pam_ldap 方面的更改
第14 章• LDAP 一般参考(参考) 199
因为在同一个栈中还使用了其他相关模块,而且还会存在第三方模块,所以不可能为上面
列出的更改提供全新的自动更新(主要是口令提示和口令更新)。
有关更多信息,请参见pam_passwd_auth(5)、pam_authtok_get (5)、pam_authtok_store(5)
和pam.conf(4) 手册页。
LDAP命令
Solaris 系统中存在两组与LDAP 相关的命令。一组命令是常规LDAP 工具,它们不要求用
LDAP 名称服务配置客户机。另一组命令使用客户机上的常见LDAP 配置,因而只有客户机
使用LDAP 作为其名称服务时才使用。
常规LDAP工具
LDAP 命令行工具支持一组常见的选项(包括验证和绑定参数)。下列工具支持用常见的文
本格式来表示名为LDAP 数据交换格式(LDAP Data Interchange Format, LDIF) 的目录信息。
可使用这些命令直接处理目录项。
ldapsearch(1)
ldapmodify(1)
ldapadd(1)
ldapdelete(1)
需要LDAP名称服务的LDAP工具
表14–3LDAP工具
工具功能
ldapaddent(1M) 用于根据相应的/etc 文件在LDAP 容器中创建
项。此工具允许根据文件填充目录。例如,它读
取/etc/passwd 格式的文件,并填充目录中的
passwd 项。
ldaplist(1) 用于列出目录中各个服务的内容。
idsconfig(1M) 用于设置Sun Java System Directory Server,使其为
LDAP 名称服务客户机提供服务。
LDAP 命令
200 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
pam_ldap 的示例pam.conf 文件
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
pam_ldap 的示例pam.conf 文件
第14 章• LDAP 一般参考(参考) 201
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_passwd_auth.so.1
pam_ldap 的示例pam.conf 文件
202 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
pam_ldap 的示例pam.conf 文件
第14 章• LDAP 一般参考(参考) 203
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
为帐户管理配置的pam_ldap 的示例pam_conf 文件
注– 启用pam_ldap 帐户管理后,所有用户在每次登录系统时都必须提供口令。进行验证时
必须提供登录口令。因此,使用rsh、rlogin 或ssh 等工具进行的不基于口令的登录将会失
败。
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
为帐户管理配置的pam_ldap 的示例pam_conf 文件
204 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
为帐户管理配置的pam_ldap 的示例pam_conf 文件
第14 章• LDAP 一般参考(参考) 205
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
为帐户管理配置的pam_ldap 的示例pam_conf 文件
206 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
LDAP的IETF 架构
架构是一些定义,用于描述哪些类型的信息可作为项存储在服务器的目录中。
为了使目录服务器支持Solaris LDAP 名称客户机,本章中定义的架构必须在服务器中进行配
置,除非该架构是使用客户机的架构映射功能进行映射的。
IETF 定义了三个必需的LDAP 架构:RFC 2307 网络信息服务架构、LDAP 邮件组Internet 草
案和LDAP Internet 打印协议(Internet Print Protocol, IPP) 草案架构。为了支持名称信息服
务,必须将这些架构的定义添加到目录服务器中。还可以从IETFWeb 站点
访问各种RFC。
注– Internet 草案是草案文档,有效期最长六个月,随时可能会因其他文档而更新或废弃。
LDAP 的IETF 架构
第14 章• LDAP 一般参考(参考) 207
RFC 2307 网络信息服务架构
必须对LDAP 服务器进行配置,使其支持修订后的RFC 2307。
nisSchema OID 是1.3.6.1.1。RFC 2307 属性如下所示:
( nisSchema.1.0 NAME ’uidNumber’
DESC’An integer uniquely identifying a user in an
administrative domain’
EQUALITY integerMatch SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.1 NAME ’gidNumber’
DESC’An integer uniquely identifying a group in an
administrative domain’
EQUALITY integerMatch SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.2 NAME ’gecos’
DESC’The GECOS field; the common name’
EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5SubstringsMatch
SYNTAX ’IA5String’ SINGLE-VALUE )
( nisSchema.1.3 NAME ’homeDirectory’
DESC’The absolute path to the home directory’
EQUALITY caseExactIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
LDAP 的IETF 架构
208 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
( nisSchema.1.4 NAME ’loginShell’
DESC’The path to the login shell’
EQUALITY caseExactIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
( nisSchema.1.5 NAME ’shadowLastChange’
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.6 NAME ’shadowMin’
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.7 NAME ’shadowMax’
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.8 NAME ’shadowWarning’
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.9 NAME ’shadowInactive’
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
LDAP 的IETF 架构
第14 章• LDAP 一般参考(参考) 209
( nisSchema.1.10 NAME ’shadowExpire’
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.11 NAME ’shadowFlag’
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.12 NAME ’memberUid’
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX ’IA5String’ )
( nisSchema.1.13 NAME ’memberNisNetgroup’
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX ’IA5String’ )
( nisSchema.1.14 NAME ’nisNetgroupTriple’
DESC’Netgroup triple’
SYNTAX ’nisNetgroupTripleSyntax’ )
( nisSchema.1.15 NAME ’ipServicePort’
LDAP 的IETF 架构
210 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.16 NAME ’ipServiceProtocol’
SUP name )
( nisSchema.1.17 NAME ’ipProtocolNumber’
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.18 NAME ’oncRpcNumber’
EQUALITY integerMatch
SYNTAX ’INTEGER’ SINGLE-VALUE )
( nisSchema.1.19 NAME ’ipHostNumber’
DESC’IP address as a dotted decimal, eg. 192.168.1.1
omitting leading zeros’
SUP name )
( nisSchema.1.20 NAME ’ipNetworkNumber’
DESC’IP network as a dotted decimal, eg. 192.168,
omitting leading zeros’
SUP name SINGLE-VALUE )
LDAP 的IETF 架构
第14 章• LDAP 一般参考(参考) 211
( nisSchema.1.21 NAME ’ipNetmaskNumber’
DESC’IP netmask as a dotted decimal, eg. 255.255.255.0,
omitting leading zeros’
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String{128}’ SINGLE-VALUE )
( nisSchema.1.22 NAME ’macAddress’
DESC’MACaddress in maximal, colon separated hex
notation, eg. 00:00:92:90:ee:e2’
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String{128}’ )
( nisSchema.1.23 NAME ’bootParameter’
DESC’rpc.bootparamd parameter’
SYNTAX ’bootParameterSyntax’ )
( nisSchema.1.24 NAME ’bootFile’
DESC’Boot image name’
EQUALITY caseExactIA5Match
SYNTAX ’IA5String’ )
( nisSchema.1.26 NAME ’nisMapName’
SUP name )
LDAP 的IETF 架构
212 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
( nisSchema.1.27 NAME ’nisMapEntry’
EQUALITY caseExactIA5Match
SUBSTRINGS caseExactIA5SubstringsMatch
SYNTAX ’IA5String{1024}’ SINGLE-VALUE )
( nisSchema.1.28 NAME ’nisPublicKey’
DESC’NIS public key’
SYNTAX ’nisPublicKeySyntax’ )
