Certification Objective 11.03—Configuring the Clients

Exam Objective 5.3: Configure naming service clients during install, configure the DNS client, and set up the LDAP client (client authentication, client profiles, proxy accounts, and LDAP configurations) after installation.

The naming services on Solaris work in terms of servers and clients: the client requests information, and the server provides it. You need to know how to configure the clients for each naming service.

Configuring NIS Clients

You can configure your machine as an NIS client by using either of the two methods described here. The recommended method for configuring a client machine to use NIS is to log in to the machine as superuser and execute the following command:

    ypinit -c 

You will be asked for a list of the NIS servers in the domain: the master server and the slave servers. It is good practice to list the servers in ascending order of their network distance from this machine, that is, the closest server first.

After logging on to the machine as superuser, you can use the following method (if you have to) from the good old days:

  • Set the domain name with the domainname command:

        domainname <domainName> 

  • Save the existing ypservers file:

        mv /var/yp/binding/<domainName>/ypservers /var/yp/binding/<domainName>/ypservers.bak

  • Issue the ypstart command:

        ypstart 

  • If the /var/yp/binding/<domainName>/ypservers file does not exist, the ypstart command will automatically invoke the NIS client in broadcast mode:

        ypbind -broadcast 

This is why you moved the ypservers file before issuing the ypstart command. In broadcast mode, ypbind searches the local subnet for an NIS server; if a server is found, ypbind binds to that server.
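The manual procedure above as a script, added here as an example rather than taken from the study guide. YP_BINDING_ROOT, DOMAINNAME_CMD and YPSTART_CMD are hypothetical overrides so the file handling can be exercised on a host without NIS; on a real Solaris 10 client leave them unset and run the script as superuser. The nis_set_servers function writes the same one-server-per-line ypservers list that ypinit -c builds from your answers.

```sh
#!/bin/sh
# Added example (not the study guide's code): the manual NIS client procedure
# from the text as a script. YP_BINDING_ROOT, DOMAINNAME_CMD and YPSTART_CMD
# are hypothetical overrides so the file handling can be exercised on a host
# without NIS; on a real Solaris 10 client leave them unset and run as superuser.
YP_BINDING_ROOT=${YP_BINDING_ROOT:-/var/yp/binding}
DOMAINNAME_CMD=${DOMAINNAME_CMD:-domainname}
YPSTART_CMD=${YPSTART_CMD:-ypstart}

# nis_bind_mode DOMAIN: prints "explicit" when a non-empty ypservers file
# exists for DOMAIN (ypbind contacts only the servers listed there) and
# "broadcast" otherwise (ypstart runs "ypbind -broadcast" and the client binds
# to whichever NIS server on the local subnet answers).
nis_bind_mode() {
    if [ -s "$YP_BINDING_ROOT/$1/ypservers" ]; then
        echo explicit
    else
        echo broadcast
    fi
}

# nis_set_servers DOMAIN SERVER...: write an explicit ypservers list, one
# server per line, closest server first; this is the list ypinit -c asks for.
nis_set_servers() {
    domain=$1; shift
    [ $# -gt 0 ] || { echo "nis_set_servers: at least one server is required" >&2; return 2; }
    mkdir -p "$YP_BINDING_ROOT/$domain" || return 1
    printf '%s\n' "$@" > "$YP_BINDING_ROOT/$domain/ypservers"
}

# nis_client_setup DOMAIN: the four manual steps from the text, in order.
nis_client_setup() {
    domain=$1
    [ -n "$domain" ] || { echo "usage: nis_client_setup <domainName>" >&2; return 2; }
    bindingdir=$YP_BINDING_ROOT/$domain
    "$DOMAINNAME_CMD" "$domain" || return 1                  # 1. set the domain name
    if [ -f "$bindingdir/ypservers" ]; then                   # 2. save the existing ypservers
        mv "$bindingdir/ypservers" "$bindingdir/ypservers.bak" || return 1
    fi
    "$YPSTART_CMD" || return 1                                # 3. ypstart; with no ypservers
                                                              #    file it runs ypbind -broadcast (4)
    echo "NIS client for $domain is running in $(nis_bind_mode "$domain") mode"
}

# Usage on the client: sh nis_client.sh <domainName>
if [ $# -eq 1 ]; then
    nis_client_setup "$1"
fi
```

Because broadcast mode binds to whichever server answers on the subnet, the mode the client ends up in is worth printing and logging; on a shared subnet an explicit ypservers list (what ypinit -c produces) is the safer configuration, and nis_set_servers restores one after the broadcast-mode experiment.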

Exam Watch

You cannot set up an NIS client on a machine that has also been configured for a native LDAP client. In other words, Solaris does not support the coexistence of a native LDAP client and an NIS client on the same machine.


Once you have configured the clients, you can convert one or more of them to be slave servers, as shown in the previous section. Just like NIS, DNS is a client/server system, and you need to know how to set up a DNS client.

Configuring the DNS Client

Berkeley Internet Name Domain (BIND) is a freely available reference implementation of the Domain Name System (DNS) protocol, which provides the naming service on TCP/IP networks and the Internet. The main function of DNS is to resolve domain names (such as www.cornell.edu) into IP addresses and vice versa. Solaris 10 ships with the BIND 9 DNS server.

For example, when you type www.cornell.edu in the location bar of your browser, your machine makes a request to a DNS server to resolve the domain name cornell.edu to an IP address. However, before your machine can make this request, it needs to be configured as a DNS client.

The DNS configuration information on your machine is in the /etc/resolv.conf file, which contains the name of the local domain and the address of the DNS server. The configuration file contains the following lines (called directives) described in Table 11-6.

Table 11-6: The configuration directives in the resolv.conf file

  Directive:   domain <domainName>
  Example:     domain cornell.edu
  Description: cornell.edu is the domain name registered with the Internet (DNS server).

  Directive:   nameserver <DNSServer>
  Example:     nameserver 135.23.3.4
  Description: Here 135.23.3.4 is the IP address of the DNS server available to this client.

  Directive:   sortlist <addressList>
  Example:     sortlist 132.121.17.3/255.255.240.0 143.25.3.4
  Description: Allows the addresses returned by the resolver to be sorted. A sortlist is specified as IP address/netmask pairs. The netmask is optional and defaults to the class netmask of the network. Up to ten pairs may be specified.

  Directive:   options <options>
  Example:     options timeout:30 attempts:5
  Description: Allows certain internal resolver variables to be modified; for example, timeout sets the time in seconds that the resolver waits before retrying, and attempts specifies the number of times the resolver sends the query to the DNS server before giving up.

The sortlist directive is rarely used; it matters only when a domain name resolves to multiple addresses. Normally the resolver returns the addresses in the order it received them. If a sortlist is in place and the received list contains addresses matching entries in the sortlist, the resolver reorders the list so that the matching addresses come before the others. A space separates the keyword (such as domain) from its value, and separates multiple values where applicable; the keyword and its value (or values) must appear on the same line.
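A checker for the directive rules just described, added as an example and not part of the study guide. It reads a resolv.conf on standard input and reports lines that break the rules in Table 11-6 (keyword and value on one line, one IPv4 address per nameserver, at most ten sortlist pairs, known option names). The function names are mine; the search directive, the ndots/debug/rotate options and the limit of three nameserver lines come from the BIND resolver documentation rather than from the page, and the two sample files are constructed.

```sh
#!/bin/sh
# Added example (not the study guide's code): a POSIX sh checker for the
# resolv.conf directives in Table 11-6. It reads a resolv.conf on stdin and
# reports every line the resolver would not accept as written. The "search"
# directive, the ndots/debug/rotate options and the limit of three nameserver
# lines come from the BIND resolver documentation, not from the page.

where=file
errors=0

fail() {
    echo "resolv.conf $where: $*" >&2
    errors=$((errors + 1))
}

# is_ipv4 ADDR: succeeds when ADDR is a dotted-quad IPv4 address.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_resolv_conf: validates resolv.conf text from stdin. Returns 0 when every
# directive is well formed and at least one nameserver is configured.
check_resolv_conf() {
    errors=0; ns_count=0; lineno=0
    set -f                                    # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1)); where="line $lineno"
        case $line in '#'*|';'*) continue ;; esac      # comment line
        set -- $line                          # $1 keyword, $2.. values
        [ $# -gt 0 ] || continue              # blank line
        keyword=$1; shift
        if [ $# -eq 0 ]; then
            fail "'$keyword' needs its value on the same line"
            continue
        fi
        case $keyword in
            domain|search) ;;
            nameserver)
                ns_count=$((ns_count + 1))
                if [ $# -ne 1 ] || ! is_ipv4 "$1"; then
                    fail "nameserver takes one IPv4 address, got '$*'"
                fi ;;
            sortlist)
                [ $# -le 10 ] || fail "sortlist allows at most ten address/netmask pairs"
                for pair in "$@"; do
                    addr=${pair%%/*}; mask=${pair#*/}
                    is_ipv4 "$addr" || fail "sortlist address '$addr' is not an IPv4 address"
                    if [ "$mask" != "$pair" ]; then          # a netmask was given
                        is_ipv4 "$mask" || fail "sortlist netmask '$mask' is not valid"
                    fi
                done ;;
            options)
                for opt in "$@"; do
                    case $opt in
                        timeout:[0-9]*|attempts:[0-9]*|ndots:[0-9]*|debug|rotate) ;;
                        *) fail "unknown resolver option '$opt'" ;;
                    esac
                done ;;
            *) fail "unknown directive '$keyword'" ;;
        esac
    done
    set +f
    where=file
    [ $ns_count -ge 1 ] || fail "no nameserver directive, so queries have nowhere to go"
    [ $ns_count -le 3 ] || fail "more than three nameserver lines; the extra ones are ignored"
    [ $errors -eq 0 ]
}

# Constructed sample inputs (not from any real host): the first uses the
# examples from Table 11-6, the second breaks the rules described in the text.
sample_good_resolv_conf() {
    cat <<'EOF'
domain cornell.edu
nameserver 135.23.3.4
sortlist 132.121.17.3/255.255.240.0 143.25.3.4
options timeout:30 attempts:5
EOF
}

sample_bad_resolv_conf() {
    cat <<'EOF'
domain
cornell.edu
nameserver dns.cornell.edu
options timeout 30
EOF
}

sample_good_resolv_conf | check_resolv_conf && echo "good sample accepted"
sample_bad_resolv_conf | check_resolv_conf || echo "bad sample rejected"
```

On a client, run it as check_resolv_conf < /etc/resolv.conf; a nameserver line that holds a host name rather than an address is the classic mistake it catches, since the resolver cannot look up the name of the server it needs to ask.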

Exam Watch

The resolver is not a command or a process; it is a library of routines that can be called by network processes or applications.


The /etc/resolv.conf file is used by the resolver, which is a collection of routines used for compiling and sending requests (queries) to a DNS server and interpreting the replies from the server.

If your network is running the LDAP service, you will need to set up LDAP clients to use the service.

Setting Up the LDAP Clients

The two main steps involved in setting up an LDAP client are initializing the client and setting up authentication for the client.

Initializing the LDAP Client

You can set up an LDAP client by using a utility called, well, ldapclient (can you figure out a simpler name?). Before a Solaris client machine can use the LDAP naming service, the following conditions must be met:

  • You need to configure the client machine as an LDAP client.

  • The domain name that the client machine belongs to must be served by an LDAP server.

  • The nsswitch.conf file must point to LDAP for the required services.

  • The ldap_cachemgr must be running on the client machine.

  • At least one server for which the client is configured must be up and running.

You can perform all these tasks, except starting the server, by using the ldapclient utility. You can initialize a client using either profile or proxy credentials. To initialize a client by using a profile, issue the following command:

 ldapclient init -a profileName=<profile> -a domainName=<domain> <LDAP_SERVER> 

<profile> specifies the name of the profile stored on the LDAP server specified by <LDAP_SERVER>, which could be an IP address of the server machine. The command uses the attributes in the specified profile to configure the client.

Alternatively, you can initialize a client to use the proxy credential by issuing the ldapclient command in the following form:

 ldapclient init -a proxyDN=<DN> -a domainName=<domain> -a profileName=<profile> -a proxyPassword=<password> <LDAP_SERVER> 

DN stands for distinguished name. If you do not specify the proxy password in the command, you will be prompted for it. LDAP also provides authentication, which is discussed next.
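Wrappers for the two ldapclient init forms above, together with a check of the client-side conditions listed earlier (nsswitch.conf pointing at ldap for a service, ldap_cachemgr running), added as an example and not taken from the study guide. LDAPCLIENT is a hypothetical override so the wrappers can be exercised without a directory server; the function names and the sample nsswitch.conf are mine. The proxy form leaves proxyPassword off the command line on purpose so that ldapclient prompts for it, as the text says it will.

```sh
#!/bin/sh
# Added example (not the study guide's code): wrappers for the two
# "ldapclient init" forms in the text plus a check of the client-side
# conditions listed earlier. LDAPCLIENT is a hypothetical override so the
# wrappers can be exercised without a directory server; leave it unset on a
# real Solaris 10 client.
LDAPCLIENT=${LDAPCLIENT:-ldapclient}

# nsswitch_uses_ldap FILE SERVICE: succeeds when the SERVICE line in the
# nsswitch.conf at FILE lists ldap as one of its sources.
nsswitch_uses_ldap() {
    svc=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'*) continue ;;
            "$svc:"*)
                case " ${line#*:} " in
                    *" ldap "*) return 0 ;;
                    *) return 1 ;;
                esac ;;
        esac
    done < "$1"
    return 1
}

# ldap_client_check NSSWITCH SERVICE...: report which of the listed naming
# services are served by ldap and whether ldap_cachemgr is running.
ldap_client_check() {
    nss=$1; shift
    rc=0
    for svc in "$@"; do
        if nsswitch_uses_ldap "$nss" "$svc"; then
            echo "$svc: ldap"
        else
            echo "$svc: not served by ldap"; rc=1
        fi
    done
    if pgrep -x ldap_cachemgr >/dev/null 2>&1; then
        echo "ldap_cachemgr: running"
    else
        echo "ldap_cachemgr: not running"; rc=1
    fi
    return $rc
}

# ldap_init_profile PROFILE DOMAIN SERVER: initialize from a client profile.
ldap_init_profile() {
    [ $# -eq 3 ] || { echo "usage: ldap_init_profile <profile> <domain> <LDAP_SERVER>" >&2; return 2; }
    "$LDAPCLIENT" init -a "profileName=$1" -a "domainName=$2" "$3"
}

# ldap_init_proxy DN PROFILE DOMAIN SERVER: initialize with proxy credentials.
# proxyPassword is deliberately left off the command line so ldapclient
# prompts for it: the arguments of a running command are visible to other
# local users through ps, and they also land in the shell history.
ldap_init_proxy() {
    [ $# -eq 4 ] || { echo "usage: ldap_init_proxy <DN> <profile> <domain> <LDAP_SERVER>" >&2; return 2; }
    case $1 in
        *=*) ;;
        *) echo "ldap_init_proxy: '$1' is not a distinguished name (expected cn=...,dc=...)" >&2; return 2 ;;
    esac
    "$LDAPCLIENT" init -a "proxyDN=$1" -a "profileName=$2" -a "domainName=$3" "$4"
}

# Usage on the client after initialization:
#   sh ldap_client.sh /etc/nsswitch.conf passwd group
if [ $# -ge 2 ]; then
    ldap_client_check "$@"
fi
```

ldap_client_check covers the conditions the client itself controls; whether the configured server is up is something only a query against it can tell you.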

Authentication

Solaris uses the PAM (http://www.kernel.org/pub/linux/libs/pam) module pam_ldap, which enables Solaris servers and workstations to authenticate against LDAP directories and to change passwords in the directory. The PAM API uses transport-layer security such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt transactions between the workstation and the LDAP server and to provide authenticated login.

An LDAP client authenticates to the LDAP server according to the client's credential level. The LDAP clients can be assigned three possible credential levels with which to authenticate to a directory server:

  • Anonymous. A client with this access level can only access information that is available to everyone. Never allow write to anonymous—think of the implications if you do.

  • Proxy. A client can be set up to authenticate or bind to the directory using a proxy account. A proxy account can be any entry that is allowed to bind to the directory. Obviously, this proxy account must have sufficient access to perform the naming service tasks on the LDAP server.

  • Proxy anonymous. A client with this access level has the privileges of both the proxy and the anonymous levels. If a client with proxy anonymous access level attempts to log in as a proxy and the login fails, the client will be provided the anonymous access.

On the Job 

Null passwords are not allowed in LDAP.

Like LDAP, NIS+ also provides security, which we discuss next.


Sun Certified System Administrator for Solaris 10 Study Guide Exams 310-XXX & 310-XXX
Year: 2005