Index [ptgmedia.pearsoncmg.com/images/0131456938/index/...]


639

Index

NUMERICS

32-bit Directory Server packages, 195
3des triple DES cipher, 47
64-bit caching, 444
64-bit Directory Server packages, 196
80/20 rule, 526
99nisplusLDAPconfig.ldif file, xxviii, 326
99user.ldif file, 441

A

abbreviations, PAM, 178
accepting a server's certificate, 110
access and error log files, 575
access control, 36
access control (Kerberos), 72
access control instruction (ACI), 9, 37, 189
access control list (ACL), 72
access control manager (SLAMD), 507
access control policies, verification of, 37
access hour restrictions, 160
Access Log Viewer, 405
access log, example output, 57
access rights and object data, 332
accessing directory data, 17
account expiration, 160, 168
account management, 156, 175
account management function, 608, 609
account management with PAM, 169

accounting databases, 32
ACI for an entry, 177
ACI management functionality, 37
ACI, incorrectly set, 276
action-related parameters, 316
activating TLSv1/SSL, 126
Add User wizard, 370
add_install_client command, 254
adding a public key to a user entry, 299
adding additional CPUs, 444
adding additional RAM, 444
adding administrators (KDC), 72
adding authorization descriptions, 306
adding auto_master entries, 291
adding entries with the Console, 366
adding execution profiles, 307
adding extended user attributes, 304
adding group entries, 291
adding job classes for SLAMD, 535
adding modules and modifying properties, 109
adding more replicas, 444
adding new entries with ldapaddent, 357
adding non-user entries with the Console, 368
adding PAM modules, 170
adding principals, 87
adding profile descriptions, 306
additional schema definitions, 328, 329
addprinc command, 88
addSchema.ldif file, xxviii
adjusting client cache, 416


640 LDAP in the Solaris Operating Environment – Deploying Secure Directory Services • September 2003

Administration Server application, 194
Administration Server Console, 131
Administration Server Console plug-in, 194
administration state file, 225
administration tools, 348, 361
Administration URL, 133
administrative interface (SLAMD), 508, 517
administrative tasks, 399
aggregated controllers, 474
alarms, tools for sending, 405
algorithm directive, 47
alias database example, 298
alias directory, 131
aliases attribute, 9
aliases database, 288
aliases database (NIS/NIS+), 27, 31
alternate pathing software, 452
alternate search path, setting an, 437
alternate search paths with SSDs, 434
alternative method of client failover, 257
alternative to mirroring, 464
analyzing alternative solutions, 4
analyzing benchmark results, 468
anonymous, 38
anonymous bind, 8, 39
anonymous credential level and pam_unix authentication, 231
anyone permissions, 189
Apache server, unbundled, 381
Apache Tomcat servlet engine, 509
API, naming service, 32
APIs and toolkits, LDAP, 377
APIs, LDAP, 393
appdefaults section in krb5.conf, 78
appendices, descriptions of, xxvi
architecting an enterprise directory solution, 453
assessing performance of LDAP directory servers, 508
attribute mapping, 180, 412
attribute names, 9
attribute value reference tags, 496
AttributeMap attribute, 438
attributes and objects, 9

attributes for client failover, 257
attributes for loading configuration data, 313
attributes for mapping data, 326
attributes for RBAC-related object classes, 302
attributes requiring configuration, 323
attributes shared by DUAconfigProfile, 322
attributes, adding extended user, 304
attributes, standard profile, 306
audit log, 364
audit_user database (NIS/NIS+), 27, 32
auth qop directive, 46
auth_attr database, 439
auth_attr database (NIS/NIS+), 32
auth_attr RBAC database, 302
authenticating, 52
authenticating a telnet user, 64
authenticating using DIGEST-MD5, 61
authentication and security internet drafts, 571
authentication examples, 272
authentication exchange, 51
authentication ID, 42
authentication levels, 213
authentication mechanisms, 38
authentication mechanisms, certificate-based, 39
authentication mechanisms, PAM, 163
authentication mechanisms, SASL, 39
authentication mechanisms, SASL DIGEST-MD5, 42
authentication mechanisms, SASL EXTERNAL, 95
authentication mechanisms, secure, 63
authentication mechanisms, simple, 39
authentication mechanisms, strong (Kerberos), 64
authentication mechanisms, supported, 179
authentication mechanisms, TLSv1/SSL, 93
Authentication Method field, 532
authentication module functions, PAM, 609
authentication options, 212, 290
authentication problem summary, 275
authentication problems, 270
authentication realm, 42
authentication user types, 213
authentication using a DN, 287
authentication with PAM, 178


authentication with pam_ldap, 274
authentication with pam_unix, 177, 273
authentication, client, 8
authentication, Network Operating System (NOS), 17
authentication, PAM functions for, 607
authentication, pam_unix style, 189
authentication, pluggable (SASL), 39
authenticationMethod attribute, 242
authenticationMethod parameter, 314
authenticity, 43
authid, 42
autho_attr database (NIS/NIS+), 27
authorization (or proxy) ID, 42
authorization descriptions, adding, 306
authorization ID, 44
auth-param, 48
auto mode, 450
auto_* database, 288
auto_master container, 295
auto_master file, 32
autofs, 278
automaps, sharing, 214
automatic LDAP referral, 258
automatic startup of SSL, 234
automatically installing native LDAP clients, 253
automating installations, 244
automating installations (NIS+), 23
automating LDAP client installations, 248
automating MakeLDIF, 502
automount database (NIS/NIS+), 27, 32
automount database entry example, 294
automount objects, 278
automount, restricting access on client systems, 437
automounter, 402
automounter problems, 277
auxiliary object classes, 293
availability, 19, 466

B

backing up a KDC, 77

backup and recovery, 400
backup and recovery, directory data, 406
backup directory, 471
backup files, 37
backups, online vs. offline, 401
bad search base, 276
bak2db scripts, 362
balancing masters and consumers, 258
base level search, 184
base64 standard replacement tags, 498
baseDN option, 290
BatchRequest element, 551
BatchResponse element, 551
behavior of naming service clients, changing, 403
benchmark configuration, low-end, 472
benchmark hardware configuration, 469
benchmark load generation tool (SLAMD), 507
benchmark methodology, 541
benchmark network topology, 479
benchmark objectives, 466
benchmark performance validation tests, 502
benchmark server layout, 474
benchmark settings, 477
benchmark tasks, overview, 468
benchmark test harness description, 468
benchmark, mid-range configuration, 473
benchmark, server and client, systems used, 469
benchmark, storage hardware used, 470
benchmarking, 465
benchmarking and replication, 479
benchmarks and logging, 471
benchmarks, creating LDIF for, 479
benefits of crypt(3c), 157
benefits of GSSAPI, 64
Berkeley Software Distribution (BSD) UNIX, 20
bidirectional synchronization of passwords, 557
bind operation, 8
bind operation, verifying a, 58
bind request, 44
bind request (SASL DIGEST), 57
bind, SASL, 52
bind, successful, 39
binding control flag, 166, 170


binding control flag (new), 169
binding to a directory server, 290
binding to a directory server using credentials, 59
binding to an NIS server, 21
bindTimeLimt attribute, 257
blocksize, 449
Blocksize parameter, 450
Blowfish hashes, 158
BMC Patrol, 405
bonus software, 191
book organization, xxv
boot net - install, 255
boot server, 250
bootparams database, 23, 288
bootparams database (NIS/NIS+), 26, 30
bootparams file, 250
branch definitions, 484
branch entries, 486
broadcast bind, 21
browser security database files, 140
browsing schema definitions, 441
BSD print spooler, 309
building an index, 362
building an LDAP Gateway, 381
building larger data sets, 505
built-in data replication, 256
business case for LDAP, 15

C

C LDAP API, 393
C LDAP Software Development Kit (SDK), 393
C library, 17
CA certificate module, 109
CA required information, 120
cabling of host arrays, 472, 475
cache consistency, 309
cache hits, 426
cache mirroring, 450, 452
cache mode, 450
cache tuning, 539
cache, refreshing, 416
calculating a new digest, 51

Calendar Initial Page Rate job, 534
capturing sensitive information, 97
cascading replication, 11
case sensitive or insensitive, 9
centralized naming service, the first, 20
cert7.db database, 108, 233
certificate (TLSv1), 97
Certificate Authority (CA), 232
certificate database, 133
certificate database key store, 130
Certificate Install wizard, 122
certificate management system (CMS), 147
certificate name, 109
certificate path, 205
certificate request example, 141
certificate request, generating, 113
Certificate Setup wizard, 132
certificate, digital, 39
certificate-based authentication, 39, 95
certificates, installing, 121
certificates, obtaining server, 113
certificates, working with, 108
certmap.conf file, 136
certutil utility, 108, 109, 124, 125
CGI.pm module, 381
chaining over SSL, 106
challenge stage, digest, 45
change log, 541
changes, packaging, 191
changing an authentication token, 160
changing passwords, enforcement of, 38
changing the realm names, 84
changing user login parameters, 438
chapter descriptions, xxv
characteristics, software, 444
characterizing performance, 465
charset directive, 47
checking for current patches, 216
checking name service containers, 269
checking replication status, 423
checklist, 219
checksum, 224
checksum algorithm, 69


child of an object class, 9
choosing a suffix name, 185
choosing high-availability options, 256
choosing NIS/NIS+ migration tools, 33
cipher policy (Start TLS), 153
cipher spec messages, 104
cipher suites, 47, 100, 101, 109, 149
cipherblock chaining (CBC), 47
cipher-opts directive, 47
classes, password, 75
clear text password (not encrypted), 39
clear text password (table), 178
clear text password, required, 58
clear text passwords, 59, 157, 290
client and server versions, differentiating, 191
client and server versions, mixing, 214
client authentication, 8, 95, 98
client authentication (TLSv1), 104
client cache, adjusting, 416
client cannot access data, 268
client configuration, listing, 357
client data access problems, 269
client failover, 33, 257
client fails to initialize, 268
client listener, 507
client parameters (local), updating, 357
client post-installation issues, 252
client problems, 268
client profiles, 189, 242
client profiles and proxy agent accounts, managing, 412
client profiles, creating, 357
client profiles, implementing with SSDs, 404
client profiles, managing, 403
client proxy credentials, 180
client referral, 7
client uses wrong password, 42
client, uninitializing, 357
client_info attributes and object classes, 328
client_info schema, 330
client-info file, 238
clients finding servers, methods for, 571
clients running earlier Solaris OEs, 33

