Use this task to configure a Lightweight Directory Access Protocol (LDAP) server, to configure the client on the cluster node, and to establish a connection between the server and client.

Using an LDAP registry provides the best means of secure authentication for PowerHA® SystemMirror, along with easier maintenance of authentication across all clusters and sites. LDAP is a standard method for accessing and updating information in a centrally located directory. PowerHA SystemMirror uses LDAP to keep authentication, group, and user information common across clusters. The connection that you configure uses the Secure Sockets Layer (SSL) and a key database for secure communications.

After you configure LDAP, you cannot change the LDAP server configuration. To change it, you must disconnect from the existing LDAP server and configure a new connection.
Fields

- New or existing LDAP server
  Select whether to use a new LDAP server or an existing LDAP server for federated security:
  - New: Configures a new peer-to-peer LDAP server in the cluster. To use this option, you must have the required file sets installed. For better scalability, a peer-to-peer configuration has a maximum of four nodes.
  - Existing: Adds one or more existing LDAP servers to the cluster. Alternatively, you can manually specify the host names for the LDAP servers. PowerHA SystemMirror uses the information you provide to update the current configuration on the existing LDAP servers. Before you select this option, ensure that the LDAP servers that you select meet all prerequisite requirements for use with PowerHA SystemMirror.
- LDAP servers or hostnames
  Select one or more listed nodes where you want to configure an LDAP server and to which you want to create a connection. Alternatively, you can specify the fully qualified host name of one or more LDAP servers. Use a comma to separate host names for an existing connection.
- LDAP admin DN
  Specify the LDAP administrator distinguished name (DN) that PowerHA SystemMirror must use to bind to the LDAP server. The DN that you specify must exist on the LDAP server. The ability of the LDAP client to perform operations on entries in the LDAP server depends on the access permissions for this binding DN. For example, you might specify a bind DN such as cn=admin cn=proxy, o=ibm, cn=user, ou=people, cn=aixdata. The default value is cn=admin.
- LDAP admin password
  Specify the LDAP administrator password for the LDAP admin DN property, using only alphanumeric characters. The password you use must match the password on the LDAP server for the specified DN.
- DB2 instance password
  Specify the DB2® instance password to access the database instance that stores security information for the cluster. The password must consist of only alphanumeric characters.
- Suffix/base DN
  Specify the suffix or base distinguished name (DN) to search on the LDAP server for users, groups, and other network information entities. This DN is the root for all other DNs that store information in the LDAP directory for the cluster. The default value is cn=aixdata,o=ibm.
- Server port number
  Specify the port number on the LDAP server to use for communicating with the LDAP server. The default port number is 636, which is the standard port for SSL communications on LDAP servers.
- Encryption seed for key stash files
  Specify a minimum of 12 alphanumeric characters to generate key stash files for the LDAP server.
- Schema type
  Shows the LDAP schema that PowerHA SystemMirror requires to represent user and group entries in the LDAP server. The default value is rfc2307aix. This value indicates that the LDAP server must be configured to use RFC 2307 and the auxiliary AIX® schema. The LDAP server must have this configuration to provide full AIX attribute support.
- LDAP version
  Shows the LDAP version number of the specified LDAP server.
- Authentication type
  Select one of the following methods for authenticating users:
  - unix_auth: Retrieves the user password from the LDAP server and authenticates the user locally.
  - ldap_auth: Retrieves the user password and authenticates the user. This option is the default value.
- Server SSL
  - Server key path: Specify the full path to the SSL key server database.
  - Server key password: Specify the SSL key password for the SSL server.
- Client SSL
  - Client key path: Specify the full path to the SSL key client database.
  - Client key password: Specify the SSL key password for the SSL client. If you do not specify a password, a password stash file must exist. This existing stash file must be in the same path as the server SSL key server database, and it must have an extension of .sth.
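The field constraints above (alphanumeric-only passwords, a 12-character minimum for the encryption seed, port 636 as the SSL default, DN syntax, and the rule that an omitted client key password requires a .sth stash file beside the key database) are easy to get wrong before the connection is ever attempted. The following pre-flight validator is an added example, not part of PowerHA SystemMirror or its documentation; the class and function names are this example's own, and the assumption that the stash file shares the key database's base name with a .sth extension (the GSKit convention) is labelled in the code.

```python
"""Pre-flight validation of the LDAP connection fields (added example)."""
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# One RFC 4514 RDN in its simplest form: attribute=value.
# Multi-valued RDNs (a=b+c=d) and escaped commas are not handled here.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,+]+$")
_ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=aixdata,o=ibm' into [('cn', 'aixdata'), ('o', 'ibm')].

    Raises ValueError when any component is not attribute=value.
    """
    parts: List[Tuple[str, str]] = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not _RDN_RE.match(rdn):
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.lower(), value.strip()))
    return parts


def dn_is_under(dn: str, base_dn: str) -> bool:
    """True when dn ends with the RDNs of base_dn, i.e. lies under the suffix."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


@dataclass
class LdapConnectionConfig:
    """Values a user would enter in the fields listed on this page."""
    admin_dn: str = "cn=admin"
    admin_password: str = ""
    db2_instance_password: str = ""
    base_dn: str = "cn=aixdata,o=ibm"
    port: int = 636
    encryption_seed: str = ""
    auth_type: str = "ldap_auth"
    server_key_path: str = ""
    client_key_path: str = ""
    client_key_password: Optional[str] = None

    def validate(self, path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
        """Return a list of problems; an empty list means the fields pass."""
        problems: List[str] = []
        for label, dn in (("LDAP admin DN", self.admin_dn),
                          ("Suffix/base DN", self.base_dn)):
            try:
                parse_dn(dn)
            except ValueError as exc:
                problems.append(f"{label}: {exc}")
        for label, pw in (("LDAP admin password", self.admin_password),
                          ("DB2 instance password", self.db2_instance_password)):
            if not _ALNUM_RE.match(pw):
                problems.append(f"{label}: must be non-empty and alphanumeric only")
        if not 1 <= self.port <= 65535:
            problems.append(f"Server port number: {self.port} is out of range")
        elif self.port == 389:
            # 389 is the cleartext LDAP port; this connection is SSL (default 636).
            problems.append("Server port number: 389 is the cleartext LDAP port; SSL default is 636")
        if len(self.encryption_seed) < 12 or not _ALNUM_RE.match(self.encryption_seed):
            problems.append("Encryption seed: needs at least 12 alphanumeric characters")
        if self.auth_type not in ("unix_auth", "ldap_auth"):
            problems.append(f"Authentication type: {self.auth_type!r} is not unix_auth or ldap_auth")
        for label, path in (("Server key path", self.server_key_path),
                            ("Client key path", self.client_key_path)):
            if not os.path.isabs(path):
                problems.append(f"{label}: {path!r} is not a full path")
        if not self.client_key_password:
            # Assumption: the stash file has the key database's base name plus .sth.
            stash = os.path.splitext(self.client_key_path)[0] + ".sth"
            if not path_exists(stash):
                problems.append(f"Client key password: not set and stash file {stash} is missing")
        return problems


if __name__ == "__main__":
    # Constructed sample values, not from any real cluster.
    cfg = LdapConnectionConfig(admin_password="Secret123", db2_instance_password="db2pw1",
                               encryption_seed="abcdef123456",
                               server_key_path="/etc/security/ldap/serverkey.kdb",
                               client_key_path="/etc/security/ldap/clientkey.kdb")
    for problem in cfg.validate():
        print(problem)
```

`validate()` takes the existence check as a parameter so the stash-file rule can be exercised without touching the filesystem; `dn_is_under()` lets you confirm that user entries such as cn=user,ou=people,cn=aixdata,o=ibm actually sit beneath the suffix you entered.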
For more information about adding LDAP server and client connections, see the Creating an LDAP connection topic in the AIX Information Center.