Configuring an LDAP client for Encrypted File System keystore

To use Encrypted File System (EFS) keystore data that is stored in LDAP, you must configure a system as an LDAP client.

To configure an LDAP client for EFS keystore, complete the following steps:
  1. Run the /usr/sbin/mksecldap command to configure a system as an LDAP client.
    The mksecldap command dynamically searches the specified LDAP server to determine the location of the EFS keystore data. Then, it saves the results to the /etc/security/ldap/ldap.cfg file. The mksecldap command determines the location for user, group, admin, and efscookies keystore data.
  2. Complete one of the following steps to enable LDAP as a lookup domain for EFS keystore data:
    • Set the user and group efs_keystore_access attribute to file or ldap.
    • Define the search order for the keystore at the system level by using the /etc/nscontrol.conf file. The following table shows an example.
      Table 1. Example configuration for the /etc/nscontrol.conf file

      Attribute        Description                                                           Search order (secorder)
      efsusrkeystore   This search order is common for all users.                            LDAP, files
      efsgrpkeystore   This search order is common for all groups.                           files, LDAP
      efsadmkeystore   This search order locates the admin keystore for any target keystore. LDAP, files

      Attention: The configuration defined in the /etc/nscontrol.conf file overrides any values set for the user and group efs_keystore_access attribute. The same is true for the user efs_adminks_access attribute.
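The precedence described in step 2 and the Attention note, as an added example that is not part of the IBM documentation: a small Python resolver that parses a constructed /etc/nscontrol.conf matching Table 1 and returns the effective keystore search order, letting a system-level secorder override the user or group efs_keystore_access value. The stanza syntax (a stanza name followed by a colon, then indented key = value lines, with * starting a comment) is assumed from the AIX stanza-file convention, and the fallback to local files when neither setting exists is an assumption.

```python
"""Resolve the effective EFS keystore search order on an AIX-style LDAP client.

Added example, not IBM code. It models the precedence the documentation
describes: a secorder defined in /etc/nscontrol.conf overrides the per-user or
per-group efs_keystore_access (or efs_adminks_access) attribute.
"""
from __future__ import annotations

# Constructed sample content for /etc/nscontrol.conf, mirroring Table 1.
# Stanza syntax ("name:" then indented "key = value") is assumed from the
# AIX stanza-file convention; '*' starts a comment in that convention.
SAMPLE_NSCONTROL_CONF = """\
* EFS keystore lookup order (constructed sample)
efsusrkeystore:
        secorder = LDAP,files

efsgrpkeystore:
        secorder = files,LDAP

efsadmkeystore:
        secorder = LDAP,files
"""

# The attribute form uses "file"/"ldap"; nscontrol.conf uses "files"/"LDAP".
_DOMAIN_ALIASES = {"ldap": "LDAP", "file": "files", "files": "files"}


def parse_stanzas(text: str) -> dict[str, dict[str, str]]:
    """Parse stanza-style text into {stanza_name: {key: value}}."""
    stanzas: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.split("*", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return stanzas


def normalize_domains(value: str) -> list[str]:
    """Turn 'LDAP,files' or 'file' into a canonical ordered list of domains."""
    order: list[str] = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if token.lower() not in _DOMAIN_ALIASES:
            raise ValueError(f"unknown lookup domain: {token!r}")
        order.append(_DOMAIN_ALIASES[token.lower()])
    return order


def effective_search_order(nscontrol_text: str, keystore_stanza: str,
                           entity_attr: str | None) -> tuple[list[str], str]:
    """Return (search_order, source) for one keystore type.

    keystore_stanza: efsusrkeystore, efsgrpkeystore or efsadmkeystore.
    entity_attr: the user/group efs_keystore_access (or efs_adminks_access)
    value, or None if unset. A system-level secorder always wins.
    """
    stanza = parse_stanzas(nscontrol_text).get(keystore_stanza, {})
    if "secorder" in stanza:
        return normalize_domains(stanza["secorder"]), "/etc/nscontrol.conf"
    if entity_attr:
        return normalize_domains(entity_attr), "entity attribute"
    return ["files"], "default"  # assumed fallback: local file keystore only


if __name__ == "__main__":
    # A user whose attribute says "file" still gets LDAP first: the
    # system-level setting overrides the per-user attribute.
    for stanza, attr in (("efsusrkeystore", "file"),
                         ("efsgrpkeystore", None),
                         ("efsadmkeystore", "ldap")):
        order, source = effective_search_order(SAMPLE_NSCONTROL_CONF, stanza, attr)
        print(f"{stanza:15} attr={attr!s:5} -> {','.join(order):12} ({source})")
    # Without a nscontrol.conf stanza the attribute value applies.
    print(effective_search_order("", "efsusrkeystore", "ldap"))
```

Running the script prints the three Table 1 orders with /etc/nscontrol.conf as the source even where the entity attribute disagrees, and shows the attribute taking effect only when the system-level stanza is absent; the same helper can be pointed at the real file content when auditing which domain a client will consult first.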
After you configure a system as an LDAP client and enable LDAP as a lookup domain for EFS keystore data, the /usr/sbin/secldapclntd client daemon retrieves the EFS keystore data from the LDAP server whenever you perform LDAP keystore operations.