ldap.cfg File Format

Purpose

The secldapclntd LDAP client side daemon configuration file.

Description

The /etc/security/ldap/ldap.cfg file contains information for the secldapclntd daemon to start and function properly as well as information for fine tuning the daemon's performance. The /etc/security/ldap/ldap.cfg file is updated by the mksecldap command at client setup.

The /etc/security/ldap/ldap.cfg file may contain the following fields:

Item	Description
ldapservers	Specifies a comma separated list of Lightweight Directory Access Protocol (LDAP) Security Information Servers. These servers can either be the primary server or the replica of the primary server. The first server in the list has the highest priority.
binddn	Specifies the distinguished name (DN) LDAP used to bind to the LDAP Security Information Server(s).
bindpwd	Specifies the password for the binddn.
authtype	Specifies the authentication mechanism to use. Valid values are unix_auth and ldap_auth. The default is unix_auth. unix_auth - Retrieves the user password from LDAP and authenticate the user locally. ldap_auth - Binds to the LDAP server as the authenticating user in order to authenticate. Note: Password will be sent in clear text to the LDAP server for ldap_auth authentication mechanism. Use of SSL is strongly encouraged.
useSSL	Specifies whether to use the SSL communication. Valid values are yes, SSL, TLS, NONE and no. The default value is no. Note: You will need the SSL key and the password to the key to enable this feature.
ldapsslkeyf	Specifies the full path of the SSL or TLS key.
ldapsslkeypwd	Specifies the password of the SSL or TLS key. Note: Comment out this line to use stashed password. The password stash file must reside in the same directory as the SSL, or TLS key, and must have the same name as the key file but with an extension of .sth instead of .kdb.
useKRB5	Specifies whether to use Kerberos for the initial bind to the server. Valid values are yes or no. The default is no. Note: The Kerberos principal, key path and kinit command directory are required to enable this feature. If Kerberos bind is enabled then the binddn and bindpwd are not required.
krbprincipal	Specifies the Kerberos principal used to bind to the server.
krbkeypath	Specifies the path to the kerberos keytab. The default is /etc/security/ldap/krb5.keytab.
krbcmddir	Specifies the directory that contains the Kerberos kinit command. The default is /usr/krb5/bin/.
pwdalgorithm	Specifies the password encryption algorithm used for the unix_auth mode. The ldap_auth mode ignores this attribute. Valid value is either crypt or system. The default value is crypt. crypt Specifies the legacy crypt() (DES) algorithm. system Specifies to use the system-wide password algorithm configured in the /etc/security/login.cfg file. To use the system-wide password algorithm, the LDAP server's password encryption must be disabled to avoid double encryption. Double encryption can make the password unusable. Ensure that all clients of the LDAP server understand the algorithm that is used.
userattrmappath	Specifies the full path to the AIX®-LDAP attribute map for users.
groupattrmappath	Specifies the full path to the AIX-LDAP attribute map for groups.
idattrmappath	Specifies the full path to the AIX-LDAP attribute map for IDs. These IDs are used by the mkuser command when creating LDAP users.
userbasedn	Specifies the user base DN. For more information, see Detailed information.
groupbasedn	Specifies the group base DN. For more information, see Detailed information.
idbasedn	Specifies the ID base DN. For more information, see Detailed information.
hostbasedn	Specifies the host base DN. For more information, see Detailed information.
servicebasedn	Specifies the service base DN. For more information, see Detailed information.
protocolbasedn	Specifies the protocol base DN. For more information, see Detailed information.
networkbasedn	Specifies the network base DN. For more information, see Detailed information.
netgroupbasedn	Specifies the netgroup base DN. For more information, see Detailed information.
rpcbasedn	Specifies the RPC base DN. For more information, see Detailed information.
aliasbasedn	Specifies the alias base DN. For more information, see Detailed information.
automountbasedn	Specifies the automount base DN. For more information, see Detailed information.
bootparambasedn	Specifies the bootparams base DN. For more information, see Detailed information.
etherbasedn	Specifies the ether base DN. For more information, see Detailed information.
authbasedn	Specifies the authorizations base DN. For more information, see Detailed information.
rolebasedn	Specifies the roles base DN. For more information, see Detailed information
privcmdbasedn	Specifies the privileged commands base DN. For more information, see Detailed information
privdevbasedn	Specifies the privileged devices base DN. For more information, see Detailed information
privfilebasedn	Specifies the privileged files base DN. For more information, see Detailed information
domainbasedn	Specifies the domain base DN. For more information, see Detailed information
domobjbasedn	Specifies the domain object base DN. For more information, see Detailed information
tsddatbasedn	Specifies the file’s Trusted Signature Database base DN. For more information, see Detailed information.
tepoliciesbasedn	Specifies the machine’s trusted execution policies base DN. For more information, see Detailed information.
userclasses	Specifies a comma-separated list of object classes that are used for the user entry. For more information, see Detailed information.
groupclasses	Specifies a comma-separated list of object classes that are used for the group entry. For more information, see Detailed information.
ldapversion	Specifies the LDAP server protocol version. Default is 3.
ldapport	Specifies the port on which the LDAP server listens to. The default value is 389. Also, TLS use this port as default port.
ldapsslport	Specifies the SSL port on which the LDAP server listens. The default value is 636.
followaliase	Specifies whether to follow aliases. Valid values are `NEVER, SEARCHING, FINDING`, and `ALWAYS`. Default is `NEVER`.
usercachesize	Specifies the user cache size. Valid values are 100 - 65536 entries. The default value is 1000.
groupcachesize	Specifies the group cache size. Valid values are 10 - 65536 entries. The default value is 100.
cachetimeout	Specifies the cache TTL (time to live) for users and groups. Value must be >=0 seconds. Default is 300. Set to 0 to disable caching. Note: The cachetimeout field is a deprecated attribute. Please use the usercachetimeout and groupcachetimeout attributes instead.
usercachetimeout	Specifies the cache TTL (time to live) for users. Value must be >= 0 seconds. Default is 300. Set to 0 to disable user caching. When specified, this value overrides the cachetimeout setting.
groupcachetimeout	Specifies the cache TTL (time to live) for groups. Value must be >= 0 seconds. Default is 300. Set to 0 to disable group caching. When specified, this value overrides the cachetimeout setting.
