The directory server uses the encryption seed to generate a set of Advanced Encryption Standard (AES) secret key values.
The key stash file of a directory server instance stores these key values; they are used to encrypt and decrypt passwords and other protected attributes.
//IMPORTANT://
To get a correct base installation you have to use a matching combination of DB2 and LDAP versions.
I've tested the following combinations:
* version DB2 10.1FP4 with LDAP (ids) v6.3.1.0
* version DB2 9.7FP9 with LDAP (ids) v6.3.0.31
http://www-01.ibm.com/support/docview.wss?uid=swg27009603
==== Requisites ====
Required AIX fileset: bos.adt.prof
The install logs are written to /tmp
==== Install DB2 ====
Default path for DB2 (it cannot be a mount point):
/opt/IBM/tdsV6.3db2
root@itds3 - /mnt1/ibm_db2 > ./db2_install
Default directory for installation of products - /opt/IBM/db2/V9.7
***********************************************************
Do you want to choose a different directory to install [yes/no] ?
no
Specify one of the following keywords to install DB2 products.
ESE
CLIENT
RTCL
Enter "help" to redisplay product names.
Enter "quit" to exit.
***********************************************************
ESE
Total number of tasks to be performed: 48
Total estimated time for all tasks to be performed: 2504
Task #1 start
Description: Enable IOCP
Estimated time 1 second(s)
iocp0 Task #1 end
............
Task #4 start
Description: The DB2 required component.
Estimated time 15 second(s)
Task #4 end
.............
==== Install GSKIT =====
Needed for SSL encryption: GSKit supplies the key database (.kdb) and certificate tooling used below.
root@itds3 - /mnt1 > installp -agXY -d ibm_gskit GSKit8.gskcrypt32.ppc.rte GSKit8.gskcrypt64.ppc.rte GSKit8.gskssl32.ppc.rte GSKit8.gskssl64.ppc.rte
Selected Filesets
-----------------
GSKit8.gskcrypt32.ppc.rte 8.0.14.26 # IBM GSKit Cryptography Runtime
GSKit8.gskcrypt64.ppc.rte 8.0.14.26 # IBM GSKit Cryptography Runtime
GSKit8.gskssl32.ppc.rte 8.0.14.26 # IBM GSKit SSL Runtime With A...
GSKit8.gskssl64.ppc.rte 8.0.14.26 # IBM GSKit SSL Runtime With A...
==== Install ITDS packages ====
Note: the user and group idsldap are created automatically if they do not exist:
idsldap:!:203:202::/home/idsldap:/usr/bin/ksh
idsldap:!:202:idsldap,root
Accept the license first; otherwise not all packages can be installed.
root@itds3 - /mnt1 > ./license/idsLicense
International Program License Agreement
Part 1 - General Terms
BY DOWNLOADING, INSTALLING, COPYING, ACCESSING, CLICKING ON AN "ACCEPT" BUTTON, OR OTHERWISE USING THE PROGRAM, LICENSEE AGREES TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ACCEPTING THESE TERMS ON
BEHALF OF LICENSEE, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND LICENSEE TO THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS,
...
Press Enter to continue viewing the license agreement, or, Enter "1" to accept the agreement, "2" to decline it or "99" to go back to the previous screen, "3" Print.
1
root@itds3 - /mnt1 > cd native/
root@itds3 - /mnt1/native > ll
total 185592
6 drwxr-xr-x 2 root system 6144 Nov 24 2013 .
4 drwxr-xr-x 15 root system 4096 Nov 21 2013 ..
2 -rwxr-xr-x 1 root system 55 Nov 24 2013 buildno.txt
2 -rwxr-xr-x 1 root system 83 Nov 24 2013 entitlement.txt
3428 -rwxr-xr-x 1 root system 3509248 Nov 24 2013 idsldap.clt32bit631
3560 -rwxr-xr-x 1 root system 3644416 Nov 24 2013 idsldap.clt64bit631
2584 -rwxr-xr-x 1 root system 2644992 Nov 24 2013 idsldap.clt_max_crypto32bit631
2674 -rwxr-xr-x 1 root system 2738176 Nov 24 2013 idsldap.clt_max_crypto64bit631
2658 -rwxr-xr-x 1 root system 2720768 Nov 24 2013 idsldap.cltbase631
1024 -rwxr-xr-x 1 root system 1047552 Nov 24 2013 idsldap.cltjava631
6 -rwxr-xr-x 1 root system 5120 Nov 24 2013 idsldap.ent631
24 -rwxr-xr-x 1 root system 24576 Nov 24 2013 idsldap.license631
818 -rwxr-xr-x 1 root system 837632 Nov 24 2013 idsldap.msg631.cs_CZ
820 -rwxr-xr-x 1 root system 838656 Nov 24 2013 idsldap.msg631.de_DE
286 -rwxr-xr-x 1 root system 292864 Nov 24 2013 idsldap.msg631.en_US
800 -rwxr-xr-x 1 root system 818176 Nov 24 2013 idsldap.msg631.es_ES
814 -rwxr-xr-x 1 root system 832512 Nov 24 2013 idsldap.msg631.fr_FR
834 -rwxr-xr-x 1 root system 854016 Nov 24 2013 idsldap.msg631.hu_HU
810 -rwxr-xr-x 1 root system 828416 Nov 24 2013 idsldap.msg631.it_IT
894 -rwxr-xr-x 1 root system 914432 Nov 24 2013 idsldap.msg631.ja_JP
854 -rwxr-xr-x 1 root system 873472 Nov 24 2013 idsldap.msg631.ko_KO
826 -rwxr-xr-x 1 root system 844800 Nov 24 2013 idsldap.msg631.pl_PL
804 -rwxr-xr-x 1 root system 822272 Nov 24 2013 idsldap.msg631.pt_BR
914 -rwxr-xr-x 1 root system 934912 Nov 24 2013 idsldap.msg631.ru_RU
812 -rwxr-xr-x 1 root system 831488 Nov 24 2013 idsldap.msg631.sk_SK
782 -rwxr-xr-x 1 root system 799744 Nov 24 2013 idsldap.msg631.zh_CN
784 -rwxr-xr-x 1 root system 802816 Nov 24 2013 idsldap.msg631.zh_TW
6980 -rwxr-xr-x 1 root system 7147520 Nov 24 2013 idsldap.srv64bit631
3670 -rwxr-xr-x 1 root system 3757056 Nov 24 2013 idsldap.srv_max_cryptobase64bit631
28730 -rwxr-xr-x 1 root system 29419520 Nov 24 2013 idsldap.srvbase64bit631
2306 -rwxr-xr-x 1 root system 2361344 Nov 24 2013 idsldap.srvproxy64bit631
58392 -rwxr-xr-x 1 root system 59792384 Nov 24 2013 idsldap.webadmin631
57690 -rwxr-xr-x 1 root system 59073536 Nov 24 2013 idsldap.webadmin_max_crypto631
root@itds3 - /mnt1/native > smit installp
idsldap.clt32bit631.rte:6.3.1.0
idsldap.clt64bit631.rte:6.3.1.0
idsldap.clt_max_crypto32bit631.rte:6.3.1.0
idsldap.clt_max_crypto64bit631.rte:6.3.1.0
idsldap.cltbase631.adt:6.3.1.0
idsldap.cltbase631.rte:6.3.1.0
idsldap.cltjava631.rte:6.3.1.0
idsldap.ent631.rte:6.3.1.0
idsldap.license631.rte:6.3.1.0
idsldap.msg631.en_US:6.3.1.0
idsldap.srv_max_cryptobase64bit631.rte:6.3.1.0
idsldap.srvbase64bit631.rte:6.3.1.0
idsldap.webadmin631.rte:6.3.1.0
idsldap.webadmin_max_crypto631.rte:6.3.1.0
==== Create the symbolic links to programs ====
root@itds3 - /mnt1/ibm_db2 > /opt/IBM/ldap/V6.3.1/bin/idslink -s fullsrv -i
==== Create the users for Directory Server Instance ====
root@itds3 - /root > mkgroup -a id=15 admin=false dbsysadm
root@itds3 - /root > mkuser -a id=205 pgrp=dbsysadm groups=dbsysadm,staff,idsldap stack=65536 ldapdb2
# Add root to group dbsysadm to be able to create the DB2 instance
root@itds3 - /root > chgroup users=ldapdb2,root dbsysadm
root@itds3 - /root > echo "ldapdb2:ldapdb2" | chpasswd -c
==== Create the Instance for DB2 ====
The mksecldap command creates the DB2 instance and the DB2 database and writes a base configuration for LDAP. The parameter -u NONE prevents the local users from being loaded into LDAP, so you start with an empty directory.
root@itds3 - /mnt1/native > /usr/sbin/mksecldap -s -a cn=root -p passw0rd -S rfc2307aix -u NONE
ldapdb2's New password:
Enter the new password again:
Enter an encryption seed to generate key stash files: encryptseed123456
Encryption seed must be at least 12 characters, please try again.
Enter an encryption seed to generate key stash files: encryptseed123456
GLPWRP123I The program '/opt/IBM/ldap/V6.3.1/sbin/64/idsicrt' is used with the following arguments 'idsicrt -I ldapdb2 -p 389 -e ***** -n'.
You have chosen to perform the following actions:
GLPICR020I A new directory server instance 'ldapdb2' will be created.
GLPICR057I The directory server instance will be created at: '/home/ldapdb2'.
GLPICR013I The directory server instance's port will be set to '389'.
GLPICR014I The directory server instance's secure port will be set to '636'.
GLPICR015I The directory instance's administration server port will be set to '3538'.
GLPICR016I The directory instance's administration server secure port will be set to '3539'.
GLPICR019I The description will be set to: 'IBM Security Directory Server Instance V6.3.1'.
==== Add a domain for users ====
To add a domain, first stop the LDAP server.
[ldapdb2@itds3]/home/ldapdb2# ibmslapd -I ldapdb2 -k
[ldapdb2@itds3]/home/ldapdb2# idscfgsuf -I ldapdb2 -s o=mydom.org
GLPWRP123I The program '/opt/IBM/ldap/V6.3.1/sbin/64/idscfgsuf' is used with the following arguments '-I ldapdb2 -s o=mydom.org'.
You have chosen to perform the following actions:
GLPCSF007I Suffix 'o=mydom.org' will be added to the configuration file of the directory server instance 'ldapdb2'.
Do you want to....
(1) Continue with the above actions, or
(2) Exit without making any changes:1
GLPCSF004I Adding suffix: 'o=mydom.org'.
GLPCSF005I Added suffix: 'o=mydom.org'.
==== Change the password for main LDAP user ====
Reset the LDAP main password if needed
root@itds3 - /home/ldapdb2/idsslapd-ldapdb2/etc > idsdnpw -u cn=root -p passw0rd
GLPWRP123I The program '/opt/IBM/ldap/V6.3.1/sbin/64/idsdnpw' is used with the following arguments '-u cn=root -p *****'.
You have chosen to perform the following actions:
GLPDPW004I The directory server administrator DN will be set.
GLPDPW005I The directory server administrator password will be set.
Do you want to....
(1) Continue with the above actions, or
(2) Exit without making any changes:1
GLPDPW009I Setting the directory server administrator DN.
GLPDPW010I Directory server administrator DN was set.
GLPDPW006I Setting the directory server administrator password.
GLPDPW007I Directory server administrator password was set.
==== Start / Stop LDAP server ====
To start the LDAP server:
ibmslapd -I ldapdb2
or, naming the configuration file explicitly:
/usr/bin/ibmslapd -I ldapdb2 -f /home/ldapdb2/idsslapd-ldapdb2/etc/ibmslapd.conf
To start the LDAP Admin Daemon instance:
/usr/bin/ibmdiradm -I ldapdb2
To stop the server or the Admin Daemon, add the argument **-k**
==== Use SSL encryption between LDAP server and clients ====
http://wenku.baidu.com/view/5cceeb4e2b160b4e767fcf90.html
##############################################
# Template script (variables); the literal commands actually run on itds3 follow below.
GSK=gsk8capicmd_64
KEY_DIR=/etc/security/ldap/keys
KEY_NAME=itds3
LDAP_PW=passworD
LDAP_CN=root
AIXDATA_DN=aixdata
CERT_PW=Ath13TcU
CERT_LABEL=AIXTOOLS_SELF_SIGN
SERV_PW=Ath13AiX
mkdir -p ${KEY_DIR}
# remove any previous key database, its stash file (.sth) and the exported certificate (.arm)
rm -f ${KEY_DIR}/${KEY_NAME}.*
# create the key database; -stash writes the password to ${KEY_NAME}.sth so the server can open the .kdb
${GSK} -keydb -create -db ${KEY_DIR}/${KEY_NAME}.kdb -pw ${CERT_PW} -type cms -stash
# create a self-signed certificate and make it the default certificate of the key database
${GSK} -cert -create -db ${KEY_DIR}/${KEY_NAME}.kdb -pw ${CERT_PW} -label ${CERT_LABEL} -dn "CN=`hostname`,DC=AIXTOOLS,DC=NET" -default_cert yes -expire 366
# list certificates: ${CERT_LABEL} must appear, marked '*' as the default
${GSK} -cert -list -db ${KEY_DIR}/${KEY_NAME}.kdb -pw ${CERT_PW}
# extract the self-signed certificate for distribution to the clients
${GSK} -cert -extract -db ${KEY_DIR}/${KEY_NAME}.kdb -pw ${CERT_PW} -label ${CERT_LABEL} -target ${KEY_DIR}/${KEY_NAME}.arm -format binary
mkdir -p ${KEY_DIR}
gsk8capicmd_64 -keydb -create -db /etc/security/ldap/keys/itds3.kdb -pw passw0rd -type cms -stash
gsk8capicmd_64 -cert -create -db /etc/security/ldap/keys/itds3.kdb -pw passw0rd -label itds3 -dn 'cn=mydom.org' -default_cert yes -expire 7000
gsk8capicmd_64 -cert -list -db /etc/security/ldap/keys/itds3.kdb -pw passw0rd
Certificates found
* default, - personal, ! trusted
*- itds3
gsk8capicmd_64 -cert -extract -db /etc/security/ldap/keys/itds3.kdb -pw passw0rd -label itds3 -target /etc/security/ldap/keys/itds3.arm -format binary
cat - >${HOME}/gossl.ldif <
diff ibmslapd.conf ibmslapd.conf.old
98c98
< ibm-slapdSecurity: SSL
---
> ibm-slapdSecurity: none
101c101
< ibm-slapdSslCertificate: itds3
---
> ibm-slapdSslCertificate: none
111,112c111
< ibm-slapdSslKeyDatabase: /etc/security/ldap/keys/itds3.kdb
< ibm-slapdSSLKeyDatabasePW: {AES256}3v32qEGtZRR9khNzHOljag==
---
> ibm-slapdSslKeyDatabase: key.kdb
mksecldap -s -a cn=${LDAP_CN} -p ${LDAP_PW} -S rfc2307aix \
-d cn=${AIXDATA_DN} -k ${KEY_DIR}/${KEY_NAME}.kdb -w ${CERT_PW}
root@itds3 - /home/ldapdb2/idsslapd-ldapdb2/etc > mksecldap -s -a cn=root -p passw0rd -S rfc2307aix -n NONE -k /etc/security/ldap/keys/itds3.kdb -w passw0rd -j SSL
Stopping the LDAP server.
GLPSRV176I Terminated directory server instance 'ldapdb2' normally.
GLPWRP123I The program '/opt/IBM/ldap/V6.3.1/sbin/64/idscfgsuf' is used with the following arguments '-I ldapdb2 -s cn=aixdata -n'.
You have chosen to perform the following actions:
GLPCSF007I Suffix 'cn=aixdata' will be added to the configuration file of the directory server instance 'ldapdb2'.
GLPCSF004I Adding suffix: 'cn=aixdata'.
GLPCSF005I Added suffix: 'cn=aixdata'.
GLPSRV034I Server starting in configuration only mode.
GLPCOM024I The extended Operation plugin is successfully loaded from libevent.a.
GLPSRV155I The DIGEST-MD5 SASL Bind mechanism is enabled in the configuration file.
GLPCOM021I The preoperation plugin is successfully loaded from libDigest.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libevent.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.a.
GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.a.
GLPCOM025I The audit plugin is successfully loaded from libldapaudit.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libevent.a.
GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.a.
GLPCOM022I The database plugin is successfully loaded from libback-config.a.
GLPSRV015I Server configured to use 636 as the secure port.
GLPCOM024I The extended Operation plugin is successfully loaded from libloga.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libidsfget.a.
GLPSRV180I Pass-through authentication is disabled.
GLPCOM003I Non-SSL port initialized to 389.
GLPCOM004I SSL port initialized to 636.
Stopping the LDAP server.
GLPSRV176I Terminated directory server instance 'ldapdb2' normally.
GLPSRV041I Server starting.
GLPCTL113I Largest core file size creation limit for the process (in bytes): '0'(Soft limit) and '-1'(Hard limit).
GLPCTL119I Maximum Data Segment(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is 262144.
GLPCTL119I Maximum File Size(512 bytes block) soft ulimit for the process is -1 and the prescribed minimum is 2097151.
GLPCTL122I Maximum Open Files soft ulimit for the process is 2000 and the prescribed minimum is 500.
GLPCTL121I Maximum Physical Memory(Kbytes) soft ulimit for the process was 32768 and it is modified to the prescribed minimum 262144.
GLPCTL121I Maximum Stack Size(Kbytes) soft ulimit for the process was 32768 and it is modified to the prescribed minimum 65536.
GLPCTL119I Maximum Virtual Memory(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is 1048576.
GLPCOM024I The extended Operation plugin is successfully loaded from libevent.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libldaprepl.a.
GLPSRV155I The DIGEST-MD5 SASL Bind mechanism is enabled in the configuration file.
GLPCOM021I The preoperation plugin is successfully loaded from libDigest.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libevent.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.a.
GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.a.
GLPCOM025I The audit plugin is successfully loaded from libldapaudit.a.
GLPCOM025I The audit plugin is successfully loaded from /usr/ccs/lib/libsecldapaudit64.a(shr.o).
GLPCOM024I The extended Operation plugin is successfully loaded from libevent.a.
GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.a.
GLPCOM022I The database plugin is successfully loaded from libback-config.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libevent.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libtranext.a.
GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libpsearch.a.
GLPCOM022I The database plugin is successfully loaded from libback-rdbm.a.
GLPCOM010I Replication plugin is successfully loaded from libldaprepl.a.
GLPSRV189I Virtual list view support is enabled.
GLPCOM021I The preoperation plugin is successfully loaded from libpta.a.
GLPSRV194I The Record Deleted Entries feature is disabled. Deleted entries are immediately removed from the database.
GLPSRV207I Group conflict resolution during replication is disabled.
GLPSRV221I Replication of security attributes feature is disabled.
GLPSRV200I Initializing primary database and its connections.
GLPRDB126I The directory server will not use DB2 selectivity.
GLPSRV017I Server configured for secure connections only.
GLPSRV015I Server configured to use 636 as the secure port.
GLPCOM024I The extended Operation plugin is successfully loaded from libloga.a.
GLPCOM024I The extended Operation plugin is successfully loaded from libidsfget.a.
GLPSRV180I Pass-through authentication is disabled.
GLPCOM004I SSL port initialized to 636.
3001-736 LDAP server failed to start.
Server setup failed.
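Added example (Python; not from these notes and not an IBM tool): a checker for the SSL stanza of ibmslapd.conf, using the attribute names that appear in the diff above, plus a triage of the GLP startup messages so a failed start like the one above is summarised instead of read line by line. SAMPLE_CONF and SAMPLE_LOG are constructed from the output above; the rule that an unset ibm-slapdSSLKeyDatabasePW means the server falls back to the .sth stash file is an assumption of this example.

```python
"""Check the SSL stanza of an ibmslapd.conf fragment and triage ibmslapd startup output.
Added example, not part of the original notes and not an IBM tool. The configuration lines
come from the diff above; the log lines are a constructed subset of the failed start above."""
import re

# Constructed: SSL-relevant attributes of ibmslapd.conf after mksecldap ... -j SSL.
SAMPLE_CONF = """\
ibm-slapdSecurity: SSL
ibm-slapdSslCertificate: itds3
ibm-slapdSslKeyDatabase: /etc/security/ldap/keys/itds3.kdb
ibm-slapdSSLKeyDatabasePW: {AES256}3v32qEGtZRR9khNzHOljag==
"""

# Constructed: a subset of the startup messages printed by the failed start above.
SAMPLE_LOG = """\
GLPSRV041I Server starting.
GLPCOM025I The audit plugin is successfully loaded from libldapaudit.a.
GLPSRV017I Server configured for secure connections only.
GLPSRV015I Server configured to use 636 as the secure port.
GLPCOM004I SSL port initialized to 636.
3001-736 LDAP server failed to start.
"""

# GLP message ids end in I (info), W (warning) or E (error).
GLP_CODE = re.compile(r"^(GLP[A-Z]{3}\d{3})([IWE])\b")


def parse_slapd_conf(text):
    """Map attribute names (lower-cased) to values; ibmslapd.conf is LDIF-like."""
    conf = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        conf[name.strip().lower()] = value.strip()
    return conf


def check_ssl_config(conf):
    """Return findings for the SSL stanza; an empty list means it is consistent."""
    findings = []
    if conf.get("ibm-slapdsecurity", "none").lower() == "none":
        findings.append("ibm-slapdSecurity is none: simple binds and password changes travel in clear text")
        return findings
    if conf.get("ibm-slapdsslcertificate", "none").lower() == "none":
        findings.append("ibm-slapdSslCertificate is none: no server certificate label is selected")
    kdb = conf.get("ibm-slapdsslkeydatabase", "")
    if not (kdb.startswith("/") and kdb.endswith(".kdb")):
        findings.append(f"ibm-slapdSslKeyDatabase '{kdb}' is not an absolute path to a .kdb file")
    pw = conf.get("ibm-slapdsslkeydatabasepw", "")
    if not pw:
        # Assumption: without this attribute the server relies on the .sth stash next to the .kdb.
        findings.append("ibm-slapdSSLKeyDatabasePW is unset: the stash file must exist beside the .kdb")
    elif not pw.startswith("{AES"):
        findings.append("ibm-slapdSSLKeyDatabasePW is not AES-wrapped by the instance key stash")
    return findings


def triage_startup_log(text):
    """Summarise GLP messages: error codes, ports, secure-only mode and the final outcome."""
    summary = {"errors": [], "secure_only": False, "ssl_port": None, "nonssl_port": None, "failed": False}
    for line in text.splitlines():
        m = GLP_CODE.match(line)
        if m and m.group(2) == "E":
            summary["errors"].append(m.group(1))
        if line.startswith("GLPSRV017I"):
            summary["secure_only"] = True
        m = re.match(r"GLPCOM004I SSL port initialized to (\d+)", line)
        if m:
            summary["ssl_port"] = int(m.group(1))
        m = re.match(r"GLPCOM003I Non-SSL port initialized to (\d+)", line)
        if m:
            summary["nonssl_port"] = int(m.group(1))
        if "failed to start" in line:
            summary["failed"] = True
    return summary


if __name__ == "__main__":
    for finding in check_ssl_config(parse_slapd_conf(SAMPLE_CONF)) or ["SSL stanza is consistent"]:
        print(finding)
    print(triage_startup_log(SAMPLE_LOG))
```

Run it against the real files with `parse_slapd_conf(open(path).read())` and the captured ibmslapd output; for the failed start above the summary shows secure-only mode, port 636 initialised, no GLP error code, and the 3001-736 failure, which tells you the SSL stanza itself was accepted and the cause must be looked for elsewhere (the instance log of ldapdb2).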
root@itds3 - /opt/IBM/ldap/V6.3.1/appsrv > ./bin/wsadmin.sh -conntype none -profileName TDSWebAdminProfile
WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
WASX7029I: For help, enter: "$Help help"
wsadmin>
==== Export the directory to LDIF ====
root@itds3 - /home/ldapdb2/idsslapd-ldapdb2/etc > idsdb2ldif -I ldapdb2 -o /tmp/ldapdb2.ldif
GLPCTL113I Largest core file size creation limit for the process (in bytes): '0'(Soft limit) and '-1'(Hard limit).
GLPCTL119I Maximum Data Segment(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is 262144.
GLPCTL119I Maximum File Size(512 bytes block) soft ulimit for the process is -1 and the prescribed minimum is 2097151.
GLPCTL122I Maximum Open Files soft ulimit for the process is 2000 and the prescribed minimum is 500.
GLPCTL121I Maximum Physical Memory(Kbytes) soft ulimit for the process was 32768 and it is modified to the prescribed minimum 262144.
GLPCTL121I Maximum Stack Size(Kbytes) soft ulimit for the process was 32768 and it is modified to the prescribed minimum 65536.
GLPCTL119I Maximum Virtual Memory(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is 1048576.
GLPSRV221I Replication of security attributes feature is disabled.
GLPRDB003E ibm-slapdDbName parameter is missing from LDAP directory configuration file.
GLPRDB039E ibm-slapdDbUserID parameter is missing from LDAP directory configuration file.
GLPRDB040E ibm-slapdDbUserPW parameter is missing from LDAP directory configuration file.
root@itds3 - /home/ldapdb2/idsslapd-ldapdb2/etc > cat /tmp/ldapdb2.ldif
==== Install Web App ====
root@itds3 - /mnt1/ibm_ewas > ./install.sh -installRoot /opt/IBM/ldap/V6.3.1/appsrv
+---------------------------------------+
+ EWAS Version 7.0 Install +
+---------------------------------------+
Validating target directory ...
Copying files ...
Setting permissions ...
Installation complete.
root@itds3 - /opt/IBM/ldap/V6.3.1/idstools > ./deploy_IDSWebApp
/opt/IBM/ldap/V6.3.1/appsrv/bin/manageprofiles.sh -create -profileName TDSWebAdminProfile -profilePath /opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile -templatePath /opt/IBM/ldap/V6.3.1/appsrv/profileTemplates/default -nodeName DefaultNode -hostName localhost -cellName DefaultNode -isDefault -portsFile /opt/IBM/ldap/V6.3.1/idstools/TDSWEBPortDef.props
Jun 16, 2014 11:23:50 AM java.util.prefs.FileSystemPreferences$2 run
INFO: Created user preferences directory.
INSTCONFSUCCESS: Success: Profile TDSWebAdminProfile now exists. Please consult /opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/logs/AboutThisProfile.txt for more information about this profile.
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/bin/wsadmin.sh -conntype NONE -c "\$AdminApp install {/opt/IBM/ldap/V6.3.1/idstools/IDSWebApp.war} {-configroot \"${WAS_HOME}/config\" -node DefaultNode -usedefaultbindings -nodeployejb -appname ${IDSWebApp_Name} -contextroot \"IDSWebApp\"}"
WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
WASX7411W: Ignoring the following provided option: [configroot]
WASX7434W: Found the following deprecated option: [configroot]
WASX7327I: Contents of was.policy file:
//
// Template policy file for enterprise application.
// Extra permissions can be added if required by the enterprise application.
//
// NOTE: Syntax errors in the policy files will cause the enterprise application FAIL to start.
// Extreme care should be taken when editing these policy files. It is advised to use
// the policytool provided by the JDK for editing the policy files
// (WAS_HOME/java/jre/bin/policytool).
//
grant codeBase "file:${application}" {
};
grant codeBase "file:${jars}" {
};
grant codeBase "file:${connectorComponent}" {
};
grant codeBase "file:${webComponent}" {
};
grant codeBase "file:${ejbComponent}" {
};
ADMA5016I: Installation of IDSWebApp.war started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application IDSWebApp.war is configured in the WebSphere Application Server repository.
ADMA5053I: The library references for the installed optional package are created.
ADMA5005I: The application IDSWebApp.war is configured in the WebSphere Application Server repository.
ADMA5001I: The application binaries are saved in /opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/wstemp/Script146a3fe85f2/workspace/cells/DefaultNode/applications/IDSWebApp.war.ear/IDSWebApp.war.ear
ADMA5005I: The application IDSWebApp.war is configured in the WebSphere Application Server repository.
SECJ0400I: Successfully updated the application IDSWebApp.war with the appContextIDForSecurity information.
ADMA5005I: The application IDSWebApp.war is configured in the WebSphere Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application IDSWebApp.war is complete.
ADMA5013I: Application IDSWebApp.war installed successfully.
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/bin/stopServer.sh server1
ADMU0116I: Tool information is being logged in file
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/logs/server1/stopServer.log
ADMU0128I: Starting tool with the TDSWebAdminProfile profile
ADMU3100I: Reading configuration for server: server1
ADMU0509I: The server "server1" cannot be reached. It appears to be stopped.
ADMU0211I: Error details may be seen in the file:
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/logs/server1/stopServer.log
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/bin/startServer.sh server1
ADMU0116I: Tool information is being logged in file
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/logs/server1/startServer.log
ADMU0128I: Starting tool with the TDSWebAdminProfile profile
ADMU3100I: Reading configuration for server: server1
ADMU3200I: Server launched. Waiting for initialization status.
ADMU3000I: Server server1 open for e-business; process id is 6225928
WASX7209I: Connected to process "server1" on node DefaultNode using SOAP connector; The type of process is: UnManagedProcess
WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[/opt/IBM/ldap/V6.3.1/appsrv, TDSWebAdminProfile, DefaultNode, IDSWebApp.war]"
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/bin/stopServer.sh server1
ADMU0116I: Tool information is being logged in file
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/logs/server1/stopServer.log
ADMU0128I: Starting tool with the TDSWebAdminProfile profile
ADMU3100I: Reading configuration for server: server1
ADMU3201I: Server stop request issued. Waiting for stop status.
ADMU4000I: Server server1 stop completed.
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/bin/startServer.sh server1
ADMU0116I: Tool information is being logged in file
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/logs/server1/startServer.log
ADMU0128I: Starting tool with the TDSWebAdminProfile profile
ADMU3100I: Reading configuration for server: server1
ADMU3200I: Server launched. Waiting for initialization status.
ADMU3000I: Server server1 open for e-business; process id is 6225930
/opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/bin/stopServer.sh server1
http://itds3:12100/IDSWebApp/
GLPWCO010E Authentication error: Either the user name or password (or both) is incorrect, or the password has expired.
root@itds3 - /opt/IBM/ldap/V6.3.1/appsrv/profiles/TDSWebAdminProfile/config/cells/DefaultNode > /opt/IBM/ldap/V6.3.1/appsrv/bin/wsadmin.sh -conntype none -profileName TDSWebAdminProfile
WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
WASX7029I: For help, enter: "$Help help"
wsadmin>securityoff
LOCAL OS security is off now but you need to restart server1 to make it affected.
wsadmin>exit
Default login for the Web Administration Tool console: superadmin / secret
########################################################################
==== Set individual password policy / group password policy ====
=== Using the command line ===
To enable the password policy, issue the following command (the LDIF is read from standard input):
idsldapmodify -D adminDN -w adminPW -p port -k
dn: cn=pwdpolicy,cn=ibmpolicies
changetype: modify
replace: ibm-pwdpolicy
ibm-pwdpolicy: true
-
replace: ibm-pwdGroupAndIndividualEnabled
ibm-pwdGroupAndIndividualEnabled: true
To define group and individual password policies issue the following commands:
idsldapadd -D adminDN -w adminPW
dn:cn=grp1_pwd_policy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn: grp1_pwd_policy
pwdAttribute: userPassword
pwdGraceLoginLimit: 1
pwdLockoutDuration: 30
pwdMaxFailure: 2
pwdFailureCountInterval: 5
pwdMaxAge: 999
pwdExpireWarning: 0
pwdMinLength: 8
pwdLockout: true
pwdAllowUserChange: true
pwdMustChange: false
ibm-pwdpolicy:true
idsldapadd -D adminDN -w adminPW
dn:cn=individual1_pwd_policy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn: individual1_pwd_policy
pwdAttribute: userPassword
pwdGraceLoginLimit: 3
pwdLockoutDuration: 50
pwdMaxFailure: 3
pwdFailureCountInterval:
pwdMaxAge: 500
pwdExpireWarning: 0
pwdMinLength: 5
pwdLockout: true
pwdAllowUserChange: true
pwdMustChange: false
ibm-pwdpolicy:true
To associate the group and individual password policies with a group or a user, issue the following commands. For instance, to associate a group password policy with a group:
idsldapmodify -D adminDN -w adminPW -k
dn:cn=group1,o=sample
changetype:modify
add:ibm-pwdGroupPolicyDN
ibm-pwdGroupPolicyDN:cn=grp1_pwd_policy,cn=ibmpolicies
To associate an individual password policy with a user:
idsldapmodify -D adminDN -w adminPW -k
dn: cn=user1,o=sample
changetype:modify
add:ibm-pwdIndividualPolicyDN
ibm-pwdIndividualPolicyDN: cn=individual1_pwd_policy,cn=ibmpolicies
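Added example (Python; not from these notes and not from the IBM documentation the LDIF is taken from): an offline audit of pwdPolicy entries before they are loaded with idsldapadd. It parses the LDIF, checks that the RDN matches a cn value of the entry and that the pwdPolicy and ibm-pwdPolicyExt object classes are present, and compares the numeric attributes against a baseline. SAMPLE_LDIF is a constructed copy of the two policies above, with the individual policy keeping a cn mismatch and the pwdMinLength of 5 so the checks have something to find; BASELINE is an illustrative assumption, not an IBM default.

```python
"""Audit pwdPolicy entries in an LDIF file before loading them with idsldapadd.
Added example, not from these notes or from IBM. SAMPLE_LDIF is a constructed copy of the two
policies above (the second keeps an RDN/cn mismatch on purpose); BASELINE is an assumed,
illustrative threshold set, not an IBM default."""
import re

SAMPLE_LDIF = """\
dn:cn=grp1_pwd_policy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn:grp1_pwd_policy
pwdAttribute: userPassword
pwdGraceLoginLimit: 1
pwdLockoutDuration: 30
pwdMaxFailure: 2
pwdFailureCountInterval: 5
pwdMaxAge: 999
pwdMinLength: 8
pwdLockout: true
ibm-pwdpolicy:true

dn:cn=individual1_pwd_policy,cn=ibmpolicies
objectclass: container
objectclass: pwdPolicy
objectclass: ibm-pwdPolicyExt
objectclass: top
cn:grp_pwd_policy
pwdAttribute: userPassword
pwdGraceLoginLimit: 3
pwdLockoutDuration: 50
pwdMaxFailure: 3
pwdMaxAge: 500
pwdMinLength: 5
pwdLockout: true
ibm-pwdpolicy:true
"""

# Assumed baseline: attribute -> ("min" | "max", limit); pwdMaxAge is in seconds.
BASELINE = {
    "pwdminlength": ("min", 8),
    "pwdmaxfailure": ("max", 5),
    "pwdgraceloginlimit": ("max", 2),
    "pwdmaxage": ("max", 90 * 24 * 3600),
}

def parse_ldif(text):
    """Split LDIF into (dn, {attribute_lower: [values]}) per blank-line-separated record."""
    entries = []
    for record in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in record.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries

def audit_pwd_policy(dn, attrs):
    """Return findings for one policy entry; an empty list means it passes."""
    findings = []
    def values(name):
        return [v.lower() for v in attrs.get(name, [])]
    # The RDN value must also be present as a cn value of the entry.
    rdn_value = dn.split(",", 1)[0].split("=", 1)[1].strip()
    if rdn_value.lower() not in values("cn"):
        findings.append(f"RDN '{rdn_value}' does not match cn values {attrs.get('cn')}")
    for oc in ("pwdpolicy", "ibm-pwdpolicyext"):
        if oc not in values("objectclass"):
            findings.append(f"missing objectclass {oc}")
    if values("pwdattribute") != ["userpassword"]:
        findings.append("pwdAttribute must be userPassword")
    if values("pwdlockout") != ["true"]:
        findings.append("pwdLockout is not true: failed binds never lock the account")
    for name, (kind, limit) in BASELINE.items():
        try:
            value = int(attrs[name][0])
        except (KeyError, ValueError):
            findings.append(f"{name} missing or not an integer")
            continue
        if kind == "min" and value < limit:
            findings.append(f"{name}={value} is below the baseline minimum {limit}")
        elif kind == "max" and value > limit:
            findings.append(f"{name}={value} exceeds the baseline maximum {limit}")
    return findings

def audit_ldif(text):
    """Audit every entry in an LDIF text: {dn: [findings]}."""
    return {dn: audit_pwd_policy(dn, attrs) for dn, attrs in parse_ldif(text)}
```

Usage: `audit_ldif(open("policies.ldif").read())`. On the sample the group policy passes, while the individual policy reports the RDN/cn mismatch, pwdMinLength 5 and pwdGraceLoginLimit 3; fix those in the file before feeding it to idsldapadd, since the server accepts a weak policy as readily as a strong one.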
==== Replication ====
http://www-01.ibm.com/support/docview.wss?uid=swg21396012
==== Audit LDAP ====
http://www.ibm.com/developerworks/aix/library/au-aix-audit-on-ldap/#download
cat audit.ldif
#audit schema
###################################################################################################
dn:cn=schema
changetype: modify
add: attributetypes
attributetypes: (
1.3.18.0.2.4.3651
NAME 'ibm-auditBinStanza'
DESC 'Specifies the audit bin stanza, with value being attribute=value pairs separated by colon'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
)
-
add: ibmattributetypes
ibmattributetypes: (
1.3.18.0.2.4.3651
DBNAME( 'auditBinStanza' 'auditBinStanza' )
ACCESS-CLASS normal
LENGTH 1024
)
dn:cn=schema
changetype: modify
add: attributetypes
attributetypes: (
1.3.18.0.2.4.3650
NAME 'ibm-auditStreamStanza'
DESC 'Specifies the audit stream stanza, with value being attribute=value pairs separated by colon'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
)
-
add: ibmattributetypes
ibmattributetypes: (
1.3.18.0.2.4.3650
DBNAME( 'auditStreamStanza' 'auditStreamStanza' )
ACCESS-CLASS normal
LENGTH 1024
)
dn:cn=schema
changetype: modify
add: attributetypes
attributetypes: (
1.3.18.0.2.4.3649
NAME 'ibm-auditStartStanza'
DESC 'Specifies the audit start stanza, with value being attribute=value pairs separated by colon'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
)
-
add: ibmattributetypes
ibmattributetypes: (
1.3.18.0.2.4.3649
DBNAME( 'auditStartStanza' 'auditStartStanza' )
ACCESS-CLASS normal
LENGTH 1024
)
dn:cn=schema
changetype: modify
add: attributetypes
attributetypes: (
1.3.18.0.2.4.3648
NAME 'ibm-auditTimeStamp'
DESC 'Specifies the time when audit configuration is updated'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
)
-
add: ibmattributetypes
ibmattributetypes: (
1.3.18.0.2.4.3648
DBNAME( 'auditTimeStamp' 'auditTimeStamp' )
ACCESS-CLASS normal
LENGTH 64
)
dn:cn=schema
changetype: modify
add: attributetypes
attributetypes: (
1.3.18.0.2.4.3647
NAME 'ibm-auditconfig'
DESC 'Specifies the audit configuration name'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
)
-
add: ibmattributetypes
ibmattributetypes: (
1.3.18.0.2.4.3647
DBNAME( 'auditconfig' 'auditconfig' )
ACCESS-CLASS normal
LENGTH 1024
)
dn:cn=schema
changetype: modify
add: attributetypes
attributetypes: (
1.3.18.0.2.4.3654
NAME 'ibm-auditClassEvents'
DESC 'Specify the audit class events'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
)
-
add: ibmattributetypes
ibmattributetypes: (
1.3.18.0.2.4.3654
DBNAME( 'auditClassEvents' 'auditClassEvents' )
ACCESS-CLASS normal
LENGTH 1024
)
dn:cn=schema
changetype: modify
add: attributetypes
attributetypes: (
1.3.18.0.2.4.3655
NAME 'ibm-auditClassName'
DESC 'Specifies the audit class name of the audit config file'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications
)
-
add: ibmattributetypes
ibmattributetypes: (
1.3.18.0.2.4.3655
DBNAME( 'auditclassName' 'auditclassName' )
ACCESS-CLASS normal
LENGTH 16
)
dn:cn=schema
changetype: modify
add: objectclasses
objectclasses: (
1.3.18.0.2.6.680
NAME 'ibm-aixAuditConfig'
STRUCTURAL
)
dn:cn=schema
changetype: modify
replace: objectclasses
objectclasses: (
1.3.18.0.2.6.680
NAME 'ibm-aixAuditConfig'
DESC 'Represents the AIX audit configuration information'
SUP top
STRUCTURAL
MUST ibm-auditconfig
MAY ( ibm-auditTimeStamp $ ibm-auditStartStanza $ ibm-auditBinStanza $ ibm-auditStreamStanza )
)
dn:cn=schema
changetype: modify
add: objectclasses
objectclasses: (
1.3.18.0.2.6.681
NAME 'ibm-aixAuditClass'
STRUCTURAL
)
dn:cn=schema
changetype: modify
replace: objectclasses
objectclasses: (
1.3.18.0.2.6.681
NAME 'ibm-aixAuditClass'
DESC 'AIX Audit Class Stanza'
SUP top
STRUCTURAL
MUST ibm-auditClassName
MAY ( ibm-auditClassEvents )
)
#End of audit schema
###################################################################################################
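Added example (Python; not part of these notes or of the developerWorks article): a cross-check of a schema LDIF like audit.ldif before it is applied to cn=schema with idsldapmodify. It gathers the multi-line attributetypes, ibmattributetypes and objectclasses definitions, then reports attributes that have no ibmattributetypes (DBNAME/LENGTH) entry and MUST/MAY references to attributes that are never defined, the two mistakes that make the server reject the load. SAMPLE_SCHEMA is a constructed subset of audit.ldif above with both defects introduced on purpose.

```python
"""Cross-check an ITDS schema LDIF before loading it into cn=schema with idsldapmodify.
Added example, not part of the notes or the developerWorks article; SAMPLE_SCHEMA is a
constructed subset of audit.ldif with two defects introduced on purpose."""
import re

SAMPLE_SCHEMA = """\
dn:cn=schema
changetype: modify
add: attributetypes
attributetypes: (
1.3.18.0.2.4.3647
NAME 'ibm-auditconfig'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
-
add: ibmattributetypes
ibmattributetypes: (
1.3.18.0.2.4.3647
DBNAME( 'auditconfig' 'auditconfig' )
ACCESS-CLASS normal
LENGTH 1024
)

dn:cn=schema
changetype: modify
add: attributetypes
attributetypes: (
1.3.18.0.2.4.3648
NAME 'ibm-auditTimeStamp'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)

dn:cn=schema
changetype: modify
replace: objectclasses
objectclasses: (
1.3.18.0.2.6.680
NAME 'ibm-aixAuditConfig'
SUP top
STRUCTURAL
MUST ibm-auditconfig
MAY ( ibm-auditTimeStamp $ ibm-auditStartStanza )
)
"""

DEF_START = re.compile(r"^(attributetypes|ibmattributetypes|objectclasses):\s*(.*)$", re.I)

def parse_schema(text):
    """Collect each parenthesised definition (spanning several lines here) under its LDIF attribute."""
    defs = {"attributetypes": [], "ibmattributetypes": [], "objectclasses": []}
    kind, depth, parts = None, 0, []
    for line in text.splitlines():
        if kind is None:
            m = DEF_START.match(line)
            if not m:
                continue                 # dn:, changetype:, add:, '-' and blank lines
            kind, chunk = m.group(1).lower(), m.group(2)
        else:
            chunk = line
        parts.append(chunk.strip())
        depth += chunk.count("(") - chunk.count(")")
        if depth == 0:                   # outer parenthesis closed: definition complete
            defs[kind].append(" ".join(parts))
            kind, parts = None, []
    return defs

def oid_of(definition):
    return definition.lstrip("( ").split()[0]

def name_of(definition):
    m = re.search(r"\bNAME\s+'([^']+)'", definition)
    return m.group(1) if m else None

def refs(definition, keyword):
    """Attribute names after MUST or MAY: a single name or a ( a $ b ) list."""
    m = re.search(rf"\b{keyword}\s+(?:\(\s*([^)]*)\)|([\w-]+))", definition)
    if not m:
        return []
    if m.group(1) is not None:
        return [a.strip() for a in m.group(1).split("$") if a.strip()]
    return [m.group(2)]

def check_schema(defs):
    """Findings: attributes without DB metadata and dangling MUST/MAY references."""
    findings = []
    attrs = {name_of(d).lower(): oid_of(d) for d in defs["attributetypes"]}  # NAME -> OID
    ibm_oids = {oid_of(d) for d in defs["ibmattributetypes"]}
    for name, oid in attrs.items():
        if oid not in ibm_oids:
            findings.append(f"{name}: no ibmattributetypes (DBNAME/LENGTH) entry for OID {oid}")
    for d in defs["objectclasses"]:
        for keyword in ("MUST", "MAY"):
            for ref in refs(d, keyword):
                if ref.lower() not in attrs:
                    findings.append(f"{name_of(d)} {keyword} references undefined attribute {ref}")
    return findings
```

Usage: `check_schema(parse_schema(open("audit.ldif").read()))`; the full audit.ldif above comes back clean, the sample reports the missing ibmattributetypes entry for ibm-auditTimeStamp and the undefined ibm-auditStartStanza.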
==== Preparation ====
chsec -f /etc/security/user -s default -a "SYSTEM=files"
chsec -f /etc/security/user -s default -a registry=files
mkgroup -R files admin=false id=650 idsldap
mkgroup -R files admin=false id=651 dbsysadm
mkuser -R files admin=false id=650 pgrp=idsldap gecos='LDAP administrator' idsldap
mkuser -R files admin=false id=651 pgrp=idsldap gecos='LDAP instance' ldapdb2
echo "idsldap:idsldap" | chpasswd -c
echo "ldapdb2:ldapdb2pwd" | chpasswd -c
/usr/bin/chgrpmem -m + root idsldap
mklv -tjfs2 -y worklv rootvg 15G
crfs -vjfs2 -d worklv -m /work -Ayes
mount /work
mklv -tjfs2 -y ldapdb2lv ldapvg 3G
crfs -vjfs2 -d ldapdb2lv -m /home/ldapdb2 -Ayes
mount /home/ldapdb2
chown -R ldapdb2.idsldap /home/ldapdb2
chmod g+w /home/ldapdb2
mkdir /home/ldapdb2/backups
mv /opt/IBM /opt/IBM1
mklv -tjfs2 -y ldapbinlv ldapvg 3G
crfs -vjfs2 -d ldapbinlv -m /opt/IBM -Ayes
chmod 755 /opt/IBM
mount /opt/IBM
cd /opt/IBM1
mv * /opt/IBM
cd ; rm -r /opt/IBM1
chfs -a size=5G /tmp
chfs -a size=7G /opt
==== Install prerequisites ====
mount nimbcp:/export/other /mnt
cp /mnt/rpm/ibm_official_gtk_bundlev1/gtk2_bundle_v1.tar /work
cd /work
tar xvf gtk2_bundle_v1.tar
cd /work/gtk2_bundle_v1
root@itds3 - /work/gtk2_bundle_v1 > ll
total 38348
4 drwxr-xr-x 2 root system 4096 Dec 10 2013 .
0 drwxr-xr-x 4 root system 256 Aug 18 11:27 ..
312 -rw-r----- 1 202 staff 316946 Jun 29 2010 atk-1.12.3-2.aix5.2.ppc.rpm
976 -rw-r----- 1 root system 996515 Oct 4 2013 cairo-1.8.8-1.aix5.2.ppc.rpm
160 -rw-r----- 1 202 staff 160182 Jun 29 2010 expat-2.0.1-1.aix5.2.ppc.rpm
292 -rw-r----- 1 202 staff 295348 Jun 29 2010 fontconfig-2.4.2-1.aix5.2.ppc.rpm
696 -rw-r----- 1 202 staff 711492 Jun 29 2010 freetype2-2.3.9-1.aix5.2.ppc.rpm
696 -rw-r----- 1 202 staff 710948 Jun 29 2010 gettext-0.10.40-6.aix5.1.ppc.rpm
1580 -rw-r----- 1 root system 1615082 Oct 4 2013 glib2-2.12.4-2.aix5.2.ppc.rpm
11508 -rw-r----- 1 root system 11784046 Oct 4 2013 gtk2-2.10.6-4.aix5.2.ppc.rpm
19160 -rw-r----- 1 root system 19619840 Nov 12 2013 gtk2_bundle_v1.tar
4 -rwxr-xr-x 1 root system 3536 Nov 15 2013 install.sh
264 -rw-r----- 1 202 staff 267086 Jun 29 2010 libjpeg-6b-6.aix5.1.ppc.rpm
484 -rw-r----- 1 202 staff 493057 Jun 29 2010 libpng-1.2.32-2.aix5.2.ppc.rpm
776 -rw-r----- 1 202 staff 792582 Jun 29 2010 libtiff-3.8.2-1.aix5.2.ppc.rpm
872 -rw-r--r-- 1 202 staff 892588 Jun 10 2010 pango-1.14.5-4.aix5.2.ppc.rpm
204 -rw-r----- 1 root system 206727 Oct 4 2013 pixman-0.12.0-3.aix5.2.ppc.rpm
56 -rw-r----- 1 202 staff 55509 Jun 29 2010 xcursor-1.1.7-3.aix5.2.ppc.rpm
120 -rw-r----- 1 202 staff 120078 Jun 29 2010 xft-2.1.6-5.aix5.1.ppc.rpm
72 -rw-r----- 1 202 staff 71653 Jun 29 2010 xrender-0.9.1-3.aix5.2.ppc.rpm
112 -rw-r----- 1 202 staff 110689 Jun 29 2010 zlib-1.2.3-3.aix5.1.ppc.rpm
rpm --nodeps -e libXft-2.3.1-1
rpm --nodeps -e libXrender-0.9.8-1
rpm --nodeps -e freetype2
rpm --nodeps -e fontconfig-2.10.2-1
rpm --nodeps -e expat
./install.sh
root@itds3 - /work/gtk2_bundle_v1 > ./install.sh
Package atk already installed
Package cairo already installed
Package expat already installed
Package fontconfig already installed
Package freetype2 already installed
Package gettext already installed
Package glib2 already installed
Package gtk2 already installed
Package libjpeg already installed
Package libpng already installed
Package libtiff already installed
Package pango already installed
Package pixman already installed
Package xcursor already installed
Package xft already installed
Package xrender already installed
Package zlib already installed
rpm -Uhv /mnt/rpm/latest/tar\-1.27\-1.aix5.1.ppc.rpm
rpm -Uhv /mnt/rpm/latest/firefox\-3.5.16\-2.aix5.1.ppc.rpm
rpm -Uhv /mnt/rpm/latest/tightvnc\-server\-1.3.10\-2.aix5.1.ppc.rpm
root@asdsprdds1 - /work > vncserver :1
You will require a password to access your desktops.
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
1356-364 xauth: creating new authority file /root/.Xauthority
New 'X' desktop is asdsprdds1:1
Creating default startup script /root/.vnc/xstartup
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/asdsprdds1:1.log
lslpp -Lc | egrep "X11.adt.lib|bos.loc.iso.en_US"
X11.adt:X11.adt.lib:7.1.2.15: : :C:F:AIXwindows Application Development Toolkit Libraries: : : : : : :1:0:/:1316
bos.loc.iso:bos.loc.iso.en_US:7.1.1.0: : :C:F:Base System Locale ISO Code Set - U.S. English: : : : : : :1:0:/:1140
cp /mnt/itds/server/631/sds631_aix_ppc64.iso /work
mkdir /mnt1
loopmount -i /work/sds631_aix_ppc64.iso -o "-V cdrfs -o ro" -m /mnt1
# Add the hostname to /etc/hosts, otherwise the instance won't be created
root@itds3 - /opt/IBM > echo "192.168.0.26 itds3" >> /etc/hosts
==== Install Installation Manager (optional) ====
root@asdsprdds2 - /mnt1/ibm_im > /mnt1/ibm_im/installc -acceptLicense
Installed com.ibm.cic.agent_1.7.0.20130828_2012 to the /opt/IBM/InstallationManager/eclipse directory.
==== Install DB2 ====
root@asdsprdds2 - /mnt1/ibm_db2 > /mnt1/ibm_db2/db2_install
Default directory for installation of products - /opt/IBM/db2/V9.7
***********************************************************
Do you want to choose a different directory to install [yes/no] ?
no
Specify one of the following keywords to install DB2 products.
ESE
CLIENT
RTCL
Enter "help" to redisplay product names.
Enter "quit" to exit.
***********************************************************
ESE
....
==== Install GSKit ====
root@asdsprdds2 - /mnt1/ibm_db2 > installp -agXY -d /mnt1/ibm_gskit GSKit8.gskcrypt64.ppc.rte GSKit8.gskssl64.ppc.rte
install_all_updates -d /mnt1/ibm_gskit -rc -Y
==== Install LDAP server packages ====
echo "1" | /mnt1/license/idsLicense
Install the packages with smit installp; the resulting filesets:
idsldap.clt64bit631:idsldap.clt64bit631.rte:6.3.1.0: : :C: :Directory Server - 64 bit Client: : : : : : :0:0:/:
idsldap.clt_max_crypto64bit631:idsldap.clt_max_crypto64bit631.rte:6.3.1.0: : :C: :Directory Server - 64 bit Client (SSL): : : : : : :0:0:/:
idsldap.cltbase631:idsldap.cltbase631.adt:6.3.1.0: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.cltbase631:idsldap.cltbase631.rte:6.3.1.0: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.ent631:idsldap.ent631.rte:6.3.1.0: : :C: :Directory Server - Entitlement: : : : : : :0:0:/:
idsldap.license631:idsldap.license631.rte:6.3.1.0: : :C: :Directory Server - License: : : : : : :0:0:/:
idsldap.msg:idsldap.msg631.en_US:6.3.1.0: : :C: :Directory Server - Messages - U.S. English (en): : : : : : :0:0:/:
idsldap.srv64bit631:idsldap.srv64bit631.rte:6.3.1.0: : :C: :Directory Server - 64 bit Server: : : : : : :0:0:/:
idsldap.srv_max_cryptobase64bit631:idsldap.srv_max_cryptobase64bit631.rte:6.3.1.0: : :C: :Directory Server - base Server (SSL): : : : : : :0:0:/:
idsldap.srvbase64bit631:idsldap.srvbase64bit631.rte:6.3.1.0: : :C: :Directory Server - Base Server: : : : : : :0:0:/:
==== Install Java for LDAP (optional) ====
Required for idsxcfgdb and idsxinst.
tar -xvf /mnt1/ibm_jdk/ibm-java-16sr14-aix-ppc-64.tar -C /opt/IBM/ldap/V6.3.1/
chmod a+x /opt/IBM/ldap/V6.3.1/java/jre/bin/java
==== Setup LDAP ====
# Instance creation
/opt/IBM/ldap/V6.3.1/sbin/idsicrt -n -I ldapdb2 -e mydomain1234 -g encrypt_salt -l /home/ldapdb2 -i 192.168.0.22,127.0.0.1 -p389 -s 636 -a 3538 -c 3539 -t ldapdb2
# Database creation
/opt/IBM/ldap/V6.3.1/sbin/idscfgdb -n -I ldapdb2 -t ldapdb2 -l /home/ldapdb2 -a ldapdb2 -w ldapdb2pwd -k /home/ldapdb2/backup
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I ldapdb2
/opt/IBM/ldap/V6.3.1/sbin/ibmdiradm
# Set the password for the directory administrator (cn=root)
/opt/IBM/ldap/V6.3.1/sbin/idsdnpw -n -u cn=root -p mydomain1234
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -k -I ldapdb2
/opt/IBM/ldap/V6.3.1/sbin/ibmdiradm -k
# Add suffix (mydomain.org)
/opt/IBM/ldap/V6.3.1/sbin/idscfgsuf -n -I ldapdb2 -s o=mydomain.org
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I ldapdb2 -k
# Configure symbolic links
/opt/IBM/ldap/V6.3.1/bin/idslink -g -i -s fullsrv -f
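A pre-flight check for the idsicrt and idsdnpw step above, added here as an example; it is not the page's or IBM's code. It assumes the idsicrt limits as documented for Directory Server 6.3 (encryption seed of 12 to 1016 printable ASCII characters, encryption salt of exactly 12), uses the page's hostname, seed and salt values, and the /etc/hosts content is constructed.

```python
# Added example, not from the page: pre-flight checks for the idsicrt/idsdnpw step.
# Seed/salt limits are assumed from the IBM Directory Server 6.3 idsicrt docs.

def _printable_ascii(s: str) -> bool:
    # idsicrt accepts only ASCII codes 33..126 (no spaces or control characters).
    return all(33 <= ord(c) <= 126 for c in s)

def check_seed(seed: str) -> list[str]:
    # Encryption seed: 12..1016 printable ASCII characters.
    problems = []
    if not 12 <= len(seed) <= 1016:
        problems.append("seed length must be 12..1016 characters")
    if not _printable_ascii(seed):
        problems.append("seed must contain only ASCII 33..126")
    return problems

def check_salt(salt: str) -> list[str]:
    # Encryption salt: exactly 12 printable ASCII characters.
    problems = []
    if len(salt) != 12:
        problems.append("salt must be exactly 12 characters")
    if not _printable_ascii(salt):
        problems.append("salt must contain only ASCII 33..126")
    return problems

def hostname_in_hosts(hosts_text: str, hostname: str) -> bool:
    # True if hostname appears as a name (not the address) on a non-comment /etc/hosts line.
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            return True
    return False

def preflight(hostname, hosts_text, seed, salt, admin_pw) -> list[str]:
    # Everything that would make idsicrt fail, or tie the key-stash seed to the admin password.
    findings = check_seed(seed) + check_salt(salt)
    if seed == admin_pw:
        findings.append("encryption seed reused as the cn=root password")
    if not hostname_in_hosts(hosts_text, hostname):
        findings.append(f"{hostname} is not in /etc/hosts; idsicrt will not create the instance")
    return findings

# Constructed /etc/hosts sample; the page's seed and salt are both 12 characters.
SAMPLE_HOSTS = "127.0.0.1 loopback localhost\n192.168.0.26 itds3 # page's entry\n"

if __name__ == "__main__":
    for f in preflight("itds3", SAMPLE_HOSTS, "mydomain1234", "encrypt_salt", "mydomain1234"):
        print("WARN:", f)
```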
==== LDAP initialization ====
Add a user and a group, otherwise the LDAP client won't work:
root@asdspds2 - /home/ldapdb2/samples > cat group_add.ldif
dn: ou=aix,o=mydomain.org
ou: aix
objectclass: organizationalUnit
objectclass: top
dn: ou=Groups,ou=aix,o=mydomain.org
ou: Groups
objectClass: organizationalUnit
objectclass: top
dn: ou=People,ou=aix,o=mydomain.org
ou: People
objectClass: organizationalUnit
objectclass: top
dn: cn=staff,ou=Groups,ou=aix,o=mydomain.org
cn: staff
objectclass: aixauxgroup
objectclass: posixgroup
objectclass: top
gidnumber: 203
memberuid: testuser
isadministrator: false
dn: uid=testuser,ou=People,ou=aix,o=mydomain.org
uid: testuser
objectClass: aixauxaccount
objectClass: shadowaccount
objectClass: posixaccount
objectClass: account
objectClass: ibm-securityidentities
objectclass: top
cn: testuser
passwordchar: *
uidnumber: 203
gidnumber: 203
homedirectory: /home/testuser
loginshell: /usr/bin/ksh
isadministrator: false
root@asdspds2 - /home/ldapdb2/samples > /usr/bin/idsldapadd -D cn=root -w mydomain1234 -f group_add.ldif
Operation 0 adding new entry ou=Groups,o=mydomain.org
Operation 1 adding new entry cn=staff,ou=Groups,o=mydomain.org
Operation 2 adding new entry ou=People,o=mydomain.org
Operation 3 adding new entry uid=testuser,ou=People,o=mydomain.org
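A consistency check for the rfc2307aix LDIF above, added as an example and not part of the page. It tolerates the missing blank lines between entries as shown above, assumes REQUIRED_USER as the minimum attribute set the AIX client reads for a posixaccount, and the sample LDIF is constructed to mirror the staff/testuser entries.

```python
# Added example, not from the page; REQUIRED_USER is an assumed minimum for the AIX client.
REQUIRED_USER = ("uid", "uidnumber", "gidnumber", "homedirectory", "loginshell")

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    # A new 'dn:' (or a blank line) starts an entry; names and objectclass values are lower-cased.
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"): continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn" and cur:
            entries.append(cur); cur = {}
        cur.setdefault(name, []).append(value.lower() if name == "objectclass" else value)
    return entries + [cur] if cur else entries

def validate(entries) -> list[str]:
    # Returns human-readable problems; an empty list means the LDIF is consistent.
    users = [e for e in entries if "posixaccount" in e.get("objectclass", [])]
    groups = [e for e in entries if "posixgroup" in e.get("objectclass", [])]
    uids = {u["uid"][0] for u in users if "uid" in u}
    gids = {g["gidnumber"][0] for g in groups if "gidnumber" in g}
    problems = []
    for u in users:
        dn = u["dn"][0]
        problems += [f"{dn}: missing {a}" for a in REQUIRED_USER if a not in u]
        if "gidnumber" in u and u["gidnumber"][0] not in gids:
            problems.append(f"{dn}: gidnumber {u['gidnumber'][0]} has no posixgroup")
        if u.get("isadministrator", ["false"])[0].lower() == "true":
            problems.append(f"{dn}: isadministrator is true")
    for g in groups:
        for m in g.get("memberuid", []):
            if m not in uids:
                problems.append(f"{g['dn'][0]}: memberuid {m} is not a defined user")
    return problems

# Constructed sample mirroring the page's staff/testuser entries, blank lines omitted.
SAMPLE_LDIF = """\
dn: cn=staff,ou=Groups,ou=aix,o=mydomain.org
objectclass: posixgroup
gidnumber: 203
memberuid: testuser
dn: uid=testuser,ou=People,ou=aix,o=mydomain.org
uid: testuser
objectClass: posixaccount
uidnumber: 203
gidnumber: 203
homedirectory: /home/testuser
loginshell: /usr/bin/ksh
"""
```

Run `validate(parse_ldif(SAMPLE_LDIF))` before `idsldapadd`; an empty list means the client-side `lsuser -R LDAP` lookup has what it needs.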
On the client side, register the LDAP server:
root@tstbcp2 - /root > mksecldap -c -h asdspds2 -a cn=root -p mydomain1234 -S rfc2307aix
root@tstbcp2 - /root > /usr/sbin/start\-secldapclntd
The secldapclntd daemon is already running.
root@tstbcp2 - /root > lsuser -R LDAP ALL
testuser id=203 pgrp=staff groups=staff home=/home/testuser shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP or files logintimes= loginretries=5 pwdwarntime=0 account_locked=false minage=1 maxage=13 maxexpired=3 minalpha=2 minloweralpha=1 minupperalpha=1 minother=1 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=0 minlen=8 histexpire=13 histsize=8 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
Now you can manage users and groups directly from the client side.
==== Uninstall LDAP ====
# stop LDAP
ibmslapd -k -I ldapdb2
ibmdiradm -k
su - ldapdb2 -c "db2stop"
# Uninstall LDAP components
installp -u -g idsldap.clt64bit63 idsldap.clt_max_crypto64bit63 idsldap.cltbase63 idsldap.cltbase63 idsldap.cltjava63 idsldap.msg idsldap.srv64bit63 idsldap.srv_max_cryptobase64bit63 idsldap.srvbase64bit63 idsldap.srvproxy64bit63
# Uninstall DB2
/opt/IBM/db2/V9.7/instance/db2idrop ldapdb2
/opt/IBM/db2/V9.7/install/db2_deinstall -a
rm -rf /var/db2 /var/idsldap
rm -rf /tmp/db2* /tmp/prer* /tmp/inst* /tmp/SQLD*
rm -rf /opt/IBM/db2
rm -rf /opt/IBM/ldap/idsinstinfo /opt/IBM/ldap/V*
# Uninstall Installation Manager
/var/ibm/InstallationManager/uninstall/uninstallc
/opt/IBM/tsamp/sam/uninst/uninstallSAM