Clients Used section (SLAMD), 523
clocks, synchronize with NTP, 74
cn attribute, 548
cnonce, 50, 51
co-existence with LDAP-aware applications, 190
collecting data for migration planning, 26
combining disks into a volume, 454
command-line tools, 348
commands, LDAP-aware, 359
commands, PAM, 164
common configuration changes, 338
Common Desktop Environment (CDE), 156
common pitfalls, 260
common problems (NIS+ Gateway), 345
common tasks, 400
common uses of NIS/NIS+, 22
commonly used GSSAPI mechanism (Kerberos), 63
communication between rpc.nisd and the LDAP server, 311
compatibility mode, 436
compatibility with BSD and Linux, 158
compressed tar file distributions, 196
compression of changes, 445
concatenating physical disks, 459
confidentiality, 51
Config Directory Address, 512
Config Directory Bind DN, 512
Config Directory Bind Password, 512
Config Directory Port, 512
Configuration Base DN, 512
configuration changes, common, 338
configuration data backup and restore, 407
configuration data vs. user data, 400
configuration data, storing, 184
configuration entries, 109
configuration errors, 270
configuration handler, 507
configuration information (NIS+), 312
configuration policy, flexible, 154
configuration process vs. installation process, 215
configuration, benchmark, 469
configuring a DNS client for GSSAPI, 82


configuring clients to use TLSv1/SSL transport, 243
configuring Directory Server software, 219
configuring Directory Server software to trust a CA, 123
configuring GSSAPI, 90
configuring Kerberos v5, 83
configuring LDAP clients, 237
configuring LDAP clients, information required for, 250
configuring LDAP servers as data repositories, 311
configuring pam_ldap, 241
configuring the Directory Server for TLSv1/SSL, 126
configuring the Sun ONE Directory Server software as a configuration server, 326
configuring the Sun ONE Directory Servers and Clients, 214
configuring TLSv1/SSL (command line), 235
confirmation of the startup for SLAMD, 513
confirming installed CAs, 124
connecting to the SLAMD server, 514
connection confidentiality and integrity, 152
connection, encryption, 37
consistent management policy, 16
console login rejections, troubleshooting, 264
console message example, 252
Console, Sun ONE Server, 194
Console, TLSv1/SSL in the, 131
Console.4.0.Login.preferences file, 264
consolidating host names, 29
consolidation of data, 16, 17
consolidation of naming service, 14
consumers, 11, 256
container, 286
container DNs, list of, 354
containers for Secured LDAP Client, 186
containers, creating, 186
containers, default, 186
control extension for server-side sorting, 569
control flag for pam_unix, 175
control flags, PAM, 165
controller failures, 453
controllers, aggregated, 474

controllers, dual, 446
controlling access, 18
controlling access to directory data, 189
controlling operations, 36
controls and extended operations, 570
controls and extended operations, internet drafts, 570
conversion of NIS+ clients to LDAP clients, 312
core server, 507
corporate phone book, 17
correcting common problems, 260
corrective actions, 275
country code (C=) attribute, 185
CPUs and performance, 443
CPUs, adding additional, 444
CRAM-MD5, 38, 174
CRAM-MD5 login, 40
creating a password hash, 362
creating a stripe, 455
creating a volume, 449
creating additional profiles, 413
creating benchmark configurations, 469
creating client certificate databases, 243
creating clusters, 258
creating configuration entries, 327
creating containers, 186
creating entries in LDAP containers from /etc files, 288
creating host keys, 73
creating LDIF, 235
creating LDIF for benchmarks, 479
creating master KDC host principals, 88
creating RBAC entries with LDIF, 304
creating replication agreements from scripts, 417
creating stash files, 69
creating suffixes, 186
creating unique entries, 287
creating user accounts, 54
creating VLV indexes, 229
creating your own schema definitions, 441
creation and deletion of entries, 348
credential level, 205
Credential Level field, 532


credentials, 22, 79
credentials and tickets, 66
credentials, binding with, 59
critical messages, PAM, 172
CRYPT, 176
crypt(3c), 155
crypt(3c) plug-in framework, 158
crypt(3c), flexible, 158
crypt_gensalt(3c), 158
cryptographic devices, 108
cryptographic token, 109
curly braces, 496
custom attributes, 480
custom jobs (SLAMD), 508
custom standard replacement tags, 498
custom tag implementation, sample, 500
custom tags, 480, 499
customizing creation of LDIF files, 499
customizing LDIF files, 485
cryptographic keys, 100
Cyrus CMU implementation, 42

D

daemons, PAM, 164
dangerous use of plain text passwords, 42
DAP groups, 403
data access, random, 474
data consolidation issues, 26
Data Encryption Standard (DES) cipher, 47
data generation tool, 479
data migration, two approaches, 285
data replication, 19
data repositories, LDAP servers as, 311
data retrieval parameters, 314
data sets, building larger, 505
data stream encryption, 79
data, using LDAP to store, 320
database files, 37
database key store, 130
database loading, recommended order, 289
databases, importing, 300
databases, security, 108

databases, supported, 288
db2bak scripts, 362
db2index script, 362
db2ldif script, 362
dbck utility, 109
dbgen.pl utility, 480
DBM files, 21
debug messages, PAM, 172
debug mode, turning on, 279
debugging access control issues, 37
debugging problems (SLAMD), 516
debugging SASL DIGEST-MD5 problems, 281
decentralized data, 16
default authentication method, 205
default configuration files, 337
default containers, 186, 290
default entries, 7
default entry formats, 291
default file system type, 457
default installation directory, 219
default module, 109
default password storage mechanism, 58
default search base, 206
default_principal_expiration parameter, 70
defaultdomain file, 238
defaultSearchBase parameter, 315
defaultServerList attribute, 257
defining authentication methods, 208, 212
defining KDC ports, 70
defining security architecture, 35
defining the name service problem, 3
delete load, 528
deleting multiple entries, 360
delimiters used, 352
denial of service (DoS) attacks, detecting, 258
denial of service attack (DoS), 74
dependencies on other processes, 263
deploying appropriate authentication mechanisms with PAM, 154
deploying different authentication technologies, 158
deploying LDAP, 183


deploying RBAC with LDAP, 439
deployment approaches, 33
DES encryption, 47, 96, 101
DES encryption with Cipher Block Chaining, 69
DES-CBC-CRC key, 69
description attribute, 10
Description field (SLAMD), 519
designing a DIT, 190
desktop display, 264
developing an implementation plan, 4
developing authentication mechanisms (changing environments), 40
DHCP server, 23
diagnosing other idsconfig problems, 267
diagnostic messages generated by PAM modules, 172
dict_file parameter, 71, 77
dictionary file, 71
differences between LDAP utilities, 349
different IP addresses for different interfaces, 294
differentiating server and client versions, 191
Diffie-Hellman GSSAPI mechanisms, 63
Diffie-Hellman keys, 162
digest challenge stage, 45
digest response, 50
digest response stage, 48
digest-challenge, rules for, 45
DIGEST-MD5, 8, 38, 179, 290
DIGEST-MD5 hash, 50
DIGEST-MD5, authenticating with, 61
digest-uri, 51
digital certificate, 39, 118
digital signatures, 43, 103
Directory Base DN field, 532
directory client authenticates itself, 36
Directory Console Performance Counters, 405
directory data backup and recovery, 400, 406, 409
directory data replication, managing, 417
directory data, accessing, 17
directory information tree (also see DIT), 7, 184, 287
directory management tasks, identifying, 400
Directory Manager, 271

directory objects and attributes, 9
directory root, 7
directory schema, 10
Directory SDK for Java, 377
directory server access control instructions (ACIs), setting, 404
directory server access logs, examining, 427
Directory Server Address field, 531
directory server benchmarks, 465
Directory Server Certificate wizard, 233
directory server configuration problems, 260
Directory Server Console plug-in, 194
Directory Server Console Schema Display, 441
directory server core configuration, 542
directory server definition, 6
Directory Server Entry (DSE), 8, 184
Directory Server Heap Allocator, 194
directory server monitoring, 405
directory server packages, 193, 195
directory server performance tuning, 541
Directory Server PerLDAP modules, 194
Directory Server Port field, 532
directory server replication and benchmarking, 479
directory server settings for benchmarks, 477
directory server software and performance, 444
Directory Server Status screen, 427
Directory Server supporting Secured LDAP Clients, 359
directory server, basic parameters, 247
directory server, binding to the, 290
directory server, restarting, 234
directory server, stopping and starting, 362
directory servers, multiple, 7
directory service instances, 7, 262
Directory Service Markup Language (DSMLv2), 2, 550
directory service, definition, 6
directory services, monitoring, 424
directory suffix, 7, 184
directory suffix, adding, 362
directoryserver command, 219, 224
directoryserver wrapper, 407


directoryserver wrapper script, 193, 362
disable caching, 258
disabling client authentication, 131
disabling directory and group objects, 341
disabling the .rhosts file, 171
discovering LDAP services with DNS, 571
disk failures, 459, 473
disk group, 455
disk storage subsystems and performance, 443
disk storage, selecting, 443
disk volumes, 455
displaying contents of cn=monitor, 362
displaying replicas, 421, 422
displaying replication agreements, 421
displaying the userpassword value, 59
distinguished name (also see DN), 8, 10, 184
distributed code, xxvii
distributed load generation engine, 507
distributing directory data, 19
distribution, compressed tar file, 196
DIT example, 188
DIT, viewing with the Console, 365
DN (distinguished name), 8, 10, 184
DN analogy, 286
DN for configuration information, 313
DN syntax, 11
DN, how clients use entry, 287
DN, using for authentication, 287
DNS, 288
DNS addresses, 185
DNS and LDAP, running, 242
DNS and NIS/NIS+, 23
DNS and SLAMD, 509
DNS domain address, 7
DNS domain as the main suffix, 186
DNS FQN failures, 261
DNS Fully Qualified Name (FQN), 260
DNS lookups, 257
DNS, discovering LDAP services, 571
DNS, enabling, 242
DNS, forming an address, 185
DNS, registered address, 185
DNS, registered name, 185

DNS, round-robin, 257
docs.sun.com web site, xxx
documents, X.500, locating, 571
domain, 21
domain component (dc=) attribute, 7, 185
domain name, 250
domain name system (DNS), 23
downloadable scripts and tools, xxvii
DPM, Veritas, 452
drawbacks of crypt(3c), 157
ds5ReplicaTransportGroupSize attribute, 256
DSA, 101
dse.ldif configuration file, 52, 130
dsimport command, 562
DSML, 17
DSML access, 106
DSML authentication options, 556
DSML, configuring, 555
DSMLv2 attributes, 554
DSMLv2 bindings, types of, 550
DSMLv2 functionality, 553
DSMLv2 interface, 549, 553
DSMLv2, URN, 551
dsSaslPluginsPath attribute, 52
ds-start-tls-enabled attribute, 153
DUAconfigProfile object class, 321
dual controllers, 446
dump device, 459
dumping a database in LDIF, 362
dumping password entries, 291
duplicate data, 15
duplicate entry representation, 571
Duration field (SLAMD), 520
Dynamic Host Configuration Protocol (DHCP), 24
dynamic system authentication, 156
Dynamically Loadable SASL Library, 38

