Commands Reference, Volume 3
Sets up an AIX cluster to use LDAP for security authentication and data management.

To Set Up an LDAP Security Information Server

mksecldap -s [ -a AdminDN ] [ -p Adminpasswd ] [ -d Suffix ] [ -k SSLkey ] [ -w SSLkeypasswd ] [ -U ]

To Set Up an LDAP Client

mksecldap -c [ -a AdminDN ] [ -p Adminpasswd ] [ -h Serverlist ] [ -d Suffix ] [ -u ALL|userlist ] [ -k SSLkeyfilepath ] [ -w SSLkeypasswd ] [ -t Cachetimeout ] [ -C CacheSize ] [ -P NumberofThreads ] [ -m ]
Note: This command can be run by the root user only.

The mksecldap command sets up an AIX cluster consisting of one or more servers and one or more clients that use LDAP for security authentication and data management. The command must be run on the server and on every client.

Note: The client (-c flag) and the server (-s flag) options cannot be used in the same run. When setting up a server, run the mksecldap command twice on that machine: once with -s to set up the server, and again with -c to set up the client on the same machine.
For server setup, using the -s flag, the mksecldap command:
- Creates a db2 instance with ldapdb2 as the default instance name.
- Creates a db2 database with ldapdb2 as the default database name. If a database already exists, mksecldap adds the AIX data to the existing database.
- Creates the AIX tree DN (suffix). The AIX security data is stored under this suffix.
- Copies the data from the local host's security database files into the LDAP database.
- Sets the LDAP server administrator DN and password. This name/password pair is also used for access control of the AIX tree, so anyone who obtains it can read or change the security data stored there.
- Sets SSL (secure socket layer) for secure data transfer between this server and the clients.
  Note: If this option is used, the SSL key must be created before running the mksecldap command. Otherwise the server may not be able to start.
- Installs the LDAP server plug-in.
- Starts the LDAP server after all of the above is done.
- Adds the LDAP server process (slapd) to /etc/inittab so that the LDAP server starts after a reboot.
- Undoes a previous setup (-U flag). Each time the mksecldap command runs, a copy of the server configuration file is saved. The undo option restores the slapd.conf (slapd32.conf) server configuration file from this saved copy.
  Note: The undo option applies to the server configuration file only. It has no effect on the database.

Note: All of the LDAP configuration is saved in the /etc/slapd.conf (SecureWay Directory version 3.1) or /etc/slapd32.conf (SecureWay Directory version 3.2) LDAP server configuration file.
For client setup, using the -c flag, the mksecldap command:
- Saves the LDAP server(s)' host names.
- Saves the AIX tree DN (suffix) of the server.
- Sets SSL for secure data transfer between this host and the LDAP server.
  Note: The server must be set up to use SSL for the client SSL to work.
- Saves the LDAP server administrator DN and password. The DN/password pair must be the same as the one specified during server setup.
- Sets the cache size, in number of entries, used by the client side daemon. This option is for advanced users only, to adjust system performance. The default value is 1000 (user/group entries).
- Sets the cache timeout of the client side daemon. The default value is 300 (seconds).
- Sets the number of threads used by the client side daemon. This option is for advanced users only, to adjust system performance. The default value is 10 (threads).
- Sets the listed users, or all users, to use LDAP by modifying the SYSTEM line of their stanzas in the /etc/security/user file. See the -u flag below.
- Starts the client daemon process (secldapclntd).
- Adds the client side daemon process to /etc/inittab so that the daemon starts after a reboot.

Note: The client configuration data, including the administrator DN and password saved above, is written to the /etc/security/ldap/ldap.cfg file. Because that DN/password pair also controls access to the AIX tree on the server, any client holding it can change the security data that every other client relies on; protect this file as you would /etc/security/passwd.

AIX user/group management commands can be used to manage LDAP users and groups by supplying the -R LDAP flag with the command (for example, lsuser -R LDAP ALL).
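The server-host procedure above (run mksecldap -s, then mksecldap -c on the same machine, with the SSL key database created before -k is used, and the same DN, password and suffix on both runs) as an added shell example. This is not code from the AIX documentation: mksecldap is reached through the hypothetical MKSECLDAP variable so the checks can be exercised on a host without the command, and the aix_suffix, preflight, run_mksecldap and setup_server_host function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the AIX documentation. Wraps the two runs of
# mksecldap a server host needs (-s, then -c) behind preflight checks.
# MKSECLDAP is a hypothetical indirection: set it to "echo" to print the
# argument lists instead of running the real command.
MKSECLDAP=${MKSECLDAP:-mksecldap}

# aix_suffix SUFFIX: the AIX tree DN mksecldap will use for a -d value.
# Empty means the default cn=aixsecdb; otherwise cn=aixsecdb is prepended
# unless the suffix already carries it.
aix_suffix() {
    case "$1" in
        "")           echo "cn=aixsecdb" ;;
        cn=aixsecdb*) echo "$1" ;;
        *)            echo "cn=aixsecdb,$1" ;;
    esac
}

# preflight ADMINDN ADMINPW [KEYDB KEYPW]: reject inputs that would end in
# a server that does not start or an AIX tree with an empty administrator
# password. Prints the first problem to stderr and returns 1.
preflight() {
    [ -n "$1" ] || { echo "preflight: administrator DN is empty" >&2; return 1; }
    [ -n "$2" ] || { echo "preflight: administrator password is empty" >&2; return 1; }
    if [ -n "$3" ]; then
        # -k will be used: the key database must exist before mksecldap runs.
        [ -f "$3" ] || { echo "preflight: SSL key database $3 not found" >&2; return 1; }
        [ -n "$4" ] || { echo "preflight: -k given without a key password" >&2; return 1; }
    fi
    return 0
}

# run_mksecldap MODE ADMINDN ADMINPW SUFFIX KEYDB KEYPW SERVERLIST
# One invocation. MODE is s or c, never both: the client and server flags
# cannot be combined in a single run. Empty SUFFIX/KEYDB/SERVERLIST omit
# the matching flags so the documented defaults apply.
run_mksecldap() {
    mode=$1 admindn=$2 adminpw=$3 suffix=$4 keydb=$5 keypw=$6 servers=$7
    case "$mode" in
        s|c) ;;
        *) echo "run_mksecldap: mode must be s or c, got '$mode'" >&2; return 1 ;;
    esac
    set -- "-$mode" -a "$admindn" -p "$adminpw"
    if [ -n "$suffix" ]; then set -- "$@" -d "$suffix"; fi
    if [ -n "$keydb" ]; then set -- "$@" -k "$keydb" -w "$keypw"; fi
    if [ "$mode" = c ] && [ -n "$servers" ]; then set -- "$@" -h "$servers"; fi
    "$MKSECLDAP" "$@"
}

# setup_server_host HOST ADMINDN ADMINPW [SUFFIX] [KEYDB KEYPW]
# The two runs the documentation requires on a server machine: -s to build
# the directory, then -c so the host authenticates against it. The client
# run points at HOST and reuses the same DN, password, suffix and key so
# the values match the server setup, as the -a, -p and -d flags require.
setup_server_host() {
    preflight "$2" "$3" "$5" "$6" || return 1
    run_mksecldap s "$2" "$3" "$4" "$5" "$6" "" || return 1
    run_mksecldap c "$2" "$3" "$4" "$5" "$6" "$1"
}
```

Because mksecldap accepts the administrator password only through -p, the wrapper cannot keep it out of the process list while the command runs; what it can do is take the password from a variable rather than a literal in a script, and refuse to start when the key database named by -k is missing, which the documentation notes would otherwise leave the server unable to start.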
On the server side:

-a AdminDN
    Specifies the LDAP server administrator DN.
-d Suffix
    Specifies the suffix of the AIX subtree.
-k SSLkey
    Specifies the full path to the SSL key database of the server.
-p Adminpasswd
    Specifies the clear text password for the administrator DN. The password is passed on the command line, so it is visible to other users of the host in the process list while the command runs and may be recorded in the shell history.
-s
    Indicates that the command is being run to set up the server.
-w SSLkeypasswd
    Specifies the password for the SSL key.
-U
    Specifies to undo the previous server setup to the LDAP configuration file.
On the client side:

-a AdminDN
    Specifies the LDAP server administrator DN. It must match the one used for the server setup.
-c
    Indicates that the command is being run to set up the client.
-C CacheSize
    Specifies the maximum number of user or group entries kept in the client side daemon cache. The default is 1000 (1000 user entries and 1000 group entries).
-d Suffix
    Specifies the suffix of the AIX subtree on the LDAP server. It must match the one used for the server setup.
-h Serverlist
    Specifies a comma separated list of host names (server and backup server).
-k SSLkeyfilepath
    Specifies the full path to the client SSL key.
-m
    Sets the client daemon to always talk to the master server when it is available.
-p Adminpasswd
    Specifies the clear text password for the administrator DN of the LDAP server. It must match the one used for the server setup. The same command-line exposure as on the server applies.
-P NumberofThreads
    Specifies the number of threads the client side daemon uses. The default is 10. This is for advanced users to adjust system performance.
-t Cachetimeout
    Specifies the maximum time, in seconds, that a cache entry is kept before it expires. The default is 300 seconds.
-u ALL|userlist
    Specifies a comma separated list of user names (no spaces) whose SYSTEM attribute in /etc/security/user is set so that they authenticate through LDAP. Specify ALL to enable all users on the client.
-w SSLkeypasswd
    Specifies the password for the client SSL key.
Files accessed by the command:

Mode  File
r     /etc/passwd
r     /etc/group
r     /etc/security/passwd
r     /etc/security/limits
r     /etc/security/user (on the server)
rw    /etc/security/user (on the clients)
r     /etc/security/environ
r     /etc/security/user.roles
r     /etc/security/lastlog
r     /etc/security/smitacl.user
r     /etc/security/mac_user
r     /etc/security/group
r     /etc/security/smitacl.group
r     /etc/security/roles
rw    /etc/security/login.cfg (on the server)
rw    /etc/slapd.conf (on the server)
rw    /etc/aix.slapd.conf (on the server)
Examples:

- To set up the server with the administrator DN cn=admin,o=ibm,c=us and the password adminpwd, type:
      mksecldap -s -a cn=admin,o=ibm,c=us -p adminpwd
  The AIX tree DN (suffix) is set to the default, cn=aixsecdb.
- To set up the server using the suffix cn=aixsecdb,o=mycompany,c=us, type:
      mksecldap -s -a cn=admin,o=ibm,c=us -p adminpwd -d \
      o=mycompany,c=us -k /usr/ldap/serverkey.kdb -w keypwd
  The mksecldap command automatically converts the o=mycompany,c=us suffix to cn=aixsecdb,o=mycompany,c=us. It also sets the server to use the key stored in /usr/ldap/serverkey.kdb for SSL connections.
- To set up the client to use server1.ibm.com and server2.ibm.com as its LDAP servers, type:
      mksecldap -c -a cn=admin,o=ibm,c=us -p adminpwd -h \
      server1.ibm.com,server2.ibm.com
  The administrator DN and password of the server must be supplied for this client to authenticate to the server.
  Note: The server must be set up to use the default AIX suffix for this to work; otherwise the server's AIX suffix must be supplied explicitly with the -d flag during client setup.
- To set up the client to use server1.ibm.com as its LDAP server and to tell the client that the AIX tree suffix is cn=aixsecdb,o=mycompany,c=us, type:
      mksecldap -c -a cn=admin,o=ibm,c=us -p adminpwd -h server1.ibm.com -d \
      o=mycompany,c=us -k /usr/ldap/serverkey.kdb -w keypwd -u user1,user2,...
  The mksecldap command automatically converts the o=mycompany,c=us suffix to cn=aixsecdb,o=mycompany,c=us. The suffix supplied with the -d flag must match the one used for the server setup. This also sets the client to use the key stored in /usr/ldap/serverkey.kdb for SSL connections. The users in the user1,user2,... list are set up to authenticate through LDAP; the list must not contain spaces, or the shell passes the later names as separate arguments.
- To set all users on the local host so that they authenticate through LDAP, type:
      mksecldap -c -u ALL
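What the -u userlist option does to /etc/security/user, as an added shell example that is not from the AIX documentation: it rewrites the SYSTEM attribute in the named users' stanzas of a constructed copy of the file and reads the result back, leaving the default stanza and unlisted users untouched. The stanza layout (a name followed by a colon, then indented attribute = value lines) is the AIX stanza format; the value written, LDAP, is an assumption, since the documentation does not state which SYSTEM grammar mksecldap writes, and ALL is not emulated. The function names make_sample_user_file, set_system and get_system are the example's own.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: emulate what -u userlist
# does to /etc/security/user on a constructed copy of the file.

# make_sample_user_file FILE: write a constructed stanza file in the layout
# of /etc/security/user (sample data, not a real system file).
make_sample_user_file() {
    cat > "$1" <<'EOF'
default:
	admin = false
	login = true
	SYSTEM = "compat"

root:
	admin = true
	SYSTEM = "compat"

user1:
	admin = false
	SYSTEM = "compat"

user2:
	admin = false
EOF
}

# set_system FILE VALUE USER...: set SYSTEM = "VALUE" in each named user's
# stanza, replacing an existing line or adding one when the stanza has
# none; other stanzas (default, root, unlisted users) are copied unchanged.
# The value LDAP used by the caller is an assumption about the grammar.
set_system() {
    file=$1 value=$2
    shift 2
    users=$(printf '%s,' "$@")              # "user1,user2,"
    tmp="$file.tmp.$$"
    awk -v users="$users" -v value="$value" '
        BEGIN { n = split(users, u, ","); for (i = 1; i <= n; i++) if (u[i] != "") want[u[i]] = 1 }
        # Called when a stanza ends: add the attribute if a wanted stanza lacked it.
        function flush() {
            if (cur != "" && (cur in want) && !seen) { printf "\tSYSTEM = \"%s\"\n", value; seen = 1 }
        }
        /^[^ \t#*][^:]*:[ \t]*$/ { flush(); cur = $0; sub(/:[ \t]*$/, "", cur); seen = 0; print; next }
        /^[ \t]*$/ { flush(); print; next }
        (cur in want) && /^[ \t]*SYSTEM[ \t]*=/ { printf "\tSYSTEM = \"%s\"\n", value; seen = 1; next }
        { print }
        END { flush() }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_system FILE USER: print USER's SYSTEM value with the quotes stripped,
# or nothing if the stanza has no SYSTEM line.
get_system() {
    awk -v user="$2" '
        /^[^ \t#*][^:]*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == user && /^[ \t]*SYSTEM[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v); print v; exit
        }
    ' "$1"
}
```

Running get_system before and after set_system on the sample shows the two effects the -u flag has: user1's existing SYSTEM line is replaced, and user2, which had none, gains one, while root and default keep compat.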
Related information:

The secldapclntd daemon.
The /etc/security/ldap/ldap.cfg file.
The /etc/slapd.conf and /etc/slapd32.conf files.
LDAP Exploitation of the Security Subsystem in the AIX 5L Version 5.1 System Management Guide: Operating System and Devices.