LDAP client configuration for RBAC
A system must be configured as an LDAP client to use RBAC data stored in LDAP.
You can use the AIX /usr/sbin/mksecldap command to configure a system as an LDAP client. The mksecldap command dynamically searches the specified LDAP server to determine the location of the authorization, role, privileged command, device, and file data, and saves the results to the /etc/security/ldap/ldap.cfg file.
After successfully configuring the system as an LDAP client with the mksecldap command, the system must be further configured to enable LDAP as a lookup domain for RBAC data. The /etc/nscontrol.conf file must be modified to include LDAP in the secorder attribute for databases that are stored in LDAP.
Once the system has been configured as both an LDAP client and as a lookup domain for RBAC data, the /usr/sbin/secldapclntd client daemon periodically retrieves the RBAC data from LDAP and loads it into the Kernel Security Tables (KST) with the setkst command. You can configure how often the daemon retrieves the RBAC data from LDAP with the rbacinterval attribute in the /etc/security/ldap/ldap.cfg file. The default value of this attribute is 3600 seconds, so the RBAC data is retrieved from LDAP and the KST updated once every hour. The KST can also be updated manually when an administrator runs the setkst command.