E

ease of management, 16, 18
ease of securing data, 18
Edit a Certificate Authority dialog box, 146


editing rpc.nisd, 339
effective rights, 37
email system, 17
emerging directory technologies, 549
enabling authentication mechanisms, 42
enabling credentials, 160
enabling DNS with LDAP, 242
enabling SSL, 233
enabling TLSv1/SSL, 112, 133, 232
enabling TLSv1/SSL on the client, 242
encoding, UTF-8, 47
encrypted attributes, 37
encrypted connection over standard LDAP port, 37
encrypted sessions, 180
encrypted traffic, 151
encryption, 63, 96
encryption cipher, 100
encryption for data stream, 79
encryption limitations, 38
encryption overhead, 97
Encryption tab, 127
encryption type for the KDC, 69
end of feature (EOF), 19
enforcement of uid attribute uniqueness, 11
enhanced Solaris OE PAM features, 154
enterprise-wide naming convention, 32
entries, 7
entries based on the person template, 487
entries, creating unique, 287
entries, creation and deletion, 348
entries, modification of, 348
entries, renaming, 348
entries, searching for, 349
entry formats, 286
entry formats, default, 291
entry names, 7
entry, sample user, 402
entrycmp tool, 417
envelopes, 551
error action attributes, 325
error codes, LDAP v3, 575
Error Correction Coding (ECC), Hamming, 464
error log files, 261, 575

Error Log Properties window, 282
error log tracing, turning on, 282
error reporting, PAM, 172
errors when the system boots, 252
establishing password policies, 75
establishing unique IDs, 32
Ethereal program, 97
ethers database, 23, 288
ethers database (NIS/NIS+), 26, 30
ethers database entry example, 297
evolution of NIS, 20
evolution of NIS+, 21
EWOS directory functional standards, internet drafts, 572
examination of directory server access logs, 427
Example custom tag, using, 501
exec job (SLAMD), 525
exec_attr database, 439
exec_attr database (NIS/NIS+), 27, 32
execution profiles, adding, 307
expiration, ticket, 70
extended LDAP PDU, 152
extended operation, Start TLS, 153
extending the directory schema, 405, 440
extensible schema, 18
extensibleObject object class, 486
extensions, PAM, 168
extents on a file system, 458
EXTERNAL mechanism, SASL, 39
external modules, 109, 140
extracting entries from the directory in files format, 357
extracting LDAP entries, 291

F

failing to authenticate, 38
failover, 19, 21
failover, client, 257
fast disks, 446
FC-AL controllers, separate, 472
FC-AL internal disks, 445


fiber-channel arbitrated loop (FC-AL) controller, 447
fibre-channel arbitrated loop (FC-AL) disks, 446
file binding, 550
file parameter mappings (table), 212
file system type, default, 457
files format, extracting entries, 357
files modified, 238
fingerprint, 43
finish script sample, 246
finish scripts, 255
finished messages, 104
first book, xxiii
flexible crypt(3c), 158
flooding, 453
forcing password changes, 75
format utility, 455, 472
formats for entries, 286
formatting for a request, 151
forming a DNS address, 185
Fortezza cases, 149
Fortezza-compliant hardware, 101
four-way multi-master replication, 445
FQDN hostname, 46
FQN, 257
fragmented data storage, 15
frequently asked questions, 2
fsck(1M), 458
ftp command (secure version), 81
fully qualified host names, 257
Fully Qualified Name (FQN), DNS, 260
functional model, 6
future of NIS/NIS+, 19

G

gateway, 309
gateway deployment (figure), 310
gecos (NIS/NIS+), 28
gecos attributes, 10, 189
general scalability, 466
generated LDIF files (for benchmark), 471
generating a certificate request (Console), 113

generating a self-signed certificate request, 125
generating hashed passwords, 282
generating pre-master secrets, 102
generating sample data for benchmarks, 480
generating TLSv1/SSL client certificates, 137
generating version 2 profiles, 209
generic data services, 259
generic pam.conf file, 166
Generic Security Services Application Program Interface (also see GSSAPI), 62
gentent command, 359
GetEffectiveRights features, 37
GetEffectiveRights mechanism, 37
getent command, 357
getpassphrase() routine, 158
getpwenc script, 362
GID numbers, potential for collision, 29
GID numbers, reserved, 29
gidNumber attribute, 10
global Makefile example, 506
global replacement variables, 484
group conflicts, 29
group database, 288
group database (NIS/NIS+), 26, 29
group database entry example, 293
group identifier (GID), 22
grouping, 256
groups and users, provisioning, 401
groups, POSIX, 187
GSSAPI, 35, 38, 42, 62, 90
GSSAPI authentication and Kerberos v5, 62
GSSAPI layers, 63
GSSAPI LDIF file, 92
GSSAPI support in Solaris OE, 62
GSSAPI, benefits of, 64
GSSAPI, configuring, 90
GSSAPI, Diffie-Hellman, 63
GSSAPI, implementing, 81
GSSAPI, testing, 93
GSSAPI, understanding, 62
GUI-based tools, 364
guidelines for choosing hardware, 443
gunzip command, 481, 510, 515


H

Hamming Error Correction Coding (ECC), 464
handshake protocol (TLSv1), 99
hands-off installation of LDAP clients, 253
hardening, server, 74
hardware configuration, benchmark, 469
hardware failover, 259
hardware RAID, 446, 447
hardware RAID device, 445
hardware RAID versus software RAID, 459
hardware switches, alternative, 258
hardware volume, 455
hash, one-way, 558
hash-value of the message, 174
hello messages, 100
heterogeneous systems, 20
hierarchal structure of NIS+, 22
high availability, 19
high-availability considerations (Sun StorEdge), 451
high-availability options, choosing, 256
high-end storage, 445, 446
highly available data services, 258
highly available service, 445
history, password, 75
homegrown services, 31
homePhone attribute, 10
horizontal scalability, 19, 444
host arrays, cabling of, 472
host names, 250
hosts database, 288
hosts database (NIS/NIS+), 23, 26, 29
hosts database entry example, 294
hosts file, 148
hosts.equiv file, 80
hot spare, 449
how a Solaris client is configured, 249
how clients use entry DNs, 287
how NIS+ data is mapped to LDAP, 328
how PAM and LDAP work, 176
HTTP Digest, 47
HTTP GetRate job (SLAMD), 525
HTTPS, 131, 133

hub server, 11human resource database, 17

I

identifier for the NIS+ Gateway, 334
identifying directory management tasks, 400
identifying secondary groups, 361
identifying the solution, 16
identifying the version, 211
identity mapping, 42, 90, 177
Identity Synchronization for Windows (ISW), 557
idlist block size, 449
IDs, unique, 32
idsconfig command, 180, 187, 189, 193, 225, 321, 353, 359, 413
idsconfig failures, troubleshooting, 266
idsconfig tips, 231
idsktune sample output, 217
idsktune utility, 53, 261
ifconfig command, 31
IMAP protocol, 41
implementing client profiles with SSDs, 404
implementing custom password management policies, 168
implementing netgroups, 404
implementing the GSSAPI mechanism, 81
import and export keys and certificates, 109
importing a signed certificate, 144
importing other databases, 300
incompatible 64-bit installation, 263
incorrect DN specified, 275
increasing I/O speed (storage), 457
incremental database updates (NIS+), 22
index files, 449
indexing and benchmarks, 478
indexing, SLAMD, 540
infadd command, 527
information and X.500 documents, internet drafts, 571
information model, 6, 7
information required by CA, 120

information required to configure LDAP clients, 250
inheritance, 489
initial authentication (SASL DIGEST-MD5), 44
INITIAL_MEMORY variable, 511, 535
initialization parameters, 313
initialization problems, 268
initializing a Kerberos session, 66
initializing a Secured LDAP Client, 147, 357
initializing LDAP Clients, 238
initiating diagnostics reporting for PAM, 173
initiating PAM error reporting, 174
insecure ACI, 190
insecure LDAP, 136
installation directory, default, 219
installation package order, 216
installation process vs. configuration process, 215
installation sample dialog, 251
installations, automating, 244
installations, automating (NIS+), 23
installations, automating LDAP client, 248
installing a SLAMD server, 510
installing certificates, 121
installing certificates (command-line), 124
installing server certificates, 113
installing SLAMD clients, 515
instance (principal component), 67
instance identifier, 73
instance, starting, 362
instance, stopping, 362
instances, directory service, 7
insync tool, 417
integrity, 51, 63
integrity of data, 43
interactive installation example dialog, 251
interface, SASL, 8
internal software module, 109
International Components for Unicode Files, 194
International Telecommunication Union (ITU), 571
Internet Drafts, 563
internet drafts X.500 documents, 571
internet drafts, authentication and security, 571
internet drafts, controls and extended operations, 570
internet drafts, EWOS directory functional standards, 572
internet drafts, joint ISO standards and CCITT recommendations, 573
internet drafts, locating, 563
internet drafts, NADF documents, 572
internet drafts, other ISO documents, 573
Internet Drafts, URLs, 564
Internet Print Protocol Draft Schema, 286
Internet Protocol version 6 (IPv6), 30
Internet style domain component (dc=), 7
introduction, 1
invoking startconsole on a protected display, 264
IP address, 250
IP addresses for multiple interfaces, 294
ipHost entry, 250
iPlanet Directory Server 5.1 software, 191
IPLTxxxxx (iPlanet) packages, 192
ipnodes database (NIS/NIS+), 26, 30
IPsec, 43
ISO 8859-1, 47
ISO documents, 573
ISO standards, joint and CCITT recommendations, 573
issues, client post-installation, 252

J

JASS (Solaris Security Toolkit software), 74
Java 1.4.0 specification for SLAMD, 508
Java 2 Platform, 387
Java API, 393
Java Archive (JAR), 535
Java Management Extensions (JMX) agent, 405
Java Message Service (JMS), 558
Java Naming and Directory Interface (JNDI), 377, 393
Java runtime environment, 480
Java Server Pages (JSP) technology, 386
Java Virtual Machine (JVM), 519

Java, Network Security Services (JSS), 194
Java/JNDI, 17
JAVA_HOME variable, 511, 535
JNDI, 393
job cache, 507
job classes, SLAMD default, 525
Job Comments field (SLAMD), 520
Job Dependencies field (SLAMD), 521
Job Execution Data section (SLAMD), 523
job folders, real and virtual, 524
job information, 512
Job Is Disabled checkbox (SLAMD), 521
job, unit of work, 507
journal, 458
JSP Directory Gateway (JDGW), 377, 386
JSP framework, 386
JumpStart finish script sample, 246
JumpStart finish scripts, 255
JumpStart servers, 23
JumpStart technology, 244

