An LDAP client uses the collection of configuration information in the LDAP client profile to access naming service information from the LDAP server. You must specify the configuration information when you build the profile on the LDAP server. During the server setup, you are prompted for the configuration information. Some of the prompted information is required, while other information is optional. In most cases, you accept the default values that are already provided. The individual types of information that are prompted for the profile are called client attributes.
As you gather the configuration information for the profile, you can refer to the template checklists used for configuring LDAP in Checklists for Configuring LDAP.
The LDAP client profile attributes are as follows:
profileName – Specifies the profile name that is used by clients to select the profile. The default value is default. See the ldapclient(8) man page for a description.
preferredServerList – Specifies the host addresses of the preferred servers as a space-separated list of server addresses. Do not use host names of the servers in this list. The servers in this list are tried in order before those in defaultServerList until a successful connection is made. This attribute has no default value. You must specify at least one server in either preferredServerList or defaultServerList.
defaultServerList – Specifies the host addresses of the default servers as a space-separated list of server addresses. Do not use host names of the servers in this list. After the servers in preferredServerList are tried, the default servers on the client’s subnet are tried, followed by the remaining default servers, until a connection is made. You must specify at least one server in either preferredServerList or defaultServerList. The servers in this list are tried only after the servers in the preferred server list. This attribute has no default value.
defaultSearchBase – Specifies the DN relative to which to locate the well-known containers. This attribute has no default value. However, this value can be overridden for a given service by the serviceSearchDescriptor attribute.
defaultSearchScope – Defines the scope of a database search by an LDAP client. It can be overridden by the serviceSearchDescriptor attribute. The possible values are one or sub. The default value is a single-level search.
authenticationMethod – Identifies the method of authentication used by the LDAP client. The default value is none. For more information, see Authentication Methods for the LDAP Naming Service.
credentialLevel – Identifies the type of credentials an LDAP client must use to authenticate. The possible values are anonymous, proxy, or self. self is also known as "per-user". The default value is anonymous.
serviceSearchDescriptor – Defines how and where an LDAP client should search for a naming database, for example, whether the LDAP client should look in one or more points in the DIT. By default, no SSDs are defined.
serviceAuthenticationMethod – Defines the authentication method used by an LDAP client for the specified service. By default, no service authentication methods are defined. If a service does not have serviceAuthenticationMethod defined, it defaults to the value of authenticationMethod.
searchTimeLimit – Specifies the maximum time, in seconds, that an LDAP client must allow for a search to complete before timing out. This value does not affect the time the LDAP server will allow for a search to complete. The default value is 30 seconds.
profileTTL – Specifies the time between refreshes of the LDAP client profile from the LDAP server by the ldap_cachemgr daemon. The default value is 43200 seconds, or 12 hours. If given a value of 0, the profile is never refreshed. For more information, see the ldap_cachemgr(8) man page.
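The rules stated for these attributes, as an added Python example that is not part of the Solaris documentation or of the ldapclient tool: it checks a profile's attribute values against those rules, computes the order in which a client on a given subnet would try the listed servers, and resolves the authentication method that applies to a service. The address[:port] form of server entries and the service:method form of serviceAuthenticationMethod entries are assumptions.

```python
import ipaddress

# Added validator for the profile attributes above (not Solaris code). Assumed syntax:
# server entries "address" or "address:port"; serviceAuthenticationMethod "service:method".
SCOPES, CRED_LEVELS = {"one", "sub"}, {"anonymous", "proxy", "self"}

def _address(entry):
    """IP part of a server entry, or None if it is not an IP address (e.g. a host name)."""
    for cand in (entry, entry.rpartition(":")[0]):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            pass
    return None

def validate_profile(attrs):
    """Violations of the rules stated for each attribute; an empty list means consistent."""
    problems = []
    lists = {n: attrs.get(n, "").split() for n in ("preferredServerList", "defaultServerList")}
    if not any(lists.values()):
        problems.append("need at least one server in preferredServerList or defaultServerList")
    for name, entries in lists.items():
        problems += [f"{name}: {e!r} is not an IP address (host names are not allowed)"
                     for e in entries if _address(e) is None]
    if not attrs.get("defaultSearchBase"):
        problems.append("defaultSearchBase has no default and must be set")
    if attrs.get("defaultSearchScope", "one") not in SCOPES:
        problems.append("defaultSearchScope must be 'one' or 'sub'")
    if attrs.get("credentialLevel", "anonymous") not in CRED_LEVELS:
        problems.append("credentialLevel must be anonymous, proxy or self")
    for name in ("searchTimeLimit", "profileTTL"):
        if not str(attrs.get(name, "0")).isdigit():
            problems.append(f"{name} must be a whole number of seconds")
    return problems

def server_try_order(attrs, client_network):
    """Preferred servers in list order, then default servers on the client's subnet, then the rest."""
    net = ipaddress.ip_network(client_network)
    default = attrs.get("defaultServerList", "").split()
    local = [s for s in default if (a := _address(s)) is not None and a in net]
    return attrs.get("preferredServerList", "").split() + local + [s for s in default if s not in local]

def effective_auth_method(attrs, service):
    """serviceAuthenticationMethod for the service if defined, else the profile-wide authenticationMethod."""
    for entry in attrs.get("serviceAuthenticationMethod", []):
        svc, _, method = entry.partition(":")
        if svc == service:
            return method
    return attrs.get("authenticationMethod", "none")
```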
The LDAP client profile attributes are automatically set up when you run the ldapservercfg command on the server. Additional profiles can be generated by using ldapclient genprofile, as described in the ldapclient(8) man page.
You can use the ldapclient command to set up local client attributes. For more information, see Defining LDAP Local Client Attributes.