Description of problem:

Step 3 of the AIX client installation documentation states:

"Configure the LDAP client settings to use the IPA directory services:

    # mksecldap -c -h ipaserver.example.com -d cn=accounts,dc=example,dc=com -a uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com -p secret"

However, this user is not created on the ipa server until step 11 h:

"On the IPA server, add a user that is only used for authentication. (This can be substituted with krb5 authentication if that works from the LDAP client). Otherwise go to the IPA server and use ldapmodify, bind as Directory Manager and create this user. The user should be assigned a shared password.

    ldapmodify -D "cn=directory manager" -w secret -p 389 -h ipaserver.example.com -x -a
    dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
    objectClass: account
    objectClass: simplesecurityobject
    objectClass: top
    uid: nss
    userPassword: secretpassword"

If a user follows these instructions in this order then the mksecldap command will fail. Step 11 h should be moved to step 3 a, and the existing step 3 should be moved to step 3 b.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/2666

The steps have been reordered:
http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html#Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication

Closing the bug.