OpenLDAP server installation

Reset config from scratch

Optional
As root, clean up the /etc/openldap/slapd.d and /var/lib/ldap folders, then do the following (this is the post-install script from the openldap-servers package):

Create LDAP directory and change rights:

# mkdir /etc/openldap/slapd.d
# chown -R ldap. /etc/openldap/slapd.d

Then generate LDAP config:

# /usr/libexec/openldap/convert-config.sh -f /usr/share/openldap-servers/slapd.ldif &>/dev/null

Or:

# /sbin/runuser --shell /bin/sh --session-command  "/usr/sbin/slapadd -F /etc/openldap/slapd.d -n 0 -l /usr/share/openldap-servers/slapd.ldif" ldap

For information: if you plan to use the password policy overlay (ppolicy), uncomment the following block in /usr/share/openldap-servers/slapd.ldif:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath:  /usr/lib64/openldap
olcModuleload: ppolicy.la

Install LDAP server

LDAP server version 2.4.40

[root@rhldaph1 ~]# yum update && yum install openldap openldap-clients openldap-servers nss-pam-ldapd samba sudo

For LDAP client:

[root@rhldaph1 ~]# yum update && yum install openldap openldap-clients nss-pam-ldapd

LDAP Initialization

Starting LDAP server

[root@rhldaph1 ~]# mkdir /var/lib/ldap
[root@rhldaph1 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@rhldaph1 ~]# chown -R ldap. /var/lib/ldap

Manual start (for information, you can add -d 255 for debug):

[root@rhldaph1 ~]# /usr/sbin/slapd -u ldap -d 3 -F /etc/openldap/slapd.d -h "ldapi:// ldaps://0.0.0.0:636 ldap://127.0.0.1:389"

Or

systemctl start slapd

Verify access to LDAP server

[root@rhldaph1 openldap]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=mydom,dc=tst

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Base config

Suffix and RootDN:

[root@rhldapr1 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=mydom,dc=tst
EOF
[root@rhldapr1 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=mydom,dc=tst
EOF

Generate an LDAP password

For this test the password is: ld@pssw0rd

[root@rhldaph1 Packages]# slappasswd
New password:
Re-enter new password:
{SSHA}vGIzlcCnP35Tt/HkTtjZuakgOkiBg7Rs
[root@rhldapr1 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}vAIzlcCnP23Tt/HkTtjZuakgOkiBg7Rs
EOF

View the changes:

[root@rhldapr1 ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

Organization, Users, Groups

Create an organization tree and add a user. This is required to start; later you'll see how to create an LDAP user from a host.

[root@rhldaph1 cn=config]# vi user_init.ldif
dn: dc=mydom,dc=tst
objectClass: dcObject
objectClass: organizationalUnit
dc: mydom
ou: Mydom Dot Tst

dn: cn=Manager,dc=mydom,dc=tst
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
description: LDAP administrator
userPassword: {SSHA}vGIzlcCnP35Tt/HkTtjZuakgOkiBg7Rs

dn: ou=people,dc=mydom,dc=tst
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=mydom,dc=tst
objectClass: organizationalUnit
ou: groups

dn: uid=userldap1,ou=people,dc=mydom,dc=tst
homeDirectory: /home/ldapuser3
isAdministrator: false
loginShell: /usr/bin/ksh
uidNumber: 6001
gidNumber: 20000
passwordChar: *
uid: userldap1
cn: userldap1
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
objectClass: aixAuxAccount
objectClass: ibm-SecurityIdentities

dn: cn=grouptest1,ou=groups,dc=mydom,dc=tst
objectClass: top
objectClass: aixAuxGroup
objectClass: posixGroup
isAdministrator: false
gidNumber: 20000
cn: grouptest1
memberUid: userldap1

The following two commands are equivalent; only the second asks for a password:

ldapadd -Y EXTERNAL -H ldapi:/// -f user_init.ldif
Or
ldapadd -x -W -c -D "cn=Manager,dc=mydom,dc=tst" -f user_init.ldif
[root@rhldaph1 cn=config]# ldapadd -x -W -c -D "cn=Manager,dc=mydom,dc=tst" -f user_init.ldif
[root@rhldaph1 cn=config]# ldapsearch -x -D cn=Manager,dc=mydom,dc=tst -H ldap:// -b dc=mydom,dc=tst  -w ld@pssw0rd
[root@rhldaph1 cn=config]# ldapsearch -x -b "dc=mydom,dc=tst" -H ldaps://localhost
# extended LDIF
#
# LDAPv3
# base <dc=mydom,dc=tst> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mydom.tst
dn: dc=mydom,dc=tst
objectClass: dcObject
objectClass: organizationalUnit
dc: mydom
ou: Mydom Dot Tst

# Manager, mydom.tst
dn: cn=Manager,dc=mydom,dc=tst
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
description: LDAP administrator

Start options

If secure LDAP is required, change the SLAPD_URLS parameter:

[root@rhldaph1 sysconfig]# cat /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information

# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:///"

# Any custom options
#SLAPD_OPTIONS=""

# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

Enable / Start / Stop /Status LDAP as service

[root@rhldaph1 ~]# systemctl start slapd.service
[root@rhldaph1 ~]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-06-01 17:38:01 CEST; 1s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 23142 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 23126 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 23143 (slapd)
   CGroup: /system.slice/slapd.service
           └─23143 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Jun 01 17:38:01 rhldaph1 systemd[1]: Starting OpenLDAP Server Daemon...
Jun 01 17:38:01 rhldaph1 runuser[23129]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 01 17:38:01 rhldaph1 runuser[23129]: pam_unix(runuser:session): session closed for user ldap
Jun 01 17:38:01 rhldaph1 slapd[23142]: @(#) $OpenLDAP: slapd 2.4.40 (Nov 22 2015 13:57:05) $
                                               mockbuild@p8levm3.lon1.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/servers/slapd
Jun 01 17:38:01 rhldaph1 slapd[23143]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
                                       Expect poor performance for suffix "dc=mydom,dc=tst".
Jun 01 17:38:01 rhldaph1 slapd[23143]: slapd starting
Jun 01 17:38:01 rhldaph1 systemd[1]: Started OpenLDAP Server Daemon.

Manually start LDAP:

[root@rhldaph1 ~]# /usr/sbin/slapd -u ldap -F /etc/openldap/slapd.d -h "ldapi:// ldaps://0.0.0.0:636 ldap://127.0.0.1:389"

Add new schema to LDAP

List and add schema

List all schema installed

[root@rhldaph1 cn=config]# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(objectClass=olcSchemaConfig)" dn
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

The minimum schemas should be:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

List and update the LDAP config

[root@rhldaph1 cn=config]# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif 

Another method to configure base parameters

Remove old HDB file

[root@rhldaph1 ~]# cd /etc/openldap/slapd.d/cn=config
[root@rhldaph1 cn=config]# mv /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif /tmp

Prepare the parameters file

[root@rhldaph1 ~]# cat newhdb.ldif
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=ldapdom,dc=tst
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=ldapdom,dc=tst
olcRootPW: {SSHA}a23yJUEn9OqA2E6JXVBzfvaaw88IUy3t
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: objectClass eq
olcDbCacheSize: 20000
olcDbCheckpoint: 512 30
olcDbIDLcacheSize: 320000
olcDbConfig: set_lg_bsize 2097512
olcDbConfig: set_flags DB_LOG_AUTOREMOVE
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=ldapdom,dc=tst" write
  by * none
olcAccess: to *
  by self write
  by dn.base="cn=Manager,dc=ldapdom,dc=tst" write
  by * read

Apply parameters

[root@rhldaph1 ~]# slapd -F /etc/openldap/slapd.d -h "ldapi://"
[root@rhldaph1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f newhdb.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=hdb,cn=config"
[root@rhldaph1 ~]# cd /etc/openldap/slapd.d/cn=config
[root@rhldaph1 ~]# chown ldap.ldap *.ldif

Start LDAP

[root@rhldaph1 ~]# systemctl start slapd

Error

[root@rhldaph1 ldap]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2016-06-02 15:58:38 CEST; 11s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 29380 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
  Process: 29349 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)

Jun 02 15:58:38 rhldaph1 runuser[29376]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 02 15:58:38 rhldaph1 runuser[29376]: pam_unix(runuser:session): session closed for user ldap
Jun 02 15:58:38 rhldaph1 slapd[29380]: @(#) $OpenLDAP: slapd 2.4.40 (Nov 22 2015 13:57:05) $
                                               mockbuild@p8levm3.lon1.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/servers/slapd
Jun 02 15:58:38 rhldaph1 slapd[29380]: ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
Jun 02 15:58:38 rhldaph1 slapd[29380]: slapd stopped.
.......

List and add schema

https://wiki.debian.org/LDAP/OpenLDAPSetup

All available schemas are located in /etc/openldap/schema

[root@rhldaph1 cn=schema]# ls /etc/openldap/schema/
collective.ldif      corba.ldif    core.ldif    cosine.ldif    duaconf.ldif    dyngroup.ldif    inetorgperson.ldif   java.ldif     misc.ldif    nis.ldif       openldap.ldif   pmi.ldif     ppolicy.ldif collective.schema    corba.schema  core.schema  cosine.schema  duaconf.schema  dyngroup.schema  inetorgperson.schema java.schema   misc.schema  nis.schema     openldap.schema pmi.schema   ppolicy.schema

For AIX, copy the rfc2307aix.schema file from the annex: http://emmanuel.iffly.free.fr/doku.php?id=ldap:openldap_2.4#rfc2307aix.schema

Prepare the LDIF file creation:

# cat /tmp/schema.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/rfc2307aix.schema
# mkdir /tmp/slapd.d
# slaptest -f /tmp/schema.conf -F /tmp/slapd.d/
config file testing succeeded

Copy LDIF files and restart:

# cd /tmp/slapd.d/cn=config/cn=schema
# cp /etc/openldap/slapd.d/cn=config/cn=schema/cn={0\}core.ldif  /tmp
# cp *.ldif /etc/openldap/slapd.d/cn=config/cn=schema/
# cd /etc/openldap/slapd.d/cn=config/cn=schema/
# chown -R ldap.ldap /etc/openldap/slapd.d/cn=config/cn=schema/*.ldif
# systemctl restart slapd

Validate the full config

[root@rhldaph1 slapd.d]# slaptest -u
config file testing succeeded

Tuning

syslog

Add the lines, and restart syslog and slapd

[root@rhldaph1 ldap]# cat /etc/rsyslog.conf
......
# Log Openldap
local4.*    /var/log/slapd.log
[root@rhldaph1 ldap]# touch /var/log/slapd.log
[root@rhldaph1 ldap]# systemctl restart rsyslog
[root@rhldaph1 ldap]# systemctl restart slapd
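With local4 going to /var/log/slapd.log, the conn/op lines slapd writes at its stats log level are the natural place to watch for password guessing against the Manager DN and for simple binds that carry the password over a connection without TLS (the plain ldap:/// listener). The following Python script is an added example, not part of this page or of OpenLDAP: it correlates ACCEPT, TLS established, BIND and RESULT lines by connection id and reports failed simple binds per source IP and bind DN, plus simple binds made on non-TLS connections. It assumes olcLogLevel includes stats (which produces these lines); the log lines it runs on are constructed for the example, and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# Patterns for the conn/op lines slapd emits at the "stats" log level,
# as rsyslog writes them to /var/log/slapd.log via local4.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:\d+\)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

SIMPLE_BIND = "128"        # method=128 is a simple (password) bind
INVALID_CREDENTIALS = "49"  # LDAP resultCode invalidCredentials


def analyze_bind_log(lines: Iterable[str], threshold: int = 3) -> Dict[str, object]:
    """Correlate ACCEPT / TLS / BIND / RESULT lines per connection and report
    failed simple binds per (source IP, bind DN), plus simple binds that sent
    the password over a connection on which TLS was never established."""
    ip_of: Dict[str, str] = {}                 # conn id -> client IP
    tls_conns = set()                          # conn ids with TLS established
    pending: Dict[Tuple[str, str], str] = {}   # (conn, op) -> bind DN awaiting RESULT
    failed: Counter = Counter()
    cleartext: Counter = Counter()
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            ip_of[m.group(1)] = m.group(2)
            continue
        m = TLS_RE.search(line)
        if m:
            tls_conns.add(m.group(1))
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            # anonymous binds (empty dn) carry no password, so they are skipped
            if method == SIMPLE_BIND and dn:
                pending[(conn, op)] = dn
                if conn not in tls_conns:
                    cleartext[(ip_of.get(conn, "?"), dn)] += 1
            continue
        m = BIND_RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None and err == INVALID_CREDENTIALS:
                failed[(ip_of.get(conn, "?"), dn)] += 1
    # "?" appears as the IP when the ACCEPT line is missing (e.g. rotated away)
    return {
        "failed_binds": dict(failed),
        "cleartext_binds": dict(cleartext),
        "lockout_candidates": sorted(k for k, n in failed.items() if n >= threshold),
    }


# Constructed sample: three wrong passwords for the Manager DN over plain ldap://
# from 10.0.0.25, then one successful user bind over ldaps:// from 10.0.0.7.
SAMPLE_LOG = """\
Jun  2 16:01:12 rhldaph1 slapd[23143]: conn=1003 fd=14 ACCEPT from IP=10.0.0.25:49152 (IP=0.0.0.0:389)
Jun  2 16:01:12 rhldaph1 slapd[23143]: conn=1003 op=0 BIND dn="cn=Manager,dc=mydom,dc=tst" method=128
Jun  2 16:01:12 rhldaph1 slapd[23143]: conn=1003 op=0 RESULT tag=97 err=49 text=
Jun  2 16:01:13 rhldaph1 slapd[23143]: conn=1003 op=1 BIND dn="cn=Manager,dc=mydom,dc=tst" method=128
Jun  2 16:01:13 rhldaph1 slapd[23143]: conn=1003 op=1 RESULT tag=97 err=49 text=
Jun  2 16:01:14 rhldaph1 slapd[23143]: conn=1003 op=2 BIND dn="cn=Manager,dc=mydom,dc=tst" method=128
Jun  2 16:01:14 rhldaph1 slapd[23143]: conn=1003 op=2 RESULT tag=97 err=49 text=
Jun  2 16:02:40 rhldaph1 slapd[23143]: conn=1004 fd=15 ACCEPT from IP=10.0.0.7:50321 (IP=0.0.0.0:636)
Jun  2 16:02:40 rhldaph1 slapd[23143]: conn=1004 fd=15 TLS established tls_ssf=256 ssf=256
Jun  2 16:02:40 rhldaph1 slapd[23143]: conn=1004 op=0 BIND dn="uid=userldap1,ou=people,dc=mydom,dc=tst" method=128
Jun  2 16:02:40 rhldaph1 slapd[23143]: conn=1004 op=0 BIND dn="uid=userldap1,ou=people,dc=mydom,dc=tst" mech=SIMPLE ssf=0
Jun  2 16:02:40 rhldaph1 slapd[23143]: conn=1004 op=0 RESULT tag=97 err=0 text=
"""


def demo() -> Dict[str, object]:
    """Run the analysis over the constructed sample."""
    return analyze_bind_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point it at /var/log/slapd.log (for example `analyze_bind_log(open("/var/log/slapd.log"))`) to get the same report for a real server; the cleartext_binds bucket is the one to watch on a setup that, like the client config later on this page, uses ldap:// with `ssl no`.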

Rotate the slapd.log

[root@rhldaph1 logrotate.d]# cat /etc/logrotate.d/openldap
# OpenLDAP
/var/log/slapd.log {
   copytruncate
   missingok
   notifempty
   compress
   weekly
   rotate 10
   size=50M
   sharedscripts
   postrotate
      # OpenLDAP logs via syslog, restart syslog if running
      systemctl restart rsyslog
   endscript
}

Indexes

For better performance, define more indexes than the default.

Create an LDIF file: olcDbIndex.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Use ldapmodify to add these settings to the LDAP server:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif

Don't forget the "-" separator lines! After the command runs, slapd launches an internal task to build the indexes; don't stop slapd during this indexing.

Access control

Configuring 'chsh' and 'chfn' to work with LDAP

Create an LDIF file olcAccess.ldif with access permissions on the loginShell and gecos attributes for the user and the admins:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=loginShell,gecos
  by dn="cn=admin,dc=example,dc=com" write
  by self write
  by * read

Apply these new permissions to the LDAP server immediately with:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccess.ldif
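Both the olcAccess values in newhdb.ldif above (userPassword: self write, anonymous auth, Manager write, everyone else none; then a catch-all) and the {1}to attrs=loginShell,gecos rule just above are evaluated with first-match semantics: the first "to" clause whose target matches selects the rule, and within it the first matching "by" clause decides; nothing after that is consulted. Getting the order wrong silently widens access. The following Python script is an added example, not part of this page or of slapd: a simplified evaluator for this subset of the slapd.access(5) syntax ("*" and attrs= targets; *, self, anonymous, users, dn=/dn.base=/dn.exact= requesters) run over the page's own rules, and over the same rules in reversed order to show that anonymous clients could then read userPassword. The user DNs are constructed for the example.

```python
import re
from typing import List, Optional, Set, Tuple

# Access levels in increasing order of privilege, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

Rule = Tuple[Optional[Set[str]], List[Tuple[str, str]]]


def parse_access(directive: str) -> Rule:
    """Parse one olcAccess value (LDIF continuation lines already joined).
    Supported <what>: '*' or 'attrs=a,b'.  Supported <who>: '*', 'self',
    'anonymous', 'users', 'dn="..."', 'dn.base="..."', 'dn.exact="..."'.
    DNs containing whitespace are not handled (simplification of this example)."""
    text = re.sub(r"^\{\d+\}", "", directive.strip())  # drop the {n} ordering prefix
    if not text.startswith("to "):
        raise ValueError("directive must start with 'to': " + directive)
    what, *by_clauses = re.split(r"\s+by\s+", text[3:])
    what = what.strip()
    if what == "*":
        attrs = None  # applies to the entry and every attribute
    elif what.startswith("attrs="):
        attrs = {a.strip().lower() for a in what[len("attrs="):].split(",")}
    else:
        raise ValueError("unsupported <what> clause: " + what)
    bys = []
    for clause in by_clauses:
        who, level = clause.split()[:2]
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        bys.append((who, level))
    return attrs, bys


def _who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.(?:base|exact))?="([^"]*)"', who)
    if m:
        return requester is not None and requester.lower() == m.group(1).lower()
    raise ValueError("unsupported <who> clause: " + who)


def access_level(acls: List[Rule], requester: Optional[str], target_dn: str, attr: str) -> str:
    """The first <what> matching the target selects the rule; inside it the
    first matching <by> decides.  A selected rule with no matching <by>, or
    no matching rule at all, yields 'none', as slapd does once any access
    directive is configured."""
    for attrs, bys in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in bys:
            if _who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"


def allowed(acls: List[Rule], requester: Optional[str], target_dn: str, attr: str, needed: str) -> bool:
    """True when the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(acls, requester, target_dn, attr)) >= LEVELS.index(needed)


MANAGER = "cn=Manager,dc=ldapdom,dc=tst"
USER1 = "uid=userldap1,ou=people,dc=ldapdom,dc=tst"   # constructed entry DN
USER2 = "uid=userldap2,ou=people,dc=ldapdom,dc=tst"   # constructed entry DN

# The two olcAccess values from newhdb.ldif on this page, joined onto one line each.
PAGE_ACLS = [parse_access(d) for d in (
    'to attrs=userPassword by self write by anonymous auth by dn.base="%s" write by * none' % MANAGER,
    'to * by self write by dn.base="%s" write by * read' % MANAGER,
)]
# Same rules, reversed: the catch-all now shadows the userPassword rule.
SHADOWED_ACLS = list(reversed(PAGE_ACLS))
# The chsh/chfn rule from olcAccess.ldif on this page.
CHSH_ACL = parse_access('{1}to attrs=loginShell,gecos by dn="cn=admin,dc=example,dc=com" write by self write by * read')

if __name__ == "__main__":
    for label, acls in (("page order", PAGE_ACLS), ("reversed order", SHADOWED_ACLS)):
        for who in (None, USER1, USER2, MANAGER):
            print(label, who or "anonymous", "-> userPassword of userldap1:",
                  access_level(acls, who, USER1, "userPassword"))
```

slapd's own evaluation has more to it (entry-level access, dn.subtree and set clauses, control directives), so use this to reason about ordering and then confirm on the live server by binding as each identity with ldapsearch, as the page does with the Manager DN and with an anonymous search over ldaps.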

Clients authentication

Local Linux authentication

Local authentication

[root@rhldaph1 ~]# slapd -u ldap -d127 -h "ldap:/// ldaps:/// ldapi:///"
[root@rhldaph1 openldap]# ldapsearch  -x -D "cn=Manager,dc=mydom,dc=tst" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mydom,dc=tst> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
[root@rhldaph1 openldap]#  openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 CN = rhldaph1
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = rhldaph1
verify return:1
---
........
SSL handshake has read 839 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Linux clients

[root@rhlabh1 ~]# yum -y install openldap-clients nss-pam-ldapd
[root@rhlabh1 ~]# authconfig --enableldap  --enableldapauth --ldapserver=rhldaph1 --ldapbasedn="dc=mydom,dc=tst" --enablemkhomedir --update
[root@rhlabh1 openldap]# cat ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON    on
URI ldap://rhldaph1/
BASE dc=mydom,dc=tst

[root@rhlabh1 home]# cat /etc/nslcd.conf | grep -v '^#'
uid nslcd
gid ldap
uri ldap://rhldaph1/
base dc=mydom,dc=tst
ssl no
tls_cacertdir /etc/openldap/cacerts

[root@rhlabh1 home]# cat /etc/nsswitch.conf
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
...

[root@rhlabh1 openldap]# su - ldapuser1
Creating directory '/home/ldapuser1'.

AIX clients

Install the AIX LDAP client packages

Search IBM Fix Central https://www-945.ibm.com/support/fixcentral/ for the latest "IBM Security Directory Server" packages.

Example packages

6.4.0.10-ISS-ISDS-AIX-IF0010.tar.gz
8.0.50.67-ISS-GSKIT-AIX-FP0067.tar.gz

Untar the packages, then go into the directories and first install:

ISS-GSKIT-AIX

Then, in the ISS-ISDS-AIX folder, accept the license:

echo 1 | ./license/idsLicense
cd images
installp -agXY -d ./ idsldap.license64 idsldap.clt_max_crypto64bit64 idsldap.clt64bit64

The 32-bit LDAP client packages are also required:

installp -agXY -d ./ idsldap.clt32bit64 idsldap.clt_max_crypto32bit64
[root@aixsrv]/root# lslpp -Lc | egrep 'idsldap|GSK'
GSKit8:GSKit8.gskcrypt64.ppc.rte:8.0.50.67: : :C: :IBM GSKit Cryptography Runtime: : : : : : :0:0:/:
GSKit8:GSKit8.gskssl64.ppc.rte:8.0.50.67: : :C: :IBM GSKit SSL Runtime With Acme Toolkit: : : : : : :0:0:/:
idsldap.clt32bit64:idsldap.clt32bit64.rte:6.4.0.10: : :C: :Directory Server - 32 bit Client: : : : : : :0:0:/:
idsldap.clt64bit64:idsldap.clt64bit64.rte:6.4.0.10: : :C: :Directory Server - 64 bit Client: : : : : : :0:0:/:
idsldap.clt_max_crypto32bit64:idsldap.clt_max_crypto32bit64.rte:6.4.0.10: : :C: :Directory Server - 32 bit Client (SSL): : : : : : :0:0:/:
idsldap.clt_max_crypto64bit64:idsldap.clt_max_crypto64bit64.rte:6.4.0.10: : :C: :Directory Server - 64 bit Client (SSL): : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.adt:6.4.0.10: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.rte:6.4.0.10: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.license64:idsldap.license64.rte:6.4.0.10: : :C: :Directory Server - License: : : : : : :0:0:/:

Configure the AIX LDAP client

As the following example shows, if OpenLDAP is set up to use rfc2307aix, this is validated in the AIX config as serverschematype=RFC2307AIX:

[root@aixsrv]/root# mksecldap -c -h rhldaph1 -A ldap_auth -D ldap -d "dc=mydom,dc=tst" -a "cn=Manager,dc=mydom,dc=tst" -p ld@pssw0rd -S rfc2307aix  -u NONE

[root@aixsrv]/root# ls-secldapclntd
ldapservers=rhldaph1
current ldapserver=rhldaph1
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=0
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=RFC2307
userbasedn=ou=people,dc=mydom,dc=tst
groupbasedn=ou=groups,dc=mydom,dc=tst
userobjectclass=posixaccount,account,shadowaccount
groupobjectclass=posixgroup

[root@aixsrv]/root# ps -ef | grep ldap
    root 5767328       1   0 10:40:18      -  0:00 /usr/sbin/secldapclntd

List all LDAP users, then create users and groups. From now on, don't forget to add -R LDAP or -R files to your commands:

[root@aixsrv]/root# lsuser -R LDAP ALL
ldapuser1 id=6001 pgrp=grouptest1 groups=grouptest1 home=/home/ldapuser1 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

[root@aixsrv]/root# mkgroup -R LDAP  id=1 staff
[root@aixsrv]/root# mkuser -R LDAP id=6002 pgrp=staff ldapuser2
[root@aixsrv]/root# lsuser -R LDAP ALL
ldapuser1 id=6001 pgrp=grouptest1 groups=grouptest1 home=/home/ldapuser1 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
ldapuser2 id=6002 pgrp=staff groups=staff home=/home/ldapuser2 shell=/usr/bin/ksh93 auditclasses=general,SRC,cron,tcpip login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

Change the AIX default behaviour (for information: root will never be defined in LDAP)

[root@aixsrv]/root# chsec -f /etc/security/user -s default -a registry=LDAP
[root@aixsrv]/root# chsec -f /etc/security/user -s default -a SYSTEM=LDAP
[root@aixsrv]/root# chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
[root@aixsrv]/root# chdev -l sys0 -a max_logname=256
[root@aixsrv]/root# chdev -l sys0 -a ngroups_allowed=2048

AIX LDAP config files and schema are stored in /etc/security/ldap/, /etc/security/login.cfg and /etc/security/user

[root@aixsrv]/etc/security/ldap# cat ldap.cfg | grep -v '^#' | sed '/^$/d'
ldapservers:rhldaph1.mydom.lu
binddn:cn=Manager,dc=mydom,dc=tst
bindpwd:{DESv2}DB483D108C643477D2B2F192 7C07C1FFE513FB8325B81B6
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/2307aixuser.map
groupattrmappath:/etc/security/ldap/2307aixgroup.map
userbasedn:ou=people,dc=mydom,dc=tst
groupbasedn:ou=groups,dc=mydom,dc=tst
userclasses:posixaccount,account,shadowaccount,aixauxaccount,ibm-securityIdentities
groupclasses:posixgroup,aixauxgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:rfc2307aix

[root@aixsrv]/etc/security/ldap# ll
total 396
   4 drwxr-xr-x    2 root     security       4096 Oct 20 10:58 .
   4 drwxr-x---   12 root     security       4096 Oct 19 00:17 ..
   4 -rw-r-----    1 root     security       2973 May 19 16:41 2307aixgroup.map
   8 -rw-r-----    1 root     security       7863 May 19 16:41 2307aixuser.map
   4 -rw-r-----    1 root     security       2598 Apr 18 2010  2307group.map
   4 -rw-r-----    1 root     security       3429 Aug 23 2010  2307user.map
 120 -rw-r-----    1 root     security     122375 Jun 07 12:10 aixSchemaForAD.ldif
  52 -rw-r-----    1 root     security      50385 Jun 07 12:10 aixSchemaForNS5.ldif
   4 -rw-r-----    1 root     security       2852 May 19 16:41 aixgroup.map
   4 -rw-r-----    1 root     security       2837 May 25 2010  aixid.map
   8 -rw-r-----    1 root     security       7515 May 19 16:41 aixuser.map
  12 -rw-------    1 root     security      12102 Oct 20 10:58 ldap.cfg
   4 -rw-r-----    1 root     security       1567 Sep 21 2009  ldapid.ldif.template
  28 -rw-r-----    1 root     security      25523 Feb 19 2008  nisSchema.ldif
   4 -rw-------    1 root     security       3893 Sep 21 2009  proxy.ldif.template
  52 -rw-r-----    1 root     security      52063 Jun 07 12:10 sec.ldif
   4 -rw-r-----    1 root     security       2294 Apr 23 2009  sectoldif.cfg
   4 -rw-r-----    1 root     security       2495 May 25 2010  sfu20group.map
   4 -rw-r-----    1 root     security       2933 May 25 2010  sfu20user.map
   4 -rw-r-----    1 root     security       2781 May 25 2010  sfu30aixgroup.map
   8 -rw-r-----    1 root     security       7634 May 17 2011  sfu30aixuser.map
   4 -rw-r-----    1 root     security       2503 Aug 23 2010  sfu30group.map
   4 -rw-r-----    1 root     security       3005 Aug 23 2010  sfu30user.map
   4 -rw-r-----    1 root     security       2739 May 25 2010  sfur2aixgroup.map
   8 -rw-r-----    1 root     security       7611 May 17 2011  sfur2aixuser.map
   4 -rw-r-----    1 root     security       2390 May 25 2010  sfur2group.map
   4 -rw-r-----    1 root     security       2853 May 25 2010  sfur2user.map

Change a user's password from AIX LDAP client:

[root@aixsrv]/root# echo "testuser:testuser" | chpasswd -R LDAP -c
[root@aixsrv]/root# lsldap -a passwd testuser

ANNEX

rfc2307aix.schema

/etc/openldap/schema/rfc2307aix.schema

# Definitions from RFC2307AIX (Experimental)
# An Approach for Using LDAP as a Network Information Service for AIX
#
# Author: Patrick Vaughan <patrick_a_vaughan@hotmail.com>
#
# Depends upon core.schema, cosine.schema, and nis.schema
#
# Note: The definitions in RFC2307aix are not entirely known,
# and this information is taken from the work of others.
# This schema may contain extra information not necessarily needed by AIX,
# but used by IBM with other products.  Some modifications had to be made to
# work with OpenLDAP, mainly that boolean types were changed to text because
# of an incompatibility with some of the attributes and OpenLDAP. This seems
# to work with AIX, until a better solution is found.

# Attribute Type Definitions

attributetype ( 1.3.18.0.2.4.810 NAME 'adminGroupNames'
	DESC 'list of groups a user adminstrates'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.793 NAME 'AIXDefaultMACLevel'
	DESC 'AIX default level mac'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.766 NAME 'AIXFuncMode'
	DESC 'AIX smit acl function modes'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.797 NAME 'AIXisDCEExport'
	DESC 'DCE integration flag'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.778 NAME 'AIXLowMACLevel'
	DESC 'AIX low level mac'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.777 NAME 'AIXPromptMAC'
	DESC 'prompt MAC, Mandatory Access Control, or not'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.752 NAME 'AIXScreens'
	DESC 'AIX SMIT screen access list'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.746 NAME 'AIXUpperMACLevel'
	DESC 'AIX upper level mac'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.812 NAME 'auditClasses'
	DESC 'classes, events, a user will be audited on'
	EQUALITY 2.5.13.5
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.762 NAME 'authMethod1' DESC 'the primary method for authenticating a user'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.780 NAME 'authMethod2'
	DESC 'secondary method for authenticating a user'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.483 NAME 'caption'
	DESC 'CIM-derived attribute to provide short description of the directory object entry for display purposes.'
	EQUALITY 2.5.13.2
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.751 NAME 'coreSizeLimit'
	DESC 'core file size limit'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.798 NAME 'coreSizeLimitHard'
	DESC 'hard core file size limit'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.805 NAME 'cpuSize'
	DESC 'limit of system units a process can use'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.789 NAME 'cpuSizeHard'
	DESC 'largest amount of system time process can use'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.763 NAME 'dataSegSize'
	DESC 'size for data segment'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.758 NAME 'dataSegSizeHard'
	DESC 'largest size of data segment'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.757 NAME 'filePermMask'
	DESC 'mask to set file permission'
	EQUALITY 2.5.13.8
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.785 NAME 'fileSizeLimit'
	DESC 'file size limit'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.779 NAME 'fileSizeLimitHard'
	DESC 'file size limit'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.803 NAME 'groupList'
	DESC 'list of groups a user or role can belong to'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.538 NAME 'groupid'
	DESC 'Required attribute for eDominoGroup'
	EQUALITY 2.5.13.2
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.773 NAME 'groupSwitchUserAllowed'
	DESC 'list of groups that can switch user to this user'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.787 NAME 'hostLastLogin'
	DESC 'host name of the last successful login'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.748 NAME 'hostLastUnsuccessfulLogin'
	DESC 'host name of last unsuccessful login'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.726 NAME 'isAccountEnabled'
	DESC 'indicates whether users are allowed to login using an account (true) or not (false)'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.728 NAME 'isAdministrator'
	DESC 'indicates whether an account has administrative authority'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.761 NAME 'isDaemon'
	DESC 'AIX indicator whether a user can run programs under cron or src'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.743 NAME 'isLoginAllowed'
	DESC 'indicate wheter a user can login'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.799 NAME 'isRemoteAccessAllowed'
	DESC 'permits access from a remote system'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.808 NAME 'isSwitchUserAllowed'
	DESC 'indicates whether a user can switch to this users account'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.760 NAME 'ixLastUpdate'
	DESC 'time of last update'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.771 NAME 'ixTimeLastLogin'
	DESC 'time of users last login'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.749 NAME 'ixTimeLastUnsuccessfulLogin'
	DESC 'time of users last unsuccessful login'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.801 NAME 'loginTimes'
	DESC 'valid times a user is allowed to login'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.710 NAME 'maxFailedLogins'
	DESC 'Maximum number of failed logins before the account is locked'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.807 NAME 'maxLogin'
	DESC 'maximum number of logins'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.464 NAME 'numberWarnDays'
	DESC '  '
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.781 NAME 'openFileLimit'
	DESC 'limit for number of open files'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.784 NAME 'openFileLimitHard'
	DESC 'maximum number of open files'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.458 NAME 'passwordCheckMethods'
	DESC 'Methods for checking passwords.'
	EQUALITY 2.5.13.5
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.463 NAME 'passwordDictFiles'
	DESC 'Password dictionary files.'
	EQUALITY 2.5.13.5
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.788 NAME 'passwordExpiredWeeks'
	DESC 'number of weeks a user passwd history expired'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.485 NAME 'passwordExpireTime'
	DESC 'Defines, in YYYYMMDDHHMMSS format, the date and time when a user password expires.'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.753 NAME 'passwordFlags'
	DESC 'password flags'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.772 NAME 'passwordHistSize'
	DESC 'number of previous passwords that can be stored in password history'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 2.16.840.1.113730.3.1.97 NAME 'passwordMaxAge'
	DESC 'Specifies, in seconds, the period of time passwords can be used before they expire.'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.802 NAME 'passwordChar'
	DESC 'password existence character'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.454 NAME 'passwordMaxRepeatedChars'
	DESC '  '
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.473 NAME 'passwordMinAlphaChars'
	DESC 'Specifies the minimum number of characters required for a users password.'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.499 NAME 'passwordMinDiffChars'
	DESC 'Specifies the minimum number of different (unique) characters required for a users password.'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	USAGE userApplications )

attributetype ( 2.16.840.1.113730.3.1.99 NAME 'passwordMinLength'
	DESC 'Specifies the minimum number of characters required for a user\27s password.'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.469 NAME 'passwordMinOtherChars'
	DESC '  '
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.790 NAME 'physicalMemLimit'
	DESC 'limit for the amount of physical memory that can be allocated'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.744 NAME 'physicalMemLimitHard'
	DESC 'largest amount of physical memory that can be allocated'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.319 NAME 'principalPtr'
	DESC 'DN pointer to a principal object (e.g. person, user, service, etc.)'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.786 NAME 'roleList'
	DESC 'list of roles a user or role may belong to'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.759 NAME 'stackSizeLimit'
	DESC 'size limit for process stack'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.754 NAME 'stackSizeLimitHard'
	DESC 'largest stack segment for a process'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.804 NAME 'systemEnvironment'
	DESC 'protect environment'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.809 NAME 'terminalAccess'
	DESC 'list of terminals that can access users account'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.767 NAME 'terminalLastLogin'
	DESC 'terminal of users last successful login'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.769 NAME 'terminalLastUnsuccessfulLogin'
	DESC 'terminal of users last unsuccessful login'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.806 NAME 'timeExpiredLogout'
	DESC 'inactivity time out'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.474 NAME 'timeExpireLockout'
	DESC '  '
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.800 NAME 'trustedPathStatus'
	DESC 'indicates the users trusted path status'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.811 NAME 'unsuccessfulLoginCount'
	DESC 'count of unsuccessful logins'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.795 NAME 'userEnvironment'
	DESC 'user public environment'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.783 NAME 'userName'
	DESC 'user name'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.1101 NAME 'passwordHistList'
	DESC 'list of user passwords'
	EQUALITY 2.5.13.5
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.2321 NAME 'hostsAllowedLogin'
	DESC 'The names or addresses of computer systems or networks to which a user is allowed to login.'
	EQUALITY caseIgnoreMatch
	ORDERING caseIgnoreOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.2322 NAME 'hostsDeniedLogin'
	DESC 'The names or addresses of a computer systems or networks to which a user is not allowed to login.'
	EQUALITY caseIgnoreMatch
	ORDERING caseIgnoreOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.2504 NAME 'passwordHistExpire'
	DESC 'number of weeks a user passwd history expired'
	EQUALITY 2.5.13.14
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.145 NAME 'capability'
	DESC 'Indicates the capabilities this GSO Target Service Type allows.'
	EQUALITY 2.5.13.2
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.814 NAME 'GroupName'
	DESC 'Name of DCE group'
	EQUALITY 2.5.13.5
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.768 NAME 'AIXGroupAdminList'
	DESC 'list of administrators'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.765 NAME 'groupPassword'
	DESC 'Group Password'
	EQUALITY 2.5.13.5
	ORDERING 2.5.13.6
	SUBSTR 2.5.13.7
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.2.840.113556.1.4.867 NAME 'altSecurityIdentities'
	DESC 'Alternate security identities.  A Kerberos identity must be defined in the format kerberos:<principal>@<realm>; for example, kerberos:alice@austin.ibm.com.  This attribute is defined on Active Directory.'
	EQUALITY 2.5.13.2
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	USAGE userApplications )

attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName'
	DESC 'Primary security identity in the form <principal>@<realm>; for example, alice@austin.ibm.com.  This attribute is defined on Active Directory.'
	EQUALITY 2.5.13.5
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.813 NAME 'gid'
	DESC 'integer ID of the group name. Used for access control of resources.'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3396 NAME 'passwordMaxConsecutiveRepeatedChars'
	DESC 'Attribute used to impose the maximum number of consecutive repeated characters in the password field.'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3107 NAME 'rcmds'
	DESC 'allow, deny, hostlogincontrol. Specifies whether a user is allowed to run remote commands.'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.756 NAME 'AIXAdminGroupId'
	DESC 'AIX new admin group id storage'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.776 NAME 'AIXAdminUserId'
	DESC 'AIX new admin user id storage'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.782 NAME 'AIXGroupID'
	DESC 'AIX new group id storage'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.770 NAME 'AIXUserID'
	DESC 'Aix new user id storage attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3237 NAME 'ibm-aixProjectNameList'
	DESC 'Advanced accounting, list of project names'
	EQUALITY caseExactMatch
	ORDERING caseExactOrderingMatch
	SUBSTR caseExactSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3349 NAME 'ibm-defaultRoles'
	DESC 'List of default roles'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3337 NAME 'ibm-coreNamingPolicy'
	DESC 'Specifies core file naming policy'
	EQUALITY caseIgnoreMatch
	ORDERING caseIgnoreOrderingMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3336 NAME 'ibm-coreCompressionEnable'
	DESC 'Enable or disable corefile compression'
	EQUALITY caseIgnoreMatch
	ORDERING caseIgnoreOrderingMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3338 NAME 'ibm-corePathEnable'
	DESC 'Enable or disable core file path specification.'
	EQUALITY caseIgnoreMatch
	ORDERING caseIgnoreOrderingMatch
	SUBSTR caseIgnoreSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3339 NAME 'ibm-corePathName'
	DESC 'Specifies a location for core files'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3233 NAME 'ibm-aixAdminPolicyEntry'
	DESC 'Advanced accounting, admin policy rule'
	EQUALITY caseExactMatch
	ORDERING caseExactOrderingMatch
	SUBSTR caseExactSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3234 NAME 'ibm-aixAdminPolicyName'
	DESC 'Advanced accounting, name of admin policy'
	EQUALITY caseExactMatch
	ORDERING caseExactOrderingMatch
	SUBSTR caseExactSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3235 NAME 'ibm-aixProjectDefinition'
	DESC 'Advanced accounting, project definition entry'
	EQUALITY caseExactMatch
	ORDERING caseExactOrderingMatch
	SUBSTR caseExactSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3236 NAME 'ibm-aixProjectName'
	DESC 'Advanced accounting, name of project definition file'
	EQUALITY caseExactMatch
	ORDERING caseExactOrderingMatch
	SUBSTR caseExactSubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3340 NAME 'ibm-aixpertLabel'
	DESC 'A unique label for an XML file'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3341 NAME 'ibm-aixpertXmlConfigFile'
	DESC 'Aixpert XML configuration file'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
	SINGLE-VALUE
	USAGE userApplications )
#  EQUALITY octetStringMatch

attributetype ( 1.3.18.0.2.4.3363 NAME 'ibm-authorizationID'
	DESC 'authorization numeric ID'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.332 NAME 'msgFileName'
	DESC 'This attribute is used to indicate a message file name which contains displayable/translatable strings for those attributes which are displayable.'
	EQUALITY caseExactMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.774 NAME 'msgNumber'
	DESC 'index into a message catalog'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3364 NAME 'ibm-msgSet'
	DESC 'Message set'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3359 NAME 'ibm-accessAuths'
	DESC 'Access authorizations'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3354 NAME 'ibm-authPrivs'
	DESC 'Authorized privileges'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3361 NAME 'ibm-egid'
	DESC 'The effective group id'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3362 NAME 'ibm-euid'
	DESC 'The effective user id'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3358 NAME 'ibm-innatePrivs'
	DESC 'Innate privileges'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3365 NAME 'ibm-inheritPrivs'
	DESC 'Inheritable privileges'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3357 NAME 'ibm-secFlags'
	DESC 'Security flags'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3356 NAME 'ibm-readPrivs'
	DESC 'Privileges required to read an object'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3355 NAME 'ibm-writePrivs'
	DESC 'Privileges required to write to an object'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3353 NAME 'ibm-readAuths'
	DESC 'Authorizations required to read an object'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )

attributetype ( 1.3.18.0.2.4.3352 NAME 'ibm-writeAuths'
	DESC 'Authorizations required to write to an object'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	USAGE userApplications )


# No OID
#attributetype ( NAME 'IBM-ENTRYUUID' DESC 'A Unique Entry UUID from TDS' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
#attributetype ( NAME 'control' DESC 'Some IBM Control attribute from TDS' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Invalid Name 'userCertificate;binary'
#attributetype (  2.5.4.36 NAME ( 'userCertificate'  'userCertificate;binary'  ) DESC 'Used to represent certificates from one or more Certification Authorities representing a user.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 USAGE userApplications )

# Attributes already in the core.schema
#attributetype ( 2.5.4.7 NAME ( 'l'  'localityName'  ) DESC 'This attribute contains the name of a locality, such as a city, county or other geographic region (localityName).'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
#attributetype ( 2.5.4.31 NAME 'member' DESC 'Identifies the distinguished names for each member of the group.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE userApplications )
#attributetype ( 2.5.4.10 NAME ( 'o'  'organizationName'  'organization'  ) DESC 'This attribute contains the name of an organization (organizationName).' SUP 2.5.4.11 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )


objectclass ( 1.3.18.0.2.6.78 NAME 'eAccount'
	DESC 'Account information as used and maintained by the system.'
	SUP 'account'
	STRUCTURAL
	MAY ( caption $ userPassword $ userCertificate $ principalPtr ) )

objectclass ( 1.3.18.0.2.6.167 NAME 'AIXAccount'
	DESC 'AIX user information object class'
	SUP 'eAccount'
	STRUCTURAL
	MUST ( gid $ passwordChar $ userName )
	MAY ( adminGroupNames $ AIXDefaultMACLevel $ AIXFuncMode $ AIXisDCEExport $ AIXLowMACLevel $ AIXPromptMAC $ AIXScreens $ AIXUpperMACLevel $ auditClasses $ authMethod1 $ authMethod2 $ coreSizeLimit $ coreSizeLimitHard $ cpuSize $ cpuSizeHard $ dataSegSize $ dataSegSizeHard $ filePermMask $ fileSizeLimit $ fileSizeLimitHard $ gecos $ groupList $ groupSwitchUserAllowed $ homeDirectory $ hostLastLogin $ hostLastUnsuccessfulLogin $ isAccountEnabled $ isadministrator $ isDaemon $ isLoginAllowed $ isRemoteAccessAllowed $ isSwitchUserAllowed $ ixLastUpdate $ ixTimeLastLogin $ ixTimeLastUnsuccessfulLogin $ loginShell $ loginTimes $ maxFailedLogins $ maxLogin $ numberWarnDays $ openFileLimit $ openFileLimitHard $ passwordCheckMethods $ passwordDictFiles $ passwordExpiredWeeks $ passwordExpireTime $ passwordFlags $ passwordHistSize $ passwordMaxAge $ passwordMaxRepeatedChars $ passwordMinAlphaChars $ passwordMinDiffChars $ passwordMinLength $ passwordMinOtherChars $ physicalMemLimit $ physicalMemLimitHard $ roleList $ stackSizeLimit $ stackSizeLimitHard $ systemEnvironment $ terminalAccess $ terminalLastLogin $ terminalLastUnsuccessfulLogin $ timeExpiredLogout $ timeExpireLockout $ trustedPathStatus $ unsuccessfulLoginCount $ userEnvironment $ passwordHistList $ passwordHistExpire $ hostsAllowedLogin $ hostsDeniedLogin ) )

objectclass ( 1.3.18.0.2.6.170 NAME 'AIXaccessGroup'
	DESC 'AIX group information'
	SUP 'top'
	STRUCTURAL
	MUST ( gid $ GroupName )
	MAY ( AIXGroupAdminList $ AIXisDCEExport $ AIXScreens $ groupPassword $ isadministrator $ member ) )

objectclass ( 1.3.18.0.2.6.28 NAME 'container'
	DESC 'An object that can contain other objects.'
	SUP 'top'
	STRUCTURAL
	MUST ( cn ) )

objectclass ( 1.3.18.0.2.6.169 NAME 'AIXAdmin'
	DESC 'AIX class to store user/group administration attributes'
	SUP top
	STRUCTURAL
	MAY ( AIXAdminGroupId $ AIXAdminUserId $ AIXGroupID $ AIXUserID $ cn ) )

objectclass ( 1.3.18.0.2.6.473 NAME 'aixAuxGroup'
	DESC 'Auxiliary AIX group information objectclass, for use with the posixgroup objectclass.'
	SUP top
	AUXILIARY
	MAY ( aIXGroupAdminList $ aIXisDCEExport $ aIXScreens $ groupPassword $ isadministrator $ ibm-aixProjectNameList ) )

objectclass ( 1.3.18.0.2.6.620 NAME 'ibm-aixAccountingAdminPolicy'
	DESC 'Advanced Accounting admin policy object'
	SUP top
	STRUCTURAL
	MUST ( ibm-aixAdminPolicyEntry $ ibm-aixAdminPolicyName ) )

objectclass ( 1.3.18.0.2.6.621 NAME 'ibm-aixAccountingProject'
	DESC 'Advanced Accounting project definition object'
	SUP top
	STRUCTURAL
	MUST ( ibm-aixProjectDefinition $ ibm-aixProjectName ) )

objectclass ( 1.3.18.0.2.6.637 NAME 'ibm-aixAixpert'
	DESC 'For storing Aixpert specific data'
	SUP top
	STRUCTURAL
	MUST ( ibm-aixpertLabel $ ibm-aixpertXmlConfigFile ) )

objectclass ( 1.3.18.0.2.6.640 NAME 'ibm-authorization'
	DESC 'Contains authorization definition'
	SUP top
	STRUCTURAL
	MUST ( cn $ ibm-authorizationID )
	MAY ( msgFileName $ msgNumber $ ibm-msgSet $ description ) )

objectclass ( 1.3.18.0.2.6.642 NAME 'ibm-privcmd'
	DESC 'Contains privileged command definition'
	SUP top
	STRUCTURAL
	MUST cn
	MAY ( ibm-accessAuths $ ibm-authPrivs $ ibm-egid $ ibm-euid $ ibm-innatePrivs $ ibm-inheritPrivs $ ibm-secFlags $ description ) )

objectclass ( 1.3.18.0.2.6.641 NAME 'ibm-privdev'
	DESC 'Contains privileged device definition'
	SUP top
	STRUCTURAL
	MUST cn
	MAY ( ibm-readPrivs $ ibm-writePrivs $ description ) )

objectclass ( 1.3.18.0.2.6.639 NAME 'ibm-privfile'
	DESC 'Trusted configuration files'
	SUP top
	STRUCTURAL
	MUST cn
	MAY ( ibm-readAuths $ ibm-writeAuths $ description ) )

objectclass ( 1.3.18.0.2.6.241 NAME 'ibm-SecurityIdentities'
	DESC 'Defines the security identities of a user.  The user could be a person or a service.'
	SUP top
	AUXILIARY
	MAY ( altSecurityIdentities $ userPrincipalName ) )

objectclass ( 1.3.18.0.2.6.472 NAME 'aixAuxAccount'
	DESC 'Auxiliary AIX user information objectclass, for use with posixaccount and shadowaccount objectclasses'
	SUP top
	AUXILIARY
	MAY ( passwordChar $ adminGroupNames $ aIXDefaultMACLevel $ aIXFuncMode $ aIXisDCEExport $ aIXLowMACLevel $ aIXPromptMAC $ aIXScreens $ aIXUpperMACLevel $ auditClasses $ authMethod1 $ authMethod2 $ coreSizeLimit $ coreSizeLimitHard $ cPuSize $ cPuSizeHard $ dataSegSize $ dataSegSizeHard $ filePermMask $ fileSizeLimit $ fileSizeLimitHard $ groupList $ groupSwitchUserAllowed $ hostLastLogin $ hostLastUnsuccessfulLogin $ hostsAllowedLogin $ hostsDeniedLogin $ isAdministrator $ isAccountEnabled $ isDaemon $ isLoginAllowed $ isRemoteAccessAllowed $ isSwitchUserAllowed $ ixTimeLastLogin $ ixTimeLastUnsuccessfulLogin $ loginTimes $ maxFailedLogins $ maxLogin $ openFileLimit $ openFileLimitHard $ passwordCheckMethods $ passwordDictFiles $ passwordExpireTime $ passwordHistSize $ passwordMaxRepeatedChars $ passwordMinAlphaChars $ passwordMinDiffChars $ passwordMinLength $ passwordMinOtherChars $ physicalMemLimit $ physicalMemLimitHard $ roleList $ StackSizeLimit $ StackSizeLimitHard $ SystemEnvironment $ terminalAccess $ terminalLastLogin $ terminalLastUnsuccessfulLogin $ timeExpiredLogout $ timeExpireLockout $ trustedPathStatus $ unsuccessfulLoginCount $ userEnvironment $ passwordFlags $ capability $ passwordHistExpire $ passwordHistList $ rcmds $ ibm-aixProjectNameList $ ibm-defaultRoles $ ibm-coreNamingPolicy $ ibm-coreCompressionEnable $ ibm-corePathEnable $ ibm-corePathName $ passwordMaxConsecutiveRepeatedChars ) )
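slapd stops at the first schema definition it cannot parse, so a file this long is worth linting before it is referenced from slapd.conf. The Python below is an added example (it is not part of this page, of OpenLDAP or of the IBM AIX schema reproduced above): it parses attributetype/objectclass definitions in slapd.conf style and reports the LDIF-only keyword form (attributetypes: / objectclasses:), objectclass MUST/MAY lists that name an attribute defined nowhere, and OIDs assigned twice. The sample schema inside it is constructed, and CORE_ATTRS is an assumed list of attributes that the core, cosine and nis schemas loaded earlier in slapd.conf would provide.

```python
"""Lint slapd.conf-style schema definitions (added example, not from the page).

Reported problems:
  * the LDIF/cn=config keywords 'attributetypes:' / 'objectclasses:' in a
    slapd.conf-style .schema file (slapd stops at the first one);
  * an objectclass whose MUST/MAY list names an attribute defined neither in
    this file nor in the schemas assumed to be loaded before it;
  * an OID used by two definitions.
"""
import re
from dataclasses import dataclass

# Assumption: these attributes come from core/cosine/nis schemas loaded earlier
# in slapd.conf, so references to them are not reported.
CORE_ATTRS = {"cn", "description", "member", "userPassword", "userCertificate",
              "gecos", "homeDirectory", "loginShell", "caption"}

KEYWORD_RE = re.compile(
    r"^(?P<kw>attributetypes?|objectclass(?:es)?)(?P<colon>:?)\s*\(", re.M | re.I)


@dataclass
class Definition:
    kind: str      # "attributetype" or "objectclass"
    keyword: str   # keyword exactly as written, e.g. "attributetypes:"
    oid: str
    names: list
    body: str      # text between the outer parentheses
    line: int      # 1-based line number of the keyword


def _balanced(text, start):
    """Return (inner text, end index) of the parenthesised group opening at text[start].
    Parentheses inside single-quoted strings (e.g. in DESC) do not count."""
    depth, quoted = 0, False
    for i in range(start, len(text)):
        ch = text[i]
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i
    raise ValueError("unbalanced parentheses at offset %d" % start)


def _attr_list(body, keyword):
    """Attributes listed after MUST or MAY: either '( a $ b )' or one bare name."""
    unquoted = re.sub(r"'[^']*'", "''", body)          # ignore words inside DESC etc.
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % keyword, unquoted)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in raw.split("$") if a.strip()]


def parse_schema(text):
    # Blank out comment lines (keeping line numbers) so commented-out
    # definitions such as '#attributetype ( ...' are not parsed.
    lines = ["" if l.lstrip().startswith("#") else l for l in text.splitlines()]
    text = "\n".join(lines)
    defs = []
    for m in KEYWORD_RE.finditer(text):
        body, _ = _balanced(text, m.end() - 1)
        oid = body.split()[0]
        name_m = re.search(r"NAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", body)
        names = re.findall(r"'([^']*)'", name_m.group(1)) if name_m else [oid]
        kind = "objectclass" if m.group("kw").lower().startswith("objectclass") else "attributetype"
        defs.append(Definition(kind, m.group("kw") + m.group("colon"), oid, names,
                               body, text.count("\n", 0, m.start()) + 1))
    return defs


def lint_schema(text, known_attrs=CORE_ATTRS):
    """Return a list of (line, message) findings; an empty list means clean."""
    defs = parse_schema(text)
    defined = {n.lower() for d in defs if d.kind == "attributetype" for n in d.names}
    defined |= {a.lower() for a in known_attrs}
    seen, findings = {}, []
    for d in defs:
        if d.keyword.lower() != d.kind:
            findings.append((d.line, "keyword '%s' is the LDIF form; slapd.conf schema files use '%s'"
                             % (d.keyword, d.kind)))
        if d.oid in seen:
            findings.append((d.line, "OID %s already used by '%s'" % (d.oid, seen[d.oid])))
        seen.setdefault(d.oid, d.names[0])
        if d.kind == "objectclass":
            for attr in _attr_list(d.body, "MUST") + _attr_list(d.body, "MAY"):
                if attr.lower() not in defined:
                    findings.append((d.line, "objectclass '%s' references undefined attribute '%s'"
                                     % (d.names[0], attr)))
    return findings


# Constructed sample with two deliberate defects: an 'attributetypes:' keyword
# and a MAY reference to 'groupPassword', which this sample never defines.
SAMPLE_SCHEMA = """\
attributetype ( 1.3.18.0.2.4.813 NAME 'gid'
\tDESC 'integer ID of the group name. Used for access control of resources.'
\tSYNTAX 1.3.6.1.4.1.1466.115.121.1.27
\tSINGLE-VALUE
\tUSAGE userApplications )

attributetypes: ( 1.3.18.0.2.4.3349 NAME 'ibm-defaultRoles'
\tDESC 'List of default roles'
\tEQUALITY caseExactIA5Match
\tSYNTAX 1.3.6.1.4.1.1466.115.121.1.26
\tUSAGE userApplications )

attributetype ( 1.3.18.0.2.4.814 NAME 'GroupName'
\tDESC 'Name of DCE group (see AIX docs)'
\tEQUALITY 2.5.13.5
\tSYNTAX 1.3.6.1.4.1.1466.115.121.1.15
\tSINGLE-VALUE
\tUSAGE userApplications )

objectclass ( 1.3.18.0.2.6.170 NAME 'AIXaccessGroup'
\tDESC 'AIX group information'
\tSUP 'top'
\tSTRUCTURAL
\tMUST ( gid $ GroupName )
\tMAY ( groupPassword $ member ) )
"""

if __name__ == "__main__":
    for line, msg in lint_schema(SAMPLE_SCHEMA):
        print("line %d: %s" % (line, msg))
```

Run it against the real file with `lint_schema(open("aix.schema").read())`; attributes that an earlier schema in slapd.conf supplies go into the `known_attrs` set, otherwise every reference to them is reported as undefined.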

Schemas

core.schema - Standard schema defined by the core LDAP RFCs 2252, 2256 (required)
cosine.schema - Cosine and Internet X.500 (recommended)
inetorgperson.schema - inetOrgPerson as defined in RFC 2798 (recommended)
java.schema - Java objects as defined by RFC 2713
krb5-kdc.schema - Kerberos v5 key distribution center
misc.schema - Assorted definitions
openldap.schema - OpenLDAP Project
nadf.schema - North American Directory Forum (obsolete)
nis.schema - Network Information Services
corba.schema - CORBA object as defined by RFC 2714
dyngroup.schema - Dynamic Group (experimental)
ppolicy.schema - Password Policy Schema (work in progress)

Configure redhat as LDAP client

# authconfig --enableldap --enableldapauth --ldapserver=rhel7.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --enablemkhomedir --update

Change loglevel

To modify the LDAP log level, add up the values from the following table to reach the required level. Example: trace (1) and connections (8) give 9.

# ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 9
number  hex-value  log-name  Logging description
-1      0xFFFF     any       enable all logging
0       0x0000     none      logging inhibited - no logging occurs including critical errors. Not recommended.
1       0x1        trace     trace function calls
2       0x2        packets   debug packet handling
4       0x4        args      heavy trace debugging
8       0x8        conns     connection management
16      0x10       BER       print out packets sent and received
32      0x20       filter    search filter processing
64      0x40       config    configuration file processing
128     0x80       ACL       access control list processing
256     0x100      stats     stats log connections/operations/results (default)
512     0x200      stats2    stats log entries sent
1024    0x400      shell     print communication with shell backends
2048    0x800      parse     entry parsing debugging
4096    0x1000     cache     caching (unused)
8192    0x2000     index     indexing (unused)
16384   0x4000     sync      print syncrepl (replica) logging
32768   0x8000     none      A misnomer - it will log messages that are not categorized - specifically including critical messages
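To turn the table into an olcLogLevel value and back without hand arithmetic, here is an added Python example (not part of the page); it also emits the LDIF shown above. The bit values and names are the ones from the table; "any" (-1) and 0 (logging inhibited) are handled as the two special cases.

```python
"""Compose and decompose slapd's olcLogLevel bitmask (added example)."""

# bit value -> log name, in ascending order, as in the table above
LOG_LEVELS = [
    (0x1, "trace"), (0x2, "packets"), (0x4, "args"), (0x8, "conns"),
    (0x10, "BER"), (0x20, "filter"), (0x40, "config"), (0x80, "ACL"),
    (0x100, "stats"), (0x200, "stats2"), (0x400, "shell"), (0x800, "parse"),
    (0x1000, "cache"), (0x2000, "index"), (0x4000, "sync"), (0x8000, "none"),
]
_BY_NAME = {name.lower(): bit for bit, name in LOG_LEVELS}
ALL_BITS = sum(bit for bit, _ in LOG_LEVELS)   # 0xFFFF


def loglevel_from_names(names):
    """Return the integer to put in olcLogLevel for the given log names."""
    lowered = [n.lower() for n in names]
    if "any" in lowered:
        return -1
    value = 0
    for n in lowered:
        if n not in _BY_NAME:
            raise ValueError("unknown log name: %r" % n)
        value |= _BY_NAME[n]
    return value


def names_from_loglevel(value):
    """Return the log names that make up an olcLogLevel integer.
    0 gives [] (logging inhibited); -1 gives ['any']."""
    if value == -1:
        return ["any"]
    if value < 0 or value & ~ALL_BITS:
        raise ValueError("value %d has bits outside the 16 defined levels" % value)
    return [name for bit, name in LOG_LEVELS if value & bit]


def loglevel_ldif(names):
    """LDIF for 'ldapmodify -Y EXTERNAL -H ldapi:///' that sets the level."""
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: olcLogLevel\n"
            "olcLogLevel: %d\n" % loglevel_from_names(names))


if __name__ == "__main__":
    print(loglevel_ldif(["trace", "conns"]))     # ends with olcLogLevel: 9
    print(names_from_loglevel(256 + 16384))       # ['stats', 'sync']
```

slapd also accepts the names directly (for example `olcLogLevel: stats sync`), so the integer form is mainly useful when reading back a level someone else set. Keep trace/packets/BER out of production levels: they log request contents, including bind DNs and search data, at high volume.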

Under construction

Test secure connection

From AIX node:

[root@aixsrv]/root# openssl s_client -host rhldaph1 -port 636
CONNECTED(00000004)
depth=0 CN = rhldaph1
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = rhldaph1
verify return:1
---
Certificate chain
 0 s:/CN=rhldaph1
   i:/CN=rhldaph1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=rhldaph1
issuer=/CN=rhldaph1
---
No client certificate CA names sent
---
SSL handshake has read 839 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0E0B9DDB007ACF1EA6FC7B42122C0BBED0CDB91A83182B7C5001CBCD7CDE9D
    Session-ID-ctx:
    Master-Key: AFF74402BAEBFC5C846F179413FAA8683E412533ECFD9DA91488A1D7E45D8F4E9FC3CC90325200D4FB5C3163
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1465401511
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Generate openssl certificates on server

[root@rhldaph1 certs]# openssl req -newkey rsa:2048 -x509 -nodes -out /etc/pki/tls/certs/rhldaph1_pubkey.pem -keyout /etc/pki/tls/certs/rhldaph1_privkey.pem -days 3650
Generating a 2048 bit RSA private key
.....+++
...................................................................+++
writing new private key to '/etc/pki/tls/certs/rhldaph1_privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:LU
State or Province Name (full name) []:Luxembourg
Locality Name (eg, city) [Default City]:Luxembourg
Organization Name (eg, company) [Default Company Ltd]:mydom
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:rhldaph1
Email Address []:rhldaph1@mydomain.com

[root@rhldaph1 certs]# chown ldap. rhldaph*pem
[root@rhldaph1 certs]# ll
total 20
lrwxrwxrwx. 1 root root   49 Jun  1 14:24 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 Jun  1 14:24 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root  610 Oct 10  2015 make-dummy-cert
-rw-r--r--. 1 root root 2388 Oct 10  2015 Makefile
-rwxr-xr-x. 1 root root  829 Oct 10  2015 renew-dummy-cert
-rw-r--r--  1 ldap ldap 1704 Jun  8 18:17 rhldaph1_privkey.pem
-rw-r--r--  1 ldap ldap 1472 Jun  8 18:17 rhldaph1_pubkey.pem
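The listing above shows rhldaph1_privkey.pem as -rw-r--r--, so any local account can read the slapd TLS private key; 0600 owned by ldap is the mode to aim for. The Python below is an added example (not from the page): the first function flags private keys in an ls -l listing that are readable beyond their owner or not owned by the expected user, the second fixes a real file in place. The listing inside it is constructed from the page's own output, and the is_private_key naming rule is an assumption to adapt to local conventions.

```python
"""Check and fix private-key file permissions (added example, not from the page)."""
import os
import stat
import tempfile


def is_private_key(name):
    # Assumption: private keys are recognised by name; adjust to local conventions.
    return "privkey" in name or name.endswith(".key")


def parse_ls_line(line):
    """Split one 'ls -l' line into (mode string, owner, group, name).
    The mode may carry a trailing '.' or '+' (SELinux / ACL marker)."""
    fields = line.split(None, 8)
    if len(fields) < 9 or not fields[0].startswith(("-", "l", "d")):
        return None
    mode = fields[0].rstrip(".+")
    name = fields[8].split(" -> ")[0]       # drop a symlink target
    return mode, fields[2], fields[3], name


def insecure_key_entries(listing, owner="ldap"):
    """Names of private keys readable beyond the owner, or not owned by `owner`."""
    bad = []
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if not parsed:
            continue
        mode, user, _group, name = parsed
        if not is_private_key(name):
            continue
        if mode[4:10] != "------" or user != owner:    # group and other bits must be clear
            bad.append(name)
    return bad


def harden_key_file(path, mode=0o600):
    """Set `path` to owner-only permissions; return (old mode, new mode)."""
    old = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode)
    return old, stat.S_IMODE(os.stat(path).st_mode)


def demo_harden():
    """Create a temporary 0644 file, harden it, clean up; returns (old, new) modes."""
    fd, path = tempfile.mkstemp(suffix="_privkey.pem")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        return harden_key_file(path)
    finally:
        os.unlink(path)


# Constructed from the 'll' listing on this page.
SAMPLE_LISTING = """\
total 20
lrwxrwxrwx. 1 root root   49 Jun  1 14:24 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-rwxr-xr-x. 1 root root  610 Oct 10  2015 make-dummy-cert
-rw-r--r--  1 ldap ldap 1704 Jun  8 18:17 rhldaph1_privkey.pem
-rw-r--r--  1 ldap ldap 1472 Jun  8 18:17 rhldaph1_pubkey.pem
"""

if __name__ == "__main__":
    print(insecure_key_entries(SAMPLE_LISTING))   # ['rhldaph1_privkey.pem']
    print(demo_harden())                          # (420, 384), i.e. 0o644 -> 0o600
```

The certificate file (rhldaph1_pubkey.pem here) may stay world-readable; only the key needs the restriction, and slapd running as the ldap user still reads it.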

Install PHP LDAP Admin

[root@rhldaph1 ldap]# yum -y install php php-ldap
[root@rhldaph1 ldap]# rpm -Uhv phpldapadmin-1.2.3-5.el7.noarch.rpm

# install from EPEL

[root@rhldaph1 ldap]# vi /etc/phpldapadmin/config.php
# line 397: uncomment, line 398: comment out

$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
[root@rhldaph1 ldap]# vi /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # line 12: add access permission

    Require local
    Require ip 10.0.0.0/24
[root@rhldaph1 ldap]# systemctl restart httpd

http://10.10.10.120/ldapadmin

References

ldap/openldap_2.4.txt · Last modified: 2021/01/01 21:25 (external edit)