Configuring an LDAP client for accounting using the command line

You can set up an LDAP client for accounting purposes using the command line.

These instructions assume that the client system is configured as an LDAP client.

Use the mksecldap command to establish the basic connection between the LDAP client and server.

Use the mkprojldap command to provide accounting-specific parameters to establish an accounting-aware LDAP client.

Use the projctl command to configure projects and policies as required by the billing strategy. The final step involves specifying a refresh policy for data provided by an LDAP server.

To configure an LDAP client, perform the following steps:
  1. Log in as the root user.
  2. Run the mkprojldap -c -D bindDN -w bindPWD -a default-adminDN -p default-projectDN command, where default-adminDN and default-projectDN are the base locations on the LDAP server on which the client will look for accounting data.
    This command adds accounting-specific information to the LDAP configuration file (ldap.cfg) and restarts the LDAP client daemon.
    This is an example of the command: mkprojldap -c -D cn=testroot -w testpwd -a ou=adminpolicy,ou=aacct,cn=aixdata -p ou=projects,ou=aacct,cn=aixdata
  3. Optional: If you want to upload LDAP projects or Admin policies to the LDAP server, you can do so at this point.
  4. Optional: If you want to configure the current system to automatically use LDAP projects when a policy is loaded, run the projctl ldprojs -g -a command.
    Projects are resolved in the order that they are loaded. Therefore, if you want local projects to take precedence, run the projctl ldprojs -a command first. The -g flag indicates that data is to be retrieved from the LDAP server. You must configure both sources if you intend to use both sources.
  5. Optional: If you want to configure the current system to automatically load an LDAP Admin policy when accounting is started, run the projctl ldadm -g -a command. You might also want to configure a local Admin policy. You can do this by running the projctl ldadm -a command.
    Unlike projects, there is not a precedence issue between Admin policies. The local Admin policy takes precedence over the LDAP Admin policy.
  6. Use the cron facility to periodically refresh projects and Admin policies that are loaded from the LDAP server.
    The interval might be once an hour or once a day depending on the site-specific policy for accommodating new users.

You can also perform the above steps through SMIT.

After the client has been configured to use the accounting capabilities provided by an LDAP server, it is not necessary to have LDAP-specific knowledge to administer the Advanced Accounting subsystem, unless you want to add new project definitions to the LDAP project repository or modify an LDAP-based accounting policy or project definition.