Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP

Updated: July 2014

Initializing an LDAP Client

You can initialize the LDAP client with the ldapclient command in one of two ways:

  • Using a profile

    When you issue the ldapclient command, you must specify, at a minimum, the address of the server that holds the profile and the domain name. If you do not specify a profile, the default profile is assumed. The server provides the rest of the required information from the profile, except for the proxy and certificate database information.

    If a client's credential level is proxy or proxy anonymous, you must supply the proxy bind DN and password. See Client Credential Levels for more information. To enable shadow data update, you must provide the administrator's credentials (adminDN and the adminPassword).

    Using a profile reduces the complexity of LDAP configuration, particularly in enterprise environments.

  • Defining all the parameters in a single command line

    No profile exists. Thus, you create the profile on the client itself. With this method, the profile information is stored in cache files and is never refreshed by the server.

The following examples show the different forms of the ldapclient command that you can use to initialize the client.

  • Initialize a client by using a profile that has been configured with default values. For example:

    # ldapclient init -a profilename=new -a domainname=west.example.com 192.168.0.1
    System successfully configured

  • Initialize a client whose profile is configured with per-user credentials and uses the sasl/GSSAPI authentication method.

    The example assumes that when you built the DIT with the idsconfig command, you specified the appropriate authentication method and credential level, such as self for the credential level and sasl/GSSAPI for the authentication method. The following partial output of the idsconfig command shows a per-user profile being created on the server.

    # /usr/lib/ldap/idsconfig
    Do you wish to continue with server setup (y/n/h)? [n] y
    Enter the Directory Server's hostname to setup: kdc.example.com
    Enter the port number for DSEE (h=help): [389] <Enter your port>
    Enter the directory manager DN: [cn=Directory Manager] <Enter your DN>
    Enter passwd for cn=Directory Manager: <Enter your password>
    Enter the domainname to be served (h=help): [example.com] <Enter your domain>
    Enter LDAP Base DN (h=help): [dc=example,dc=com] <Enter your DN>
    GSSAPI is supported. Do you want to set up gssapi:(y/n) [n] y
    Enter Kerberos Realm: [EXAMPLE.COM] EXAMPLE.COM

    The name of the profile is gssapi_EXAMPLE.COM. After you have created the profile as shown in the example, you can issue the ldapclient command to initialize the client with the per-user profile.

    # ldapclient init -a profilename=gssapi_EXAMPLE.COM -a \
    domainname=example.com 9.9.9.50

    Note - Several requirements must be fulfilled when you initialize a client that is configured with per-user credentials, such as Kerberos configuration and DNS server configuration to work with LDAP. For information about Kerberos, see Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2. For information about DNS configuration, see Chapter 3, Managing Domain Name System, in Working With Oracle Solaris 11.2 Directory and Naming Services: DNS and NIS. See Chapter 2, LDAP and Authentication Service for information about authentication and Chapter 3, Planning Requirements for LDAP Naming Services for information about building the DIT.

  • Initialize a client that uses proxy credentials. For example:

    # ldapclient init \
    -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
    -a domainname=west.example.com \
    -a profilename=pit1 \
    -a proxypassword=test1234 192.168.0.1

    The -a proxyDN and -a proxyPassword options are required if the profile to be used is set up for proxy credentials. Because the credentials are not stored in the profile saved on the server, you must supply the information when you initialize the client. This method is more secure than the older method of storing the proxy credentials on the server.

    The proxy information is stored in the svc:/network/ldap/client service in the config and cred property groups.

  • Initialize a client to enable the shadow data to be updated. For example:

    # ldapclient init \
    -a adminDN=cn=admin,ou=profile,dc=west,dc=example,dc=com \
    -a adminPassword=admin-password \
    -a domainName=west.example.com \
    -a profileName=WestUserProfile \
    -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
    -a proxyPassword=proxy-password \
    -a enableShadowUpdate=TRUE \
    192.168.0.1
    System successfully configured
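As an added example (not code from the Oracle documentation), the following shell pre-flight check encodes the requirements stated in this section before an ldapclient init run: profileName and domainName are always required, proxyDN and proxyPassword are required for the proxy and proxy anonymous credential levels, and adminDN and adminPassword are required when enableShadowUpdate=TRUE. It assumes the caller knows the profile's credential level (set when idsconfig built the profile on the server), since the profile itself is not on the client before initialization.

```shell
#!/bin/sh
# Added pre-flight check, not Oracle's code: verifies that an attribute set
# for "ldapclient init" satisfies the requirements stated on this page.
# $1: newline-separated attrName=value pairs (names matched case-insensitively,
#     as the page mixes domainname/domainName); $2: the profile's credential
#     level (assumed known from how idsconfig built the profile).

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print the value of attribute $2 from list $1 (empty if absent).
# Only the first "=" separates name from value, so DNs keep their "=" signs.
attr_get() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if [ "$(lower "${line%%=*}")" = "$(lower "$2")" ]; then
            printf '%s' "${line#*=}"
            break
        fi
    done
}

# Return 0 if the set is complete, 1 (with the missing names on stderr) if not.
ldapclient_check() {
    attrs=$1
    level=$(lower "$2")
    missing=""
    need() { [ -n "$(attr_get "$attrs" "$1")" ] || missing="$missing $1"; }

    # profileName and domainName are always required.
    need profileName
    need domainName

    # Proxy credential levels: the bind DN and password are not stored in
    # the server-side profile, so they must be supplied at init time.
    case "$level" in
        proxy|"proxy anonymous") need proxyDN; need proxyPassword ;;
    esac

    # Shadow data update needs the administrator's credentials.
    if [ "$(lower "$(attr_get "$attrs" enableShadowUpdate)")" = "true" ]; then
        need adminDN
        need adminPassword
    fi

    if [ -n "$missing" ]; then
        echo "ldapclient init would fail: missing$missing" >&2
        return 1
    fi
    return 0
}
```

Run the check on the same attribute list you intend to pass with -a options; a non-zero exit tells you which attributes the server-side profile will not supply.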