First of all, LDAP-UX does not support updating an OpenLDAP directory, so to get this to work, add the following profile entry to the LDAP directory yourself (this requires DUAConfig.schema, and possibly ldap-printer.schema, to be loaded on the OpenLDAP server):
dn: cn=uxprofile,ou=Profiles,dc=example,dc=com
cn: uxprofile
objectClass: DUAConfigProfile
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
profileTTL: 3600
serviceSearchDescriptor: passwd:OU=People,DC=example,DC=com
serviceSearchDescriptor: group:OU=Group,DC=example,DC=com
authenticationMethod: tls:simple
defaultServerList: <space separated list of LDAP server hosts:ports>
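To generate the profile entry above for your own base DN and server list, and to sanity-check it before loading it (in particular that authenticationMethod still demands TLS, since a plain simple bind on port 389 would send passwords in clear), here is an added example; it is not part of this note or of LDAP-UX, and the host names and check rules in it are assumptions:

```python
# Added example (not LDAP-UX code): build the cn=uxprofile entry used above
# and sanity-check it. Host names and the check rules are assumptions.

def build_profile(base, servers, services, ttl=3600, auth="tls:simple"):
    """Return LDIF text for cn=uxprofile,ou=Profiles,<base>."""
    lines = [
        f"dn: cn=uxprofile,ou=Profiles,{base}",
        "cn: uxprofile",
        "objectClass: DUAConfigProfile",
        f"defaultSearchBase: {base}",
        "defaultSearchScope: one",
        f"profileTTL: {ttl}",
    ]
    for service, container in services.items():
        lines.append(f"serviceSearchDescriptor: {service}:{container}")
    lines.append(f"authenticationMethod: {auth}")
    lines.append("defaultServerList: " + " ".join(servers))
    return "\n".join(lines) + "\n"

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (no folding/base64)."""
    attrs = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
    return attrs

def check_profile(text):
    """Return a list of problems found in a DUAConfigProfile entry."""
    a = parse_ldif_entry(text)
    problems = []
    if "DUAConfigProfile" not in a.get("objectClass", []):
        problems.append("missing objectClass DUAConfigProfile")
    # A plain simple bind on port 389 sends the password in clear text;
    # the profile must demand TLS (tls:simple) as in the note above.
    auth = a.get("authenticationMethod", [""])[0]
    if not auth.startswith("tls:"):
        problems.append(f"authenticationMethod {auth!r} does not require TLS")
    # defaultServerList: space-separated host[:port] (hostnames/IPv4 only here).
    for srv in " ".join(a.get("defaultServerList", [])).split():
        host, sep, port = srv.partition(":")
        if not host or (sep and not port.isdigit()):
            problems.append(f"defaultServerList entry {srv!r} is not host:port")
    for ssd in a.get("serviceSearchDescriptor", []):
        service, sep, container = ssd.partition(":")
        if not (service and sep and container):
            problems.append(f"serviceSearchDescriptor {ssd!r} lacks service:base")
    return problems
```

Feed the output of build_profile to ldapadd after check_profile returns an empty list.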
If you don't have the LDAP-UX package installed, install it from your software depot:
# swinstall -s /yourDepot
Create a certificate key-store (NSS database) for LDAP-UX:
/opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux
Import the CA certificate that signed the OpenLDAP server's certificate, marking it trusted for TLS (the "C,," trust flags):
/opt/ldapux/contrib/bin/certutil -A -n ca-cert -t "C,," -d /etc/opt/ldapux -a -i cacert.crt
Configure LDAP-UX:
/opt/ldapux/config/setup
When prompted, specify TLS and use port 389 (STARTTLS on the standard port, not ldaps on 636).
NOTE: do NOT attempt to extend any schemas -- OpenLDAP does not support this.