mkldap command

Purpose

Sets up Virtual I/O Server as a Lightweight Direct Access Protocol (LDAP) client.

Syntax

mkldap -host serverlist -bind bindDN -passwd bindpwd [ -base baseDN ] [ -port serverport ] [ -ctimeout cacheTimeout ] [ -csize cacheSize ] [ -threads NumberofThreads ] [ -hbeatint heartBeatInt ] [-keypath SSL_database_path ] [-keypasswd SSL_password ] [ -auth authType ] [ -users userlist | ALL]

mkldap -deconfig

Description

The mkldap command is used to set up the Virtual I/O Server as an LDAP client. The server bind distinguished name (DN) and password for client access to the LDAP server. The mkldap command saves server bind DN, password, server name, the SSL key path and password, and other configuration attributes to the /etc/security/ldap/ldap.cfg file. The mkldap command saves the bind password and SSL key password (if SSL is configured) to the /etc/security/ldap/ldap.cfg file in encrypted format.

Note: These encrypted passwords are system specific, and can only be used by the secldapclntd daemon on the system where they are generated.

You can supply multiple LDAP servers to the mkldap command during client setup. In this case, the client contacts the servers in the supplied order and establishes connection to the first server to which the client can successfully bind.

The LDAP client communicates to the LDAP server through a client side daemon, secldapclntd.

The secldapclntd command is enabled or disabled by using the startnetsvc and stopnetsvc commands.

Flags

-host serverlist	Specifies comma-separated list of host names.
-bind bindDN	Specifies the DN (distinguished name) to bind to the LDAP server.
-passwd bindpwd	Specifies the clear text password for the bindDN used to bind to the LDAP server.
-base baseDN	Specifies the base DN for the mkldap command, in which to search for the user base DN and group base DN. If you do not specify this flag, the entire database is searched.
-port serverport	Specifies the port number to which the LDAP server is listening.
-ctimeout cachetimeout	Specifies the maximum time length that a cache entry expires. Set this value to 0 to disable caching.
-csize cacheSize	Specifies the maximum number of user entries used in the client side daemon cache.
-threads NumberofThreads	Specifies the numbers of threads that the client side daemon uses.
-hbeatint heartBeatInt	Specifies the time interval of heartbeats between the client and the LDAP server.
-keypath SSL_database_path	Specifies the full path to the SSL database. Note: This requires the ldap.max_crypto_client fileset to be installed.
-keypasswd SSL_password	Specifies the password for the SSL key. Note: This requires the ldap.max_crypto_client fileset to be installed.
-auth authType	Specifies the authentication mechanism that is used to authenticated users. Valid values are unix_auth and ldap_auth.
-users userlist	Specifies the comma-separted list of user names to enable for LDAP authentication. Specify ALL to enable all users on the client.
-deconfig bindpwd	Specifies that the previous client setup to the LDAP client configuration file should be undone.

Exit Status

0	Success
1	Invalid flag, argument, or command failure

Examples

Run one of the following mkldap commands with the -u flag for a user ID to become an LDAP user ID at client setup time:

mkldap -host ldapserv1 -bind cn=admin -passwd adminpwd  -users user1,user2

mkldap -host ldapserv1 -bind cn=admin -passwd adminpwd

To setup the client to talk to the server3.your_company.com LDAP server using SSL, enter the following command:

mkdap -bind cn=admin -passwd adminpwd -host server3.your_company.com 
-base o=mycompany,c=us -keypath /usr/ldap/clientkey.kdb 
-keypasswd keypwd -users user1,user2

Either of these commands set up the local host as the client of the LDAP server running on host ldapserv1 and cn=admin and -passwd adminpwd are the LDAP server administrator DN and password.

Files

/etc/security/ldap/ldap.cfg

Contains the mkldap command, and server bind DN, password, server name, the SSL key path and password, and other configuration attributes.

Related Information

The ldapadd command and the ldapsearch command.