( nisSchema.1.29 NAME ’nisSecretKey’
DESC’NIS secret key’
SYNTAX ’nisSecretKeySyntax’ )
( nisSchema.1.30 NAME ’nisDomain’
DESC’NIS domain’
SYNTAX ’IA5String’ )
( nisSchema.1.31 NAME ’automountMapName’
DESC’automount Map Name’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
( nisSchema.1.32 NAME ’automountKey’
LDAP 的IETF 架构
第14 章• LDAP 一般参考(参考) 213
DESC’Automount Key value’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
( nisSchema.1.33 NAME ’automountInformation’
DESC’Automount information’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
nisSchema OID 是1.3.6.1.1。RFC 2307 objectClasses 如下所示:
( nisSchema.2.0 NAME ’posixAccount’ SUP top AUXILIARY
DESC’Abstraction of an account with POSIX attributes’
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $ description ) )
( nisSchema.2.1 NAME ’shadowAccount’ SUP top AUXILIARY
DESC’Additional attributes for shadow passwords’
MUST uid
MAY ( userPassword $ shadowLastChange $ shadowMin
shadowMax $ shadowWarning $ shadowInactive $
shadowExpire $ shadowFlag $ description ) )
( nisSchema.2.2 NAME ’posixGroup’ SUP top STRUCTURAL
LDAP 的IETF 架构
214 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
DESC’Abstraction of a group of accounts’
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ description ) )
( nisSchema.2.3 NAME ’ipService’ SUP top STRUCTURAL
DESC’Abstraction an Internet Protocol service.
Maps an IP port and protocol (such as tcp or udp)
to one or more names; the distinguished value of
the cn attribute denotes the service’s canonical
name’
MUST ( cn $ ipServicePort $ ipServiceProtocol )
MAY ( description ) )
( nisSchema.2.4 NAME ’ipProtocol’ SUP top STRUCTURAL
DESC’Abstraction of an IP protocol. Maps a protocol number
to one or more names. The distinguished value of the cn
attribute denotes the protocol’s canonical name’
MUST ( cn $ ipProtocolNumber )
MAY description )
( nisSchema.2.5 NAME ’oncRpc’ SUP top STRUCTURAL
DESC ’Abstraction of an Open Network Computing (ONC)
[RFC1057] Remote Procedure Call (RPC) binding.
This class maps an ONCRPCnumber to a name.
LDAP 的IETF 架构
第14 章• LDAP 一般参考(参考) 215
The distinguished value of the cn attribute denotes
the RPCservice’s canonical name’
MUST ( cn $ oncRpcNumber $ description )
MAY description )
( nisSchema.2.6 NAME ’ipHost’ SUP top AUXILIARY
DESC’Abstraction of a host, an IP device. The distinguished
value of the cn attribute denotes the host’s canonical
name. Device SHOULD be used as a structural class’
MUST ( cn $ ipHostNumber )
MAY ( l $ description $ manager $ userPassword ) )
( nisSchema.2.7 NAME ’ipNetwork’ SUP top STRUCTURAL
DESC’Abstraction of a network. The distinguished value of
the cn attribute denotes the network’s canonical name’
MUST ipNetworkNumber
MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
( nisSchema.2.8 NAME ’nisNetgroup’ SUP top STRUCTURAL
DESC’Abstraction of a netgroup. May refer to other netgroups’
MUST cn
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
( nisSchema.2.9 NAME ’nisMap’ SUP top STRUCTURAL
LDAP 的IETF 架构
216 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
DESC’A generic abstraction of a NIS map’
MUST nisMapName
MAY description )
( nisSchema.2.10 NAME ’nisObject’ SUP top STRUCTURAL
DESC’An entry in a NIS map’
MUST ( cn $ nisMapEntry $ nisMapName )
MAY description )
( nisSchema.2.11 NAME ’ieee802Device’ SUP top AUXILIARY
DESC’A device with a MACaddress; device SHOULD be
used as a structural class’
MAY macAddress )
( nisSchema.2.12 NAME ’bootableDevice’ SUP top AUXILIARY
DESC’A device with boot parameters; device SHOULD be
used as a structural class’
MAY ( bootFile $ bootParameter ) )
( nisSchema.2.14 NAME ’nisKeyObject’ SUP top AUXILIARY
DESC’An object with a public and secret key’
MUST ( cn $ nisPublicKey $ nisSecretKey )
MAY ( uidNumber $ description ) )
LDAP 的IETF 架构
第14 章• LDAP 一般参考(参考) 217
( nisSchema.2.15 NAME ’nisDomainObject’ SUP top AUXILIARY
DESC’Associates a NIS domain with a naming context’
MUST nisDomain )
( nisSchema.2.16 NAME ’automountMap’ SUP top STRUCTURAL
MUST ( automountMapName )
MAY description )
( nisSchema.2.17 NAME ’automount’ SUP top STRUCTURAL
DESC’Automount information’
MUST ( automountKey $ automountInformation )
MAY description )
邮件别名架构
邮件别名信息使用由LDAP 邮件组Internet 草案(以前称为draft-steinback-ldap-mailgroups
草案)定义的架构。Solaris LDAP 客户机将继续对邮件别名信息使用此架构,直到有新的架
构可用。
原来的LDAP 邮件组架构中包含大量属性和对象类。Solaris 客户机仅使用下面列出的两个属
性和一个对象类:
邮件别名属性如下所示:
( 0.9.2342.19200300.100.1.3
NAME ’mail’
DESC’RFC 822 email address for this person’
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String(256)’
SINGLE-VALUE )
LDAP 的IETF 架构
218 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
( 2.16.840.1.113730.3.1.30
NAME ’mgrpRFC822MailMember’
DESC’RFC 822 mail address of email only member of group’
EQUALITY CaseIgnoreIA5Match
SYNTAX ’IA5String(256)’ )
邮件别名objectClass 如下所示:
( 2.16.840.1.113730.3.2.4
NAME ’mailGroup’
SUP top
STRUCTURAL
MUST mail
MAY ( cn $ mailAlternateAddress $ mailHost $ mailRequireAuth $
mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $
mgrpApprovePassword $ mgrpBroadcasterModeration $ mgrpDeliverTo $
mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $
mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoMatchAddrs $
mgrpRemoveHeader $ mgrpRFC822MailMember ))
目录用户代理配置文件(DUAProfile) 架构
DUAConfSchemaOID 是1.3.6.1.4.1.11.1.3.1。
DESC’Default LDAP server host address used by a DUA’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
目录用户代理配置文件(DUAProfile) 架构
第14 章• LDAP 一般参考(参考) 219
( DUAConfSchemaOID.1.1 NAME ’defaultSearchBase’