K

kadm5.acl file, 72, 86
kadm5.acl sample file, 73
kadmin command, 76
kadmin.local command, 87
kadmind daemon, 69
kdb5_util utility, 69, 85
KDC host principals, creating, 88
KDC keys, 73
KDC log files, 78
KDC root principal, creating, 88
KDC servers, 68
KDC, adding administrators, 72
KDC, backing up, 77
KDC, defining ports, 70
KDC, encryption for, 69
KDC, monitoring, 78
KDC, secure setting in config file, 70
kdc.conf example, 71
kdc.conf file, 70
kdc.log file, 78
kdc_ports parameter, 70
KDC-specific parameters, 70
KEA, 101
keeping track of security modules, 109
Kerberized telnet daemon, 80
Kerberos Key Distribution Center (also see KDC), 68
Kerberos v5, 42
Kerberos v5 access control, 72
Kerberos v5 administration daemon, 68
Kerberos v5 and GSSAPI, 62
Kerberos v5 authentication, 66, 81
Kerberos v5 configuration file (krb5.conf), 84
Kerberos v5 credentials, 62
Kerberos v5 daemons, 88
Kerberos v5 ftp client, 81
Kerberos v5 implementations, open-source, 64
Kerberos v5 login program, 80
Kerberos v5 options, 78
Kerberos v5 packages, 65
Kerberos v5 password policies, 75
Kerberos v5 rcp, 80
Kerberos v5 rlogin and rsh clients, 80
Kerberos v5 Solaris bundling, 65
Kerberos v5 summary, 81
Kerberos v5 telnet client, 79
Kerberos v5 tickets, 66, 68
Kerberos v5, configuring, 83
Kerberos v5, how it works, 66
Kerberos v5, understanding, 64
key agreement with RSA, 96
key database, 133
Key Distribution Center (also see KDC), 66
key exchange, 102
key exchange (RSA), 101
Key Generation dialog box, 139
key performance features, 444
key3.db database, 108, 233
keypair, 138
keys, 73
keys, stored, 31
keys, types of, 69
keytab file, 73

key-value pairs, 21, 22
kinit client, 79
kinit command, 89
krb5.conf file, 78, 80
krb5_get_tickets option, 80
krb5kdc daemon, 69
ktadd command, 73, 89

L

lack of extensibility, 15
large entries (SLAMD), configuring, 539
large file support and VxVM, 459
latency, 256, 527
LBE, LDAP Browser/Editor, 373
LD_LIBRARY_PATH variable, 56, 351
LDAP AddRate job, 527
LDAP AddRate with replica latency job, 528
LDAP and DNS, running, 242
LDAP and LDAPS requests, 133
LDAP and NIS+ mapping, 328
LDAP and snoop, 583
LDAP and the Solaris 9 OE, 2
LDAP APIs, 12, 393
LDAP as a back-end store, 33
LDAP AuthRate job, 529
LDAP bind operation, 287
LDAP Browser/Editor (LBE), 373
LDAP C SDK, 194
LDAP C Software Development Kit (SDK), 377
LDAP client, 12
LDAP client profiles, 250
LDAP client script and file, 240
LDAP commands, tips for, 359
LDAP CompRate job, 529
LDAP control, 552
LDAP controls and extended operations, 570
LDAP C-SDK, 52
LDAP DelRate job, 528
LDAP DelRate with replica latency job, 529
LDAP DIGEST-MD5 AuthRate job, 530
LDAP domain name, 219
LDAP entries, populating, 193
LDAP entries, verifying, 342
LDAP error codes, 575
LDAP Gateway, building an, 381
LDAP identity mapping, 42
LDAP introduction, 1
LDAP load generator with multiple searches job, 531
LDAP Mailgroups Internet Draft schema, 286
LDAP models, 6
LDAP ModRate job, 530
LDAP ModRate job (SLAMD), 526
LDAP ModRate with replica latency job, 527
LDAP operations over SSL, 106
LDAP Perl Modules, 378
LDAP prime job, 526
LDAP protocol exchange, 590
LDAP protocol validation, 258
LDAP proxy servers, 19, 257
LDAP referral, automatic, 258
LDAP referrals, 7
LDAP request elements, 552
LDAP response elements, 553
LDAP RFCs and internet drafts, 565
LDAP SDK for Java, creating a program for, 393
LDAP search and modify load generator, 530
LDAP search filter, 356
LDAP searches, 8
LDAP SearchRate job (SLAMD), 525
LDAP servers as data repositories, 311
LDAP service module for PAM, 159
LDAP standard utilities, 348
LDAP standards information, 563
ldap tag, 238
ldap tag (nsswitch.conf) file, 239
LDAP terms and concepts, 6
LDAP to NIS+ gateway, 309
LDAP toolbox, setting up an, 371
LDAP toolkits and APIs, 377
LDAP v3 protocol, 348
LDAP v3 result codes, 575
LDAP, big picture, 3
LDAP, business case for, 15
LDAP, deploying, 183

LDAP, differences between utilities, 349
LDAP, frequently asked questions, 2
LDAP, how it works with PAM, 176
LDAP, migrating to, 285
LDAP, populating with NIS/NIS+ data, 288
LDAP, storing configuration attributes in, 320
ldap.h file, 575
ldap_cachemgr process, 238, 240
ldap_client_cred file, 238
ldap_client_file example, 210
ldap_client_file file, 238
ldap_gen_profile command, 414
ldapadd command, 350, 351
ldapaddent command, 151, 188, 193, 288, 353, 357, 432
ldapaddent examples, 290
LDAP-aware commands, 359
ldapclient command, 209, 238, 353, 357, 414
ldapclient init command, 151
ldapcompare command, 350
LDAP-compliant directory, 8
ldapdelete command, 350, 360, 528
LDAPJDK, xxix, 394
ldaplist command, 151, 269, 353
ldapmodify interactive mode, 60
ldapmodify utility, 55, 93, 137, 350
ldapmodrdn command, 350, 351
LDAPS, 113
LDAPS communications protocol, 95
LDAPS port, 130
LDAPS requests using client authentication, 136
LDAPS, restricting communication, 130
ldap-schemas.tar.gz downloadable file, xxviii
ldapsearch command, 343
ldapsearch utility, 58, 90, 93, 150, 350, 360, 416
ldapsearch utility (common options), 134
ldapssl_client_init API, 147
LDAPsubtdel program, xxix, 394
LDAPv3, 40, 152
LDAPv3 extended operation plug-in (Start TLS), 37
LDAPv3 standard, 38
LDIF adding NIS+ object schema, 331
LDIF file, GSSAPI, 92
LDIF files, 37
LDIF files, customizing, 485, 499
LDIF for adding extended user attributes, 304
LDIF structure, creating, 479
LDIF to create time zone data, 330
ldif2db utility, 55, 362
legacy naming service, transitioning, 13
levels of authentication, 213
levels, RAID, 460
libc.so library, 155
libdigestmd5.so library, 52
libldap50.so library, 381
libsasl shared library, 38, 52
Lightweight Directory Access Protocol (also see LDAP), xxiii
limiting user access, 434
Linux-PAM, 154
list of container DNs, 354
listenhost parameter, 130
listing preferred and alternate servers, 403
load balancing, 21
load balancing switches, 19
load tested by the SLAMD server, 541
load testing, 507
load-balancing switch, 257
local area networks (LANs), 23, 445
local copy of master key, 69
locale, 250
log files, KDC, 78
log format, 174
log priorities, PAM, 172
LOG_KERN PAM messages, 172
LOG_MAIL PAM messages, 172
LOG_USER PAM messages, 172
logconv.pl script, 427
logger, 507
logging activity, 160
logging and benchmarks, 471
logging option, 458
logging UFS, 458
logical disk, 460
logical units (also see LUNs), 447

logical view of volumes, 473
logical volume, 447
login process searches (NIS/NIS+), 28
login.krb5 login program, 80
loginShell attribute, 10, 439
looking at directory hierarchy, 364
LookMeUp application structure, 388
LookMeUp, customizing, 388
loop standard replacement tag, 498
loss of administration control, 15
lpset command, 308
lsof utility, 263
LUN block size configuration, 449
LUN configurations, 448
LUN parameters, 450
LUN RAID configuration, 448
LUN reconstruction rate, 450

M

MAC algorithm, 100
maintaining duplicate information, 17
maintaining user and group data (NIS), 22
MakeLDIF command, 54, 479, 482
MakeLDIF options, 483
MakeLDIF tags, 491
MakeLDIF template files, 484
MakeLDIF, automating, 502
MakeLDIF-1.3.tar.gz downloadable file, xxviii
making sure administration server is running, 265
Manage Certificates window, 114
Manage Jobs section, 518
management for login service, 179
management tools and toolkits, 347
managing certificate and key databases, 109
managing client profiles, 403
managing client profiles and proxy agent accounts, 412
managing directory data replication, 417
managing proxy agent credentials, 404
managing replica servers, 404
managing scheduled jobs (SLAMD), 522
managing storage, 454
managing users and groups, 401, 432
MAP CheckRate job, 534
map the certificate subject DN to an entry, 136
mapping for public and private keys, 333
mapping from an attribute, 205, 206, 207, 208
mapping function (rpc.nisd), 328
mapping naming service data to LDAP schemas, 286
mapping NIS+ data to LDAP data, 309, 334
mapping RPCs, 31
mapping, testing, 342
mappings, NIS+ to LDAP defaults, 328
maps, 22
maps, NIS/NIS+, 26
master KDC server, 68
master key, local copy, 69
master secret, 104
master servers, 11
masters and consumers, balancing, 258
matrices for password authentication, 179
max_life parameter, 70
MAX_MEMORY variable, 511, 535
max_renewable_life parameter, 70
maxbuf directive, 47
maximum lifetime of a ticket, 70
MD5, 101
MD5 example, 43
MD5 hash, 48, 50
MD5 hashes, 158
MD5 hashing, 43
measuring the scope, 4
mech file, 86
mechanisms for capturing and displaying information, 97
memory and performance, 443
merging data from NIS/NIS+ domains, 357
message authentication code (MAC), 100
message-digest algorithm (also see MD5), 43
Messages Logged section (SLAMD), 523
method for adding authentication support (SASL), 40
methods for custom tags, 499

methods for expressing directory queries, 550
Microsoft’s SSPI, compatibility, 64
migrating from NIS to LDAP-based name services with N2L service, 561
migrating legacy data to LDAP, 285
migration example, 339
migration planning, 26
mirror (RAID 1), 448, 461
mirrored storage, 446
misconfigurations, 269
mismatch between server name and certificate header, 282
missing a critical patch, 260
missing shadowAccount attribute, 276
mistyped passwords, 274
MIT KRB5 Release version 1.0, 65
mixing client and server versions, 214
modeling complex DIT structures, 480
models, LDAP, 6
modification of entries, 348
modified server, 309
modify_policy command, 77
modifying default password policies, 77
modifying rpc.nisd, 328
modprinc command, 76
modrate command, 526
modular PAM service modules, 170
module types, PAM, 164
modules in non-default directories, 168
modutil tool, 109
monitor script, 362
monitoring directory services, 424
monitoring handshake activity, 271
monitoring the KDC, 78
monitoring tools, 405
Mozilla modules, 378
mpsadmserver command, 221, 224, 225
mpxio, 452
multi-homed systems, 29, 294
multi-hosting support, 446
multi-master replication (MMR), 11, 19, 192
multi-master replication example, 418
multi-pathing, 452
multi-pathing support, 450
multiple database technology, 445
multiple databases, 19
multiple directory servers, 7
multiple domains, 30
multiple host names, 287
multiple instances of directory service, 7
multiple IP addresses listed, 257
multiple jobs, concurrent (SLAMD), 514
multiple password policies, 38
multiple password systems, 158
multiple passwords, 159
multi-processor support, 444

