Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-) Softpanorama Search

Solaris LDAP

LDAP is a client-server protocol for accessing a directory service. LDAP server can be used as a central point for user authentication over the network. LDAP is the industry standard for directory access and embraced by companies such as IBM, Netscape, Novell, Microsoft etc.

LDAP was first implemented at the University of Michigan in the early 1990's. LDAP is a TCP/IP application level protocol similar to HTTP, ftp and telnet.

There are many commercial LDAP servers available like Microsoft Active Directory, Novell eDirectory, iPlanet Directory Server, etc. In addition there is an open source implementation of LDAP (OpenLDAP) based on the work done at Michigan . It is used mainly on Linux and BSD operating systems, but can be used on Solaris too. LDAP is commonly defined in terms of four models. These are:

• Information Model -- specifies how data is stored within the directory.
• Naming Model -- defines how objects within the directory structure are organized and identified
• Access Model. The mechanics for accessing data
• Security Model. How data are protected.

The Lightweight Directory Access Protocol (LDAP) is an open-standard, platform independent, access protocol based on the X.500 informational model. It is designed to run over TCP/IP and uses simple string encoding. LDAP servers provide access to a hierarchical Directory Information Tree (DIT) that is made up of entries much like Unix filesystem tree. An entry has a relative distinguished name (RDN) that is unique among all its siblings and a distinguished name (DN) that is unique in the tree. LDAPv3 (RFC 2251) supports the following operations:

1. bind Allows authentication information to be exchanged between the client and server.
2. unbind Terminates a protocol session.
3. search Allows a client to request that a search be performed on its behalf by a server.
4. modify Allows a client to request modification of an entry on its behalf by a server.
5. add Allows a client to request the addition of an entry into the directory.
6. delete Allows a client to request the removal of an entry from the directory.
7. modify DN Allows a client to change the leftmost component of the name of an entry in the directory, or to move a subtree of entries to a new location in the directory.
8. compare Allows a client to compare an assertion provided with an entry in the directory.
9. abandon Allows a client to request that the server abandon an outstanding operation.
10. extended Allows clients to make requests and receive responses with predefined syntax and semantics.

LDAP in Solaris

The LDAP client library was first available in Solaris 7. The ldap(3LDAP) man page refers to 134 LDAP library functions that were added. In addition, the following user commands became available:

• ldapadd(1) -- LDAP entry addition tool
• ldapmodify(1) -- LDAP entry modification tool
• ldapdelete(1) -- LDAP delete entry tool
• ldapsearch(1) -- LDAP search tool
• ldapmodrdn(1) -- LDAP modify entry RDN tool
• ldapsearchprefs.conf(4) -- Configuration file for LDAP search preference routines
• ldapfilter.conf(4) -- Configuration file for LDAP filtering routines
• ldaptemplates.conf(4)-- Configuration file for LDAP display template routines

Starting from version 8 Solaris provides complete LDAP integration. LDAP back-end support to the Name Service switch was added. Network administrators can now specify LDAP as the desired name service to directory access by copying the nsswitch.ldap template file to /etc/nsswitch.conf. Native LDAP support is only available for IPv4 for Solaris versions less then 10. 

There are several relevant man pages:

• ldap(1)Using LDAP as a naming repository.
• ldap_cachemgr(1M) Specifying LDAP daemon to cache server and client information for Network Information Service lookups.
• ldapclient(1M)Initializing LDAP client machines.
• ldap_gen_profile(1M) Creating an LDIF file that can be loaded into an LDAP server to be used as the client profile, which can be downloaded by ldapclient.
• ldaplist(1) Specifying LDAP utility to search and list naming information from an LDAP directory service.
• pam_ldap(5) Specifying Authentication and password management PAM modules for LDAP.

The nsswitch(4) man page have been updated with changes to support LDAP.

A directory service functions somewhat like a database, but it differs from traditional relational databases in several ways:

• It is optimized for reading; adding and updating entries may be expensive.
• It provides advanced searching features.
• Its fundamental data structures, collectively known as the schema, can be extended according to local needs.
• It adheres to published standards to ensure interoperability among vendor implementations, specifically, a series of RFCs.
• It takes advantage of distributed storage and data replication techniques, allowing it to scale efficiently.

Because of these advantages  LDAP is replacing NIS/NIS+ as the enterprise user account and authentication of choice. That's why NIS+ will no longer be supported in future versions of Solaris. The Solaris best supports LDAP with the iPlanet Directory Server but can also work with other LDAP directory servers.  iPlanet Directory Server must be set up and then configured to support Solaris LDAP clients. On a configured LDAP server, the /etc/rc2.d/S72directory script starts the iPlanet Directory Server during the boot process.

LDAP provides a directory service which can be used for storing and querying information about the users. The range of information that can be made available in this way is typical for directories: Unix user account data or other institutional directory data (office location, phone numbers, and the like).

In order to emphasize these differences with respect to standard relational databases, different terminology is used to name a directory service's data structures: records are referred to as entries, and each field within a record is known as an attribute. .Like the DNS namespace, LDAP names start with the least significant component and proceed to the most significant; in other words, those just below root. The DN is constructed by concatenating the sequence of RDNs up to the root of the tree.

Note: Although the term LDAP is very fuzzy, it actually refers only to the protocol by which data are accessed (implemented in a daemon). The actual database capabilities are provided by a separate back-end program or package.

LDAP directories provide a way to name, manage, and access collections of directory entries. A directory entry is composed of attributes that have a type and one or more values. The syntax for each attribute defines the allowed values, or the allowed data type of the attribute values, such as American Standard Code for Information Interchange (ASCII) characters or a numerical data. LDAP also defines how those values are interpreted during a directory operation; for example, determining if a search or compare is case sensitive.

Directory entries are organized into a tree structure, which can be based on boundaries defined by geography (country), organization (company), or domain components (dc).

Entries are named according to their position in this tree structure by a distinguished name (DN). Each component of the DN is called a relative distinguished name (RDN). An RDN is composed of one or more attributes from the entry. The hierarchy of the directory tree structure is similar to that of the UNIX file system. An RDN corresponds to the relative path name of a file, and the DN to the absolute path name. As in the UNIX file system, sibling directory entries must have unique RDNs. However, unlike Unix filesystem in the directory tree, each entry can contain both content and attributes.

dc=softpanorama, dc=org
ou = Hosts ou = People
DN = "cn = Nikolai Bezroukov, ou = People, dc = softpanorama, dc = org"

Solaris LDAP Client

You execute the ldapclient command on the client system once to initiate the client as a native LDAP client. The required command-line arguments include the proxy name, password, and the LDAP server’s IP address. The following example describes a typical client initialization:

# ldapclient init -a proxyPassword=proxy \

-a proxyDN=cn=proxyagent,ou=profile,dc=softpanorama,dc=org\

-a domainname=softpanorama.org 192.168.1.1

There are two ACSII configuration files for the client in /var/ldap/

• ldap_client_cred contains the proxy agent information that the client uses for LDAP authentication that you can read using The ldapclient list command or any text file view command availble in Unix, for example cat ldap_client_cred
   
• ldap_client_file

You use the ldaplist command to list the naming information from the LDAP servers.

• Without any arguments, the ldaplist command returns all of the containers in the current search base DN.

To unconfigure an LDAP client, use the ldapclient uninit in used. This command removes the client files from the /var/ldap directory and restores the previous /etc/nsswitch.conf file.The ldap_cachemgr process is also stopped. The configuration changes are dynamic and no reboot is needed after ldapclient uninit command.

Old News ;-)

[July 15, 2007] Brads Publications

Mastering OpenLDAP Book review

A book review of Mastering OpenLDAP, written on 29th March, 2008.

• Book Review

LDAP Theory and Management

Covers LDAP theory and how to manage the data. Given at:

• SAGE-AU 2003 in Hobart on 4th August, 2003.
  • LaTeX
  • PDF
• SAGE-AU 2006 in Canberra on 24th July, 2006.
  • LaTeX
  • PDF

LDAP Servers and Applications

Covers LDAP servers and applications. Given at:

• SAGE-AU 2003 in Hobart on 4th August, 2003.
  • LaTeX
  • PDF
• SAGE-AU 2004 in Brisbane on 17th August, 2004.
  • LaTeX
  • PDF
• SAGE-AU 2006 in Canberra on 24th July, 2006.
  • LaTeX
  • PDF

LDAP Tutorial

This presentation gives an overview of what LDAP is, and covers a few uses for it. Given at:

• SAGE-AU and AUUG Tasmania in Tasma nia on October 2nd, 2000
  • HTML
  • ZIP
• SAGE-AU 2001 in A delaide on July 9th, 2001
  • HTML
  • ZIP
• SAGE-AU 2002 in Melbourne on August 5th, 2002
  • LaTeX
  • PDF

System Authentication using LDAP

A short presentation with basic information about LDAP and how to set up system authentication using pam_ldap and nss_ldap. Given at:

• SAGE-AU 2000
  • HTML (Paper)
  • MagicPoint (Slides)
  • HTML (Slides)
• QAUUG Summer Technical Conf 2001: HTML

Introduction to LDAP

This article was published in Linux.com Sysadmin section on 25th October 2000, and is a basic introduction to LDAP.

[Aug 24, 2006]LDAP Authentication In Linux HowtoForge - Linux Howtos and Tutorials Submitted by tdi

This howto will show you howto store your users in LDAP and authenticate some of the services against it. I will not show howto install particular packages, as it is distribution/system dependant. I will focus on "pure" configuration of all componenets needed to have LDAP authentication/storage of users. The howto assumes somehow, that you are migrating from a regular passwd/shadow authentication, but it is also suitable for people who do it from scratch.

Requirements

• OpenLDAP
• pam_ldap
• nss_ldap
• PADL migrationtools

Introducion

The thing we want to achieve is to have our users stored in LDAP, authenticated against LDAP ( direct or pam ) and have some tool to manage this in a human understandable way.

This way we can use all software, which has ldap support or fallback to PAM ldap module, which will act as a PAM->LDAP gateway.

More information on LDAP idea can be found on Wikipedia: LDAP wikipedia

[Jul 27, 2006] Demystifying LDAP

Is LDAP a database or a protocol? Is it understandable and deployable without reading a thousand pages of explanation and documentation? Brian Jones untangles some of the myths and legends about LDAP to explain what it is, why it's useful, and how to put it to productive use.

LDAPSolaris Docs TWiki

Solaris LDAP Authentication

This document covers how a Solaris system can be configured for LDAP authentication. It is an early draft and has only been tested with Solaris 10 zones although there is no reason why it should not work with earlier versions of Solaris.

Configure an SSL Tunnel

Because our LDAP service requires SSL connections before allowing authentication, it is necessary to connect to the LDAP server using SSL. The easiest way of doing this, is to configure a network tunnel ... the local machine will think it is talking to an LDAP server on the local machine.

First [ for O/S 9 and 10] , create the configuration necessary for the stunnel tool in /opt/etc. Or copy from ISOadm/nw-sun/LDAPclient/site-scripts/st-ldap.conf:-

    client = yes
    [ldap]
        accept=localhost:389
        connect=ldap.port.ac.uk:636

Note the "accept=localhost:389" ... the use of 'localhost' here prevents the tunnel from being visible (and usable) from the network, which would be a possible security hole.

Next is to configure an XML manifest for the SMF service if applying to Solaris 10. Either create the XML file with these conditions or use ISOadm/nw-sun/LDAPclient/site-scripts/st-ldap.xml :-

  <?xml version="1.0"?>

  <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

  <service_bundle type='manifest' name='Lstunnel-ldap'>

  <service
          name='site/Lstunnel-ldap'
          type='service'
          version='1'>

          <create_default_instance enabled='true' />

          <dependent
            name='exim_multi-user-server'
            grouping='require_all'
            restart_on='none'>
            <service_fmri value='svc:/milestone/multi-user-server' />
          </dependent>


          <exec_method
                  type='method'
                  name='start'
                  exec='/ISOadm/nw-sun/sbin/stunnel /opt/etc/st-ldap.conf'
                  timeout_seconds='0' />

          <exec_method
                  type='method'
                  name='stop'
                  exec=':kill -15'
                  timeout_seconds='3' />
  
  </service>
  </service_bundle>

This can be imported with svccfg import st-ldap.xml. Once imported start with svcadm enable Lstunnel-ldap.

For Solaris 9 copy ISOadm/nw-sun/site-scripts/LDAPclient/ldap.client to /etc/init.d, and run /etc/init.d/ldap.client start

Configure PAM

For Solaris 9 and 10 replace /etc/pam.conf with, the appropiate files from /ISOadm/nw-sun/site-scripts/LDAPclinet. select pam9.conf for Solaris 9, pam10.conf for Solaris 10]

The following is the corerct pam.conf for Solaris 10, for Solaris 9 all lines contained cred are omitted.

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
login   auth required         pam_unix_cred.so.1
login   auth required         pam_dial_auth.so.1
login   auth binding          pam_unix_auth.so.1 server_policy
login   auth required         pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient       pam_rhosts_auth.so.1
rlogin  auth requisite        pam_authtok_get.so.1
rlogin  auth required         pam_dhkeys.so.1
rlogin  auth required         pam_unix_cred.so.1
rlogin  auth binding          pam_unix_auth.so.1 server_policy
rlogin  auth required         pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient       pam_rhosts_auth.so.1
rsh     auth required         pam_unix_cred.so.1
rsh     auth binding          pam_unix_auth.so.1 server_policy
rsh     auth required         pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite        pam_authtok_get.so.1
ppp     auth required         pam_dhkeys.so.1
ppp     auth required         pam_dial_auth.so.1
ppp     auth binding          pam_unix_auth.so.1 server_policy
ppp     auth required         pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite        pam_authtok_get.so.1
other   auth required         pam_dhkeys.so.1
other   auth required         pam_unix_cred.so.1
other   auth binding          pam_unix_auth.so.1 server_policy
other   auth required         pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding          pam_passwd_auth.so.1 server_policy
passwd  auth required         pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required      pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required      pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

Instead of just looking in /etc/passwd, this checks there and checks in the LDAP server. The /etc/passwd file takes priority.

Configuring LDAP

Configure the LDAP client daemon manually with the following command, there is a script file in /site-scripts called ldap-mancli which will do the same thing, as long as stunnel is running:-

/usr/sbin/ldapclient manual
                -a defaultServerList=localhost
                -a defaultSearchBase=ou=lan,o=port
                -a defaultSearchScope=sub
                -a authenticationMethod=none
                -a credentialLevel=anonymous
                -a serviceAuthenticationMethod=passwd:simple
                -a serviceAuthenticationMethod=shadow:simple
                -a serviceAuthenticationMethod=pam_ldap:simple
                -a attributeMap=passwd:gecos=fullname
                -a attributeMap=passwd:homeDirectory=unixHome
                -a attributeMap=passwd:uid=cn
                -a serviceSearchDescriptor=shadow:ou=lan,o=port?sub
                -a serviceSearchDescriptor=passwd:ou=lan,o=port?sub

To restrict the ability to login to members of a group, add "?groupMembership=cn=gp-ac-pepitas,ou=sysperms,ou=ns,ou=lan,o=port" to the end of the "serviceSearchDescriptor".

Cleaning Up

The ldapclient command makes some changes we don't like, so edit /etc/nsswitch.conf and remove the 'ldap' word from all the name services except for 'passwd' and 'group' (including any "[NOTFOUND=return]" bits). Double check DNS has files and dns.

Also disable the autofs with svcadm disable autofs as this seems to spring into life.

Remaining Stuff

1. Map homeDirectory to unixHome for systems where a local home directory is preferred.

2. Look into setting up autofs for /Network/Servers/{IP}/... so we automount the users home directory.

Debugging

Finding out what is going wrong is kind of tricky as there is very little logging for LDAP. The simplest method of debugging is to change the LDAP server list to "ldap.port.ac.uk" and dump the traffic :-

    ldapclient -v mod -a defaultServerList=ldap.port.ac.uk
    snoop -o ldap.dump -s 0 host hickory-blue

The output file is best inspected on a workstation using Ethereal.