DESC’Default LDAP base DN used by a DUA’
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE )
( DUAConfSchemaOID.1.2 NAME ’preferredServerList’
DESC’Preferred LDAP server host addresses to be used by a
DUA’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
( DUAConfSchemaOID.1.3 NAME ’searchTimeLimit’
DESC’Maximum time in seconds a DUA should allow for a
search to complete’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
( DUAConfSchemaOID.1.4 NAME ’bindTimeLimit’
DESC’Maximum time in seconds a DUA should allow for the
bind operation to complete’
目录用户代理配置文件(DUAProfile) 架构
220 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
( DUAConfSchemaOID.1.5 NAME ’followReferrals’
DESC’Tells DUA if it should follow referrals
returned by a DSA search result’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
( DUAConfSchemaOID.1.6 NAME ’authenticationMethod’
DESC’A keystring which identifies the type of
authentication method used to contact the DSA’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
( DUAConfSchemaOID.1.7 NAME ’profileTTL’
DESC’Time to live, in seconds, before a client DUA
should re-read this configuration profile’
’serviceSearchDescriptor’
DESC’LDAP search descriptor list used by a DUA’
EQUALITY caseExactMatch
目录用户代理配置文件(DUAProfile) 架构
第14 章• LDAP 一般参考(参考) 221
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
( DUAConfSchemaOID.1.9 NAME ’attributeMap’
DESC’Attribute mappings used by a DUA’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
( DUAConfSchemaOID.1.10 NAME ’credentialLevel’
DESC’Identifies type of credentials a DUA should
use when binding to the LDAP server’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
( DUAConfSchemaOID.1.11 NAME ’objectclassMap’
DESC’Objectclass mappings used by a DUA’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
( DUAConfSchemaOID.1.12 NAME ’defaultSearchScope’ SINGLE-VALUE )
( DUAConfSchemaOID.1.13 NAME ’serviceCredentialLevel’
DESC’Identifies type of credentials a DUA
should use when binding to the LDAP server for a
目录用户代理配置文件(DUAProfile) 架构
222 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
specific service’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
( DUAConfSchemaOID.1.15 NAME ’serviceAuthenticationMethod’
DESC’Authentication Method used by a service of the DUA’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
( DUAConfSchemaOID.2.4 NAME ’DUAConfigProfile’
SUP top STRUCTURAL
DESC’Abstraction of a base configuration for a DUA’
MUST ( cn )
MAY ( defaultServerList $ preferredServerList $
defaultSearchBase $ defaultSearchScope $
searchTimeLimit $ bindTimeLimit $
credentialLevel $ authenticationMethod $
followReferrals $ serviceSearchDescriptor $
serviceCredentialLevel $ serviceAuthenticationMethod $
objectclassMap $ attributeMap $
profileTTL ) )
目录用户代理配置文件(DUAProfile) 架构
第14 章• LDAP 一般参考(参考) 223
Solaris 架构
Solaris 平台所需的架构有:
� Solaris 项目架构
� 基于角色的访问控制和执行配置文件架构
� 打印机架构
Solaris 项目架构
/etc/project 是与项目相关联的属性的本地源。有关更多信息,请参见project(4)。
项目属性如下所示:
( 1.3.6.1.4.1.42.2.27.5.1.1 NAME ’SolarisProjectID’
DESC’Unique ID for a Solaris Project entry’
EQUALITY integerMatch
SYNTAX INTEGER SINGLE )
( 1.3.6.1.4.1.42.2.27.5.1.2 NAME ’SolarisProjectName’
DESC’Name of a Solaris Project entry’
EQUALITY caseExactIA5Match
SYNTAX IA5String SINGLE )
( 1.3.6.1.4.1.42.2.27.5.1.3 NAME ’SolarisProjectAttr’
DESC’Attributes of a Solaris Project entry’
EQUALITY caseExactIA5Match
SYNTAX IA5String )
( 1.3.6.1.4.1.42.2.27.5.1.30 NAME ’memberGid’
DESC’Posix Group Name’
Solaris 架构
224 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
EQUALITY caseExactIA5Match
SYNTAX ’IA5String’ )
项目objectClass 如下所示:
( 1.3.6.1.4.1.42.2.27.5.2.1 NAME ’SolarisProject’
SUP top STRUCTURAL
MUST ( SolarisProjectID $ SolarisProjectName )
MAY ( memberUid $ memberGid $ description $ SolarisProjectAttr ) )
基于角色的访问控制和执行配置文件架构
/etc/user_attr 是与用户和角色相关联的扩展属性的本地源。有关更多信息,请参见
user_attr(4)。
基于角色的访问控制属性如下所示:
( 1.3.6.1.4.1.42.2.27.5.1.4 NAME ’SolarisAttrKeyValue’
DESC’Semi-colon separated key=value pairs of attributes’
EQUALITY caseIgnoreIA5Match
SUBSTRINGS caseIgnoreIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.5.1.7 NAME ’SolarisAttrShortDesc’
DESC’Short description about an entry, used by GUIs’
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.5.1.8 NAME ’SolarisAttrLongDesc’
DESC’Detail description about an entry’
Solaris 架构
第14 章• LDAP 一般参考(参考) 225
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.5.1.9 NAME ’SolarisKernelSecurityPolicy’
DESC’Solaris kernel security policy’
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.5.1.10 NAME ’SolarisProfileType’
DESC’Type of object defined in profile’
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.5.1.11 NAME ’SolarisProfileId’
DESC’Identifier of object defined in profile’
EQUALITY caseExactIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.5.1.12 NAME ’SolarisUserQualifier’
DESC’Per-user login attributes’
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.5.1.13 NAME ’SolarisReserved1’
Solaris 架构
226 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
DESC’Reserved for future use’
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.5.1.14 NAME ’SolarisReserved2’
DESC’Reserved for future use’
EQUALITY caseIgnoreIA5Match
SYNTAX ’IA5String’ SINGLE-VALUE )
基于角色的访问控制objectClassses 如下所示:
( 1.3.6.1.4.1.42.2.27.5.2.3 NAME ’SolarisUserAttr’ SUP top AUXILIARY
DESC’User attributes’
MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ \
