ldap.cfg File Format
Purpose
The secldapclntd LDAP client-side daemon configuration file.
Description
The /etc/security/ldap/ldap.cfg file contains information for the secldapclntd daemon to start and function properly as well as information for fine-tuning the performance of the daemon. The mksecldap command at client setup updates the /etc/security/ldap/ldap.cfg file.
Item | Description |
---|---|
ldapservers | Specifies a comma-separated list of Lightweight Directory Access Protocol (LDAP) Security Information Servers. These servers can either be the primary server or the replica of the primary server. The first server in the list has the highest priority. |
binddn | Specifies the distinguished name (DN) LDAP used to bind to one or more LDAP Security Information Servers. |
bindpwd | Specifies the password for the binddn. |
authtype | Specifies the authentication mechanism to use. Valid values are unix_auth and ldap_auth. The default is unix_auth. |
useSSL | Specifies whether to use SSL communication. Valid values are yes, SSL, TLS, NONE, and no. The default value is no. Note: You need the SSL key and the password to the key to enable this feature. |
ldapsslkeyf | Specifies the full path of the SSL or TLS key. |
ldapsslkeypwd | Specifies the password of the SSL or TLS key. Note: Comment out this line to use a stashed password. The password stash file must reside in the same directory as the SSL or TLS key. The password stash file must have the same name as the key file but with an extension of .sth instead of .kdb. |
useKRB5 | Specifies whether to use Kerberos for the initial bind to the server. Valid values are yes or no. The default is no. Note: The Kerberos principal, key path, and kinit command directory are required to enable this feature. If Kerberos bind is enabled, then binddn and bindpwd are not required. |
krbprincipal | Specifies the Kerberos principal that is used to bind to the server. |
krbkeypath | Specifies the path to the Kerberos keytab. The default is /etc/security/ldap/krb5.keytab. |
krbcmddir | Specifies the directory that contains the Kerberos kinit command. The default is /usr/krb5/bin/. |
pwdalgorithm | Specifies the password encryption algorithm that is used for the unix_auth mode. The ldap_auth mode ignores this attribute. The valid value is either crypt or system. The default value is crypt. |
userattrmappath | Specifies the full path to the AIX®-LDAP attribute map for users. |
groupattrmappath | Specifies the full path to the AIX-LDAP attribute map for groups. |
idattrmappath | Specifies the full path to the AIX-LDAP attribute map for IDs. These IDs are used by the mkuser command to create LDAP users. |
userbasedn | Specifies the user base DN. For more information, see Detailed information. |
groupbasedn | Specifies the group base DN. For more information, see Detailed information. |
idbasedn | Specifies the ID base DN. For more information, see Detailed information. |
hostbasedn | Specifies the host base DN. For more information, see Detailed information. |
servicebasedn | Specifies the service base DN. For more information, see Detailed information. |
protocolbasedn | Specifies the protocol base DN. For more information, see Detailed information. |
networkbasedn | Specifies the network base DN. For more information, see Detailed information. |
netgroupbasedn | Specifies the netgroup base DN. For more information, see Detailed information. |
rpcbasedn | Specifies the RPC base DN. For more information, see Detailed information. |
aliasbasedn | Specifies the alias base DN. For more information, see Detailed information. |
automountbasedn | Specifies the automount base DN. For more information, see Detailed information. |
bootparambasedn | Specifies the bootparams base DN. For more information, see Detailed information. |
etherbasedn | Specifies the ether base DN. For more information, see Detailed information. |
authbasedn | Specifies the authorization base DN. For more information, see Detailed information. |
rolebasedn | Specifies the roles base DN. For more information, see Detailed information. |
privcmdbasedn | Specifies the privileged commands base DN. For more information, see Detailed information. |
privdevbasedn | Specifies the privileged devices base DN. For more information, see Detailed information. |
privfilebasedn | Specifies the privileged files base DN. For more information, see Detailed information. |
domainbasedn | Specifies the domain base DN. For more information, see Detailed information. |
domobjbasedn | Specifies the domain object base DN. For more information, see Detailed information. |
tsddatbasedn | Specifies the file’s Trusted Signature Database base DN. For more information, see Detailed information. |
tepoliciesbasedn | Specifies the machine’s trusted execution policies base DN. For more information, see Detailed information. |
userclasses | Specifies a comma-separated list of object classes that are used for the user entry. For more information, see Detailed information. |
groupclasses | Specifies a comma-separated list of object classes that are used for the group entry. For more information, see Detailed information. |
ldapversion | Specifies the LDAP server protocol version. The default is 3. |
ldapport | Specifies the port on which the LDAP server listens. The default value is 389. TLS also uses this port as its default port. |
ldapsslport | Specifies the SSL port on which the LDAP server listens. The default value is 636. |
followaliase | Specifies whether to follow aliases. Valid values are NEVER, SEARCHING, FINDING, and ALWAYS. The default is NEVER. |
usercachesize | Specifies the user cache size. Valid values are 100 - 65536 entries. The default value is 1000. |
groupcachesize | Specifies the group cache size. Valid values are 10 - 65536 entries. The default value is 100. |
cachetimeout | Specifies the cache TTL (time to live) for users and groups. The value must be greater than or equal to 0 seconds. The default is 300. Set to 0 to disable caching. Note: The cachetimeout attribute is deprecated. Use the usercachetimeout and groupcachetimeout attributes instead. |
usercachetimeout | Specifies the cache TTL (time to live) for users. The value must be greater than or equal to 0 seconds. The default is 300. Set to 0 to disable user caching. When specified, this value overrides the cachetimeout setting. |
groupcachetimeout | Specifies the cache TTL (time to live) for groups. The value must be greater than or equal to 0 seconds. The default is 300. Set to 0 to disable group caching. When specified, this value overrides the cachetimeout setting. |
ldapsizelimit | Specifies the maximum number of entries to request from the LDAP server in an ALL query. The default is 0 (no limit). If ldapsizelimit is greater than the server size limit, the server size limit determines the number of entries returned. Setting ldapsizelimit to a smaller number improves the performance of some commands, for example the lsuser -R LDAP ALL command. |
heartbeatinterval | Specifies the interval in seconds that the client contacts the server for server status. Valid values are 5 - 3,600 seconds. The default is 300. |
numberofthread | Specifies the number of threads for the secldapclntd daemon. Valid values are 1 - 256. The default is 10. |
nsorder | Specifies the order of host name resolution by the secldapclntd daemon. The default order is dns, nis, local. For more information about valid resolvers, see TCP/IP Name Resolution. Note: Do not use nis_ldap because it could cause the secldapclntd daemon to hang. |
searchmode | Specifies the set of user and group attributes to be retrieved. This attribute is intended for use for performance reasons. The AIX commands might not be enabled to support all non-OS attributes. Valid values are ALL and OS. The default is ALL. |
defaultentrylocation | Specifies the location of the default entry. Valid values are ldap and local. The default is ldap. |
ldaptimeout | Specifies the timeout period in seconds for LDAP client requests to the server. This value determines how long the client waits for a response from the LDAP server. The valid range is 0 - 3600 (1 hour). The default is 60 seconds. Set this value to 0 to disable the timeout. |
connectionsperserver | Specifies the maximum number of connections to the LDAP server. If the specified value is greater than the numberofthread value, the secldapclntd daemon uses the numberofthread value instead. The secldapclntd daemon starts with one connection, dynamically adds new connections under high LDAP request demand up to the connectionsperserver value, and closes idle connections under low demand. The valid value of this field ranges from 1 through 100. The default value is 10. |
connectionmissratio | Specifies the percentage of LDAP operations that can miss an LDAP handle on the first attempt (handle miss). If the number of missed attempts reaches this value, the secldapclntd daemon adds a new connection. The total number of connections does not exceed the value of the connectionsperserver field. The valid value of this field ranges from 10 through 90. The default value is 50. |
newconnT | Specifies the interval to check for connection-miss-ratio (connectionmissratio) to determine whether a new connection needs to be created. |
connectiontimeout | Specifies time in seconds that an LDAP connection to the server can be idle before the secldapclntd daemon closes it. The valid value is 5 seconds or greater. The default value is 300. |
serverschematype | Specifies the schema type of the LDAP server. The mksecldap command sets the serverschematype field at LDAP client configuration time. Do not modify this attribute. The valid values are rfc2307aix, rfc2307, aix, sfu30, and sfur2. |
enableutf8_xlation | This field enables the saving of data to the LDAP server in UTF-8 format. Valid values are yes and no. The default value is no. |
rbacinterval | Specifies the time interval (in seconds) for the secldapclntd daemon to invoke the setkst command to update the kernel RBAC tables. The value must be greater than 60 seconds. Set the value to 0 to disable the setkst command. The default value is 3600. |
useprivport | Specifies whether to use local privileged ports to connect to LDAP servers. The valid values are yes and no. The default value is no. The useprivport attribute is kept only for compatibility with earlier versions. |
memberfulldn | Specifies whether to use the DN or the account name for group members. The valid values are yes and no. The default value is no. When you use account names (the usual case), do not change the value of the memberfulldn attribute. If you want group members in DN format, set the value to yes. For compatibility with an earlier version, if the LDAP server is Active Directory, the group member attribute is mapped to msSFU30PosixMember. The secldapclntd daemon always uses DN format regardless of this setting. |
pwdpolicydn | Specifies the DN of the LDAP server global password policies. The secldapclntd daemon uses this policy entry to inform the user what is wrong when a noncompliant password is used. If password policies are specified, then the specified policies are used instead of the global policies. |
usrkeystorebasedn | Specifies the User's EFS PKCS#12 keystore base DN. For more information, see Detailed information. |
grpkeystorebasedn | Specifies the Group's EFS PKCS#12 keystore base DN. For more information, see Detailed information. |
efscookiesbasedn | Specifies the EFS Cookie base DN. For more information, see Detailed information. |
admkeystorebasedn | Specifies the EFS Admin's PKCS#12 keystore base DN. For more information, see Detailed information. |
followreferrals | Specifies whether the AIX LDAP client must chase the referrals that are received from the LDAP server. The valid values are on and off. The default is on, meaning that referrals are chased. |
caseExactAccountName | Specifies whether to match account names as case-sensitive or case-insensitive. Most LDAP servers treat account names as case-insensitive. Therefore, account names like foo, Foo, FOo, and FOO are treated as the same user, and these servers allow only one of them to be defined in LDAP. The valid values are: |
auditpolicy | Specifies the action to take if there is any change in the audit configuration on LDAP. It is effective only when the auditrefreshed attribute is set. It takes the following two values: |
auditrefreshed | Specifies the time interval (in seconds) or time in a 24-hour format for the secldapclntd daemon to act according to the auditpolicy attribute. If the auditpolicy attribute is not set, then this attribute is disabled. The time interval is mentioned in seconds. The value must be greater than 60 seconds. Set the value to 0 to disable it. The default value is 3600. If the time is mentioned in a 24-hour format, then it must start with letter T. |
DisplayNetgroupUserInfo | Specifies whether nonprivileged users can run the lsldap -a passwd command to display users that belong to a Netgroup-enabled LDAP module. Specify yes, the default value, to display users from a Netgroup-enabled LDAP module. Specify no if you do not want to display users from a Netgroup-enabled LDAP module. This option does not affect root users or users who have the aix.security.ldap authorization. |
reconnT | Specifies the time in seconds for which an LDAP connection attempt will wait before timing out. The valid value of this field ranges from 5 to 3600 seconds. The default value is 75 seconds. |
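
The following Python script is an added example; it is not part of the AIX documentation or of secldapclntd. It parses text in the ldap.cfg format described in the table, checks values against the documented ranges and value sets, applies the documented precedence rules (usercachetimeout and groupcachetimeout override cachetimeout; connectionsperserver is capped at numberofthread), and reports settings a reviewer would question: bindpwd used while useSSL is off and useKRB5 is no, or ldapsslkeypwd kept in the file instead of the .sth stash. The two sample configurations, including their host names and paths, are constructed; the attribute names and limits are the ones in the table.

```python
"""Parser and checker for the ldap.cfg format documented on this page.

Added example, not part of the AIX documentation or of secldapclntd.
Attribute names, ranges and precedence rules come from the table above;
the two sample configurations are constructed here.
"""
from dataclasses import dataclass, field

MAX_BASEDNS = 10  # "up to 10 base DNs for each entity"

# Integer ranges stated in the table (inclusive; None = no upper bound).
INT_RANGES = {
    "usercachesize": (100, 65536), "groupcachesize": (10, 65536),
    "cachetimeout": (0, None), "usercachetimeout": (0, None),
    "groupcachetimeout": (0, None), "heartbeatinterval": (5, 3600),
    "numberofthread": (1, 256), "connectionsperserver": (1, 100),
    "connectionmissratio": (10, 90), "connectiontimeout": (5, None),
    "ldaptimeout": (0, 3600), "reconnT": (5, 3600),
}
# Enumerated values stated in the table.
ENUMS = {
    "authtype": {"unix_auth", "ldap_auth"},
    "useSSL": {"yes", "SSL", "TLS", "NONE", "no"},
    "useKRB5": {"yes", "no"},
    "pwdalgorithm": {"crypt", "system"},
    "followaliase": {"NEVER", "SEARCHING", "FINDING", "ALWAYS"},
    "searchmode": {"ALL", "OS"},
    "defaultentrylocation": {"ldap", "local"},
    "serverschematype": {"rfc2307aix", "rfc2307", "aix", "sfu30", "sfur2"},
}


@dataclass
class LdapCfg:
    values: dict = field(default_factory=dict)    # single-valued attributes
    basedns: dict = field(default_factory=dict)   # *basedn -> values in file order
    problems: list = field(default_factory=list)  # syntax errors seen while parsing


def parse_ldap_cfg(text: str) -> LdapCfg:
    """Parse 'key: value' lines. '#' starts a comment; every *basedn attribute
    may repeat, one value per line, and keeps file order (order = priority)."""
    cfg = LdapCfg()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            cfg.problems.append(f"line {lineno}: not a 'key: value' pair")
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if key.endswith("basedn"):
            cfg.basedns.setdefault(key, []).append(value)
        elif key in cfg.values:
            cfg.problems.append(f"line {lineno}: duplicate {key}")
        else:
            cfg.values[key] = value
    return cfg


def check_ldap_cfg(cfg: LdapCfg) -> list:
    """Return findings: documented range/enum violations plus settings a reviewer
    would question (credentials on a cleartext bind, key password kept in the file)."""
    findings = list(cfg.problems)
    v = cfg.values
    for key, (lo, hi) in INT_RANGES.items():
        if key not in v:
            continue
        if not v[key].lstrip("-").isdigit():
            findings.append(f"{key}: not an integer")
        elif int(v[key]) < lo or (hi is not None and int(v[key]) > hi):
            findings.append(f"{key}: {v[key]} outside documented range "
                            f"{lo}-{hi if hi is not None else 'unbounded'}")
    for key, allowed in ENUMS.items():
        if key in v and v[key] not in allowed:
            findings.append(f"{key}: invalid value {v[key]!r}")
    for key, vals in cfg.basedns.items():
        if len(vals) > MAX_BASEDNS:
            findings.append(f"{key}: {len(vals)} values, limit is {MAX_BASEDNS}")
    # A simple bind without SSL/TLS or Kerberos sends binddn/bindpwd in clear text.
    if (v.get("useSSL", "no") in ("no", "NONE") and v.get("useKRB5", "no") == "no"
            and "bindpwd" in v):
        findings.append("bindpwd used with useSSL off and useKRB5 no: credentials sent in clear")
    if "ldapsslkeypwd" in v:
        findings.append("ldapsslkeypwd is in ldap.cfg; comment it out to use the .sth stash file")
    return findings


def effective_settings(cfg: LdapCfg) -> dict:
    """Apply the precedence rules from the table: usercachetimeout/groupcachetimeout
    override cachetimeout, and connectionsperserver is capped at numberofthread."""
    v = cfg.values
    cache = int(v.get("cachetimeout", 300))
    return {
        "usercachetimeout": int(v.get("usercachetimeout", cache)),
        "groupcachetimeout": int(v.get("groupcachetimeout", cache)),
        "connectionsperserver": min(int(v.get("connectionsperserver", 10)),
                                    int(v.get("numberofthread", 10))),
    }


# Constructed sample: cleartext simple bind, cache size below the documented
# minimum, more connections than worker threads.
WEAK_CFG = """\
ldapservers: ldap1.example.test,ldap2.example.test
binddn: cn=proxy,cn=aixdata
bindpwd: example-password
useSSL: no
usercachesize: 50
numberofthread: 4
connectionsperserver: 10
cachetimeout: 600
userbasedn: ou=people,cn=aixdata
"""

# Constructed sample: the same client with those settings corrected.
HARDENED_CFG = """\
ldapservers: ldap1.example.test,ldap2.example.test
binddn: cn=proxy,cn=aixdata
bindpwd: example-password
useSSL: TLS
ldapsslkeyf: /etc/security/ldap/client.kdb
# ldapsslkeypwd left commented out: the password comes from client.sth beside the key
usercachesize: 1000
numberofthread: 10
connectionsperserver: 10
cachetimeout: 600
usercachetimeout: 120
userbasedn: ou=people,cn=aixdata
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        cfg = parse_ldap_cfg(text)
        print(name, check_ldap_cfg(cfg), effective_settings(cfg))
```

The hardened sample produces no findings; the weak one reports the cache size below 100 and the cleartext bind, and its effective connectionsperserver is 4 rather than the configured 10 because numberofthread is 4. The checker knows only the attributes listed in the table, so other keys pass through unexamined.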
Detailed information
- Multiple base DNs
  All the base DN attributes accept multiple values, with each <basedn>: <value> pair on a separate line. For example, to allow users in the ou=dept1users,cn=aixdata base DN and the ou=dept2users,cn=aixdata base DN to log in to the system, you can specify the userbasedn attribute as follows:
    userbasedn: ou=dept1users,cn=aixdata
    userbasedn: ou=dept2users,cn=aixdata
  You can specify up to 10 base DNs for each entity in the /etc/security/ldap/ldap.cfg file. The base DNs are prioritized in the order that they appear in the /etc/security/ldap/ldap.cfg file. The following list describes the system behavior with regard to multiple base DNs:
  - Query operations, such as the lsuser command, are done according to the base DN order that is specified until a matching account is found. A failure is returned only if all the base DNs are searched without finding a match.
  - Modification operations, such as the chuser command, are done to the first matching account.
  - Deletion operations, such as the rmuser command, are done to the first matching account.
  - Creation operations, such as the mkuser command, are done only to the first base DN.
- Domain RBAC base DNs
    #domainbasedn:ou=domains,cn=aixdata
    #domobjbasedn:ou=domobjs,cn=aixdata
  The time interval in minutes specifies the frequency at which the kernel RBAC and the domain RBAC tables are updated. A value of 0 disables the automatic update.
    rbacinterval: 0
- Extended base DN format
  You can specify optional search scope and search filter parameters for base DN attributes. Append the parameters to the base DN, with the fields separated by question mark (?) characters. The following list shows the valid base DN formats:
  - The default format that the secldapclntd daemon uses:
      userbasedn: ou=people, cn=aixdata
  - A format that limits the search by a scope attribute:
      userbasedn: ou=people, cn=aixdata?scope
    The valid values of the scope attribute are sub, one, and base. If you do not specify the scope attribute, the default value is sub.
  - A format that limits the search by a filter attribute:
      userbasedn: ou=people, cn=aixdata??filter
    The filter attribute limits the entries that are defined in the LDAP server. You can use this filter to make only users with certain properties visible to the system. The following list shows some valid filter formats, where attribute is the name of an LDAP attribute, and value specifies the search criteria, which can be a wildcard (*):
      (attribute=value)
      (&(attribute=value)(attribute=value))
      (|(attribute=value)(attribute=value))
  - A format that uses both a scope attribute and a filter attribute:
      userbasedn: ou=people, cn=aixdata?scope?filter
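As an added example (not part of the AIX documentation or of secldapclntd), the following Python code parses the base?scope?filter form described above, evaluates the three filter shapes shown, and models the ordered lookup across multiple base DNs described under Multiple base DNs: each configured base DN is tried in file order until a matching account is found, and the search fails only after every base DN has been tried. The directory entries and the two userbasedn values are constructed. Scope and filter semantics are simplified (exact-case wildcard matching, no value escaping); a real LDAP server applies the attribute's matching rule.

```python
"""Extended base DN (dn?scope?filter) parsing and ordered multi-base-DN lookup.

Added example, not part of the AIX documentation or of secldapclntd. The
directory below is constructed; filter evaluation is a simplified model
(exact-case wildcard match, no escaping) of what an LDAP server does.
"""
import fnmatch
from dataclasses import dataclass

VALID_SCOPES = ("sub", "one", "base")


@dataclass(frozen=True)
class BaseDn:
    dn: str             # normalised: no blanks after the commas
    scope: str = "sub"  # search scope; "sub" is the documented default
    filter: str = ""    # optional LDAP search filter, "" = none


def _norm(dn: str) -> str:
    """'ou=people, cn=aixdata' and 'ou=people,cn=aixdata' name the same entry."""
    return ",".join(p.strip() for p in dn.split(","))


def parse_basedn(value: str) -> BaseDn:
    """Split 'dn', 'dn?scope', 'dn??filter' or 'dn?scope?filter'.
    An empty scope field (dn??filter) keeps the default scope 'sub'."""
    parts = value.split("?", 2)
    dn = _norm(parts[0])
    scope = (parts[1].strip() or "sub") if len(parts) > 1 else "sub"
    flt = parts[2].strip() if len(parts) > 2 else ""
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope!r} in base DN {value!r}")
    if flt and not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {flt!r}")
    return BaseDn(dn, scope, flt)


def in_scope(entry_dn: str, base: BaseDn) -> bool:
    """base: only the base entry; one: its direct children; sub: the whole subtree."""
    e = _norm(entry_dn)
    if base.scope == "base":
        return e == base.dn
    if not e.endswith("," + base.dn):
        return False
    depth = e[: -len(base.dn) - 1].count(",") + 1  # RDNs below the base
    return depth == 1 if base.scope == "one" else True


def parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for the filter forms shown above:
    (attribute=value), (&(...)(...)) and (|(...)(...)).
    Returns (node, next_index); node is ('eq', attr, pattern) or ('&'|'|', [children])."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] != ")":
            child, i = parse_filter(s, i)
            children.append(child)
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, pattern = s[i:end].partition("=")
    return ("eq", attr.strip(), pattern.strip()), end + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry ({attribute: [values]})."""
    if node[0] == "eq":
        _, attr, pattern = node
        return any(fnmatch.fnmatchcase(str(v), pattern) for v in entry.get(attr, []))
    results = [matches(child, entry) for child in node[1]]
    return all(results) if node[0] == "&" else any(results)


def find_user(name: str, basedns: list, directory: dict):
    """Try each configured base DN in file order and return (base dn, entry dn)
    for the first account that matches; None if all base DNs were searched in vain."""
    for raw in basedns:
        base = parse_basedn(raw)
        flt = parse_filter(base.filter)[0] if base.filter else None
        for dn, entry in directory.items():
            if not in_scope(dn, base) or name not in entry.get("uid", []):
                continue
            if flt is None or matches(flt, entry):
                return base.dn, dn
    return None


# Constructed directory: "bob" exists in both departments, but only the dept2
# entry satisfies the staff filter; "carol" sits one level deeper than dept2.
DIRECTORY = {
    "uid=alice,ou=dept1users,cn=aixdata": {"uid": ["alice"], "employeeType": ["staff"]},
    "uid=bob,ou=dept1users,cn=aixdata": {"uid": ["bob"], "employeeType": ["contractor"]},
    "uid=bob,ou=dept2users,cn=aixdata": {"uid": ["bob"], "employeeType": ["staff"]},
    "uid=carol,ou=archive,ou=dept2users,cn=aixdata": {"uid": ["carol"], "employeeType": ["staff"]},
}
# Constructed userbasedn values: scope "one" with a filter, then the default
# scope "sub" (empty scope field) with a compound filter.
USERBASEDNS = [
    "ou=dept1users, cn=aixdata?one?(employeeType=staff)",
    "ou=dept2users,cn=aixdata??(&(uid=*)(employeeType=staff))",
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "->", find_user(user, USERBASEDNS, DIRECTORY))
```

With these inputs, alice resolves in the first base DN, bob skips the dept1 entry (the filter hides the contractor record) and resolves in dept2, carol is found only because the second base DN uses the default sub scope, and dave returns None after both base DNs have been searched.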
- Object classes
  The first object class in the list is the key object class, which can be used for search operations. By default, the keyobjectclass attribute in the attribute mapping file is used for this purpose. If the mapping file does not exist, or the keyobjectclass attribute is not present in the mapping file, the first object class in this list is used.