References

The following page was used as a reference:
http://www.sun.com/bigadmin/features/articles/nis_ldap_part1.jsp

LDAP server-side configuration

Editing the idsconfig script

Comment out the line that makes the script exit on the version check (the script only accepts iDS 5.x, so it refuses to run against a 6.0 server).

chk_ids_version()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"
    # check iDS version number.
    eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
    if [ $? -ne 0 ]; then
        ${ECHO} "ERROR: Can not determine the version number of iDS!"
        exit 1
    fi
    IDS_VER=`cat ${TMPDIR}/checkDSver`
    IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
    IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
    if [ "${IDS_MAJVER}" != "5" ]; then
        ${ECHO} "ERROR: $PROG only works with iDS version 5.x, not ${IDS_VER}."
        # exit 1    <- comment out this line
    fi
    if [ $DEBUG -eq 1 ]; then
        ${ECHO} " IDS_MAJVER = $IDS_MAJVER"
        ${ECHO} " IDS_MINVER = $IDS_MINVER"
    fi
}

Running the idsconfig script

The version error is still printed, but because the exit was commented out the script carries on with the setup.

# /usr/lib/ldap/idsconfig

It is strongly recommended that you BACKUP the directory server
before running idsconfig.

Hit Ctrl-C at any time before the final confirmation to exit.

Do you wish to continue with server setup (y/n/h)? [n] y
Enter the iPlanet Directory Server's (iDS) hostname to setup:
  server1
Enter the port number for iDS (h=help): [389]
ERROR: idsconfig only works with iDS version 5.x, not 6.0.
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [send.test]
Enter LDAP Base DN (h=help): [dc=send,dc=test]
  Checking LDAP Base DN ...
  Validating LDAP Base DN and Suffix ...
Enter the profile name (h=help): [default]
Default server list (h=help): [192.168.1.38]
Preferred server list (h=help): (none)
Choose desired search scope (one, sub, h=help):  [one] sub
The following are the supported credential levels:
  1  anonymous
  2  proxy
  3  proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
  1  none
  2  simple
  3  sasl/DIGEST-MD5
  4  tls:simple
  5  tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 2 

Current authenticationMethod: simple

Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n]
Do you want to modify the server sizelimit value (y/n/h)? [n]
Do you want to store passwords in "crypt" format (y/n/h)? [n]
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you wish to setup Service Search Descriptors (y/n/h)? [n]
... (remaining prompts omitted)

Adding LDAP entries

Log in to DSCC and select the "Directory Server" tab.
On the "Manage Entries" tab, add the following entries.

(1) Group
Create a new entry under ou=group,dc=send,dc=test as follows.
Select posixGroup as the objectclass.
Required attributes:
gidNumber: 5001
Full name (cn): soluser
Allowed attributes:
description: Solarisusers
memberUid: sunuser300

(2) User
Create a new entry under ou=People,dc=send,dc=test as follows.
Select User (inetOrgPerson) as the objectclass.
Full name (cn): taka
Surname (sn): taka
User ID (uid): taka
Password (userPassword): *****

Next, edit taka's entry.
With uid=taka selected, click "Edit Entry".
The edit screen appears; switch to the "Text View" tab.
Add the following to the "Editable attributes" field:
objectclass: posixAccount
objectclass: shadowAccount
gidNumber: 5001
homeDirectory: /export/home/taka
uidNumber: 10003
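
The same two entries as LDIF, so they can be loaded with ldapadd instead of typed into DSCC. This is an added example, not code from the original page; it assumes the base dc=send,dc=test and the ou=group / ou=People containers already exist, and it leaves userPassword out of the file on purpose.

```shell
#!/bin/sh
# Added example (not from the original page): emit the group and user entries
# the page creates through DSCC as LDIF. Assumes dc=send,dc=test and the
# ou=group / ou=People containers exist already.

# posix_group_ldif NAME GIDNUMBER MEMBERUID [DESCRIPTION]
posix_group_ldif() {
    printf 'dn: cn=%s,ou=group,dc=send,dc=test\n' "$1"
    printf 'objectclass: top\nobjectclass: posixGroup\n'
    printf 'cn: %s\ngidNumber: %s\nmemberUid: %s\n' "$1" "$2" "$3"
    if [ -n "$4" ]; then printf 'description: %s\n' "$4"; fi
    printf '\n'
}

# posix_user_ldif UID UIDNUMBER GIDNUMBER HOMEDIR
# inetOrgPerson plus posixAccount/shadowAccount, as on the page.
# userPassword is deliberately omitted: set it afterwards (for example with
# passwd -r ldap on a configured client) instead of writing it into a file.
posix_user_ldif() {
    printf 'dn: uid=%s,ou=People,dc=send,dc=test\n' "$1"
    printf 'objectclass: top\nobjectclass: person\n'
    printf 'objectclass: organizationalPerson\nobjectclass: inetOrgPerson\n'
    printf 'objectclass: posixAccount\nobjectclass: shadowAccount\n'
    printf 'cn: %s\nsn: %s\nuid: %s\n' "$1" "$1" "$1"
    printf 'uidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n\n' "$2" "$3" "$4"
}

# check_user_ldif LDIF_TEXT: returns 0 when every attribute the page adds to
# the user entry is present, 1 otherwise.
check_user_ldif() {
    for attr in 'objectclass: posixAccount' 'objectclass: shadowAccount' \
                'gidNumber: ' 'uidNumber: ' 'homeDirectory: '; do
        printf '%s\n' "$1" | grep -q "^$attr" || return 1
    done
    return 0
}

# Usage (needs the directory server): write both entries and load them with
# the same bind DN the page uses for ldapmodify.
#   { posix_group_ldif soluser 5001 sunuser300 Solarisusers
#     posix_user_ldif taka 10003 5001 /export/home/taka; } > entries.ldif
#   ldapadd -D "cn=Directory Manager" -w '****' -f entries.ldif
```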

Allowing anonymous access

Creating the ACL configuration. These ACIs grant anonymous users, the user themselves and the proxy agent read/search/compare access to everything except userPassword, and deny users write access to their own POSIX and shadow attributes except loginShell.
# vi acis.ldif
dn: dc=send,dc=test
changetype: modify
replace: aci
aci: (target="ldap:///dc=send,dc=test") (targetattr="*") (version 3.0; acl "allow all Admin group"; allow (all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=send,dc=test";)
aci: (target="ldap:///dc=send,dc=test") (targetattr != "userPassword") (version 3.0; acl "Anonymous read-search access"; allow (read,search,compare) (userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=send,dc=test") (targetattr != "userPassword") (version 3.0; acl "allow self read search compare"; allow (read,search,compare) userdn = "ldap:///self";)
aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid") (version 3.0; acl "LDAP_Naming_Services_deny_write_access"; deny (write) userdn = "ldap:///self";)
aci: (targetattr = "loginShell") (version 3.0; acl "LDAP_Naming_Services_allow_certain_changes"; allow (write) userdn = "ldap:///self";)
aci: (target="ldap:///dc=send,dc=test") (targetattr != "userPassword") (version 3.0; acl "LDAP_Naming_Services_proxy_read"; allow (read,search,compare) userdn = "ldap:///cn=proxyagent,ou=people,dc=send,dc=test";)

Apply it with the ldapmodify command.
# ldapmodify -D "cn=Directory Manager" -w **** (password) -f acis.ldif

LDAP client side (Solaris 10)

Backing up the configuration

Before making any changes, back up the original copies of the following files:
/etc/nsswitch.conf
/etc/pam.conf

Connect to the LDAP server with the ldapclient command. Note that the proxy DN given here (cn=proxyagent,ou=profile,...) is not the DN that acis.ldif grants proxy read access to (cn=proxyagent,ou=people,...); the two should refer to the same entry.
# ldapclient init -v -a profileName=default -a domainName="send.test" -a proxyDN="cn=proxyagent,ou=profile,dc=send,dc=test" -a proxyPassword=**** 192.168.1.38
Other options (may not be necessary):
# ldapclient mod -a authenticationMethod=simple
# ldapclient mod -a defaultSearchScope=sub

Editing /etc/nsswitch.conf

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap
group:      files ldap

# consult /etc "files" only if ldap is down.
hosts:      files dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap

printers:   user files ldap

auth_attr:  files ldap
prof_attr:  files ldap

project:    files ldap

tnrhtp:     files ldap
tnrhdb:     files ldap

Editing /etc/pam.conf

#
#ident  "@(#)pam.conf   1.28    04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_dial_auth.so.1
login   auth binding        pam_unix_auth.so.1 server_policy
login   auth required       pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
# ... (omitted)
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding        pam_unix_auth.so.1 server_policy
other   auth required       pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding        pam_passwd_auth.so.1 server_policy
passwd  auth required       pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required    pam_projects.so.1
other   account binding     pam_unix_account.so.1 server_policy
other   account required    pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1
other   password required   pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

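A small lint for the "auth" stacks in the pam.conf above, as an added example that is not part of the original page. It checks each service for the pattern the page relies on (a "binding ... server_policy" pam_unix_auth or pam_passwd_auth line followed by a "required" pam_ldap line), since a missing pam_ldap line or a "sufficient" control flag silently changes who is able to log in. The sample pam.conf is constructed here.

```shell
#!/bin/sh
# Added example (not from the original page): check pam.conf "auth" stacks
# for the Solaris 10 LDAP pattern used above:
#   <svc> auth binding  pam_unix_auth.so.1 server_policy
#   <svc> auth required pam_ldap.so.1
# "binding" ends the stack on local success; on local failure control falls
# through to pam_ldap, which must be "required" and come after the local module.

# pam_auth_lint FILE: prints "service: problem" per offender, returns 1 if any.
pam_auth_lint() {
    awk '
    /^[ \t]*#/ || NF < 4 || $2 != "auth" { next }
    {
        svc = $1
        if ($4 == "pam_unix_auth.so.1" || $4 == "pam_passwd_auth.so.1") {
            unix_seen[svc] = 1
            if ($3 != "binding" || $5 != "server_policy")
                bad[svc] = $4 " must be \"binding ... server_policy\""
        } else if ($4 == "pam_ldap.so.1") {
            if ($3 != "required")
                bad[svc] = "pam_ldap.so.1 must be \"required\""
            else if (!(svc in unix_seen))
                bad[svc] = "pam_ldap.so.1 listed before the local auth module"
            else
                ldap_ok[svc] = 1
        }
    }
    END {
        for (s in unix_seen)
            if (!(s in ldap_ok) && !(s in bad))
                bad[s] = "no pam_ldap.so.1 after the local auth module"
        n = 0
        for (s in bad) { printf "%s: %s\n", s, bad[s]; n++ }
        if (n > 0) exit 1
    }' "$1"
}

# Constructed sample: login and passwd follow the page; rsh never reaches
# LDAP, and other uses "sufficient" instead of "binding".
PAM_SAMPLE='login   auth requisite  pam_authtok_get.so.1
login   auth binding    pam_unix_auth.so.1 server_policy
login   auth required   pam_ldap.so.1
passwd  auth binding    pam_passwd_auth.so.1 server_policy
passwd  auth required   pam_ldap.so.1
rsh     auth binding    pam_unix_auth.so.1 server_policy
other   auth sufficient pam_unix_auth.so.1 server_policy
other   auth required   pam_ldap.so.1'
# Usage: pam_auth_lint /etc/pam.conf
```

Run it against the sample by writing PAM_SAMPLE to a file first; it reports the rsh and other services and leaves login and passwd alone.
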
Creating the user's home directory
# mkdir /export/home/taka
# cd /export/home
# chown taka taka
# chgrp soluser taka

End.
Last updated: 2008-02-11 02:46