IBM Support

How To: Edit the ldap.cfg to make changes after the initial configuration

Question & Answer


Question

Customers frequently ask: "I need to make changes to the ldap.cfg file, such as changing the LDAP server or adding filters, but I prefer to use the command line rather than manually editing the file. Can I use the mksecldap command for this purpose?"

Cause

The answer to this question is No. The mksecldap command is primarily designed for the initial configuration of the AIX LDAP client. Once the initial setup is complete and mksecldap has been run, it is strongly advised not to run it again for subsequent modifications.

The reason for this is that mksecldap operates based on a predefined script and a limited set of flags. It does not possess flags or logic to account for every possible configuration change that can be made to the ldap.cfg file. If mksecldap is executed again after manual changes have been applied to ldap.cfg (changes that mksecldap does not explicitly manage or "see" through its flags), there is a significant risk that these existing, custom configurations will be overwritten or lost. This could lead to unexpected behavior, service disruptions, and potentially a longer downtime period as you would need to manually re-apply the lost configurations.

Answer

To change ldap.cfg safely after the initial setup, edit it directly with a text editor such as vi. This preserves every existing setting and applies only the modification you intend.

Follow these steps to safely modify ldap.cfg:

  1. Backup the current configuration:

    cp -p /etc/security/ldap/ldap.cfg /etc/security/ldap/ldap.cfg.backup

  2. Edit the file manually:

    vi /etc/security/ldap/ldap.cfg

  3. Restart the LDAP client daemon for changes to take effect:

    restart-secldapclntd

This process typically results in a minimal downtime of approximately 2 seconds, which is the time required for the LDAP client daemon to restart. This is considered the most reliable and safest way to manage changes to ldap.cfg after its initial setup.
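The three steps above, carried out by a script instead of by hand, as an added example that is not IBM's code. It assumes the ldap.cfg line format of "key:value" with "#" comment lines, and that restart-secldapclntd is in PATH; the file path is always passed explicitly so the logic can be exercised on a scratch copy before it touches /etc/security/ldap/ldap.cfg. The temp file inherits the original file's mode and owner, which matters because ldap.cfg can hold the bind password.

```sh
#!/bin/sh
# Added example (not IBM's code): change one key in ldap.cfg following the
# documented steps: timestamped backup with cp -p, rewrite of the "key:value"
# line, then a restart of the client daemon.
# Assumptions: "key:value" lines with '#' comments (the ldap.cfg format), and
# restart-secldapclntd available in PATH (RESTART_CMD can override it).

RESTART_CMD="${RESTART_CMD:-restart-secldapclntd}"

# get_ldap_key FILE KEY -> prints the value of the active (uncommented) KEY line
get_ldap_key() {
    awk -v k="$2" 'index($0, k ":") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# set_ldap_key FILE KEY VALUE
# Replaces the active "KEY:..." line (appends one if none exists), leaving
# comments and all other keys untouched. A second active copy of the same key
# is dropped. The rewrite goes to a temp copy made with cp -p so it keeps the
# original mode/owner (ldap.cfg may contain the bind password; a world-readable
# temp file would leak it), then replaces the original in a single rename so
# the daemon never reads a half-written file.
set_ldap_key() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    cp -p "$file" "$tmp" || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        index($0, k ":") == 1 { if (!done) { print k ":" v; done = 1 }; next }
        { print }
        END { if (!done) print k ":" v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# change_ldap_cfg FILE KEY VALUE: the three documented steps, in order.
change_ldap_cfg() {
    file=$1
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1   # step 1: backup
    set_ldap_key "$file" "$2" "$3" || return 1                    # step 2: edit
    $RESTART_CMD                                                   # step 3: restart
}

# Usage: change_ldap_cfg /etc/security/ldap/ldap.cfg ldapservers ldap2.example.com
if [ $# -eq 3 ]; then
    change_ldap_cfg "$1" "$2" "$3"
fi
```

After the restart, ls-secldapclntd reports whether the daemon came back up, and a diff against the timestamped backup shows exactly the one line that changed, which is the review you want before calling the change done.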

IMPORTANT NOTE:

I have created an RFE/Idea suggesting a command-line utility that enables and provides a more robust way to edit the ldap.cfg without having to manually modify it. Please consider upvoting this idea, as voting helps RFEs gain more attention from the development team.

Here is the link to this RFE/Idea:
https://ideas.ibm.com/ideas/AIX-I-813


Document Information

More support for:
AIX

Component:
Communication Applications->LDAP

Software version:
7.2.0 and future releases

Operating system(s):
AIX

Document number:
7239760

Modified date:
15 July 2025

UID

ibm17239760
