LDAP in the Solaris Operating Environment: Deploying Secure Directory Services
Graphical User Interface (GUI) tools are an alternative to command-line tools and are useful for administrators who are new to LDAP. In general, GUI tools are suited to tasks that require few changes, or to learning how the directory is organized. For repetitive tasks, or tasks requiring many updates to directory data, scripts built around the command-line tools are the better choice. GUI tools provide a visual way of looking at the directory hierarchy; however, when the number of entries is large, displaying them in a readable format becomes problematic. While there are many third-party graphical tools for displaying and manipulating LDAP data, this section focuses on three: the Sun ONE Directory Console, the Solaris Management Console (smc), and the LDAP Browser/Editor (LBE).

The first tool is part of the directory server software distribution, the second is part of the Solaris OE, and the third is a public domain tool.

Sun ONE Directory Console
The Sun ONE Directory Console is a Java-based application that can be installed along with, or separately from, the directory server. The Directory Console can also be displayed through the X protocol on a remote system. Most common administration functions can be performed through the Directory Console, although some may be cumbersome. The Sun ONE Directory Server documentation does a good job of detailing how to perform most procedures. The intent of this section is not to repeat those procedures, although some similar examples are provided for educational purposes. In general, command-line tools, and scripts built around them, are recommended over the Sun ONE Directory Console because of their flexibility and repeatability. However, the Console can be a valuable learning tool, and at times it is more convenient for some tasks. All operations performed through the Console can be captured in a form suitable for use with ldapmodify by enabling the directory server audit log.

Sample Tasks Using the Directory Console
The following are examples of how the Directory Console can be used to perform useful tasks.

To View the DIT With the Directory Console
One drawback of viewing entries through the Directory Console is that performance can become sluggish when there are a large number of entries. Another is that there is no way to dump the LDIF representation of a single entry from the Console; for that, use ldapsearch with the entry's DN as the search base and a base scope (-s base).
Note: Newly created entries do not immediately appear in the view. You may have to refresh the view to see new entries.
To Add New Entries With the Directory Console
Entries can be created, modified, or deleted from the Directory Console. However, creating entries is not always a one-step process. This is because the Directory Console is a general-purpose tool that makes assumptions about how entries should be constructed. In the case of entries defining a Solaris OE user profile, the entry you create will require additional object classes and attributes that are not created by the Directory Console. FIGURE 6-2 is an example of creating a user account through the Directory Console that can be used to log in to a Solaris OE system.

Figure 6-2. Directory Console New User Form
In this example, the POSIX User account option is chosen from the New menu. To complete the entry, you need to manually add the shadowAccount object class with the Property Editor, because a Solaris OE user entry requires it and the Directory Console does not add it. FIGURE 6-3 shows what the Directory Console display should look like after the shadowAccount attributes have been added.

Figure 6-3. Adding Shadow Account Attributes With the Property Editor
Note: The Sun ONE Directory Server 5.2 software uses the Edit with Generic Editor pull-down menu option rather than the Advanced button.
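Every step of the procedure above (the Console's add of the user, then the add of the shadowAccount object class) is recorded by the directory server audit log mentioned earlier, and that record can be turned into ldapmodify input so the same change is repeatable on other servers. The following Python script is an added example, not code from the book or from the Sun ONE Directory Server software. It assumes the audit log layout that Sun ONE/iPlanet Directory Server writes: banner lines when the server starts, then one record per operation consisting of a time: line followed by a standard LDIF change record, with records separated by blank lines; the server also logs its own modifiersName/modifyTimestamp updates, which ldapmodify cannot write back, so the script strips them. The sample audit log is constructed, not captured from a real server.

```python
"""Turn a Directory Server audit log into ldapmodify input.

Added example, not from the book. Assumed layout: banner lines at server
start, then one record per operation ('time: YYYYMMDDhhmmss' followed by a
standard LDIF change record), records separated by blank lines. The server
also logs replace clauses for attributes it maintains itself (modifiersName,
modifyTimestamp, ...), which ldapmodify cannot write back; those are removed.
"""
import re

# Server-maintained attributes; a replayed change must not carry them.
OPERATIONAL_ATTRS = {
    "creatorsname", "createtimestamp", "modifiersname", "modifytimestamp",
    "nsuniqueid",
}

# Constructed sample, not a real capture: the Console creates a posixAccount
# user, then the administrator adds shadowAccount through the Property Editor.
SAMPLE_AUDIT_LOG = """\
\tSun-ONE-Directory/5.2 (constructed banner)
\tldap.example.com:389 (/var/Sun/mps/slapd-ldap)

time: 20030601101501
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: posixAccount
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 1001
gidNumber: 10
homeDirectory: /home/jdoe
creatorsName: cn=Directory Manager
modifiersName: cn=Directory Manager
createTimestamp: 20030601101501Z
modifyTimestamp: 20030601101501Z

time: 20030601101744
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: shadowAccount
-
replace: modifiersname
modifiersname: cn=Directory Manager
-
replace: modifytimestamp
modifytimestamp: 20030601101744Z
-
"""


def _attr_name(line):
    """Attribute type of an LDIF line, lowercased ('dn: x' -> 'dn')."""
    return line.split(":", 1)[0].strip().lower()


def _strip_modify_clauses(body):
    """Drop add/replace/delete clauses that target operational attributes."""
    kept, clause = [], []
    for line in body + ["-"]:                       # sentinel closes the last clause
        if line.strip() != "-":
            clause.append(line)
            continue
        if clause:
            target = clause[0].split(":", 1)[1].strip().lower() if ":" in clause[0] else ""
            if target not in OPERATIONAL_ATTRS:
                kept.extend(clause + ["-"])
        clause = []
    return kept


def audit_to_ldif(audit_text):
    """Return the replayable LDIF change records contained in an audit log."""
    unfolded = re.sub(r"\n ", "", audit_text)        # join LDIF continuation lines
    records = []
    for block in re.split(r"\n\s*\n", unfolded.strip("\n")):
        lines = [l for l in block.split("\n") if l.strip()]
        if not lines or _attr_name(lines[0]) != "time":
            continue                                   # banner written at server start
        lines = lines[1:]                              # drop the time stamp
        idx = next((i for i, l in enumerate(lines) if _attr_name(l) == "changetype"), None)
        if idx is None:                                # no changetype: LDIF treats it as an add
            changetype, head, body = "add", lines[:1], lines[1:]
        else:
            changetype = lines[idx].split(":", 1)[1].strip().lower()
            head, body = lines[:idx + 1], lines[idx + 1:]
        if changetype == "add":
            body = [l for l in body if _attr_name(l) not in OPERATIONAL_ATTRS]
        elif changetype == "modify":
            body = _strip_modify_clauses(body)
        records.append("\n".join(head + body))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Save the output to a file and feed it to ldapmodify on the target server.
    print(audit_to_ldif(SAMPLE_AUDIT_LOG), end="")
```

The output keeps the two change records exactly as the Console performed them and drops only the time stamps, the banner, and the server-maintained attributes; run it against the real audit log and review the result before replaying it, since it reproduces every change the log contains, including mistakes.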
To Add Non-User Entries With the Directory Console
The Directory Console can be used to create other RFC 2307 defined entries besides the posixAccount entries described previously.
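Entries the Console builds incompletely are easy to miss by eye in a large tree: the posixAccount users without shadowAccount from the previous procedure, and the host entries discussed next, which lack the device object class and use ipHostNumber as the RDN. The following Python script is an added example, not code from the book or from Solaris. It reads the LDIF that ldapsearch prints, emits the ldapmodify change records that add shadowAccount where it is missing, reports host entries that do not match the ldapaddent layout, and can generate a host entry in that layout. The ldapaddent layout it assumes (RDN cn=<host>+ipHostNumber=<addr>, object classes top, device and ipHost) is taken from Solaris ldapaddent output; the sample LDIF and the dc=example,dc=com suffix are constructed.

```python
"""Audit ldapsearch output for Directory Console-created entries.

Added example, not from the book or Solaris. Two checks, matching the text:
posixAccount entries must also carry shadowAccount (an ldapmodify change
record is emitted for each that does not), and host entries should look like
ldapaddent output, assumed here to be dn: cn=<host>+ipHostNumber=<addr>,...
with object classes top, device and ipHost (entries that differ are reported).
"""
import re

# Constructed ldapsearch -L output: a Console-created user (no shadowAccount),
# a complete user, a host without 'device' whose RDN is ipHostNumber, and a
# host in the ldapaddent layout.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: jdoe
cn: John Doe
uidNumber: 1001
gidNumber: 10
homeDirectory: /home/jdoe

dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: asmith
cn: Ann Smith
uidNumber: 1002
gidNumber: 10
homeDirectory: /home/asmith

dn: ipHostNumber=192.168.1.20,ou=hosts,dc=example,dc=com
objectClass: top
objectClass: ipHost
cn: consolehost
ipHostNumber: 192.168.1.20

dn: cn=dbhost+ipHostNumber=192.168.1.30,ou=hosts,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: ipHost
cn: dbhost
ipHostNumber: 192.168.1.30
"""


def parse_ldif(text):
    """LDIF entries as dicts of lowercased attribute type -> list of values."""
    text = re.sub(r"\n ", "", text)                 # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.split("\n"):
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")    # base64 ('::') values stay encoded
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def object_classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def rdn_attrs(dn):
    """Attribute types of the first RDN, lowercased ('+' joins a multi-valued RDN).
    Escaped commas inside the RDN are not handled."""
    first = dn.split(",", 1)[0]
    return {part.split("=", 1)[0].strip().lower() for part in first.split("+")}


def shadow_account_fixes(entries):
    """ldapmodify input adding shadowAccount to posixAccount entries lacking it."""
    fixes = []
    for e in entries:
        classes = object_classes(e)
        if "posixaccount" in classes and "shadowaccount" not in classes:
            fixes.append("dn: %s\nchangetype: modify\nadd: objectClass\n"
                         "objectClass: shadowAccount\n-\n" % e["dn"][0])
    return "\n".join(fixes)


def nonstandard_hosts(entries):
    """(dn, reasons) for ipHost entries that do not match the ldapaddent layout."""
    problems = []
    for e in entries:
        classes = object_classes(e)
        if "iphost" not in classes:
            continue
        dn, reasons = e["dn"][0], []
        if "device" not in classes:
            reasons.append("device object class missing")
        if rdn_attrs(dn) != {"cn", "iphostnumber"}:
            reasons.append("RDN is not cn=<host>+ipHostNumber=<addr>")
        if reasons:
            problems.append((dn, reasons))
    return problems


def host_entry_ldif(hostname, addr, base="ou=hosts,dc=example,dc=com"):
    """A host entry in the assumed ldapaddent layout, ready for ldapadd."""
    return ("dn: cn=%s+ipHostNumber=%s,%s\nobjectClass: top\nobjectClass: device\n"
            "objectClass: ipHost\ncn: %s\nipHostNumber: %s\n"
            % (hostname, addr, base, hostname, addr))


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(shadow_account_fixes(entries))
    for dn, reasons in nonstandard_hosts(entries):
        print("%s: %s" % (dn, "; ".join(reasons)))
```

In practice the input is the output of an ldapsearch over ou=People and ou=hosts; the shadowAccount fixes can be applied directly with ldapmodify, while a mis-shaped host entry has to be deleted and re-added (an RDN change is not a simple modify), which is what host_entry_ldif produces.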
For a host entry, the only two required attributes are the host name, represented by cn, and the IP address, represented by ipHostNumber. While an ou=host entry can be created this way, it is not in the same format that ldapaddent and the NIS/NIS+ Gateways use by default: the device object class is not included, and the RDN uses the ipHostNumber attribute in place of cn.

Solaris Management Console
The Solaris Management Console (smc) is essentially a container for GUI-based system administration tools. The tools are stored in collections called toolboxes. By default, a toolbox for managing local databases, that is, the /etc files, is created. Toolboxes for managing naming service data can be created as described later in this section. Once a toolbox is created for your LDAP naming service, management tools, such as user management tools, can be installed in it. The definition of the toolbox and the tools it contains can be stored in a file and loaded once smc is started. FIGURE 6-5 shows how users stored in an LDAP naming service appear in smc.

Figure 6-5. Solaris Management Console (smc) With an LDAP Toolbox
To add new users, the Add User Wizard can be used, as shown in FIGURE 6-6.

Figure 6-6. Adding a User Through smc
To Set Up an LDAP Name Service Domain Toolbox
Before setting up an LDAP toolbox, you should have a configured and populated directory server. You can set up the toolbox either on the same system as the directory server, or on a different system.
LDAP Browser/Editor (LBE)
The LDAP Browser/Editor (LBE) is public domain software developed at the University of Michigan that can be downloaded from various web sites. The following instructions use LBE version 2.8.2.

To Install and Configure the LBE