Configuring Sun ONE Directory Servers and Clients

This section discusses various ways that you can install and configure Sun ONE Directory servers and clients. The topics covered are:

- "Configuring the Directory Server"
- "Enabling TLS/SSL on the Directory Server"
- "Configuring the Clients"

Configuring the Directory Server

The Sun ONE Directory Server 5.2 software is designed so that the installation process is separate from the configuration process. This means that all the packages can be installed without any configuration being required. You may choose to install all the packages and configure only the components you are interested in running. The caveat is that if the 64-bit packages are loaded, the Directory Server is configured to run in 64-bit mode by default.

This section describes the following tasks:

- "To Verify the Installation of the Sun ONE Directory Server 5.2 Packages"
- "To Configure the Directory Server Software"
- "Enabling TLS/SSL on the Directory Server"
- "To Verify the TLS/SSL Configuration on the Server"

To Verify the Installation of the Sun ONE Directory Server 5.2 Packages
1. Verify that the Sun ONE Directory Server 5.2 packages are installed on the systems that you plan to configure as directory servers.

   You can verify the installation of packages in one of two ways:

   - Use the pkginfo command:

         # pkginfo SUNWdsvh SUNWdsvhx SUNWdsvpl . . .

   - Check for the existence of the v5.2 directory and the setup files that are created when the Sun ONE Directory Server software is installed:

         vipivot# cd /usr/ds/v5.2
         vipivot# ls -l
         total 14
         drwxr-xr-x   4 root     bin          512 Feb 11 15:42 bin
         drwxr-xr-x   4 root     bin         1024 Feb 11 15:43 lib
         drwxr-xr-x   3 root     bin          512 Feb 11 15:42 nsPerl5.005_03
         drwxr-xr-x   3 root     bin          512 Feb 11 15:42 nsPerl5.006_01
         drwxr-xr-x   4 root     bin          512 Feb 11 15:43 plugins
         drwxr-xr-x   2 root     bin           12 Feb 11 15:42 sbin
         drwxr-xr-x   4 root     bin          512 Feb 11 15:43 setup
2. If the directory server packages are not installed, install the packages from the Sun ONE Directory Server 5.2 software distribution.

   Check the Sun ONE Directory Server 5.2 Installation and Tuning Guide for the correct order to load the packages. The correct installation order (64-bit version) for Solaris 9 OE is:

       # pkgadd -d . SUNWicu
       # pkgadd -d . SUNWicux
       # pkgadd -d . SUNWpr
       # pkgadd -d . SUNWprx
       # pkgadd -d . SUNWtls
       # pkgadd -d . SUNWtlsx
       # pkgadd -d . SUNWtls
       # pkgadd -d . SUNWsasl
       # pkgadd -d . SUNWsaslx
       # pkgadd -d . SUNWjss
       # pkgadd -d . SUNWldk
       # pkgadd -d . SUNWldkx
       # pkgadd -d . SUNWasvc
       # pkgadd -d . SUNWasvu
       # pkgadd -d . SUNWasvr
       # pkgadd -d . SUNWasvcp
       # pkgadd -d . SUNWdsvcp
       # pkgadd -d . SUNWdsvpl
       # pkgadd -d . SUNWdsvu
       # pkgadd -d . SUNWdsvr
       # pkgadd -d . SUNWdsvx
       # pkgadd -d . SUNWasha
       # pkgadd -d . SUNWdsha

   Note: The packages that have an "x" at the end of their names are required to run the 64-bit version of the directory server. To load a 32-bit version, do not install those packages.

To Run the idsktune Command

The idsktune program checks for current patches and recommends Solaris OE parameter settings that help optimize performance. You should run this command and make the recommended changes before continuing with the configuration. The following shows an invocation of idsktune and the parameter changes it suggests.

1. Run the idsktune command as shown.

       # cd /usr/ds/v5.2/bin/slapd/server
       # ls
       64          ldif        ns-ldapagt  pwdhash
       idsktune    mmldif      ns-slapd    sparcv9
       # ./idsktune
       Sun ONE Directory Server system tuning analysis version 15-JAN-2003.

       Copyright 2002 Sun Microsystems, Inc.
       .....

   Sample output:

       NOTICE: System is usparc-SUNW, Ultra-5_10 solaris 5.9_s9s_u2wos_10 (1 processor).
       NOTICE: Patch 112601-05 (SunOS 5.9: PGX32 Graphics) is not installed.
       NOTICE: Patch 112902-07 is present, but 112902-08 (SunOS 5.9: kernel/drv/ip Patch) is a more recent version.
       NOTICE: Patch 112963-03 is present, but 112963-05 (SunOS 5.9: linker patch) is a more recent version.
       NOTICE: Patch 113023-01 (SunOS 5.9: Broken preremove scripts in S9 ALC packages) is not installed.
       NOTICE: Patch 113033-02 is present, but 113033-03 (SunOS 5.9: patch /kernel/drv/isp and /kernel/drv/sparcv9/isp) is a more recent version.
       NOTICE: Patch 113277-03 is present, but 113277-04 (SunOS 5.9: sd and ssd Patch) is a more recent version.
       NOTICE: Patch 113333-01 is present, but 113333-02 (SunOS 5.9: libmeta Patch) is a more recent version.
       NOTICE: Patch 113923-02 (X11 6.6.1: security font server patch) is not installed.
       NOTICE: Solaris patches can be obtained from http://sunsolve.sun.com or your Solaris support representative. Solaris patches listed as required by the JRE are located at http://www.sun.com/software/solaris/jre/download.html or can be obtained from your Solaris support representative.
       WARNING: Only 512MB of physical memory is available on the system. 1000MB is the recommended minimum.
       NOTICE: /etc/system does not have a setting for tcp:tcp_conn_hash_size. The default is 256.
       NOTICE: The tcp_conn_req_max_q value is currently 128, which will limit the value of listen backlog which can be configured. It can be raised by adding to /etc/init.d/directory a line similar to:
       ndd -set /dev/tcp tcp_conn_req_max_q 1024
       NOTICE: The tcp_keepalive_interval is set to 7200000 milliseconds (120 minutes). This might cause temporary server congestion from lost client connections.
       NOTICE: The tcp_keepalive_interval can be reduced by adding the following line to /etc/init.d/directory:
       ndd -set /dev/tcp tcp_keepalive_interval 600000
       NOTICE: The NDD tcp_ip_abort_cinterval is currently set to 180000 milliseconds (180 seconds). This might cause long delays in establishing outgoing connections if the destination server is down.
       NOTICE: If the directory service is intended only for LAN or private high-speed WAN environment, this interval can be reduced by adding to /etc/init.d/directory:
       ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
       NOTICE: The NDD tcp_ip_abort_interval is currently set to 180000 milliseconds (180 seconds). This might cause long delays in detecting connection failure if the destination server is down.
       NOTICE: If the directory service is intended only for LAN or private high-speed WAN environment, this interval can be reduced by adding to /etc/init.d/directory:
       ndd -set /dev/tcp tcp_ip_abort_interval 60000
       NOTICE: The TCP initial sequence number generation is not based on RFC 1948. If this directory service is intended for external access, add the following to /etc/init.d/directory:
       ndd -set /dev/tcp tcp_strong_iss 2
       NOTICE: The NDD tcp_smallest_anon_port is currently 32768. This allows a maximum of 32768 simultaneous connections. More ports can be made available by adding a line to /etc/init.d/directory:
       ndd -set /dev/tcp tcp_smallest_anon_port 8192
       WARNING: tcp_deferred_ack_interval is currently 100 milliseconds. This will cause Solaris to insert artificial delays in the LDAP protocol. It should be reduced during load testing. This line can be added to the /etc/init.d/directory file:
       ndd -set /dev/tcp tcp_deferred_ack_interval 5
       NOTICE: / partition has less space available, 433MB, than the largest allowable core file size of 1362MB. A daemon process which dumps core could cause the root partition to be filled.

To Configure the Directory Server Software

Before you configure your directory server as an LDAP name server, you need to do a little preparation work. The following is a checklist of information you should have in hand.
- Storage volume partition and file system where the directory database will reside. By default, the database is installed in the /var/mps/serverroot directory.
- Solaris OE user and group in which to run the directory server. You can specify nobody, but for added security it is best to create a separate user and group from which to run the directory server. This gives you better control over how the user account is used.
- Server certificate. If you plan to run the server in secure mode (TLS/SSL), you need a signed server certificate. This part of the configuration is performed after the initial installation and configuration, and can be done later.
- LDAP domain name. This is the domain that clients specify during initialization.

A directory server can be configured either in interactive mode or in an automated fashion using Jumpstart. The following sections describe both methods.

To Set up the Directory Server (Interactive Mode)
1. Run the directoryserver command as shown.

       # /usr/sbin/directoryserver configure -nodisplay

   By specifying the -nodisplay option, the directoryserver command runs on the command line and not through a GUI. This is an efficient way to set up a directory server when you are running the command remotely, or when you aren't using a graphics-capable monitor.

2. Provide the requested information when prompted.

   The following example is an abbreviated list of the questions that are asked. Typical responses are shown after each prompt, and comments follow each exchange.

       Choose the type of installation you prefer from the following choices:
         1. Express
         2. Typical
         3. Custom
       What would you like to do [2] 2

   Typical is sufficient for most cases.

       Choose the system user and group names under whose identity the Sun ONE server will run.
       System User [root] ds5user
       System Group [other] ds5group

   You must create this user and group before you start the configuration.

       You can store Sun ONE server configuration information in another Sun ONE directory server. If you have already prepared a configuration server, you can configure the new server to use that existing one.
         1. The new instance will be the configuration directory server
         2. Use existing configuration directory server
       What would you like to do [1] 1

   The assumption here is that this is your first directory server instance.

       You might already have a directory server where you store user and group information.
         1. Store data in the new directory server
         2. Store data in an existing directory server
       What would you like to do [1] 1

   Again, the assumption is that this is the first directory server instance.

       Settings the new directory will use for basic operation
       Server Identifier [hostname] myldap
       Server Port [389] 389
       Suffix [dc=example, dc=com] dc=example, dc=com

   This is where you can specify a suffix of your choice. See the beginning of this chapter for details. The other defaults are common choices.

       The configuration server administrator is the LDAP identity typically used to log in to the Sun ONE Console.
       Configuration server administrator ID [admin]: admin
       Password: *******
       Password: *******

       Enter a descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain.
       Administration Domain [] example.com

   Any name can be specified here. The name becomes significant when other administration servers are configured.

       Enter a Distinguished Name (DN) for the Directory Manager and a password at least 8 characters long.
       Directory Manager DN []: cn=Directory Manager
       Password: *******
       Password (again): *******

   You can choose a different name, but this might lead to confusion for other administrators and support personnel who expect that name.

To Set Up the Administration Server (Interactive Mode)
1. Run the mpsadmserver command as shown.

       # /usr/sbin/mpsadmserver configure -nodisplay

   By specifying the -nodisplay option, you configure the server on the command line and not through a GUI.

2. Provide the requested information when prompted.

   The following example is an abbreviated list of the questions that are asked. Typical responses are shown after each prompt, and comments follow each exchange.

       Enter the fully qualified domain name of the computer
       Fully Qualified Name [myldap.domain.com] myldap.example.com

       Choose the type of installation you prefer from the following choices:
         1. Express
         2. Typical
       What would you like to do [2] ? 2

       Administration Port [7871] : 20000

   The value 20000 is chosen because it is easy to remember. Be careful not to choose a port that is already in use, because the configuration will fail.

       Choose the system user and group names under whose identity the Sun ONE server will run.
       System User [root] root
       System Group [other] other

   If you want to be able to start and stop the directory server, you need a user who has those permissions.

       Configuration Directory Server
       Host [] : myldap.example.com
       Port [] : 389

   This information must match what was used to configure the directory server instance that contains the configuration data. It is recommended to enter the FQN of the LDAP server here to avoid access problems later.

       Configuration Directory Server Administrator
       Administrator Id [admin] : admin
       Password [] : *******

   The ID and password must match the account created on the configuration server.

       Administration Domain [example.com]: example.com

   This must match the administration domain specified in the directory server.

To Set Up the Directory Server (Silent Mode)

Silent mode installations are particularly useful when combined with automated installations that use Jumpstart technology.
1. Edit a copy of the /usr/ds/v5.2/setup/typical.ins file.

   In the following example, the values assigned after each "=" are the file entries that were changed; the comments come from the template.

       # Wizard Statefile section for Sun ONE Directory Distribution

       [STATE_BEGIN Sun ONE Directory Distribution dfc8280d7b940d1acc9e411ed388f11685a1ae8e]

       # This is the Fully Qualified Name of the computer in the
       # form <hostname>.<domainname> (e.g., host.domain.com).
       # Replace token FullMachineName
       FullMachineName = myldap.example.com

       # Unix user and group to run the Sun One server
       # Replace tokens UserID and GroupID
       ServerUser = ds5user
       ServerGroup = ds5group

       # This server is the Configuration Directory Server
       UseExistingConfigDirectory = (See the following example)

       # User Data will be stored in this server
       UseExistingUserDirectory = (See the following example)

       # Directory Settings for this server
       # Replace tokens InstanceName, LDAPPort and BaseSuffix
       DirectoryIdentifier = myldap
       DirectoryPort = 389
       DirectorySuffix = dc=example, dc=com

       # Admistrator Identifier and Password
       # Replace tokens AdminUserID and AdminUserPasswd
       ConfigDirectoryAdminID = admin
       ConfigDirectoryAdminPwd = admin

       # Administration Domain
       # Replace token AdministrationDomain
       AdminDomain = example.com

       # Directory Manager Identifier and Password
       # Replace tokens DirectoryManagerDN and DirectoryManagerPasswd
       DirectoryManager = cn=Directory Manager
       DirectoryManagerPwd = dirmanager

       [STATE_DONE Sun ONE Directory Distribution dfc8280d7b940d1acc9e411ed388f11685a1ae8e]

   Note: The checksum lines at the start and end of the file are used to check that the file was created with the same version of the directory server you are installing.

   The installation file assumes you are using the same directory server instance for both configuration and user data. Configuration data can be shared among several servers and is only referenced when the directory server starts. Sharing configuration data enables updates to be performed in only one place.

   If you have a directory server already set up as a configuration server, specify its name as shown here:

       # This server is the Configuration Directory Server
       UseExistingConfigDirectory = mycfgserver.example.com

       # User Data will be stored in this server
       UseExistingUserDirectory =

   If you are setting up a configuration server that contains no user data, specify the name of a server that contains user data as shown here:

       # This server is the Configuration Directory Server
       UseExistingConfigDirectory =

       # User Data will be stored in this server
       UseExistingUserDirectory = myldapserver.example.com
2. Run the directoryserver command as shown.

       # /usr/sbin/directoryserver -noconsole -nodisplay -state myfile.ins

   The directory server is installed without prompting you with questions. You can combine a silent mode installation with Jumpstart to perform a fully automated installation, as described in "Automating Installations" on page 244.

To Set Up the Administration Server (Silent Mode)

1. Run mpsadmserver as shown.

       # /usr/sbin/mpsadmserver -nodisplay -noconsole -saveState filename

   A generic instruction file is created that you modify in the next step.

2. Edit the administration state file that was created in the previous step.

   Make changes so that the parameters specified in this file correspond to your configuration.

       # vi filename

       # Install Wizard Statefile section for Sun ONE Administration Distribution
       #
       #
       [STATE_BEGIN Sun ONE Administration Distribution 0268835a2e5c475b4e526cd711ddfe114ea7c1a3]
       FullMachineName = myldap.example.com
       AdminPort = 20000
       ServerUser = root
       ServerGroup = other
       ConfigDirectoryHost = myldap.example.com
       ConfigDirectoryPort = 389
       ConfigDirectoryAdminID = admin
       ConfigDirectoryAdminPwd = admin
       AdminDomain = example.com
       AdminSysUser = root
       AdminSysGroup = other
       [STATE_DONE Sun ONE Administration Distribution 0268835a2e5c475b4e526cd711ddfe114ea7c1a3]

3. Run the mpsadmserver command as shown.

       # /usr/sbin/mpsadmserver configure -nodisplay -noconsole -state filename

To Run the idsconfig Command (Interactive Mode)

This command creates the object classes, containers, ACIs, and client profiles required before you can run native Solaris OE LDAP.
1. Run the /usr/lib/ldap/idsconfig command as shown. Note that the domain name to be served is independent of your DNS domain name.

       # cd /usr/lib/ldap
       # ./idsconfig

       Enter the iPlanet Directory Server's (iDS) hostname to setup: myldap.example.com
       Enter the port number for iDS (h=help): [ 389 ]
       Enter the directory manager DN: [ cn=Directory Manager ]
       Enter passwd for cn=Directory Manager :
       Enter the domainname to be served (h=help): [ dc=example, dc=com]
       Enter LDAP Base DN (h=help): [ dc=example, dc=com]
       Enter the profile name (h=help): [ default ]
       Default server list (h=help): [ 128.100.100.1 ]
       Preferred server list (h=help):
       Choose desired search scope (one, sub, h=help): [one]
       The following are the supported credential levels:
         1 anonymous
         2 proxy
         3 proxy anonymous
       Choose Credential level [h=help]: [1] 2
       The following are the supported Authentication Methods:
         1 none
         2 simple
         3 sasl/DIGEST-MD5
         4 tls:simple
         5 tls:sasl/DIGEST-MD5
       Choose Authentication Method (h=help): [1] 4
       Do you want the clients to follow referrals (y/n/h)? [n]
       Do you want to modify the server timelimit value (y/n/h)? [n]
       Do you want to modify the server sizelimit value (y/n/h)? [n]
       Do you want to store passwords in "crypt" format (y/n/h)? [n]
       Do you want to setup a Service Authentication Methods (y/n/h)? [n]
       Client search time limit in seconds (h=help): [30]
       Profile Time To Live in seconds (h=help): [ 43200 ]
       Bind time limit in seconds (h=help): [10]
       Do you wish to setup Service Search Descriptors (y/n/h)? [n] y
         A  Add a Service Search Descriptor
         D  Delete an SSD
         M  Modify an SSD
         P  Display all SSD's
         H  Help
         X  Clear all SSD's
         Q  Exit menu
       Enter menu choice: [Quit] a
       Enter the service id: passwd
       Enter the base: ou=people2
       Enter the scope: one

                 Summary of Configuration

         1  Domain to serve                : example.com
         2  Base DN to setup               : dc=example, dc=com
         3  Profile name to create         : default
         4  Default Server List            : 128.100.100.1
         5  Preferred Server List          :
         6  Default Search Scope           : sub
         7  Credential Level               : proxy
         8  Authentication Method          : tls:simple
         9  Enable Follow Referrals        : FALSE
        10  iDS Time Limit                 :
        11  iDS Size Limit                 :
        12  Enable crypt password storage  : FALSE
        13  Service Auth Method pam_ldap   :
        14  Service Auth Method keyserv    :
        15  Service Auth Method passwd-cmd :
        16  Search Time Limit              : 30
        17  Profile Time to Live           : 43200
        18  Bind Limit                     : 10
        19  Service Search Descriptors Menu

       Enter config value to change: (1-19 0=commit changes) [0]
       Enter DN for proxy agent: [ cn=proxyagent, ou=profile, dc=example, dc=com]
       Enter passwd for proxyagent:
       Re-enter passwd:

2. As idsconfig runs, the steps performed are displayed as they are completed. Observe the following:

       1. Schema attributes have been updated.
       2. Schema objectclass definitions have been added.
       3. NisDomainObject added to dc=example,dc=com.
       4. Top level "ou" containers complete.
       5. automount maps: auto_home auto_direct auto_master auto_shared processed.
       6. ACI for dc=example,dc=com modified to disable self modify.
       7. Add of VLV Access Control Information (ACI).
       8. Generated client profile and loaded on server.
       9. Processing eq,pres indexes:
            ipHostNumber (eq,pres)       Finished indexing.
            uidNumber (eq,pres)          Finished indexing.
            ipNetworkNumber (eq,pres)    Finished indexing.
            gidnumber (eq,pres)          Finished indexing.
            oncrpcnumber (eq,pres)       Finished indexing.
            automountKey (eq,pres)       Finished indexing.
       10. Processing eq,pres,sub indexes:
            membernisnetgroup (eq,pres,sub)   Finished indexing.
            nisnetgrouptriple (eq,pres,sub)   Finished indexing.
       11. Processing VLV indexes:
            example.com.gethostent vlv_index   Entry created
            example.com.getnetent vlv_index    Entry created
            example.com..getpwent vlv_index    Entry created
            example.com.getrpcent vlv_index    Entry created
            example.com.getspent vlv_index     Entry created

       idsconfig: Setup of iDS server myldap.example.com is complete.

   Note: The assumption is that idsconfig is run right after the directory server installation and configuration, so the indexes get created quickly. With a populated directory, indexing can be quite lengthy, and during that time the directory is placed in read-only mode.

3. Set up the VLV indexes as described by the output of idsconfig.

   Creating VLV indexes is a two-part process. The first part is done by the idsconfig script. The second part requires the directory server to be halted, so it must be performed separately as shown below.

       Note: idsconfig has created entries for VLV indexes. Use the
       directoryserver(1m) script on vipivot to stop the server and then
       enter the following vlvindex sub-commands to create the actual
       VLV indexes:

       directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getgrent
       directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.gethostent
       directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getnetent
       directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getpwent
       directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getrpcent
       directoryserver -s <server-instance> vlvindex -n userRoot -T example.com.getspent

To Run the idsconfig Command (Silent Mode)
1. Create an output file.

       # /usr/lib/ldap/idsconfig -o my_conf_file

   By specifying the -o option, a configuration file is created that can be used for subsequent installations. Example:

       # /tmp/idsconfig.ins - This file contains configuration
       # information for Native LDAP. Use the idsconfig tool to load it.
       #
       # WARNING: This file was generated by idsconfig, and is intended
       # to be loaded by idsconfig as is. DO NOT EDIT THIS FILE!
       #
       IDS_SERVER="myldap.example.com"
       IDS_PORT=389
       IDS_TIMELIMIT=
       IDS_SIZELIMIT=
       LDAP_ROOTDN="cn=Directory Manager"
       LDAP_ROOTPWD=dirmanager
       LDAP_DOMAIN="example.com"
       LDAP_TREETOP="dc=example, dc=com"

       # Internal program variables that need to be set.
       NEED_PROXY=0
       NEED_TIME=0
       NEED_SIZE=0
       NEED_CRYPT=FALSE

       # LDAP PROFILE related defaults
       LDAP_PROFILE_NAME="default"
       DEL_OLD_PROFILE=1
       LDAP_BASEDN="dc=example, dc=com"
       LDAP_SERVER_LIST="128.100.100.1"
       LDAP_AUTHMETHOD=""
       LDAP_FOLLOWREF=FALSE
       LDAP_SEARCH_SCOPE="one"
       NEED_SRVAUTH_PAM=0
       NEED_SRVAUTH_KEY=0
       NEED_SRVAUTH_CMD=0
       LDAP_SRV_AUTHMETHOD_PAM=""
       LDAP_SRV_AUTHMETHOD_KEY=""
       LDAP_SRV_AUTHMETHOD_CMD=""
       LDAP_SEARCH_TIME_LIMIT=30
       LDAP_PREF_SRVLIST=""
       LDAP_PROFILE_TTL=43200
       LDAP_CRED_LEVEL="proxy"
       LDAP_BIND_LIMIT=10

       # Proxy Agent
       LDAP_PROXYAGENT="cn=proxyagent, ou=profile, dc=example, dc=com"
       LDAP_PROXYAGENT_CRED="test1234"

       # Export all the variables (just in case)
       export IDS_HOME IDS_PORT LDAP_ROOTDN LDAP_ROOTPWD LDAP_SERVER_LIST LDAP_BASEDN
       export LDAP_DOMAIN LDAP_TREETOP LDAP_PROXYAGENT LDAP_PROXYAGENT_CRED
       export NEED_PROXY
       export LDAP_PROFILE_NAME LDAP_BASEDN LDAP_SERVER_LIST
       export LDAP_AUTHMETHOD LDAP_FOLLOWREF LDAP_SEARCH_SCOPE LDAP_SEARCH_TIME_LIMIT
       export LDAP_PREF_SRVLIST LDAP_PROFILE_TTL LDAP_CRED_LEVEL LDAP_BIND_LIMIT
       export NEED_SRVAUTH_PAM NEED_SRVAUTH_KEY NEED_SRVAUTH_CMD
       export LDAP_SRV_AUTHMETHOD_PAM LDAP_SRV_AUTHMETHOD_KEY LDAP_SRV_AUTHMETHOD_CMD
       export LDAP_SERV_SRCH_DES SSD_FILE

       # Service Search Descriptors start here if present:

       # End of /tmp/idsconfig.ins

As described in "Automating Installations" on page 244, you can create an idsconfig output file, then use it to perform an automated installation using JumpStart technology.

idsconfig Tips and Observations

The following tips and observations might clear up questions you have.
- The directory server you are configuring must be running when you run the idsconfig command, because idsconfig uses LDAP to make the changes.
- The name of the domain to be served is independent of your DNS domain. While it can have the same name, it doesn't need to.
- The anonymous credential level does not work with pam_unix authentication. This is because user passwords need to be readable by some identity, which is normally a proxy account. Unless you make passwords readable by anonymous, pam_unix will not work.
- The BaseDN specified does not have to be a root suffix. If you specify a container, such as ou=nsmaps, dc=example, dc=com, the ou=nsmaps container is created for you (if it does not already exist).
- Only one client profile is created. See Chapter 7 "Performing Administrative Tasks" for details on creating additional profiles.
- At the Preferred Servers prompt, you must enter the IP address and not the host name. This is because a name service might not be running at the time the information is needed.
- Choosing an authentication method only creates an attribute in the profile. For example, if you specify tls:simple you still need to configure TLS/SSL on both the server and the client. You can generate the profile before TLS/SSL is configured, but you must configure it before clients are initialized using the profile.
- The default for the profile time to live is 12 hours. This means that if you modify the profile in the directory, clients will not see the changes until the cache is refreshed, which by default happens after 12 hours.
- While Service Search Descriptors (SSDs) can be specified, they will be very rudimentary. If you want to deploy SSDs, see Chapter 7 "Performing Administrative Tasks" for more details.

Enabling TLS/SSL on the Directory Server

To take advantage of the ability to encrypt name service data, you need to perform the following tasks:
- Enable TLS/SSL on the directory server.
- Create a client profile that specifies TLS as an authentication method.
- Provide the client with a certificate database containing the Certificate Authority (CA) certificate.

These tasks are described in the following sections.

Enabling SSL

To enable SSL on the directory server, you need to have a signed server certificate available. The certificate must be signed by a trusted Certificate Authority (CA). The CA can be a commercial one or one you set up for company use. Alternatively, you can self-sign a certificate. In either case, you will need access to the signer's certificate so it can be stored in the client's certificate database.

For web browsers such as Netscape Communicator, obtaining the signer's certificate is as simple as pointing your browser at a URL and accepting the certificate. For an LDAP client, there is no way to duplicate this procedure. However, the same certificate database created for Communicator can also be used by the LDAP client.

The process of requesting a certificate to be signed and then installing it on your directory server consists of several steps:
1. Create a Certificate Signing Request (CSR) by invoking the directory server certificate wizard or by generating one with another tool.
2. Send the CSR to a Certificate Authority (CA). This can be through email, a web interface, or simply transferring the CSR file to the CA.
3. Retrieve the signed certificate from the CA. This can be received through email, retrieved from a web site, or obtained by a file transfer.
4. Import the certificate into the directory server. This can be through the certificate wizard or performed manually.

The way these steps are performed varies depending on the type of CA you use. For the examples presented here, self-signed certificates are used. That is, you become the CA that signs the certificate. This method is useful for testing and for organizations that do not have access to a CA. Chapter 3 discusses how to use the certutil and keyutil utilities for creating your own CA, generating certificate requests, and then generating a certificate.

Enabling SSL on the Directory Server

The Sun ONE Directory Server provides a wizard that will generate a CSR and install the signed certificate for you. Essentially what this does is create cert7.db and key3.db databases. If you configure these using certutil as described in Chapter 3, you can bypass the wizard by copying them to the appropriate location. The names need to change to reflect the name of the directory server instance in which they will be used.

    # cp cert7.db slapd-myserver-cert7.db
    # cp key3.db slapd-myserver-key3.db
    # cp slapd-myserver-cert7.db /var/mps/serverroot/alias
    # cp slapd-myserver-key3.db /var/mps/serverroot/alias

Once the slapd-myserver-cert7.db and slapd-myserver-key3.db databases are in place, you can enable SSL from the directory console. To do this, go to the Configuration tab and highlight the first line (your server instance). Click on the Encryption tab and observe the screen shown in FIGURE 4-2.

[Figure 4-2. Directory Server Certificate Wizard]

To enable SSL, check the "Enable SSL for this server" and "Use this cypher family: RSA" boxes. You should also see the server certificate you created under the "Certificate:" pull-down menu. When you click on the Save button, you are instructed to restart the directory server. When you manually restart the directory server you see the following output.
    # directoryserver stop
    # directoryserver start
    Enter PIN for Internal (Software) Token: *******

This is the same PIN used when the cert7.db and key3.db databases were created. At this point, the directory server is listening on port 636 for TLS/SSL requests.

Automatic Startup of SSL

Because there might be cases where the directory server is restarted without an administrator present, it is desirable to have the server start without querying for a password. This can be accomplished by creating a file that contains the key3.db database password. Usually, this file resides in the alias directory under the directory server root. The following example shows how the password file is created.

    # cd /var/mps/serverroot/alias
    # ls -l
    -rw-------   1 root     other     196608 Sep  5 16:49 slapd-myserver-cert7.db
    -rw-------   1 root     other      32768 Sep  5 16:49 slapd-myserver-key3.db
    -rw-------   1 root     other      32768 Sep 10 11:32 secmod.db
    # vi slapd-myserver-pin.txt
    Internal (Software) Token:mysecret
    #

In vi, insert the single line shown, then save and exit. The permissions shown assume the Directory Server is started and run as root. If this is not the case, the ownership of the files must be adjusted. The permission and ownership of the password file should be set so that only the user starting the directory server can read it.

To Configure TLS/SSL From the Command Line

LDIF provides an alternative to the Sun ONE Directory Console for configuring TLS/SSL. LDIF can be created and imported to generate the same configuration. There are three tasks to create this configuration:
- Create an entry that will contain TLS/SSL information.
- Modify some default directory data.
- Turn on TLS/SSL.
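Two things are worth checking before the LDIF in the following steps is imported, and the POSIX shell script below is an added example for both (it is not code from the book or from the Sun ONE distribution). First, the slapd-myserver-pin.txt file created above, like the typical.ins, administration state and idsconfig -o files earlier in this section, holds a cleartext password, so the script verifies that such a file is owned by the user the server runs as and carries no group or other permission bits; it parses ls -ld rather than stat so it also works on Solaris 9. Second, the nsSSL3Ciphers value used in step 2 enables rsa_rc4_40_md5 (40-bit export), rsa_des_sha (single DES) and rsa_rc4_128_md5 (RC4), and the same LDIF turns nsSSL2 on; the script lists the enabled suites that match a weak-cipher pattern and emits an alternative LDIF fragment that disables them and SSLv2. The weak-cipher pattern, the temporary directory, the "hardened" LDIF, and the sample pin file contents are the example's own choices, not the book's.

```shell
#!/bin/sh
# Added example: pre-flight audit for the command-line TLS/SSL configuration.
# Not part of the Sun ONE Directory Server distribution. Checks (1) that a
# file holding a secret is owned by the server user and unreadable by group
# and others, and (2) that an nsSSL3Ciphers value enables no null, export
# (40-bit), single-DES or RC4 suites. The values below are constructed.

# Suites that should never be enabled: null encryption, 40-bit export,
# single DES (the pattern deliberately does not match 3des) and RC4.
WEAK_RE='null|_40_|(^|_)des_|rc4'

# nsSSL3Ciphers value as it appears in the LDIF of this section (constructed copy).
CIPHERS='-rsa_null_md5,-rsa_fips_3des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc4_40_md5'

# Print the suites enabled ("+" prefix) in an nsSSL3Ciphers value, one per line.
enabled_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^+//p'
}

# Print only the enabled suites that match the weak-cipher pattern.
weak_enabled_ciphers() {
    enabled_ciphers "$1" | grep -E "$WEAK_RE" || true
}

# Rewrite an nsSSL3Ciphers value so every weak suite is disabled ("-");
# suites that do not match the pattern keep their original sign.
harden_cipher_list() {
    printf '%s\n' "$1" | tr ',' '\n' |
    while IFS= read -r tok; do
        name=${tok#[+-]}
        if printf '%s\n' "$name" | grep -Eq "$WEAK_RE"; then
            printf '%s\n' "-$name"
        else
            printf '%s\n' "$tok"
        fi
    done | paste -s -d ',' -
}

# Emit an LDIF modify that turns SSLv2 off and applies the hardened suite list
# (the example's recommendation, not the book's LDIF).
hardened_ldif() {
    printf 'dn: cn=encryption,cn=config\nchangetype: modify\n'
    printf 'replace: nsSSL2\nnsSSL2: off\n-\n'
    printf 'replace: nsSSL3Ciphers\nnsSSL3Ciphers: %s\n' "$(harden_cipher_list "$1")"
}

# Return 0 if $1 is a regular file owned by user $2 with no group/other
# permission bits; otherwise print the reason and return 1. Uses ls -ld so
# it does not depend on a GNU-style stat(1).
check_secret_file() {
    f=$1; want_owner=$2
    [ -f "$f" ] || { echo "$f: missing or not a regular file"; return 1; }
    set -- $(ls -ld "$f")               # e.g. -rw------- 1 owner group size ...
    mode=$1; owner=$3
    case "$mode" in
        ????------*) ;;                  # characters 5-10 are the group/other bits
        *) echo "$f: mode $mode is readable by group or others"; return 1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "$f: owned by $owner, expected $want_owner"; return 1; }
    return 0
}

# Demonstration with a constructed pin file in a temporary directory.
DEMO_DIR=$(mktemp -d)
PIN_FILE="$DEMO_DIR/slapd-myserver-pin.txt"
printf 'Internal (Software) Token:mysecret\n' > "$PIN_FILE"
chmod 644 "$PIN_FILE"                                  # deliberately too open
check_secret_file "$PIN_FILE" "$(id -un)" || echo "remedy: chmod 600 $PIN_FILE"
chmod 600 "$PIN_FILE"
check_secret_file "$PIN_FILE" "$(id -un)" && echo "$PIN_FILE: ok"
echo "weak suites enabled in the sample nsSSL3Ciphers value:"
weak_enabled_ciphers "$CIPHERS"
echo "hardened LDIF:"
hardened_ldif "$CIPHERS"
rm -rf "$DEMO_DIR"
```

The permission check is the same test a practitioner should apply to every state file that carries ConfigDirectoryAdminPwd, DirectoryManagerPwd or LDAP_ROOTPWD before leaving it on disk for a Jumpstart run; the cipher functions work on any nsSSL3Ciphers string, so they can be run against a value read back with ldapsearch as well as the one typed into the LDIF.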
- Create an LDIF representation that looks like this and import it.

    dn: cn=RSA, cn=encryption, cn=config
    changetype: add
    objectclass: top
    objectclass: nsEncryptionModule
    cn: RSA
    nsSSLToken: internal (software)
    nsSSLPersonalitySSL: server-cert
    nsSSLActivation: on

  The nickname server-cert matches the name given to the certificate created in the slapd-myserver-cert7.db database.

- Create an LDIF representation that looks like this and import it.

    dn: cn=encryption,cn=config
    changetype: modify
    replace: nsSSL2
    nsSSL2: on
    -
    replace: nsSSL3
    nsSSL3: on
    -
    replace: nsSSLClientAuth
    nsSSLClientAuth: allowed
    -
    replace: nsSSL3Ciphers
    nsSSL3Ciphers: -rsa_null_md5,-rsa_fips_3des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc4_40_md5
    -
    replace: nsCertFile
    nsCertFile: alias/slapd-myserver-cert7.db
    -
    replace: nsKeyFile
    nsKeyFile: alias/slapd-myserver-key3.db

  The names of the database files, slapd-myserver-cert7.db and slapd-myserver-key3.db, match the ones that were placed in the alias directory.

- Create an LDIF representation that looks like this and import it.

    dn: cn=config
    changetype: modify
    replace: nsslapd-secureport
    nsslapd-secureport: 636
    -
    replace: nsslapd-security
    nsslapd-security: on

To Verify the TLS/SSL Configuration on the Server
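Before importing the cn=encryption,cn=config record from the previous steps, it is worth linting it for settings a defender would no longer accept: SSL 2.0, the 40-bit export suite, RC4 and single DES. The Python script below is an added example, not part of the Sun documentation; it unfolds the LDIF record, reads the nsSSL3Ciphers list (a "+" prefix enables a suite, "-" disables it) and reports what is enabled, and SAMPLE_LDIF is a constructed copy of this section's record.

```python
"""Audit nsSSL* settings in a cn=encryption,cn=config LDIF. Added example (not Sun's code); SAMPLE_LDIF is a constructed copy of this section's record, folded the LDIF way."""
SAMPLE_LDIF = """\
dn: cn=encryption,cn=config
replace: nsSSL2
nsSSL2: on
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,-rsa_fips_3des_sha,-rsa_fips_des_sha,
 +rsa_3des_sha,+rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc4_40_md5
"""

def unfold(ldif):
    """Join folded lines (RFC 2849): a line starting with one space continues the previous one."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_record(ldif):
    """Map attribute name (lower-cased) to its values for one record; modify-op lines are skipped."""
    attrs = {}
    for line in unfold(ldif):
        if line in ("-", "") or line.startswith(("replace:", "add:", "delete:")):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def audit_encryption(ldif):
    """Return findings for settings a defender would not accept today (empty list = clean)."""
    attrs = parse_record(ldif)
    findings = []
    if attrs.get("nsssl2", ["off"])[0].lower() == "on":
        findings.append("nsSSL2 on: SSL 2.0 is obsolete and should stay off")
    for token in attrs.get("nsssl3ciphers", [""])[0].split(","):
        token = token.strip()
        if not token.startswith("+"):  # a '-' prefix disables the suite; only '+' suites count
            continue
        parts = token[1:].split("_")   # rsa_rc4_40_md5 -> ['rsa', 'rc4', '40', 'md5']
        if "null" in parts:
            findings.append(f"{token[1:]}: null cipher, no confidentiality")
        elif "40" in parts:
            findings.append(f"{token[1:]}: 40-bit export-grade suite")
        elif "rc4" in parts or "des" in parts:
            findings.append(f"{token[1:]}: RC4 and single DES are broken")
    return findings
```

Run against SAMPLE_LDIF it flags nsSSL2 plus three of the four enabled suites; only rsa_3des_sha passes.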
- Make sure there is a process listening on port 636.

    # netstat -an | grep 636 | grep LISTEN
          *.636                *.*                0      0 24576      0 LISTEN
    ...
    #

- Access the directory server in one of the following two ways:
  - From Netscape Communicator, go to ldaps://myserver:636/
  - From the command line, enter:

    # ./ldapsearch -h ipivot -p 636 -Z -P /var/ldap/cert7.db -K /var/ldap/key3.db -s base -b "" objectclass=\*
    . . .

  The output displayed on the screen where the command was entered should be the Directory Server Entry (DSE), which looks like this:

    dn:
    objectClass: top
    namingContexts: dc=example, dc=com
    namingContexts: o=NetscapeRoot
    supportedExtension: 2.16.840.1.113730.3.5.7
    supportedExtension: 2.16.840.1.113730.3.5.8
    supportedExtension: 2.16.840.1.113730.3.5.3
    supportedExtension: 2.16.840.1.113730.3.5.5
    supportedExtension: 2.16.840.1.113730.3.5.6
    supportedExtension: 2.16.840.1.113730.3.5.4
    ...

Configuring the Clients

There are three versions of Solaris LDAP clients:
- Solaris 8 OE (Phase 1) is the original version that shipped with Solaris 8 OE. This client is overwritten when you install patch 108993-18 (or a later version).
- Solaris 8 OE patch client (Phase 2) is loaded when you install patch 108993-16 (or later).
- Solaris 9 OE client is installed as a core component of the Solaris 9 OE. To take advantage of password aging, you must install patch 112960-03 (or later).

The first version of the client has been made obsolete by the introduction of the 108993-16 patch.

Solaris LDAP Client Initialization

Secured LDAP Clients are initialized either by the sysidtools program when the Solaris OE is installed, or by running the ldapclient command after the client has been configured with another name service. A description of sysidtools is provided in "Automating Installations" on page 244 because it is a key component of achieving automated installations. You can run the ldapclient command with or without client profiles. However, use of profiles is highly recommended for ease of administration, so this is the only method discussed. Client initialization consists of the following tasks, which are performed as the result of running the ldapclient command:
- Creating the ldap_client_file and ldap_client_cred files in the /var/ldap directory.
- Modifying the /etc/nsswitch.conf file to include the ldap tag.
- Starting the /usr/lib/ldap/ldap_cachemgr process.

Other files that may be modified include:

The ldap_client_file file is created from data contained in the client profile. The ldap_client_cred file is created from command-line arguments. Example:

    # ldapclient init -a proxyDn="cn=proxyagent, ou=profile, dc=example, dc=com" \
        -a domainname=example.com -a profilename=default \
        -a proxypassword=test1234 128.100.100.1

In this example, the proxyDn and proxypassword arguments result in the creation of the following content:

    # cat /var/ldap/ldap_client_cred
    #
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    #
    NS_LDAP_BINDDN= cn=proxyagent, ou=profile, dc=example, dc=com
    NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f

The following is a compressed example of the default nsswitch.ldap file. This file is copied to /etc/nsswitch.conf when the client is initialized. Notice that the ldap string is added as a tag along with the files tag.

    # cat /etc/nsswitch.ldap
    passwd:       files ldap
    group:        files ldap
    hosts:        ldap [NOTFOUND=return] files
    ipnodes:      files
    networks:     ldap [NOTFOUND=return] files
    protocols:    ldap [NOTFOUND=return] files
    rpc:          ldap [NOTFOUND=return] files
    ethers:       ldap [NOTFOUND=return] files
    netmasks:     ldap [NOTFOUND=return] files
    bootparams:   ldap [NOTFOUND=return] files
    publickey:    ldap [NOTFOUND=return] files
    netgroup:     ldap
    automount:    files ldap
    aliases:      files ldap
    services:     files ldap
    sendmailvars: files
    printers:     user files ldap
    auth_attr:    files ldap
    prof_attr:    files ldap
    project:      files ldap

The ldap_cachemgr process is started when the /etc/init.d/ldap.client script is run. It is also started by the ldapclient command when it is run to initialize a client. The ldap_cachemgr process is started automatically if the ldap_client_file exists, as the start case of the ldap.client script below shows.

    #!/sbin/sh
    # Copyright (c) 1999,2001 by Sun Microsystems, Inc.
    #ident "@(#)ldap.client 1.3 01/10/29 SMI"

    case "$1" in
    start)
        # Only start the cache manager when the client has been initialized
        [ -f /var/ldap/ldap_client_file ] && \
        [ -f /usr/lib/ldap/ldap_cachemgr ] || exit 0
        /usr/lib/ldap/ldap_cachemgr
        ;;
    stop)
        [ -f /usr/lib/ldap/ldap_cachemgr ] && /usr/lib/ldap/ldap_cachemgr -K
        ;;
    *)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
    esac
    exit 0

To Configure pam_ldap

By default, the /etc/pam.conf file is configured for pam_unix authentication. While this form of authentication works with LDAP as a name service, pam_ldap is recommended, as discussed in Chapter 3, "Defining Directory Service Security Architecture." To enable pam_ldap for all services, add the pam_ldap.so.1 lines to the pam.conf file as shown in the following code box.
    # login service (explicit because of pam_dial_auth)
    login   auth sufficient pam_unix_auth.so.1
    login   auth required   pam_ldap.so.1 try_first_pass
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin  auth required   pam_unix_auth.so.1
    rlogin  auth required   pam_ldap.so.1 try_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh     auth required   pam_unix_auth.so.1
    rsh     auth required   pam_ldap.so.1 try_first_pass
    # PPP service (explicit because of pam_dial_auth)
    ppp     auth required   pam_unix_auth.so.1
    ppp     auth required   pam_ldap.so.1 try_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other   auth required   pam_unix_auth.so.1
    other   auth required   pam_ldap.so.1 try_first_pass
    # passwd command (explicit because of a different authentication
    # module)
    passwd  auth required   pam_passwd_auth.so.1
    passwd  auth required   pam_ldap.so.1 try_first_pass
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password
    # management
    other   password requisite  pam_authtok_get.so.1
    other   password requisite  pam_authtok_check.so.1
    other   password sufficient pam_authtok_store.so.1
    other   password required   pam_ldap.so.1 try_first_pass

Running DNS and LDAP Name Services

Unlike NIS, there is no DNS forwarding capability built into the LDAP name service. In many cases, it is desirable to be able to resolve fully qualified DNS names in addition to simple host names. This is important when configuring clients to accept server certificates that have DNS names defined. For security reasons, the client must be able to resolve the DNS name, or else it assumes the certificate is not valid.

To Enable DNS With LDAP

Modify two files as shown:

    # vi /etc/resolv.conf
    . . .
    nameserver 125.148.172.14

    # vi /etc/nsswitch.conf
    . . .
    hosts: dns ldap [NOTFOUND=return] files

The IP address 125.148.172.14 should be replaced with the address of one of your DNS servers, and the dns tag should be placed before the ldap tag for the hosts entry in /etc/nsswitch.conf as shown.

Enabling TLS/SSL on the Client

The authentication method the Secured LDAP Client uses to connect with the name service is determined by the authenticationMethod attribute specified in the client profile. This attribute can be overridden to use another authentication method, such as pam_ldap authentication and password management, by adding the serviceAuthenticationMethod attribute. If this attribute is not specified, the same method is used for all services, including proxy authentication.

To Configure the Client to Use TLS/SSL as a Transport
- Insert the tls:simple tag as the value of the authenticationMethod attribute in the client profile, as shown here in LDIF representation.

    dn: cn=sslProfile, ou=profile, dc=example, dc=com
    objectClass: top
    objectClass: DUAConfigProfile
    defaultServerList: 128.100.100.1
    defaultSearchBase: dc=example, dc=com
    authenticationMethod: tls:simple
    followReferrals: FALSE
    defaultSearchScope: one
    searchTimeLimit: 30
    profileTTL: 43200
    cn: sslProfile
    credentialLevel: proxy
    bindTimeLimit: 10

- Create a client certificate database. To complete the configuration, the client must have a certificate database containing the signer certificate that the directory server uses. Although it can be empty, a key3.db file is also required. The same cert7.db file used on the directory server can be used by the client. Example:

    # cp cert7.db /var/ldap/cert7.db
    # chmod 444 /var/ldap/cert7.db
    # touch /var/ldap/key3.db
    # chmod 444 /var/ldap/key3.db

Note: Make sure the client can resolve DNS names, because the certificate that was created specifies the fully qualified directory server name in the cn= field.
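A pre-flight check for the client files described in this section, written in Python as an added example (not from the Sun documentation): it confirms that /var/ldap holds ldap_client_file, cert7.db and key3.db, that a credential file such as ldap_client_cred (the same rule applies to the server's slapd-myserver-pin.txt from the Automatic Startup of SSL section) is readable only by its owner, and that the hosts line of nsswitch.conf lists dns before ldap so the server name in the certificate can be resolved. The make_sample_client helper builds a constructed look-alike of /var/ldap in a temporary directory so the checks can be exercised without a real client.

```python
"""Pre-flight checks for a Secured LDAP Client (added example, not from the Sun documentation)."""
import os
import stat
import tempfile

def secret_file_findings(path, owner_uid):
    """Flag a credential file (ldap_client_cred, slapd-myserver-pin.txt) that others can read."""
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    st = os.stat(path)
    findings = []
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    return findings

def nsswitch_hosts_ok(text):
    """True when the hosts line consults dns before ldap, so the server's DNS name resolves."""
    for line in text.splitlines():
        if line.startswith("hosts:"):
            src = [t for t in line.split()[1:] if not t.startswith("[")]  # drop [NOTFOUND=return]
            return "dns" in src and "ldap" in src and src.index("dns") < src.index("ldap")
    return False

def check_client(var_ldap, nsswitch_path, owner_uid=None):
    """Return a list of findings; an empty list means the client looks ready for tls:simple."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    findings = [f"{n}: missing from {var_ldap}" for n in ("ldap_client_file", "cert7.db", "key3.db")
                if not os.path.isfile(os.path.join(var_ldap, n))]
    findings += secret_file_findings(os.path.join(var_ldap, "ldap_client_cred"), owner_uid)
    with open(nsswitch_path) as fh:
        if not nsswitch_hosts_ok(fh.read()):
            findings.append("nsswitch.conf: hosts should read 'dns ldap [NOTFOUND=return] files'")
    return findings

def make_sample_client(cred_mode=0o400, hosts_line="hosts: dns ldap [NOTFOUND=return] files"):
    """Build a constructed /var/ldap look-alike in a temp dir; returns (var_ldap, nsswitch_path)."""
    root = tempfile.mkdtemp()
    var_ldap = os.path.join(root, "var", "ldap")
    os.makedirs(var_ldap)
    for name in ("ldap_client_file", "cert7.db", "key3.db"):
        open(os.path.join(var_ldap, name), "w").close()
    cred = os.path.join(var_ldap, "ldap_client_cred")
    with open(cred, "w") as fh:
        fh.write("NS_LDAP_BINDDN= cn=proxyagent, ou=profile, dc=example, dc=com\n")
    os.chmod(cred, cred_mode)
    nsswitch = os.path.join(root, "nsswitch.conf")
    with open(nsswitch, "w") as fh: fh.write("passwd: files ldap\n" + hosts_line + "\n")
    return var_ldap, nsswitch
```

On a real client call check_client("/var/ldap", "/etc/nsswitch.conf", 0) as root; a world-readable ldap_client_cred or a hosts line without dns each produce one finding.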