LDAP Planning Overview
LDAP planning principally consists of determining which information to put into the LDAP
client profile. A client uses the collection of configuration information in the profile to access
naming service information from the LDAP server. You specify the configuration information when you
build the profile on the LDAP server. During the server setup, you are prompted for the information.
Some of the prompted information is required, while other information is optional. In most
cases, you can accept the default values that are already provided. The individual types of
information that you are prompted for when building the profile are called client attributes.
As you accumulate the configuration information for the profile, you can use the template
checklists in Blank Checklists for Configuring LDAP. You can use these checklists as a reference
when you set up the LDAP server.
The following table shows the LDAP client profile attributes.
Table 3-1 LDAP Client Profile Attributes
| Attribute | Description |
| --- | --- |
| cn | The profile name. The attribute has no default value. The value must be specified. |
| preferredServerList | The host addresses of the preferred servers as a space-separated list of server addresses. (Do not use host names.) The servers in this list are tried in order before those in defaultServerList until a successful connection is made. This attribute has no default value. At least one server must be specified in either preferredServerList or defaultServerList. Note: If you are using host names to define both defaultServerList and preferredServerList, then you must not use LDAP for host server lookup searches. Do not configure the config/host property of the svc:/network/name-service/switch service with the value ldap. |
| defaultServerList | The host addresses of the default servers as a space-separated list of server addresses. (Do not use host names.) After the servers in preferredServerList are tried, the default servers on the client's subnet are tried, followed by the remaining default servers, until a connection is made. At least one server must be specified in either preferredServerList or defaultServerList. The servers in this list are tried only after those on the preferred server list. This attribute has no default value. |
| defaultSearchBase | The DN relative to which to locate the well-known containers. This attribute has no default value. However, this value can be overridden for a given service by the serviceSearchDescriptor attribute. |
| defaultSearchScope | Defines the scope of a database search by a client. It can be overridden by the serviceSearchDescriptor attribute. The possible values are one or sub. The default value is one (a single-level search). |
| credentialLevel | Identifies the type of credentials a client should use to authenticate. The choices are anonymous, proxy, or self (also known as per-user). The default is anonymous. |
| serviceSearchDescriptor | Defines how and where a client should search for a naming database, for example, whether the client should look in one or more points in the DIT. By default, no SSDs are defined. |
| serviceAuthenticationMethod | Authentication method used by a client for the specified service. By default, no service authentication methods are defined. If a service does not have serviceAuthenticationMethod defined, it defaults to the value of authenticationMethod. |
| attributeMap | Attribute mappings used by the client. By default, no attributeMap is defined. |
| objectclassMap | Object class mappings used by the client. By default, no objectclassMap is defined. |
| searchTimeLimit | Maximum time, in seconds, that a client should allow for a search to complete before timing out. This value does not affect the time the LDAP server allows for a search to complete. The default value is 30 seconds. |
| bindTimeLimit | Maximum time, in seconds, that a client should allow to bind with a server before timing out. The default value is 30 seconds. |
| followReferrals | Specifies whether a client should follow an LDAP referral. Possible values are TRUE or FALSE. The default value is TRUE. |
| profileTTL | Time between refreshes of the client profile from the LDAP server by ldap_cachemgr(1M). The default value is 43200 seconds (12 hours). If given a value of 0, the profile is never refreshed. |
These attributes are automatically set up when you run the idsconfig
command on the server.
Other client attributes can be set up locally on the client systems by using the
ldapclient command. For more information about these attributes, see Defining Local Client Attributes.
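The following script is an added example, not part of this documentation or of Oracle's ldapclient or idsconfig tools. It turns the rules in Table 3-1 into a pre-deployment check for a profile you have filled in from the checklists: required attributes, the "at least one server list" rule, the "addresses, not host names" rule together with its interaction with the config/host switch setting, the allowed values for scope, credential level and referral following, and the defaults that apply when an attribute is left out. It then renders the profile as LDIF. The sample profile values, the ou=profiles container and the DUAConfigProfile object class are assumptions about the server layout, not taken from the page.

```python
"""Check an LDAP client profile against the Table 3-1 rules and render it as
LDIF. Added example: attribute names are the ldapclient profile attributes;
the ou=profiles container, the DUAConfigProfile object class and the sample
values are assumptions, not taken from the documentation."""
import ipaddress
import re

# Defaults from Table 3-1, applied when the attribute is absent from the profile.
DEFAULTS = {
    "defaultSearchScope": "one",
    "credentialLevel": "anonymous",
    "searchTimeLimit": "30",
    "bindTimeLimit": "30",
    "followReferrals": "TRUE",
    "profileTTL": "43200",
}
# Enumerated values the table permits.
ALLOWED = {
    "defaultSearchScope": {"one", "sub"},
    "credentialLevel": {"anonymous", "proxy", "self"},
    "followReferrals": {"TRUE", "FALSE"},
}
# Attributes that are a number of seconds.
INTEGER_ATTRS = ("searchTimeLimit", "bindTimeLimit", "profileTTL")


def is_ip_literal(server: str) -> bool:
    """True when a server token is an IP address (optional :port, IPv6 in [])."""
    if server.startswith("["):            # [2001:db8::10]:389
        end = server.find("]")
        server = server[1:end] if end > 0 else server[1:]
    elif server.count(":") == 1:          # 192.0.2.10:389
        server = server.split(":", 1)[0]
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return False


def validate(profile: dict, host_lookup_via_ldap: bool = False) -> list:
    """Return a list of problems; an empty list means the profile passes.
    host_lookup_via_ldap mirrors config/host=ldap in the switch service."""
    problems = []
    p = {**DEFAULTS, **profile}
    if not p.get("cn"):
        problems.append("cn: profile name is required and has no default")
    servers = (p.get("preferredServerList", "") + " "
               + p.get("defaultServerList", "")).split()
    if not servers:
        problems.append("at least one server must be listed in "
                        "preferredServerList or defaultServerList")
    names = [s for s in servers if not is_ip_literal(s)]
    if names and host_lookup_via_ldap:
        # The table's note: host names cannot be resolved through LDAP itself.
        problems.append(f"host names {names} cannot be resolved when "
                        "config/host of the switch service is ldap")
    elif names:
        problems.append(f"server lists should use addresses, not host names: {names}")
    for attr, allowed in ALLOWED.items():
        if p[attr] not in allowed:
            problems.append(f"{attr}: {p[attr]!r} is not one of {sorted(allowed)}")
    for attr in INTEGER_ATTRS:
        if not re.fullmatch(r"\d+", str(p[attr])):
            problems.append(f"{attr}: {p[attr]!r} must be a non-negative number of seconds")
    return problems


def to_ldif(profile: dict, base_dn: str) -> str:
    """Render the profile, with defaults applied, as an LDIF entry under
    ou=profiles (container and object class are assumptions)."""
    p = {**DEFAULTS, **profile}
    lines = [f"dn: cn={p['cn']},ou=profiles,{base_dn}",
             "objectClass: top", "objectClass: DUAConfigProfile"]
    for attr, value in p.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        lines.extend(f"{attr}: {v}" for v in values)  # multi-valued SSDs etc.
    return "\n".join(lines) + "\n"


SAMPLE_PROFILE = {  # constructed example values
    "cn": "default",
    "preferredServerList": "192.0.2.10:389 192.0.2.11",
    "defaultSearchBase": "dc=example,dc=com",
    "credentialLevel": "proxy",
    "serviceSearchDescriptor": ["passwd:ou=people,dc=example,dc=com?one",
                                "group:ou=group,dc=example,dc=com?one"],
    "profileTTL": "0",   # profile is never refreshed by ldap_cachemgr
}

if __name__ == "__main__":
    for problem in validate(SAMPLE_PROFILE) or ["profile passes all checks"]:
        print(problem)
    print(to_ldif(SAMPLE_PROFILE, "dc=example,dc=com"))
```

Run the checker against the values from your checklist before running idsconfig; a profile with a host name in a server list passes with a warning on its own, but fails outright when you also plan to set config/host to ldap, which is exactly the combination the table's note forbids.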