SolarisAttrReserved2 $ SolarisAttrKeyValue ) )
( 1.3.6.1.4.1.42.2.27.5.2.4 NAME ’SolarisAuthAttr’ SUP top STRUCTURAL
DESC’Authorizations data’
MUST cn
MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ \
SolarisAttrShortDesc $ SolarisAttrLongDesc $ \
SolarisAttrKeyValue ) )
( 1.3.6.1.4.1.42.2.27.5.2.5 NAME ’SolarisProfAttr’ SUP top STRUCTURAL
DESC’Profiles data’
MUST cn
Solaris 架构
第14 章• LDAP 一般参考(参考) 227
MAY ( SolarisAttrReserved1 $ SolarisAttrReserved2 $ \
SolarisAttrLongDesc $ SolarisAttrKeyValue ) )
( 1.3.6.1.4.1.42.2.27.5.2.6 NAME ’SolarisExecAttr’ SUP top AUXILIARY
DESC’Profiles execution attributes’
MAY ( SolarisKernelSecurityPolicy $ SolarisProfileType $ \
SolarisAttrReserved1 $ SolarisAttrReserved2 $ \
SolarisProfileId $ SolarisAttrKeyValue ) )
LDAP的Internet 打印协议信息
以下各节提供有关Internet 打印协议和Sun 打印机的属性和ObjectClasses 的信息。
Internet 打印协议(Internet Print Protocol, IPP) 属性
( 1.3.18.0.2.4.1140
NAME ’printer-uri’
DESC’A URI supported by this printer.
This URI SHOULD be used as a relative distinguished name (RDN).
If printer-xri-supported is implemented, then this URI value
MUST be listed in a member value of printer-xri-supported.’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
( 1.3.18.0.2.4.1107
NAME ’printer-xri-supported’
LDAP 的Internet 打印协议信息
228 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
DESC’The unordered list of XRI (extended resource identifiers) supported
by this printer.
Each member of the list consists of a URI (uniform resource identifier)
followed by optional authentication and security metaparameters.’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
( 1.3.18.0.2.4.1135
NAME ’printer-name’
DESC’The site-specific administrative name of this printer, more end-user
friendly than a URI.’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
( 1.3.18.0.2.4.1119
NAME ’printer-natural-language-configured’
DESC’The configured language in which error and status messages will be
generated (by default) by this printer.
Also, a possible language for printer string attributes set by operator,
system administrator, or manufacturer.
Also, the (declared) language of the "printer-name", "printer-location",
"printer-info", and "printer-make-and-model" attributes of this printer.
LDAP 的Internet 打印协议信息
第14 章• LDAP 一般参考(参考) 229
For example: "en-us" (US English) or "fr-fr" (French in France) Legal values of
language tags conform to [RFC3066] "Tags for the Identification of Languages".’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
( 1.3.18.0.2.4.1136
NAME ’printer-location’
DESC’Identifies the location of the printer. This could include
things like: "in Room 123A", "second floor of building XYZ".’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
( 1.3.18.0.2.4.1139
NAME ’printer-info’
DESC’Identifies the descriptive information about this printer.
This could include things like: "This printer can be used for
printing color transparencies for HR presentations", or
"Out of courtesy for others, please print only small (1-5 page)
jobs at this printer", or even "This printer is going away on July 1, 1997,
please find a new printer".’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
LDAP 的Internet 打印协议信息
230 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127}
SINGLE-VALUE )
( 1.3.18.0.2.4.1134
NAME ’printer-more-info’
DESC’A URI used to obtain more information about this specific printer.
For example, this could be an HTTP type URI referencing an HTML page
accessible to a Web Browser.
The information obtained from this URI is intended for end user consumption.’
EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
( 1.3.18.0.2.4.1138
NAME ’printer-make-and-model’
DESC’Identifies the make and model of the device.
The device manufacturer MAY initially populate this attribute.’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )
( 1.3.18.0.2.4.1133
NAME ’printer-ipp-versions-supported’
DESC’Identifies the IPP protocol version(s) that this printer supports,
including major and minor versions,
i.e., the version numbers for which this Printer implementation meets
LDAP 的Internet 打印协议信息
第14 章• LDAP 一般参考(参考) 231
the conformance requirements.’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
( 1.3.18.0.2.4.1132
NAME ’printer-multiple-document-jobs-supported’
DESC’Indicates whether or not the printer supports more than one
document per job, i.e., more than one Send-Document or Send-Data
operation with document data.’
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
( 1.3.18.0.2.4.1109
NAME ’printer-charset-configured’
DESC’The configured charset in which error and status messages will be
generated (by default) by this printer.
Also, a possible charset for printer string attributes set by operator,
system administrator, or manufacturer.
For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).
Legal values are defined by the IANA Registry of Coded Character Sets and
the "(preferred MIME name)" SHALL be used as the tag.
For coherence with IPP Model, charset tags in this attribute SHALL be
lowercase normalized.
This attribute SHOULD be static (time of registration) and SHOULD NOT be
dynamically refreshed attributetypes: (subsequently).’
LDAP 的Internet 打印协议信息
232 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} SINGLE-VALUE )
( 1.3.18.0.2.4.1131
NAME ’printer-charset-supported’
DESC’Identifies the set of charsets supported for attribute type values of
type Directory String for this directory entry.
For example: "utf-8" (ISO 10646/Unicode) or "iso-8859-1" (Latin1).
