Configuring Oracle Authentication Services for Operating Systems 3-7
The output from the lslpp command should include ldap.client.adt and ldap.client.rte.
Add At Least One User and One Group to Oracle Internet Directory on AIX
Before you execute the client script on AIX, you must add at least one user and group to LDAP. Otherwise, the mksecldap command executed by the configuration script
on AIX might fail with one of these error messages:
Cannot find users from all base DN client setup failed.
Cannot find the group base DN from the LDAP server. Client setup failed.
To prevent this problem, you can simply add one user and one group, or you can migrate all your users and groups to Oracle Internet Directory now, rather than
waiting until you have run the configuration script.
To migrate all your users and groups, proceed as follows:
1. Convert local system entries to LDAP entries by using the sectoldif command. Type:
sectoldif -d realm -S RFC2307 > users.ldif
2. Ensure that all users to be migrated are associated with a system group or net group. That is, edit users.ldif so that each user has a gidnumber. For example:
dn: uid=test,ou=People,dc=us,dc=example,dc=com
uid: test
objectClass: posixaccount
objectClass: shadowaccount
objectClass: account
cn: test3
uidnumber: 209
gidnumber: 502
homedirectory: /home/test
loginshell: /usr/bin/ksh
userpassword: passwordhash
shadowlastchange: 13182

cn=testgroup,ou=Group,dc=us,dc=example,dc=com
gidnumber=502
cn=testgroup
objectclass=posixGroup
objectclass=groupOfUniqueNames
objectclass=top
3. Add the user entries in users.ldif to Oracle Internet Directory:
ldapadd -h host -p port -D cn=orcladmin -q -c -f users.ldif
4. If you are using the non-SSL script, perform the tasks described under "All Client Platforms" on page 3-8. Otherwise, proceed as described in the next section.
See Also: "LDAP configuration management and troubleshooting on AIX" at http://www.ibm.com/developerworks for more information and an alternative solution.
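The check in step 2 can be run over users.ldif before the ldapadd in step 3. The shell function below is an added example, not part of the Oracle guide; the names missing_gid and sample_ldif and the uid=nogid entry are hypothetical, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): print the DN of every posixaccount entry
# in an LDIF stream that lacks a numeric gidnumber. Returns 1 if any are found.
missing_gid() {
    awk '
    function end_entry() {
        if (dn != "" && posix && !gid) { print dn; bad = 1 }
        dn = ""; posix = 0; gid = 0
    }
    function handle(line,    name, value) {
        if (line == "") { end_entry(); return }   # blank line ends an entry
        if (line ~ /^#/) return                   # LDIF comment
        name = tolower(line); sub(/:.*/, "", name)
        value = line; sub(/^[^:]*::?[ ]*/, "", value)
        if (name == "dn") dn = value
        else if (name == "objectclass" && tolower(value) == "posixaccount") posix = 1
        else if (name == "gidnumber" && value ~ /^[0-9]+$/) gid = 1
    }
    { sub(/\r$/, "") }                            # tolerate CRLF files
    /^ / { buf = buf substr($0, 2); next }        # unfold continuation lines
    { handle(buf); buf = $0 }
    END { handle(buf); end_entry(); exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample: the uid=test entry from the guide plus a hypothetical
# uid=nogid entry that has no gidnumber and a folded DN line.
sample_ldif() {
    cat <<'EOF'
dn: uid=test,ou=People,dc=us,dc=example,dc=com
uid: test
objectClass: posixaccount
objectClass: shadowaccount
uidnumber: 209
gidnumber: 502

dn: uid=nogid,ou=People,
 dc=us,dc=example,dc=com
uid: nogid
objectClass: posixAccount
uidnumber: 210
EOF
}

sample_ldif | missing_gid || echo "add a gidnumber to the entries listed above" >&2
```

To check a real file, run missing_gid users.ldif; an empty result with exit status 0 means every posixaccount entry carries a gidnumber.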
3-8 Oracle Authentication Services for Operating Systems Administrators Guide
Install SSL-Related Client Packages on AIX
If you plan to use SSL to connect to the LDAP server, you must install the gskta.rte and ldap.max_crypto_client file sets located on the AIX 5L Expansion Pack.
1. The following packages are required for SSL Configuration on an AIX 5L Version 5.3 client:
■ gskta.rte
■ ldap.max_crypto_client
If these packages are not already installed, install them from the AIX 5L Version 5.3 Expansion Package CD 5705-603 or from the equivalent package in Tivoli Directory Server, which is available at the IBM web site. Type:
installp -acgXd LPPSOURCE gskta ldap.max_crypto_client
2. Verify the installed packages by typing:
lslpp -l | grep -E "gskta|ldap"
The output of the lslpp command should include gskta.rte, ldap.client.adt, ldap.client.rte, ldap.max_crypto_client.adt, and ldap.max_crypto_client.rte.
3. If necessary, create a symbolic link in /usr/lib to the new LDAP client library. For example:
ln -s /opt/IBM/ldap/release/lib/libidsldap.a /usr/lib/libibmldap.a
4. Proceed as described for all client platforms.