ldapsizelimit	Specifies the maximum entries to be reqested to the ldap server in an ALL query. Default is 0 (no limit). If the ldapsizelimit is greater than the server size limit, the server size limits the number of entries returned. Setting the ldapsizelimit to a lower number increases the performance of some commands. For example, the lsuser -R LDAP ALL command.
heartbeatinterval	Specifies the interval in seconds that the client contacts the server for server status. Valid values are 60 - 3,600 seconds. Default is 300.
numberofthread	Specifies the number of threads for the secldapclntd daemon. Valid values are 1 - 256. Default is 10.
nsorder	Specifies the order of host name resolution by the secldapclntd daemon. The default order is dns, nis, local. For more information about valid resolvers, see TCP⁄IP Name Resolution. Note: Do not use nis_ldap, because it could result in the secldapclntd daemon hang.
searchmode	Specifies the set of user and group attributes to be retrieved. This attribute is intended for use for performance reasons. The AIX commands may not be enabled to support all non-OS attributes. Valid values are ALL and OS. The default is ALL. ALL - Retrieve all attributes of an entry. OS - Retrieve only the operating system required attributes of an entry. Non-OS attributes like telephone number, binary images etc. will not be returned. Note: Only use OS when entries have many non-OS required attributes or attributes with large value, e.g. binary data, to reduce sorting effort by the LDAP server.
defaultentrylocation	Specifies the location of the default entry. Valid values are ldap and local. The default is ldap. ldap - Use the default entry in LDAP for all attribute default values. local - Use the default stanza from local /etc/security/user file for all attribute default values.
ldaptimeout	Specifies the timeout period in seconds for LDAP client requests to the server. This value determines how long the client will wait for a response from the LDAP server. Valid range is 0 - 3600 (1 hour). Default is 60 seconds. Set this value to 0 to disable the timeout.
connectionsperserver	Specifies the maximum number of connections to the LDAP server. If the specified value is greater than the value in the numberofthread field, the secldapclntd field uses the value of the numberofthread field instead. The secldapclntd daemon starts with one connection and dynamically adds new connections at high LDAP request demand into the connectionsperserver field, and closes the idle connections at low demand. The valid value of this field ranges from 1 through 100. The default value is 10.
connectionmissratio	Specifies the percentage of LDAP operations that can miss an LDAP handle in the first attempt (handle-miss). If the number of missed attempts reaches this value, the secldapclntd daemon adds a new connection. The total number of connections do not exceed the value of the connectionsperserver field. The valid value of this field ranges from 10 through 90. The default value is 50.
newconnT	Specifies the interval to check for connection-miss-ratio (connectionmissratio) to determine if a new connection needs to be created.
connectiontimeout	Specifies time in seconds that an LDAP connection to the server can be idle before the secldapclntd daemon closes it. The valid value is 5 seconds or greater. The default value is 300.
serverschematype	Specifies the schema type of the LDAP server. It is set by the mksecldap command at LDAP client configuration time. Do not modify this attribute. Valid values are: rfc2307aix, rfc2307, aix, sfu30, and sfur2.
enableutf8_xlation	Enables the saving of data to the LDAP server in UTF-8 format. Valid values are yes and no. The default value is no.
rbacinterval	Specifies the time interval (in seconds) for the secldapclntd daemon to invoke the setkst command to update the kernel RBAC tables. The value must be greater than 60 seconds. Set the value to 0 to disable the setkst command. The default value is 3600.
useprivport	Specifies whether to use local privileged ports to connect to LDAP servers. The valid values are yes and no. The default value is no. The useprivport attribute is for backward compatibility only.
memberfulldn	Specifies whether to use DN or account name for group members. The valid values are yes and no. The default value is no. In most cases when you use account names, do not change the value of the memberfulldn attribute. If you want group members in DN format, set the value to yes. For backward compatibility, if the LDAP server is Active Directory, the group member attribute is mapped to the msSFU30PosixMember member. The secldapclntd daemon always uses DN format regardless of this setting.
pwdpolicydn	Specifies the DN of the LDAP server global password policies. The secldapclntd daemon uses this policy entry to inform the user what is wrong in case of a noncompliant password. If you have specified password policies, these policies are used instead of the global policies.
usrkeystorebasedn	Specifies the User’s EFS PKCS#12 keystore base DN. For more information, see Detailed information.
grpkeystorebasedn	Specifies the Groups’s EFS PKCS#12 keystore base DN. For more information, see Detailed information.
efscookiesbasedn	Specifies the EFS Cookie base DN. For more information, see Detailed information.
admkeystorebasedn	Specifies the EFS Admin’s PKCS#12 keystore base DN. For more information, see Detailed information.
followreferrals	Specifies if the AIX LDAP client should chase the referrals received from the LDAP server. The valid values are on and off, default is on meaning chase the referrals.
caseExactAccountName	Specifies whether to match account names as case-sensitive or case-insensitive. Most LDAP servers treat account names as case-insensitive. Therefore, account names like foo, Foo, FOo, and FOO are treated as the same user, and these servers allow only one of them defined in LDAP. The valid values are: No Specifies to return account name which matches the requested name as case-insensitive. For example, querying user foo may return any of foo, Foo, FOo, and FOO. This is the default value. Yes Specifies to return account name which matches the requested name as case-sensitive. For example, querying user foo will fail if one of the names Foo, FOo, or FOO exists in LDAP instead of foo.
auditpolicy	Specifies the action that needs to be taken if there is any change in audit configuration on LDAP. It is effective only when an attribute auditrefreshed is set. It takes following two values: WARN Logs in message in the syslog file on LDAP client, whenever there is a change in audit configuration on LDAP so that administrator starts auditing on the LDAP client. RESTART Automatically starts the auditing on the LDAP client, whenever there is a change in audit configuration on LDAP.
auditrefreshed	Specifies the time interval (in seconds) or time in 24 hour format for the secldapclntd daemon to take action according to the auditpolicy attribute. If the auditpolicy attribute is not set then this attribute is disabled. The time interval mentioned in seconds. The value must be greater than 60 seconds. Set the value to 0 to disable it. The default value is 3600. If the time is mentioned in 24 hr format then it should start with letter T.