Legal values are defined by the IANA Registry of Coded Character Sets and
the preferred MIME name.’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} )
( 1.3.18.0.2.4.1137
NAME ’printer-generated-natural-language-supported’
DESC’Identifies the natural language(s) supported for this directory entry.
For example: "en-us" (US English) or "fr-fr" (French in France).
Legal values conform to [RFC3066], Tags for the Identification of Languages.’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{63} )
( 1.3.18.0.2.4.1130
NAME ’printer-document-format-supported’
DESC’The possible document formats in which data may be interpreted
and printed by this printer.
Legal values are MIME types come from the IANA Registry of Internet Media Types.’
LDAP 的Internet 打印协议信息
第14 章• LDAP 一般参考(参考) 233
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
( 1.3.18.0.2.4.1129
NAME ’printer-color-supported’
DESC’Indicates whether this printer is capable of any type of color printing
at all, including highlight color.’
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
( 1.3.18.0.2.4.1128
NAME ’printer-compression-supported’
DESC’C ompression algorithms supported by this printer.
For example: "deflate, gzip". Legal values include; "none", "deflate"
attributetypes: (public domain ZIP), "gzip" (GNU ZIP), "compress" (UNIX).’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
( 1.3.18.0.2.4.1127
NAME ’printer-pages-per-minute’
DESC’The nominal number of pages per minute which may be output by this
printer (e.g., a simplex or black-and-white printer).
This attribute is informative, NOT a service guarantee.
Typically, it is the value used in marketing literature to describe this printer.’
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
LDAP 的Internet 打印协议信息
234 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
( 1.3.18.0.2.4.1126 NAME ’printer-pages-per-minute-color’
DESC’The nominal number of color pages per minute which may be output by this
printer (e.g., a simplex or color printer).
This attribute is informative, NOT a service guarantee.
Typically, it is the value used in marketing literature to describe this printer.’
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
( 1.3.18.0.2.4.1125 NAME ’printer-finishings-supported’
DESC’The possible finishing operations supported by this printer.
Legal values include; "none", "staple", "punch", "cover", "bind", "saddle-stitch",
"edge-stitch", "staple-top-left", "staple-bottom-left", "staple-top-right",
"staple-bottom-right", "edge-stitch-left", "edge-stitch-top", "edge-stitch-right",
"edge-stitch-bottom", "staple-dual-left", "staple-dual-top", "staple-dual-right",
"staple-dual-bottom".’
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
( 1.3.18.0.2.4.1124 NAME ’printer-number-up-supported’
DESC’The possible numbers of print-stream pages to impose upon a single side of
an instance of a selected medium. Legal values include; 1, 2, and 4.
Implementations may support other values.’
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
LDAP 的Internet 打印协议信息
第14 章• LDAP 一般参考(参考) 235
( 1.3.18.0.2.4.1123 NAME ’printer-sides-supported’
DESC’The number of impression sides (one or two) and the two-sided impression
rotations supported by this printer.
Legal values include; "one-sided", "two-sided-long-edge", "two-sided-short-edge".’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
( 1.3.18.0.2.4.1122 NAME ’printer-media-supported’
DESC’The standard names/types/sizes (and optional color suffixes) of the media
supported by this printer.
For example: "iso-a4", "envelope", or "na-letter-white".
Legal values conform to ISO 10175, Document Printing Application (DPA), and any
IANA registered extensions.’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
( 1.3.18.0.2.4.1117 NAME ’printer-media-local-supported’
DESC’Site-specific names of media supported by this printer, in the language in
"printer-natural-language-configured".
For example: "purchasing-form" (site-specific name) as opposed to
(in "printer-media-supported"): "na-letter" (standard keyword from ISO 10175).’
EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
( 1.3.18.0.2.4.1121 NAME ’printer-resolution-supported’
DESC’List of resolutions supported for printing documents by this printer.
Each resolution value is a string with 3 fields:
LDAP 的Internet 打印协议信息
236 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
1) Cross feed direction resolution (positive integer), 2) Feed direction
resolution (positive integer), 3) Resolution unit.
Legal values are "dpi" (dots per inch) and "dpcm" (dots per centimeter).
Each resolution field is delimited by ">". For example: "300> 300> dpi>".’
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
( 1.3.18.0.2.4.1120 NAME ’printer-print-quality-supported’
DESC’List of print qualities supported for printing documents on this printer.
For example: "draft, normal". Legal values include; "unknown", "draft", "normal",
"high".’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
( 1.3.18.0.2.4.1110 NAME ’printer-job-priority-supported’
DESC’Indicates the number of job priority levels supported.
An IPP conformant printer which supports job priority must always support a
full range of priorities from "1" to "100"
(to ensure consistent behavior), therefore this attribute describes the
"granularity".
Legal values of this attribute are from "1" to "100".’
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
( 1.3.18.0.2.4.1118
NAME ’printer-copies-supported’
LDAP 的Internet 打印协议信息
第14 章• LDAP 一般参考(参考) 237
DESC’The maximum number of copies of a document that may be printed as a single job.
A value of "0" indicates no maximum limit.
A value of "-1" indicates unknown.’
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
( 1.3.18.0.2.4.1111
NAME ’printer-job-k-octets-supported’
DESC’The maximum size in kilobytes (1,024 octets actually) incoming print job that
this printer will accept.
A value of "0" indicates no maximum limit. A value of "-1" indicates unknown.’
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
( 1.3.18.0.2.4.1113
NAME ’printer-service-person’
DESC’The name of the current human service person responsible for servicing this
printer.
It is suggested that this string include information that would enable other humans
to reach the service person, such as a phone number.’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127}
SINGLE-VALUE )
LDAP 的Internet 打印协议信息
238 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
( 1.3.18.0.2.4.1114
NAME ’printer-delivery-orientation-supported’
DESC’The possible delivery orientations of pages as they are printed and ejected
from this printer.
Legal values include; "unknown", "face-up", and "face-down".’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
( 1.3.18.0.2.4.1115
NAME ’printer-stacking-order-supported’
DESC’The possible stacking order of pages as they are printed and ejected from
this printer.
Legal values include; "unknown", "first-to-last", "last-to-first".’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
( 1.3.18.0.2.4.1116
NAME ’printer-output-features-supported’
DESC’The possible output features supported by this printer.
