Multiple base DN support

AIX® supports multiple base DNs. Up to 10 base DNs for each entity can be specified in the /etc/security/ldap/ldap.cfg file.

The base DNs are prioritized in the order they appear in the /etc/security/ldap/ldap.cfg file. When multiple base DNs are defined, AIX commands operate according to that priority, with the following behavior:
  • A query operation (for example, by the lsuser command) searches the base DNs in priority order until a matching account is found; failure is returned only if all of the base DNs have been searched without a match. Querying for ALL returns the accounts from every base DN.
  • A modification operation (for example, by the chuser command) is applied to the first matching account.
  • A delete operation (for example, by the rmuser command) is applied to the first matching account.
  • A creation operation (for example, by the mkuser command) is applied only to the first base DN. AIX does not support creating accounts in the other base DNs.

It is the directory server administrator's responsibility to maintain a collision-free account database. If the same account is defined more than once, each under a different subtree, only the first definition is visible to AIX: a search operation returns only the first matching account, and a modification or delete operation is applied only to that first matching account. Definitions under lower-priority base DNs are silently shadowed.

The mksecldap command, when used to configure an LDAP client, finds the base DN for each entity and saves it to the /etc/security/ldap/ldap.cfg file. When multiple base DNs are available on the LDAP server for an entity, the mksecldap command picks any one of them at random. To have AIX work with multiple base DNs, edit the /etc/security/ldap/ldap.cfg file after the mksecldap command has completed successfully: find the base DN definition for the entity and add the additional base DNs you need, in the priority order you want. AIX supports up to 10 base DNs for each entity; any additional base DNs are ignored.

AIX also supports a user-defined filter and search scope for each base DN. A base DN can have its own filter and scope, which may differ from those of its peer base DNs. Filters define the set of accounts that are visible to AIX: only those accounts that satisfy a base DN's filter are visible through that base DN.
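The following added example is not part of the AIX documentation or of any AIX tool. It models the behavior described above for the userbasedn entity: it parses the userbasedn lines of a constructed ldap.cfg excerpt in file order, applies the 10-entry limit, resolves a name to the first matching account, and reports account names that exist under more than one base DN (the collision case the page warns about). The `?scope=...?filter=...` suffix on a base DN, the single-clause equality filter matcher, and the sample subtree contents are assumptions made for illustration, not the documented ldap.cfg syntax.

```python
"""Added example, not from the AIX documentation: model base DN priority,
per-base-DN filters and account collisions for the userbasedn entity."""
import re
from collections import OrderedDict

MAX_BASE_DNS = 10  # AIX uses at most 10 base DNs per entity; extras are ignored

# Constructed ldap.cfg excerpt. The '?scope=?filter=' suffix is an ASSUMED
# notation for the per-base-DN scope and filter the page mentions.
LDAP_CFG = """\
# entity base DNs, highest priority first
userbasedn:ou=people,cn=aixdata
userbasedn:ou=contractors,cn=aixdata?scope=one?filter=(department=ops)
userbasedn:ou=legacy,cn=aixdata
groupbasedn:ou=groups,cn=aixdata
"""

# Constructed directory contents per subtree: uid -> attributes (sample data).
SUBTREES = {
    "ou=people,cn=aixdata": {
        "alice": {"uidNumber": "1001", "department": "eng"},
        "bob":   {"uidNumber": "1002", "department": "eng"},
    },
    "ou=contractors,cn=aixdata": {
        "bob":   {"uidNumber": "5002", "department": "ops"},    # collides, shadowed
        "carol": {"uidNumber": "5003", "department": "sales"},  # excluded by filter
        "dave":  {"uidNumber": "5004", "department": "ops"},
    },
    "ou=legacy,cn=aixdata": {
        "alice": {"uidNumber": "9001", "department": "eng"},    # collides, shadowed
        "erin":  {"uidNumber": "9005", "department": "eng"},
    },
}


def parse_base_dns(cfg_text, entity="userbasedn"):
    """Return [(dn, scope, filter)] for one entity, in file order, capped at 10."""
    entries = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep != ":" or key.strip() != entity:
            continue
        dn, *opts = value.strip().split("?")
        scope, flt = "sub", None  # assumed defaults when no suffix is given
        for opt in opts:
            k, _, v = opt.partition("=")
            if k == "scope":
                scope = v
            elif k == "filter":
                flt = v
        entries.append((dn, scope, flt))
    return entries[:MAX_BASE_DNS]


_FILTER_RE = re.compile(r"^\((\w+)=([^)]*)\)$")


def matches_filter(attrs, flt):
    """Evaluate a single-clause equality filter such as (department=ops);
    a value of '*' matches any present attribute. None means no filter."""
    if flt is None:
        return True
    m = _FILTER_RE.match(flt)
    if not m:
        raise ValueError(f"unsupported filter syntax: {flt}")
    attr, value = m.groups()
    return attr in attrs and (value == "*" or attrs[attr] == value)


def visible_accounts(base_dns, subtrees):
    """Yield (uid, dn, attrs) for every account AIX can see, in priority order.
    Duplicated names appear once per subtree, as a query for ALL would return them."""
    for dn, _scope, flt in base_dns:
        for uid, attrs in subtrees.get(dn, {}).items():
            if matches_filter(attrs, flt):
                yield uid, dn, attrs


def resolve(name, base_dns, subtrees):
    """First matching account wins (lsuser/chuser/rmuser behavior); None if absent."""
    for uid, dn, attrs in visible_accounts(base_dns, subtrees):
        if uid == name:
            return dn, attrs
    return None


def find_collisions(base_dns, subtrees):
    """Map uid -> [dns in priority order] for names defined in more than one subtree.
    The first DN is the one AIX will act on; the rest are shadowed."""
    seen = OrderedDict()
    for uid, dn, _ in visible_accounts(base_dns, subtrees):
        seen.setdefault(uid, []).append(dn)
    return {uid: dns for uid, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    dns = parse_base_dns(LDAP_CFG)
    print("mkuser creates only under:", dns[0][0])
    for uid, where in find_collisions(dns, SUBTREES).items():
        print(f"collision: {uid} resolved from {where[0]}, shadowed in {where[1:]}")
```

Run the collision check after every ldap.cfg edit and after adding a base DN: a shadowed definition never shows up in lsuser output, so an account that an administrator believes was removed with rmuser may still exist under a lower-priority subtree and become visible the moment the base DN order changes.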