NAME
     ldapclient, ldap_gen_profile - initialize LDAP client machine or create an LDIF of an LDAP client profile

SYNOPSIS
     /usr/sbin/ldapclient [ -v ] -P profile_name [ -d domainname ] LDAP_server_addr

     /usr/sbin/ldapclient -i | -m [ -O ] [ -v ] [ -a none | simple | cram_md5 ] [ -b baseDN ] [ -B alternate_search_dn ] [ -d domainname ] [ -D Bind_DN ] [ -e client_TTL ] [ -o timeout_value ] [ -p server_preference ] [ -r follow_referrals ] [ -w client_password ] LDAP_server_addr ...

     /usr/sbin/ldapclient -l

     /usr/sbin/ldapclient -u [ -v ]

     /usr/sbin/ldap_gen_profile -P profile_name [ -O ] [ -a none | simple | cram_md5 ] [ -b baseDN ] [ -B alternate_search_dn ] [ -d domainname ] [ -D Bind_DN ] [ -e client_TTL ] [ -o timeout_value ] [ -p server_preference ] [ -r follow_referrals ] [ -w client_password ] LDAP_server_addr ...

DESCRIPTION
     The ldapclient utility can be used to:

          o  initialize LDAP client machines

          o  restore the network service environment on LDAP clients

          o  list the contents of the LDAP client cache in human-readable format.

     The ldap_gen_profile utility creates (on the standard output) an LDIF file that can be loaded into an LDAP server to be used as the client profile, which can then be downloaded by ldapclient.

     The first synopsis (-P profile_name) is used to initialize an LDAP client machine using a profile stored on the LDAP server specified by LDAP_server_addr. This is the simplest method and provides the default format with all the correct settings for talking to the set of servers. It also ensures that ldap_cachemgr(1M) can automatically update the configuration file as it changes.

     The second synopsis (-i | -m) is used to initialize an LDAP client machine. The -i option is used to convert machines to use LDAP or to change the machine's domain name. It assigns default values to the required parameters if they are not specified. You must be logged in as superuser on the machine that is to become an LDAP client.

     The -m option is used to modify the parameters in the cache file. It updates only the parameters specified.

     The -i option in conjunction with -a none can be used to initialize an unauthenticated LDAP client machine without having to specify a password. If the authentication method (simple or cram_md5) requires a password and one is not specified with the -w client_password option, the administrator is prompted for the password. If one is not provided, the command fails.

     During the client initialization process, each file that is modified is backed up as file.orig. The files usually modified during a client initialization are /etc/defaultdomain, /etc/nsswitch.conf, and, if they exist, /var/yp/binding/`domainname` for a NIS (YP) client or /var/nis/NIS_COLD_START for a NIS+ client, or, if the machine is already an LDAP client, /var/ldap/ldap_client_cache and /var/ldap/ldap_client_cred. Note that a file is not saved if a backup file already exists.

     The -i option does not set up an LDAP client to resolve hostnames using DNS. Refer to the DNS documentation for information on setting up DNS. See resolv.conf(4).

     The third synopsis (-l) lists the LDAP client cache. The output is human-readable (the cache files themselves are not guaranteed to be human-readable).

     The fourth synopsis (-u) uninitializes the network service environment, restoring it to the one in use before ldapclient -i was executed. You must be logged in as superuser on the machine that is to be restored. The restoration succeeds only if the machine was initialized with ldapclient -i, because it uses the backup files created by the -i option.

     The machine must be rebooted after initializing a machine or restoring the network service.

OPTIONS
     The following options are supported:

     -a none | simple | cram_md5
          Specify the authentication method. Multiple values can be specified, separated by commas. The default value is none. If simple or cram_md5 is specified, a password must be provided (see -w below).

     -b baseDN
          Specify the search baseDN (for example, dc=eng,dc=sun,dc=com). The default is the root naming context on the first server specified.

     -B alternate_search_dn
          Specify an alternative baseDN for LDAP searches (for example, ou=people,dc=corp,dc=sun,dc=com). An alternative search baseDN can be defined for each database possible in the /etc/nsswitch.conf file (see nsswitch.conf(4)). To remove a specific alternate baseDN, specify the database without any argument (for example, "passwd:"). The default value for all databases is NULL.

     -d domainname
          Specify the domain name (which becomes the default domain for the machine). The default is the current domain name.

     -D Bind_DN
          Specify the Bind Distinguished Name (for example, cn=proxyagent,ou=profile,dc=eng,dc=sun,dc=com).

     -e client_TTL
          Specify the TTL value for the client information. This is only relevant if the machine was initialized with a client profile. Set client_TTL to 0 (zero) if you do not want ldap_cachemgr to attempt an automatic refresh from the servers. The time is specified either as a zero "0" (for no expiration) or as a positive integer followed by "d" for days, "h" for hours, "m" for minutes or "s" for seconds. The default is 12h.

     -i   Initialize client.

     -l (ell)
          List the contents of the LDAP client cache. The output (sent to standard output) is meant to be easily readable (the direct contents of the cache files might not be easily readable).

     -m   Modify parameters in the configuration file.

     -o timeout_value
          Specify the LDAP operation timeout value. The default is the TCP default (usually 3 minutes).

     -O   Inform the client to contact only the servers on the preferred list (if, for instance, the others are at the wrong end of a WAN). The default is FALSE.

     -p server_preference
          Specify the server preference list (for example, 129.100.100.0:8080,129.100.200.1:386). The preferred servers can be defined either by the server's specific address or by the subnet the server resides in. To remove the server preference, specify "" for the -p option. The default preference is the local subnet.

     -P profile_name
          Specify a profile that is downloaded from the server and sets all the entries automatically. This option also sets an expiration time that ldap_cachemgr can use to automatically update the file if needed. The default profile_name is 'default' and is stored in the bind distinguished name. The profile name is also stored in the cache file.

     -r follow_referrals
          Specify the search referral option, either followref or noref. The default is followref.

     -u   Uninitialize the LDAP client. This option is appropriate only if ldapclient was used to initialize the client.

     -v   Specify verbose mode.

     -w client_password
          Specify the client password for the simple and cram_md5 authentication modes. This option is not required if the authentication mode is none.

OPERANDS
     The following operands are supported:

     LDAP_server_addr
          Server address (for example, 129.100.100.1:389,129.100.200.1). The port number is optional; if not specified, the default LDAP server port number ':389' is used.

EXAMPLES
     Example 1: Set up a client using the default profile stored on the specified server.

     This should list all the correct values for talking to your domain.

          example# ldapclient -P default 129.100.100.1

     Example 2: Set up a client using only one server and with authentication mode of none.

          example# ldapclient -i -a none 129.100.100.1

     Example 3: Set up a client using only one server and with authentication mode of cram_md5.

     Set up an LDAP client to use cram_md5 with client password "secret", with the domain information expiring once a week, with no referral following (-r noref), with the domain name "xyz.sun.com", and with the LDAP server running on port number 386 at IP address 129.100.100.1.

          example# ldapclient -i -a cram_md5 -w secret -d xyz.sun.com -e 7d \
               -r noref 129.100.100.1:386

     Example 4: Set up a client using two servers and with authentication mode of simple.

     Set up an LDAP client using two servers and with authentication mode of simple. The user is prompted for a client password.

          example# ldapclient -i -a simple 129.100.100.1 129.100.234.15:386

     Example 5: Set up a client with authentication mode of none.

     Set up an LDAP client with authentication mode of none that does not try to encrypt the transport with SSL and talks to only one server.

          example# ldapclient -i -a none 129.140.44.1

     Example 6: Use ldap_gen_profile to set only the Base DN and the server addresses.

     Use ldap_gen_profile to set only the Base DN and the server addresses, using all possible default values.

          example# ldap_gen_profile \
               -D cn=proxyagent,ou=profile,dc=eng,dc=sun,dc=com \
               129.100.100.1 129.100.234.15:386 > ldif_profile

     Example 7: Create a profile overriding every default value.

          example# ldap_gen_profile -P eng -a cram_md5 -d ge.co.uk -w test123 \
               -b dc=eng,dc=ge-uk,dc=com -B ou=people,dc=lab,dc=ge-uk,dc=com \
               -D cn=proxyagent,ou=profile,dc=eng,dc=ge-uk,dc=com -r noref \
               -e 1h -O -p 129.100.100.0 -o 30s 129.100.200.1 129.100.100.1 \
               204.34.5.6 > ldif_profile

FILES
     /var/ldap/ldap_client_cache
          contains a list of servers, their transport addresses, and the security method used to access them

     /var/ldap/ldap_client_cred
          contains the Bind Distinguished Name (see -D above) and the encrypted password

     /etc/defaultdomain
          system default domainname, matching the domainname of the "NIS data" in the LDAP servers

     /etc/nsswitch.conf
          configuration file for the name-service switch

     /etc/nsswitch.ldap
          sample configuration file that uses "files" and "ldap"

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWnisu                    |
    |_____________________________|_____________________________|

SEE ALSO
     ldap(1), ldapadd(1), ldapdelete(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1), ldap_cachemgr(1M), suninstall(1M), resolv.conf(4), attributes(5)
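The argument formats documented under OPTIONS and OPERANDS (-e client_TTL, the comma-separated -a method list, and host[:port] server addresses) are easy to get wrong in a provisioning script. The POSIX sh functions below are an added example, not part of the man page or of the Solaris tools; they validate and normalize those values before a wrapper hands them to ldapclient or ldap_gen_profile, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the ldapclient man page: POSIX sh validators for the
# -e client_TTL, -a method and LDAP_server_addr formats. Names are this example's own.
# -e client_TTL: "0" means no expiration; otherwise a positive integer followed by
# d, h, m or s. Prints the TTL in seconds, or returns 1 for a value ldapclient rejects.
ldap_ttl_seconds() {
    ttl=$1
    [ "$ttl" = 0 ] && { echo 0; return 0; }
    unit=${ttl#"${ttl%?}"}                 # last character (the unit)
    n=${ttl%?}                             # digits before it
    case $n in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -gt 0 ] || return 1
    case $unit in
        d) echo $((n * 86400)) ;;
        h) echo $((n * 3600)) ;;
        m) echo $((n * 60)) ;;
        s) echo "$n" ;;
        *) return 1 ;;
    esac
}

# LDAP_server_addr operand: host[:port]. Appends the default :389 when no
# port is given; rejects an empty host or a non-numeric port.
ldap_server_addr() {
    case $1 in
        ''|:*) return 1 ;;
        *:*) case ${1##*:} in ''|*[!0-9]*) return 1 ;; esac; echo "$1" ;;
        *) echo "$1:389" ;;
    esac
}

# -a value: one or more of none, simple, cram_md5 separated by commas.
ldap_auth_ok() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=,
    for m in $1; do
        case $m in none|simple|cram_md5) ;; *) IFS=$old_ifs; return 1 ;; esac
    done
    IFS=$old_ifs
}

# A password (-w, or the interactive prompt) is needed for simple or cram_md5.
ldap_needs_password() {
    case ",$1," in *,simple,*|*,cram_md5,*) return 0 ;; *) return 1 ;; esac
}

# Constructed run over the server list from Example 7 and the default -e value.
for s in 129.100.200.1 129.100.100.1:386 204.34.5.6; do ldap_server_addr "$s"; done
ldap_ttl_seconds 12h
```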