
LDAP Commands - FMO LDAP

Servers
Directory Information Trees (DITs)
Entry Administration
Password Resets
Entry addition, deletion and modification
Looking for entries
Starting and Stopping the Server
Logs
Troubleshooting
Is my Server Cliented?
Clienting your server
Servers
The servers are tssp0027 (MPC) and tssp0028 (JGC).
Access the GUI via the web interface at http://10.4.131.211/dscc. Sign on as admin.
The following dsconf commands are useful for gathering info on the server:
/opt/product/ldap/dsee/ds6/bin/dsconf info
/opt/product/ldap/dsee/ds6/bin/dsconf get-server-prop
/opt/product/ldap/dsee/ds6/bin/dsconf get-suffix-prop dc=uk,dc=tsl
/opt/product/ldap/dsee/ds6/bin/dsconf list-suffixes
/opt/product/ldap/dsee/ds6/bin/dsconf list-suffixes -v
You can also get this information from the GUI.
Directory Information Trees
There are two DITs:
dc=uk,dc=tsl for T-Systems servers (tssp*)
dc=uk,dc=centricaplc,dc=com for Centrica servers (cnsv*)
Each server is ldapclient'd to one or other of these.
The contents of these DITs are backed up every night to /opt/product/ldap/ds/ldif by /opt/product/ldap/ds/backup.sh.
Entry Administration
Password resets
This can be done via the GUI if it's working (which it probably isn't).
There are other methods that can be done on the command line:
Option 1: As root on your LDAP client, run passwd -r ldap userid
Option 2: As root on tssp0027, run /var/opt/ldap/reset_password userid
Option 3: Use ldapmodify and an LDIF file. Do this on tssp0027. This is a bit more complicated, and is a manual version of option 2.
Run /var/opt/ldap/generatepw userid
This prints the {crypt} hash of the string userid, which becomes the user's new password.
Create a file containing the following LDIF, substituting the userid and the hash printed by generatepw:
dn: uid=userid,ou=people,dc=uk,dc=centricaplc,dc=com
changetype: modify
replace: userPassword
userPassword: {crypt}<encrypted userid>
Run ldapmodify -h 10.4.131.21 -D 'cn=directory manager' -w password123 < yourldiffile
Entry addition, deletion and modification
Scripts are held in /var/opt/ldap, with centrica and tsl subdirectories.
To update groups, passwd or netgroups you should update the relevant flat file in one of those directories and run /var/opt/ldap/ldap_sync.pl
e.g. to add a passwd entry to the Centrica DIT:
cd /var/opt/ldap/centrica
Edit passwd to add your entry.
Note: It's probably worth adding the user to NIS+ first to get a unique UID.
Edit the netgroup file if necessary.
Note: Your userid must be defined in the netgroup for the server it needs to get on to.
Don't change directories!
Run /var/opt/ldap/sync-ldap.pl centrica. This will produce up to 3 files (add*, delete*, modify*) containing LDIF that can be used to update LDAP.
Run ldapmodify -h 10.4.131.21 -D 'cn=directory manager' -w password123 < file for each of the 3 files containing LDIF.
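The two manual tasks above, the option 3 password reset and the passwd-file sync, both come down to producing correct LDIF. The following is an added example (not the site's generatepw or sync-ldap.pl scripts) that shows what that LDIF has to look like: it escapes the userid for use in a DN, applies the LDIF rule that values starting with a space, colon or "<" must be base64-encoded, and diffs a flat passwd file against a constructed snapshot of the DIT to emit the add, modify and delete records. The crypt hash argument is a placeholder; the objectClass list for new entries is an assumption about the schema in use.

```python
import base64

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_DN_SPECIALS = set(',+"\\<>;')
PASSWD_ATTRS = ("uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")


def escape_rdn_value(value: str) -> str:
    """Escape a userid so it can be embedded safely as the value of uid=... in a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if (ch in _DN_SPECIALS or leading_hash or edge_space) else ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """'attr: value', or 'attr:: <base64>' when RFC 2849 says the value is not a SAFE-STRING
    (empty, leading space/colon/'<', trailing space, NUL/CR/LF, or non-ASCII)."""
    unsafe = (value == "" or value[0] in " :<" or value[-1] == " "
              or any(ord(c) > 127 or c in "\0\r\n" for c in value))
    if unsafe:
        return attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return attr + ": " + value


def entry_dn(userid: str, base: str) -> str:
    return "uid=" + escape_rdn_value(userid) + "," + base


def password_reset_ldif(userid: str, crypt_hash: str,
                        base: str = "ou=people,dc=uk,dc=centricaplc,dc=com") -> str:
    """The modify record from option 3; crypt_hash is whatever generatepw printed."""
    return "\n".join([ldif_line("dn", entry_dn(userid, base)), "changetype: modify",
                      "replace: userPassword", ldif_line("userPassword", "{crypt}" + crypt_hash),
                      "-"]) + "\n"


def parse_passwd(text: str) -> dict:
    """Parse passwd(4) lines into {userid: {attr: value}}; blank and '#' lines are skipped."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: " + raw)
        name, _pw, uidn, gidn, gecos, home, shell = fields
        users[name] = dict(zip(PASSWD_ATTRS, (uidn, gidn, gecos, home, shell)))
    return users


def sync_ldif(flat: dict, directory: dict, base: str) -> dict:
    """Diff the flat file against the DIT snapshot; returns LDIF text keyed add/modify/delete."""
    add, modify, delete = [], [], []
    for uid in sorted(set(flat) - set(directory)):          # in the file, not in LDAP
        entry = [ldif_line("dn", entry_dn(uid, base)), "changetype: add",
                 "objectClass: top", "objectClass: account", "objectClass: posixAccount",
                 ldif_line("uid", uid), ldif_line("cn", uid)]
        entry += [ldif_line(a, flat[uid][a]) for a in PASSWD_ATTRS]
        add.append("\n".join(entry))
    for uid in sorted(set(directory) - set(flat)):          # in LDAP, removed from the file
        delete.append("\n".join([ldif_line("dn", entry_dn(uid, base)), "changetype: delete"]))
    for uid in sorted(set(flat) & set(directory)):          # present in both: replace changed attrs
        changed = [a for a in PASSWD_ATTRS if flat[uid][a] != directory[uid].get(a)]
        if not changed:
            continue
        entry = [ldif_line("dn", entry_dn(uid, base)), "changetype: modify"]
        for a in changed:
            entry += ["replace: " + a, ldif_line(a, flat[uid][a]), "-"]
        modify.append("\n".join(entry))

    def doc(records):
        return "\n\n".join(records) + ("\n" if records else "")
    return {"add": doc(add), "modify": doc(modify), "delete": doc(delete)}


# Constructed sample flat file and DIT snapshot (not real site data).
SAMPLE_PASSWD = """\
# constructed sample, not a real site file
user1:x:1001:100:Example User One:/home/user1:/bin/ksh
user2:x:1002:100:Example User Two:/home/user2:/bin/ksh
"""
SAMPLE_DIRECTORY = {
    "user1": dict(zip(PASSWD_ATTRS, ("1001", "100", "Example User One", "/home/user1", "/bin/sh"))),
    "user3": dict(zip(PASSWD_ATTRS, ("1003", "100", "Example User Three", "/home/user3", "/bin/ksh"))),
}

if __name__ == "__main__":
    print(password_reset_ldif("user1", "PLACEHOLDER_HASH"))   # hash argument is a placeholder
    base = "ou=people,dc=uk,dc=centricaplc,dc=com"
    for kind, body in sync_ldif(parse_passwd(SAMPLE_PASSWD), SAMPLE_DIRECTORY, base).items():
        print("---", kind)
        print(body)
```

Each of the three documents returned by sync_ldif is what you would feed to one ldapmodify run, which is why the script produces separate add, modify and delete files rather than one.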
Looking for Entries
There are a couple of methods to search for entries defined in LDAP. The easiest method is to use ldaplist from the LDAP client. Alternatively, you can use the more powerful ldapsearch command, which is a bit harder to use.
ldaplist
Note: ldaplist only lists entries for the DIT that the client resides in.
ldaplist passwd - All password entries
ldaplist -l passwd watersd - Detailed info for watersd
ldaplist group - All groups
ldaplist netgroup - All netgroups
ldapsearch
e.g. ldapsearch -D 'cn=directory manager' -w password123 -b 'dc=uk,dc=tsl' uid=*
where -b 'dc=uk,dc=tsl' specifies the place to start the search, and uid=* specifies all users.
Netgroups
The /var/opt/ldap/getusers.pl script shows the relationship between users and their netgroup for all users and netgroups.
Use /var/opt/ldap/getusers.pl userid to find the netgroups for a single user.
Other examples:
ldapsearch -D 'cn=directory manager' -w password123 -b 'dc=uk,dc=tsl' cn=* - List everything
ldapsearch -D 'cn=directory manager' -w password123 -b 'ou=people,dc=uk,dc=tsl' cn=* - List all users, which is the same as -b 'dc=uk,dc=tsl' uid=*
ldapsearch -D 'cn=directory manager' -w password123 -b 'dc=uk,dc=centricaplc,dc=com' uid=* uid uidnumber gidnumber
or
ldapsearch -D 'cn=directory manager' -w password123 -b 'ou=people,dc=uk,dc=tsl' uid=* uid uidnumber gidnumber - List uid, uidnumber and gidnumber for all users in whichever domain you are interested in.
ldapsearch -D 'cn=directory manager' -w password123 -b 'dc=uk,dc=tsl' cn=tssp0021 - Display members of netgroup tssp0021
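The netgroup search above returns the raw entry; working out who can actually log on to a server means reading the nisNetgroupTriple values and following memberNisNetgroup nesting, which is what getusers.pl does for you. The following is an added example, not the site's getusers.pl, that parses ldapsearch output (including folded continuation lines and base64 "::" values), indexes the nisNetgroup entries, and answers both "who is in netgroup X" and "which netgroups is user Y in". The ldapsearch output it reads is constructed, not captured from the site servers, and the nesting/cycle handling is an assumption about how the site's netgroups are laid out.

```python
import base64
import re

# (host,user,domain) as stored in nisNetgroupTriple; empty fields are wildcards.
TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")


def _unfold(text: str) -> list:
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_entries(text: str) -> list:
    """ldapsearch output -> list of {attr(lowercased): [values]}; entries end at a blank line."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                       # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def netgroups(entries: list) -> dict:
    """Index nisNetgroup entries by cn: {name: (direct users, nested netgroup names)}."""
    index = {}
    for e in entries:
        if "nisnetgroup" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        users = set()
        for triple in e.get("nisnetgrouptriple", []):
            m = TRIPLE_RE.match(triple.strip())
            if m and m.group(2):                        # skip host-only / wildcard triples
                users.add(m.group(2))
        index[e["cn"][0]] = (users, set(e.get("membernisnetgroup", [])))
    return index


def members(index: dict, name: str, seen=None) -> set:
    """All users of a netgroup, following memberNisNetgroup; a cycle is visited once."""
    seen = set() if seen is None else seen
    if name in seen or name not in index:
        return set()
    seen.add(name)
    users, nested = index[name]
    result = set(users)
    for child in nested:
        result |= members(index, child, seen)
    return result


def netgroups_for_user(index: dict, userid: str) -> list:
    """Every netgroup (directly or through nesting) that grants userid access."""
    return sorted(n for n in index if userid in members(index, n))


# Constructed ldapsearch output in the format shown above (not real site data).
SAMPLE_SEARCH = """\
# constructed output, not captured from tssp0027
dn: cn=tssp0021,ou=netgroup,dc=uk,dc=tsl
objectClass: top
objectClass: nisNetgroup
cn: tssp0021
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,use
 r2,)
memberNisNetgroup: sysadmins

dn: cn=sysadmins,ou=netgroup,dc=uk,dc=tsl
objectClass: top
objectClass: nisNetgroup
cn: sysadmins
nisNetgroupTriple: (,admin1,)
description:: b3Bz
"""

if __name__ == "__main__":
    idx = netgroups(parse_ldif_entries(SAMPLE_SEARCH))
    print("members of tssp0021:", sorted(members(idx, "tssp0021")))
    print("netgroups for admin1:", netgroups_for_user(idx, "admin1"))
```

Nested netgroups are the case to watch when auditing access: a user who never appears in the tssp0021 entry itself still reaches the box through sysadmins, and only the expanded view shows that.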
Starting and Stopping the server
The server can be stopped and started using svcadm:
svcadm disable /application/sun/ds:ds--local-ds
svcadm enable /application/sun/ds:ds--local-ds
Note: You must stop the server before you use dsadm commands!
Logs
Access and error logs are kept in /var/log/ldap/ds.
Logs are rotated as per the setting defined using dsconf (or the GUI). Display
the setting using /opt/product/ldap/dsee/ds6/bin/dsconf get-log-prop access
Troubleshooting

Sun may ask you to dump the whole directory:
ldapsearch -D "cn=Directory Manager" -w ldaptest -b "cn=config" objectclass="*"
Is my Server Cliented?
The following commands should help determine if your server is configured correctly:
svcs \*ldap\* - Check that the ldap_cachemgr service is running (should say online):
STATE STIME FMRI
online Aug_27 svc:/network/ldap/client:default
/usr/lib/ldap/ldap_cachemgr -g - Get info out of ldap_cachemgr:
cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 1135
cachemgr cache data statistics:
Configuration refresh information:
Previous refresh time: 2009/09/07 12:54:53
Next refresh time: 2009/09/07 13:54:53
Server information:
Previous refresh time: 2009/09/07 13:34:53
Next refresh time: 2009/09/07 13:54:53
server: 10.4.131.21, status: UP
server: 10.4.131.14, status: UP
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
ldapclient list - Check the Current Profile Information; this shows how the server was cliented:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=uk,dc=centricaplc,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411404d5a
NS_LDAP_SEARCH_BASEDN= dc=uk,dc=centricaplc,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= 10.4.131.21, 10.4.131.14
NS_LDAP_CACHETTL= 3600
NS_LDAP_PROFILE= uk-centrica-ssl-1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
ldaplist passwd - Should list out all the passwd entries
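Reading those three outputs by eye works for one box; across a fleet it is easier to parse them and report only what is wrong. The following is an added example (not a site script) that parses svcs, ldap_cachemgr -g and ldapclient list output in the formats shown above and flags the things this page says to look for: the client service not online, a server in NS_LDAP_SERVER_PREF that ldap_cachemgr does not report as UP, and a profile whose NS_LDAP_AUTH is not tls:simple or whose credential level is not proxy. The sample outputs are constructed in the same format as the real ones above, with the bind password replaced by a placeholder; the expectation that every profile uses tls:simple and proxy is taken from the page's example output.

```python
import re

SERVER_RE = re.compile(r"server:\s*([^,\s]+),\s*status:\s*(\w+)")
CLIENT_FMRI = "svc:/network/ldap/client:default"


def ldap_client_service_online(svcs_text: str) -> bool:
    """True when the svcs listing shows the LDAP client FMRI in state online."""
    for line in svcs_text.splitlines():
        tokens = line.split()
        if tokens and tokens[-1] == CLIENT_FMRI:
            return tokens[0] == "online"
    return False


def parse_ldapclient_list(text: str) -> dict:
    """'NS_LDAP_KEY= value' lines -> {key: value}; values may themselves contain '='."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("NS_LDAP_"):
            cfg[key.strip()] = value.strip()
    return cfg


def parse_cachemgr_servers(text: str) -> dict:
    """'server: <host>, status: <state>' lines from ldap_cachemgr -g -> {host: state}."""
    return {host: status for host, status in SERVER_RE.findall(text)}


def client_health(svcs_text: str, ldapclient_text: str, cachemgr_text: str) -> list:
    """Return a list of findings; an empty list means the client looks correctly cliented."""
    findings = []
    if not ldap_client_service_online(svcs_text):
        findings.append(f"{CLIENT_FMRI} is not online")
    cfg = parse_ldapclient_list(ldapclient_text)
    auth = cfg.get("NS_LDAP_AUTH", "")
    if auth != "tls:simple":
        findings.append(f"NS_LDAP_AUTH is {auth!r}, expected tls:simple")
    if cfg.get("NS_LDAP_CREDENTIAL_LEVEL") != "proxy":
        findings.append("NS_LDAP_CREDENTIAL_LEVEL is not proxy")
    preferred = [s.strip() for s in cfg.get("NS_LDAP_SERVER_PREF", "").split(",") if s.strip()]
    if not preferred:
        findings.append("NS_LDAP_SERVER_PREF is empty: client has no server list")
    servers = parse_cachemgr_servers(cachemgr_text)
    for host in preferred:
        status = servers.get(host)
        if status is None:
            findings.append(f"{host}: in NS_LDAP_SERVER_PREF but ldap_cachemgr reports no status")
        elif status != "UP":
            findings.append(f"{host}: ldap_cachemgr reports status {status}")
    return findings


# Constructed outputs in the format of the real commands (not captured from a site server).
SVCS_OK = """\
STATE          STIME    FMRI
online         Aug_27   svc:/network/ldap/client:default
"""
LDAPCLIENT_OK = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=uk,dc=centricaplc,dc=com
NS_LDAP_BINDPASSWD= {NS1}placeholder
NS_LDAP_SEARCH_BASEDN= dc=uk,dc=centricaplc,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SERVER_PREF= 10.4.131.21, 10.4.131.14
NS_LDAP_PROFILE= uk-centrica-ssl-1
NS_LDAP_CREDENTIAL_LEVEL= proxy
"""
CACHEMGR_OK = """\
Server information:
server: 10.4.131.21, status: UP
server: 10.4.131.14, status: UP
"""
CACHEMGR_DEGRADED = CACHEMGR_OK.replace("10.4.131.14, status: UP", "10.4.131.14, status: DOWN")

if __name__ == "__main__":
    for label, cm in (("healthy", CACHEMGR_OK), ("degraded", CACHEMGR_DEGRADED)):
        print(label, "->", client_health(SVCS_OK, LDAPCLIENT_OK, cm) or "no findings")
```

A profile showing NS_LDAP_AUTH= simple rather than tls:simple means the proxy bind and every lookup cross the network in clear, which is why the check treats it as a finding and not just a difference.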

Clienting your server

This should be done during installation by the script /var/tmp/install-ldap-client.ksh
The most likely reason for it failing is that the server couldn't reach the LDAP server. Do this:
Check you can ping 10.4.131.21. If not, sort out your network.
Look at /etc/nsswitch.conf.
If it has references to ldap in it:
Take a backup of /etc/nsswitch.conf
Run /usr/sbin/ldapclient init -a profileName=uk-centrica-ssl-2 -a domainName=uk.centricaplc.com -a proxyDN=cn=proxyagent,ou=profile,dc=uk,dc=centricaplc,dc=com -a proxyPassword=password123 10.4.131.21
Restore your copy of /etc/nsswitch.conf
If it does not have references to ldap in it:
Run /var/tmp/install-ldap-client.ksh
Check your installation: ldaplist passwd
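The branch in that procedure hinges on whether /etc/nsswitch.conf already references ldap, and ldapclient init rewrites that file, which is why the backup and restore steps bracket it. The following is an added example, not the site's install-ldap-client.ksh, that parses an nsswitch.conf text (ignoring comments and [NOTFOUND=return]-style action tokens), reports which databases use ldap, and lays out the command sequence from the steps above as a dry-run plan. The backup filename and the use of ping -c are assumptions; the ldapclient init arguments are the ones given above, with the proxy password shown as a placeholder.

```python
import shlex

LDAP_SERVER = "10.4.131.21"
INSTALL_SCRIPT = "/var/tmp/install-ldap-client.ksh"
NSSWITCH = "/etc/nsswitch.conf"
NSSWITCH_BACKUP = "/etc/nsswitch.conf.pre-ldapclient"   # assumed backup name

# ldapclient init as given in the procedure; the password is a placeholder here.
LDAPCLIENT_INIT = ["/usr/sbin/ldapclient", "init",
                   "-a", "profileName=uk-centrica-ssl-2",
                   "-a", "domainName=uk.centricaplc.com",
                   "-a", "proxyDN=cn=proxyagent,ou=profile,dc=uk,dc=centricaplc,dc=com",
                   "-a", "proxyPassword=<proxy password>", LDAP_SERVER]


def nsswitch_sources(text: str) -> dict:
    """nsswitch.conf -> {database: [sources]}, dropping comments and [STATUS=action] tokens."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        table[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return table


def nsswitch_ldap_databases(text: str) -> list:
    """Databases (passwd, group, netgroup, ...) whose lookup order includes ldap."""
    return [db for db, sources in nsswitch_sources(text).items() if "ldap" in sources]


def client_setup_plan(nsswitch_text: str, ldap_server_reachable: bool) -> list:
    """The commands the procedure above would run, in order, as a dry-run list of strings."""
    if not ldap_server_reachable:
        return [f"ping -c 3 {LDAP_SERVER} failed: sort out the network before going further"]
    if nsswitch_ldap_databases(nsswitch_text):
        # nsswitch already points at ldap: keep it safe across ldapclient init.
        return [shlex.join(["cp", "-p", NSSWITCH, NSSWITCH_BACKUP]),
                shlex.join(LDAPCLIENT_INIT),
                shlex.join(["cp", "-p", NSSWITCH_BACKUP, NSSWITCH]),
                "ldaplist passwd"]
    return [INSTALL_SCRIPT, "ldaplist passwd"]


# Constructed nsswitch.conf fragments (not copied from a site server).
NSSWITCH_WITH_LDAP = """\
# constructed sample
passwd:     files ldap
group:      files ldap [NOTFOUND=return]
hosts:      files dns
netgroup:   ldap
"""
NSSWITCH_FILES_ONLY = """\
passwd:     files
group:      files
hosts:      files dns   # ldap mentioned only in this comment
"""

if __name__ == "__main__":
    for label, text in (("with ldap", NSSWITCH_WITH_LDAP), ("files only", NSSWITCH_FILES_ONLY)):
        print(label, "->", nsswitch_ldap_databases(text))
        for step in client_setup_plan(text, ldap_server_reachable=True):
            print("   ", step)
```

The plan is deliberately printed rather than executed: on a box that is half-cliented, seeing the sequence before running it is the point of the backup step.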