N

NADF documents, internet drafts, 572
name service definition, 6
name service requests, 21
Name Service Switch (NSS) layer, 163
names, entry, 7
naming attributes, 286
naming chaos (NIS), 25
naming conventions, 185
naming model, 6
naming service API, 32
naming service, consolidation, 14
naming service, reverting back, 359
naming services, deploying, 183
namingContexts attribute, 184
native LDAP client, 288
native LDAP clients, installing, 253
negotiating optional security layer, 39
nested entries, 7
Netegrity SiteMinder, 534
netgroup database, 288
netgroup database (NIS/NIS+), 26, 30
netgroup entries, creating, 436
netgroups, 22, 434
netgroups, implementing, 404
netmask, 250
netmasks database, 288
netmasks database (NIS/NIS+), 26, 31

netnames, 329
Netscape Communicator, 17
Netscape Directory Server 4.1x software, 191
Netscape Portable Runtime (NSPR), 107
Netscape utilities, 350
netstat command, 263
network bandwidth and performance, 443
network file systems (NFS), 445
Network File Systems (NFS), secure support for, 64
Network Operating System (NOS) authentication, 17
network password, 155
Network Security Services (NSS), 107
Network Security Services for Java (JSS), 194
network services, custom, 23
network topology for benchmarking, 479
network-attached storage, not supported, 445
networks container, 289
networks database, 289
networks database (NIS/NIS+), 26, 30
new PAM modules, 170
newfs command, 472
newkey command, 300
NFS mount points, 30
NFS service principal, 89
NIS domain, 21
NIS Extension to Netscape Directory Server 4.1x, 561
NIS extensions, 309, 562
NIS limitations, 24
NIS passwd maps, 156
NIS security issues, 24
NIS to LDAP Gateway, 561
NIS to LDAP transition service (N2L service), 561
NIS workarounds, 25
NIS+ clients to LDAP clients conversion, 312
NIS+ database as cache for LDAP data, 311
NIS+ gateway, 309
NIS+ gateway components, 310
NIS+ Gateway identifier, 334
NIS+ Gateway software, visible components, 311
NIS+ Gateway without modifications, 337
NIS+ object data, 329
NIS+ object data and entry data, 331
NIS+ to LDAP mapping, 334
NIS+ to LDAP migration example, 339
NIS+LDAPmapping file, 311, 331, 334
NIS+LDAPmapping file, five directives, 334
NIS+LDAPmapping.template file, 311, 328
NIS/NIS+ and DNS, 23
NIS/NIS+ domains, 26
NIS/NIS+ GIDs, 28
NIS/NIS+ maps, 26
NIS/NIS+ UIDs, 28
NIS/NIS+, common uses, 22
NIS/NIS+, eliminating clients, 33
NIS/NIS+, ethers database, 23
NIS/NIS+, evolution of, 20
NIS/NIS+, hosts database, 23
NIS/NIS+, merging data from, 357
NIS/NIS+, user-defined maps, 32
NIS_COLD_START file, 238
NIS_PRIVATE_DIRCACHE file, 238
NisKeyObject object class, 299
nisldapmaptest test utility, 311, 343
nisObject object class, 294
nisplusEntryData object class, 332
nisplusLDAP action-related parameters, 316
nisplusLDAPattributeFromColumn directive, 336
nisplusLDAPbaseDomain parameter, 315
nisplusLDAPcolumnFromAttribute directive, 337
nisplusLDAPconfig object class, 320
nisplusLDAPconfigAuthenticationMethod parameter, 313
nisplusLDAPconfigDN DN for configuration information, 313
nisplusLDAPconfigPreferredServerList parameter, 313
nisplusLDAPconfigProxyPassword parameter, 314
nisplusLDAPconfigProxyUser parameter, 314
nisplusLDAPconfigTLS parameter, 314
nisplusLDAPconfigTLSCertificateDBPath parameter, 314

nisplusLDAPdatabaseIdMapping directive, 334
nisplusLDAPentryTtl directive, 334
nisplusLDAPobjectDN directive, 335
nisplusLDAPproxyPassword parameter, 315
nisplusLDAPproxyUser parameter, 315
nisplusLDAPTLS parameter, 314
no authentication (None), 38
No RPC Credentials warning message, 277
nonce, 42, 46, 50
non-NIS/NIS+ clients, 29
Notify on Completion field (SLAMD), 521
ns-accountstatus script, 362
ns-activate and ns-inactivate scripts, 362
nsCertfile attribute, 111
nsIndexType attribute, 548
nsKeyfile attribute, 111
NSPR for secured connections, 153
NSS and NSPR versions, 107
nsslapd attributes, 110
nsslapd-accesslog attribute, 542
nsslapd-accesslog-logbuffering attribute, 542
nsslapd-allidsthreshold attribute, 544
nsslapd-auditlog attribute, 542
nsslapd-cachememsize attribute, 545
nsslapd-cachesize attribute, 545
nsslapd-dbcachesize attribute, 544
nsslapd-db-home-directory attribute, 545
nsslapd-directory attribute, 544, 547
nsslapd-errorlog attribute, 542
nsslapd-import-cachesize attribute, 545
nsslapd-logdirectory attribute, 544
nsslapd-maxbersize configuration attribute, 539
nsslapd-maxdescriptors attribute, 543
nsslapd-pluginarg0 attribute, 547
nsslapd-pluginEnabled attribute, 556
nsslapd-schemacheck attribute, 543
nsslapd-single-writer attribute, 546
nsslapd-threadnumber attribute, 543
nsSSL3Ciphers attribute, 111
nsSSLActivation attribute, 112
nsSSLClientAuth attribute, 110
nsSSLPersonalityssl attribute, 112
nsSSLServerAuth attribute, 110
nsSSLSessiontimeout attribute, 110
nsSSLToken attribute, 112
nsswitch.conf file, 32, 148, 355, 436
nsswitch.conf file tag mapping, 440
nsswitch.ldap file, 148
nsswitch.ldap file example, 239
NT Security Access Manager (SAM), 557
NTP (clock synchronization), 74
null job (SLAMD), 525
NULL passwords, 290
Number of Clients field (SLAMD), 520
Number of Copies field (SLAMD), 521
number of RPC service threads, specifying, 316

O

object class, 9
object class and attribute mapping, 403, 404
object class mapping (table), 302
object class name, 10
object class violations, 441
object class, ou, 186
object identifier (OID), 9, 86
objects and attributes, 9
obtain cache, 89
obtaining a certificate from a CA, 118
obtaining server certificates, 113
obtaining TGT, 89
old pam_unix module, 170
old style notation, 278
one-way encryption, 156
one-way encryption hashing algorithm, 155
one-way hash, 558
online vs. offline backups, 401
Open Network Computing (ONC) specification, 20
Open Software Foundation (OSF), 156
OpenPAM, 154
operations per second, 467
optimizing SLAMD jobs, 523
optional control flag, 165

options for authentication, 212
options, authentication, 290
options, Kerberos v5, 78
organization (o=) attribute, 7, 185
organization of book, xxv
organization unit (ou), 7
organizing job information (SLAMD), 524
other service name, 167
ou=people container, 289
ou=SolarisAuthAttr container, 304
ou=SolarisProfAttr container, 304
overhead of encryption, 97
overriding the password policy, 169
ownership and object data, 332

P

package clusters, 214
package installation order, 216
packages for Sun Cluster data services, 259
packages, Kerberos v5, 65
packaging changes, 191
PAM abbreviations, 178
PAM account management module for UNIX, 162
PAM account management stack, 162
PAM adding a module, 170
PAM and the .rhosts file, 171
PAM API, 159
PAM application programming interface (API), 605
PAM authentication, 163, 178
PAM authentication functions, 607
PAM authentication mechanisms, 178
PAM Compare, xxviii
PAM configuration control flags, 165
PAM configuration file, 159, 163
PAM configuration file syntax, 163
PAM configuration file update, 163
PAM configurations, 164
PAM control flags, 165
PAM Crack, xxviii
PAM error reporting, 172
PAM error reporting, initiating, 174
PAM file ownership, 163
PAM framework, 159, 161
PAM framework functions, 606
PAM functionality, enhanced, 170
PAM LDAP module (pam_ldap), 174
PAM LDAP password management extensions, 168
PAM library, 161
PAM Logon Times, xxviii
PAM messages generated by the kernel, 172
PAM module types, 160
PAM module verification, 171
PAM module, verifying, 171
PAM modules, 162, 605
PAM modules available for download, 611
PAM modules, new, 170
PAM modules, testing, 626
PAM operation, 161
PAM service modules, 160
PAM service provider interface (SPI), 159, 605
PAM stacking, 160
PAM update of password (table), 179
PAM, how it works with LDAP, 176
PAM, how to add a module, 170
PAM, initiating diagnostics reporting, 173
PAM, relationships between applications, library, and modules, 162
PAM, traditional authentication, 155
PAM, update of password, 179
PAM, using, 161
PAM, writing service modules, 610
pam.conf file, 164, 171, 272, 605, 610
pam.conf file example, 175
pam.conf file, generic, 166
pam_dhkeys PAM module, 162
pam_auth PAM module, 163
pam_authtok_check PAM module, 162
pam_authtok_get PAM module, 162
pam_authtok_store PAM module, 162, 169
pam_chauthtok() function, 609
pam_compare.so.1 stand-alone PAM module, 610

pam_get_item() and pam_set_item() functions, 607
pam_ldap, 159, 177, 213, 531
pam_ldap authentication, 179
pam_ldap file, 175
pam_ldap PAM module, 163
pam_ldap structure, 175
pam_open and pam_close functions, 608
pam_sm_acct_mgmt() function, 609
pam_sm_authenticate() module function, 609
pam_sm_setcred() module function, 609
pam_start() and pam_end() functions, 606
pam_unix, 213
pam_unix authentication, 177, 241
pam_unix module, old, 170
pam_unix style authentication, 189
pam_unix_account PAM module, 162
pam_unix_session PAM module, 163
pamlog file, 174
parameters to initiate action, 313
parameters used to retrieve data, 313
parameters, action-related, 316
parent class, 9
parity stripe, 463
parsing algorithm used by MakeLDIF, 485
parsing template definitions, 498
partner-pair arrays, 450, 451
partner-pairs disk configuration, 447
passwd and shadow database (NIS/NIS+), 26
passwd and shadow database fields, 28
passwd database, 289
passwd.org_dir table, 311
password aging, 160, 168, 434
password classes, 75
Password dialog box, 145
password field, 293
password file created, 234
password history, 75
password key db, 113
password length, 75
password lifetime, 75
password management, 156, 168, 242, 403, 434
password management function, PAM, 609
password management module function, PAM, 610
password management modules, 179
password management stack, 162
password management with an LDAP server, 174
password policy creation, 76
password policy engine, 159
password policy, scoped, 37
password problems, 282
password problems, troubleshooting, 270
password storage mechanism, default, 58
password storage schemes, 33
password stored in clear text, 283
password stored in SSHA, 283
password stored in UNIX crypt format, 283
password synchronization, 558
password syntax checking, 159, 163
password transfer scenarios, 558
password-guessing attacks, preventing, 75
passwords, 8
passwords in crypt format, 273
passwords not retrieved, 276
passwords, absence of, 352
passwords, bidirectional synchronization of, 557
passwords, generating hashed, 282
passwords, mistyped, 274
passwords, plain text, 42
passwords, setting rules for, 38
passwords, storing in UNIX crypt format, 311
passwords, UNIX, 156
passwordStorageScheme attribute, 57, 59
patches for backport, 181
PatchManager and PatchPro utilities, 261
PDU (protocol data unit), 152
performance analysis of network-based applications, 508
performance and directory server software, 444
performance and storage subsystems, 443
performance characteristics, 466
performance counters, 426
performance features, 444
performance impact of TLSv1, 96
performance of UFS, 458

