Installing and Administering LDAP-UX Client Services with Microsoft Windows 2000 Active Directory > Chapter 4 Administering LDAP-UX Client Services

Using The LDAP-UX Client Daemon

This section describes the following:

  • the steps required to activate the client daemon

  • an explanation of the administration tool ldapclientd, along with the configuration file ldapclientd.conf

Overview

The LDAP-UX client daemon improves the performance and extends the capabilities of LDAP-UX clients by caching entries, supporting multiple domains in Active Directory Server (ADS), automatically downloading configuration profiles and reusing connections to the LDAP directory server.

The daemon enables LDAP-UX to use multiple domains for directory servers such as ADS. It also allows PAM Kerberos to authenticate POSIX users stored in multiple domains.

Automatic profile downloading updates the LDAP client configuration profile by downloading a newer copy from the directory server when the profileTTL (time to live) expires.

By default, ldapclientd starts at system boot time. The ldapclientd command can also be used to launch the daemon manually, or control it when the daemon is already running. Please refer to the following section and the ldapclientd man page(s) for information about the ldapclientd command and its parameters.

ldapclientd

Starting the client

Use the following syntax to start the client. Options are case sensitive (for example, -d and -D are different options):

/opt/ldapux/bin/ldapclientd [-d <level>] [-o<stdout|syslog|file[=size]>] [-z]

Controlling the client

Use the following syntax to control the client:

/opt/ldapux/bin/ldapclientd [-d <level>] [-o<stdout|syslog|file[=size]>] <-D <cache>|-E <cache>|-S [cache]>

/opt/ldapux/bin/ldapclientd <-f|-k|-L|-h|-r>

Daemon performance

Performance (client response time) is improved by the use of two techniques:

  1. Caching entries to reduce the LDAP-UX client response time while retrieving the following:

    passwd
    group
    netgroup
    X.500 group membership

    Since pwgrd already caches some categories, ldapclientd does not cache those areas; pwgrd is therefore still needed to maintain high performance for lookups such as hosts, protocols and rpc.

  2. Reusing and maintaining connections to the directory server. The reduction in bindings and disconnections significantly reduces the load on server and network traffic.

Command options

Please refer to the ldapclientd man page(s) for option information.

Diagnostics

By default, errors are logged to syslog if the system log is enabled in the LDAP-UX client startup configuration file /etc/opt/ldapux/ldapux_client.conf. Errors that occur before ldapclientd forks into a daemon process are written directly to the screen.

The following diagnostic messages may be issued:

Message: Already running.

Meaning: An attempt was made to start an LDAP client daemon when one was already running.

Message: Cache daemon is not running (or running but not ready).

Meaning: This message can mean several things:

  1. An attempt was made to use the control options of ldapclientd when no ldapclientd daemon process was running to be controlled.

  2. An attempt was made to start or control ldapclientd without superuser privileges.

  3. The ldapclientd daemon process is too busy with other requests to respond at this time. Try again later.

Message: Problem reading configuration file.

Meaning: The /etc/opt/ldapux/ldapclientd.conf file is missing or has a syntax error. If the problem is with its syntax, the error message will be accompanied by a line showing exactly where it could not recognize the syntax, or where it found a setting which is out of range.

Warnings

Whenever the system is rebooted, ldapclientd launches if the [StartOnBoot] section has the setting enable=yes in the file /etc/rc.config.d/ldapclientd.conf (the ldapclientd configuration file). Downloading profiles takes time, depending on the server's response time and the number of profiles listed in the LDAP-UX startup file /etc/opt/ldapux/ldapux_client.conf.

ldapclientd.conf

The file ldapclientd.conf is the configuration file for /opt/ldapux/bin/ldapclientd, the LDAP client daemon. Refer to the previous section for more information about the daemon.

Missing settings

ldapclientd uses the default values for any settings which may be missing from the configuration file.

Configuration file syntax

# comment
[section]
setting=value
setting=value
. . .
[section]
setting=value
setting=value
. . .

Where:

comment

ldapclientd ignores any line beginning with a # delimiter.

section

Each section is configured by setting=value information underneath. The section name must be enclosed by brackets ("[ ]") as delimiters. Valid section names are:
- StartOnBoot
- general
- passwd
- group
- netgroup
- uiddn
- domain_pwd
- domain_grp

setting

This will be different for each section.

value

Depending on the setting, this can be <yes|no|number>.

Section details

Within a section, the following syntax applies:

[StartOnBoot]

Determines if ldapclientd starts automatically when the system boots.

setting=value:

enable=<yes|no>
By default, this is enabled after LDAP-UX has been configured by the LDAP-UX setup program /opt/ldapux/config/setup.