Legal values include; "unknown", "bursting", "decollating", "page-collating",
"offset-stacking".’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
( 1.3.18.0.2.4.1108
NAME ’printer-aliases’
DESC’Site-specific administrative names of this printer in addition the printer
LDAP 的Internet 打印协议信息
第14 章• LDAP 一般参考(参考) 239
name specified for printer-name.’
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} )
( 1.3.6.1.4.1.42.2.27.5.1.63
NAME ’sun-printer-bsdaddr’
DESC’Sets the server, print queue destination name and whether the client generates
protocol extensions.
"Solaris" specifies a Solaris print server extension. The value is represented b the
following value: server "," destination ", Solaris".’
SYNTAX ’1.3.6.1.4.1.1466.115.121.1.15’ SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.5.1.64
NAME ’sun-printer-kvp’
DESC’This attribute contains a set of key value pairs which may have meaning to the
print subsystem or may be user defined.
Each value is represented by the following: key "=" value.’
SYNTAX ’1.3.6.1.4.1.1466.115.121.1.15’ )
Internet 打印协议(Internet Print Protocol, IPP)
ObjectClasses
objectclasses: ( 1.3.18.0.2.6.2549
NAME ’slpService’
DESC’DUMMY definition’
SUP ’top’ MUST (objectclass) MAY ())
LDAP 的Internet 打印协议信息
240 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
objectclasses: ( 1.3.18.0.2.6.254
NAME ’slpServicePrinter’
DESC’Service Location Protocol (SLP) information.’
AUXILIARY SUP ’slpService’)
objectclasses: ( 1.3.18.0.2.6.258
NAME ’printerAbstract’
DESC’Printer related information.’
ABSTRACT SUP ’top’ MAY ( printer-name
$ printer-natural-language-configured
$ printer-location
$ printer-info
$ printer-more-info
$ printer-make-and-model
$ printer-multiple-document-jobs-supported
$ printer-charset-configured
$ printer-charset-supported
$ printer-generated-natural-language-supported
$ printer-document-format-supported
$ printer-color-supported
$ printer-compression-supported
$ printer-pages-per-minute
$ printer-pages-per-minute-color
$ printer-finishings-supported
$ printer-number-up-supported
LDAP 的Internet 打印协议信息
第14 章• LDAP 一般参考(参考) 241
$ printer-sides-supported
$ printer-media-supported
$ printer-media-local-supported
$ printer-resolution-supported
$ printer-print-quality-supported
$ printer-job-priority-supported
$ printer-copies-supported
$ printer-job-k-octets-supported
$ printer-current-operator
$ printer-service-person
$ printer-delivery-orientation-supported
$ printer-stacking-order-supported $ printer! -output-features-supported ))
objectclasses: ( 1.3.18.0.2.6.255
NAME ’printerService’
DESC’Printer information.’
STRUCTURAL SUP ’printerAbstract’ MAY ( printer-uri
$ printer-xri-supported ))
objectclasses: ( 1.3.18.0.2.6.257
NAME ’printerServiceAuxClass’
DESC’Printer information.’
AUXILIARY SUP ’printerAbstract’ MAY ( printer-uri $ printer-xri-supported ))
objectclasses: ( 1.3.18.0.2.6.256
NAME ’printerIPP’
DESC’Internet Printing Protocol (IPP) information.’
LDAP 的Internet 打印协议信息
242 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
AUXILIARY SUP ’top’ MAY ( printer-ipp-versions-supported $
printer-multiple-document-jobs-supported ))
objectclasses: ( 1.3.18.0.2.6.253
NAME ’printerLPR’
DESC’LPR information.’
AUXILIARY SUP ’top’ MUST ( printer-name ) MAY ( printer-aliases))
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.14
NAME ’sunPrinter’
DESC’Sun printer information’
SUP ’top’ AUXILIARY MUST (objectclass $ printer-name) MAY
(sun-printer-bsdaddr $ sun-printer-kvp))
Sun 打印机属性
ATTRIBUTE ( 1.3.6.1.4.1.42.2.27.5.1.63
NAME sun-printer-bsdaddr
DESC’Sets the server, print queue destination name and whether the
client generates protocol extensions. "Solaris" specifies a
Solaris print server extension. The value is represented by
the following value: server "," destination ", Solaris".’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
LDAP 的Internet 打印协议信息
第14 章• LDAP 一般参考(参考) 243
ATTRIBUTE ( 1.3.6.1.4.1.42.2.27.5.1.64
NAME sun-printer-kvp
DESC’This attribute contains a set of key value pairs which may have
