mksecldap Command

Commands Reference, Volume 3

mksecldap Command

Purpose

Sets up an AIX cluster to use LDAP for security authentication and data management.

Syntax

To Set Up an LDAP Server

mksecldap -server [-a adminDN] [-p adminpasswd] [-k ssl key file path]

To Enable an LDAP Client

mksecldap -client [-h hostlist] [-d AixTreeDN] [-u ALL|userlist] [-a adminDN] [-p adminpasswd] [-k ssl key file path] [-w client certificate password] [-t timeout]

Note: This command can be run by root user only.

Description

The mksecldap command sets up an AIX cluster consisting of one server, and one or more clients to use LDAP for security authentication and data management. This command must be run on the server and all the clients.

Note: The client (-c flag) and the server (-s flag) options cannot be run at the same time. When setting up a server, the mksecldap command should be run twice on that machine. Once to set up the server, and again to set up the client.

On the server side, the mksecldap command:

Sets up an alternate LDAP server program (via a different /etc/slapd.conf file) to serve the AIX subtree.
Sets up the schema and copies the data from the security database files into the LDAP database.
Sets up DN (Distinquished Names) and password for the AIX subtree. LDAP clients use this DN and password to bind.
Sets up indexes over the database for performance advantage.
If ssl (Secure Socket Layer) version is desired, then it expects to find the ssl key database file in the specified path.

On the client side, the mksecldap command:

Saves the list of hostnames, for the server and backup server, in a local file.
Saves the DN of the AIX subtree, the admin DN, it's password, and key file path and password, if ssl version is used, in the same local file.
Sets the list of users or all users to use LDAP by modifying their SYSTEM line in the user file.
Starts a daemon that receives requests from libs/libcs APIs and makes LDAP client library API calls.

Flags

On the server side:

-sserver	Indicates that the command is being run to setup the server.
-aadminDN	Specifies the adminDN to be used.
-padminpasswd	Specifies the cleartext password for the adminDN.
-kssl key file path	Specifies the ssl key file pathname.

On the client side:

-cclient	Indicates the command is being run to setup the client.
-hhostlist	Specifies a comma separated list of hostnames (server and backup server).
-dAIXTreeDN	Specifies DN of the AIX subtree.
-uuserlist ALL\|	Specifies the comma separated list of usernames. ALL to enable all users on the client.
-aadminDN	Specifies the adminDN to be used.
-padminpasswd	Specifies the cleartext password for the adminDN.
-kssl key file path	Specifies the path to the ssl key certificate.
-wclient certificate password	Password for the key certificate.
-tmaxtimeout	Amount of time the daemon will wait before unbinding with the server if there is no activity.

Files Accessed:

Mode	File

r	/etc/passwd
r	/etc/group
r	/etc/security/passwd
r	/etc/security/limits
r	/etc/security/user (on the server)
rw	/etc/security/user (on the clients)
r	/etc/security/environ
r	/etc/security/user.roles
r	/etc/security/lastlog
r	/etc/security/smitacl.user
r	/etc/security/mac_user
r	/etc/security/group
r	/etc/security/smitacl.group
r	/etc/security/roles
rw	/etc/security/login.cfg (on the server)
rw	/etc/slapd.conf (on the server)
rw	/etc/aix.slapd.conf (on the server)

Examples

To setup the server using ssl:

mksecldap -s -l -a  cn=admin,o=ibm,c=us  -p  adminpwd  -k 
/etc/security/ldap/server/key.kdb

To setup the client:

mksecldap  -c  -h / 
master.ldap.business.com,replica1.ldap.business.com,replica2.business.com  -d /
ou=aixtree,o=ibm,c=us  -u  joe,jack,jeremy  -a "cn=admin,o=ibm,c=us"  -p /
adminpwd -k/etc/security/ldap/client/key.kdb  -w clientpwd /

Related Information

LDAP Administrator's Guide