Directory User Agents (DUAs) Configuration Profile #
The LDAP protocol has brought about a new and nearly ubiquitous acceptance of the directory server. Many new client applications (DUAs) are being created that use LDAP directories for many different services. And although the LDAP protocol has eased the development of these applications, some challenges still exist for both developers and directory administrators.The DUAConfigProfile is an attempt to provide for the common setup of LDAP for Linux and Unix Clients.
The goal of the DUAConfigProfile is an implementation of Directory User Agents (DUAs) described by RFC 2307. In developing these agents, we felt there are several issues that still need to be addressed to ease the deployment and configuration of a large network of these DUAs.
One of these challenges stems from the lack of a utopian schema. A utopian schema would be one that every application developer could agree upon and that would support every application. Unfortunately today, many DUAs define their own schema (like RFC 2307 vs. Microsoft's Services for Unix) containing similar attributes, but with different attribute names. This can lead to data redundancy within directory entries and give directory administrators unwanted challenges, updating schemas and synchronizing data.
So, one goal of RFC 4876
is to eliminate data redundancy by having DUAs configure themselves to the schema of the deployed directory, instead of forcing its own schema on the directory.
PAM Support by Platforms #
Although the goal of the duaConfigProfile is not aimed at Operating System LDAP Clients, the use of the duaConfigProfile, as near as we know, has only been implemented on Operating System LDAP Clients.Solaris #
The Solaris 9 implementation uses of DUAconfigProfile. The old profile (SolarisNamingProfile) type is identified as NS_LDAP_FILE_VERSION = 1.0 and the new profile (DUAconfigProfile) type is NS_LDAP_FILE_VERSION = 2.0HP-UX #
Starting with LDAP-UX Integration product version B.03.01, the Configuration Profile Schema has been expanded to reflect the definitions in the most current IETF draft titled, A Configuration Schema for LDAP Based Directory User Agents in the document file titled, draft-joslin-config-schema-04.txt (which became RFC 4876). This allows LDAP-UX to integrate with configuration profiles that are supported by other vendors.
In so doing, the object classes posixNamingProfile and posixDUAProfile have been replaced by DUAConfigProfile.
Linux #
Now and RFC #
The draft-joslin-config-schema-0#.txt (May 2007) was accepted as RFC 4876.Schema for DUAConfigProfile #
The ldif file is based on the schema described in RFC 4876LDIF Schema file to create the DUAConfigProfile
DUA Profile Attributes #
Sample DUAConfigProfile #
For details of the attributes or ObjectClasses refer to RFC 4876.version: 1 dn: ou=profile,ou=services,dc=willeke,dc=com changetype: add objectClass: top objectClass: organizationalUnit ou: profile dn: cn=default,ou=profile,ou=services,dc=willeke,dc=com changetype: add ObjectClass: top ObjectClass: DUAConfigProfile defaultServerList: 10.44.82.1 10.44.82.2 defaultSearchBase: ou=services,dc=willeke,dc=com?one authenticationMethod: tls:simple followReferrals: FALSE defaultSearchScope: one searchTimeLimit: 30 profileTTL: 3000 bindTimeLimit: 10 cn: default credentialLevel: proxy serviceSearchDescriptor: passwd: ou=people,dc=willeke,dc=com?sub serviceSearchDescriptor: group: group:ou=group,ou=services,dc=willeke,dc=com?one serviceSearchDescriptor: netgroup:ou=netgroups,ou=services,dc=willeke,dc=com?one serviceSearchDescriptor: sudoers:ou=Sudoers,ou=services,dc=willeke,dc=com?one objectclassMap: passwd:posixAccount=posixAccount objectclassMap: group:posixGroup=posixGroup objectclassMap: sudoers:sudoRole=sudoRole objectclassMap: netgroup:nisNetgroup=nisNetgroup