Getting Started with OpenLDAP

I decided to try out the OpenLDAP server that is bundled with Oracle Solaris 11.1 after reading Paul Johnson's blog entry Configuring a Basic LDAP Server + Client in Solaris 11. Paul's instructions were helpful, but he didn't explain how to configure OpenLDAP so that it could be used with the Solaris commands which accept the option:

-S files | ldap.

That option is interpreted by the following commands:

In addition, the passwd(1) command accepts -r files | ldap and the User Manager GUI has a Filter Users dialog which has radio buttons for files and ldap. All of these commands depend on LDAP schema extensions that are not configured in OpenLDAP by default. The various schema are documented in Working with Naming and Directory Services and Trusted Extensions Configuration and Administration:

I combined these into a single file called solaris.schema, and copied it into the /etc/openldap/schema directory. I also created and installed another file called automap.schema which contains just the attributes and object classes for the automount service. These are missing from the existing nis.schema file, which is apparently a subset of RFC 2307bis Network Information Service Schema.

Then I modified the configuration file /etc/openldap/slapd.conf to include the required schema, and changed the suffix and rootdn from the stock my-domain.com placeholders to my own domain. The diff below is against the shipped file:

> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/solaris.schema
> include         /etc/openldap/schema/automap.schema
< suffix                "dc=my-domain,dc=com"
< rootdn                "cn=Manager,dc=my-domain,dc=com"
> suffix                "dc=gfaden,dc=com"
> rootdn                "cn=admin,dc=gfaden,dc=com"

Following Paul's advice, I did the following:

root# chown -R openldap:openldap /var/openldap/
root# svcadm enable ldap/server

Then I wrote two scripts and ran them to create the various containers in the directory. The following script creates empty containers corresponding to the top-level directory object and the organizational units for the object classes.

  1 #!/bin/ksh
  3 ME=gfaden
  4 LDAP_BASEDN="dc=${ME},dc=com"
  5 LDAP_ROOTDN="cn=admin,${LDAP_BASEDN}"
  7 TMP_LDIF=$(mktemp /tmp/toplevels.XXXX)
  9 ( cat << EOF
 10 dn: ${LDAP_BASEDN}
 11 objectClass: dcObject
 12 objectClass: organization
 13 o: ${ME}.com
 14 dc: ${ME}
 16 EOF
 17 )>  ${TMP_LDIF}
 19 for ou in users groups rpc protocols networks netgroup \
 20     aliases hosts services ethers projects \
 21     SolarisAuthAttr SolarisProfAttr ipTnet; do
 23     ( cat << EOF
 24 dn: ou=${ou},${LDAP_BASEDN}
 25 ou: ${ou}
 26 objectClass: top
 27 objectClass: organizationalUnit
 29 EOF
 30 )>>  ${TMP_LDIF}
 31 done
 33 ldapadd -cD ${LDAP_ROOTDN} -f ${TMP_LDIF}
 34 rm ${TMP_LDIF}

I'm not sure I got all the spelling right in lines 19-21, but it seems to work. There are some subtle differences between the container names OpenLDAP uses and the ones ODSEE uses. I wrote a similar script to create the automount map containers:

#!/bin/ksh

LDAP_BASEDN="dc=gfaden,dc=com"
LDAP_ROOTDN="cn=admin,${LDAP_BASEDN}"

TMP_LDIF=$(mktemp /tmp/automap.XXXX)

# One automountMap container per map, directly under the base DN.
# The automountMap object class comes from the automap.schema file added above.
for automap in auto_home auto_direct auto_master; do

    ( cat << EOF
dn: automountMapName=${automap},${LDAP_BASEDN}
automountMapName: ${automap}
objectClass: top
objectClass: automountMap

EOF
)>>  ${TMP_LDIF}
done

# -c continues past entries that already exist; ldapadd prompts for the rootdn password
ldapadd -cD ${LDAP_ROOTDN} -f ${TMP_LDIF}
rm ${TMP_LDIF}

The next step was to switch the name service configuration so that the host is a client of this LDAP server. Since I needed to specify explicit (not anonymous) credentials, I could not use the Automatic Network Configuration Profile (NCP) that is enabled by default for Solaris GUI installations. Instead, the DefaultFixed NCP must be enabled and the IP networking configured by hand:

root# netadm enable -p ncp DefaultFixed
root# ipadm create-ip net0
root# ipadm create-addr -T dhcp net0/v4

Then I used a modified version of Paul's ldapclient(1M) command to make my system an LDAP client of itself:

  1 #!/bin/ksh
  2 ldapclient manual \
  3 -a credentialLevel=proxy \
  4 -a authenticationMethod=simple \
  5 -a defaultSearchBase=dc=gfaden,dc=com \
  6 -a \
  7 -a defaultServerList= \
  8 -a proxyDN=cn=admin,dc=gfaden,dc=com \
  9 -a adminDN=cn=admin,dc=gfaden,dc=com \
 10 -a proxyPassword=secret \
 11 -a enableShadowUpdate=true \
 12 -a objectClassMap=shadow:shadowAccount=posixaccount \
 13 -a serviceSearchDescriptor=passwd:ou=users,dc=gfaden,dc=com \
 14 -a serviceSearchDescriptor=shadow:ou=users,dc=gfaden,dc=com \
 15 -a serviceSearchDescriptor=group:ou=groups,dc=gfaden,dc=com

Since I was doing this on my laptop, I just used localhost for the IP address (line 7). I also needed to add the admin distinguished name (line 9) and enable shadow update (line 11). Together, these two settings allow the client to make updates without re-authenticating if it is running as root or with all privileges.
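The proxyDN used above is the rootdn, and sean's comment at the end of the thread is worth acting on: the rootdn bypasses every access rule in slapd, and ldapclient writes the proxy password to /var/ldap/ldap_client_cred on the client, so a root-readable file on each client holds full control of the directory. As an added example, not part of the original post or of Paul's configuration, here is a split into a read-only bind identity for proxyDN and a separate write identity for adminDN (the DN that enableShadowUpdate uses for updates), with slapd.conf access rules that bound each one. The names ou=profile, cn=proxyagent and cn=nsadmin, the shadow attribute list and the {SSHA} placeholders are this example's assumptions; the placeholders are replaced with the output of slappasswd.

```conf
# --- proxyagent.ldif (added example): two bind identities, neither is the rootdn ---
dn: ou=profile,dc=gfaden,dc=com
objectClass: top
objectClass: organizationalUnit
ou: profile

# Read-only identity for every client's proxyDN. Its password ends up in
# /var/ldap/ldap_client_cred on every client, so it must not be able to write.
dn: cn=proxyagent,ou=profile,dc=gfaden,dc=com
objectClass: top
objectClass: person
cn: proxyagent
sn: proxyagent
userPassword: {SSHA}paste-the-output-of-slappasswd-here

# Write identity for adminDN, configured only on hosts that run the -S ldap commands.
dn: cn=nsadmin,ou=profile,dc=gfaden,dc=com
objectClass: top
objectClass: person
cn: nsadmin
sn: nsadmin
userPassword: {SSHA}paste-the-output-of-slappasswd-here

# --- /etc/openldap/slapd.conf additions, after the suffix/rootdn lines ---
# Rules are tried in order and the first "access to" whose target matches wins,
# so the attribute-specific rules must come before the catch-all. The rootdn is
# exempt from all of them, which is why it should not be handed to ldapclient.
access to attrs=userPassword
    by dn.exact="cn=proxyagent,ou=profile,dc=gfaden,dc=com" read
    by dn.exact="cn=nsadmin,ou=profile,dc=gfaden,dc=com" write
    by self write
    by anonymous auth
    by * none

access to attrs=shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag
    by dn.exact="cn=proxyagent,ou=profile,dc=gfaden,dc=com" read
    by dn.exact="cn=nsadmin,ou=profile,dc=gfaden,dc=com" write
    by self read
    by * none

access to *
    by dn.exact="cn=proxyagent,ou=profile,dc=gfaden,dc=com" read
    by dn.exact="cn=nsadmin,ou=profile,dc=gfaden,dc=com" write
    by users read
    by * none
```

Load the LDIF as the rootdn (ldapadd -D cn=admin,dc=gfaden,dc=com -f proxyagent.ldif), then run slaptest -f /etc/openldap/slapd.conf before svcadm restart ldap/server, so that a typo in the new rules is reported on the terminal instead of dropping the service into maintenance. The ldapclient command then takes -a proxyDN=cn=proxyagent,ou=profile,dc=gfaden,dc=com, -a adminDN=cn=nsadmin,ou=profile,dc=gfaden,dc=com and -a adminPassword=... alongside proxyPassword, and the rootdn credentials never leave the server. With authenticationMethod=simple both binds are cleartext on the wire, which is acceptable on localhost as in the post but not across a network; ldapclient accepts tls:simple for that case.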

Again following Paul's blog, I added dns and ldap to the host lookup order in the name service switch, and restarted the name service cache:

root# svccfg -s name-service/switch setprop config/host = astring: "files dns ldap"
root# svccfg  -s name-service/switch:default refresh
root# svcadm restart name-service/cache

Now I can pass -S ldap to any of the commands listed above and check the result by dumping the container with ldapaddent(1M). For example:

root# groupadd -S ldap -g 1001 world
root# ldapaddent -d group


Thank you!

Posted by Carlos Azevedo on April 09, 2013 at 03:42 AM PDT #

Too bad ISC's dhcpd isn't built with LDAP support, otherwise you could move that info into LDAP as well.

Posted by guest on April 10, 2013 at 12:53 AM PDT #

Hi Glenn!

Just a nit, to help our cutting-and-pasting friends. :-)

It's "passwd -r files" with the trailing s, just like the other commands.

Cheers -- Volker

Posted by Volker A. Brandt on April 11, 2013 at 02:22 AM PDT #


I fixed the "passwd -r files" typo. I also removed some unnecessary objectClassMap settings from the ldapclient command. Probably this could be further simplified.

Posted by Glenn Faden on April 11, 2013 at 09:14 AM PDT #

Can we get support from Oracle?

Posted by Abhsihek on July 18, 2013 at 09:16 PM PDT #

If you have a Solaris support contract you can file bugs against OpenLDAP since it is delivered via the IPS repository. However, community software issues may be better discussed at

Posted by guest on July 19, 2013 at 09:58 AM PDT #

Appreciate this post - and Paul's. Wish there were more like it - with greater detail/explanation.

I've tried to implement this verbatim on a fresh Solaris 11.1 install (in a fresh zone) with only partial success. It seems that some basic things are working (ldapadds worked and I can login and see them in Apache Directory Studio).

ldaplist errors with "Object not found (Session error no available conn". getent fails as well. slapd debug shows "err=49" which I believe is authentication error. I suspect that the Solaris client side is the problem.

Sadly it seems that many people have problems getting LDAP to work. There is a lot of black magic - for example, what exactly does Solaris expect? No doubt if I ever get it working completely on Solaris my next obstacle would be more black magic trying to add OS X to the mix.

After all this time it's just strange that there is still not a definitive (i.e. bulletproof) multi-platform guide for implementing OpenLDAP.

Posted by guest on August 20, 2013 at 01:24 PM PDT #

I posted previous comment.

When I change rootpw (and proxyPassword) to be simple text ldaplist works! Both {SSHA}... and {MD5}... fail.

I've turned on full debug on slapd and I see the login packet and it is correct.

Any ideas?

Posted by guest on August 22, 2013 at 09:50 AM PDT #

I used simple text authentication in my testing. My focus was on determining whether the RBAC commands (with -S ldap) worked correctly.

The ldapclient(1M) man page lists the following authentication methods as being supported:

But I suspect that these may only have been verified with Oracle's Directory Server Enterprise Edition. Which of these did you try?

Posted by guest on August 22, 2013 at 10:43 AM PDT #
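The mechanism behind the hashed-versus-cleartext question in the comments above, as an added example that is not part of the post or of the comments: the {SSHA} scheme that slappasswd emits, and that slapd stores in rootpw and userPassword, is base64(SHA-1(password || salt) || salt) with a 4-byte salt. On a simple bind, slapd pulls the salt out of the stored value and re-hashes the cleartext the client sent, so the hash lives only on the server. The proxyPassword given to ldapclient (kept in /var/ldap/ldap_client_cred on the client) therefore has to be the cleartext; a {SSHA} string pasted there is sent and compared as a literal password, which slapd rejects with err=49 (invalidCredentials). The script below reproduces both halves with openssl so the behaviour can be checked without a running slapd. The function names and the test password "secret" are this example's own; it relies only on openssl, mktemp and tail.

```shell
#!/bin/sh
# Added example, not from the original post: build and check OpenLDAP {SSHA}
# password values with openssl, in the format slappasswd prints for rootpw and
# userPassword:  {SSHA}<b64>  where b64 = base64( SHA1(password || salt) || salt ).
# Function names, the 4-byte salt (slappasswd's default) and the test password
# are this example's own assumptions.

# ssha_hash PASSWORD [SALT_FILE]
#   Print the {SSHA} value for PASSWORD. The 4-byte salt is read from SALT_FILE
#   when given (ssha_verify uses this to re-hash with the stored salt); otherwise
#   fresh random bytes are used, so two calls on the same password differ.
ssha_hash() {
    pw=$1
    tmp=$(mktemp -d /tmp/ssha.XXXXXX) || return 1
    if [ -n "$2" ]; then
        cp "$2" "$tmp/salt"
    else
        openssl rand 4 > "$tmp/salt"
    fi
    # SHA-1 over the cleartext immediately followed by the raw salt bytes
    { printf '%s' "$pw"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/digest"
    # stored value = 20-byte digest, then the salt, base64-encoded
    printf '{SSHA}%s\n' "$(cat "$tmp/digest" "$tmp/salt" | openssl base64)"
    rm -rf "$tmp"
}

# ssha_verify STORED PASSWORD
#   Exit 0 when PASSWORD matches STORED, 1 when it does not, 2 for a malformed
#   value. This is the server side of a simple bind: the salt comes out of the
#   stored value, so the caller must supply the cleartext, never another hash.
ssha_verify() {
    stored=$1
    pw=$2
    case $stored in
        "{SSHA}"*) ;;
        *) echo "ssha_verify: not a {SSHA} value" >&2; return 2 ;;
    esac
    tmp=$(mktemp -d /tmp/ssha.XXXXXX) || return 2
    # strip the "{SSHA}" prefix and decode the rest back to digest||salt
    b64=${stored#"{SSHA}"}
    printf '%s\n' "$b64" | openssl base64 -d > "$tmp/raw"
    # bytes 1-20 are the digest; everything from byte 21 on is the salt
    tail -c +21 "$tmp/raw" > "$tmp/salt"
    recomputed=$(ssha_hash "$pw" "$tmp/salt")
    rm -rf "$tmp"
    [ "$recomputed" = "$stored" ]
}

# Demonstration: a rootpw line for slapd.conf, a matching bind, a failing bind,
# and what happens when the hash itself is presented as the password.
rootpw_value=$(ssha_hash secret)
echo "rootpw          $rootpw_value"
ssha_verify "$rootpw_value" secret          && echo "bind with cleartext 'secret': accepted"
ssha_verify "$rootpw_value" wrong           || echo "bind with 'wrong': rejected"
ssha_verify "$rootpw_value" "$rootpw_value" || echo "bind with the {SSHA} string as the password: rejected"
```

Run it as a plain shell script; the first line of output is a value that can be used verbatim as the rootpw in slapd.conf, while the proxyPassword on the client stays "secret".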

Kindly find the error below:

root@ldapcnt:/etc/openldap# useradd -S ldap foo
UX: useradd: ERROR: group 10 does not exist. Choose another.

root@ldapcnt:/etc/openldap# useradd -D
group=staff,10 project=default,3 basedir=/export/home
skel=/etc/skel shell=/usr/bin/bash inactive=365
expire=1/17/2038 auths= profiles= roles=
limitpriv= defaultpriv= lock_after_retries=

Posted by venkat on September 22, 2013 at 03:59 AM PDT #

Before adding a user to LDAP, the user's primary group must be added to LDAP. For example:

# groupadd -S ldap -g 10 staff

Posted by guest on September 22, 2013 at 10:17 PM PDT #

Any ideas why I can't add entries?

groupadd -S ldap -g 1001 world
UX: groupadd: ERROR: Cannot update system files - group cannot be created.

Posted by guest on December 12, 2013 at 12:14 PM PST #

Try running:
echo $?
after the command to get the exit status. There are several error codes listed in the man page. But if the exit code is a negative value, it probably corresponds to one of these:

-1 /* Password database busy */
-2 /* stat of password file failed */
-3 /* password file open failed */
-4 /* can't write to password file */
-5 /* close returned error */
-6 /* user not found in database */
-7 /* couldn't update password file */
-8 /* Not enough memory */
-9 /* server errors */
-10 /* local configuration problem */
-11 /* update denied */
-12 /* Data hasn't changed */
-13 /* Cannot call repository */
-14 /* invalid args passed */
-15 /* operation not supported */

Posted by guest on December 12, 2013 at 04:55 PM PST #

Attempting this on OmniOS, which is an illumos derivative, which is an OpenSolaris derivative. Granted that's a bit of a stretch, but most administrative guides for the current Solaris map quite accurately. Unfortunately this feature, which is quite significant, has little representation in the relevant community. Most things up until this point have gone well but the server itself won't initialize. Any thoughts?

root@OmniOS:/# svcadm enable ldap/server
svcadm: Pattern 'ldap/server' doesn't match any instances

Thanks in advance.

Posted by guest on April 19, 2014 at 06:37 PM PDT #

In Oracle Solaris 11 the OpenLDAP server is delivered as an SMF service. If OmniOS doesn't provide an SMF manifest for the OpenLDAP server, you could create your own manifest file to launch OpenLDAP as a new service. Of course you could also use a legacy rc file. Try a Google search for "openldap rc file"

Posted by Glenn Faden on April 20, 2014 at 02:28 PM PDT #

Thanks Glenn for taking the time to post this invaluable walkthrough, as it is a very sparse subject for Solaris based systems.

I seem to have run into a problem when I include your solaris.schema in the slapd.conf file. When I start ldap/server I get a maintenance error and it will not come up online. When I take this out it starts up fine. I have tried copying the solaris.schema numerous times just in case I had a typo, but that did not seem to work. Any ideas are greatly appreciated. Thanks again.

Posted by guest on June 18, 2014 at 04:52 PM PDT #

Maybe your download didn't preserve line breaks. The solaris.schema file should have 152 lines. Here's the output from sum:

sum solaris.schema
14582 5 solaris.schema

Posted by Glenn Faden on June 18, 2014 at 10:09 PM PDT #

Hello Glen,
Running a Solaris 11 SRU which came with openldap 2.4.3.
I was looking for the ldap backend functionality and the output of /usr/lib/slapd -VVV does not show ldap as a static back end. Also get errors when defining an ldap backend on slapd.conf.

Could you please confirm that this version released by Oracle does not provide the ldap backend functionality?
Thank you

Posted by guest on September 19, 2014 at 02:42 PM PDT #

I don't work in Oracle's name service group, so I can't confirm what is supported. However, we do deliver the man page slapd-ldap(5olap), so there may be a way to configure it.

Oracle's directory for the enterprise is Oracle Unified Directory.

Posted by Glenn Faden on September 19, 2014 at 03:17 PM PDT #

Hi Glenn,

I noticed you have used admin as the proxyDN which is overly powerful. Any possibility having an updated blog entry with a proper proxyAgent and TLS setup?



Posted by sean on July 02, 2015 at 06:42 AM PDT #


This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.

