Solaris Trusted Extensions Administrator's Procedures

Configuring the Solaris Management Console for LDAP (Task Map)

The Solaris Management Console is the GUI for administering the network of systems that are running Trusted Extensions.

Task: Initialize the Solaris Management Console.
Description: Initialize the Solaris Management Console. This procedure is performed once per system in the global zone.
For Instructions: Initialize the Solaris Management Console Server in Trusted Extensions

Task: Register credentials.
Description: Authenticate the Solaris Management Console with the LDAP server.
For Instructions: Register LDAP Credentials With the Solaris Management Console

Task: Enable remote administration on a system.
Description: By default, a Solaris Management Console client cannot communicate with a Console server on another system. You must explicitly enable remote administration.
For Instructions: Enable the Solaris Management Console to Accept Network Communications

Task: Create the LDAP toolbox.
Description: Create the LDAP toolbox in the Solaris Management Console for Trusted Extensions.
For Instructions: Edit the LDAP Toolbox in the Solaris Management Console

Task: Verify communications.
Description: Verify that Trusted Extensions hosts can become LDAP clients.
For Instructions: Verify That the Solaris Management Console Contains Trusted Extensions Information

Register LDAP Credentials With the Solaris Management Console

Before You Begin

You must be the root user on an LDAP server that is running Trusted Extensions. The server can be a proxy server.

Your Sun Java System Directory Server must be configured. You have completed one of the following configurations:

  1. Register the LDAP administrative credentials.
    LDAP-Server # /usr/sadm/bin/dtsetup storeCred
    Administrator DN: Type the value for cn on your system
    Password: Type the Directory Manager password
    Password (confirm): Retype the password
  2. List the scopes on the Directory Server.
    LDAP-Server # /usr/sadm/bin/dtsetup scopes
    Getting list of manageable scopes...
    Scope 1 file: Displays the name of the file scope
    Scope 2 ldap: Displays the name of the ldap scope

    Your LDAP server setup determines the scopes that are listed. The LDAP scope is not listed until the LDAP toolbox is edited. The toolbox cannot be edited until after the server is registered.

Example 5-1 Registering LDAP Credentials

In this example, the name of the LDAP server is LDAP1 and the value for cn is the default, Directory Manager.

# /usr/sadm/bin/dtsetup storeCred
Administrator DN:cn=Directory Manager
Password:abcde1;!
Password (confirm):abcde1;!
# /usr/sadm/bin/dtsetup scopes
Getting list of manageable scopes...
Scope 1 file:/LDAP1/LDAP1
Scope 2 ldap:/LDAP1/cd=LDAP1,dc=example,dc=com

Enable the Solaris Management Console to Accept Network Communications

By default, Solaris systems are not configured to listen on ports that present security risks. Therefore, you must explicitly configure any system that you plan to administer remotely to accept network communications. For example, to administer network databases on the LDAP server from a client, the Solaris Management Console server on the LDAP server must accept network communications.

For an illustration of the Solaris Management Console configuration requirements for a network with an LDAP server, see Client-Server Communication With the Solaris Management Console.

Before You Begin

You must be superuser in the global zone on the Solaris Management Console server system. In this procedure, that system is called the remote system. Also, you must have command line access to the client system as superuser.

  1. On the remote system, enable the system to accept remote connections.

    The smc daemon is controlled by the wbem service. If the options/tcp_listen property of the wbem service is set to true, the Solaris Management Console server accepts remote connections.

    # /usr/sbin/svcprop -p options wbem
    options/tcp_listen boolean false
    # svccfg -s wbem setprop options/tcp_listen=true
  2. Refresh and restart the wbem service.
    # svcadm refresh wbem
    # svcadm restart wbem
  3. Verify that the wbem service is set to accept remote connections.
    # svcprop -p options wbem
    options/tcp_listen boolean true
  4. On the remote system and on any client that needs to access the Solaris Management Console, ensure that remote connections are enabled in the smcserver.config file.
    1. Open the smcserver.config file in the trusted editor.
      # /usr/dt/bin/trusted_edit /etc/smc/smcserver.config
    2. Set the remote.connections parameter to true.
      ## remote.connections=false
      remote.connections=true
    3. Save the file and exit the trusted editor.
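The procedure above, and the check that the Troubleshooting note asks for, as an added example that is not part of the guide. The functions that inspect svcprop output and edit smcserver.config only process text, so they can be exercised on any POSIX system with a constructed copy of the file; enable_wbem_remote wraps the real Solaris steps and assumes a Solaris host.

```shell
#!/bin/sh
# Added example, not from the Solaris Trusted Extensions guide.

# Return 0 when `svcprop -p options wbem` output on stdin reports
# options/tcp_listen as true (the line looks like
# "options/tcp_listen boolean true").
tcp_listen_is_true() {
    awk '$1 == "options/tcp_listen" && $2 == "boolean" { found = 1; val = $3 }
         END { exit (found && val == "true") ? 0 : 1 }'
}

# Set remote.connections=true in an smcserver.config file, in place.
# Handles every state the file can be in: an active line with some value,
# only a commented-out line ("## remote.connections=false", kept as the
# guide shows), or no line at all. The file is rewritten through cat so
# its ownership and mode are preserved.
set_remote_connections_true() {
    file=$1
    tmp=$file.tmp.$$
    awk '
        /^[[:space:]]*remote\.connections[[:space:]]*=/ {
            if (!done) { print "remote.connections=true"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "remote.connections=true" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Return 0 only if the active (uncommented) remote.connections line is true.
# This is the check to repeat after any wbem restart or enable.
remote_connections_ok() {
    awk -F= '
        /^[[:space:]]*remote\.connections[[:space:]]*=/ {
            gsub(/[[:space:]]/, "", $2); val = $2
        }
        END { exit (val == "true") ? 0 : 1 }
    ' "$1"
}

# Solaris only: steps 1 to 4 of the procedure, run as one unit in the
# global zone. Assumes svccfg, svcadm and svcprop are on the PATH.
enable_wbem_remote() {
    cfg=${1:-/etc/smc/smcserver.config}
    svccfg -s wbem setprop options/tcp_listen=true || return 1
    svcadm refresh wbem && svcadm restart wbem || return 1
    svcprop -p options wbem | tcp_listen_is_true || return 1
    set_remote_connections_true "$cfg"
    remote_connections_ok "$cfg"
}
```

Run remote_connections_ok against /etc/smc/smcserver.config after each wbem restart; a non-zero exit means the parameter was lost and the Console will refuse remote clients again.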
Troubleshooting

If you restart or enable the wbem service, you must ensure that the remote.connections parameter in the smcserver.config file remains set to true.

Edit the LDAP Toolbox in the Solaris Management Console

Before You Begin

You must be superuser on the LDAP server. The LDAP credentials must be registered with the Solaris Management Console, and you must know the output of the /usr/sadm/bin/dtsetup scopes command. For details, see Register LDAP Credentials With the Solaris Management Console.

  1. Find the LDAP toolbox.
    # cd /var/sadm/smc/toolboxes/tsol_ldap
    # ls *tbx
    tsol_ldap.tbx
  2. Provide the LDAP server name.
    1. Open the trusted editor.
    2. Copy and paste the full pathname of the tsol_ldap.tbx toolbox as the argument to the editor.

      For example, the following path is the default location of the LDAP toolbox:

      /var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx
    3. Replace the scope information.

      Replace the text between the <Scope> and </Scope> tags with the ldap:/... line from the output of the /usr/sadm/bin/dtsetup scopes command.

      <Scope>ldap:/<ldap-server-name>/<dc=domain,dc=suffix></Scope>
    4. Replace every instance of <?server?> or <?server ?> with the name of the LDAP server.
      <Name>This Computer (ldap-server-name: Scope=ldap, Policy=TSOL)</Name>
      services and configuration of ldap-server-name.</Description>
      and configuring ldap-server-name.</Description>
      ...
    5. Save the file, and exit the editor.
  3. Refresh and restart the wbem service.
    # svcadm refresh wbem
    # svcadm restart wbem
Example 5-2 Configuring the LDAP Toolbox

In this example, the name of the LDAP server is LDAP1. To configure the toolbox, the administrator replaces the instances of <?server ?> with LDAP1.

# cd /var/sadm/smc/toolboxes/tsol_ldap
# /usr/dt/bin/trusted_edit /var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx
<Scope>ldap:/LDAP1/cd=LDAP1,dc=example,dc=com</Scope>

...
<Name>This Computer (LDAP1: Scope=ldap, Policy=TSOL)</Name>
services and configuration of LDAP1.</Description>
and configuring LDAP1.</Description>
...
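The toolbox edit from the procedure above, done non-interactively, as an added example that is not part of the guide. It takes the ldap scope from dtsetup scopes output and applies the two substitutions with sed, so the change can be reviewed before the wbem restart. The toolbox fragment is constructed to mirror the lines the guide shows; the file path and placeholders are the ones the page gives.

```shell
#!/bin/sh
# Added example, not from the Solaris Trusted Extensions guide.

# Print the ldap:/... scope from `dtsetup scopes` output on stdin, e.g.
# "Scope 2 ldap:/LDAP1/cd=LDAP1,dc=example,dc=com" -> "ldap:/LDAP1/...".
ldap_scope_from_dtsetup() {
    awk '$1 == "Scope" && $3 ~ /^ldap:\// { print $3; exit }'
}

# Escape a string for use in a sed replacement that uses '|' as delimiter
# (DNs contain '=' and ',', which are harmless, but '&', '\' and '|' are not).
sed_escape() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# Rewrite TOOLBOX in place: replace every <?server?> / <?server ?>
# placeholder with SERVER, then set the <Scope> contents to SCOPE.
# Placeholders go first so a Scope line that still holds one is rewritten
# as a whole. Default path: /var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx
configure_tsol_ldap_toolbox() {
    toolbox=$1 server=$2 scope=$3
    esc_server=$(sed_escape "$server")
    esc_scope=$(sed_escape "$scope")
    tmp=$toolbox.tmp.$$
    sed -e "s|<?server ?>|$esc_server|g" \
        -e "s|<?server?>|$esc_server|g" \
        -e "s|<Scope>.*</Scope>|<Scope>$esc_scope</Scope>|" "$toolbox" > "$tmp" \
        && cat "$tmp" > "$toolbox" && rm -f "$tmp"
}

# Return 0 if no placeholder remains and the Scope line carries SCOPE.
toolbox_is_configured() {
    toolbox=$1 scope=$2
    ! grep -q '<?server \{0,1\}>' "$toolbox" \
        && grep -qF "<Scope>$scope</Scope>" "$toolbox"
}
```

On the LDAP server, the call sequence is: scope=$(/usr/sadm/bin/dtsetup scopes | ldap_scope_from_dtsetup), then configure_tsol_ldap_toolbox with the toolbox path and server name, then the svcadm refresh and restart of wbem from step 3.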

Verify That the Solaris Management Console Contains Trusted Extensions Information

For an illustration of the Solaris Management Console configuration requirements for a network with an LDAP server and for a network without an LDAP server, see Client-Server Communication With the Solaris Management Console.

Before You Begin

You must be logged in to an LDAP client in an administrative role, or as superuser. To make a system an LDAP client, see Make the Global Zone an LDAP Client in Trusted Extensions.

To administer the local system, you must have completed Initialize the Solaris Management Console Server in Trusted Extensions.

To connect to a Console server on a remote system from the local system, you must have completed Initialize the Solaris Management Console Server in Trusted Extensions on both systems. Also, on the remote system, you must have completed Enable the Solaris Management Console to Accept Network Communications.

To administer the databases in the LDAP naming service from the LDAP client, on the LDAP server you must have completed Edit the LDAP Toolbox in the Solaris Management Console, in addition to the preceding procedures.

  1. Start the Solaris Management Console.
    # /usr/sbin/smc &
  2. Open a Trusted Extensions toolbox.

    A Trusted Extensions toolbox has the value Policy=TSOL.

    • On a trusted network that uses LDAP as a naming service, perform the following tests:
      1. To check that local administrative databases can be accessed, open the following toolbox:
        This Computer (this-host: Scope=Files, Policy=TSOL)
      2. To check that the LDAP server's local administrative databases can be accessed, specify the following toolbox:
        This Computer (ldap-server: Scope=Files, Policy=TSOL)
      3. To check that the naming service databases on the LDAP server can be accessed, specify the following toolbox:
        This Computer (ldap-server: Scope=LDAP, Policy=TSOL)
    • On a trusted network that does not use LDAP as a naming service, perform the following tests:
      1. To check that local administrative databases can be accessed, open the following toolbox:
        This Computer (this-host: Scope=Files, Policy=TSOL)
      2. To check that a remote system's local administrative databases can be accessed, specify the following toolbox:
        This Computer (remote-system: Scope=Files, Policy=TSOL)
  3. Under System Configuration, navigate to Computers and Networks, then Security Templates.
  4. Check that the correct templates and labels have been applied to the remote systems.

    Note - When you try to access network database information from a system that is not the LDAP server, the operation fails. The Console allows you to log in to the remote host and open the toolbox. However, when you try to access or change information, the following error message indicates that you have selected Scope=LDAP on a system that is not the LDAP server:

    Management server cannot perform the operation requested.
    ...
    Error extracting the value-from-tool.
    The keys received from the client were machine, domain, Scope.
    Problem with Scope.

Troubleshooting

To troubleshoot LDAP configuration, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
