In April 2013 I posted a blog entry,  Getting Started with OpenLDAP, which included some shell scripts for configuring the OpenLDAP server to manage Oracle Solaris accounts. Back then the only supported tool for configuring an LDAP server was idsconfig(8), which only worked with Oracle Directory Server Enterprise Edition (ODSEE). The OpenLDAP server, slapd, is now fully supported in Solaris 11.4, and idsconfig has been replaced by a new tool, ldapservercfg(8).

The ldapservercfg tool is fully integrated with SMF and RBAC, and can be run interactively or automatically. It is well documented here so I won't repeat those instructions, but there are some interesting security aspects of the process that are worth noting. Unlike most administrative procedures, ldapservercfg and the SMF service svc:/network/ldap/server:openldap must be started by the openldap account, instead of root.

The RBAC profile OpenLDAP Server Administration specifies the required user, group, authorizations and privileges to properly execute ldapservercfg and to configure the slapd server. These RBAC attributes can be observed as follows:

gfaden@sol11:~$ profiles -lc ldapservercfg openldap

openldap:

name=OpenLDAP Server Administration

id=/usr/sbin/ldapservercfg

uid=openldap

gid=openldap

privs={zone}:/etc/openldap/*,{file_dac_read}:/etc/shadow

 

gfaden@sol11:~$ auths list -u openldap

openldap:

    solaris.admin.wusb.read

    solaris.mail.mailq

    solaris.network.autoconf.read

    solaris.smf.manage.name-service.ldap.server

    solaris.smf.read.name-service.ldap.server

    solaris.smf.value.name-service.ldap.server

Administrators with this rights profile can run ldapservercfg interactively via a profile shell like pfexec or by su'ing to the openldap account, whose shell is pfbash. The tool reads its initial parameter values from the SMF service properties, and provides a menu driven interface to modify these values. When the server configuration is successful, the configuration properties are updated and the slapd server is started.

Alternatively, the SMF service can be enabled by an administrator using svcadm(8) or via an auto-install profile. Prior to enabling the service, the default service properties can be updated by svccfg(8).  If the slapd server has not been previously configured, ldapservercfg is run automatically by the service.

The ldapservercfg tool can optionally create the admin credentials required by the ShadowUpdate policy to support remote account administration. Two options are provided for password authentication. By default, the slapd server will act as an account authority for authentication. In this case LDAP user accounts should be configured with the pam_policy keyword set to ldap. This can be specified globally in the defaults file /etc/security/policy.conf.  Alternatively, if a proxyagent account credential is specified then the slapd server will act as a password repository and accounts will be authenticated locally on the client. These credentials can be shared with clients systems via ldapclient(8) so that the administrative tools I mentioned in my previous blog, useradm and the Oracle Solaris Account Manager, can be used to manage LDAP accounts.