ldapclient(1M) is a utility used to set up LDAP clients on a Solaris system. ldapclient assumes the server has already been configured with the appropriate client profiles. You must install and configure the server with the appropriate profiles before you can set up clients.

Profile

At a minimum, you need to specify the address of the server containing the profile and the domain you want to use. If no profile is specified, the "default" profile is assumed. The server provides the rest of the required information, except for proxy and certificate database information. If a client's credential level is proxy or proxy anonymous, you must supply the proxy bind DN and password. See Assigning Client Credential Levels for more information. Starting in the Solaris 10 10/09 release, the enableShadowUpdate switch is available. To enable shadow data update, you must provide the admin credential (adminDN plus adminPassword).

Manual

You configure the profile on the client itself, which means that you define all parameters from the command line. Thus, the profile information is stored in cache files and is never refreshed by the server.

/etc/resolv.conf must be configured and the dns service must be running. See the DNS chapters in this document for details. The directory server DIT must be pre-loaded with (at a minimum) the users of this client machine, the client host and the necessary auto_home LDAP entries. See other sections of this manual for details on how to add entries using ldapaddent.

```
# /usr/sbin/ldapclient init -a profilename=gssapi_SPARKS.COM -a \
domainname=example.com 9.9.9.50
```

Try to log in as a user: run kinit -p user. Run ldaplist -l passwd user in the user's login session and you should see userpassword. But ldaplist -l passwd bar gets the entry without userpassword. By default root can still see the userpassword of everybody.

If the syslog has messages like `libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed - 82 Local error`, it is likely that Kerberos is not initialized or its ticket has expired. Run klist to check. Run kinit -p foo or kinit -R -p foo and try again. If you want, you can add pam_krb5.so.1 to /etc/pam.conf so that kinit runs automatically when you log in. For example:

```
login   auth optional pam_krb5.so.1
rlogin  auth optional pam_krb5.so.1
other   auth optional pam_krb5.so.1
```

If a user has run kinit and the syslog message indicates Invalid credential, then the problem could be that the host entry (root) or the user entry is not in the LDAP directory, or that the mapping rules are not correct.

When ldapclient init is executed, it performs some checks if the LDAP profile contains a self/sasl/GSSAPI configuration. If it fails at the /etc/nsswitch.ldap check, the usual reason is that dns was not added to hosts: and ipnodes:. If it fails because the DNS client is not enabled, run svcs -l dns/client to see whether /etc/resolv.conf is missing or the service is just disabled. Run svcadm enable dns/client to enable it. If the check fails because of the sasl/GSSAPI bind, check syslog to find out what went wrong.

```
# ldapclient init \
-a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
-a domainName=west.example.com \
-a profileName=pit1 \
-a proxyPassword=test1234 192.168.0.1
System successfully configured
```

The -a proxyDN and -a proxyPassword options are required if the profile to be used is set up for proxy. As the credentials are not stored in the profile saved on the server, you must supply the information when you initialize the client. This method is more secure than the older method of storing the proxy credentials on the server. The proxy information is used to create /var/ldap/ldap_client_cred. The rest of the information is put in /var/ldap/ldap_client_file.

Initializing a Client Manually

Superusers, or administrators with an equivalent role, can perform manual client configurations. However, many of the checks are bypassed during the process, so it is relatively easy to misconfigure your system. In addition, you must change settings on every machine, instead of in one central place, as is done when using profiles.

Become superuser or assume an equivalent role. Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

Use ldapclient manual to initialize the client.

```
# ldapclient manual \
-a domainName=dc=west.example.com \
-a credentialLevel=proxy \
-a defaultSearchBase=dc=west,dc=example,dc=com \
-a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
-a proxyPassword=testtest 192.168.0.1
```

Use ldapclient list to verify.

```
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 192.168.0.1
NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
NS_LDAP_CREDENTIAL_LEVEL= proxy
```

Uninitializing a Client

ldapclient uninit restores the client name service to what it was prior to the most recent init, modify, or manual operation. In other words, it performs an "undo" on the last step taken. For example, if the client was configured to use profile1 and was then changed to use profile2, using ldapclient uninit would revert the client back to using profile1.
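The pre-flight check that ldapclient init performs for a self/sasl/GSSAPI profile (dns listed for hosts: and ipnodes: in /etc/nsswitch.ldap) and the ldapclient list verification after a manual configuration, written as a small shell script an administrator can run before and after configuring a client. This is an added example, not code from the Solaris guide or from ldapclient itself; the file names, the expected values and the sample nsswitch and ldapclient list contents are constructed for the demonstration (the list values mirror the guide's own example output).

```shell
#!/bin/sh
# Added example, not code from the Solaris guide: offline checks for the two
# things the text says to verify by hand, (1) that the nsswitch file lists dns
# for hosts: and ipnodes: before "ldapclient init" against a self/sasl/GSSAPI
# profile, and (2) that saved "ldapclient list" output records the credential
# level and search base the administrator intended.
# File names and sample contents below are constructed for the demonstration.

# nsswitch_has_dns FILE
# Succeeds only if both the hosts: and ipnodes: entries in FILE include dns.
nsswitch_has_dns() {
    file=$1
    for db in hosts ipnodes; do
        # Take the entry for this database, strip the "db:" prefix and comments.
        sources=$(sed -n "s/^${db}:[[:space:]]*//p" "$file" | sed 's/#.*//')
        case " $sources " in
            *" dns "*) ;;
            *) echo "$file: ${db}: does not list dns" >&2; return 1 ;;
        esac
    done
    return 0
}

# client_value FILE KEY
# Prints the value of KEY from saved "ldapclient list" output ("KEY= value").
client_value() {
    sed -n "s/^$2= *//p" "$1"
}

# check_client_config FILE LEVEL BASEDN
# Verifies that the recorded credential level and search base match what was
# requested and that a proxy-level client actually has a bind DN and an
# obfuscated ({NS1}) rather than clear-text bind password on record.
check_client_config() {
    file=$1 level=$2 base=$3
    [ "$(client_value "$file" NS_LDAP_CREDENTIAL_LEVEL)" = "$level" ] ||
        { echo "$file: credential level is not $level" >&2; return 1; }
    [ "$(client_value "$file" NS_LDAP_SEARCH_BASEDN)" = "$base" ] ||
        { echo "$file: search base is not $base" >&2; return 1; }
    if [ "$level" = proxy ]; then
        [ -n "$(client_value "$file" NS_LDAP_BINDDN)" ] ||
            { echo "$file: proxy level but no NS_LDAP_BINDDN" >&2; return 1; }
        case "$(client_value "$file" NS_LDAP_BINDPASSWD)" in
            "{NS1}"*) ;;
            *) echo "$file: bind password is not {NS1}-obfuscated" >&2; return 1 ;;
        esac
    fi
    return 0
}

# Constructed sample inputs (stand-ins for /etc/nsswitch.ldap and for
# "ldapclient list > file" on a real client).
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.good" <<'EOF'
# hosts and ipnodes resolve through files, then DNS, then LDAP
hosts:      files dns ldap
ipnodes:    files dns ldap
EOF
cat > "$tmp/nsswitch.bad" <<'EOF'
hosts:      files ldap
ipnodes:    files dns ldap
EOF
# Values as shown in the guide's "ldapclient list" example.
cat > "$tmp/client.list" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 192.168.0.1
NS_LDAP_SEARCH_BASEDN= dc=west,dc=example,dc=com
NS_LDAP_CREDENTIAL_LEVEL= proxy
EOF

# Demonstration run: report each result rather than stopping at the first failure.
for f in "$tmp/nsswitch.good" "$tmp/nsswitch.bad"; do
    if nsswitch_has_dns "$f"; then echo "$f: ok"; fi
done
if check_client_config "$tmp/client.list" proxy dc=west,dc=example,dc=com; then
    echo "$tmp/client.list: ok"
fi
```

On a real client, point nsswitch_has_dns at /etc/nsswitch.ldap and feed check_client_config the captured output of ldapclient list; the nsswitch.bad sample shows the failure mode the text describes (dns missing from hosts:), and the {NS1} check only confirms that the bind password was written in the obfuscated form rather than as typed on the command line.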