Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP

Updated: July 2014

LDAP Planning Overview

LDAP planning principally consists of determining which information to put into the LDAP client profile. A client uses the collection of configuration information in the profile to access naming service information from the LDAP server. You specify the configuration information when you build the profile on the LDAP server: during the server setup you are prompted for it. Some of the prompted information is required, while the rest is optional. In most cases, you would accept the default values that are already provided. The individual types of information that are prompted for the profile are called client attributes.

As you accumulate the configuration information for the profile, you can use the template checklists in Blank Checklists for Configuring LDAP. You can use these checklists as a reference when you set up the LDAP server.

The following table shows the LDAP client profile attributes.

Table 3-1  LDAP Client Profile Attributes

Each attribute is listed below with its description.

cn
    The profile name. The attribute has no default value. The value must be specified.

preferredServerList
    The host addresses of the preferred servers as a space-separated list of server addresses. (Do not use host names.) The servers in this list are tried in order before those in defaultServerList until a successful connection is made. This attribute has no default value. At least one server must be specified in either preferredServerList or defaultServerList.

    Note -  If you are using host names to define both defaultServerList and preferredServerList, then you must not use LDAP for host server lookup searches. Do not configure the config/host property of the svc:/network/name-service/switch service with the value ldap.

defaultServerList
    The host addresses of the default servers as a space-separated list of server addresses. (Do not use host names.) After the servers in preferredServerList are tried, the default servers on the client's subnet are tried, followed by the remaining default servers, until a connection is made. At least one server must be specified in either preferredServerList or defaultServerList. The servers in this list are tried only after those on the preferred server list. This attribute has no default value.

defaultSearchBase
    The DN relative to which to locate the well-known containers. This attribute has no default value. However, this value can be overridden for a given service by the serviceSearchDescriptor attribute.

defaultSearchScope
    Defines the scope of a database search by a client. It can be overridden by the serviceSearchDescriptor attribute. The possible values are one or sub. The default value is a single-level search (one).

authenticationMethod
    Identifies the method of authentication used by the client. The default is none (anonymous). See Authentication Methods for the LDAP Naming Service for more information.

credentialLevel
    Identifies the type of credentials a client should use to authenticate. The choices are anonymous, proxy, or self (also known as per-user). The default is anonymous.

serviceSearchDescriptor
    Defines how and where a client should search for a naming database, for example, whether the client should look in one or more points in the DIT. By default, no service search descriptors (SSDs) are defined.

serviceAuthenticationMethod
    Authentication method used by a client for the specified service. By default, no service authentication methods are defined. If a service does not have serviceAuthenticationMethod defined, it defaults to the value of authenticationMethod.

attributeMap
    Attribute mappings used by the client. By default, no attributeMap is defined.

objectclassMap
    Object class mappings used by the client. By default, no objectclassMap is defined.

searchTimeLimit
    Maximum time, in seconds, that a client should allow for a search to complete before timing out. This value does not affect the time the LDAP server allows for a search to complete. The default value is 30 seconds.

bindTimeLimit
    Maximum time, in seconds, that a client should allow to bind with a server before timing out. The default value is 30 seconds.

followReferrals
    Specifies whether a client should follow an LDAP referral. Possible values are TRUE or FALSE. The default value is TRUE.

profileTTL
    Time between refreshes of the client profile from the LDAP server by ldap_cachemgr(1M). The default value is 43200 seconds, or 12 hours. If given a value of 0, the profile is never refreshed.

These attributes are automatically set up when you run the idsconfig command on the server.
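The following added example (not part of the Oracle documentation or of any Solaris tool) applies the rules in Table 3-1 to a profile entry: it fills in the documented defaults, checks that a server is listed and that server lists contain addresses rather than host names, and resolves the serviceAuthenticationMethod fallback to authenticationMethod. The sample entry is constructed, and the 'addr:port' server syntax and the 'service:method' value format are assumptions.

```python
import ipaddress
DEFAULTS = {"defaultSearchScope": "one", "authenticationMethod": "none", "credentialLevel": "anonymous",
            "searchTimeLimit": 30, "bindTimeLimit": 30, "followReferrals": True, "profileTTL": 43200}

SAMPLE_PROFILE = """\
cn: example-profile
preferredServerList: 192.0.2.10
defaultServerList: 192.0.2.11 ldap2.example.com
authenticationMethod: tls:simple
serviceAuthenticationMethod: pam_ldap:sasl/GSSAPI
profileTTL: 0
"""  # constructed sample DUAConfigProfile entry, not taken from any real deployment

def parse_profile(ldif):
    """Collect 'attr: value' lines into {attr: [values]}; attributes may be multi-valued."""
    attrs = {}
    for name, _, value in (line.partition(":") for line in ldif.splitlines() if ":" in line):
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def server_order(attrs):
    """Servers in the order the client tries them: the preferred list, then the default list."""
    return [s for key in ("preferredServerList", "defaultServerList")
            for value in attrs.get(key, []) for s in value.split()]

def check_profile(attrs):
    """Violations of the Table 3-1 rules: a server is required, and lists hold addresses."""
    servers = server_order(attrs)
    problems = [] if servers else ["preferredServerList or defaultServerList must list a server"]
    for s in servers:
        try:  # accepts 'addr' or 'addr:port' (the port syntax is an assumption)
            ipaddress.ip_address(s.rsplit(":", 1)[0] if s.count(":") == 1 else s)
        except ValueError:
            problems.append(f"'{s}' is a host name; server lists must use addresses")
    return problems

def effective_settings(attrs):
    """Apply the Table 3-1 defaults; serviceAuthenticationMethod is 'service:method' (assumed)."""
    cfg = dict(DEFAULTS)
    for key, default in DEFAULTS.items():
        if key in attrs:  # followReferrals is TRUE/FALSE text; the rest convert by type
            raw = attrs[key][0]
            cfg[key] = raw.upper() == "TRUE" if key == "followReferrals" else type(default)(raw)
    cfg["refreshesProfile"] = cfg["profileTTL"] != 0  # profileTTL 0 means never refreshed
    cfg["serviceAuth"] = dict(v.split(":", 1) for v in attrs.get("serviceAuthenticationMethod", []))
    return cfg

def auth_method_for(cfg, service):
    """Per-service method if one is defined, otherwise the profile-wide authenticationMethod."""
    return cfg["serviceAuth"].get(service, cfg["authenticationMethod"])
```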

Other client attributes can be set up locally on the client systems by using the ldapclient command. For more information about these attributes, see Defining Local Client Attributes.