[general]

Any cache setting defined here will be used as the default setting for all caches (passwd, group, netgroup, uiddn, domain_pwd and domain_grp).

setting=value:

max_conn=<2-500>
The maximum number of connections ldapclientd can establish to the directory server (or to multiple servers in a multi-domain environment).
The default value is 20.

connection_ttl=<1-2147483647>
The number of seconds before an inactive connection to the directory server is brought down and cleaned up.
The default value is 120.

num_threads=<1-100>
The number of client request handling threads in ldapclientd.
The default value is 10.

socket_cleanup_time=<10-2147483647>
The interval, in seconds, before the next attempt to clean up the socket files created by any LDAP-UX client applications that were terminated abnormally.
The default value is 300.

cache_cleanup_time=<1-300>
The interval, in seconds, between the times when ldapclientd identifies and cleans up stale cache entries.
The default value is 10.

update_ldapux_conf_time=<10-2147483647>
This determines how often, in seconds, ldapclientd re-reads the /etc/opt/ldapux/ldapux_client.conf client configuration file to download new domain profiles.
The default value is 600 (10 minutes).

cache_size=<102400-1073741823>
The maximum number of bytes that should be cached by ldapclientd. This value is the maximum, upper limit, of memory that can be used by ldapclientd. If this limit is reached, new entries are not cached until enough expired entries are freed to allow it.
The default value is 10000000.

poscache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. There is no [general] default value for this setting. Each cache section has its own default value (listed below). Specifying a value under [general] overrides the poscache_ttl default of every cache section that has no specific poscache_ttl definition of its own.

negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache. There is no [general] default value for this setting. Each cache section has its own default value.

[passwd]

Cache settings for the passwd cache (which caches name, uid and shadow information).

setting=value

enable=<yes|no>
ldapclientd only caches entries for this section when it is enabled. If the cache is not enabled, ldapclientd queries the directory server for every entry request from this section. Since this impacts LDAP-UX client performance and response time, caching is enabled by default.

poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. Since personal data can change frequently, this value is typically smaller than some others.
The default value is 120 (2 minutes).

negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache.
The default value is 240 (4 minutes).

[group]

Cache settings for the group cache (which caches name, gid and membership information).

setting=value

enable=<yes|no>
ldapclientd only caches entries for this section, when it is enabled. By default, caching is enabled.

poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. Since people are added and removed from groups occasionally, this value is not typically large.
The default value is 240 (4 minutes).

negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache.
The default value is 240 (4 minutes).

[netgroup]

Cache settings for the netgroup cache.

setting=value

enable=<yes|no>
ldapclientd only caches entries for this section, when it is enabled. By default, caching is enabled.

poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. Since people are added and removed from groups occasionally, this value is not typically large.
The default value is 240 (4 minutes).

negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache.
The default value is 240 (4 minutes).

[uiddn]

This cache maps a user's UID to their DN from the directory.

setting=value

enable=<yes|no>
ldapclientd only caches entries for this section, when it is enabled. By default, caching is enabled.

poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. Typically, once added into a directory, the user's DN rarely changes.
The default value is 86400 (24 hours).

negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache.
The default value is 84400 (24 hours).

[domain_pwd]

This cache maps user names and UIDs to the domain holding its entry.

setting=value

enable=<yes|no>
ldapclientd only caches entries for this section, when it is enabled. By default, caching is enabled.

poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. Since new domains are rarely added to or removed from the forest, the cache is typically valid for a long time.
The default value is 86400 (24 hours).

negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache.
The default value is 86400 (24 hours).

[domain_grp]

This cache maps group names and GUIDs to the domain holding its entry.

setting=value

enable=<yes|no>
ldapclientd only caches entries for this section, when it is enabled. By default, caching is enabled.

poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. Since new domains are rarely added to or removed from the forest, the cache is typically valid for a long time.
The default value is 86400 (24 hours).

negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache.
The default value is 86400 (24 hours).

Example Configuration File

The following is a sample ldapclientd.conf configuration file.

#!/sbin/sh
# @(#) $Revision: 1.1 $
# ldap client daemon configuration.
#
# Please note, the below keys are case sensitive
#
# Example:
#
# [passwd]
# enable=yes
# poscache_ttl=600
# negcache_ttl=600
#
# Note that "TTLs" (time to live) values are in seconds
# Note that cache sizes are in bytes
#
[StartOnBoot]
enable=no

[general]
# Maximum number of connections the ldapclientd can establish to
# the directory server (or multiple servers when in a multi-domain
# environment).
#
max_conn=20
#
# Time for an in-active connection to the directory server to be
# brought down and cleaned up.
#
connection_ttl=120
#
# Number of threads in ldapclientd.
#
num_threads=10
#
# Time to clean up socket files created by client applications that
# were terminated abnormally.
#
socket_cleanup_time=300
#
# Interval how often ldapclient should use when identifying and
# cleaning up stale cache entries.
#
cache_cleanup_time=10
#
# How often ldapclientd should re-read the ldapux-clientd.conf file.
#
update_ldapux_conf_time=600
#
# Maximum number of bytes that should be cached by ldapclientd.
# This value is the maximum upper limit of memory that can be
# used by ldapclientd. If this limit is reached, new entries are
# not cached, until enough expired entries are freed.
#
cache_size=10000000
#
[passwd]
enable=yes

[group]
enable=yes

[netgroup]
enable=yes

[uiddn]
enable=yes

[domain_pwd]
enable=yes

[domain_grp]
enable=yes

© 2002 Hewlett-Packard Development Company, L.P.