performance stability of logging, 458
performance tuning the directory server, 541
performing administrative tasks, 399
performing directory server benchmarks, 465
PerLDAP, 17, 377
PerLDAP module (package), 194
permissions, 234, 290
permissions, restricting, 36
person.addinfo.jsp file, 388
person.jsp file, 388
physical view of volume block, 474
PIN file, 132
pk12util utility, 109
PKCS #10 Request (example), 117
pkginfo command, 215
plaiding, 457
plaiding for better performance, 470
pluggable authentication (SASL), 39
Pluggable Authentication Module (also see PAM), 40, 154
pluggable authentication service modules, 162
policy.conf file, 158
poor accessibility, 15
POP CheckRate job, 534
POP protocol, 41
populating LDAP entries, 193
populating LDAP with NIS/NIS+ data, 288
port 636, 234
port already in use, 260, 262
port number, 7
POSIX defined groups, 187
POSIX groups, 403
posixAccount auxiliary object classes, 293
posixAccount entries, 368
posixAccount object class, 274
posixAccount schema definition, 10
POSIX-defined fields, 401
potential problems, 263
PPP, 43
Preface, xxiii
Preferred Servers prompt, 231
preferredServerList attribute, 257, 314
premaster secret, 102
preparing a JumpStart server, 245, 254
pretesting, benchmark, 468
primary (principal component), 67
principal, 22
principal database, 68
principal names and netnames, 333
principals, 67, 329
principals and expiration, 71
principals, adding, 87
principals, privileged, 73
print spooler, 309
printer entries, 308
printers database, 300
privacy support (encrypted data streams), 64
private key, 97, 98, 120, 140
private keys (NIS+), 23
privileged principals, 73
privileges allowed, 72
problems, correcting common, 260
prof_attr database, 439
prof_attr database (NIS/NIS+), 27, 32
prof_attr file, 306
prof_attr RBAC database, 302
profile data, 22
profile descriptions, adding, 306
profile schema, 180
profile TTL attribute, 207
profile, creating, 358
profile_server variable, 254
profiles, creating additional, 413
programming interface (GSSAPI), single, 63
Projects database, 300
proliferation of multiple data stores, 3
promiscuous mode (feature in network apps), 97
prompts used in examples, xxxi
propagate data, 21
propagating incremental database updates (NIS+), 22
Property Editor, 368
protection levels (ftp), 81
protocol analyzers, 97
protocol database (NIS/NIS+), 27, 31
protocol decoders for snoop, 588

protocol, LDAP v3, 348
protocols database, 289
protocols database (NIS), 23
protocols, wire, 63
providing authentication with SASL, 38
provisioning users and groups, 401
proxies through SASL (not supported), 42
proxy (authentication) ID, 42
proxy agent account, 177
proxy agent bind fails, 275
proxy agent credentials, managing, 404
proxy anonymous authentication, 213
proxy authentication, 213
proxy DN attribute, 207
proxy password, 178
proxy password attribute, 207
proxy password, changing on client, 359
proxy servers, 19
Proxy User DN field, 532
Proxy User Password field, 532
proxyagent password, 404
proxyDn example, 239
proxypassword example, 239
public key, 97, 299
Public Key Cryptography Standard (PKCS) #11, 108
public key technology, 22
public keys (NIS+), 23
public void initialize() method, 499
publickey database, 289
publickey database (NIS/NIS+), 27, 31
publickey database entry example, 299
pwdhash command, 282

Q

qop-options, 46

R

RAID 0, 448
RAID 0 (stripe), 460
RAID 0+1, 462
RAID 1, 448
RAID 1 (mirror), 461
RAID 1+0, 462
RAID 1/0 (mirroring & striping), 470
RAID 2 and 3, 464
RAID 4, 464
RAID 5, 448, 463
RAID 5 LUN layout of eight disks, 453
RAID 5 LUN with a hot spare, 450
RAID 5 stripe, 457
RAID device, 445
RAID explained, 459
RAID levels, 460
RAID levels, usable, 448
RAID manager device, 459
RAM, adding additional, 444
random data access, 474
random reads, 461
random seed, 156
random writes, 461
RBAC database fields and equivalent attributes, 303
RBAC databases, 439
RBAC databases mapped to LDAP object classes, 302
RBAC entries, creating with LDIF, 304
RBAC-related databases, 300
RBAC-related object classes, attributes for, 302
RC2 and RC4, 101
RC4 encryption, 47, 96
rcp (Kerberos v5 version), 80
read ahead policy, 450
read and search privileges, 270
read and write caching, 446
read-only replicas, 11
reads and writes, 444
real job folders, 524
realm, 46, 49
realm (principal component), 67
realm names, changing, 84
realm, server’s specified, 48
realms, 68


receipt of a return code, 467
recommended configurations for Sun ONE Directory Server software, 453
recommended transition tasks, 311
record protocol (TLSv1), 99
recovery, backup and, 400
redo logs, 461
reducing load on master server, 11
reducing operational costs, 16
redundancy, 453
redundant array of inexpensive disks (also see RAID), 459
redundant power supplies, 451
referrals, LDAP, 7
refreshing cache, 416
registered DNS address, 185
registered DNS name, 185
Registration Authorities (RA), 118
regulations, U.S. government, 38
relationships between NSS and NSPR, 107
Relative Distinguished Name (RDN), 8, 286, 336
remote procedure call (RPC), 155
removing replicas, 422
removing test entries, 344
renaming entries, 348
repairing certificate databases, 109
replacement variables, 485
replcheck.pl tool, 423
repldisc tool, 417
replica servers, managing, 404
replicas, adding, 444
replicas, displaying, 422
replicas, read-only, 11
replicas, removing, 422
replicating a schema, 362
replication, 11
replication agreements from scripts, creating, 417
replication and benchmarking, 479
replication from a consumer, forcing, 421
replication latency, 527
replication management, 421
replication over a WAN, 256
replication over SSL, 106
replication status, checking, 423
replication update vector, 423
replication, four-way multi-master, 445
request document (DSMLv2), 551
request elements, LDAP, 552
Request for Comments (RFC) life cycle, 564
Request for Comments (RFC), LDAP-specific, 565
Request for Comments (RFC), locating, 563
Request Submission dialog box, 117
requesting a certificate from a certificate authority, 117
requesting a certificate signature, 232
Requestor Information dialog box, 115
required control flag, 165
required processes for TLSv1/SSL, 112
requiring client authentication, 131
requisite control flag, 165
resiliency, 447
resiliency by mirroring volumes, 454
resiliency, storage, 459
resolv.conf file, 83
resolver, 82
response document (DSMLv2), 551
restarting replication, 421
restarting the directory server, 234
restart-slapd script, 362
restoreconfig script, 362
restoring a backup, 362
restoring a database from LDIF, 362
restoring o=NetscapeRoot, 362
restricting access to information, 36
restricting automount access on client systems, 437
restricting LDAPS communication, 130
restricting user access, 404
result code, success, 272
result codes (Start TLS), 153
result codes, LDAP v3, 575
results of trace, 273
retrieving SASL plug-ins, 52
retrieving the root DSE, 135
return code, receipt of, 467
returning matched values (LDAP v3), 571
reverse address resolution protocol (RARP), 23


reverting back to old naming service, 359
revocation password, 120
RFC 1321, 43
RFC 1510, 81
RFC 1823, 565
RFC 2222, 39, 40
RFC 2246, 152
RFC 2247, 565
RFC 2251, 38, 59, 550, 565, 575
RFC 2252, 566
RFC 2253, 566
RFC 2254, 566
RFC 2255, 566
RFC 2256, 566
RFC 2307, 328, 333, 368, 567
RFC 2307 bis, 328
RFC 2307 bis Network Information Service Schema, 286
RFC 2307 schema files, 193
RFC 2589, 567
RFC 2596, 567
RFC 2696, 567
RFC 2713, 567
RFC 2714, 567
RFC 2739, 568
RFC 2743, 62
RFC 2798, 568
RFC 2829, 42, 176, 568
RFC 2829 (authentication methods), 38
RFC 2830, 153, 568
RFC 2830 (Extension for TLS), 38
RFC 2831, 176
RFC 2849, 568
RFC 2891, 569
RFC 3045, 569
RFC 3296, 569
RFC 3377, 38, 569
RFC, life cycle, 564
RFCs, 563
rhosts file, 80
rights, user, 9
rlogin (Kerberos v5 version), 80
Role-Based Access Control (also see RBAC), 286, 404, 439
role-based accounting databases, 32
root Directory Server Entry (DSE), 8
root DSE, 90
root makefile, sample, 503
root password, 250
root principal, KDC, 88
rootkey file, 238
rpc database, 289
rpc database (NIS), 23
rpc database (NIS/NIS+), 27, 31
rpc.nisd (configuration file for NIS+), 312
rpc.nisd modified version for gateway, 309
RSA, 100, 101
rsh (Kerberos v5 version), 80
rules for a digest-challenge, 45
running DNS and LDAP naming services, 242
running kadmin.local, 87
running the idsktune command, 216
runtime environment, JAVA, 480
run-time pluggable modules, 154

S
safer network environment, 81
salt string, 156
salt, definition of, 157
Salted Secure Hashing Algorithm (also see SSHA), 58, 176, 271
sample custom tag implementation, 500
sample user entry, 402
SASL (Simple Security Access Layer), 8, 38
SASL authentication mechanism, 39
SASL bind, 52
SASL components, 41
SASL CRAM-MD5, 180
SASL DIGEST bind request, 57
SASL DIGEST-MD5, 192, 290
SASL DIGEST-MD5 and pam_ldap, 179
SASL DIGEST-MD5 mechanism, 42, 52
SASL DIGEST-MD5, debugging, 281
SASL DIGEST-MD5, setting up, 52


