Template Files for Setting up native Solaris LDAP

Overview
--------
The files provided here are meant to be a guide to configuring an iPlanet
Directory Server 4.12 to support Solaris 8 LDAP clients. They complement
the procedures defined in the Sun BluePrint: "Solaris and LDAP Naming Services".
Some modification of these files is necessary before they are installed.

The files fall into two categories: 
1) directory schema definitions 
2) templates for creating or modifying directory entries.

The schema files contain the required user defined attributes and object
classes which are:

slapd.user_at.conf
slapd.user_oc.conf

The templates are created in LDIF format and include the following:

tops.ldif
vlvcntrl.ldif
selfmodaci.ldif
proxyagent.ldif
proxyaci.ldif
vlv.ldif

Schema Files
------ -----

The files slapd.user_at.conf and slapd.user_oc.conf are placed in your
<install_dir>/slapd-<instance>/config directory. After placing them there,
the iPlanet Directory Server is restarted for them to take effect.

LDIF Templates
---- ---------

tops.ldif: 
	This file creates the containers for your NIS data and also 
	assigns a naming service domain name. The file uses dc=blueprints,
	dc=com as the suffix of the DIT and assigns the value of 
	blueprints.com to the nisdomain attribute in the root entry. Both
	these need to be modified to match your environment. The syntax
	for installing the file is:
	
	#ldapmodify -a -c -D "cn=directory manager" -w mysecret -f tops.ldif
	   
	Note: Before running the command set your PATH to:
	<install_dir>/shared/bin and LD_LIBRARY_PATH to:
	<install_dir>/lib
	   
vlvcntrl.ldif: 
	This file replaces the default ACI for the VLV Control Object.
	Specifically it changes the binding rules from allowing "all"
	to allowing "anyone". The reason for this is that the Solaris
	client does an anonymous bind during initialization, then attempts
	to use the VLV control. The "all" setting requires that the client
	binds as a legitimate DN and not anonymously. The syntax is:
	
	#ldapmodify -c -D "cn=directory manager" -w mysecret -f vlvcntrl.ldif
	
	Note: This change is specific to the entire directory server and not
	a specific DIT, so no modification to the file is required.
	
selfmodaci.ldif:
	This file sets an ACI at the top of your DIT to allow users the rights
	to change some fields in their user entry but not all. The default ACI
	allows the owner of an entry to modify all fields which is not desirable
	since users could change their uidNumber to 0, giving themselves root
	privileges. The "typical" iDS installation option will automatically
	create a self-modify ACI which allows the owner to modify all fields,
	so it should be removed before adding the new one. Before installing
	the ACI, you need to modify the suffix in the file to match your
	environment. The syntax is:
	
	#ldapmodify -a -c -D "cn=directory manager" -w mysecret -f selfmodaci.ldif
	
	Note: The Solaris client will work without this change but a security
	hole will exist.
	
proxyagent.ldif:
	This files creates a DN the Solaris client can use when it
	binds to the LDAP server. The name chosen is cn=proxyagent,
	but any name will work as long as it matches the name in the
	client profile(s) you set up. The suffix in the file needs to
	be changed to match your environment and the container ou=profile
	can be changed to a different location. This container was chosen
	instead of ou=People to keep it separate from user accounts. The
	syntax is:
	
	#ldapmodify -a -c -D "cn=directory manager" -w mysecret -f proxyagent.ldif
	
	Note: The password must be stored in clear text.
	
proxyaci.ldif:
	This file creates an ACI at the top of your DIT which gives the
	proxyagent account compare, read, and search permission for the
	userPassword attribute. Without this ACI users would not be able to
	log in since proxyagent would not be able to retrieve the user's
	password from the directory. You will need to modify this file to
	match your DIT suffix and DN of the proxyagent entry. The syntax is:
	
	#ldapmodify -c -D "cn=directory manager" -w mysecret -f proxyaci.ldif
	
	Note: You could create more than one proxyagent account. If you do, all
	of them will need to be listed in the ACI.
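	The two ACI changes above (the restricted self-modify ACI and the
	proxyagent ACI on userPassword) are the ones most easily got wrong when
	the suffix and DNs are edited by hand. The following is an added example,
	not part of the BluePrint templates: a small Python audit of ACI values in
	the iPlanet "(targetattr ...)(version 3.0; acl ...; allow (...) userdn = ...;)"
	syntax. It flags a self-write ACI that still covers identity attributes
	(uidNumber is the case named above; uid, gidNumber and objectClass are
	assumed by analogy) and reports any proxyagent DN that is missing compare,
	read or search on userPassword. The ACI strings and the proxyagent DNs in
	it are constructed samples, not the contents of selfmodaci.ldif or
	proxyaci.ldif.

```python
"""Audit iPlanet/Netscape-style ACIs before loading them with ldapmodify.

Two checks:
  * a self-write ACI (userdn = "ldap:///self") must not let the entry owner
    change identity attributes such as uidNumber;
  * the proxyagent ACI must give every proxy DN compare, read and search on
    userPassword.
All ACI strings below are constructed for illustration only.
"""
import re

# Attributes a user must never be able to rewrite in their own entry.
# uidNumber is the case the README names; the others are assumed by analogy.
SENSITIVE_ATTRS = ("uid", "uidNumber", "gidNumber", "objectClass")

# Rights the proxy agent needs on userPassword for client logins to work.
PROXY_REQUIRED = {"compare", "read", "search"}

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_ACL_NAME = re.compile(r'\bacl\s*"([^"]*)"', re.I)
_RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.I)
_USERDN = re.compile(r'\buserdn\s*=\s*"([^"]*)"', re.I)


def _norm_dn(dn):
    """Lower-case a DN and drop whitespace around commas for comparison."""
    dn = dn.strip()
    if dn.lower().startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_aci(aci):
    """Break one ACI value into target attributes, rights and bind DNs."""
    m_attr = _TARGETATTR.search(aci)
    m_rule = _RULE.search(aci)
    if not m_attr or not m_rule:
        raise ValueError("unrecognised ACI syntax: %r" % aci)
    m_name = _ACL_NAME.search(aci)
    attrs = {a.strip().lower() for a in m_attr.group(2).split("||") if a.strip()}
    perms = {p.strip().lower() for p in m_rule.group(2).split(",") if p.strip()}
    dns = []
    for clause in _USERDN.findall(aci):          # "dn1 || dn2" lists several binders
        dns.extend(_norm_dn(d) for d in clause.split("||"))
    return {
        "name": m_name.group(1) if m_name else "",
        "negated": m_attr.group(1) == "!=",      # targetattr != "x" means all but x
        "attrs": attrs,
        "effect": m_rule.group(1).lower(),
        "perms": perms,
        "userdns": dns,
    }


def covers(parsed, attr):
    """True if the ACI's targetattr clause applies to the given attribute."""
    attr = attr.lower()
    if parsed["negated"]:
        return attr not in parsed["attrs"]
    return "*" in parsed["attrs"] or attr in parsed["attrs"]


def grants(parsed, right):
    """True if the ACI is an allow rule carrying the right (or 'all')."""
    return parsed["effect"] == "allow" and (right in parsed["perms"] or "all" in parsed["perms"])


def audit_self_write(parsed, sensitive=SENSITIVE_ATTRS):
    """Return the sensitive attributes a self-write ACI lets the owner change."""
    if "self" not in parsed["userdns"] or not grants(parsed, "write"):
        return []
    return sorted(a for a in sensitive if covers(parsed, a))


def audit_proxy_aci(parsed, proxy_dns):
    """Map each proxy DN to the rights on userPassword the ACI fails to give it."""
    missing = {}
    for dn in proxy_dns:
        lacking = set(PROXY_REQUIRED)
        if covers(parsed, "userPassword") and _norm_dn(dn) in parsed["userdns"]:
            lacking = {r for r in PROXY_REQUIRED if not grants(parsed, r)}
        if lacking:
            missing[dn] = lacking
    return missing


# Constructed samples (assumed shapes, not the template files' contents).
DEFAULT_SELF_ACI = ('(targetattr = "*")(version 3.0; acl "self write"; '
                    'allow (write) userdn = "ldap:///self";)')
RESTRICTED_SELF_ACI = ('(targetattr = "userPassword || loginShell || gecos || homePhone")'
                       '(version 3.0; acl "selfmodaci"; allow (write) userdn = "ldap:///self";)')
PROXY_DN = "cn=proxyagent,ou=profile,dc=blueprints,dc=com"
PROXY_ACI = ('(targetattr = "userPassword")(version 3.0; acl "proxyagent read userPassword"; '
             'allow (compare,read,search) userdn = "ldap:///%s";)' % PROXY_DN)

if __name__ == "__main__":
    for label, aci in (("default self ACI", DEFAULT_SELF_ACI),
                       ("restricted self ACI", RESTRICTED_SELF_ACI)):
        print(label, "lets owner change:",
              audit_self_write(parse_aci(aci)) or "nothing sensitive")
    second = "cn=proxyagent2,ou=profile,dc=blueprints,dc=com"   # a second, unlisted agent
    print("proxy ACI gaps:", audit_proxy_aci(parse_aci(PROXY_ACI), [PROXY_DN, second]))
```

	Run it against the aci: values you are about to load (after substituting
	your own suffix and proxyagent DN): the default "all fields" self ACI comes
	back with the identity attributes listed, the restricted one with none, and
	any proxyagent DN you forgot to add to the ACI is reported with all three
	rights missing.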
	
vlv.ldif:
	This file creates the VLV or browsing indexes for common Solaris 
	attributes. The Solaris client will still work without creating these
	indexes, but performance will suffer for large directories. The DIT
	suffix needs to be changed to match your environment. The syntax is:
	
	#ldapmodify -a -c -D "cn=directory manager" -w mysecret -f vlv.ldif
	
	Note: After the VLV indexes have been created, they need to be enabled.
	To do this, you need to run the vlvindex command for each index while
	the server is in read-only mode. The syntax is:
	
	# cd <install_dir>/slapd-<instance>
	# ./vlvindex getpwent
	OK
	# ./vlvindex getgrent
	OK
	# ./vlvindex gethostent
	OK
	# ./vlvindex getnetent
	OK
	# ./vlvindex getspent
