden,dc=com"> rootdn "cn=admin,dc=gfaden,dc=com"
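Review bot: the first hunk (a6,11) adds two hand-written schema files, solaris.schema and automap.schema, but nothing in the procedure checks that they parse; run slaptest -f /etc/openldap/slapd.conf before svcadm enable ldap/server, because a syntax error or a duplicate attribute or OID in a custom schema file stops slapd at startup. Keep the two custom includes after cosine.schema and nis.schema, as shown, since include files are processed in order and a schema file may only reference attribute types and object classes that an earlier file has already defined.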
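Review bot: the second hunk (54,55c60,61) changes rootdn to cn=admin,dc=gfaden,dc=com, but the matching rootpw line is not part of the diff. The directory starts out empty, so the first ldapadd below can only bind as this DN if rootpw is set in slapd.conf; use the hashed form produced by slappasswd rather than a cleartext value, and keep slapd.conf readable only by the openldap user the service runs as. Note also that this rootdn is later used as the client's proxyDN, so the proxy credentials stored on each client grant full write access to the whole directory; a dedicated proxy entry with an ACL limited to what shadow update needs would contain that exposure.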
Following Paul's advice, I did the following:
root# chown -R openldap:openldap /var/openldap/
root# svcadm enable ldap/server
Then I wrote two scripts and ran them to create the various containers in the directory. The following script creates empty containers corresponding to the top-level directory object and the organizational units for the object classes.
 1 #!/bin/ksh
 2
 3 ME=gfaden
 4 LDAP_BASEDN="dc=${ME},dc=com"
 5 LDAP_ROOTDN="cn=admin,${LDAP_BASEDN}"
 6
 7 TMP_LDIF=$(mktemp /tmp/toplevels.XXXX)
 8
 9 ( cat << EOF
10 dn: ${LDAP_BASEDN}
11 objectClass: dcObject
12 objectClass: organization
13 o: ${ME}.com
14 dc: ${ME}
15
16 EOF
17 )>${TMP_LDIF}
18
19 for ou in users groups rpc protocols networks netgroup \
20     aliases hosts services ethers projects \
21     SolarisAuthAttr SolarisProfAttr ipTnet;do
22
23 ( cat << EOF
24 dn: ou=${ou},${LDAP_BASEDN}
25 ou: ${ou}
26 objectClass: top
27 objectClass: organizationalUnit
28
29 EOF
30 )>>${TMP_LDIF}
31 done
32
33 ldapadd -cD ${LDAP_ROOTDN} -f ${TMP_LDIF}
34 rm ${TMP_LDIF}
I'm not sure I got all the spelling right in lines 19-21, but it seems to work. There are some subtle differences between what OpenLDAP uses compared to ODSEE. I wrote a similar script to create the automap containers:
#!/bin/ksh
#
# Create the automount map containers (auto_home, auto_direct, auto_master)
# directly under the base DN.

LDAP_BASEDN="dc=gfaden,dc=com"
LDAP_ROOTDN="cn=admin,${LDAP_BASEDN}"

TMP_LDIF=$(mktemp /tmp/automap.XXXX)

# One automountMap entry per map; all entries are appended to a single LDIF
# file and loaded in one ldapadd run.
for automap in auto_home auto_direct auto_master;do

( cat << EOF
dn: automountMapName=${automap},${LDAP_BASEDN}
automountMapName: ${automap}
objectClass: top
objectClass: automountMap

EOF
)>>${TMP_LDIF}
done

# -c continues past entries that fail to load; -D binds as the root DN.
ldapadd -cD ${LDAP_ROOTDN} -f ${TMP_LDIF}
rm ${TMP_LDIF}
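Because ldapadd -c continues past entries that fail to load, either of the two scripts above can finish without every container having been created, and nothing in the procedure would show it. The following check is an added example, not part of the original post: it parses the LDIF that ldapsearch returns for the one-level children of the base DN and reports any expected organizational unit or automount map that is absent. The ldapsearch invocation in the comment, the constructed sample output, and the function names (rdn_values, missing_from, check_containers) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the containers the
# two scripts above were meant to create really exist.  "ldapadd -c" keeps
# going after a failed entry, so a schema or DN mistake can leave a container
# missing without the script reporting it.
#
# Assumed invocation against a live server (not run here):
#   ldapsearch -b "$LDAP_BASEDN" -s one 'objectClass=*' dn | check_containers
# Below, a constructed sample of that output is used so the check runs offline.

LDAP_BASEDN="dc=gfaden,dc=com"

# Containers the two scripts above create.
EXPECTED_OUS="users groups rpc protocols networks netgroup aliases hosts services ethers projects SolarisAuthAttr SolarisProfAttr ipTnet"
EXPECTED_MAPS="auto_home auto_direct auto_master"

# Constructed sample of one-level ldapsearch output (dn lines only).  "ethers"
# and "auto_direct" are deliberately absent to show what a partial load looks like.
SAMPLE_LDIF='dn: ou=users,dc=gfaden,dc=com

dn: ou=groups,dc=gfaden,dc=com

dn: ou=rpc,dc=gfaden,dc=com

dn: ou=protocols,dc=gfaden,dc=com

dn: ou=networks,dc=gfaden,dc=com

dn: ou=netgroup,dc=gfaden,dc=com

dn: ou=aliases,dc=gfaden,dc=com

dn: ou=hosts,dc=gfaden,dc=com

dn: ou=services,dc=gfaden,dc=com

dn: ou=projects,dc=gfaden,dc=com

dn: ou=SolarisAuthAttr,dc=gfaden,dc=com

dn: ou=SolarisProfAttr,dc=gfaden,dc=com

dn: ou=ipTnet,dc=gfaden,dc=com

dn: automountMapName=auto_home,dc=gfaden,dc=com

dn: automountMapName=auto_master,dc=gfaden,dc=com
'

# Print the RDN values of entries directly under the base DN whose RDN
# attribute is $1, reading LDIF from stdin:
#   "dn: ou=users,dc=gfaden,dc=com" -> "users"
rdn_values() {
    sed -n "s/^dn: $1=\([^,]*\),${LDAP_BASEDN}\$/\1/p"
}

# Print every name in the space-separated list $2 that is not one of the
# newline-separated names in $1.  No output means nothing is missing.
missing_from() {
    for name in $2; do
        printf '%s\n' "$1" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Read one-level LDIF on stdin; print the missing containers to stderr and
# return 1 if any expected OU or automount map is absent, otherwise return 0.
check_containers() {
    ldif=$(cat)
    ous=$(printf '%s\n' "$ldif" | rdn_values ou)
    maps=$(printf '%s\n' "$ldif" | rdn_values automountMapName)
    missing=$(missing_from "$ous" "$EXPECTED_OUS"
              missing_from "$maps" "$EXPECTED_MAPS")
    if [ -n "$missing" ]; then
        printf 'missing containers under %s:\n%s\n' "$LDAP_BASEDN" "$missing" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed sample: reports ethers and
# auto_direct as missing and exits with status 1.
printf '%s\n' "$SAMPLE_LDIF" | check_containers || echo "partial load detected (status $?)"
```

On a real system, pipe the ldapsearch output shown in the comment into check_containers right after running the two container scripts; a non-zero exit is the signal to look at the ldapadd error output that -c allowed the script to run past.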
Then I used a slightly modified version of Paul's ldapclient(1M) command to make my system an LDAP client of itself:
 1 #!/bin/ksh
 2 ldapclient manual \
 3 -a credentialLevel=proxy \
 4 -a authenticationMethod=simple \
 5 -a defaultSearchBase=dc=gfaden,dc=com \
 6 -a domainName=gfaden.com \
 7 -a defaultServerList=127.0.0.1 \
 8 -a proxyDN=cn=admin,dc=gfaden,dc=com \
 9 -a adminDN=cn=admin,dc=gfaden,dc=com \
10 -a proxyPassword=secret \
11 -a enableShadowUpdate=true \
12 -a attributeMap=group:gidnumber=gidNumber \
13 -a attributeMap=passwd:gidnumber=gidNumber \
14 -a attributeMap=passwd:uidnumber=uidNumber \
15 -a attributeMap=passwd:homedirectory=homeDirectory \
16 -a attributeMap=passwd:loginshell=loginShell \
17 -a attributeMap=shadow:userpassword=userPassword \
18 -a objectClassMap=group:posixGroup=posixgroup \
19 -a objectClassMap=passwd:posixAccount=posixaccount \
20 -a objectClassMap=shadow:shadowAccount=posixaccount \
21 -a serviceSearchDescriptor=passwd:ou=users,dc=gfaden,dc=com \
22 -a serviceSearchDescriptor=group:ou=groups,dc=gfaden,dc=com \
23 -a serviceSearchDescriptor=shadow:ou=users,dc=gfaden,dc=com
Since I was doing this on my laptop, I just used localhost for the IP address (line 7). However, I needed to add the admin distinguished name (line 9), and enable shadow update (line 11). Together, these two settings allow the client to make updates without re-authenticating if it is running as root or with all privileges.
Again, following Paul's blog, I enabled DNS, and restarted the name service:
root# svccfg -s name-service/switch setprop config/host = astring: \"files dns ldap\"
root# svccfg -s name-service/switch:default refresh
root# svcadm restart name-service/cache
Now I can specify the ldap option for any of the commands listed above. For example:
root# groupadd -S ldap -g 1001 world
root# ldapaddent -d group
world:*:1001: