LDAP in the Solaris Operating Environment: Deploying Secure Directory Services
Some databases are not handled by the ldapaddent command. These include:
projects Database
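Since ldapaddent does not handle the projects database, the LDIF in this section has to be produced by hand or by a script. The following converter is an added example, not code from the book: it parses /etc/project lines (projname:projid:comment:user-list:group-list:attributes) and emits records using the object class and attributes shown below. Assumed beyond the page: the container ou=projects,dc=example,dc=com, the function names, and mapping the comment field to the LDAP description attribute.

```python
BASE_DN = "ou=projects,dc=example,dc=com"   # assumption: container used in this section

# Constructed sample input in /etc/project format: the four default projects
# plus one project with members and a resource-control attribute.
SAMPLE_PROJECT = """\
system:0::::
user.root:1::::
noproject:2::::
default:3::::
testproject:100:Test Project:tomb,mhaines:operator:project.max-lwps=(privileged,200,deny)
"""

def parse_project_line(line):
    """Split one /etc/project line into its six fields; None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 6:
        raise ValueError("expected 6 colon-separated fields: %r" % line)
    name, projid, comment, users, groups, attrs = fields
    return {"name": name, "id": int(projid), "comment": comment,
            "users": users, "groups": groups, "attrs": attrs}

def project_to_ldif(p):
    """Render one project as an LDIF record with the object class/attributes shown on the page."""
    lines = ["dn: SolarisProjectName=%s,%s" % (p["name"], BASE_DN),
             "objectClass: top",
             "objectClass: SolarisProject",
             "SolarisProjectID: %d" % p["id"],
             "SolarisProjectName: %s" % p["name"]]
    if p["users"]:                      # comma-separated list, as in memberUid: tomb,mhaines
        lines.append("memberUid: " + p["users"])
    if p["groups"]:
        lines.append("memberGid: " + p["groups"])
    if p["comment"]:                    # assumption: comment field -> description attribute
        lines.append("description: " + p["comment"])
    for attr in filter(None, p["attrs"].split(";")):   # ';'-separated project attributes
        lines.append("SolarisProjectAttr: " + attr)
    return "\n".join(lines) + "\n"

def convert_project_file(text):
    """Return LDIF for every entry in the given /etc/project content, blank-line separated."""
    projects = [p for p in map(parse_project_line, text.splitlines()) if p]
    return "\n".join(project_to_ldif(p) for p in projects)
```

The output of convert_project_file(SAMPLE_PROJECT) can be fed to ldapadd as-is; a malformed line raises rather than producing a partial record.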
The default projects defined in /etc/project can be expressed in LDIF like this:

dn: solarisprojectname=system,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 0
SolarisProjectName: system

dn: solarisprojectname=user.root,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 1
SolarisProjectName: user.root

dn: solarisprojectname=noproject,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 2
SolarisProjectName: noproject

dn: solarisprojectname=default,ou=projects,dc=example,dc=com
objectClass: top
objectClass: solarisproject
SolarisProjectID: 3
SolarisProjectName: default

As discussed in Chapter 6, "Management Tools and Toolkits," the Solaris Management Console (smc(1M)) can be used to manage project data. Below is an LDIF representation of a new project created through smc.

dn: SolarisProjectName=testproj,ou=projects,dc=example,dc=com
objectClass: SolarisProject
objectClass: top
SolarisProjectName: testproject
SolarisProjectID: 100
memberUid: tomb,mhaines
memberGid: operator
SolarisProjectAttr: description: Test Project

RBAC-Related Databases
To use LDAP as a naming service for role-based access control (RBAC) data, there must be a defined mapping between the field names specified in the /etc files and LDAP object classes and attributes. TABLE 5-1 shows the mapping between RBAC databases and LDAP object classes.

Table 5-1. Object Class Mapping
TABLE 5-2 shows the attributes defined for the four RBAC-related object classes.

Table 5-2. LDAP Attributes
TABLE 5-3 and TABLE 5-4 show the mapping between fields in the RBAC databases and their equivalent LDAP attributes.

Table 5-3. Database Fields
Table 5-4. Equivalent LDAP Attributes
Creating RBAC Entries with LDIF
Two additional containers need to be added to your DIT: ou=SolarisAuthAttr and ou=SolarisProfAttr. To add the SolarisAuthAttr and SolarisProfAttr containers, create an LDIF file and import the file with ldapmodify:

dn: ou=SolarisAuthAttr,dc=example,dc=com
changetype: add
ou: SolarisAuthAttr
objectclass: top
objectclass: organizationalUnit

dn: ou=SolarisProfAttr,dc=example,dc=com
changetype: add
ou: SolarisProfAttr
objectclass: top
objectclass: organizationalUnit

Adding Extended User Attributes to Existing Users
The extended user attributes that are contained in user_attr can be added to a user's LDAP entry. This can be done either at the time the user entry is created or applied to an entry that already exists. The following example shows LDIF for adding the extended attributes to an existing user entry.

Contents of user_attr:

# cat /etc/user_attr
tom::::auths=solaris.*,solaris.grant;profiles=All
. . .
#

Modifying the user entry: to add the extended user attributes to a user's LDAP entry, create an LDIF file and import it with the ldapmodify command.

dn: uid=tom,ou=people,dc=example,dc=com
changetype: modify
replace: objectclass
objectClass: top
objectClass: account
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: SolarisUserAttr
-
replace: SolarisAttrKeyValue
SolarisAttrKeyValue: auths=solaris.*,solaris.grant;profiles=All

In this example, the SolarisUserAttr object class is added to the entry and the data contained in user_attr is specified in the SolarisAttrKeyValue attribute. Similar LDIF can be used to modify the extended attributes later.

Adding Profile Descriptions
The standard profile attributes are defined in the /etc/security/prof_attr file.

# cat /etc/security/prof_attr
System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management,Cron Management,Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.html
. . .
#

The standard profile attributes can be converted to LDIF representation as shown.

dn: cn=System Administrator,ou=SolarisProfAttr,dc=example,dc=com
changetype: add
cn: System Administrator
objectclass: top
objectclass: SolarisProfAttr
SolarisAttrKeyValue: profiles=Audit Review,Printer Management,Cron Management,Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.html
SolarisAttrLongDesc: Can perform most non-security administrative tasks

Adding Authorization Descriptions
In this example, an LDAP entry for one line in the authorization description database is created.

Contents of auth_attr file:

# cat /etc/security/auth_attr
solaris.admin.diskmgr.read:::View Disks::help=AuthDiskmgrRead.html
. . .

LDIF can be used to create an entry:

dn: cn=solaris.admin.diskmgr.read,ou=SolarisAuthAttr,dc=example,dc=com
changetype: add
cn: solaris.admin.diskmgr.read
objectclass: top
objectclass: SolarisAuthAttr
SolarisAttrShortDesc: View Disks
SolarisAttrKeyValue: help=AuthDiskmgrRead.html

Adding Execution Profiles
In this example, an LDAP entry for one line in the exec_attr file is created.

Content of exec_attr file:

# cat /etc/security/exec_attr
Network Management:suser:cmd:::/usr/bin/setuname:euid=0
. . .

LDIF to create an entry:

dn: cn=Network Management+SolarisKernelSecurityPolicy=suser+SolarisProfileType=cmd+SolarisProfileId=/usr/bin/setuname,ou=SolarisProfAttr,dc=example,dc=com
changetype: add
cn: Network Management
SolarisKernelSecurityPolicy: suser
SolarisProfileType: cmd
SolarisProfileId: /usr/bin/setuname
SolarisAttrKeyValue: euid=0
objectclass: SolarisProfAttr
objectclass: top
Note: The DN contains all the fields with values, separated by the + (plus) sign.
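The three add-type conversions above (prof_attr, auth_attr and exec_attr) as one added Python example, not code from the book: it builds the same LDIF from the colon-separated source lines and applies RFC 4514 escaping to RDN values, which matters for the multi-valued exec_attr DN because an unescaped + or , inside a field value would be parsed as an additional RDN component. Assumed beyond the page: the dc=example,dc=com suffix, the function names, and mapping the auth_attr long-description field to SolarisAttrLongDesc.

```python
import re

BASE_DN = "dc=example,dc=com"   # assumption: the suffix used by the book's examples

def rdn_escape(value):
    """RFC 4514 escaping so a ',' or '+' inside a value is not read as a new RDN part."""
    value = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    if value.startswith((" ", "#")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def record(dn, attrs):
    """Render one 'changetype: add' record from (name, value) pairs, skipping empty fields."""
    lines = ["dn: " + dn, "changetype: add"]
    lines += ["%s: %s" % (k, v) for k, v in attrs if v]
    return "\n".join(lines) + "\n"

def prof_attr_to_ldif(line):
    # prof_attr fields: name:res1:res2:desc:attr
    name, _, _, desc, attr = line.rstrip("\n").split(":", 4)
    return record("cn=%s,ou=SolarisProfAttr,%s" % (rdn_escape(name), BASE_DN),
                  [("cn", name), ("objectclass", "top"), ("objectclass", "SolarisProfAttr"),
                   ("SolarisAttrKeyValue", attr), ("SolarisAttrLongDesc", desc)])

def auth_attr_to_ldif(line):
    # auth_attr fields: name:res1:res2:short_desc:long_desc:attr
    name, _, _, short, long_, attr = line.rstrip("\n").split(":", 5)
    return record("cn=%s,ou=SolarisAuthAttr,%s" % (rdn_escape(name), BASE_DN),
                  [("cn", name), ("objectclass", "top"), ("objectclass", "SolarisAuthAttr"),
                   ("SolarisAttrShortDesc", short),
                   ("SolarisAttrLongDesc", long_),   # assumed mapping; field is empty on the page
                   ("SolarisAttrKeyValue", attr)])

def exec_attr_to_ldif(line):
    # exec_attr fields: name:policy:type:res1:res2:id:attr; the RDN is multi-valued (joined by '+')
    name, policy, ptype, _, _, pid, attr = line.rstrip("\n").split(":", 6)
    parts = [("cn", name), ("SolarisKernelSecurityPolicy", policy),
             ("SolarisProfileType", ptype), ("SolarisProfileId", pid)]
    rdn = "+".join("%s=%s" % (k, rdn_escape(v)) for k, v in parts)
    return record(rdn + ",ou=SolarisProfAttr," + BASE_DN,
                  parts + [("SolarisAttrKeyValue", attr),
                           ("objectclass", "SolarisProfAttr"), ("objectclass", "top")])
```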
Printer Entries
Printer entries are created using the lpset command, as shown.

# lpset -n ldap -D "cn=directory manager" -w mypassword -h ldapserver -a bsdaddr=printhost,myprinter,Solaris myprinter
Note: This command should be run from a shell script to avoid the password appearing in the output of ps -ef.
The printer defined here is a networked printer that supports a Berkeley Software Distribution (BSD) print spooler. The entry in LDIF format looks like this:

dn: printer-uri=myprinter,ou=printers,dc=example,dc=com
objectClass: top
objectClass: printerService
objectClass: printerAbstract
objectClass: sunPrinter
printer-name: myprinter
sun-printer-bsdaddr: printhost,myprinter,Solaris
printer-uri: myprinter