meaning to the print subsystem or may be user defined. Each
value is represented by the following: key "=" value.’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
Sun 打印机ObjectClasses
OBJECTCLASS ( 1.3.6.1.4.1.42.2.27.5.2.14
NAME sunPrinter
DESC’Sun printer information’
SUP top
AUXILIARY
MUST ( printer-name )
MAY ( sun-printer-bsdaddr $ sun-printer-kvp ))
LDAP的常规目录服务器要求
为了支持基于Solaris 9 或更高Solaris 版本的LDAP 客户机,无论哪个品牌的服务器都必须支
持LDAP 3.0 版协议以及复合命名和辅助对象类。另外,还必须至少支持下列控制之一:
� 简单换页模式(RFC 2696)
� 虚拟列表视图控制
服务器必须至少支持下列验证方法之一:
anonymous
simple
sasl/cram-MD5
sasl/digest-MD5
LDAP 的常规目录服务器要求
244 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
如果使用pam_unix,则服务器必须支持以UNIX crypt 格式存储口令。
如果使用TLS,则服务器必须支持SSL 或TLS。
LDAP名称服务使用的缺省过滤器
如果没有使用SSD 为给定的服务手动指定参数,将使用缺省过滤器。要列出给定服务的缺
省过滤器,请使用带-v 选项的ldaplist。
在以下示例中,filter=(&(objectclass=iphost)(cn=abcde) 定义了缺省过滤器:
database=hosts
filter=(&(objectclass=iphost)(cn=abcde)
user data=(&(%s) (cn=abcde))
ldaplist 生成缺省过滤器的以下列表,其中%s 表示一个字符串,%d 表示一个数字:
hosts
(&(objectclass=iphost)(cn=%s))
--------------
passwd
(&(objectclass=posixaccount)(uid=%s))
--------------
services
(&(objectclass=ipservice)(cn=%s))
--------------
group
(&(objectclass=posixgroup)(cn=%s))
--------------
netgroup
(&(objectclass=nisnetgroup)(cn=%s))
LDAP 名称服务使用的缺省过滤器
第14 章• LDAP 一般参考(参考) 245
--------------
networks
(&(objectclass=ipnetwork)(ipnetworknumber=%s))
--------------
netmasks
(&(objectclass=ipnetwork)(ipnetworknumber=%s))
--------------
rpc
(&(objectclass=oncrpc)(cn=%s))
--------------
protocols
(&(objectclass=ipprotocol)(cn=%s))
--------------
bootparams
(&(objectclass=bootableDevice)(cn=%s))
--------------
ethers
(&(objectclass=ieee802Device)(cn=%s))
--------------
publickey
(&(objectclass=niskeyobject)(cn=%s))
or
(&(objectclass=niskeyobject)(uidnumber=%d))
--------------
LDAP 名称服务使用的缺省过滤器
246 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
aliases
(&(objectclass=mailGroup)(cn=%s))
--------------
表14–4 用在getXbyY 调用中的LDAP过滤器
过滤器定义
bootparamByName (&(objectClass=bootableDevice)(cn=%s))
etherByHost (&(objectClass=ieee802Device)(cn=%s))
etherByEther (&(objectClass=ieee802Device)(macAddress=%s))
groupByName (&(objectClass=posixGroup)(cn=%s))
groupByGID (&(objectClass=posixGroup)(gidNumber=%ld))
groupByMember (&(objectClass=posixGroup)(memberUid=%s))
hostsByName (&(objectClass=ipHost)(cn=%s))
hostsByAddr (&(objectClass=ipHost)(ipHostNumber=%s))
keyByUID (&(objectClass=nisKeyObject)(uidNumber=%s))
keyByHost (&(objectClass=nisKeyObject)(cn=%s))
netByName (&(objectClass=ipNetwork)(cn=%s))
netByAddr (&(objectClass=ipNetwork)(ipNetworkNumber=%s))
nisgroupMember (membernisnetgroup=%s)
maskByNet (&(objectClass=ipNetwork)(ipNetworkNumber=%s))
printerByName (&
(objectClass=sunPrinter)(|(printer-name=%s)(printer-aliases=%s)))
projectByName (&(objectClass=SolarisProject)(SolarisProjectName=%s))
projectByID (&(objectClass=SolarisProject)(SolarisProjectID=%ld))
protoByName (&(objectClass=ipProtocol)(cn=%s))
protoByNumber (&(objectClass=ipProtocol)(ipProtocolNumber=%d))
passwordByName (&(objectClass=posixAccount)(uid=%s))
passwordByNumber (&(objectClass=posixAccount)(uidNumber=%ld))
rpcByName (&(objectClass=oncRpc)(cn=%s))
rpcByNumber (&(objectClass=oncRpc)(oncRpcNumber=%d))
LDAP 名称服务使用的缺省过滤器
第14 章• LDAP 一般参考(参考) 247
表14–4 用在getXbyY 调用中的LDAP过滤器(续)
过滤器定义
serverByName (&(objectClass=ipService)(cn=%s))
serverByPort (&(objectClass=ipService)(ipServicePort=%ld))
serverByNameAndProto (&(objectClass=ipService)(cn=%s)(ipServiceProtocol=%s))
specialByNameserver (ipServiceProtocol=%s))
ByPortAndProto (&(objectClass=shadowAccount)(uid=%s))
netgroupByTriple (&(objectClass=nisNetGroup)(nisnetgrouptriple=(%s,%s,%s)))
netgroupByMember (&(objectClass=nisNetGroup)(|(membernisnetgroup=%s)
authName (&(objectClass=SolarisAuthAttr)(cn=%s))
auditUserByName (&(objectClass=SolarisAuditUser)(uid=%s))
execByName (&(objectClass=SolarisExecAttr)(cn=%s)
(SolarisKernelSecurityPolicy=%s)(SolarisProfileType=%s))
execByPolicy (&(objectClass=SolarisExecAttr)(SolarisProfileId=%s)
