Importing Other Databases

Some databases are not handled by the ldapaddent command. These include:

  • Projects

  • RBAC- related databases

  • Printers

projects Database

The default projects defined in /etc/project can be expressed in LDIF like this:

dn: solarisprojectname=system,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 0
SolarisProjectName: system

dn: solarisprojectname=user.root,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 1
SolarisProjectName: user.root

dn: solarisprojectname=noproject,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 2
SolarisProjectName: noproject

dn: solarisprojectname=default,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 3
SolarisProjectName: default

As discussed in Chapter 6, "Management Tools and Toolkits," the Solaris Management Console (smc(1M)) can be used to manage project data. Below is an LDIF representation of a new project created through smc.

dn: SolarisProjectName=testproj,ou=projects,dc=example,dc=com
objectClass: SolarisProject
objectClass: top
SolarisProjectName: testproject
SolarisProjectID: 100
memberUid: tomb,mhaines
memberGid: operator
SolarisProjectAttr: description: Test Project
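The conversion illustrated by the default project entries above can be scripted. The Python program below is an added example, not code from the book: it parses /etc/project lines (projname:projid:comment:user-list:group-list:attributes), validates the project name and numeric ID, rejects duplicate IDs, and emits one LDIF entry per project using the object class and attribute names shown above. The base DN ou=projects,dc=example,dc=com, the sample file contents, and the use of a description attribute for the comment field are assumptions.

```python
"""Added example, not from the book: convert /etc/project lines into LDIF
for ou=projects, using the solarisproject object class and attributes shown
in the text. The base DN and sample file are constructed; mapping the comment
field to a 'description' attribute is an assumption."""
import base64
import re

PROJECT_BASE = "ou=projects,dc=example,dc=com"   # assumed, matches the DNs in the text

# Constructed sample: the four default projects plus one custom project.
# Field order in /etc/project: projname:projid:comment:user-list:group-list:attributes
SAMPLE_PROJECT_FILE = """\
# projects file
system:0::::
user.root:1::::
noproject:2::::
default:3::::
testproj:100:Test Project:tomb,mhaines:operator:task.max-lwps=(privileged,100,deny)
"""

# project(4) restricts names to alphanumerics, '_', '-' and '.', so they need no RDN escaping.
PROJECT_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def ldif_value(attr, value):
    """One 'attr: value' line; base64 form if the value is not LDIF-safe
    (leading space, ':' or '<', or any non-printable/non-ASCII character)."""
    if value[0] in " :<" or not all(32 <= ord(c) < 127 for c in value):
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def parse_project_line(line):
    """Split one project line into its six fields, validating name and numeric ID."""
    fields = line.rstrip("\n").split(":", 5)    # the attributes field keeps any ':' it contains
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields: {line!r}")
    name, projid, comment, users, groups, attrs = fields
    if not PROJECT_NAME.fullmatch(name) or not projid.isdigit():
        raise ValueError(f"bad project name or ID: {line!r}")
    return {"name": name, "id": int(projid), "comment": comment,
            "users": users, "groups": groups, "attrs": attrs}


def project_to_ldif(p):
    """LDIF entry for one project; member lists stay comma-joined, as in the smc output above."""
    lines = [f"dn: SolarisProjectName={p['name']},{PROJECT_BASE}",
             "objectClass: top", "objectClass: solarisproject",
             f"SolarisProjectName: {p['name']}", f"SolarisProjectID: {p['id']}"]
    if p["comment"]:
        lines.append(ldif_value("description", p["comment"]))   # assumed attribute name
    if p["users"]:
        lines.append(f"memberUid: {p['users']}")
    if p["groups"]:
        lines.append(f"memberGid: {p['groups']}")
    if p["attrs"]:
        lines.append(ldif_value("SolarisProjectAttr", p["attrs"]))
    return "\n".join(lines) + "\n"


def projects_to_ldif(text):
    """Convert a whole project file; comments and blank lines are skipped, duplicate IDs rejected."""
    entries, seen = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        p = parse_project_line(line)
        if p["id"] in seen:
            raise ValueError(f"project ID {p['id']} used by both {seen[p['id']]} and {p['name']}")
        seen[p["id"]] = p["name"]
        entries.append(project_to_ldif(p))
    return "\n".join(entries)


if __name__ == "__main__":
    print(projects_to_ldif(SAMPLE_PROJECT_FILE))
```

The output is plain LDIF without changetype lines, so it is loaded the same way the book loads the default projects. Values that start with a space or colon, or contain non-ASCII characters, are emitted in the base64 (double-colon) form so the directory server does not misparse them.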

RBAC-Related Databases

To use LDAP as a naming service for role-based access control (RBAC) data, there must be a defined mapping between the field names specified in the /etc files and LDAP object classes and attributes. TABLE 5-1 shows the mapping between RBAC databases and LDAP object classes.

Table 5-1. Object Class Mapping

RBAC Database    LDAP Container        Object Class
user_attr        ou=People             SolarisUserAttr
prof_attr        ou=SolarisProfAttr    SolarisProfAttr, SolarisExecAttr
auth_attr        ou=SolarisAuthAttr    SolarisAuthAttr
exec_attr        ou=SolarisProfAttr    SolarisProfAttr, SolarisExecAttr

TABLE 5-2 shows the attributes defined for the four RBAC-related object classes.

Table 5-2. LDAP Attributes

Object Class       Supported Attributes
SolarisUserAttr    SolarisUserQualifier, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrKeyValue
SolarisProfAttr    cn, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrLongDesc, SolarisAttrKeyValue
SolarisExecAttr    SolarisKernelSecurityPolicy, SolarisProfileType, SolarisAttrReserved1, SolarisAttrReserved2, SolarisProfileID, SolarisAttrKeyValue
SolarisAuthAttr    cn, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrShortDesc, SolarisAttrLongDesc, SolarisAttrKeyValue

TABLE 5-3 and TABLE 5-4 show the mapping between fields in the RBAC databases and their equivalent LDAP attributes.

Table 5-3. Database Fields

Database Name    Fields
user_attr        user:qualifier:res1:res2:attr
prof_attr        profname:res1:res2:desc:attr
exec_attr        name:policy:type:res1:res2:id:attr
auth_attr        name:res1:res2:short_desc:long_desc:attr

Table 5-4. Equivalent LDAP Attributes

RBAC Database:field       LDAP Attribute
user_attr:username        uid
user_attr:qualifier       SolarisUserQualifier
user_attr:res1            SolarisAttrReserved1
user_attr:res2            SolarisAttrReserved2
user_attr:attr            SolarisAttrKeyValue
prof_attr:profname        cn
prof_attr:res1            SolarisAttrReserved1
prof_attr:res2            SolarisAttrReserved2
prof_attr:attr            SolarisAttrKeyValue
prof_attr:desc            SolarisAttrLongDesc
exec_attr:name            cn
exec_attr:policy          SolarisKernelSecurityPolicy
exec_attr:type            SolarisProfileType
exec_attr:res1            SolarisAttrReserved1
exec_attr:res2            SolarisAttrReserved2
exec_attr:attr            SolarisAttrKeyValue
exec_attr:id              SolarisProfileID
auth_attr:name            cn
auth_attr:res1            SolarisAttrReserved1
auth_attr:res2            SolarisAttrReserved2
auth_attr:attr            SolarisAttrKeyValue
auth_attr:short_desc      SolarisAttrShortDesc
auth_attr:long_desc       SolarisAttrLongDesc

Creating RBAC Entries with LDIF

Two additional containers need to be added to your DIT: ou=SolarisAuthAttr and ou=SolarisProfAttr.

To add the SolarisAuthAttr and SolarisProfAttr containers, create an LDIF file and import the file with ldapmodify:

dn: ou=SolarisAuthAttr,dc=example,dc=com
changetype: add
ou: SolarisAuthAttr
objectclass: top
objectclass: organizationalUnit

dn: ou=SolarisProfAttr,dc=example,dc=com
changetype: add
ou: SolarisProfAttr
objectclass: top
objectclass: organizationalUnit

Adding Extended User Attributes to Existing Users

The extended user attributes that are contained in user_attr can be added to a user's LDAP entry. This can be done either at the time the user entry is created or applied to an entry that already exists. The following example shows LDIF for adding the extended attributes to an existing user entry.

Contents of user_attr

# cat /etc/user_attr
tom::::auths=solaris.*,solaris.grant;profiles=All
. . .
#

Modifying the user entry:

To add the extended user attributes to a user's LDAP entry, create an LDIF file and import it with the ldapmodify command.

dn: uid=tom,ou=people,dc=example,dc=com
changetype: modify
replace: objectclass
objectClass: top
objectClass: account
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: SolarisUserAttr
-
replace: SolarisAttrKeyValue
SolarisAttrKeyValue: auths=solaris.*,solaris.grant;profiles=All

In this example, the SolarisUserAttr object class is added to the entry and the data contained in user_attr is specified in the SolarisAttrKeyValue attribute. Similar LDIF can be used to modify the extended attributes later.

Adding Profile Descriptions

The standard profile attributes are defined in the /etc/security/prof_attr file.

# cat /etc/security/prof_attr
System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management,Cron Management,Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.html
. . .
#

The standard profile attributes can be converted to LDIF representation as shown.

dn: cn=System Administrator,ou=SolarisProfAttr,dc=example,dc=com
changetype: add
cn: System Administrator
objectclass: top
objectclass: SolarisProfAttr
SolarisAttrKeyValue: profiles=Audit Review,Printer Management,Cron Management,Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.html
SolarisAttrLongDesc: Can perform most non-security administrative tasks

Adding Authorization Descriptions

In this example, an LDAP entry for one line in the authorization description database is created.

Contents of auth_attr file:

# cat /etc/security/auth_attr
solaris.admin.diskmgr.read:::View Disks::help=AuthDiskmgrRead.html
. . .

LDIF can be used to create an entry:

dn: cn=solaris.admin.diskmgr.read,ou=SolarisAuthAttr,dc=example,dc=com
changetype: add
cn: solaris.admin.diskmgr.read
objectclass: top
objectclass: SolarisAuthAttr
SolarisAttrShortDesc: View Disks
SolarisAttrKeyValue: help=AuthDiskmgrRead.html

Adding Execution Profiles

In this example, an LDAP entry for one line in the exec_attr file is created.

Content of exec_attr file:

# cat /etc/security/exec_attr
Network Management:suser:cmd:::/usr/bin/setuname:euid=0
. . .

LDIF to create an entry:

dn: cn=Network Management+SolarisKernelSecurityPolicy=suser+SolarisProfileType=cmd+SolarisProfileId=/usr/bin/setuname,ou=SolarisProfAttr,dc=example,dc=com
changetype: add
cn: Network Management
SolarisKernelSecurityPolicy: suser
SolarisProfileType: cmd
SolarisProfileId: /usr/bin/setuname
SolarisAttrKeyValue: euid=0
objectclass: SolarisProfAttr
objectclass: top

Note

The DN contains all the fields with values, separated by the + (plus) sign.
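The four conversions shown in this section follow one pattern: split the line on colons into the fields of Table 5-3, map each non-empty field to its attribute from Table 5-4, and build the DN from the naming fields (a single cn for prof_attr and auth_attr, the plus-joined multi-valued RDN for exec_attr, and the existing uid entry for user_attr). The Python program below is an added example, not the book's code, that implements that pattern for all four databases and produces LDIF that is safe to feed to ldapmodify: values that are not LDIF-safe are base64-encoded, RDN values are escaped, and long lines are folded as the LDIF format requires. The base DN, the sample lines, the use of add: objectClass for user_attr (instead of replacing the whole object class list as the book does) and listing both object classes from Table 5-1 for exec_attr entries are assumptions.

```python
"""Added example, not from the book: convert lines from the four RBAC
databases into LDIF using the field order of Table 5-3, the attribute
mapping of Table 5-4 and the DN forms shown in the text. The base DN,
object class choices and sample lines are constructed/assumed."""
import base64
import re

BASE_DN = "dc=example,dc=com"   # assumed, as in the book's examples

# Field names per database, in file order (Table 5-3).
FIELDS = {
    "user_attr": ["user", "qualifier", "res1", "res2", "attr"],
    "prof_attr": ["profname", "res1", "res2", "desc", "attr"],
    "exec_attr": ["name", "policy", "type", "res1", "res2", "id", "attr"],
    "auth_attr": ["name", "res1", "res2", "short_desc", "long_desc", "attr"],
}
RESERVED = {"res1": "SolarisAttrReserved1", "res2": "SolarisAttrReserved2"}
# Field -> LDAP attribute (Table 5-4); the naming field becomes the RDN instead.
ATTR_MAP = {
    "user_attr": {"qualifier": "SolarisUserQualifier", **RESERVED, "attr": "SolarisAttrKeyValue"},
    "prof_attr": {**RESERVED, "desc": "SolarisAttrLongDesc", "attr": "SolarisAttrKeyValue"},
    "exec_attr": {"policy": "SolarisKernelSecurityPolicy", "type": "SolarisProfileType",
                  **RESERVED, "id": "SolarisProfileID", "attr": "SolarisAttrKeyValue"},
    "auth_attr": {**RESERVED, "short_desc": "SolarisAttrShortDesc",
                  "long_desc": "SolarisAttrLongDesc", "attr": "SolarisAttrKeyValue"},
}
# Containers and object classes per Table 5-1 (user_attr modifies existing ou=people entries).
CONTAINER = {"prof_attr": "ou=SolarisProfAttr", "auth_attr": "ou=SolarisAuthAttr",
             "exec_attr": "ou=SolarisProfAttr"}
CLASSES = {"prof_attr": ["SolarisProfAttr"], "auth_attr": ["SolarisAuthAttr"],
           "exec_attr": ["SolarisProfAttr", "SolarisExecAttr"]}   # both listed in Table 5-1

# Constructed sample lines, taken from the examples in the text.
SAMPLE = {
    "user_attr": "# user attributes\ntom::::auths=solaris.*,solaris.grant;profiles=All\n",
    "prof_attr": "System Administrator:::Can perform most non-security administrative tasks:"
                 "profiles=Audit Review,Printer Management,All;help=RtSysAdmin.html\n",
    "auth_attr": "solaris.admin.diskmgr.read:::View Disks::help=AuthDiskmgrRead.html\n",
    "exec_attr": "Network Management:suser:cmd:::/usr/bin/setuname:euid=0\n",
}


def rdn_escape(value):
    """Escape an RDN value per RFC 4514: special characters, leading '#'/space, trailing space."""
    value = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    if value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1] + "\\ "
    return value


def ldif_line(attr, value):
    """Format one attribute line: base64 form for values that are not LDIF-safe,
    folded at 76 columns with one-space continuation lines (RFC 2849)."""
    safe = (value and value[0] not in " :<" and not value.endswith(" ")
            and all(32 <= ord(c) < 127 for c in value))
    line = f"{attr}: {value}" if safe else f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    folded, rest = [line[:76]], line[76:]
    while rest:
        folded.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(folded)


def parse_line(db, line):
    """Split one database line into its fields; the trailing attr field keeps any ':' it contains."""
    names = FIELDS[db]
    parts = line.rstrip("\n").split(":", len(names) - 1)
    if len(parts) != len(names):
        raise ValueError(f"{db}: expected {len(names)} fields, got {len(parts)}: {line!r}")
    return dict(zip(names, parts))


def entry_to_ldif(db, rec):
    """LDIF record for one parsed line: changetype modify for user_attr, add for the others."""
    name = rec[FIELDS[db][0]]
    if db == "user_attr":
        lines = [ldif_line("dn", f"uid={rdn_escape(name)},ou=people,{BASE_DN}"),
                 "changetype: modify",
                 "add: objectClass", "objectClass: SolarisUserAttr", "-"]  # fails if already present
        for field, attr in ATTR_MAP[db].items():
            if rec[field]:
                lines += [f"replace: {attr}", ldif_line(attr, rec[field]), "-"]
        return "\n".join(lines) + "\n"
    if db == "exec_attr":   # multi-valued RDN from the naming fields that have values
        rdn_parts = [("name", "cn"), ("policy", "SolarisKernelSecurityPolicy"),
                     ("type", "SolarisProfileType"), ("id", "SolarisProfileID")]
        rdn = "+".join(f"{a}={rdn_escape(rec[f])}" for f, a in rdn_parts if rec[f])
    else:
        rdn = f"cn={rdn_escape(name)}"
    lines = [ldif_line("dn", f"{rdn},{CONTAINER[db]},{BASE_DN}"), "changetype: add",
             ldif_line("cn", name), "objectClass: top"]
    lines += [f"objectClass: {oc}" for oc in CLASSES[db]]
    lines += [ldif_line(attr, rec[field]) for field, attr in ATTR_MAP[db].items() if rec[field]]
    return "\n".join(lines) + "\n"


def convert(db, text):
    """Convert a whole database file (comments and blank lines skipped) into LDIF records."""
    records = [entry_to_ldif(db, parse_line(db, ln)) for ln in text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")]
    return "\n".join(records)


if __name__ == "__main__":
    for db, text in SAMPLE.items():
        print(f"# --- {db} ---")
        print(convert(db, text))
```

Splitting with a bounded number of colons matters because the trailing attr field (key=value pairs separated by semicolons) may itself contain colons; a naive split would silently shift the fields and put the wrong data into SolarisAttrKeyValue. The RDN escaping is what keeps a profile name containing a comma or plus sign, such as one written as "Audit Review, Printer Management", from being parsed as two RDN components.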


Printer Entries

Printer entries are created using the lpset command, as shown.

# lpset -n ldap -D "cn=directory manager" -w mypassword -h ldapserver -a bsdaddr=printhost,myprinter,Solaris myprinter

Note

This command should be run from a shell script to avoid the password appearing in the output of ps -ef.


The printer defined here is a networked printer that supports a Berkeley Software Distribution (BSD) print spooler. The entry in LDIF format looks like this:

dn: printer-uri=myprinter,ou=printers,dc=example,dc=com
objectClass: top
objectClass: printerService
objectClass: printerAbstract
objectClass: sunPrinter
printer-name: myprinter
sun-printer-bsdaddr: printhost,myprinter,Solaris
printer-uri: myprinter


LDAP in the Solaris Operating Environment: Deploying Secure Directory Services
ISBN: 131456938
EAN: N/A
Year: 2005
Pages: 87
