ldap.cfg File Format

Purpose

Configuration file for the secldapclntd LDAP client-side daemon.

Description

The /etc/security/ldap/ldap.cfg file contains the information the secldapclntd daemon needs to start and function properly, as well as settings for fine-tuning the daemon's performance. The /etc/security/ldap/ldap.cfg file is updated by the mksecldap command at client setup.

The /etc/security/ldap/ldap.cfg file may contain the following fields:
Item Description
ldapservers Specifies a comma separated list of Lightweight Directory Access Protocol (LDAP) Security Information Servers. These servers can either be the primary server or the replica of the primary server. The first server in the list has the highest priority.
binddn Specifies the distinguished name (DN) used to bind to the LDAP Security Information Server(s).
bindpwd Specifies the password for the binddn.
authtype Specifies the authentication mechanism to use. Valid values are unix_auth and ldap_auth. The default is unix_auth.
  • unix_auth - Retrieves the user's password from LDAP and authenticates the user locally.
  • ldap_auth - Binds to the LDAP server as the authenticating user in order to authenticate.
    Note: With the ldap_auth mechanism the user's password is sent to the LDAP server in clear text unless SSL or TLS is in use. Use of SSL is strongly encouraged.
useSSL Specifies whether to use the SSL communication. Valid values are yes, SSL, TLS, NONE and no. The default value is no.
Note: You will need the SSL key and the password to the key to enable this feature.
ldapsslkeyf Specifies the full path of the SSL or TLS key.
ldapsslkeypwd Specifies the password of the SSL or TLS key.
Note: Comment out this line to use a stashed password. The password stash file must reside in the same directory as the SSL or TLS key and must have the same name as the key file, with the extension .sth instead of .kdb.
useKRB5 Specifies whether to use Kerberos for the initial bind to the server. Valid values are yes or no. The default is no.
Note: The Kerberos principal, keytab path and kinit command directory are required to enable this feature. If Kerberos bind is enabled, binddn and bindpwd are not required.
krbprincipal Specifies the Kerberos principal used to bind to the server.
krbkeypath Specifies the path to the Kerberos keytab. The default is /etc/security/ldap/krb5.keytab.
krbcmddir Specifies the directory that contains the Kerberos kinit command. The default is /usr/krb5/bin/.
pwdalgorithm Specifies the password encryption algorithm used for the unix_auth mode. The ldap_auth mode ignores this attribute. Valid values are crypt and system. The default value is crypt.
crypt
Specifies the legacy crypt() (DES) algorithm.
system
Specifies to use the system-wide password algorithm configured in the /etc/security/login.cfg file. To use the system-wide password algorithm, the LDAP server's password encryption must be disabled to avoid double encryption. Double encryption can make the password unusable. Ensure that all clients of the LDAP server understand the algorithm that is used.
userattrmappath Specifies the full path to the AIX®-LDAP attribute map for users.
groupattrmappath Specifies the full path to the AIX-LDAP attribute map for groups.
idattrmappath Specifies the full path to the AIX-LDAP attribute map for IDs. These IDs are used by the mkuser command when creating LDAP users.
userbasedn Specifies the user base DN. For more information, see Detailed information.
groupbasedn Specifies the group base DN. For more information, see Detailed information.
idbasedn Specifies the ID base DN. For more information, see Detailed information.
hostbasedn Specifies the host base DN. For more information, see Detailed information.
servicebasedn Specifies the service base DN. For more information, see Detailed information.
protocolbasedn Specifies the protocol base DN. For more information, see Detailed information.
networkbasedn Specifies the network base DN. For more information, see Detailed information.
netgroupbasedn Specifies the netgroup base DN. For more information, see Detailed information.
rpcbasedn Specifies the RPC base DN. For more information, see Detailed information.
aliasbasedn Specifies the alias base DN. For more information, see Detailed information.
automountbasedn Specifies the automount base DN. For more information, see Detailed information.
bootparambasedn Specifies the bootparams base DN. For more information, see Detailed information.
etherbasedn Specifies the ether base DN. For more information, see Detailed information.
tsddatbasedn Specifies the file’s Trusted Signature Database base DN. For more information, see Detailed information.
tepoliciesbasedn Specifies the machine’s trusted execution policies base DN. For more information, see Detailed information.
userclasses Specifies a comma-separated list of object classes that are used for the user entry. For more information, see Detailed information.
groupclasses Specifies a comma-separated list of object classes that are used for the group entry. For more information, see Detailed information.
ldapversion Specifies the LDAP server protocol version. Default is 3.
ldapport Specifies the port on which the LDAP server listens. The default value is 389. TLS also uses this port by default.
ldapsslport Specifies the SSL port on which the LDAP server listens. The default value is 636.
followaliase Specifies whether to follow aliases. Valid values are NEVER, SEARCHING, FINDING, and ALWAYS. The default is NEVER.
usercachesize Specifies the user cache size. Valid values are 100 - 10,000 entries. Default is 1,000.
groupcachesize Specifies the group cache size. Valid values are 10 - 1,000 entries. Default is 100.
cachetimeout Specifies the cache TTL (time to live) for users and groups. Value must be >=0 seconds. Default is 300. Set to 0 to disable caching.
Note: The cachetimeout field is a deprecated attribute. Please use the usercachetimeout and groupcachetimeout attributes instead.
usercachetimeout Specifies the cache TTL (time to live) for users. Value must be >= 0 seconds. Default is 300. Set to 0 to disable user caching. When specified, this value overrides the cachetimeout setting.
groupcachetimeout Specifies the cache TTL (time to live) for groups. Value must be >= 0 seconds. Default is 300. Set to 0 to disable group caching. When specified, this value overrides the cachetimeout setting.
ldapsizelimit Specifies the maximum number of entries to be requested from the LDAP server in an ALL query. The default is 0 (no limit). If ldapsizelimit is greater than the server's size limit, the server's limit caps the number of entries returned. Setting ldapsizelimit to a lower number increases the performance of some commands, for example the lsuser -R LDAP ALL command.
heartbeatinterval Specifies the interval in seconds that the client contacts the server for server status. Valid values are 60 - 3,600 seconds. Default is 300.
numberofthread Specifies the number of threads for the secldapclntd daemon. Valid values are 1 - 1,000. Default is 10.
nsorder Specifies the order of host name resolution by the secldapclntd daemon. The default order is dns, nis, local. For more information about valid resolvers, see TCP/IP Name Resolution.
Note: Do not use nis_ldap, because it could cause the secldapclntd daemon to hang.
searchmode Specifies the set of user and group attributes to be retrieved. This attribute is intended for performance tuning. The AIX commands may not support all non-OS attributes. Valid values are ALL and OS. The default is ALL.
  • ALL - Retrieve all attributes of an entry.
  • OS - Retrieve only the attributes the operating system requires. Non-OS attributes such as telephone number or binary images are not returned.
    Note: Use OS only when entries have many non-OS attributes or attributes with large values (for example, binary data), to reduce the sorting effort on the LDAP server.
defaultentrylocation Specifies the location of the default entry. Valid values are ldap and local. The default is ldap.
  • ldap - Use the default entry in LDAP for all attribute default values.
  • local - Use the default stanza from local /etc/security/user file for all attribute default values.
ldaptimeout Specifies the timeout period in seconds for LDAP client requests to the server. This value determines how long the client will wait for a response from the LDAP server. Valid range is 0 - 3600 (1 hour). Default is 60 seconds. Set this value to 0 to disable the timeout.
connectionsperserver Specifies the maximum number of connections to the LDAP server. If the specified value is greater than the value of the numberofthread field, the secldapclntd daemon uses the value of the numberofthread field instead. The daemon starts with one connection, dynamically adds connections at high LDAP request demand up to the connectionsperserver value, and closes idle connections at low demand. The valid value of this field ranges from 1 through 100. The default value is 10.
connectionmissratio Specifies the percentage of LDAP operations that may miss an LDAP handle on the first attempt (handle-miss). When the miss ratio reaches this value, the secldapclntd daemon adds a new connection. The total number of connections does not exceed the value of the connectionsperserver field. The valid value of this field ranges from 10 through 90. The default value is 50.
newconnT Specifies the interval at which the connection miss ratio (connectionmissratio) is checked to determine whether a new connection needs to be created.
connectiontimeout Specifies time in seconds that an LDAP connection to the server can be idle before the secldapclntd daemon closes it. The valid value is 5 seconds or greater. The default value is 300.
serverschematype Specifies the schema type of the LDAP server. It is set by the mksecldap command at LDAP client configuration time. Do not modify this attribute. Valid values are: rfc2307aix, rfc2307, aix, sfu30, and sfur2.
enableutf8_xlation Enables the saving of data to the LDAP server in UTF-8 format. Valid values are yes and no. The default value is no.
rbacinterval Specifies the time interval (in seconds) for the secldapclntd daemon to invoke the setkst command to update the kernel RBAC tables. The value must be greater than 60 seconds. Set the value to 0 to disable the setkst command. The default value is 3600.
useprivport Specifies whether to use local privileged ports to connect to LDAP servers. The valid values are yes and no. The default value is no. The useprivport attribute is for backward compatibility only.
memberfulldn Specifies whether group members are stored as DNs or as account names. The valid values are yes and no. The default value is no (account names); in most cases do not change it. Set the value to yes if group members are in DN format. For backward compatibility, if the LDAP server is Active Directory, the group member attribute is mapped to msSFU30PosixMember and the secldapclntd daemon always uses DN format regardless of this setting.
pwdpolicydn Specifies the DN of the LDAP server global password policies. The secldapclntd daemon uses this policy entry to inform the user what is wrong in case of a noncompliant password. If you have specified password policies, these policies are used instead of the global policies.
usrkeystorebasedn Specifies the user's EFS PKCS#12 keystore base DN. For more information, see Detailed information.
grpkeystorebasedn Specifies the group's EFS PKCS#12 keystore base DN. For more information, see Detailed information.
efscookiesbasedn Specifies the EFS Cookie base DN. For more information, see Detailed information.
admkeystorebasedn Specifies the EFS Admin’s PKCS#12 keystore base DN. For more information, see Detailed information.
followreferrals Specifies whether the AIX LDAP client chases the referrals received from the LDAP server. The valid values are on and off. The default is on, meaning that referrals are chased.
caseExactAccountName Specifies whether to match account names as case-sensitive or case-insensitive. Most LDAP servers treat account names as case-insensitive. Therefore, account names like foo, Foo, FOo, and FOO are treated as the same user, and these servers allow only one of them to be defined in LDAP. The valid values are:
No
Specifies to return account name which matches the requested name as case-insensitive. For example, querying user foo may return any of foo, Foo, FOo, and FOO. This is the default value.
Yes
Specifies to return account name which matches the requested name as case-sensitive. For example, querying user foo will fail if one of the names Foo, FOo, or FOO exists in LDAP instead of foo.
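The field descriptions above warn about several combinations a hardening review should catch: ldap_auth without SSL, a literal ldapsslkeypwd instead of the stash file, the deprecated cachetimeout, nis_ldap in nsorder, a disabled ldaptimeout, and more than 10 values for one base DN. The following Python script, added here as an example and not IBM's code, parses the attribute: value format of ldap.cfg (comments begin with #, and an attribute such as userbasedn may repeat, one value per line) and reports those findings. The sample configuration is constructed for the demonstration; it is not a real file.

```python
"""Audit an AIX /etc/security/ldap/ldap.cfg for weak or deprecated settings.

Added example, not IBM code. Parses the 'attribute: value' format and flags the
combinations the ldap.cfg field descriptions warn about.
"""
from collections import defaultdict

# Constructed sample ldap.cfg; every value is illustrative only.
SAMPLE_LDAP_CFG = """\
# secldapclntd configuration (constructed sample)
ldapservers: ldap1.example.com, ldap2.example.com
binddn: cn=admin,cn=aixdata
bindpwd: secret
authtype: ldap_auth
useSSL: no
ldapsslkeyf: /etc/security/ldap/key.kdb
ldapsslkeypwd: keypass
cachetimeout: 300
nsorder: nis_ldap, dns, local
ldaptimeout: 0
userbasedn: ou=dept1users,cn=aixdata
userbasedn: ou=dept2users,cn=aixdata
"""


def parse_ldap_cfg(text):
    """Return {attribute: [values...]} in file order; blank and comment lines are skipped."""
    cfg = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comment, blank, or a line without the 'attribute: value' shape
        key, _, value = line.partition(":")
        cfg[key.strip()].append(value.strip())
    return dict(cfg)


def first(cfg, key, default=None):
    """First value of a possibly multi-valued attribute, or the default when absent."""
    values = cfg.get(key)
    return values[0] if values else default


def audit(cfg):
    """Return (severity, message) findings derived from the ldap.cfg field semantics."""
    findings = []
    authtype = first(cfg, "authtype", "unix_auth").lower()
    use_ssl = first(cfg, "useSSL", "no").lower()
    if authtype == "ldap_auth" and use_ssl not in ("yes", "ssl", "tls"):
        findings.append(("high", "authtype ldap_auth without useSSL: user passwords cross the network in clear text"))
    if "bindpwd" in cfg and first(cfg, "useKRB5", "no").lower() != "yes":
        findings.append(("info", "bind credential kept in ldap.cfg; useKRB5 yes removes the need for binddn/bindpwd"))
    if "ldapsslkeypwd" in cfg:
        findings.append(("low", "ldapsslkeypwd set; commenting it out makes the daemon read the .sth stash file instead"))
    if "cachetimeout" in cfg:
        findings.append(("info", "cachetimeout is deprecated; use usercachetimeout and groupcachetimeout"))
    resolvers = [r.strip() for r in first(cfg, "nsorder", "").split(",") if r.strip()]
    if "nis_ldap" in resolvers:
        findings.append(("medium", "nsorder contains nis_ldap, which can hang secldapclntd"))
    if first(cfg, "ldaptimeout", "60") == "0":
        findings.append(("low", "ldaptimeout 0 disables the client request timeout"))
    for key, values in cfg.items():
        if key.endswith("basedn") and len(values) > 10:
            findings.append(("medium", f"{key} has {len(values)} values; at most 10 are allowed"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_ldap_cfg(SAMPLE_LDAP_CFG)):
        print(f"[{severity}] {message}")
```

Run it against a copy of the real file with `audit(parse_ldap_cfg(open("/etc/security/ldap/ldap.cfg").read()))`; the checks only encode what the field descriptions on this page state, so a clean run is not a full review of the client configuration.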
Detailed information
  • Multiple base DNs
    All of the base DN attributes accept multiple values, with each <basedn>: <value> pair on a separate line. For example, to allow users in the ou=dept1users,cn=aixdata base DNs and the ou=dept2users,cn=aixdata base DNs to log in to the system, you can specify the userbasedn attribute as follows:
    userbasedn: ou=dept1users,cn=aixdata
    userbasedn: ou=dept2users,cn=aixdata
    You can specify up to 10 base DNs for each entity in the /etc/security/ldap/ldap.cfg file. The base DNs are prioritized in the order they appear in the /etc/security/ldap/ldap.cfg file. The following list describes the system behaviors in regards to multiple base DNs:
    • Query operations, such as the lsuser command, are done according to the base DN order that is specified until a matching account is found. A failure is returned only if all of the base DNs are searched without finding a match.
    • Modification operations, such as the chuser command, are done to the first matching account.
    • Deletion operations, such as the rmuser command, are done to the first matching account.
    • Creation operations, such as the mkuser command, are done only to the first base DN.
  • Domain RBAC base DNs
    The domain RBAC base DNs are written in the /etc/security/ldap/ldap.cfg file as follows (shown here commented out):
    #domauthbasedn:ou=domains,cn=aixdata
    #domobjbasedn:ou=domobjs,cn=aixdata
    The rbacinterval attribute (in seconds, as described above) specifies how often the kernel RBAC and domain RBAC tables are updated. A value of 0 disables the automatic update:
    rbacinterval: 0
  • Extended base DN format
    You can specify optional parameters of search scope and search filter for base DN attributes. You can append the parameters to the base DN with fields separated by question mark (?) characters. The following list shows the valid base DN formats:
    • This format represents the default format that the secldapclntd daemon uses:
      userbasedn: ou=people, cn=aixdata
    • This format limits the search by a scope attribute:
      userbasedn: ou=people, cn=aixdata?scope
      The scope attribute accepts the following values:
      • sub
      • one
      • base
      If you do not specify the scope attribute, the default value is sub.
    • This format limits the search by a filter attribute.
      userbasedn: ou=people, cn=aixdata??filter
      The filter attribute limits which of the entries defined on the LDAP server are visible to the system. You can use this filter to expose only users with certain properties. The following list shows some valid filter formats, where attribute is the name of an LDAP attribute and value is the search criterion, which can contain a wildcard (*).
      • (attribute=value)
      • (&(attribute=value)(attribute=value))
      • (|(attribute=value)(attribute=value))
    • This format uses both a scope attribute and a filter attribute.
      userbasedn: ou=people, cn=aixdata?scope?filter

  • Object classes

    The first object class in the list is the key object class, which can be used for search operations. By default, the keyobjectclass attribute in the attribute mapping file is used for this purpose. But if the mapping file does not exist, or the keyobjectclass attribute is not present in the mapping file, the first object class in this list is used.
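The multiple base DN and extended base DN format sections above describe two behaviours worth seeing together: how a dn?scope?filter value is taken apart, and how a query walks the base DNs in file order until the first match while creation only ever uses the first base DN. The following Python model, added here as an example and not IBM's code, implements both. The in-memory directory and the userbasedn values are constructed for the demonstration (a real client issues searches against the server); it assumes the user name is held in the uid attribute, as in the RFC 2307 mapping, and implements only the filter shapes listed above: (attribute=value), (&(...)(...)) and (|(...)(...)).

```python
"""Model of AIX extended base DN parsing and ordered multi-base-DN lookup.

Added example, not IBM code. The directory is an in-memory stand-in; scope
depth is counted by commas, so escaped commas inside RDN values are not handled.
"""
import re

VALID_SCOPES = ("sub", "one", "base")


def parse_basedn(value):
    """Split 'dn?scope?filter' into (dn, scope, filter); scope defaults to sub, filter to None."""
    parts = [p.strip() for p in value.split("?", 2)]
    dn = parts[0]
    scope = parts[1].lower() if len(parts) > 1 and parts[1] else "sub"
    filt = parts[2] if len(parts) > 2 and parts[2] else None
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope!r} in {value!r}")
    if filt is not None:
        parse_filter(filt)  # reject a malformed filter at config time, not at query time
    return dn, scope, filt


def parse_filter(s):
    """Recursive-descent parser for the filter subset: ('=', attr, pattern) or (op, [subfilters])."""
    def parse(i):
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"expected '(' at {i} in {s!r}")
        i += 1
        if i < len(s) and s[i] in "&|":
            op, i, subs = s[i], i + 1, []
            while i < len(s) and s[i] == "(":
                node, i = parse(i)
                subs.append(node)
            if i >= len(s) or s[i] != ")" or not subs:
                raise ValueError(f"unterminated {op} list in {s!r}")
            return (op, subs), i + 1
        end = s.find(")", i)
        if end < 0 or "=" not in s[i:end]:
            raise ValueError(f"bad comparison in {s!r}")
        attr, _, pattern = s[i:end].partition("=")
        return ("=", attr.strip().lower(), pattern.strip()), end + 1
    node, i = parse(0)
    if i != len(s):
        raise ValueError(f"trailing data in filter {s!r}")
    return node


def matches(node, attrs):
    """Evaluate a parsed filter against {attr: [values]}; '*' in a pattern is the LDAP wildcard."""
    if node[0] == "=":
        _, attr, pattern = node
        regex = ".*".join(re.escape(p) for p in pattern.split("*"))
        return any(re.fullmatch(regex, v, re.IGNORECASE) for v in attrs.get(attr, []))
    op, subs = node
    return (all if op == "&" else any)(matches(n, attrs) for n in subs)


def norm_dn(dn):
    """Normalise spacing and case so 'ou=people, cn=aixdata' equals 'ou=people,cn=aixdata'."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def in_scope(entry_dn, base, scope):
    """True when entry_dn lies within base under the given search scope."""
    e, b = norm_dn(entry_dn), norm_dn(base)
    if e == b:
        return scope in ("base", "sub")
    if scope == "base" or not e.endswith("," + b):
        return False
    depth = e[: -len(b) - 1].count(",") + 1
    return scope == "sub" or depth == 1


def lookup_user(basedns, directory, name):
    """Query behaviour: search base DNs in file order, return the first matching entry's DN or None."""
    for value in basedns:
        base, scope, filt = parse_basedn(value)
        node = parse_filter(filt) if filt else None
        for dn, attrs in directory:
            if (in_scope(dn, base, scope) and name in attrs.get("uid", [])
                    and (node is None or matches(node, attrs))):
                return dn
    return None


def creation_basedn(basedns):
    """Creation behaviour (mkuser): only the first base DN is used."""
    return parse_basedn(basedns[0])[0]


# Constructed directory: attribute names in lower case, values as lists.
DIRECTORY = [
    ("ou=dept1users,cn=aixdata", {"objectclass": ["organizationalunit"]}),
    ("uid=alice,ou=dept1users,cn=aixdata", {"uid": ["alice"], "departmentnumber": ["100"]}),
    ("uid=bob,ou=contractors,ou=dept1users,cn=aixdata", {"uid": ["bob"], "departmentnumber": ["200"]}),
    ("uid=alice,ou=dept2users,cn=aixdata", {"uid": ["alice"], "departmentnumber": ["300"]}),
    ("uid=carol,ou=dept2users,cn=aixdata", {"uid": ["carol"], "departmentnumber": ["200"]}),
    ("uid=dave,ou=dept2users,cn=aixdata", {"uid": ["dave"], "departmentnumber": ["300"]}),
]
# Constructed userbasedn values: dept1 limited to one level, dept2 limited to department 2xx.
BASEDNS = [
    "ou=dept1users, cn=aixdata?one",
    "ou=dept2users, cn=aixdata??(&(uid=*)(departmentnumber=2*))",
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "->", lookup_user(BASEDNS, DIRECTORY, user))
    print("mkuser target:", creation_basedn(BASEDNS))
```

With these values alice resolves to the dept1 entry even though a second alice exists under dept2, because the first base DN wins; bob is invisible because the one-level scope excludes ou=contractors; dave is invisible because the filter admits only department 2xx. Used that way, scope and filter are an allow-list on who can log in, which is why a change to a userbasedn line deserves the same review as a change to the server's ACLs.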