(SolarisKernelSecurityPolicy=%s)(SolarisProfileType=%s))
profileByName (&(objectClass=SolarisProfAttr)(cn=%s))
userByName (&(objectClass=SolarisUserAttr)(uid=%s))
下表列出了getent 属性过滤器。
表14–5 getent 属性过滤器
过滤器定义
aliases (objectClass=rfc822MailGroup)
auth_attr (objectClass=SolarisAuthAttr)
audit_user (objectClass=SolarisAuditUser)
exec_attr (objectClass=SolarisExecAttr)
group (objectClass=posixGroup)
hosts (objectClass=ipHost)
networks (objectClass=ipNetwork)
prof_attr (objectClass=SolarisProfAttr)
protocols (objectClass=ipProtocol)
LDAP 名称服务使用的缺省过滤器
248 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
表14–5 getent 属性过滤器(续)
过滤器定义
passwd (objectClass=posixAccount)
printers (objectClass=sunPrinter)
rpc (objectClass=oncRpc)
services (objectClass=ipService)
shadow (objectclass=shadowAccount)
project (objectClass=SolarisProject)
usr_attr (objectClass=SolarisUserAttr)
LDAP 名称服务使用的缺省过滤器
第14 章• LDAP 一般参考(参考) 249
250
从NIS 转换为LDAP(概述/任务)
本章介绍如何启用对使用存储在LDAP 目录中名称信息的NIS 客户机的支持。通过遵照本
章中的过程操作,可以从使用NIS 名称服务转换为使用LDAP 名称服务。
要了解转换到LDAP 的益处,请参见第130 页中的“LDAP 名称服务与其他名称服务的比较
”。
本章将介绍以下信息:
� 第251 页中的“NIS 到LDAP 转换服务概述”
� 第256 页中的“从NIS 转换为LDAP(任务列表)”
� 第257 页中的“NIS 到LDAP 转换的先决条件”
� 第258 页中的“设置NIS 到LDAP 转换服务”
� 第265 页中的“使用Sun Java System Directory Server 进行NIS 到LDAP 转换的最佳做法”
� 第267 页中的“NIS 到LDAP 转换限制”
� 第267 页中的“NIS 到LDAP 转换疑难解答”
� 第271 页中的“恢复为NIS”
NIS 到LDAP转换服务概述
NIS 到LDAP 转换服务(N2L 服务)使用NIS 到LDAP 转换守护进程来替换NIS 主服务器上
现有的NIS 守护进程。N2L服务还在该服务器上创建一个NIS 到LDAP 的转换映射文件。该
映射文件指定NIS 映射项和LDAP 中目录信息树(Directory Information Tree, DIT) 等效项之
间的映射。已经进行这种转换的NIS 主服务器称为N2L 服务器。从属服务器上没有
NISLDAPmapping 文件,因此它们继续以通常的方式工作。从属服务器定期从N2L服务器更
新其数据,就好像N2L服务器是常规的NIS 主服务器一样。
N2L服务的行为由ypserv 和NISLDAPmapping 配置文件控制。脚本inityp2l 可帮助对这些配
置文件进行初始设置。一旦建立了N2L服务器,就可以通过直接编辑这些配置文件来维护
N2L。
N2L服务支持以下功能:
� 将NIS 映射导入到LDAP 目录信息树(Directory Information Tree, DIT) 中
15 第1 5 章
251
� 客户机借助于NIS 的速度和可扩展性访问DIT 信息
在任何名称系统中,仅有一个信息源可以是权威来源。在传统的NIS 中,NIS 源是权威信
息。在使用N2L服务时,权威数据源自LDAP 目录。如第9 章中所述,该目录是通过使用
目录管理工具进行管理的。
NIS 源仅保留用于紧急备份或卸载。在使用N2L服务之后,可以逐步淘汰NIS 客户机。最
终,所有的NIS 客户机都会被Solaris LDAP 名称服务客户机所取代。
以下各小节中提供了其他概述信息:
� 第252 页中的“NIS 到LDAP 转换的目标用户”
� 第252 页中的“不应使用NIS 到LDAP 转换服务的情况”
� 第253 页中的“NIS 到LDAP 转换服务对用户造成的影响”
� 第253 页中的“NIS 到LDAP 转换术语”
� 第254 页中的“NIS 到LDAP 转换命令、文件和映射”
� 第255 页中的“支持的标准映射”
NIS 到LDAP转换工具和服务管理工具
NIS 和LDAP 服务由服务管理工具管理。可以使用svcadm 命令对这些服务执行启用、禁用
或重新启动等管理操作。使用svcs 命令可以查询服务的状态。有关使用SMF 对LDAP 和
NIS 进行管理的更多信息,请参见第180 页中的“LDAP 和服务管理工具”和第88 页中的
“NIS 和服务管理工具”。有关SMF 的概述,请参阅System Administration Guide: Basic
Administration中的“ Managing Services (Overview)”。另请参阅svcadm(1M) 和svcs(1) 手册
页以了解更多详细信息。
NIS 到LDAP转换的目标用户
您需要熟悉NIS 和LDAP 概念、术语和ID 才能执行本章中的过程。有关NIS 和LDAP 名称
服务的更多信息,请参见本书中的以下两章:
� 第4 章(提供NIS 的概述)
� 第8 章(提供LDAP 的概述)
不应使用NIS 到LDAP转换服务的情况
请勿在以下情况下使用N2L服务:
� 不打算在NIS 客户机和LDAP 名称服务客户机之间共享数据。
在这种情况下,N2L服务器将充当极其复杂的NIS 主服务器。
� NIS 映射由修改NIS 源文件的工具(而非yppasswd)来管理。
从DIT 映射重新生成NIS 源是一项不精确的任务,该任务需要手动检查生成的映射。一
旦使用了N2L服务,提供的NIS 源的重新生成功能就仅用于卸载NIS 或恢复为NIS。
NIS 到LDAP 转换服务概述
252 系统管理指南:名称和目录服务(DNS、NIS 和LDAP) • 2006 年9 月
� 没有NIS 客户机
在这种情况下,可以使用Solaris LDAP 名称服务客户机及其相应工具。
NIS 到LDAP转换服务对用户造成的影响
仅安装与N2L服务相关的文件不会更改NIS 服务器的缺省行为。在安装时,管理员将会看
到NIS 手册页发生了一些变化,而且服务器上增加了N2L帮助脚本inityp2l 和ypmap2src。
但是,只要在NIS 服务器上没有运行inityp2l 或没有手动创建N2L配置文件,NIS 组件就
会继续在传统的NIS 模式下启动并像通常那样工作。
运行inityp2l 之后,用户会看到服务器和客户机行为发生了一些变化。以下是NIS 和
LDAP 用户类型的列表,其中说明了在部署N2L服务之后每种类型的用户应当注意到的情
况。
用户类型N2L 服务的影响
NIS 主服务器管理员NIS 主服务器转换为N2L服务器。NISLDAPmapping 和ypserv 配置文件将会
安装在N2L服务器上。建立N2L服务器之后,可以使用LDAP 命令来管理
名称信息。
NIS 从属服务器管理员进行N2L转换之后,NIS 从属服务器继续以通常的方式运行NIS。当
ypmake 调用yppush 时,N2L服务器会将已更新的NIS 映射推送到从属服务
器。请参见ypmake(1M) 手册页。
NIS 客户机NIS 读取操作与传统的NIS 没有区别。当Solaris LDAP 名称服务客户机更
改DIT 中的信息时,这些信息会复制到NIS 映射中。复制操作是在可配置
的超时时间过期之后完成的。这类行为与连接到NIS 从属服务器的常规
NIS 客户机的行为相似。
如果N2L服务器无法绑定到LDAP 服务器进行读取,则N2L服务器将从其
自身的缓存副本中返回信息。或者,N2L服务器还可能会返回内部服务器
错误。可以将N2L服务器配置为按照上述任一方式响应。有关更多详细信
息,请参见ypserv(1M) 手册页。
所有用户当NIS 客户机请求更改口令时,所做的更改将立即显示在N2L主服务器和
本地LDAP 客户机上。
如果尝试在NIS 客户机上更改口令,而且LDAP 服务器不可用,则更改将
被拒绝,N2L服务器将返回内部服务器错误。此行为可防止将不正确的信
息写入高速缓存中。
NIS 到LDAP转换术语
以下是与实现N2L服务相关的术语。
以上文章转自于 : http://developers.sun.com.cn/
阅读(1618) | 评论(0) | 转发(0) |
