Directory User Agents (DUAs) Configuration Profile #

The LDAP protocol has brought about a new and nearly ubiquitous acceptance of the directory server. Many new client applications (DUAs) are being created that use LDAP directories for many different services. And although the LDAP protocol has eased the development of these applications, some challenges still exist for both developers and directory administrators.

The DUAConfigProfile is an attempt to provide for the common setup of LDAP for Linux and Unix Clients.

The goal of the DUAConfigProfile is an implementation of Directory User Agents (DUAs) described by RFC 2307. In developing these agents, we felt there are several issues that still need to be addressed to ease the deployment and configuration of a large network of these DUAs.

One of these challenges stems from the lack of a utopian schema. A utopian schema would be one that every application developer could agree upon and that would support every application. Unfortunately today, many DUAs define their own schema (like RFC 2307 vs. Microsoft's Services for Unix) containing similar attributes, but with different attribute names. This can lead to data redundancy within directory entries and give directory administrators unwanted challenges, updating schemas and synchronizing data.

So, one goal of RFC 4876 is to eliminate data redundancy by having DUAs configure themselves to the schema of the deployed directory, instead of forcing their own schema on the directory.

PAM Support by Platforms #

Although the DUAConfigProfile is not aimed specifically at Operating System LDAP Clients, as near as we know it has only been implemented on Operating System LDAP Clients.

Solaris #

The Solaris 9 implementation uses the DUAConfigProfile. The old profile type (SolarisNamingProfile) is identified as NS_LDAP_FILE_VERSION = 1.0 and the new profile type (DUAConfigProfile) as NS_LDAP_FILE_VERSION = 2.0.


Starting with LDAP-UX Integration product version B.03.01, the Configuration Profile Schema has been expanded to reflect the definitions in the most current IETF draft, "A Configuration Schema for LDAP Based Directory User Agents", in the document file draft-joslin-config-schema-04.txt (which became RFC 4876). This allows LDAP-UX to integrate with configuration profiles that are supported by other vendors.

In so doing, the object classes posixNamingProfile and posixDUAProfile have been replaced by DUAConfigProfile.

Linux #

Please advise which Linux Operating System and Versions (we can not find any) have support for the DUAConfigProfile in their LDAP clients!

Now an RFC #

The draft-joslin-config-schema-0#.txt (May 2007) was accepted as RFC 4876.

Schema for DUAConfigProfile #

The LDIF file is based on the schema described in RFC 4876.

LDIF Schema file to create the DUAConfigProfile

DUA Profile Attributes #

Sample DUAConfigProfile #

For details of the attributes or ObjectClasses refer to RFC 4876.

version: 1

# Container for client configuration profiles
dn: ou=profile,ou=services,dc=willeke,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: profile

# Default profile read by the DUAs
dn: cn=default,ou=profile,ou=services,dc=willeke,dc=com
changetype: add
ObjectClass: top
ObjectClass: DUAConfigProfile
# defaultSearchBase is a plain DN; the scope is set in defaultSearchScope
defaultSearchBase: ou=services,dc=willeke,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 3000
bindTimeLimit: 10
cn: default
credentialLevel: proxy
# serviceSearchDescriptor values: serviceID:baseDN?scope
serviceSearchDescriptor: passwd:ou=people,dc=willeke,dc=com?sub
serviceSearchDescriptor: group:ou=group,ou=services,dc=willeke,dc=com?one
serviceSearchDescriptor: netgroup:ou=netgroups,ou=services,dc=willeke,dc=com?one
serviceSearchDescriptor: sudoers:ou=Sudoers,ou=services,dc=willeke,dc=com?one
# objectclassMap values: serviceID:clientObjectClass=directoryObjectClass
objectclassMap: passwd:posixAccount=posixAccount
objectclassMap: group:posixGroup=posixGroup
objectclassMap: sudoers:sudoRole=sudoRole
objectclassMap: netgroup:nisNetgroup=nisNetgroup
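
As an added example (not from the original page or from RFC 4876), the following Python reads one DUAConfigProfile entry, resolves the search locations a client would use for a service, and flags malformed serviceSearchDescriptor values and authenticationMethod settings that permit an anonymous or unencrypted simple bind. The function names, the constructed sample entry, and the fallback scope of sub when defaultSearchScope is absent are assumptions.

```python
import re

# Constructed sample input, modelled on this page's profile; the last
# serviceSearchDescriptor is deliberately malformed (service ID repeated).
SAMPLE = """\
dn: cn=default,ou=profile,ou=services,dc=willeke,dc=com
objectClass: DUAConfigProfile
defaultSearchBase: ou=services,dc=willeke,dc=com
defaultSearchScope: one
authenticationMethod: tls:simple;simple
serviceSearchDescriptor: passwd:ou=people,dc=willeke,dc=com?sub
serviceSearchDescriptor: netgroup:ou=netgroups,ou=services,dc=willeke,dc=com
serviceSearchDescriptor: group:group:ou=group,ou=services,dc=willeke,dc=com?one
"""

def parse_entry(ldif):
    """Return {lowercased attribute: [values]} for one unfolded LDIF entry."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def descriptors(entry):
    """Yield (service, base, scope, filter) per serviceSearchDescriptor part.
    Assumes no backslash-escaped ';' or '?' inside the values."""
    default_scope = entry.get("defaultsearchscope", ["sub"])[0]  # assumed fallback
    for value in entry.get("servicesearchdescriptor", []):
        service, _, descs = value.partition(":")
        for desc in descs.split(";"):
            base, scope, filt = ([p.strip() for p in desc.split("?")] + ["", ""])[:3]
            yield service.strip().lower(), base, scope or default_scope, filt or None

def search_bases(entry, service):
    """Search locations for a service, else defaultSearchBase and default scope."""
    found = [d[1:] for d in descriptors(entry) if d[0] == service.lower()]
    default_scope = entry.get("defaultsearchscope", ["sub"])[0]
    return found or [(entry["defaultsearchbase"][0], default_scope, None)]

def malformed_bases(entry):
    """Descriptors whose base does not start with an attribute type and '='."""
    rdn_start = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=")
    return [(s, b) for s, b, _, _ in descriptors(entry) if not rdn_start.match(b)]

def unprotected_bind_methods(entry):
    """authenticationMethod entries permitting anonymous or non-TLS simple bind."""
    methods = ";".join(entry.get("authenticationmethod", [])).split(";")
    return [m.strip() for m in methods if m.strip().lower() in ("none", "simple")]
```

Running these checks against a profile exported from the directory before clients pick it up catches descriptor typos and bind-method fallbacks that would otherwise only show up as failed or unprotected lookups on the clients.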
