====== Configure LDAP AIX ======

Configure the client either from the command line:

<code>
mksecldap -c -h ldapserver1,ldapserver2 -a cn=root -p password -S rfc2307aix
</code>

or by editing the file /etc/security/ldap/ldap.cfg:

<code>
ldapservers:ldapserver1,ldapserver2
binddn:cn=proxyuser,dc=azienda,dc=local
bindpwd:secretpassword
authtype:ldap_auth
useSSL: yes
ldapsslkeyf:/etc/security/ldap/ldap.kdb
ldapsslkeypwd:password
serverschematype: rfc2307
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:ou=people,dc=azienda,dc=local
groupbasedn:ou=groups,dc=azienda,dc=local
</code>

Copy the file ldap.kdb into /etc/security/ldap: this key database contains the public key of the certification authority that issued the LDAP server certificate. Note that this file is generated with the program gsk7ikm.

Start the LDAP client daemon with:

<code>
start-secldapclntd
</code>

Test that the client works:

<code>
lsldap -a passwd
</code>

If the above procedure works, make the LDAP client daemon start automatically at boot:

<code>
mkitab 'ldapclntd:2:once: /usr/sbin/secldapclntd > /dev/console 2>&1'
</code>

In the file /usr/lib/security/methods.cfg enable the LDAP module with:

<code>
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
</code>

Set the default authentication method to LDAP:

<code>
chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or files"
chsec -f /etc/security/user -s default -a "registry=LDAP"
</code>

Enable the creation of the user's home directory at first login. This applies to STD_AUTH (standard authentication) and is available since AIX 6.1 TL2; for PAM_AUTH (PAM authentication), add the corresponding parameter to /etc/pam.conf instead.

<code>
chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
</code>

To keep local login working, specify the following in each local user's stanza in /etc/security/user:

<code>
SYSTEM = "files"
registry = files
</code>

Before doing anything, install the following packages. You can find them on the AIX media.

<code>
idsldap.clt32bit61.rte             6.1.0.17  C  F  Directory Server - 32 bit
idsldap.clt64bit61.rte             6.1.0.17  C  F  Directory Server - 64 bit
idsldap.clt_max_crypto32bit61.rte
idsldap.clt_max_crypto64bit61.rte
idsldap.cltbase61.adt              6.1.0.17  C  F  Directory Server - Base Client
idsldap.cltbase61.rte              6.1.0.17  C  F  Directory Server - Base Client
</code>

Then re-establish the links with the following command:

<code>
/opt/IBM/ldap/V6.1/bin/idslink -l 64
</code>

==== Start/Stop IBM LDAP ====

The server instance is started from /etc/inittab and stopped from /etc/rc.shutdown:

<code>
root@itds_server - /root >cat /etc/inittab | grep ldap
ldapd63:2:once: /opt/IBM/ldap/V6.3/sbin/ibmslapd -I ldapdb2 -f/home/ldapdb2/idsslapd-ldapdb2/etc/ibmslapd.conf > /dev/console 2>&1
ids0:2345:once:/opt/IBM/ldap/V6.3/sbin/ibmdiradm -I ldapdb2 > /dev/null 2>&1 #Autostart IBM LDAP Admin Daemon Instance
idsweb:2:once:/opt/IBM/ldap/V6.3/idstools/bin/startWebadminApp > /dev/null 2>&1
</code>

<code>
root@itds_server - /root >cat /etc/rc.shutdown
#!/bin/ksh
#CT_NODE_RUNSTATE_BEGIN: Do not modify this section manually
if [[ -f /usr/sbin/rsct/bin/ct_node_runstate ]]
then
    /usr/sbin/rsct/bin/ct_node_runstate -w SHUTDOWN
fi
#CT_NODE_RUNSTATE_END:

main () {
    /usr/bin/ibmslapd -k -I ldapdb2
    su - ldapdb2 -c "/opt/IBM/ldap/V6.3/sbin/64/ibmdiradm -k"
    su - ldapdb2 -c "/home/ldapdb2/sqllib/adm/db2stop"
    /opt/IBM/tdsV6.3db2/bin/db2fmcd -k
    /opt/IBM/ldap/V6.3/appsrv/profiles/TDSWebAdminProfile/bin/stopServer.sh server1
}

main > /etc/rc.shutdown.log 2>&1
# Exit 0 is required, else the server won't stop
exit 0
</code>
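As an added check for the client configuration described above (not part of the original page, nor IBM code), the following sh script audits an ldap.cfg for the settings that matter before the default stanza is switched to LDAP: useSSL together with the ldapsslkeyf key database, the bind identity, and the permissions on the file that stores bindpwd. The cn=admin pattern and the weak sample file are assumptions; on a real client run it as root against /etc/security/ldap/ldap.cfg.

```shell
#!/bin/sh
# Added example (not from the page or from IBM): audit a secldapclntd
# configuration file before switching the default stanza to "SYSTEM=LDAP or files".
# Keys and the "key:value" layout are those of the page's ldap.cfg; the
# sample file below is constructed.

# Print the value of key $2 from file $1 (first match, comment lines skipped).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Print one finding per line; the return code is the number of findings.
check_ldap_cfg() {
    f=$1; n=0
    ssl=$(cfg_get "$f" useSSL)
    case "$ssl" in
        yes|TLS)   # SSL on: the CA key database named by ldapsslkeyf must be set
            [ -n "$(cfg_get "$f" ldapsslkeyf)" ] ||
                { echo "useSSL=$ssl but ldapsslkeyf is not set"; n=$((n+1)); } ;;
        *)         # off or unset: bind password and user logins cross the wire in clear
            echo "useSSL=${ssl:-unset}: LDAP traffic is not encrypted"; n=$((n+1)) ;;
    esac
    case "$(cfg_get "$f" binddn)" in   # cn=admin is an assumed naming convention
        cn=root*|cn=admin*)
            echo "binddn is the directory administrator; bind as a read-only proxy user"
            n=$((n+1)) ;;
    esac
    # The file holds bindpwd: group/other bits (columns 5-10 of ls -l) must be clear.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f is readable by group/other but contains bindpwd"; n=$((n+1))
    fi
    return $n
}

# Constructed weak sample: the page's ldap.cfg with SSL off, the cn=root bind
# from the mksecldap one-liner, and mode 0644.
write_weak_sample() {
    cat > "$1" <<'EOF'
ldapservers:ldapserver1,ldapserver2
binddn:cn=root
bindpwd:secretpassword
authtype:ldap_auth
useSSL: no
EOF
    chmod 644 "$1"
}

tmp=$(mktemp) && write_weak_sample "$tmp" && check_ldap_cfg "$tmp"; rm -f "$tmp"
```

On the constructed sample the script reports three findings (no SSL, administrator bind, world-readable file) and exits with status 3.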