2. Configure the LDAP client.
3. Verify LDAP client communication with the LDAP server.

Task 1/3

1. Configure the LDAP server.
a. In the pri-services terminal, verify the SMF status of the OpenLDAP server.
root@pri-services:~# svcs network/ldap/server
STATE          STIME    FMRI
disabled       Oct_09   svc:/network/ldap/server:openldap_24
The OpenLDAP service should be in the disabled state.
b. As a precautionary step, delete the contents of the /var/openldap/openldap-data/ directory to remove any previous entries.
root@pri-services:~# ls /var/openldap/openldap-data/
DB_CONFIG.example
root@pri-services:~# rm /var/openldap/openldap-data/*
c. Enable the executable bit on the OpenLDAP server daemon, /usr/lib/slapd.
root@pri-services:~# chmod +x /usr/lib/slapd
root@pri-services:~# ls -l /usr/lib/slapd
-r-xr-xr-x 1 root bin 2743456 Oct 8 08:38 /usr/lib/slapd
d. Create a copy of the slapd.conf.default file to reuse it for configuring the OpenLDAP server.
root@pri-services:~# cp /etc/openldap/slapd.conf.default /etc/openldap/slapd.conf
e. Edit the slapd.conf file to include the following schema files at the top of the file, immediately following the line "include /etc/openldap/schema/core.schema". Also change the string my-domain to mydomain wherever it appears. You can either:
− Copy the file from the host system.
root@pri-services:~# exit
root@s11-host01:~# scp /opt/ora/course_files/ldap/slapd.conf /zones/pri-services/root/etc/openldap/
root@s11-host01:~# zlogin pri-services
− Or, edit the file by using the vi editor.
root@pri-services:~# vi /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/openldap/run/slapd.pid
argsfile /var/openldap/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/amd64/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#     by self write
#     by users read
#     by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap/openldap-data
# Indices to maintain
index objectClass eq
:wq
A directory schema specifies, among other rules, the types of objects that a directory may have and the mandatory and optional attributes of each object type.
f. Change the ownership of the openldap directory to the default LDAP user, openldap.
root@pri-services:~# chown -R openldap:openldap /var/openldap
g. Enable the LDAP server.
root@pri-services:~# svcadm enable ldap/server
root@pri-services:~# svcs ldap/server
STATE          STIME    FMRI
online         11:18:57 svc:/network/ldap/server:openldap_24
h. The LDAP Data Interchange Format (LDIF) file needs to be created. LDIF is a standard plain-text data interchange format for representing LDAP directory content and update requests. This file contains the user information directory. You can either:
− Copy the file from the host system.
root@pri-services:~# exit
root@s11-host01:~# scp /opt/ora/course_files/ldap/data.ldif /zones/pri-services/root/root/
root@s11-host01:~# zlogin pri-services
− Or, create the file by using the vi editor.
root@pri-services:~# vi /root/data.ldif
dn: dc=mydomain,dc=com
o: mydomain
objectClass: dcObject
dc: mydomain
objectClass: organization

dn: ou=profile,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: profile

dn: cn=default,ou=profile,dc=mydomain,dc=com
objectClass: DUAConfigProfile
cn: default
defaultSearchBase: dc=mydomain,dc=com
credentialLevel: anonymous
authenticationMethod: none
defaultSearchScope: sub
profileTTL: 300
searchTimeLimit: 60
defaultServerList: 192.168.3.4
serviceSearchDescriptor: passwd: ou=users,dc=mydomain,dc=com
serviceSearchDescriptor: shadow: ou=users,dc=mydomain,dc=com
serviceSearchDescriptor: group: ou=groups,dc=mydomain,dc=com

dn: ou=groups,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=staff,ou=groups,dc=mydomain,dc=com
gidNumber: 10
cn: staff
objectClass: posixGroup
objectClass: top

dn: ou=users,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: uid=scarter,ou=users,dc=mydomain,dc=com
cn: Sam Carter
sn: Carter
givenName: Sam
uid: scarter
uidNumber: 1002
gidNumber: 10
homeDirectory: /home/scarter
loginShell: /bin/bash
gecos: Normal User
mail: [email protected]
shadowMax: 45
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: oracle1

dn: uid=proxy,dc=mydomain,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword: oracle1
uid: proxy
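A check worth running on a data.ldif before loading it: the schema rule quoted above (mandatory attributes per object class) and two properties of this lab's setup that matter outside a classroom, cleartext userPassword values and a DUA profile that binds with credentialLevel anonymous (with slapd.conf carrying no access directives, its own comments note that anyone can read anything). The Python below is an added example, not part of the course material or OpenLDAP; it assumes a constructed sample LDIF modelled on the lab file and a minimal LDIF reader that does not handle base64 (::) values or change records.

```python
# MUST attributes of posixAccount from nis.schema; lowercased, as LDAP names are case-insensitive.
REQUIRED = {"posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}}

# Constructed sample modelled on the lab's data.ldif (not the course file itself).
SAMPLE_LDIF = """\
dn: cn=default,ou=profile,dc=mydomain,dc=com
objectClass: DUAConfigProfile
cn: default
credentialLevel: anonymous

dn: uid=scarter,ou=users,dc=mydomain,dc=com
objectClass: posixAccount
cn: Sam Carter
uid: scarter
uidNumber: 1002
gidNumber: 10
userPassword: oracle1
"""

def parse_ldif(text):
    """Return [{"dn": ..., "attrs": {lowercased name: [values]}}]; base64 (::) values not handled."""
    lines = []
    for raw in text.splitlines():              # unfold continuation lines, drop comments/blanks
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entries = []
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.lower(), value.strip()
        if name == "dn":                       # a dn line starts a new entry
            entries.append({"dn": value, "attrs": {}})
        else:
            entries[-1]["attrs"].setdefault(name, []).append(value)
    return entries

def audit(entries):
    """Return findings: missing MUST attributes, cleartext userPassword, anonymous profile."""
    findings = []
    for e in entries:
        a = e["attrs"]
        for cls in sorted({c.lower() for c in a.get("objectclass", [])} & set(REQUIRED)):
            for miss in sorted(REQUIRED[cls] - set(a)):
                findings.append(f"{e['dn']}: missing {miss} (required by {cls})")
        if any(not pw.startswith("{") for pw in a.get("userpassword", [])):
            findings.append(f"{e['dn']}: userPassword stored in cleartext")
        if "anonymous" in a.get("credentiallevel", []):
            findings.append(f"{e['dn']}: DUA profile binds with credentialLevel anonymous")
    return findings
```

Run against the sample it reports the anonymous profile, the missing homeDirectory on scarter, and the cleartext password; a hashed value such as one produced by slappasswd(8) ({SSHA}...) passes the password check.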
i. Load the directory content from the data.ldif file into the LDAP server.
root@pri-services:~# ldapadd -D "cn=Manager,dc=mydomain,dc=com" -f /root/data.ldif
Enter bind password: secret
adding new entry dc=mydomain,dc=com
adding new entry ou=profile,dc=mydomain,dc=com
adding new entry cn=default,ou=profile,dc=mydomain,dc=com
adding new entry ou=groups,dc=mydomain,dc=com
adding new entry cn=staff,ou=groups,dc=mydomain,dc=com
adding new entry ou=users,dc=mydomain,dc=com
adding new entry uid=scarter,ou=users,dc=mydomain,dc=com
adding new entry uid=proxy,dc=mydomain,dc=com
Observation: The LDAP server has been successfully created.

Task 2/3

1. Configure the LDAP client.