Working With Oracle® Solaris 11.3 Directory and Naming Services: LDAP

Updated: September 2018

Initializing an LDAP Client

You can initialize the LDAP client with the ldapclient command in one of two ways:

  • Using a profile – When you use the ldapclient command, you must specify the address of the server that holds the profile and the domain name. If you do not specify a profile, the default profile is assumed. The server provides the rest of the required information from the profile, except for the proxy and certificate database information.

    If a client's credential level is proxy or proxy anonymous, you must supply the proxy bind DN and password. For more information, see Client Credential Levels.

    To enable shadow data update, you must provide the administrator's credentials (adminDN and the adminPassword).

    Using a profile reduces the complexity of LDAP configuration, particularly in enterprise environments.

  • Defining all the parameters in a single command line – If a profile does not exist, you can create the profile on the client itself. With this method, the profile information is stored in cache files and is never refreshed by the server.

You can use various options with the ldapclient command to initialize the client depending on the type of client and the client profile:

  • Initializing a client by using a profile that is configured with default values. For example:

    # ldapclient init -a profilename=new -a domainname=west.example.com 192.0.2.1
    System successfully configured

  • Initializing a client whose profile is configured with per-user credentials and uses the sasl/GSSAPI authentication method.


    Note -  Several requirements must be fulfilled when you initialize a client that is configured with per-user credentials, such as configuring Kerberos and the DNS server to work with LDAP. For information about Kerberos, see Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3. For information about DNS configuration, see Chapter 3, Managing DNS Server and Client Services in Working With Oracle Solaris 11.3 Directory and Naming Services: DNS and NIS.

    The example assumes that when you built the DIT with the idsconfig command, you specified the appropriate authentication method and credential level, such as self for the credential level and sasl/GSSAPI for the authentication method. The following output shows how the idsconfig command is used to create per-user credentials.

    # /usr/lib/ldap/idsconfig
    Do you wish to continue with server setup (y/n/h)? [n] y
    Enter the Directory Server's hostname to setup: kdc.example.com
    Enter the port number for DSEE (h=help): [389] <Enter your port>
    Enter the directory manager DN: [cn=Directory Manager] <Enter your DN>
    Enter passwd for cn=Directory Manager: <Enter your password>
    Enter the domainname to be served (h=help): [example.com] <Enter your domain>
    Enter LDAP Base DN (h=help): [dc=example,dc=com] <Enter your DN>
    GSSAPI is supported. Do you want to set up gssapi:(y/n) [n] y
    Enter Kerberos Realm: [EXAMPLE.COM] EXAMPLE.COM

    In this example the name of the profile is gssapi_EXAMPLE.COM. After creating the profile, you can issue the ldapclient command to initialize the client with the per-user profile.

    # ldapclient init -a profilename=gssapi_EXAMPLE.COM \
    -a domainname=example.com 192.0.2.1

  • Initializing a client that uses proxy credentials. For example:

    # ldapclient init \
    -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
    -a domainname=west.example.com \
    -a profilename=pit1 \
    -a proxypassword=test1234 192.0.2.1

    The -a proxyDN and -a proxyPassword options are required if the profile to be used is set up for proxy. Because the credentials are not stored in the profile saved on the server, you must supply the information when you initialize the client. This method is more secure than the older method of storing the proxy credentials on the server.

    The proxy information is stored in the svc:/network/ldap/client service in the config and cred property groups.

  • Initializing a client to enable the shadow data to be updated. For example:

    # ldapclient init \
    -a adminDN=cn=admin,ou=profile,dc=west,dc=example,dc=com \
    -a adminPassword=admin-password \
    -a domainName=west.example.com \
    -a profileName=WestUserProfile \
    -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com \
    -a proxyPassword=proxy-password \
    -a enableShadowUpdate=TRUE \
    192.0.2.1
    System successfully configured
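
    After initializing a client with proxy credentials or with shadow update enabled, you can confirm that the resulting configuration actually satisfies the two requirements stated above (a proxy or proxy anonymous credential level needs a proxy bind DN and password; enableShadowUpdate=TRUE needs the administrator DN and password). The following added example script is not part of the Oracle documentation; it audits the text that ldapclient list prints, assuming one NS_LDAP_<NAME>= value line per attribute and the NS_LDAP_BINDDN, NS_LDAP_BINDPASSWD, NS_LDAP_CREDENTIAL_LEVEL, NS_LDAP_ENABLE_SHADOW_UPDATE, NS_LDAP_ADMIN_BINDDN and NS_LDAP_ADMIN_BINDPASSWD attribute names, and the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit `ldapclient list` output against
# the requirements in the text. Assumes ldapclient list prints one
# "NS_LDAP_<NAME>= value" line per attribute; sample output is constructed.

# get_attr CONFIG NAME -> value of NS_LDAP_NAME (first match), empty if unset
get_attr() {
    printf '%s\n' "$1" | sed -n "s/^NS_LDAP_$2= *//p" | head -n 1
}

# require CONFIG NAME MESSAGE -> 0 if NS_LDAP_NAME is set; else print MESSAGE, 1
require() {
    [ -n "$(get_attr "$1" "$2")" ] && return 0
    echo "missing NS_LDAP_$2: $3"
    return 1
}

# audit_ldap_client CONFIG -> 0 when every requirement holds, 1 otherwise
audit_ldap_client() {
    rc=0
    case "$(get_attr "$1" CREDENTIAL_LEVEL)" in
        proxy|"proxy anonymous")
            require "$1" BINDDN "proxy credential level needs proxyDN" || rc=1
            require "$1" BINDPASSWD "proxy credential level needs proxyPassword" || rc=1 ;;
    esac
    if [ "$(get_attr "$1" ENABLE_SHADOW_UPDATE)" = TRUE ]; then
        require "$1" ADMIN_BINDDN "shadow update needs adminDN" || rc=1
        require "$1" ADMIN_BINDPASSWD "shadow update needs adminPassword" || rc=1
    fi
    return $rc
}

# Constructed sample modelled on the shadow-update example above (passwords
# appear obfuscated in real output; the values here are placeholders).
GOOD_CFG='NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}constructed-placeholder
NS_LDAP_SERVERS= 192.0.2.1
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_ADMIN_BINDDN= cn=admin,ou=profile,dc=west,dc=example,dc=com
NS_LDAP_ADMIN_BINDPASSWD= {NS1}constructed-placeholder
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE'

# Constructed broken sample: proxy level without a bind password and shadow
# update enabled without administrator credentials.
BAD_CFG='NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=west,dc=example,dc=com
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE'

# On a real client run: audit_ldap_client "$(ldapclient list)"
```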