You can configure an AIX LDAP client system to use Kerberos in its initial bind to an LDAP server. For the IDS server host to act as a client to its own server, the IDS server must be configured in the same manner.

This example was tested using IDS v5.1:
- Install the krb5.client fileset.
- Make sure the /etc/krb.conf file exists and is configured properly. If it is not properly configured, you can run the /usr/sbin/config.krb5 command to configure it.
- Get the keytab file of the bind principal and place it in the /etc/security/ldap directory.
- Set the permissions of the keytab file to 600.
- Configure the client with the mksecldap command, using the bind DN and the bind password. Verify that AIX commands work for LDAP users.
- Edit the /etc/security/ldap/ldap.cfg file to set the Kerberos-related attributes. In the following example, the bind principal is ldapproxy and the keytab file is ldapproxy.keytab. If you want IDS server administrator privileges, replace ldapproxy with ldapadmin and replace ldapproxy.keytab with ldapadmin.keytab.

    useKRB5:yes
    krbprincipal:ldapproxy
    krbkeypath:/etc/security/ldap/ldapproxy.keytab
    krbcmddir:/usr/krb5/bin/

  The bind DN and bind password can now be removed from, or commented out of, the ldap.cfg file, because the secldapclntd daemon now uses the Kerberos bind.
- Restart the secldapclntd daemon.
- The /etc/security/ldap/ldap.cfg file can now be propagated to other client systems.
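Before propagating ldap.cfg to other clients, it is worth checking that the Kerberos settings above are complete, that the keytab is owner-only (600) and that no bind password is left in the file. The following script is an added example, not part of the AIX documentation; it assumes only the key:value syntax shown above, and the sample ldap.cfg, bind DN and password it builds under a temporary directory are constructed for the demonstration.

```sh
#!/bin/sh
# Read the value of "key:value" from an ldap.cfg style file, skipping
# commented-out lines (they start with '#', so the anchor does not match).
cfg_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Check the Kerberos bind settings of an ldap.cfg. Prints one line per
# problem found and returns the number of problems (0 means all good).
check_ldap_krb_cfg() {
    cfg="$1"; problems=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    [ "$(cfg_value "$cfg" useKRB5)" = "yes" ] ||
        { echo "useKRB5 is not yes"; problems=$((problems + 1)); }
    [ -n "$(cfg_value "$cfg" krbprincipal)" ] ||
        { echo "krbprincipal is not set"; problems=$((problems + 1)); }
    keytab=$(cfg_value "$cfg" krbkeypath)
    if [ ! -f "$keytab" ]; then
        echo "keytab '$keytab' not found"; problems=$((problems + 1))
    else
        # the keytab holds the principal's long-term key: owner-only (600)
        mode=$(ls -l "$keytab" | cut -c2-10)
        [ "$mode" = "rw-------" ] ||
            { echo "keytab mode is $mode, expected rw-------"; problems=$((problems + 1)); }
    fi
    [ -d "$(cfg_value "$cfg" krbcmddir)" ] ||
        { echo "krbcmddir is not a directory"; problems=$((problems + 1)); }
    # once Kerberos bind is in use, a bind password in the file is a leftover secret
    [ -z "$(cfg_value "$cfg" bindpwd)" ] ||
        { echo "bindpwd is still set; remove or comment it out"; problems=$((problems + 1)); }
    return $problems
}

# Build a constructed sample (not a real AIX client) under directory $1:
# a keytab with mode 600, a command directory, and an ldap.cfg that mirrors
# the settings above. The bind DN and password are hypothetical, commented out.
make_sample() {
    mkdir -p "$1/bin" && : > "$1/ldapproxy.keytab" && chmod 600 "$1/ldapproxy.keytab"
    cat > "$1/ldap.cfg" <<EOF
#binddn:cn=proxyuser,o=example
#bindpwd:changeme
useKRB5:yes
krbprincipal:ldapproxy
krbkeypath:$1/ldapproxy.keytab
krbcmddir:$1/bin/
EOF
}
tmp=$(mktemp -d) && make_sample "$tmp"
check_ldap_krb_cfg "$tmp/ldap.cfg" && echo "ldap.cfg Kerberos settings look good"
```

Run it against /etc/security/ldap/ldap.cfg instead of the sample to check a real client; a non-zero exit status is the number of problems reported.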