Detailed information

Multiple base DNs
All of the base DN attributes accept multiple values, with each <basedn>: <value> pair on a separate line. For example, to allow users in the ou=dept1users,cn=aixdata base DNs and the ou=dept2users,cn=aixdata base DNs to log in to the system, you can specify the userbasedn attribute as follows:
```
userbasedn: ou=dept1users,cn=aixdata
userbasedn: ou=dept2users,cn=aixdata
```
You can specify up to 10 base DNs for each entity in the /etc/security/ldap/ldap.cfg file. The base DNs are prioritized in the order they appear in the /etc/security/ldap/ldap.cfg file. The following list describes the system behaviors in regards to multiple base DNs:
- Query operations, such as the lsuser command, are done according to the base DN order that is specified until a matching account is found. A failure is returned only if all of the base DNs are searched without finding a match.
- Modification operations, such as the chuser command, are done to the first matching account.
- Deletion operations, such as the rmuser command, are done to the first matching account.
- Creation operations, such as the mkuser command, are done only to the first base DN.
Domain RBAC base DNs
```
#domainbasedn:ou=domains,cn=aixdata
#domobjbasedn:ou=domobjs,cn=aixdata
```
The time interval in minutes specifies the frequency in which the kernel RBAC and the domain RBAC tables are updated. A value of 0 disables the automatic update.
```
rbacinterval: 0
```
Extended base DN format
You can specify optional parameters of search scope and search filter for base DN attributes. You can append the parameters to the base DN with fields separated by question mark (?) characters. The following list shows the valid base DN formats:
- This format represents the default format that the secldapclntd daemon uses:
```
userbasedn: ou=people, cn=aixdata
```
- This format limits the search by a scope attribute:
```
userbasedn: ou=people, cn=aixdata?scope
```
  The scope attribute accepts the following values:
  - sub
  - one
  - base
  If you do not specify the scope attribute, the default value is sub.
- This format limits the search by a filter attribute.
```
userbasedn: ou=people, cn=aixdata??filter 
```
  The filter attribute limits the entries that are defined in the LDAP server. You can use this filter to make only users with certain properties visible to the system. The following list shows some valid filter formats, where attribute is the name of an LDAP attribute, and value specifies the search criteria, which can be a wild card (*).
  - (attribute=value)
  - (&(attribute=value)(attribute=value))
  - (|(attribute=value)(attribute=value))
- This format uses both a scope attribute and a filter attribute.
```
userbasedn: ou=people, cn=aixdata?scope?filter
```
Object classes
The first object class in the list is the key object class, which can be used for search operations. By default, the keyobjectclass attribute in the attribute mapping file is used for this purpose. But if the mapping file does not exist, or the keyobjectclass attribute is not present in the mapping file, the first object class in this list is used.