
Create LDAP server and client connection

Use this task to configure a Lightweight Directory Access Protocol (LDAP) server, to configure the client on the cluster node, and to establish a connection between the server and client.

Using an LDAP registry provides the best means of secure authentication for PowerHA® SystemMirror, along with easier maintenance of authentication across all clusters and sites.

LDAP is a standard method for accessing and updating information in a centrally located directory. PowerHA SystemMirror uses LDAP to keep authentication, group, and user information common across clusters.

The connection that you configure uses the Secure Sockets Layer (SSL) and a key database for secure communications.

After you configure LDAP, you cannot modify the existing LDAP server connection in place. To change it, disconnect from the existing LDAP server and configure a new connection.

Fields

New or existing LDAP server
Select whether to use a new LDAP server or an existing LDAP server for federated security:
New
Configures a new peer-to-peer LDAP server in the cluster. To use this option, the required file sets must be installed. For scalability reasons, a peer-to-peer configuration is limited to a maximum of four nodes.
Existing
Adds one or more existing LDAP servers to the cluster. Alternatively, you can manually specify the host names of the LDAP servers. PowerHA SystemMirror uses the information that you provide to update the current configuration on the existing LDAP servers. Before you select this option, ensure that the LDAP servers that you select meet all prerequisite requirements for use with PowerHA SystemMirror.
LDAP servers or hostnames
Select one or more listed nodes on which you want to configure an LDAP server and to which you want to create a connection. Alternatively, specify the fully qualified host name of one or more LDAP servers. Use a comma to separate host names for an existing connection.
LDAP admin DN
Specify the LDAP administrator distinguished name (DN) that PowerHA SystemMirror must use to bind to the LDAP server.

The DN that you specify must exist on the LDAP server.

The ability of the LDAP client to perform operations on entries in the LDAP server depends on the access permissions for this binding DN.

For example, you might specify a bind DN such as cn=admin, cn=proxy,o=ibm, or cn=user,ou=people,cn=aixdata. The default value is cn=admin.

LDAP admin password
Specify the LDAP administrator password for the LDAP admin DN property. The password can contain only alphanumeric characters; because this restricts the character set, choose a long password to compensate for the reduced entropy per character.

The password you use must match the password on the LDAP server for the specified DN.

DB2 instance password
Specify the DB2® instance password to access the database instance that stores security information for the cluster. The password must consist of only alphanumeric characters.
Suffix/base DN
Specify the suffix or base distinguished name (DN) to search on the LDAP server for users, groups, and other network information entities. This DN is the root for all other DNs that store information in the LDAP directory for the cluster.

The default value is cn=aixdata, o=ibm.

Server port number
Specify the port number on the LDAP server to use for communicating with the LDAP server.

The default port number is 636, which is the standard port for SSL communications on LDAP servers.

Encryption seed for key stash files
Specify a minimum of 12 alphanumeric characters to generate key stash files for the LDAP server.
Schema type
Shows the LDAP schema that PowerHA SystemMirror requires to represent user and group entries in the LDAP server.

The default value is rfc2307aix. This value indicates that the LDAP server must be configured to use RFC 2307 and the auxiliary AIX® schema. The LDAP server must have this configuration to provide full AIX attribute support.

LDAP version
Shows the LDAP version number of the specified LDAP server.
Authentication type
Select one of the following methods for authenticating users:
unix_auth
Retrieves the user's password entry from the LDAP server and authenticates the user locally on the client by comparing against the retrieved password hash.
ldap_auth
Sends the user's credentials to the LDAP server, which performs the authentication (an LDAP bind with the user's password); the client does not retrieve the password hash. This option is the default value.
Server SSL
Server key path
Specify the full path to the SSL key server database.
Server key password
Specify the SSL key password for the SSL server.
Client SSL
Client key path
Specify the full path to the SSL key client database.
Client key password
Specify the SSL key password for the SSL client.

If you do not specify a password, a password stash file must exist. This stash file must be in the same directory as the SSL key client database and must have an extension of .sth. Because a stash file lets anyone who can read it open the key database, restrict its permissions to the user that runs the LDAP client (typically root).

For more information about adding LDAP server and client connections, see the Creating an LDAP connection topic in the AIX Information Center.
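The following shell script is an added example written for this page; it is not IBM code and is not part of PowerHA SystemMirror. It checks a set of field values against the constraints stated above (alphanumeric-only LDAP admin and DB2 instance passwords, an encryption seed of at least 12 alphanumeric characters, a valid server port, comma-separated fully qualified host names, a syntax check on the admin and base DNs, and the rule that a client key password or a .sth stash file must be present) and prints an ldapsearch command that confirms the bind over SSL. Assumptions: the regular expressions are this editor's approximations of the page's constraints, the stash file is assumed to share the key database's base name (key.kdb becomes key.sth, the GSKit convention), all host names, DNs and passwords in the stand-alone run are constructed sample values, and the ldapsearch options shown (-Z, -K, -P, -D, -w, -b, -s) are those of the IBM Directory Server client, not the OpenLDAP client.

```shell
#!/bin/sh
# Added example, not IBM code: validate the LDAP connection fields described
# above and print the ldapsearch bind test for the SSL connection.

# True if $1 is non-empty and contains only alphanumeric characters
# (the stated constraint on the LDAP admin and DB2 instance passwords).
is_alnum() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9]*) return 1 ;;
  esac
  return 0
}

# Encryption seed for the key stash files: at least 12 alphanumeric characters.
is_valid_seed() {
  is_alnum "$1" && [ "${#1}" -ge 12 ]
}

# Server port: an integer in 1..65535 (636, LDAP over SSL, is the default).
is_valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Distinguished name: one or more attr=value RDNs separated by commas, for
# example cn=admin or cn=user,ou=people,cn=aixdata. Syntax check only; the
# DN must also exist on the LDAP server.
is_valid_dn() {
  printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,=]+(, *[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$'
}

# LDAP servers or hostnames: comma-separated fully qualified host names,
# each with at least one dot.
is_valid_hostlist() {
  [ -n "$1" ] || return 1
  _saved_ifs=$IFS
  IFS=','
  set -f          # no pathname expansion while splitting on commas
  set -- $1
  set +f
  IFS=$_saved_ifs
  for h in "$@"; do
    printf '%s\n' "$h" |
      grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$' ||
      return 1
  done
  return 0
}

# Stash file that must exist when no client key password is given. Assumes
# the GSKit convention that it shares the key database's base name.
stash_path_for() {
  case "$1" in
    *.kdb) printf '%s\n' "${1%.kdb}.sth" ;;
    *)     printf '%s\n' "$1.sth" ;;
  esac
}

# Client SSL rule: a key password was supplied, or the stash file exists.
client_ssl_ok() {   # $1 = client key path, $2 = client key password (may be empty)
  [ -n "$2" ] && return 0
  [ -f "$(stash_path_for "$1")" ]
}

# Check one complete set of field values; on failure name the bad field.
validate_fields() {  # hosts port admin_dn admin_pw db2_pw base_dn seed keypath keypw
  is_valid_hostlist "$1"  || { echo "bad LDAP servers or hostnames: $1" >&2; return 1; }
  is_valid_port "$2"      || { echo "bad server port number: $2" >&2; return 1; }
  is_valid_dn "$3"        || { echo "bad LDAP admin DN: $3" >&2; return 1; }
  is_alnum "$4"           || { echo "LDAP admin password must be alphanumeric" >&2; return 1; }
  is_alnum "$5"           || { echo "DB2 instance password must be alphanumeric" >&2; return 1; }
  is_valid_dn "$6"        || { echo "bad suffix/base DN: $6" >&2; return 1; }
  is_valid_seed "$7"      || { echo "encryption seed needs at least 12 alphanumeric characters" >&2; return 1; }
  client_ssl_ok "$8" "$9" || { echo "no client key password and no stash file for $8" >&2; return 1; }
}

# Print the IBM Directory Server ldapsearch command that verifies the bind
# over SSL (-Z). -K names the client key database; -P its password, which may
# be omitted when a stash file is present. The admin password is read from
# LDAP_ADMIN_PW when the command runs; note that it still appears in that
# process's argument list, so avoid this on hosts shared with untrusted users.
bind_test_cmd() {   # $1 host  $2 port  $3 bind DN  $4 base DN  $5 client key path
  printf 'ldapsearch -h %s -p %s -Z -K %s -P "$LDAP_CLIENT_KEY_PW" -D "%s" -w "$LDAP_ADMIN_PW" -b "%s" -s base "objectclass=*"\n' \
    "$1" "$2" "$5" "$3" "$4"
}

# Stand-alone run with constructed sample values (defaults from the page where it gives them).
if validate_fields 'ldap1.example.com,ldap2.example.com' 636 'cn=admin' 'Adm1nPassw0rd' \
     'Db2Passw0rd' 'cn=aixdata,o=ibm' 'S33dForStash2024' '/etc/security/ldap/client.kdb' 'ClientKeyPw'; then
  bind_test_cmd ldap1.example.com 636 'cn=admin' 'cn=aixdata,o=ibm' /etc/security/ldap/client.kdb
fi
```

Run the script before submitting the fields; a non-zero status from validate_fields names the first field that violates a stated constraint, and the printed ldapsearch line is the check to run from the cluster node once the client key database (or its stash file) is in place.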
