Monday, October 1, 2012

Overview of the ldapclient command

I have seen a lot of forum posts on the web asking for help on with this command. So I writing this post so I can help people understand the basic process of getting a Solaris server to authenticate to a LDAP server, using the ldapclient command. This post is not a "how to" for ldapclient command.


Synopsis
/var/sbin/ldapclient [-v | -q] [init | manual | mod | list | uninit | genprofile]

ldapclient sub-commands
The init sub-command for the ldapclient utility is used to initialize the client server, using a profile stored on an LDAP server.
The manual sub-command for the ldapclient utility is used to manually setup the LDAP client.
The mod  sub-command for the ldapclient utility is used to modify the configuration of the LDAP client that was setup manually.
The list  sub-command for the ldapclient utility shows the current LDAP client configuration.
The uninit sub-command for the ldapclient utility basically blows away your setup so you can start again.
The genprofile sub-command is used to generate  a LDIF file that can then be loaded into the LDAP server.

Any files modified during setup will backed up to /var/ldap/restore. Theses files are typically modified during setup are:
/etc/nsswitch.conf
/etc/defaultdomain (if it exists)
/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred

The last to files above are created by ldapclient.

Steps to getting a Solaris client to work with a LDAP server.
1) Gather information that will be used, like IP addresses and host names.
 Note - You should capture the variables for the command before you run it. You will need it later.
2) Run ldapclient manual
3) If needed ldapclient mod

4) Test LDAP user accounts. this means login as the user.
5) If accounts works, then run the ldapclient genprofile command witch will create a ldif file. If you kept the full command from steps 1 or 2, just replace the word manual and/or mod with genprofile and run the command. Load the ldif in the LDAP server. This ldif file creates the the profile and agent entries.
6) If the proxy agent and profile are working, then all you need to do is run ldapclient init on all new Solaris clients.

Now as I said earlier this not a how to. This just a simple overview of the ldapclient command.
I hope this helps someone.