Setting up an LDAP client

To set up a client to use LDAP for authentication and user and group information, make sure that each client has the LDAP client package installed. For information specific to LDAP client package installation, refer to steps 3 through 7. If the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) support is required, the GSKit must be installed. a key must be created, and the LDAP server SSL key certificate must be added to this key. See steps 1 through 2.

Similar to LDAP server setup, client setup can be done using the mksecldap command. To have this client contact the LDAP security information server, the server name must be supplied during setup. The bind DN and password of the server are also needed for client access to the AIX® tree on the server. The mksecldap command saves the server bind DN, password, server name, AIX tree DN on the server, the SSL key path and password, and other configuration attributes to the /etc/security/ldap/ldap.cfg file.

The mksecldap command saves the bind password and SSL key password (if you are configuring SSL) to the /etc/security/ldap/ldap.cfg file in encrypted format. The encrypted passwords are system specific, and can only be used by the secldapclntd daemon on the system where they are generated. The secldapclntd daemon can make use of clear text or encrypted password from the /etc/security/ldap/ldap.cfg file.

Multiple servers can be supplied to the mksecldap command during client setup. In this case, the client contacts the servers in the supplied order and establishes connection to the first server that the client can successfully bind to. If a connection error occurs between the client and the server, a reconnection request is tried using the same logic. The Security LDAP exploitation model does not support referral. It is important that the replicate servers are kept synchronized.

The client communicates to the LDAP security information server through a client side daemon (secldapclntd). If the LDAP load module is enabled on the client, high-level commands are routed to the daemon through the library APIs for users defined in LDAP. The daemon maintains a cache of requested LDAP entries. If a request is not satisfied from the cache, the daemon queries the server, updates the cache, and returns the information back to the caller.

Other fine-tuning options can be supplied to the mksecldap command during client setup, such as settings for the number of threads used by the daemon, the cache entry size, and the cache expiration timeout. These options are for experienced users only. For most environments, the default values are sufficient.

In the final steps of the client setup, the mksecldap command starts the client-side daemon and adds an entry in the /etc/inittab file so the daemon starts at every reboot. You can check whether the setup is successful by checking the secldapclntd daemon process through the ls-secldapclntd command. Provided that the LDAP security information server is setup and running, this daemon will be running if the setup was successful.

The LDAP security information server must be set up before setting up the client. Client setup depends on the migrated data being on the server. Follow these steps to install and set up the client:
  1. Install GSKit related filesets as the root user.
    1. Mount the AIX 7.2 expansion pack DVD.
    2. Change the directory to the GSKit fileset location.
      cd <mount_point>/installp/ppc
  2. Run the installp command to install the GSKit packages.
    • To install GSKit 64-bit packages, run the following commands:
      installp -acXgYd . GSKit8.gskcrypt64.ppc.rte
      installp -acXgYd . GSKit8.gskssl64.ppc.rte
    • To install GSKit 32-bit packages, run the following commands:
      installp -acXgYd . GSKit8.gskcrypt32.ppc.rte
      installp -acXgYd . GSKit8.gskssl32.ppc.rte
      Note: You can also use SMIT or SMITTY to install the GSKit filesets from the DVD.
  3. Install the idsldap clients as the root user.
    1. Mount the second volume (volume 2 of 2) of the AIX 7.2 DVD.
    2. Run the idsLicense command.
      cd <mount_point>/license
      ./idsLicense
  4. If you agree to accept the terms in the software license agreement, enter the number 1 from the following list of available options:
    1: To accept the license agreement.
    2: To decline the license agreement and exit the installation. 
    3: To print the license agreement. 
    4: To read non-IBM terms in the license agreement. 
    99: To go back to the previous screen.

    On accepting the terms in the software license agreement, a LAPID file and a license folder are created in the IBM Security Directory Server installation location. The license folder contains the IBM Security Directory Server license files in all of the supported languages.

  5. Determine the IBM Security Directory Server idsldap client packages you want to install.
    • For non-SSL LDAP client functionality, install the following filesets:
      • idsldap.license64
      • idsldap.cltbase64
      • idsldap.clt32bit64
      • idsldap.clt64bit64
    • For SSL LDAP client functionality, install the following filesets:
      • idsldap.license64
      • idsldap.cltbase64
      • idsldap.clt32bit64
      • idsldap.clt64bit64
      • idsldap.clt_max_crypto32bit64
      • idsldap.clt_max_crypto64bit64
      Note: SSL functionality requires the installation of GSKitv8 filesets.
  6. Install the IBM Security Directory Server idsldap client packages.
    • To install one or more of the IBM Security Directory Server idsldap client packages, run the following commands:
      cd <mount_point>/installp/ppc/
      installp -acXgYd . <package_names>
      Note: You can also use SMIT or SMITTY to install the identified filesets and packages from the DVD.
  7. Verify whether the IBM Security Directory Server installation was successful by using the system generated installation summary.
  8. To configure the LDAP client, run the following command by replacing the values according to your environment:
    # mksecldap -c -h server1.ibm.com -a cn=admindn -p adminpwd -d cn=basedn