SASL DIGEST-MD5, support through RFC 2829, 42
SASL EXTERNAL mechanism, 39, 95
SASL GSSAPI, 192
SASL packages, 194
SASL plug-in directories, 52
SASL Principal variable, 92
SASL protocol exchange, 41
SASL, understanding, 40
saveconfig command, 408
saveconfig script, 362
SCA 1000 card, 112
scalability, 19, 446
scalability of logging, 458
scalability of the directory server, 444
scalability, vertical, 466
Schedule Job button (SLAMD), 522
scheduler, 507
scheduling jobs for execution (SLAMD), 508, 519
scheduling SLAMD jobs, 535
schema configuration files, 9
schema definition for principled names and netnames, 333
schema definitions, 440
schema definitions for nisplusLDAPconfig object class, 322
schema definitions, additional, 328, 329
schema definitions, creating, 441
Schema display, 440
schema, directory, 10
schema, Internet Print Protocol, 286
schema, LDAP Mailgroups Internet Draft, 286
schema, RBAC, 286
schema, Solaris Project, 286
schema_push.pl script, 362
schemas, extending, 405, 440
schemas, extensible, 18
scoped password policy, 37
scopes, 371
screen.properties file, 388
script for creating user entries, 432
scripts and tools download URL, xxix
scripts, list of, 362
SCSI disks, 470
SCSI disks, local, 445
SDRK (Sun ONE Directory Server Resource Kit software), 108
search base, 8
search descriptor, 290
search filter, LDAP, 356
search path for naming service data, 403
search time limit attribute, 207
search, base level, 184
searches, LDAP, 8
searching for entries, 349
searching for job information (SLAMD), 524
searchrate command, 525
secmod.db database, 109
secondary groups, 29
secondary groups, identifying, 361
secret key cryptography (Kerberos), 62
secret, shared, 42
secure authentication, 63
secure communications, 95
secure ftp command, 81
secure hash algorithm (SHA), 176
secure port number, 109
secure remote applications, 64
secure RPC calls, 162
secure RPC equivalent netnames, 333
secure RPC mechanism, 155
secure setting in the KDC config file, 70
Secure Sockets Layer (SSL), 94, 95
secure.driver script, 74
Secured LDAP Client, 12, 33, 35, 43, 44, 48, 244, 257
Secured LDAP Client authentication methods, 148
Secured LDAP Client backport to Solaris 8, 180
Secured LDAP Client containers, required, 186
Secured LDAP Client directory server, support for, 359
Secured LDAP Client library (libsldap.so.1), 147
Secured LDAP Client password, 51
Secured LDAP Client problems, 268
Secured LDAP Client tools, 348
Secured LDAP Client, initializing, 147, 357
securely synchronize clocks, 74


secure-port directive, 130
securing data, ease of, 18
security architecture, defining, 35
security databases, 108
Security Device Password Window, 114
security feature attributes, 110
security features, 36
security file, 170
security hole, 271
security infrastructure for PAM framework, 159
security infrastructure for PAM module types, 160
security infrastructure using PAM, 161
security infrastructure, PAM configuration file, 163
security model, 6
security model, description of, 9
security of data, 43
security, PAM, 155
selecting storage, 443
self-signed certificate request, 125
sending update requests, 256
Sendmail facility, 31
separating users in different subtrees, 287
sequential reads and writes, 461
server authentication, 95, 98
server certificate, 219
server configured as its own client (caution), 288
server hardening, 74
server name, 7
server_policy option, 163, 169
server-specified data string, 46
service authentication method attribute, 208
Service Availability Manager (SAM), 425
Service Availability Manager (SAM) add-on for SunMC, 405
service credential levels attribute, 208
service modules, 168
service name, PAM, 164
service packs, 193
Service Search Descriptor (SSD), 33, 180, 231, 356, 403, 412
serviceAuthenticationMethod attribute, 213, 242
services database, 289
services database (NIS), 23
services database (NIS/NIS+), 27, 31
servlet engine, 536
session ID, 100
session keys, 104
session management, 156
session management functions, PAM, 608
setting directory server access control instructions (ACIs), 404
setting ownership and access rights of objects, 331
setting rules on password usage, 38
setting up an LDAP toolbox, 371
setting up authentication for proxy and users, 212
setting up SASL DIGEST-MD5, 52
setting up the administration server (interactive mode), 221
setting up the administration server (silent mode), 224
setting up the directory server (interactive mode), 219
setting up the directory server (silent mode), 222
setting up the Sun ONE Directory Server software (task overview), 244
setting up TLSv1/SSL (summary), 154
setting your DNS domain as the main suffix, 186
settings used for access control (SLAMD), 519
settings, listing, 358
shadow database, 28, 289
shadow database (no container), 289
shadow file, 156
shadowAccount auxiliary object classes, 293
shared library, libsasl, 38
shared packages, 194
shared secret, 42, 43, 45, 98
sharing automaps, 214
Show Advanced Scheduling Options button, 520
shutdown.sh shell script, 511
signed certificate components, 142
signed server certificate, 232
signer certificate, 243
Simple authentication, 8, 179, 290
Simple Authentication and Security Layer (also see SASL), 38, 40, 176


Simple Network Management Protocol (SNMP), 405
Simple Security Access Layer (SASL) interface, 8
Simple, password-based authentication, 39
Simulated Client Address Range field, 533
simulating deployments, 490
single sign-on, 159
single-master replication, 11
SiteMinder LDAP load simulation job, 534
Six Sigma terminology, 3
SKIPJACK, 101
SLAMD, 507
SLAMD administrative interface, 511, 517
SLAMD administrative interface (figure), 518
SLAMD advanced options, 520
SLAMD architecture, 540
SLAMD client application, xxviii
SLAMD client script options, 516
SLAMD clients, 507, 514
SLAMD clients, installing, 515
SLAMD common configuration parameters, 519
SLAMD components, 507
SLAMD configuration parameters (table), 512
SLAMD default job classes, 525
slamd directory, 510
SLAMD indexing, 540
SLAMD offline, 537
SLAMD overview, 508
SLAMD preliminary requirements, 508
SLAMD real job folders, 524
SLAMD server distribution, xxviii
SLAMD Server Status link, 537
SLAMD standalone clients, using, 535
SLAMD time synchronization, 509
SLAMD virtual job folders, 524
SLAMD, cache tuning, 539
SLAMD, configuring large entries, 539
SLAMD, confirmation of startup, 513
SLAMD, installing the server, 510
SLAMD, optimizing, 523
SLAMD, organizing job information, 524
SLAMD, re-reading configuration parameters, 538
SLAMD, restarting, 537
SLAMD, settings for access control, 519
SLAMD, stages of jobs, 522
SLAMD, starting and stopping, 536
SLAMD, tuning the configuration directory, 539
SLAMD, viewing job execution results, 522
slamd_client-1.5.1.tar.gz downloadable file, xxviii
slamd-1.5.1.tar.gz downloadable file, xxviii
slapd pin file, 131
slapd-instance directory, 361
slave KDC server, 68, 69
Slot NSS Internal Cryptographic Services, 140
Slot NSS User Private Key and Certificate Services, 140
SLP, 43
smart cards, 108
smattrpop command, 188, 359
sniffers, 97
snoop trace, 272
snoop with LDAP, 583
snoop, using with LDAP, 583
SOAP request/response binding, 550
software characteristics, 444
software RAID versus hardware RAID, 459
SOL9-PAM_Modules.tar.gz downloadable file, xxviii
Solaris 8 backport and ldapaddent command, 288
Solaris 8 LDAP utilities, 350
Solaris 8 OE specific packages, 196
Solaris 8 patch client (Phase 2), 237
Solaris 8, backport for Secured LDAP Client, 180
Solaris 9 client, 238
Solaris 9 LDAP utilities, 350
Solaris 9 OE and LDAP, 2
Solaris Easy Access Server package (SEAS), 65
Solaris GSSAPI support, 62
Solaris LDAP authentication load generator is a job, 531
Solaris LDAP client, 12
Solaris Management Console (smc) with an LDAP toolbox, 370
Solaris Native LDAP Client, 251
Solaris OE logging option, 458


Solaris OE login daemon, 80
Solaris PAM framework, 159
Solaris Project schema, 286
Solaris Security Toolkit software, 74
Solaris software revisions, xxiv
Solaris user account information, 10
Solaris Volume Manager software, 454
Solaris, UNIX crypt, 156
SolarisAttrKeyValue attribute, 305
SolarisAuthAttr object class, 302
SolarisExecAttr object class, 302
SolarisProfAttr object class, 302
SolarisUserAttr object class, 302
Solstice DiskSuite (former name), 454
specifying a key, 21
specifying an IP address (TLSv1/SSL), 130
specifying rules for mapping NIS+ to LDAP, 336
specifying subdomains, 186
specifying support for an SSL version, 110
splitting users into different categories, 187
SSHA (see Salted Secure Hashing Algorithm), 101
SSL and TLS development cycle, 94
SSL and TLSv1 protocol support, 93
SSL handshake flow chart, 105
SSL Key Store field, 533
SSL Key Store Password field, 533
SSL Trust Store field, 533
SSL Trust Store Password field, 533
SSL, automatic startup, 234
sslapd-require-index attribute, 546
ssltap utility, 109
SSLv2, 94, 110
SSLv3, 94, 110
stacking, 160
stacking of PAM modules, recommended, 272
stages of jobs (SLAMD), 522
stale directive, 46
standard LDAP utilities, 348
standard profile attributes, 306
standard replacement tags, 491
standards information, 563
Start Time (SLAMD), 520
Start TLS cipher policy, 153
Start TLS extended operation, 153
Start TLS extended response, 152
Start TLS overview, 152
Start TLS result codes, 153
Start Transport Layer Security (see Start TLS), 37
start_client.sh script, 515
start-admin program, 132
startconsole application, 264
starting a directory server instance, 362
starting SLAMD, 536
starting the Tomcat servlet engine, 537
start-slapd script, 362
Startup Configuration section, 519
stash file, 69
stash file password, 69
stash files, creating, 69
Statistics Collection Interval field (SLAMD), 520
Stop Time field (SLAMD), 520
stopping a directory server instance, 362
stopping and starting the directory server, 362
stopping and starting the Tomcat server, 392
stopping replication, 421
stopping SLAMD, 536
stopping the Tomcat servlet engine, 538
stop-slapd script, 362
storage architecture for benchmark, 470
storage arrays with cache, 446
storage layout for benchmark, 472
storage resiliency with RAID, 459
storage subsystems, high-end, 446
storage subsystems, survey of, 445
storage, mirrored, 446
storage, selecting, 443
storing configuration attributes in LDAP, 320
storing configuration data, 184
storing information about SLAMD jobs, 539
storing passwords in UNIX crypt format, 311
storing user account information, 7
strcmp(3c), 158
stress testing, 508
string-valued attribute, 9
stripe (RAID 0), 448, 460
stripe and parity (RAID 5), 448


