mkprojldap Command

Purpose

Configures the LDAP client and server machines for handling advanced accounting subsystem data.

Syntax

mkprojldap -s -h hostname -D bindDN -w bindPWD -i -p projectInstallPoint -a adminInstallPoint

mkprojldap -u -h hostname -D bindDN -w bindPWD

mkprojldap -c -D bindDN -w bindPWD [ -p accountingProjectDN ] [ -a accountingAdminDN ] [ -r cron ]

mkprojldap { -l | -L [ -D bindDN -w bindPWD ] | -V } [ -p ] [ -a ]

Description

The mkprojldap command configures the LDAP server and client machines for handling the advanced accounting subsystem data. The LDAP server and client relationship must already be defined, and mkprojldap makes only incremental changes. The mkprojldap command can be used to configure the basic LDAP connection.

To add advanced accounting support to the LDAP server, the LDAP schema for advanced accounting must be uploaded to the server. The schema describes the format of advanced accounting data to the server, enabling the server to process accounting data without being enabled specifically for accounting. This is accomplished with the -u option. The LDAP server is not dependent on advanced accounting. This command needs to be run only once for each LDAP server. After this command is run, use the -s option to define the location on the LDAP server where advanced accounting data is to be stored. This command can be run one or more times to establish one or more accounting domains. An LDAP client can only access only one accounting domain at a time.

To configure an LDAP client so that it receives advanced accounting data, use the -c option to specify the location of the advanced accounting data sets on the LDAP server that are to be used by the LDAP client. The mkprojldap command is used to configure absolute paths, which are known as distinguished names (DNs), to projects and admin policies. The advanced accounting subsystem stores project definitions and admin policies on LDAP servers, so there are two advanced accounting DNs that can be configured. The mkprojldap -c command must be run on each client.

Flags

Item Description
-a accountingAdminDN Specifies the accounting admin DN location on the LDAP server, when used with -s or -c options. When used with -l or -L options, this flag displays the accounting admin DN.
-c Configures the LDAP client.
-D bindDN Specifies the Bind DN to be used during the server configuration.
-h hostname Specifies the host name of the LDAP server during the server configuration.
-i Provides the admin (-a) and project (-p) install points during the server configuration.
-L Displays the potential accounting DNs that are visible from the server.
-l Displays the accounting DNs in the ldap.cfg file.
-p accountingProjectDN Specifies the accounting project DN location on the LDAP server when used with the -s or -c options. When used with -l or -L options, this flag displays the accounting project DN.
-r con Specifies the frequency for refreshing the LDAP repositories (hourly, daily, or off).
-s Configures the LDAP server.
-u Uploads the advanced accounting schema to the LDAP server.
-V Displays the current LDAP client configuration details in a colon separated format.
-w bindPWD Used to provide the Bind password for the Bind DN specified with the -D option.
Note: When using the preceding flags with this command, use the following guidelines:
  • During server and client configuration, both the -p and -a arguments can be specified at the same time, but neither is required. If neither is specified, the mkprojldap command tries to compute the missing accounting DNs by searching for the objects on the LDAP server. These objects are ou=projects and ou=adminpolicy. If an object is found, the corresponding accounting DN is computed and added to the ldap.cfg file.
  • While listing the accounting DNs using the -l or -L options, both -p and -a can be used. If neither of them are provided, all accounting DNs in the ldap.cfg file are listed.
  • The colon-separated data displayed by the -V option takes the following format: 
    ldap-server-hostname:bind DN:bind password:default-projectdn:default-admindn:cron

Exit Status

Item Description
0 Successful completion.
>0 An error occurred.

Examples

  1. To upload the advanced accounting schema, type: 
    mkprojldap -u -h mozilla -D cn=root -w mozillapasswd
  2. To configure the LDAP server, type: 
    mkprojldap -s -h ldap.svr.com -D cn=root -w passwd -i 
             -p cn=aixdata,o=ibm -a cn=aixdata,o=ibm
    This command creates two DNs in the following format: 
    ou=projects,ou=aacct,cn=aixdata,o=ibm and ou=adminpolicy,ou=aacct,cn=aixdata,o=ibm
  3. To configure the LDAP client, type: 
    mkprojldap -c -D cn=testroot -w testpwd -p ou=projects,ou=aacct,ou=cluster1,cn=aixdata -a 
           ou=adminpolicy,ou=aacct,ou=cluster1,cn=aixdata -r hourly
  4. To display the currently configured accounting DNs, type: 
    mkprojldap -l

Files

Item Description
/usr/sbin/mkprojldap Contains the mkprojldap command.
/etc/security/ldap/ldap.cfg Contains the LDAP configuration data.
/etc/security/ldap/sec.ldif Contains the LDAP schema for advanced accounting.