Don't forget to change the server list back again ... because this is plain text LDAP (which is necessary for dumping traffic), the NDS won't allow any authentication.

Working ldapclient list Configuration

# /usr/sbin/ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= localhost
NS_LDAP_SEARCH_BASEDN= ou=lan,o=port
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=lan,o=port?sub
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=lan,o=port?sub
NS_LDAP_ATTRIBUTEMAP= passwd:homeDirectory=unixHome
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=description
NS_LDAP_ATTRIBUTEMAP= passwd:uid=cn
NS_LDAP_SERVICE_AUTH_METHOD= passwd:simple
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
NS_LDAP_SERVICE_AUTH_METHOD= shadow:simple

-- MikeMeredith - 23 May 2005

[Oct 27, 2005] Linux.com Advanced Linux LDAP authentication By: "American" Dave Kline

In an earlier look at LDAP, we set up a simple LDAP-based authentication system. We configured client machines to retrieve authentication information from a server running OpenLDAP. Now let's go further by enabling encryption and looking at how to make user modifications through LDAP.

If client machines are to authenticate through LDAP, administrators must make sure user changes are reflected within the LDAP server. Most user management utilities on a client system expect to find information in files like /etc/passwd and /etc/group. If such information is only available through LDAP, utilities may complain about unknown users. To make changes in these cases, an administrator must modify the corresponding LDAP entries. While utilities such as phpLDAPadmin can help with this task, you must know what you're doing if you're to use them effectively.

LDAP for Solaris 8

Solaris 8 comes with a 200,000 user license for iPlanet Directory Server, a NSS nameservice-switch library for LDAP, a PAM module for LDAP, and Not Enough Documentation to get it to work.

It was really nice of sun to include all of this. It was extremely frustrating to not find documentation on Sun's web site, nor in the Answerbooks, etc, etc, rant rant rant.

Nobody should have to go through the pain I went through trying to get this to work. Using usenet and google searches, I got at least the NSS part working, so I could largely replace /etc/passwd with ldap, and I'm working on getting the PAM part working. [update: I have pam and nss working just great, it's all working superbly!] The following whitepaper, which I found through lots of deja searches, and not on www.sun.com for some reason is very helpful.

[update: there is now some information on sun's site at http://wwwwswest.sun.com/software/solutions/blueprints/1000/ldap-sol8.pdf.]

Sun Whitepaper titled "LDAP Setup and Configuration" [PDF, 232K]

---

Michael Mittelstadt

Recommended Links

---

In case of broken links please try to use Google search. If you find the page please notify us about new location

An LDAP Roadmap & FAQ -- Directory Services Information

IBM Redbooks Implementation and Practical Use of LDAP on the IBM eServer iSeries Server

First three chapters are a decent intro.

IBM Redbooks Understanding LDAP

Lightweight Directory Access Protocol (LDAP) is a fast-growing technology for accessing common directory information. LDAP has been embraced and implemented in most network-oriented middleware. As an open, vendor-neutral standard, LDAP provides an extendable architecture for centralized storage and management of information that needs to be available for today's distributed systems and services.

After a fast start, it can be assumed that LDAP has become the de facto access method for directory information, much the same as the Domain Name System (DNS) is used for IP address look-up on almost any system on an intranet and on the Internet. LDAP is currently supported in most network operating systems, groupware and even shrink-wrapped network applications.

This redbook was written for those readers who need to understand the basic principles and concepts of LDAP. Some background knowledge about heterogeneous, distributed systems is assumed and is highly beneficial when reading this book. Because this book is not meant to be an LDAP implementation guide, it does not contain product-related or vendor-specific information other than that used in examples

Implementing LDAP in the Solaris Operating Environment (October 2000) -by Tom Bialaski 

This article provides an overview of LDAP implementation. LDAP is an industry standard interface that is more than just a protocol. This article provides an explanation of the LDAP models and their actual implementation. Since the installation and configuration of Solaris Native LDAP is quite complex this article provides a foundation for understanding the fundamental principles involved.

