Solaris 8 with OpenLDAP: LDAP Cache Manager

/usr/lib/ldap/ldap_cachemgr


5/28/2002 Update:

The bug in nss_ldap which causes multiple NS_LDAP_SEARCH_DNs to be ignored when specified on the same line has been fixed. This means that ldap_cachemgr can be used with LDAP hierarchies other than ou=People. Note that I have not tested the functionality, however Sun specifically addresses this issue in PatchID #108993-07.

This is a very evil, yet oddly helpful program which has a couple of bugs. As far as I can tell, the ldap_cachemgr serves a few purposes:

  1. It caches the contents of the ldap_client_file and ldap_client_cred file. This is important. See the bug list of ldap_cachemgr below.
  2. It can update the ldap_client_file and ldap_client_cred file automatically based on profiles which can be stored in the LDAP directory.
  3. Assists nscd, and allows regular users to perform LDAP lookups.

Bugs with Solaris LDAP support as of Solaris maintenance update 4:

  1. (This bug is fixed by PatchID #108993-07; see above.)
    If you chose a directory other than ou=People, you CAN NOT run ldap_cachemgr. Doing so will cause major problems. It seems that ldap_cachemgr can't deal with having both passwd:(ou=SomethingThatsNotPeople,dc=example,dc=com) and shadow:(ou=SomethingThatsNotPeople,dc=example,dc=com) defined in your ldap_client_file. If you do try this, ldap_cachemgr will be able to look up the passwd information, but it will look for shadow information under ou=People regardless of what you specify. This breaks getspnam() calls, so your users will have NO password. By no password, I mean that you can log in as any user without specifying a password at all.
  2. It appears that if ldap_cachemgr is not running, the contents of the ldap_client_file and ldap_client_cred files are read unbuffered from disk, 1 character at a time. Obviously, if your server is performing massive amounts of LDAP queries, this can be a problem. Luckily, the operating system's filesystem cache will cache this information.

Since the ldap_client_cred file should only be readable by root (it contains the bind password for the Solaris bind DN), normal users cannot perform directory server lookups unless there is a go-between from the user's shell to the LDAP server. This go-between is usually the ldap_cachemgr.

If you decide not to run ldap_cachemgr, it is extremely important that nscd is running. nscd does a fairly reasonable job accessing the directory server for standard users.
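The two risks just described can both be checked from a root shell. The script below is an added example, not part of the original page or of Sun's tooling: it flags accounts whose shadow lookup yields no password (the symptom of bug 1) and verifies that /var/ldap/ldap_client_cred is root-owned and unreadable by group and others. It assumes the Solaris `passwd -s` status format ("name PS|NP|LK ...") and parses `ls -ld` output, so it needs no commands beyond the base system.

```sh
#!/bin/sh
# Added example (not from the original page): audit a Solaris 8 LDAP client
# for passwordless accounts and a readable credential file.
#
# Assumed: `passwd -s user` prints "user NP" for an account with no
# password, "PS" for one with a password, "LK" for a locked one.

# Print the names of accounts whose passwd -s status is NP.
# Reads "name status ..." lines on stdin so it can be tested offline.
nopass_accounts() {
    awk '$2 == "NP" { print $1 }'
}

# Return 0 when an ls -l mode string (e.g. -rw-------) grants nothing to
# group or others, 1 otherwise. A trailing "+" (ACL marker) is tolerated.
mode_is_private() {
    case "$1" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Check one credential file: owner must be root and the mode private.
# Prints a diagnostic for each problem and returns 1 if any was found.
check_cred_file() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    set -- $(ls -ld "$file")          # mode links owner group size ...
    mode=$1; owner=$3
    status=0
    if [ "$owner" != root ]; then
        echo "$file: owned by $owner, expected root"; status=1
    fi
    if ! mode_is_private "$mode"; then
        echo "$file: mode $mode is readable by group or others"; status=1
    fi
    return $status
}

# The live audit runs only when invoked as "sh audit.sh audit", so that
# sourcing the file (or running its tests) never touches the system.
if [ "${1:-}" = audit ]; then
    check_cred_file /var/ldap/ldap_client_cred
    # Ask passwd -s for the status of every account nss knows about
    # (local files and LDAP alike); NP means a login with no password.
    for u in $(getent passwd | cut -d: -f1); do
        passwd -s "$u"
    done | nopass_accounts | sed 's/^/passwordless account: /'
fi
```

Run it as root after any change to the search DNs in ldap_client_file; a single "passwordless account:" line for an LDAP user is the bug described above, and the fix is the patch, not a workaround in the script.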

Now that you've heard why not to run ldap_cachemgr, let's talk about why you should run ldap_cachemgr. If you have chosen to conform to Sun's ou=People style hierarchy for your LDAP schema, you are in luck. You can store profiles in your LDAP server which hosts will occasionally check, and if they have been updated, the hosts will update their cold-start configuration files (/var/ldap/ldap_client_*) by themselves.

To generate this profile, you can use the ldap_gen_profile command. Here is an example ldap_gen_profile command:

ldap_gen_profile -P default \
    -a simple \
    -D cn=solaris,ou=ldapusers,dc=viawest,dc=net \
    -w abc123 \
    -e 3600 \
    -o 30 \
    -b dc=viawest,dc=net \
    127.0.0.1,192.168.0.1
This specifies (in order):
  • Profile name of default
  • Authentication method of simple
  • BindDN of cn=solaris,ou=ldapusers,dc=viawest,dc=net
  • The bind password is abc123
  • Profile is cached for one hour
  • The search time limit is 30 seconds
  • The base DN is dc=viawest,dc=net
  • The LDAP servers are 127.0.0.1 and 192.168.0.1

This command will output:

dn: cn=default,ou=profile,dc=viawest,dc=net
    SolarisBindDN: cn=solaris,ou=ldapusers,dc=viawest,dc=net
    SolarisBindPassword: {NS1}a1ee08dc7d61
    SolarisLDAPServers: 127.0.0.1, 192.168.0.1
    SolarisSearchBaseDN: dc=viawest,dc=net
    SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
    SolarisTransportSecurity: NS_LDAP_SEC_NONE
    SolarisSearchReferral: NS_LDAP_FOLLOWREF
    SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
    SolarisSearchTimeLimit: 30
    SolarisCacheTTL: 3600
    cn: profile
    ObjectClass: top
    ObjectClass: SolarisNamingProfile

It is important to note that the output of ldap_gen_profile is not a valid LDIF file. You need to remove the blank spaces at the beginning of the lines. Now, if you haven't done so already, you'll need to create the ou=Profile container in the directory server. So, if we wanted to add this profile, we would create the LDIF file:

dn: ou=Profile,dc=Viawest,dc=Net
objectclass: top
objectclass: organizationalUnit
ou: Profile

dn: cn=default,ou=profile,dc=viawest,dc=net
SolarisBindDN: cn=solaris,ou=ldapusers,dc=viawest,dc=net
SolarisBindPassword: {NS1}a1ee08dc7d61
SolarisLDAPServers: 127.0.0.1, 192.168.0.1
SolarisSearchBaseDN: dc=viawest,dc=net
SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 3600
cn: default
ObjectClass: top
ObjectClass: SolarisNamingProfile

Save this LDIF as profile.ldif and add it to the directory server:

# /etc/init.d/slapd stop
# slapadd -n 1 -l profile.ldif
# /etc/init.d/slapd start
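The steps above (generate the profile, strip the leading spaces, prepend the ou=Profile entry, load it with slapadd) are collected in the script below. It is an added example, not code from the original page or from Sun or OpenLDAP: it assumes the page's base DN, bind DN and server list, the OpenLDAP init script at /etc/init.d/slapd, and that ldap_gen_profile's output differs from valid LDIF only in the leading whitespace. Since the bind password appears on the ldap_gen_profile command line and in profile.ldif, the script runs with umask 077 so the generated file is readable by root only.

```sh
#!/bin/sh
# Added example (not from the original page): build profile.ldif from
# ldap_gen_profile output and load it into OpenLDAP with slapadd.
# Assumed: base dc=viawest,dc=net, bind DN and servers as on the page,
# slapd started and stopped via /etc/init.d/slapd.

# Strip the leading whitespace that ldap_gen_profile puts before every
# attribute line. Reads stdin, writes stdout.
gen_profile_to_ldif() {
    sed 's/^ *//'
}

# Emit the complete LDIF: the ou=Profile container entry, a blank line,
# then the profile entry read from stdin (raw ldap_gen_profile output).
# $1 is the base DN under which ou=Profile lives.
build_profile_ldif() {
    base=$1
    printf 'dn: ou=Profile,%s\n' "$base"
    printf 'objectclass: top\nobjectclass: organizationalUnit\nou: Profile\n\n'
    gen_profile_to_ldif
}

# The directory-modifying steps run only when invoked as
# "sh make_profile.sh build", so sourcing the file is side-effect free.
if [ "${1:-}" = build ]; then
    BASE='dc=viawest,dc=net'
    umask 077                      # profile.ldif holds the bind password
    ldap_gen_profile -P default -a simple \
        -D "cn=solaris,ou=ldapusers,$BASE" -w abc123 \
        -e 3600 -o 30 -b "$BASE" 127.0.0.1,192.168.0.1 \
      | build_profile_ldif "$BASE" > profile.ldif
    # slapadd writes the database files directly, so slapd must be down.
    /etc/init.d/slapd stop
    slapadd -n 1 -l profile.ldif
    /etc/init.d/slapd start
fi
```

If the ou=Profile entry already exists from an earlier run, slapadd will reject the duplicate; drop the first entry from profile.ldif in that case and load only the cn=default profile.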

Now, you can easily configure any Solaris 8 machine as an LDAP client with the ldapclient command:

# ldapclient -v -P default -d viawest.net 127.0.0.1