The secldapclntd LDAP client side daemon configuration file.
The /etc/security/ldap/ldap.cfg file contains information for the secldapclntd daemon to start and function properly as well as information for fine tuning the daemon's performance. The /etc/security/ldap/ldap.cfg file is updated by the mksecldap command at client setup.
Item | Description |
---|---|
ldapservers | Specifies a comma-separated list of Lightweight Directory Access Protocol (LDAP) Security Information Servers. Each server can be either the primary server or a replica of the primary server. The first server in the list has the highest priority. |
binddn | Specifies the distinguished name (DN) used to bind to the LDAP Security Information Server(s). |
bindpwd | Specifies the password for the binddn. |
authtype | Specifies the authentication mechanism to use. Valid values are unix_auth and ldap_auth. The default is unix_auth. |
useSSL | Specifies whether to use SSL or TLS communication. Valid values are yes, SSL, TLS, NONE and no. The default value is no. Note: The SSL key and the password for that key are required to enable this feature. |
ldapsslkeyf | Specifies the full path of the SSL or TLS key. |
ldapsslkeypwd | Specifies the password of the SSL or TLS key. Note: Comment out this line to use a stashed password instead. The password stash file must reside in the same directory as the SSL or TLS key and must have the same name as the key file, but with the extension .sth instead of .kdb. |
useKRB5 | Specifies whether to use Kerberos for the initial bind to the server. Valid values are yes and no. The default is no. Note: The Kerberos principal, keytab path and kinit command directory are required to enable this feature. If Kerberos bind is enabled, binddn and bindpwd are not required. |
krbprincipal | Specifies the Kerberos principal used to bind to the server. |
krbkeypath | Specifies the path to the Kerberos keytab. The default is /etc/security/ldap/krb5.keytab. |
krbcmddir | Specifies the directory that contains the Kerberos kinit command. The default is /usr/krb5/bin/. |
pwdalgorithm | Specifies the password encryption algorithm used in unix_auth mode; ldap_auth mode ignores this attribute. Valid values are crypt and system. The default value is crypt. |
userattrmappath | Specifies the full path to the AIX®-LDAP attribute map for users. |
groupattrmappath | Specifies the full path to the AIX-LDAP attribute map for groups. |
idattrmappath | Specifies the full path to the AIX-LDAP attribute map for IDs. These IDs are used by the mkuser command when creating LDAP users. |
userbasedn | Specifies the user base DN. For more information, see Detailed information. |
groupbasedn | Specifies the group base DN. For more information, see Detailed information. |
idbasedn | Specifies the ID base DN. For more information, see Detailed information. |
hostbasedn | Specifies the host base DN. For more information, see Detailed information. |
servicebasedn | Specifies the service base DN. For more information, see Detailed information. |
protocolbasedn | Specifies the protocol base DN. For more information, see Detailed information. |
networkbasedn | Specifies the network base DN. For more information, see Detailed information. |
netgroupbasedn | Specifies the netgroup base DN. For more information, see Detailed information. |
rpcbasedn | Specifies the RPC base DN. For more information, see Detailed information. |
aliasbasedn | Specifies the alias base DN. For more information, see Detailed information. |
automountbasedn | Specifies the automount base DN. For more information, see Detailed information. |
bootparambasedn | Specifies the bootparams base DN. For more information, see Detailed information. |
etherbasedn | Specifies the ether base DN. For more information, see Detailed information. |
tsddatbasedn | Specifies the file’s Trusted Signature Database base DN. For more information, see Detailed information. |
tepoliciesbasedn | Specifies the machine’s trusted execution policies base DN. For more information, see Detailed information. |
userclasses | Specifies a comma-separated list of object classes that are used for the user entry. For more information, see Detailed information. |
groupclasses | Specifies a comma-separated list of object classes that are used for the group entry. For more information, see Detailed information. |
ldapversion | Specifies the LDAP server protocol version. Default is 3. |
ldapport | Specifies the port on which the LDAP server listens. The default value is 389. The TLS setting of useSSL also uses this port by default. |
ldapsslport | Specifies the SSL port on which the LDAP server listens. The default value is 636. |
followaliase | Specifies whether to follow aliases. Valid values are NEVER, SEARCHING, FINDING, and ALWAYS. Default is NEVER. |
usercachesize | Specifies the user cache size. Valid values are 100 - 10,000 entries. Default is 1,000. |
groupcachesize | Specifies the group cache size. Valid values are 10 - 1,000 entries. Default is 100. |
cachetimeout | Specifies the cache TTL (time to live) for users and groups. Value must be >= 0 seconds. Default is 300. Set to 0 to disable caching. Note: The cachetimeout attribute is deprecated; use the usercachetimeout and groupcachetimeout attributes instead. |
usercachetimeout | Specifies the cache TTL (time to live) for users. Value must be >= 0 seconds. Default is 300. Set to 0 to disable user caching. When specified, this value overrides the cachetimeout setting. |
groupcachetimeout | Specifies the cache TTL (time to live) for groups. Value must be >= 0 seconds. Default is 300. Set to 0 to disable group caching. When specified, this value overrides the cachetimeout setting. |
ldapsizelimit | Specifies the maximum number of entries requested from the LDAP server in an ALL query. Default is 0 (no limit). If ldapsizelimit is greater than the server's size limit, the server's limit caps the number of entries returned. Setting ldapsizelimit to a lower number improves the performance of some commands, for example lsuser -R LDAP ALL. |
heartbeatinterval | Specifies the interval in seconds that the client contacts the server for server status. Valid values are 60 - 3,600 seconds. Default is 300. |
numberofthread | Specifies the number of threads for the secldapclntd daemon. Valid values are 1 - 1,000. Default is 10. |
nsorder | Specifies the order of host name resolution used by the secldapclntd daemon. The default order is dns, nis, local. For more information about valid resolvers, see TCP/IP Name Resolution. Note: Do not use nis_ldap, because it can cause the secldapclntd daemon to hang. |
searchmode | Specifies the set of user and group attributes to be retrieved. This attribute is intended for performance tuning; AIX commands may not support all non-OS attributes. Valid values are ALL and OS. The default is ALL. |
defaultentrylocation | Specifies the location of the default entry. Valid values are ldap and local. The default is ldap. |
ldaptimeout | Specifies the timeout period in seconds for LDAP client requests to the server. This value determines how long the client will wait for a response from the LDAP server. Valid range is 0 - 3600 (1 hour). Default is 60 seconds. Set this value to 0 to disable the timeout. |
connectionsperserver | Specifies the maximum number of connections to the LDAP server. If the specified value is greater than the value of the numberofthread field, the secldapclntd daemon uses the numberofthread value instead. The daemon starts with one connection, dynamically adds connections under high LDAP request demand up to the connectionsperserver value, and closes idle connections under low demand. Valid values range from 1 through 100. The default value is 10. |
connectionmissratio | Specifies the percentage of LDAP operations that can miss an LDAP handle on the first attempt (handle-miss). When the miss rate reaches this value, the secldapclntd daemon adds a new connection. The total number of connections does not exceed the connectionsperserver value. Valid values range from 10 through 90. The default value is 50. |
newconnT | Specifies the interval at which the connection miss ratio (connectionmissratio) is checked to determine whether a new connection needs to be created. |
connectiontimeout | Specifies time in seconds that an LDAP connection to the server can be idle before the secldapclntd daemon closes it. The valid value is 5 seconds or greater. The default value is 300. |
serverschematype | Specifies the schema type of the LDAP server. It is set by the mksecldap command at LDAP client configuration time. Do not modify this attribute. Valid values are: rfc2307aix, rfc2307, aix, sfu30, and sfur2. |
enableutf8_xlation | Enables the saving of data to the LDAP server in UTF-8 format. Valid values are yes and no. The default value is no. |
rbacinterval | Specifies the time interval (in seconds) for the secldapclntd daemon to invoke the setkst command to update the kernel RBAC tables. The value must be greater than 60 seconds. Set the value to 0 to disable the setkst command. The default value is 3600. |
useprivport | Specifies whether to use local privileged ports to connect to LDAP servers. The valid values are yes and no. The default value is no. The useprivport attribute is for backward compatibility only. |
memberfulldn | Specifies whether group members are stored as DNs or as account names. The valid values are yes and no. The default value is no (account names), which is appropriate in most cases; set the value to yes only if group members must be in DN format. For backward compatibility, if the LDAP server is Active Directory, the group member attribute is mapped to msSFU30PosixMember and the secldapclntd daemon always uses DN format regardless of this setting. |
pwdpolicydn | Specifies the DN of the LDAP server's global password policy entry. The secldapclntd daemon uses this entry to tell the user what is wrong with a noncompliant password. Where a more specific password policy applies, that policy is used instead of the global policy. |
usrkeystorebasedn | Specifies the User’s EFS PKCS#12 keystore base DN. For more information, see Detailed information. |
grpkeystorebasedn | Specifies the Group's EFS PKCS#12 keystore base DN. For more information, see Detailed information. |
efscookiesbasedn | Specifies the EFS Cookie base DN. For more information, see Detailed information. |
admkeystorebasedn | Specifies the EFS Admin’s PKCS#12 keystore base DN. For more information, see Detailed information. |
followreferrals | Specifies whether the AIX LDAP client chases referrals received from the LDAP server. The valid values are on and off. The default is on, meaning referrals are chased. |
caseExactAccountName | Specifies whether to match account names as case-sensitive or case-insensitive. Most LDAP servers treat account names as case-insensitive, so account names such as foo, Foo, FOo, and FOO are treated as the same user, and these servers allow only one of them to be defined in LDAP. The valid values are: |
Detailed information

The base DN attributes (userbasedn, groupbasedn, idbasedn and the other *basedn attributes) can be repeated when entries of one type are kept in more than one subtree. The following lines, for example, make the secldapclntd daemon search two user subtrees:

userbasedn: ou=dept1users,cn=aixdata
userbasedn: ou=dept2users,cn=aixdata

Lines that begin with # are comments and are ignored by the daemon. The following lines from a sample ldap.cfg show two attributes left commented out and the setting that disables the periodic setkst update of the kernel RBAC tables:

#domauthbasedn:ou=domains,cn=aixdata
#domobjbasedn:ou=domobjs,cn=aixdata
rbacinterval: 0

A base DN can carry an optional search scope and an optional search filter, separated from the DN and from each other by ? characters:

userbasedn: ou=people, cn=aixdata
userbasedn: ou=people, cn=aixdata?scope
userbasedn: ou=people, cn=aixdata??filter
userbasedn: ou=people, cn=aixdata?scope?filter

The scope component restricts the LDAP search scope under that base DN. The filter component limits which entries under the base DN are visible to the system; it can be used, for example, to make only users with certain properties visible. A filter is written in terms of an LDAP attribute name and a value, where the value specifies the search criteria and can be a wild card (*). When a filter is given without a scope, both ? separators are still written, as in the third line above.

userclasses and groupclasses: the first object class in the list is the key object class, which is used for search operations. By default, the keyobjectclass attribute in the attribute mapping file serves this purpose; if the mapping file does not exist, or it does not contain a keyobjectclass attribute, the first object class in the list is used instead.
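As an added example (not part of the IBM page and not AIX code), the following Python script parses the ldap.cfg format described in the table above (key: value lines, # comments, repeatable base DN attributes), splits the base DN ?scope?filter syntax described under Detailed information, and flags the settings a practitioner reviews before trusting a client: useSSL turned off, an SSL key password kept in the file instead of the .sth stash file, a Kerberos bind without a principal or a simple bind without binddn/bindpwd, nis_ldap in nsorder, the deprecated cachetimeout, and an out-of-range or disabled rbacinterval. Both sample configurations, and every host name, DN, path and password in them, are constructed for this example.

```python
"""Audit a secldapclntd ldap.cfg for weak settings and parse its base DN syntax.

Added example, not part of the IBM documentation or of AIX. The format and
every check follow the attribute descriptions in the ldap.cfg table; the
two sample files below are constructed and all names in them are hypothetical.
"""

# Constructed sample: a client configured with cleartext LDAP and a key
# password left in the file.
SAMPLE_WEAK = """\
ldapservers: ldap1.example.com
binddn: cn=admin,cn=aixdata
bindpwd: ChangeMe
authtype: unix_auth
useSSL: no
ldapsslkeypwd: keypass
useKRB5: no
userbasedn: ou=people, cn=aixdata
groupbasedn: ou=groups, cn=aixdata
nsorder: nis_ldap, local
cachetimeout: 300
rbacinterval: 30
"""

# Constructed sample: the same client with each weak setting corrected
# (TLS on, stash file instead of ldapsslkeypwd, Kerberos bind, two user
# subtrees, one of them restricted by a filter).
SAMPLE_HARDENED = """\
ldapservers: ldap1.example.com,ldap2.example.com
useSSL: yes
ldapsslkeyf: /etc/security/ldap/client.kdb
#ldapsslkeypwd: commented out, the password is read from client.sth
useKRB5: yes
krbprincipal: host/aixhost.example.com
authtype: ldap_auth
userbasedn: ou=dept1users,cn=aixdata
userbasedn: ou=dept2users,cn=aixdata??uid=*
groupbasedn: ou=groups,cn=aixdata
nsorder: dns, local
usercachetimeout: 300
groupcachetimeout: 300
rbacinterval: 3600
"""


def parse_ldap_cfg(text):
    """Return {key: [value, ...]}; base DN keys may legitimately repeat."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def parse_basedn(value):
    """Split 'base', 'base?scope', 'base??filter' or 'base?scope?filter'."""
    parts = value.split("?", 2) + [None, None]
    base = parts[0].strip()
    scope = (parts[1] or "").strip() or None
    filt = (parts[2] or "").strip() or None
    return base, scope, filt


def base_dns(cfg):
    """(key, base, scope, filter) for every *basedn attribute, in file order."""
    return [(k, *parse_basedn(v)) for k, vals in cfg.items()
            if k.endswith("basedn") for v in vals]


def audit(cfg):
    """Return (severity, key, message) findings for the settings in cfg."""
    def first(key, default=None):
        vals = cfg.get(key)
        return vals[0] if vals else default

    findings = []
    use_ssl = first("useSSL", "no").lower()
    if use_ssl in ("no", "none"):
        findings.append(("HIGH", "useSSL", "no SSL/TLS: bind credentials and "
                         "password data cross the network in the clear"))
    elif not first("ldapsslkeyf"):
        findings.append(("HIGH", "ldapsslkeyf", "useSSL is on but no key database path is set"))
    if first("ldapsslkeypwd"):
        findings.append(("MEDIUM", "ldapsslkeypwd", "key password is stored in ldap.cfg; "
                         "comment it out and use the .sth stash file"))
    if first("useKRB5", "no").lower() == "yes":
        if not first("krbprincipal"):
            findings.append(("HIGH", "krbprincipal", "useKRB5 is yes but no Kerberos principal is set"))
    elif not (first("binddn") and first("bindpwd")):
        findings.append(("HIGH", "binddn", "Kerberos bind is off, so binddn and bindpwd are required"))
    resolvers = [r.strip() for r in first("nsorder", "").split(",")]
    if "nis_ldap" in resolvers:
        findings.append(("MEDIUM", "nsorder", "nis_ldap can hang the secldapclntd daemon"))
    if "cachetimeout" in cfg and not ("usercachetimeout" in cfg and "groupcachetimeout" in cfg):
        findings.append(("LOW", "cachetimeout", "deprecated; set usercachetimeout and groupcachetimeout"))
    rbac = first("rbacinterval")
    if rbac is not None and rbac.isdigit():
        if int(rbac) == 0:
            findings.append(("LOW", "rbacinterval", "setkst disabled: kernel RBAC tables are not refreshed"))
        elif int(rbac) <= 60:
            findings.append(("MEDIUM", "rbacinterval", "must be 0 or greater than 60 seconds"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        cfg = parse_ldap_cfg(text)
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for sev, key, msg in audit(cfg):
            print(f"  [{sev}] {key}: {msg}")
        for key, base, scope, filt in base_dns(cfg):
            print(f"  {key}: base={base!r} scope={scope!r} filter={filt!r}")
```

Run it as-is to see the five findings for the weak sample and none for the hardened one; to audit a real client, replace the embedded text with the contents of /etc/security/ldap/ldap.cfg. The script only reads the file, so it can run from an unprivileged review account that has been granted read access to a copy.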