administeringLDAP naming servicesLDAP This chapter describes the use of the Sun Java System Directory Server (Directory Server) for a system that is configured with Solaris Trusted Extensions.Using a Naming Service in Trusted Extensions Using the LDAP Naming Service in Trusted Extensions LDAPnaming service for Trusted Extensions LDAPTrusted Extensions databasesdatabasesin LDAPnetwork databasesin LDAPnaming servicesdatabases unique to Trusted ExtensionsTo achieve uniformity of user, host, and network attributes within a security domain with multiple Trusted Extensions systems, a naming service is used for distributing most configuration information. LDAP is an example of a naming service. The nsswitch.conf file determines which naming service is used. LDAP is the recommended naming service for Trusted Extensions.The Directory Server can provide the LDAP naming service for Trusted Extensions and Solaris clients. The server must include Trusted Extensions network databases, and the Trusted Extensions clients must connect to the server over a multilevel port. The security administrator specifies the multilevel port when configuring Trusted Extensions.Trusted Extensions adds two trusted network databases to the LDAP server: tnrhdb and tnrhtp. These databases are administered by using the Security Templates tool in the Solaris Management Console. A toolbox of Scope=LDAP, Policy=TSOL stores configuration changes on the Directory Server.For information about the use of the LDAP naming service in the Solaris OS, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). Setting up the Directory Server for Trusted Extensions clients is described in Chapter 5, Configuring LDAP for Trusted Extensions (Tasks). Trusted Extensions systems can be clients of a Solaris LDAP server by using an LDAP proxy server that is configured with Trusted Extensions. Systems that are configured with Trusted Extensions cannot be clients of NIS or NIS+ masters. If a naming service is not used at a site, administrators must ensure that configuration information for users, hosts, and networks is identical on all hosts. A change that is made on one host must be made on all hosts.On a non-networked Trusted Extensions system, configuration information is maintained in the /etc, /etc/security, and /etc/security/tsol directories. Actions in the Trusted_Extensions folder enable you to modify some configuration information. The Security Templates tool in the Solaris Management Console enables you to modify network database parameters. Users, roles, and rights are modified in the User Accounts, Administrative Roles, and Rights tools. A toolbox on This Computer with Scope=Files, Policy=TSOL stores configuration changes locally. Trusted Extensions extends the Directory Server's schema to accommodate the tnrhdb and tnrhtp databases. Trusted Extensions defines two new attributes, ipTnetNumber and ipTnetTemplateName, and two new object classes, ipTnetTemplate and ipTnetHost.The attribute definitions are as follows:ipTnetNumber ( 1.3.6.1.1.1.1.34 NAME 'ipTnetNumber' DESC 'Trusted network host or subnet address' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )ipTnetTemplateName ( 1.3.6.1.1.1.1.35 NAME 'ipTnetTemplateName' DESC 'Trusted network template name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )The object class definitions are as follows:ipTnetTemplate ( 1.3.6.1.1.1.2.18 NAME 'ipTnetTemplate' SUP top STRUCTURAL DESC 'Object class for Trusted network host templates' MUST ( ipTnetTemplateName ) MAY ( SolarisAttrKeyValue ) ) ipTnetHost ( 1.3.6.1.1.1.2.19 NAME 'ipTnetHost' SUP top AUXILIARY DESC 'Object class for Trusted network host/subnet address to template mapping' MUST ( ipTnetNumber $ ipTnetTemplateName ) )The cipso template definition in LDAP is similar to the following:ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com objectClass=top objectClass=organizationalUnit ou=ipTnet ipTnetTemplateName=cipso,ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com objectClass=top objectClass=ipTnetTemplate ipTnetTemplateName=cipso SolarisAttrKeyValue=host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH; ipTnetNumber=0.0.0.0,ou=ipTnet,dc=example,dc=example1,dc=exampleco,dc=com objectClass=top objectClass=ipTnetTemplate objectClass=ipTnetHost ipTnetNumber=0.0.0.0 ipTnetTemplateName=internal naming servicesactions for managing administrative actionsnaming services The LDAP naming service is managed in Trusted Extensions as it is managed in the Solaris OS. The following is a sample of useful commands, and contains references to more detailed information:For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). To troubleshoot client-to-server LDAP connection problems that are affected by labels, see How to Debug a Client Connection to the LDAP Server. To troubleshoot other client-to-server LDAP connection problems, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). LDAPdisplaying entriesTo display LDAP entries from an LDAP client, type:$ ldaplist -l $ ldap_cachemgr -g To display LDAP entries from an LDAP server, type:$ ldap_cachemgr -g $ idsconfig -v To list the hosts that LDAP manages, type:$ ldaplist -l hosts Long listing $ ldaplist hosts One-line listing To list information in the Directory Information Tree (DIT) on LDAP, type:$ ldaplist -l services | more dn: cn=apocd+ipServiceProtocol=udp,ou=Services,dc=exampleco,dc=com objectClass: ipService objectClass: top cn: apocd ipServicePort: 38900 ipServiceProtocol: udp ... $ ldaplist services name dn=cn=name+ipServiceProtocol=udp,ou=Services,dc=exampleco,dc=com To display the status of the LDAP service on the client, type:# svcs -xv network/ldap/client svc:/network/ldap/client:default (LDAP client) State: online since date See: man -M /usr/share/man -s 1M ldap_cachemgr See: /var/svc/log/network-ldap-client:default.log Impact: None. LDAPstartingLDAPstoppingTo start and stop the LDAP client, type:# svcadm enable network/ldap/client# svcadm disable network/ldap/client To start and stop the LDAP server in version 5.2 of Sun Java System Directory Server software, type:# installation-directory/slap-LDAP-server-hostname/start-slapd # installation-directory/slap-LDAP-server-hostname/stop-slapd To start and stop the LDAP server in version 6 of Sun Java System Directory Server software, type:# dsadm start /export/home/ds/instances/your-instance # dsadm stop /export/home/ds/instances/your-instance To start and stop a proxy LDAP server in version 6 of Sun Java System Directory Server software, type:# dpadm start /export/home/ds/instances/your-instance # dpadm stop /export/home/ds/instances/your-instance