secldapclntd Daemon

Purpose

Provides and manages the connection, and handles the transactions, between the LDAP load module and the LDAP Security Information Server.

Syntax

/usr/sbin/secldapclntd [ -C CacheSize ] [ -p NumOfThread ] [ -t CacheTimeOut ] [ -T HeartBeatIntv ] [ -o ldapTimeOut ]

Description

The secldapclntd daemon accepts requests from the LDAP load module, forwards the request to the LDAP Security Information Server, and passes the result from the server back to the LDAP load module. This daemon reads the configuration information defined in the /etc/security/ldap/ldap.cfg file during its startup, authenticates to the LDAP Security Information Server using the specified server distinguished name and password, and establishes a connection between the local host and the server.

If multiple servers are specified in the /etc/security/ldap/ldap.cfg file, the secldapclntd daemon connects to all of the servers. At any given time, however, it talks to only one of them. The priority of a server connection is determined by its position in the server list, with the highest-priority server listed first. The secldapclntd daemon can detect when the server it is currently communicating with is down, and automatically switches to another available server. It can also detect when a server becomes available again and re-establish a connection to that server. If the reconnected server has a higher priority than the current server, communication is switched to it. The daemon implements this auto-detection by checking each of the servers periodically. The time interval between subsequent checks defaults to 300 seconds, and can be changed at daemon startup from the command line with the -T option or by modifying the heartbeatinterval value in the /etc/security/ldap/ldap.cfg file.

At startup, the secldapclntd daemon tries to establish a connection to the LDAP servers. If it cannot connect to any of the servers, it goes to sleep, and tries again in 30 seconds. It repeats this process twice, and if it still cannot establish any connection, the secldapclntd daemon process exits.

The secldapclntd daemon is a multi-threaded program. The default number of threads used by this daemon is 10. An administrator can fine-tune the system performance by adjusting the number of threads used by this daemon.

The secldapclntd daemon caches information retrieved from the LDAP Security Information Server for performance purposes. If the requested data is found in the cache and the cache entry has not expired, the data in the cache is handed back to the requester. Otherwise, the secldapclntd daemon requests the information from the LDAP Security Information Server.

The valid number of cache entries for users is in the range of 100-10,000, and that for groups is in the range of 10-1,000. The default is 1000 entries for users, and 100 entries for groups.

The cache timeout or TTL (time to live) can be from 60 seconds to 1 hour (60*60=3600 seconds). By default, a cache entry expires in 300 seconds. If the cache timeout is set to 0, the caching feature is disabled.

Communication between the secldapclntd daemon and the LDAP server is performed using asynchronous methods. This allows the daemon to request information from the server and then perform other steps while waiting for the request to return. The length of time that the client will wait for a response from a server is configurable by the administrator and defaults to 60 seconds.

When connecting to LDAP servers, the secldapclntd daemon needs to do host lookups. The nis_ldap resolver may cause the lookup to be routed back to the daemon itself, resulting in a hang situation. To avoid this problem, the secldapclntd daemon ignores the system order of name resolution. Instead, it uses the order defined by the nsorder attribute in the /etc/security/ldap/ldap.cfg file.

Flags

Note: By default, the secldapclntd daemon reads the configuration information specified in the /etc/security/ldap/ldap.cfg file at startup. If the following options are given on the command line when starting the secldapclntd process, the options from the command line will override the values in the /etc/security/ldap/ldap.cfg file.
Flag              Description
-C CacheSize      Sets the maximum number of cache entries used by the secldapclntd daemon to CacheSize entries. The valid range is 100-65536 entries for the user cache; the default value is 1000. The valid range is 10-65536 entries for the group cache; the default value is 100. If you set the user cache size with the -C option of the start-secldapclntd command, the group cache size is set to 10% of the user cache size.
-o ldapTimeOut    Timeout period in seconds for LDAP client requests to the server. This value determines how long the client waits for a response from the LDAP server. The valid range is 0-3600 seconds (1 hour). The default is 60 seconds. Set this value to 0 to disable the timeout and force the client to wait indefinitely.
-p NumOfThread    Sets the number of threads used by the secldapclntd daemon to NumOfThread threads. The valid range is 1-256. The default is 10.
-t CacheTimeOut   Sets cache entries to expire after CacheTimeOut seconds. The valid range is 60-3600 seconds. The default is 300 seconds.
-T HeartBeatIntv  Sets the heartbeat interval between this client and the LDAP server. The valid range is 60-3600 seconds. The default is 300 seconds.

Examples

  1. To start the secldapclntd daemon, type:
    /usr/sbin/secldapclntd
  2. To start the secldapclntd daemon using 20 threads and a cache timeout of 600 seconds, type:
    /usr/sbin/secldapclntd -p 20 -t 600

Use of the start-secldapclntd command is recommended for starting the secldapclntd daemon. It is also recommended that configuration values be specified in the /etc/security/ldap/ldap.cfg file instead of on the command line, so that these values are used each time you start the secldapclntd process.
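The following pre-flight wrapper is an added example and is not part of this manual page or of AIX itself. It checks every command-line flag value against the ranges listed in the Flags section before the daemon is started, so that a typo in an operations runbook (a thread count of 300, a cache TTL of 30 seconds) is caught on the command line rather than left for the daemon to interpret. Only the flag names and ranges from this page are used; the function names in_range and check_secldapclntd_flags and the DRY_RUN variable are this example's own. The special value 0 for -t is accepted because the Description section states that a cache timeout of 0 disables caching, and the wrapper warns about it because every lookup then goes to the LDAP server.

```shell
#!/bin/sh
# Added example: validate secldapclntd flags against the documented ranges
# before starting the daemon. Not part of the secldapclntd manual page.

# in_range VALUE MIN MAX: succeed when VALUE is a non-negative integer in [MIN, MAX].
in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_secldapclntd_flags FLAG VALUE ...: return 0 when every value is in its
# documented range, 1 otherwise (one message per fault on stderr).
check_secldapclntd_flags() {
    rc=0
    while [ $# -gt 0 ]; do
        flag=$1
        shift
        case "$flag" in
            -C|-o|-p|-t|-T)
                val=${1:-}
                if [ $# -gt 0 ]; then shift; fi ;;
            *)
                echo "$flag: unknown secldapclntd flag" >&2
                rc=1
                continue ;;
        esac
        case "$flag" in
            -C) # user cache entries 100-65536; group cache becomes 10% of this
                in_range "$val" 100 65536 || { echo "-C $val: CacheSize must be 100-65536" >&2; rc=1; } ;;
            -o) # LDAP request timeout 0-3600 seconds; 0 waits indefinitely
                in_range "$val" 0 3600 || { echo "-o $val: ldapTimeOut must be 0-3600" >&2; rc=1; } ;;
            -p) # worker threads 1-256
                in_range "$val" 1 256 || { echo "-p $val: NumOfThread must be 1-256" >&2; rc=1; } ;;
            -t) # cache TTL 60-3600 seconds, or 0 to disable caching entirely
                if [ "$val" = 0 ]; then
                    echo "-t 0: caching disabled, every lookup goes to the LDAP server" >&2
                elif ! in_range "$val" 60 3600; then
                    echo "-t $val: CacheTimeOut must be 60-3600 (or 0 to disable)" >&2
                    rc=1
                fi ;;
            -T) # heartbeat interval 60-3600 seconds
                in_range "$val" 60 3600 || { echo "-T $val: HeartBeatIntv must be 60-3600" >&2; rc=1; } ;;
        esac
    done
    return $rc
}

# Usage: DRY_RUN=1 sh this_script.sh -p 20 -t 600
# With arguments, validate them and then start the daemon unless DRY_RUN=1.
if [ $# -gt 0 ]; then
    check_secldapclntd_flags "$@" || exit 1
    echo "flags within documented ranges: /usr/sbin/secldapclntd $*"
    [ "${DRY_RUN:-0}" = 1 ] || exec /usr/sbin/secldapclntd "$@"
fi
```

The wrapper only reproduces the ranges this page documents; it does not parse /etc/security/ldap/ldap.cfg, so values taken from that file (the recommended place for them) still apply unchanged when no flag overrides them.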