📖 ~1 min read
Table of contents
Symptom & Impact
`lsuser ALL` returns `3004-687` and SSH logins via LDAP fall back to local users.
Environment & Reproduction
AIX 7.2 client bound to AD or IBM Directory Server with `ldap.cfg` and `secldapclntd`.
Root Cause Analysis
`secldapclntd` lost its bind because of expired TLS certificate or rotated bind DN password.
Quick Triage
Check `lssec -f /etc/security/ldap/ldap.cfg -s server -a bindpwd` and `ls-secldapclntd`.
Step-by-Step Diagnosis
Run `ldapsearch -h -D -w -b uid=root` to test bind.
Solution – Primary Fix
Refresh credentials: `mksecldap -c -h -a -p ` and `restart-secldapclntd`.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
Solution – Alternative Approaches
Rotate to LDAPS with `ldap.cfg` `usessl=YES` and re-import the CA into `gskcapicmd`.
Verification & Acceptance Criteria
`lsuser -R LDAP ALL` lists directory users and `id ` resolves on the AIX host.
Rollback Plan
Stop `secldapclntd` and reset `/usr/lib/security/methods.cfg` to local-only as fallback.
Prevention & Hardening
Monitor `secldapclntd` via `errnotify` and pre-stage CA renewals before expiry.
Related Errors & Cross-Refs
Related to `secldapclntd` core dumps and `loginrestrictions` LDAP module errors.
Related tutorial: View the step-by-step tutorial for aix-7.2.
View all aix-7.2 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
IBM Docs: AIX LDAP client integration, `mksecldap`, `secldapclntd`.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.
