Steps for tailoring the LDAP section of the configuration file
Before you begin
- Important: You need to update the LDAP section of the pkiserv.conf configuration file only if you are configuring PKI Services for the first time or your company is using encrypted passwords for your LDAP servers.
- You need UNIX programming skills to complete this procedure.
- Table 1 lists some parameters that are in the LDAP section of the pkiserv.conf configuration file. The rightmost column lists the default values. You need to change some of these values. Fill in the blank lines with your company's information (and cross out these defaults). If you decide to change any of the other defaults, cross out these values and record your company's information.
Parameter | Information needed | Where to get this information | Default value and your company's information |
---|---|---|---|
NumServers= | The number of available LDAP servers. These are replicas that can post certificates and CRLs. | From LDAP programmer | 1 |
PostInterval= | How often the posting thread scans the request database for certificates and CRLs to post to the LDAP server, in weeks (w), days (d), hours (h), minutes (m), or seconds (s), if NumServers > 0. | UNIX programmer decides this. Specify a number followed by h (hours), m (minutes), or s (seconds). | 5m |
Server1= | You use this parameter only if you are storing LDAP passwords in the clear. This parameter's value is the fully qualified domain name (domain name or IP address and port) for the first LDAP server. If you are using a Secure Sockets Layer (SSL) session, the fully qualified domain name should be preceded by ldaps://. | Copy this information from the earlier (completed) table, Table 1. | myldapserver.mycompany.com:389 ___________________________ Note: If the number of servers (the value in the row containing NumServers=) is greater than one, you need one value for each server. |
UseBinaryAttr1= | Specifies whether the CA posts certificates and CRLs to the LDAP server with the binary attribute. Valid values are T (True) or F (False). If NumServers is greater than 1, specify a value for each server; for example, specify UseBinaryAttr2 for server 2. If a value of UseBinaryAttrn is not specified, it defaults to F. | UNIX programmer decides this (after consulting with LDAP programmer) | F |
AuthName1= | You use this parameter only if you are storing LDAP passwords in the clear. This parameter's value is the distinguished name to use for LDAP binding. (See Table 1 for a definition of distinguished name.) | Copy this information from the earlier (completed) table, Table 1. | CN=root ___________________________ Note: If the number of servers (the value in the row containing NumServers=) is greater than one, you need one value for each server. |
AuthPwd1= | You use this parameter only if you are storing LDAP passwords in the clear. This parameter's value is the password to use for LDAP binding. The LDAP programmer sets this. Note: Include this parameter, Server1, and AuthName1 only if you are storing the LDAP password in the clear. Alternately, if you encrypt the password for an LDAP server, use the BindProfile1 parameter. Omitting BindProfile1 and Server1 specifies using the PROXY segment information from the IRR.PROXY.DEFAULTS profile in the FACILITY class. (For more information, see Using encrypted passwords for LDAP servers.) | Copy this information from the earlier (completed) table, Table 1. | root ____________________ Note: If the number of servers (the value in the row containing NumServers=) is greater than one, you need one value for each server. |
CreateOUValue= | Value to use for the OU attribute when creating LDAP entries under the objectclass organizationalUnit. (See Table 1.) This is used only when no OU value is specified in the relative distinguished name. | UNIX programmer decides this (after consulting with LDAP programmer) | Created by PKI Services |
RetryMissingSuffix= | True (T) or False (F) setting that indicates whether LDAP post requests should be tried again later if the distinguished name suffix does not exist. When set to F, LDAP post requests that fail because of a missing suffix are discarded. | UNIX programmer decides this (after consulting with LDAP programmer) | T |
BindProfile1= | You use this parameter only if you intend to use an encrypted password for your LDAP server. This parameter's value is the name of the LDAPBIND class profile containing the bind information for the LDAP server. (For more information, see Using encrypted passwords for LDAP servers.) | Get the profile name from the RACF® administrator who creates the profile. See Using encrypted passwords for LDAP servers for more information. | LOCALPKI.BINDINFO.LDAP1 ____________________ Note: If the number of servers (the value in the row containing NumServers=) is greater than one, you need one value for each server. |
Procedure
1. If necessary, change 1 (the default) in the following line to the number of available LDAP servers listed in Table 1:
   NumServers=1
   _______________________________________________________________
2. Optionally, change 5m in the following line to the posting interval in Table 1:
   PostInterval=5m
   _______________________________________________________________
3. If necessary, update the BindProfile1 line or the Server1, AuthName1, and AuthPwd1 lines:
   - If you intend to use an encrypted password for your LDAP server and you are configuring PKI Services for the first time, perform the following steps:
     - If you are using an LDAPBIND class profile, remove the comment delimiter (#) from the start of the following line and change LOCALPKI.BINDINFO.LDAP1 to the name of the LDAPBIND class profile. (See Step 3.)
       # BindProfile1=LOCALPKI.BINDINFO.LDAP1
     - Delete the following three lines in the LDAP section:
       Server1=myldapserver.mycompany.com:389
       AuthName1=CN=root
       AuthPwd1=root
   - If you are not using an encrypted password for your LDAP server and you are configuring PKI Services for the first time, perform the following steps:
     - Change your-ldap-server-address:port in the following line to your fully qualified domain name and port as listed in Table 1:
       Server1=your-ldap-server-address:port
     - Change CN=root in the following line to the value of the administrator distinguished name in Table 1:
       AuthName1=CN=root
     - Change root in the following line to the value of the administrator password in Table 1:
       AuthPwd1=root
   _______________________________________________________________
4. If the value of NumServers= is greater than 1, repeat Step 3 for each additional server. (You need to increment the number in the parameter names for each additional server, for example Server2, AuthName2, AuthPwd2.)
   _______________________________________________________________
5. If necessary, change Created by PKI Services in the following line to the OU attribute value in Table 1:
   CreateOUValue=Created by PKI Services
   _______________________________________________________________
6. If necessary, change T in the following line to the RetryMissingSuffix value in Table 1:
   RetryMissingSuffix=T
   _______________________________________________________________
7. If you want certificates and CRLs posted to the LDAP server with the binary attribute, remove the comment delimiter (#) from the start of the following line and change F to T:
   #UseBinaryAttr1=F
   If the value of NumServers= is greater than 1, repeat this step for each server. Increment the number in the parameter name for each additional server, for example UseBinaryAttr2.
   _______________________________________________________________
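A small review script, added here as an example and not part of PKI Services or its documentation, that reads the LDAP section in the key=value form the procedure edits and reports per-server bind settings that contradict Table 1 (a BindProfile combined with clear-text Server/AuthName/AuthPwd lines, an incomplete clear-text triple, a malformed PostInterval, and any AuthPwd line that leaves the bind password in the clear). The `[LDAP]` section header, the sample values and the exact rules as coded are assumptions drawn from the parameter descriptions above.

```python
import re

# Constructed sample LDAP section of pkiserv.conf; the [LDAP] header is assumed.
# Server 1 binds with a clear-text password, server 2 with an LDAPBIND profile.
SAMPLE_CONF = """
[LDAP]
NumServers=2
PostInterval=5m
Server1=myldapserver.mycompany.com:389
AuthName1=CN=root
AuthPwd1=root
#BindProfile1=LOCALPKI.BINDINFO.LDAP1
BindProfile2=LOCALPKI.BINDINFO.LDAP2
CreateOUValue=Created by PKI Services
"""
INTERVAL_RE = re.compile(r"^\d+[wdhms]$")  # number followed by w/d/h/m/s

def parse_ldap_section(text):
    """Return the active (uncommented) key=value pairs of the [LDAP] section."""
    params, in_ldap = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_ldap = line == "[LDAP]"
            continue
        if not in_ldap or not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # AuthName1=CN=root keeps "CN=root"
        params[key.strip()] = value.strip()
    return params

def check_ldap_section(params):
    """Review the bind settings for each server and return a list of findings."""
    findings = []
    n = int(params.get("NumServers", "1"))
    if n > 0 and not INTERVAL_RE.match(params.get("PostInterval", "")):
        findings.append("PostInterval must be a number followed by w, d, h, m or s")
    for i in range(1, n + 1):
        has_bind = f"BindProfile{i}" in params
        clear = [k for k in (f"Server{i}", f"AuthName{i}", f"AuthPwd{i}") if k in params]
        if has_bind and clear:
            findings.append(f"server {i}: BindProfile{i} and clear-text {', '.join(clear)} both set")
        elif not has_bind and 0 < len(clear) < 3:
            findings.append(f"server {i}: Server{i}, AuthName{i} and AuthPwd{i} must all be set")
        elif not has_bind and not clear:
            findings.append(f"server {i}: no bind settings, IRR.PROXY.DEFAULTS PROXY segment is used")
        if f"AuthPwd{i}" in params:
            findings.append(f"server {i}: AuthPwd{i} stores the LDAP bind password in the clear")
    return findings
```

Running `check_ldap_section(parse_ldap_section(SAMPLE_CONF))` reports only the clear-text AuthPwd1 on server 1; server 2, bound through its LDAPBIND profile, produces no finding.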