Solaris Directory Services: Past, Present and Future (October 1999) -by Tom Bialaski

The high availability features of currently supported Solaris Operating Environment directory services (NIS, NIS+, DNS) and contrasts them with LDAP's high availability features.

http://docs.sun.com/source/816-5616-10/ldap.htm   An Introduction to LDAP, rather week

This chapter gives a brief introduction to the Lightweight Directory Access Protocol (LDAP) and the concepts behind LDAP.

LDAP is the Internet directory protocol. Developed at the University of Michigan at Ann Arbor in conjunction with the Internet Engineering Task Force, LDAP is a protocol for accessing and managing directory services.

The chapter is organized into the following sections:

• How Directory Services Work
• How LDAP Servers Organize Directories
• How LDAP Clients and Servers Work
• Support for the LDAPv3 Protocol

NOVELL LDAP page

Novell Using LDAP Tools on Linux, Solaris, or Tru64 UNIX Documentation

LDAP and Directory Books

Providing directory services with LDAP requires a careful look at the options

System Authentication using LDAP

O'Reilly Network Getting Started with LDAP

Netscape Directory Server

LDAP authentication using pam_ldap and nss_ldap

Selected Blueprints

Understanding Solaris 9 Operating Environment Directory Services (December 2002)
-by Tom Bialaski
This article examines the differences between the Solaris 8 Operating Environment (Solaris OE) Lightweight Directory Access Protocol (LDAP) Client and the Solaris 9 OE Secured LDAP Client, and explains how to support them on the same directory server. In addition, this article details troubleshooting tips for common implementation problems.

Automating LDAP Client Installations (July 2001)
-by Tom Bialaski
The article explains how to configure a native LDAP client at installation time, which is a new feature in Solaris 8 Operating Environment U3. The basics of sysidtools and creating a sysidcfg file for hands-off installation is covered along with how they relate to LDAP. Hard to find (non-documented) tips are provided to avoid common pitfalls.

Extending Authentication in the Solaris 9 Operating Environment Using Pluggable Authentication Modules (PAM): Part II (October 2002)
-by Michael Haines and Joep Vesseur
This article is part two of a two-part series and details the PAM application programming interface (API) and the PAM service provider interface (SPI). Also included are procedures on how to effectively write PAM modules when using the Solaris 9 Operating Environment (Solaris 9 OE). By writing these PAM service modules, it is possible to extend the capability of the Solaris 9 OE authentication mechanisms in a number of different ways.

Part one, Extending Authentication in the Solaris 9 Operating Environment Using Pluggable Authentication Modules (PAM): Part I, was published in the September 2002 issue of Sun BluePrints Online.

Securing LDAP Through TLS/SSL--A Cookbook (June 2002)
-by Stefan Weber
Deploying secure Lightweight Directory Access Protocol (LDAP) connections is becoming more demanding. This article details the steps on how to set up the Sun Open Net Environment (Sun ONE) Directory Server software so that it can be accessed securely from command line tools.

Running Multiple Solaris Operating Environment Naming Services on a Client (May 2001)
-by Tom Bialaski
The native LDAP client installation program assumes that you will not be running another naming service on your client. Some customers, who I have worked with, do not want to disable NIS when they configure native LDAP. This can be done, but there is no readily available document which describes how to do it. The article not only describes this procedure, but also highlights best practices for running NIS and LDAP together.

LDAP Utilities

• ldaplist -- list LDSP entries

• ldapcmp.exe

• ldapdelete.exe

• ldapmodify.exe

• ldapsearch.exe - search LDAP entries

Etc

• 10-minute LDAP tutorial
• MigrationTools -- Perl scripts for populating LDAP directories Jun 28th 1999, 15:07 stable: 3.19 - devel: none license: BSD type
• Performance Computing - Features - LDAP The Glue Is Almost Set
• Implementing LDAP--Namespace Considerations