striped volumes, 472
striping disks (physical and logical), 457
strong authentication, 64
subdomains, 186
submitted request example, 142
subnet, 21
success criteria, 467
success result code, 272
sufficient control flag, 166
suffix name, choosing, 185
suffix names, 185
suffix, creating, 186
suffix, directory, 7
suffix2instance script, 362
SumCustomTag class, 501
Sun BluePrints OnLine, xxx
Sun BluePrints Program, xxx
Sun Cluster 3 core components, 258
Sun Cluster 3 LDAP data services, 258
Sun Cluster component, 194
Sun Cluster HA agents (packages), 196
Sun Cluster technology, 19, 256
Sun Crypto Accelerator 1000 card, 109
Sun Download Center, xxix
Sun Enterprise Authentication Mechanism (SEAM) software, 65
Sun Fire 420R system, 469
Sun Fire E280R systems, 446
Sun Fire V880 servers, 469
Sun Fire v880 servers, 446
Sun Management Center (SunMC) software, 424
Sun Management Console (smc), 369
Sun ONE Certificate Manager, 118, 138
Sun ONE Console fails to start, 263
Sun ONE Directory Console, 364
Sun ONE Directory Console, adding new entries, 366
Sun ONE Directory Console, New User form, 367
Sun ONE Directory Console, viewing the DIT, 365
Sun ONE Directory Server 5.2 software, 2, 6, 191
Sun ONE Directory Server password policy engine, 163
Sun ONE Directory Server Resource Kit (SDRK), 18
Sun ONE Directory Server Resource Kit (SDRK) software, 108
Sun ONE Directory Server software
    5.2 utilities (SVR4 packages), 350
    5.2 utilities (tar file), 350
    configuring as a configuration server, 326
    encryption port 636, 130
    packages, 193
    performance counters, 426
    recommended configurations, 453
    security features, 36
    unbundled utilities, 350
    utilities, advantages of, 351
    volume managers, and, 454
Sun ONE Message Queue (MQ), 558
Sun ONE Server Console, 132, 194
Sun ONE Web Server 6.0, 509
Sun OS 5.0 Network Information Service (NIS+), 155
Sun StorEdge 9900 products, 446
Sun StorEdge A1000 systems, 445
Sun StorEdge D1000 systems, 445
Sun StorEdge QFS software, 458
Sun StorEdge T3b array, 447, 470
Sun StorEdge T3b array (recommended configuration), 450
Sun StorEdge T3b array architecture, 447
Sun StorEdge T3b storage array, 445
Sun technical documentation, xxx
SunMC components, 425
Sun's benchmark configuration, 469
SUNWkdcr Kerberos package, 65
SUNWkdcu Kerberos package, 65
SUNWkrbr Kerberos package, 65
SUNWkrbu Kerberos package, 65
SUNWkrbux Kerberos package, 65
SUNWlldap package, 349
SUNWmakeldif.tar.gz downloadable file, xxviii
SUNWmltempl.tar.gz downloadable file, xxviii
SUNWnisr package, 310
SUNWnisu package, 310
SUNWntpu package, 74
supplier, 256


supplier directory, 527
supplier server, 11
supported databases, 288
supported_enctypes parameter, 71
survey of storage subsystems, 445
SVR4 packages for Sun Cluster data services, 259
syntax, DN, 11
Synthetic Transaction Module (STM), 425
sysidcfg file, 31, 249
sysidcfg file syntax, 253
sysidnet program, 249
sysidtool suite of programs, 249
sysidtools, 24, 238
syslog channel, 173
syslog.conf file, 173
system log (syslog), 281
system software details (benchmark), 470
systems used in benchmark, 469
sys-unconfig command, 249

T
T3 volumes, 448
tag evaluation order, 498
tags, attribute value reference, 496
tags, custom, 480, 499
tags, template file, 490
tasks, common, 400
TCP, 43
TCP/IP port 636 (default), 110
technology, emerging, 549
telnet client, Kerberos v5, 79
template definition, parsing, 498
template definitions, 484, 487
template file tags, 490
template files for MakeLDIF, xxviii, 484
terms and concepts, LDAP, 6
test harness, benchmark, 468
Test Registration Authority, 119
Test Registration Authority window, 120
testing connectivity, 135
testing mapping, 342
testing PAM modules, 626
testing the GSSAPI mechanism, 93
testing the NIS+ Gateway, 343
text string converted to a hashed string, 157
third party toolkits, 18
Thread Startup Delay field (SLAMD), 521
Threads per Client field (SLAMD), 520
throughput, 466
ticket (Kerberos), 66
ticket renewal time, 70
ticket, maximum life, 70
ticket-granting ticket (TGT), 66
tickets and credentials, 66
Time Between Copy Startups field (SLAMD), 521
time synchronization and SLAMD, 509
time to live default, 231
time zone, 250
timeout limits, 403
timeouts for LDAP, parameters that establish, 315
timezone attributes and object classes, 328
timezone schema, 329
tips for idsconfig, 231
tips for LDAP commands, 359
TLS, 8, 94, 95
TLS protocol above TCP/IP, 99
TLS protocol in the network layer, 99
TLS Protocol Version 1.0, 152
TLS SIMPLE, 179, 290
TLSv1 handshake, 98
TLSv1 SASL, 290
TLSv1, types, 98
TLSv1, why use it, 96
TLSv1/SSL client architecture, 133
TLSv1/SSL clients, enabling, 242
TLSv1/SSL configuration overview, 109
TLSv1/SSL in the Console, 131
TLSv1/SSL problems, 281
TLSv1/SSL protocol support, 93
TLSv1/SSL requests, 234
TLSv1/SSL socket, 153
TLSv1/SSL tools, 108, 109
TLSv1/SSL verifying, 150
TLSv1/SSL, activating, 126
TLSv1/SSL, additional information, 130


TLSv1/SSL, enabling, 112, 232
TLSv1/SSL, enabling in the Administration Console, 133
TLSv1/SSL, generating client certificates, 137
TLSv1/SSL, performance impact, 96
TLSv1/SSL, setting up (summary), 154
TLSv1/SSL, specifying an IP address, 130
Token for the cryptographic operations, 112
Token Password dialog box, 116
tokens, 46
Tomcat server, 387
Tomcat server, stopping and starting, 392
Tomcat servlet engine, starting, 537
Tomcat servlet engine, stopping, 538
toolkits and LDAP APIs, 377
tools and toolkits, management, 347
tools for managing directory data replication, 417
tools for managing local databases, 369
tools for troubleshooting, 260
tools, administration, 361
tools, command-line, 348
tools, GUI-based, 364
tools, migration, choosing, 33
tools, Secured LDAP Client, 348
tools, TLSv1/SSL, 109
trace, results of, 273
traditional Solaris authentication with PAM, 155
traditional Solaris authentication with UNIX crypt, 156
transaction log, 541
transaction logs and benchmarks, 471
transition tasks, recommended, 311
transition tools, 20
transitioning from a legacy naming service, 13
translation of host names to IP addresses, 23
Transport Layer Security (also see TLS), 35
tree-like structure, 7
triple-DES cipher, 47, 101
troubleshooting, 406
troubleshooting client initialization problems, 268
troubleshooting console login rejections, 264
troubleshooting idsconfig failures, 266
troubleshooting the NIS+ Gateway, 343
troubleshooting tips (NIS+ Gateway), 344
troubleshooting tools, 260
trust store, 126
trusted server, 52
trusting a CA, 123
try_first_pass option, 274
tuning parameters to consider, 247
tuning the configuration directory (SLAMD), 539
turning on debug mode, 279
turning on error log tracing, 282
two approaches to data migration, 285
two systems required, 288
two-bit patterns, difficulty of finding, 43
types of keys, 69
types of PAM service modules, 160
types of TLSv1, 98
types of user authentication, 213
typical.ins file, 223
typographic conventions, xxxi

U
U.S. government regulations, 38
UFS, 472
UFS versus VxFS, 457
uid attribute, 10
uid used as a naming attribute, 293
uidNumber attribute, 10
unauthorized snooping, 18
unbind operation, 8
understanding legacy naming services, 20
understanding the DIT, 184
unique attribute names, 9
unique entries, 287
unique IDs, 32
universal access, 16, 17
Universal Resource Name (URN) for DSMLv2, 551
UNIX crypt, 156
UNIX crypt, benefits and drawbacks, 157
UNIX File System (UFS), 458
UNIX passwords, 156
updating NIS+ data from LDAP, 316
updating the authentication token, 162


updating the schema, 326
uploading NIS+ data, 312
uploading NIS+ data to LDAP, 342
URL, scripts and tools, xxix
Use Specific Clients field (SLAMD), 521
user access, limiting, 434
user access, restricting, 404
user account information, 10
user accounts, creating, 54
user and group accounts, 22
user authentication types, 213
user data vs. configuration data, 400
user entries, creating with a script, 432
user entry not found, 276
User ID field, 532
User Identifier (UID), 22
user login parameters, changing, 438
user login sequence, 287
User Password field, 533
user rights, 9
user_attr database, 439
user_attr database (NIS/NIS+), 27, 32
user_auth database, 32
user-defined NIS/NIS+ maps, 32
username, 49
userPassword attribute, 10, 58, 270, 311
users and groups, managing, 432
users and groups, provisioning, 401
users cannot log in, 268
users, separating in different subtrees, 287
using a different port, 130
using a gateway as a transition tool, 311
using default configuration files, 337
using LDAP as a naming service, 190
using LDAP to store configuration data, 320
using SLAMD standalone clients, 535
usr_attr RBAC database, 302
UTF-8 encoding, 47, 50
utilities, Netscape versions, 350
utilities, standard LDAP, 348

V
validating aliases, 31
validating identity of a user, 90
values associated with database ID, 334
verification of access control policies, 37
Verify a Certificate dialog box, 145
verifying a bind operation, 58
verifying a new PAM module, 171
verifying a user, 58
verifying a user entry, 59
verifying entries for users, 270
verifying installation of the directory server packages, 215
verifying LDAP entries, 342
verifying that TLSv1/SSL is working, 150
verifying the TLSv1/SSL configuration on the server, 237
Veritas block, 456
Veritas disk group, 456
Veritas DMP, 452
Veritas Volume Manager, 454
Veritas VxFS 3.5 software, 458
Version 1 profiles, 414
version identification, 211
versions, differentiating, 191
vertical scalability, 19, 444, 466
viewing job execution results (SLAMD), 522
viewing status of CA request, 121
viewing status of SLAMD server, 517
viewing the DIT with the Console, 365
virtual disk, 459
virtual internet protocol (VIP), 19, 258
virtual job folders, 524
virtual list view (VLV), 189
VLV index, adding, 362
VLV indexes, creating, 229
vlvindex script, 362
volume, 459
volume block, physical view, 474
volume management software, 454, 470
volume slicing, 447
volumes laid out for benchmark, 471
volumes, disk, 455


volumes, logical view, 473
vxassist command, 455
VXFS versus UFS, 457

W
Wait for Available Clients field (SLAMD), 520
WAN replication, 256
web services authentication, 17
web-based enterprise management (wbem) server, 371
Weighted LDAP SearchRate job (SLAMD), 526
why benchmark, 466
wide area network (WAN), 256, 445
wild card (*), 356
window size, 256
Windows 2000 AD, 557
Windows environments, ISW for, 557
Windows logins, 2
wire protocols, 63
words file, 71
workgroup array, standalone, 447
workgroup arrays, 445, 451, 453
wrapper script (directoryserver), 348
writebehind mode, 450
writethrough mode, 450
writing PAM service modules, 610
wrong value for the uid attribute, 276

X
X.500 and X.509 specifications, 185
xhost command, 263
XML documents, performing operations from, 550
XML-Schema, 550
XOR logic engines, 464

Y
Yellow Pages (former name of NIS), 20
ypcat example, 292
