
Security Guide

LDAP Exploitation of the Security Subsystem

The Lightweight Directory Access Protocol (LDAP) defines a standard method for accessing and updating information in a directory (a database), either locally or remotely, in a client-server model. AIX uses LDAP to let a cluster of hosts share centralized authentication as well as user and group information. This functionality is intended for a clustering environment, to keep authentication, user, and group information consistent across the cluster.

The LDAP exploitation of the security subsystem is implemented as the LDAP authentication load module. It is conceptually similar to the other load modules, such as NIS, DCE, and Kerberos 5. The load modules are defined in the /usr/lib/security/methods.cfg file. The LDAP authentication load module is implemented at a low level and is handled by the security libraries.

After the LDAP authentication load module is enabled to serve user and group information, most high-level APIs, commands, and system-management tools work in their usual manner. A -R flag has been added to most high-level commands so that they can work through a specific load module. For example, to create an LDAP user named joe from a client machine, use the following command:

mkuser -R LDAP joe

The client system checks whether the user is an LDAP user through the user's SYSTEM attribute in the /etc/security/user file. If the user's SYSTEM attribute is set to LDAP, that user can only authenticate through LDAP. If the SYSTEM attribute in the default stanza is set to LDAP, all users who do not have a SYSTEM attribute set are considered LDAP users. The LDAP keyword can be used with other SYSTEM attribute values as described in User Authentication. The client side communicates to the server through the secldapclntd daemon. The daemon accepts requests from applications (through the library APIs), queries the LDAP server, and returns data to the application. The secldapclntd daemon is also responsible for caching.

Setting Up an LDAP Security Information Server

To set up a system as an LDAP security information server that serves authentication, user, and group information through LDAP, the LDAP server and client packages must be installed. The LDAP server must be configured as a client as well as a server. The LDAP server also requires a DB2 database. If Secure Socket Layer (SSL) is required, the GSKit must be installed and the system administrator must create a key using the ikeyman command. The certificate of the server key must be distributed to the clients.

The mksecldap command can be used to set up an LDAP security information server. It sets up a database named ldapdb2, populates the database with the user and group information from the local host, and sets the LDAP server administrator DN (distinguished name) and password. Optionally, it can set up SSL for client/server communication. Then mksecldap loads a server plugin (libsecldap.a) and starts the LDAP server process (slapd). The mksecldap command also adds an entry into the /etc/inittab file to start the LDAP server at every reboot. The entire LDAP server setup is done through the mksecldap command, which updates the slapd.conf file (SecureWay(R) Directory Version 3.1) or slapd32.conf file (SecureWay Directory Version 3.2). There is no need to configure the LDAP Web management interface.

All users and groups from the local system are migrated to the LDAP server during server setup. Select one of the following LDAP schemas for this step:

AIX-specific schema
Includes the aixAccount and aixAccessGroup object classes. This schema offers a full set of attributes for AIX users and groups.
NIS schema (RFC 2307)
Includes the posixAccount and posixGroup object classes and is used by several vendors' directory products. The NIS schema defines only a small subset of the attributes that AIX uses.
NIS schema with full AIX support
Includes the posixAccount and posixGroup object classes plus the aixAuxAccount and aixAuxGroup object classes, which provide the attributes that AIX uses but the NIS schema does not define. Setting up the LDAP server with the NIS schema with full AIX support is recommended, unless an AIX-specific schema server is needed for compatibility with existing LDAP servers.

All the user and group information is stored under a common AIX tree (suffix). The default suffix is cn=aixdata, and the security data is placed beneath it under cn=aixsecdb (the exact DN layout is given under The mksecldap Command below). The mksecldap command accepts a user-supplied suffix through the -d flag; it prefixes the user-supplied suffix with cn=aixdata to form the actual suffix. This AIX tree is ACL (Access Control List) protected: a client must bind as the LDAP server administrator to access it.

The mksecldap command also works if an LDAP server has already been set up for other purposes, for example to serve blue pages information. In this case, mksecldap adds the AIX tree to the existing database and populates it with the AIX security information. This tree is ACL-protected independently of the other trees, so the LDAP server continues to work as before while also serving as an AIX LDAP security server.

Note
Back up the existing database before running the mksecldap command to set up the security server in a shared database.

After the LDAP security information server is successfully set up, the same host must be set up as a client so that LDAP user and group management can be completed and LDAP users can log in to this server.

If the LDAP security information server setup is not successful, you can undo the setup by running the mksecldap command with the -U flag. This restores the slapd.conf (or slapd32.conf) file to its pre-setup state. Run the mksecldap command with the -U flag after any unsuccessful setup attempt before trying to run the mksecldap command again. Otherwise, residual setup information might remain in the configuration file and cause a subsequent setup to fail. As a safety precaution, the undo option does not do anything to the database or to its data, because the database could have existed before the mksecldap command was run. Remove any database manually if it was created by the mksecldap command. If the mksecldap command has added data to a pre-existing database, decide what steps to take to recover from a failed setup attempt.

Beginning with AIX 5.2, the mknisldap command can also be used to set up the LDAP security information server. The mknisldap command sets up the server in the same way as the mksecldap command, and it migrates other NIS data as well as users and groups to the LDAP server.

For more information on setting up an LDAP security information server, see the mksecldap command.

Setting Up an LDAP Client

Each client must have the LDAP client package installed. If SSL is required, the GSKit must be installed, a key must be created, and the LDAP server's SSL certificate must be added to that key.

The mksecldap command can be used to set up the client. For the client to contact the LDAP security information server, the server name must be supplied during setup. The server administrator's distinguished name (DN) and password are also needed for the client to access the AIX tree on the server. The mksecldap command saves the server administrator DN and password, the server name, the DN of the AIX tree on the server, and the SSL key path and password to the /etc/security/ldap/ldap.cfg file. Because this file holds the directory administrator's credentials, protect it as you would any other credential store on the client.

Multiple servers can be supplied to the mksecldap command during client setup. In this case, the client contacts the servers in the supplied order and establishes a connection to the first server it can successfully bind to. If the connection between the client and the server is lost, reconnection is attempted using the same logic. The security LDAP exploitation model does not support LDAP referrals, so the replica servers must be kept synchronized.

The client communicates to the LDAP security information server through a client side daemon (secldapclntd). If the LDAP load module is enabled on this client, high-level commands eventually find this daemon through the library APIs. The daemon queries the server and returns the information back to the caller.

Other fine-tuning options can be supplied to the mksecldap command during client setup, such as settings for the number of threads used by the daemon, the cache entry size, and the cache expiration timeout. These options are for experienced users only. For most environments, the default values are sufficient.

A comma-separated user list can be supplied to the mksecldap command during client setup. These users' SYSTEM attributes are set to LDAP. Once this is done, these users can only authenticate through the LDAP load module. Note that the mksecldap command does not add these users to the LDAP security information server to avoid duplicate user IDs in the LDAP database. Using the mkuser command with -R LDAP flag to create these users on an LDAP server is recommended.

In the final steps of client setup, the mksecldap command starts the client-side daemon and adds an entry to the /etc/inittab file so that the daemon starts at every reboot. You can check whether the setup succeeded by checking for the secldapclntd process (for example, with the ls-secldapclntd command). Provided that the LDAP security information server is set up and running, this daemon is running if the setup was successful.

LDAP User Management

You can manage users and groups on an LDAP security information server from any LDAP client by using high-level commands. An -R flag added to most of the high-level commands can manage users and groups using LDAP as well as other authentication load modules such as DCE, NIS, and Kerberos 5. For more information concerning the use of the -R flag, refer to each of the user or group management commands.

To enable a user to authenticate through LDAP, run the chuser command to change the user's SYSTEM attribute value to LDAP. By setting the SYSTEM attribute value according to the defined syntax, a user can be authenticated through more than one load module (for example, compat and LDAP). For more information on setting users' authentication methods, see User Authentication and the SYSTEM attribute syntax defined in the /etc/security/user file.

A user can become an LDAP user at client setup time by running the mksecldap command with the -u flag in either of the following forms:

  1. Run mksecldap -c -u user1,user2,..., where user1,user2,... is a list of users. The users in this list can be either locally defined or remotely LDAP-defined users. The SYSTEM attribute is set to LDAP in each of these users' stanzas in the /etc/security/user file, so these users are authenticated only through LDAP. The users in this list must exist on the LDAP security information server; otherwise, they cannot log in from this host. Run the chuser command to modify the SYSTEM attribute if authentication through multiple methods (for example, both local and LDAP) is wanted.
  2. Run mksecldap -c -u ALL. This sets the SYSTEM attribute to LDAP in the stanza of every locally defined user in the /etc/security/user file, so all such users authenticate only through LDAP. The locally defined users must exist on the LDAP security information server; otherwise they cannot log in from this host. A user that is defined on the LDAP server but not defined locally cannot log in from this host. To allow a remotely LDAP-defined user to log in from this host, run the chuser command to set the SYSTEM attribute to LDAP for that user.

Alternatively, you can enable all LDAP users, whether or not they are defined locally, to authenticate through LDAP on a host by changing the SYSTEM value in the "default" stanza of the /etc/security/user file. All users that do not have a SYSTEM attribute of their own follow the default stanza. For example, if the default stanza has SYSTEM = "compat", changing it to SYSTEM = "compat OR LDAP" allows these users to authenticate either locally or through LDAP, and changing it to SYSTEM = "LDAP" makes them authenticate exclusively through LDAP. Users with their own SYSTEM value are not affected by the default stanza.
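The following Python is an added illustration of the rules above; it is example code written for this page, not AIX's own implementation. It parses a constructed /etc/security/user stanza file, resolves the effective SYSTEM value for a user by falling back to the default stanza, and evaluates SYSTEM expressions such as "compat OR LDAP" against the set of load modules that would accept the user. The sample file contents are constructed, and the [SUCCESS]/[FAILURE]/[UNAVAIL] modifiers of the full AIX SYSTEM grammar are not handled.

```python
"""Resolve and evaluate the SYSTEM attribute from an AIX-style
/etc/security/user stanza file (added example, not AIX code)."""
import re

# Constructed sample of /etc/security/user; not taken from a real system.
SAMPLE_USER_FILE = """\
* comment lines start with an asterisk
default:
\tadmin = false
\tlogin = true
\tSYSTEM = "compat"

root:
\tadmin = true
\tSYSTEM = "compat"

alice:
\tSYSTEM = "LDAP"
\tregistry = LDAP

bob:
\tSYSTEM = "compat OR LDAP"

carol:
\tlogin = true
"""


def parse_stanzas(text):
    """Parse 'name:' headers followed by indented 'attr = value' lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("*"):
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed stanza line: {raw!r}")
        attr, value = (part.strip() for part in line.split("=", 1))
        stanzas[current][attr] = value.strip('"')
    return stanzas


def effective_system(stanzas, user):
    """A user's own SYSTEM value wins; otherwise the default stanza applies.
    Assumption: fall back to compat if there is no default stanza at all."""
    if "SYSTEM" in stanzas.get(user, {}):
        return stanzas[user]["SYSTEM"]
    return stanzas.get("default", {}).get("SYSTEM", "compat")


def evaluate(expr, succeeding):
    """Evaluate a SYSTEM expression (method names joined by AND/OR, with
    optional parentheses, left to right) against the set of load modules
    that would accept the user. The [SUCCESS]/[FAILURE]/[UNAVAIL]
    modifiers of the full AIX grammar are deliberately not handled."""
    tokens = re.findall(r"\(|\)|\w+", expr)
    pos = 0

    def expression():
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos].upper() in ("AND", "OR"):
            op = tokens[pos].upper()
            pos += 1
            rhs = term()
            result = (result and rhs) if op == "AND" else (result or rhs)
        return result

    def term():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            inner = expression()
            pos += 1          # consume the closing parenthesis
            return inner
        return tok in succeeding

    return expression()


def authenticates(stanzas, user, succeeding):
    """True if the user's effective SYSTEM expression is satisfied by the
    load modules in `succeeding` (e.g. {"LDAP"} when only LDAP accepts)."""
    return evaluate(effective_system(stanzas, user), set(succeeding))


def ldap_only_users(stanzas):
    """Users whose effective SYSTEM is exactly LDAP (LDAP is their only path)."""
    return sorted(u for u in stanzas if u != "default"
                  and effective_system(stanzas, u).upper() == "LDAP")


if __name__ == "__main__":
    S = parse_stanzas(SAMPLE_USER_FILE)
    for user in ("root", "alice", "bob", "carol"):
        print(user, effective_system(S, user),
              "ldap-ok" if authenticates(S, user, {"LDAP"}) else "ldap-no")
```

Note that carol, who has no SYSTEM value of her own, inherits "compat" from the default stanza and therefore cannot authenticate through LDAP until either her stanza or the default stanza is changed.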

LDAP Host Access Control

AIX provides user-level host access (login) control. Administrators can permit an LDAP user to log in to a particular AIX system by setting that user's SYSTEM attribute to LDAP in the system's /etc/security/user file. The chuser command can be used to set its value, similar to the following:

# chuser -R LDAP SYSTEM=LDAP registry=LDAP foo

This sets user foo's SYSTEM attribute to LDAP so that foo can log in to this system. It also sets the registry to LDAP, so that the login process records foo's login attempts in LDAP and any user management tasks for foo are performed on the LDAP server.

Note
With this type of control, do not set the SYSTEM attribute in the default stanza to LDAP, because that allows all LDAP users to log in to the system.

The administrator must repeat this setup on each client system on which the selected users are to log in.

Starting with AIX 5.2, an LDAP user can be restricted to logging in only on certain LDAP client systems, which allows host access control to be managed centrally. Administrators can specify two host access control lists for a user account: an allow list and a deny list. Both lists are stored in the LDAP server as attributes of the user account. A user is allowed access to the systems or networks in the allow list and denied access to those in the deny list; if a system appears in both lists, the user is denied access to it. The lists can be set with the mkuser command when the user is created or with the chuser command for an existing user. For backward compatibility, a user with neither an allow list nor a deny list may log in to any LDAP client system. Because clients earlier than AIX 5.2 do not enforce these lists, upgrade all LDAP client systems to AIX 5.2 or later; otherwise a user whose lists deny a given system may still be able to log in to it if that system runs an older release.

Examples of setting allow and deny lists for users:

      # mkuser -R LDAP hostsallowedlogin=host1,host2 foo

This creates user foo, who is allowed to log in only to host1 and host2.

      # mkuser -R LDAP hostsdeniedlogin=host2 foo

This creates user foo, who can log in to any LDAP client system except host2.

      # chuser -R LDAP hostsallowedlogin=192.9.200.1 foo

This allows user foo to log in to the client system at address 192.9.200.1.

      # chuser -R LDAP hostsallowedlogin=192.9.200/24 \
        hostsdeniedlogin=192.9.200.1 foo

This allows user foo to log in to any client system within the 192.9.200/24 subnet, except the client system at address 192.9.200.1.

For more information, see the chuser command.
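The following Python is an added example, written for this page rather than taken from AIX, that applies the hostsallowedlogin/hostsdeniedlogin rules described above to a client: the deny list takes precedence, a user with neither list is unrestricted, and list entries may be host names, single addresses, or subnets. The expansion of the short subnet form 192.9.200/24 into 192.9.200.0/24 and the parse_attr_args helper are assumptions made for the example.

```python
"""Evaluate hostsallowedlogin / hostsdeniedlogin the way the text describes
(added example, not AIX code): deny wins over allow, and a user with neither
list may log in to any LDAP client."""
import ipaddress


def parse_attr_args(args):
    """Turn mkuser/chuser style 'attr=value' arguments into a dict, e.g.
    ["hostsallowedlogin=192.9.200/24", "hostsdeniedlogin=192.9.200.1"].
    (Helper invented for this example.)"""
    attrs = {}
    for arg in args:
        name, _, value = arg.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def _normalize(entry):
    """Accept the short subnet form used on the page (192.9.200/24) by
    padding missing octets with zeros. Assumption: that is how the short
    form is meant to expand."""
    if "/" not in entry:
        return entry
    addr, prefix = entry.split("/", 1)
    parts = addr.split(".")
    if all(p.isdigit() for p in parts) and len(parts) < 4:
        addr = ".".join(parts + ["0"] * (4 - len(parts)))
    return f"{addr}/{prefix}"


def _matches(entry, hostname, address):
    """An entry is a host name, a single IP address, or a CIDR network."""
    try:
        network = ipaddress.ip_network(_normalize(entry), strict=False)
    except ValueError:
        return entry.lower() == hostname.lower()   # not an address: host name
    return ipaddress.ip_address(address) in network


def _split(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def login_allowed(user_attrs, hostname, address):
    """Apply the allow/deny rules for one client identified by (hostname, address)."""
    allowed = _split(user_attrs.get("hostsallowedlogin", ""))
    denied = _split(user_attrs.get("hostsdeniedlogin", ""))
    if not allowed and not denied:
        return True        # backward compatibility: no lists, no restriction
    if any(_matches(e, hostname, address) for e in denied):
        return False       # deny list takes precedence over the allow list
    if not allowed:
        return True        # deny list only: everything not denied is allowed
    return any(_matches(e, hostname, address) for e in allowed)


if __name__ == "__main__":
    # Constructed attributes mirroring the last chuser example on the page.
    foo = parse_attr_args(["hostsallowedlogin=192.9.200/24",
                           "hostsdeniedlogin=192.9.200.1"])
    for host, addr in (("host1", "192.9.200.1"), ("host2", "192.9.200.7"),
                       ("host3", "10.1.2.3")):
        print(host, addr, "allowed" if login_allowed(foo, host, addr) else "denied")
```

The function models the decision only; on a real system it is the AIX client that enforces the lists, which is why the text insists that every client be at AIX 5.2 or later.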

LDAP Security Information Server Auditing

SecureWay Directory version 3.2 provides a default server audit logging function. Once enabled, this default audit plugin logs LDAP server activities to a log file. See the LDAP documentation in Packaging Guide for LPP Installation for more information on this default audit plugin.

An LDAP security information server auditing function has been implemented in AIX 5.1 and later, called the LDAP security audit plugin. It is independent of the SecureWay Directory default auditing service, so that either one or both of these auditing subsystems can be enabled. The AIX audit plugin records only those events that update or query the AIX security information on an LDAP server. It works within the framework of AIX system auditing.

To accommodate LDAP, audit events for the LDAP security information server are defined in the /etc/security/audit/event file, and an ldapserver audit class that contains all of those events is defined in the /etc/security/audit/config file.

To audit the LDAP security information server, add the following line to each user's stanza in the /etc/security/audit/config file:

ldap = ldapserver

Because the LDAP security information server audit plugin is implemented within the framework of AIX system auditing, it is part of the AIX auditing subsystem. Enable or disable LDAP security information server auditing with the system audit commands, such as audit start and audit shutdown. All audit records are added to the system audit trails, which can be reviewed with the auditpr command. For more information, see Auditing.

LDAP Commands

The mksecldap Command

The mksecldap command can be used to set up IBM SecureWay Directory servers and clients for security authentication and data management. This command must be run on the server and all clients.

Notes:
  1. The client (-c flag) and server (-s flag) options cannot be used in the same run. When setting up a server, run the mksecldap command twice on that machine: once to set up the server and again to set up the client.
  2. The SecureWay Directory server configuration file is /etc/slapd32.conf for SecureWay Directory 3.2 or later. AIX 5.2 supports only SecureWay Directory 3.2 and later.

For server setup, make sure that the ldap.server fileset is installed. When installing the ldap.server fileset, the ldap.client fileset and the backend DB2 software are automatically installed as well. No DB2 preconfiguration is required to run this command for LDAP server setup. When you run the mksecldap command to set up the server, the command will:

  1. Create a DB2 instance with ldapdb2 as the default instance name.
  2. Create a DB2 database with ldapdb2 as the default database name. If a database already exists, mksecldap will bypass the above two steps. (This is the case when the LDAP server has been set up for other usage.) The mksecldap command will use the existing database to store the AIX user/group data.
  3. Create the AIX tree DN (suffix). If no base DN is supplied on the command line, the default suffix is cn=aixdata and the user/group data is placed under the cn=aixsecdb,cn=aixdata DN. This is the recommended case. Otherwise, the mksecldap command takes the user-supplied DN, prefixes it with cn=aixdata, and makes the newly constructed DN the suffix. This behavior is shown in the following table, where the value within the brackets represents the optional user-supplied DN from the command line.
    CMD-line DN: [o=ibm]
    suffix: cn=aixdata[,o=ibm]
    security DN: cn=aixsecdb,cn=aixdata[,o=ibm]
    user DN: ou=aixuser,cn=aixsecdb,cn=aixdata[,o=ibm]
    group DN: ou=aixgroup,cn=aixsecdb,cn=aixdata[,o=ibm]
    If the LDAP server has already been set up on the local system, the mksecldap command searches for the cn=aixsecdb keyword among the suffixes defined in the slapd32.conf configuration file and in the database. If it finds the keyword, it assumes that mksecldap has already been run, bypasses the base DN setup step and the user/group migration step, and exits.

    If cn=aixsecdb is found in neither the suffixes nor the database, the mksecldap command checks for the cn=aixdata keyword. cn=aixdata is a common base DN shared by various AIX LDAP components. If the mksecldap command finds the keyword, it compares that DN with the user-supplied DN. If they are the same, the users and groups are put under cn=aixsecdb,cn=aixdata,[userDN]. If they differ, the mksecldap command prints an error message warning of the existing cn=aixdata,... DN and does not migrate the users and groups under the user-supplied DN. To use the existing cn=aixdata,... tree, run the mksecldap command again with that existing DN.

  4. Migrates the data from the local host's security database files into the LDAP database. Depending on the -S option, the mksecldap command migrates users and groups using one of the three LDAP schemas described under Setting Up an LDAP Security Information Server.
  5. Sets the LDAP server administrator DN and password. This name/password pair is also used for access control of the AIX tree.
  6. Sets up SSL (secure socket layer) for secure data transfer between this server and the clients. This setup requires the GSKit to be installed.
    Note
    If this option is used, the SSL key must be created before running the mksecldap command. Otherwise the server may not be able to start.
  7. Installs /usr/ccs/lib/libsecldapaudit.a, an LDAP server plug-in that supports AIX auditing of the LDAP server.
  8. Starts or restarts the LDAP server after all of the above is done.
  9. Adds the LDAP server process (slapd) to /etc/inittab so that the LDAP server starts after a reboot.
  10. With the -U option, undoes a previous setup of the server configuration file. The first time you run the mksecldap command, it saves two copies of the slapd32.conf server configuration file: one to /etc/security/ldap/slapd32.conf.save.orig and the other to /etc/security/ldap/slapd32.conf.save. On each subsequent run of mksecldap, the current slapd32.conf is saved only to /etc/security/ldap/slapd32.conf.save. The undo option restores the /etc/slapd32.conf server configuration file from the /etc/security/ldap/slapd32.conf.save copy.
    Note
    The undo option applies to the server configuration file only. It has no effect on the database.
Note
All the LDAP configuration is saved into the /etc/slapd32.conf LDAP server configuration file.
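The DN layout and the existing-suffix checks of step 3 above are easier to follow as code. The following Python is an added illustration written for this page; it is not mksecldap's own implementation, and the action names 'skip', 'conflict' and 'migrate' are labels chosen here for the three outcomes the text describes. The existing suffixes passed in are constructed examples.

```python
"""Model the DN layout and the existing-suffix checks that the text attributes
to mksecldap server setup (added illustration, not mksecldap's own code)."""


def aix_tree_dns(cmdline_dn=None):
    """Build the suffix and the security/user/group DNs from an optional -d DN,
    following the table in step 3."""
    suffix = "cn=aixdata" + (f",{cmdline_dn}" if cmdline_dn else "")
    security = f"cn=aixsecdb,{suffix}"
    return {
        "suffix": suffix,
        "security": security,
        "user": f"ou=aixuser,{security}",
        "group": f"ou=aixgroup,{security}",
    }


def _canonical(dn):
    """Lower-case and strip spaces around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def plan_server_setup(cmdline_dn=None, existing_suffixes=()):
    """Decide what the documented setup would do given the suffixes already
    present in slapd32.conf or the database. Returns (action, dns) where
    action is 'skip' (cn=aixsecdb already present: setup was done before),
    'conflict' (a different cn=aixdata tree exists) or 'migrate'."""
    dns = aix_tree_dns(cmdline_dn)
    existing = [_canonical(s) for s in existing_suffixes]
    # Any suffix containing the cn=aixsecdb RDN means mksecldap has run already.
    if any("cn=aixsecdb" in s.split(",") for s in existing):
        return "skip", dns
    # A cn=aixdata tree is reusable only if it is exactly the suffix we would build.
    aixdata_trees = [s for s in existing if s.split(",")[0] == "cn=aixdata"]
    if aixdata_trees and _canonical(dns["suffix"]) not in aixdata_trees:
        return "conflict", dns
    return "migrate", dns


if __name__ == "__main__":
    # Constructed scenarios, not real server configurations.
    for dn, suffixes in ((None, []),
                         ("o=ibm", ["cn=aixdata,o=ibm"]),
                         ("o=ibm", ["cn=aixdata,o=acme"]),
                         ("o=ibm", ["cn=aixsecdb,cn=aixdata,o=ibm"])):
        action, dns = plan_server_setup(dn, suffixes)
        print(f"-d {dn!s:8} existing={suffixes!s:36} -> {action}: users under {dns['user']}")
```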

For client setup, make sure the LDAP server has been set up and is running. The mksecldap command does the following during client setup:

  1. Saves the LDAP server(s)' host name.
  2. Saves the user base DN and group base DN of the server. If no -d option is supplied on the command line, the mksecldap command searches the LDAP server for the aixaccount, aixaccessgroup, posixaccount, posixgroup, and aixauxaccount object classes and sets up the base DNs accordingly. If the server has multiple user/group bases, you must supply the -d option with an RDN so that the mksecldap command can set the base DNs to the ones within that RDN.

    If the posixaccount object class is found during client setup, mksecldap also tries to find base DNs for the hosts, networks, services, netgroups, protocols, and rpc entities on the server and saves any that are found.

  3. Determines the schema type used by the LDAP server (AIX-specific schema, RFC 2307 schema, or RFC 2307 schema with full AIX support; see the object classes listed in step 2) and sets the object classes and attribute maps in the /etc/security/ldap/ldap.cfg file accordingly. The mksecldap command does not recognize other schema types, so clients using them must be set up manually.
  4. Sets SSL for secure data transfer between this host and the LDAP server. This step requires that the client SSL key and the key password are created in advance, and the server must be setup to use SSL for the client SSL to work.
  5. Saves the LDAP server administrator DN and password. The DN/password pair must be the same as the pair specified during server setup.
  6. Sets the cache size in terms of the number of entries used by the client side daemon. Valid values are 100-10,000 for users and 10-1,000 for groups. The default value is 1,000 for users and 100 for groups.
  7. Sets the cache timeout of the client side daemon. Valid values are 60-3600 seconds. The default is 300 seconds. Set this value to 0 to disable caching.
  8. Sets the number of threads used by the client side daemon. Valid values are 1-1,000. The default is 10.
  9. Sets the time interval in seconds that the client daemon checks for the LDAP server status. Valid value are 60-3,600 seconds. The default is 300.
  10. Optionally sets the list of users or all users to use LDAP by modifying their SYSTEM line in the /etc/security/user file. For more information on enabling ldap login, see the following note.
  11. Starts the client daemon process (secldapclntd).
  12. Adds the client side daemon process to /etc/inittab to have this daemon start after a reboot.
  13. With the -U option, undo a previous setup to the /etc/security/ldap/ldap.cfg file.
    Note
    The client configuration data is saved to the /etc/security/ldap/ldap.cfg file. Setting SYSTEM to LDAP in the default stanza of /etc/security/user allows only LDAP users to log in to the system. Setting it to "LDAP OR compat" allows both LDAP users and local users to log in.

Examples

  1. To set up an LDAP server with the AIX-specific schema for users and groups, enter:
    mksecldap -s -a cn=admin -p adminpwd -S aix
    This sets up an LDAP server whose administrator DN is cn=admin with password adminpwd. User and group data is migrated from the local files to the default cn=aixdata suffix.
  2. To set up an LDAP server with a base DN other than the default and with SSL communication, enter:
    mksecldap -s -a cn=admin -p adminpwd -d o=mycompany,c=us -S rfc2307 \
        -k /usr/ldap/serverkey.kdb -w keypwd
    This sets up an LDAP server whose administrator DN is cn=admin with password adminpwd. User and group data is migrated from the local files to the cn=aixdata,o=mycompany,c=us suffix. The server uses SSL with the key stored in /usr/ldap/serverkey.kdb; the key password, keypwd, must also be supplied. Users and groups are migrated with the RFC 2307 schema.
  3. To undo a previous server setup, enter:
    mksecldap -s -U
    This undoes the previous setup of the /etc/slapd32.conf server configuration file. For safety, it does not remove any database entries or any database created by a previous setup. If they are no longer needed, remove the database entries or the database manually.
  4. To set up a client to use the server1.ibm.com and server2.ibm.com LDAP servers, enter:
    mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com,server2.ibm.com
    The LDAP server administrator DN and password must be supplied so that this client can authenticate to the server. The mksecldap command queries the LDAP server for the schema type in use and sets up the client accordingly. Without the -d option, the entire server DIT is searched for the user base DN and the group base DN.
  5. To set up the client to talk to the server3.ibm.com LDAP server using SSL, enter:
    mksecldap -c -a cn=admin -p adminpwd -h server3.ibm.com -d o=mycompany,c=us \
        -k /usr/ldap/clientkey.kdb -w keypwd -u user1,user2
    This sets up an LDAP client as in example 4, but with SSL communication. The mksecldap command searches under o=mycompany,c=us for the user base DN and the group base DN. Accounts user1 and user2 are configured to authenticate through LDAP.
    Note
    The -u ALL option enables all LDAP users to log in to this client.
  6. To undo a previous client setup, enter:
    mksecldap -c -U
    This undoes the previous setup of the /etc/security/ldap/ldap.cfg file. It does not remove SYSTEM=LDAP and registry=LDAP from the /etc/security/user file.

For more information on the mksecldap command, see mksecldap in the AIX 5L Version 5.2 Commands Reference.

The secldapclntd Daemon

The secldapclntd daemon accepts requests from the LDAP load module, forwards the request to the LDAP Security Information Server, and passes the result from the server back to the LDAP load module. This daemon reads the configuration information defined in the /etc/security/ldap/ldap.cfg file during its startup, and authenticates to the LDAP Security Information Server using the server administrator's distinguished name and password, and establishes a connection between the local host and the server.

If multiple servers are specified in the /etc/security/ldap/ldap.cfg file, the secldapclntd daemon connects to all of them but, at any given time, talks to only one. The daemon detects when the server it is using goes down and automatically switches to another available server. It also detects when a server becomes available again and re-establishes a connection to it, while continuing to use the server it is currently talking to. This auto-detection is done by the secldapclntd daemon checking each of the servers periodically. The interval between checks defaults to 300 seconds and can be changed on the command line at daemon startup or by modifying the corresponding value in the /etc/security/ldap/ldap.cfg file.

At startup, the secldapclntd daemon tries to establish a connection to the LDAP servers. If it cannot connect to any of the servers, it goes to sleep, and tries again in 30 seconds. It repeats this process twice, and if it still cannot establish any connection, the secldapclntd daemon process exits.

The secldapclntd daemon is a multi-threaded program. The default number of threads used by this daemon is 10. An administrator can fine-tune the system performance by adjusting the number of threads used by this daemon.

The secldapclntd daemon caches information retrieved from the LDAP Security Information Server for performance purposes. If the requested data is found in the cache and the cache entry has not expired, the cached data is handed back to the requester. Otherwise, the secldapclntd daemon requests the information from the LDAP Security Information Server.

The valid number of cache entries for users is in the range of 100-10,000, and that for groups is in the range of 10-1,000. The default is 1000 entries for users, and 100 entries for groups.

The cache timeout or TTL (time to live) can be from 60 seconds to 1 hour (60*60=3600 seconds). By default, a cache entry expires in 300 seconds. If the cache timeout is set to 0, the caching feature is disabled.

Examples

  1. To start the secldapclntd daemon, type:
    /usr/sbin/secldapclntd
  2. To start the secldapclntd daemon using 20 threads and a cache timeout of 600 seconds, type:
    /usr/sbin/secldapclntd -p 20 -t 600

It is recommended that you start the secldapclntd daemon by running the start-secldapclntd command. It is also recommended that you specify these values in the /etc/security/ldap/ldap.cfg file, so that these values will be used each time you start the secldapclntd process.

For more information on the secldapclntd daemon, see secldapclntd in the AIX 5L Version 5.2 Commands Reference.

LDAP Management Commands

start-secldapclntd Command

The start-secldapclntd command starts the secldapclntd daemon if it is not running and does nothing if the daemon is already running. The script also removes any portmapper registration left by a previous secldapclntd daemon process before it starts the new one, so that the new daemon does not fail to start because its own portmapper registration fails.

Examples
  1. To start the secldapclntd daemon, type:
    /usr/sbin/start-secldapclntd
  2. To start the secldapclntd daemon using 20 threads and a cache timeout of 600 seconds, type:
    /usr/sbin/start-secldapclntd -p 20 -t 600
    It is recommended that you specify these values in the /etc/security/ldap/ldap.cfg file, so that these values will be used each time you start the secldapclntd process.

For more information on the start-secldapclntd command, see start-secldapclntd in the AIX 5L Version 5.2 Commands Reference.

stop-secldapclntd Command

The stop-secldapclntd command terminates the running secldapclntd daemon process. It returns an error if the secldapclntd daemon is not running.

Example

To stop the running secldapclntd daemon process, type:

/usr/sbin/stop-secldapclntd

For more information on the stop-secldapclntd command, see stop-secldapclntd in the AIX 5L Version 5.2 Commands Reference.

restart-secldapclntd Command

The restart-secldapclntd script stops the secldapclntd daemon if it is running, and then restarts it. If the secldapclntd daemon is not running, it simply starts it.

Examples
  1. To restart the secldapclntd daemon, type:
    /usr/sbin/restart-secldapclntd
  2. To restart the secldapclntd daemon using 30 threads and a cache timeout value of 500 seconds, type:
    /usr/sbin/restart-secldapclntd -p 30 -t 500

For more information on the restart-secldapclntd command, see restart-secldapclntd in the AIX 5L Version 5.2 Commands Reference.

ls-secldapclntd Command

The ls-secldapclntd command lists the secldapclntd daemon status. The information returned includes the following:

Example
  1. To list the status of the secldapclntd daemon, type:
    /usr/sbin/ls-secldapclntd

For more information on the ls-secldapclntd command, see ls-secldapclntd in the AIX 5L Version 5.2 Commands Reference.

flush-secldapclntd Command

The flush-secldapclntd command clears the cache for the secldapclntd daemon process.

Example
  1. To flush the secldapclntd daemon cache, type:
    /usr/sbin/flush-secldapclntd

For more information on the flush-secldapclntd command, see flush-secldapclntd in the AIX 5L Version 5.2 Commands Reference.

sectoldif Command

The sectoldif command reads users and groups defined locally, and prints the result to stdout in ldif format. If redirected to a file, the result can be added to an LDAP server with the ldapadd command or the db2ldif command.

The -S option specifies the schema type used for the ldif output. The sectoldif command accepts three schema types:

The sectoldif command is called by the mksecldap command to migrate users and groups during LDAP server setup. Be cautious when migrating additional users and groups from other systems to the LDAP server using the sectoldif output. When adding entries, the ldapadd and db2ldif commands check only the entry name (user name or group name), not the numeric ID, so migrating users and groups from multiple systems using sectoldif output may result in a numeric ID being shared by multiple accounts, which is a security violation.

Examples
  1. To print all users and groups defined locally, enter the following:
    sectoldif -d cn=aixsecdb,cn=aixdata -S rfc2307aix

    This prints all users and groups defined locally to stdout in ldif format. User entries and group entries are represented using the rfc2307aix schema type. The base DN is set to cn=aixsecdb, cn=aixdata.

  2. To print only locally defined user foo, enter the following:
    sectoldif -d cn=aixsecdb,cn=aixdata -u foo 

    This prints locally defined user foo to stdout in ldif format. Without the -S option, the default AIX schema type is used to represent foo's ldif output.
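The following shell script is an added example; it is not part of this guide or of the AIX commands it describes. It performs the check that the warning above calls for: before the merged sectoldif output of several systems is passed to ldapadd, it reports every uidNumber or gidNumber claimed by more than one entry and returns a non-zero status. It assumes rfc2307aix-style entries (objectClass posixAccount carrying uidNumber, objectClass posixGroup carrying gidNumber); the LDIF contents are constructed sample data, not output from a real system.

```shell
#!/bin/sh
# Added example, not part of the AIX Security Guide: check merged sectoldif
# output for numeric IDs that more than one entry claims, before the file is
# handed to ldapadd. Assumes rfc2307aix-style entries: users carry objectClass
# posixAccount with uidNumber, groups carry objectClass posixGroup with
# gidNumber. A user's primary-group gidNumber legitimately repeats a group's
# gidNumber, so gidNumber is only checked on group entries. Folded LDIF lines
# and base64 ("::") values are not handled; numeric IDs are never folded.

# check_dup_ids FILE
# Prints one line per shared ID, e.g. "uidNumber 205: uid=alice,... uid=bob,...",
# and returns 1 if any ID is shared, 0 if the file is clean.
check_dup_ids() {
    awk '
    # record the numeric IDs of the entry that just ended
    function end_entry() {
        if (dn == "") return
        oc = tolower(classes)
        if (index(oc, "posixaccount") && uidn != "") record("uidNumber " uidn)
        if (index(oc, "posixgroup") && gidn != "") record("gidNumber " gidn)
        dn = ""; classes = ""; uidn = ""; gidn = ""
    }
    function record(key) { count[key]++; owners[key] = owners[key] " " dn }
    /^[ \t]*$/ { end_entry(); next }            # a blank line ends an LDIF entry
    /^#/ { next }                                # LDIF comment
    index($0, ":") == 0 { next }                 # not an attribute line
    {
        name = tolower(substr($0, 1, index($0, ":") - 1))
        val = substr($0, index($0, ":") + 1)
        sub(/^[ \t]+/, "", val)
        if (name == "dn") dn = val
        else if (name == "objectclass") classes = classes " " val
        else if (name == "uidnumber") uidn = val
        else if (name == "gidnumber") gidn = val
    }
    END {
        end_entry()                              # last entry may lack a trailing blank line
        bad = 0
        for (k in count)
            if (count[k] > 1) { print k ":" owners[k]; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: sectoldif output from two hosts concatenated, where each
# host had handed out uid 205 on its own (alice on one, bob on the other).
make_sample_ldif() {
    cat > "$1" <<'EOF'
dn: uid=alice,ou=People,cn=aixdata
objectClass: posixAccount
uid: alice
uidNumber: 205
gidNumber: 1

dn: cn=staff,ou=Groups,cn=aixdata
objectClass: posixGroup
cn: staff
gidNumber: 1

dn: uid=bob,ou=People,cn=aixdata
objectClass: posixAccount
uid: bob
uidNumber: 205
gidNumber: 1

dn: cn=dev,ou=Groups,cn=aixdata
objectClass: posixGroup
cn: dev
gidNumber: 2
EOF
}

# Demonstration: the shared uid is reported and the status is non-zero, so a
# pipeline such as "check_dup_ids merged.ldif && ldapadd ..." never loads it.
sample=${TMPDIR:-/tmp}/sectoldif-merge.$$
make_sample_ldif "$sample"
check_dup_ids "$sample" || echo "=> shared numeric IDs found; do not run ldapadd on $sample"
rm -f "$sample"
```

The script reads the merged file once, remembering the DN of each entry that claims a numeric ID, so the report names every account involved and the administrator can renumber one of them before the ldapadd run.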

For more information on the sectoldif command, see sectoldif in the AIX 5L Version 5.2 Commands Reference.

The ldap.cfg File Format

The /etc/security/ldap/ldap.cfg file contains information for the secldapclntd daemon to start and function properly as well as information for fine tuning the daemon's performance. The /etc/security/ldap/ldap.cfg file is updated by the mksecldap command at client setup.

The /etc/security/ldap/ldap.cfg file may contain the following fields:

ldapservers Specifies a comma-separated list of LDAP Security Information Servers. These servers can be the primary server, replicas of the primary server, or both.
ldapadmin Specifies the administrator DN of the LDAP Security Information Server(s).
ldapadmpwd Specifies the password of the administrator DN.
useSSL Specifies whether to use SSL communication. Valid values are ON and OFF. The default is OFF.
Note
You will need the SSL key and the password to the key to enable this feature.
ldapsslkeyf Specifies the full path to the SSL key.
ldapsslkeypwd Specifies the password to the SSL key.
Note
Comment out this line to use a stashed password. The password stash file must reside in the same directory as the SSL key itself, and must have the same name as the key file, but with an extension of .sth instead of .kdb.
userattrmappath Specifies the full path to the AIX-LDAP attribute map for users.
groupattrmappath Specifies the full path to the AIX-LDAP attribute map for groups.
idattrmappath Specifies the full path to the AIX-LDAP attribute map for IDs. These IDs are used by the mkuser command when creating LDAP users.
userbasedn Specifies the user base DN.
groupbasedn Specifies the group base DN.
idbasedn Specifies the ID base DN.
hostbasedn Specifies the host base DN.
servicebasedn Specifies the service base DN.
protocolbasedn Specifies the protocol base DN.
networkbasedn Specifies the network base DN.
netgroupbasedn Specifies the netgroup base DN.
rpcbasedn Specifies the RPC base DN.
userclasses Specifies the objectclasses used for user entry.
groupclasses Specifies the objectclasses used for group entry.
ldapversion Specifies the LDAP server protocol version. Default is 3.
ldapport Specifies the port that the LDAP server listens to. Default is 389.
ldapsslport Specifies the SSL port that the LDAP server listens to. Default is 636.
followaliase Specifies whether to follow aliases. Valid values are NEVER, SEARCHING, FINDING, and ALWAYS. Default is NEVER.
usercachesize Specifies the user cache size. Valid values are 100 - 10,000 entries. Default is 1,000.
groupcachesize Specifies the group cache size. Valid values are 10 - 1,000 entries. Default is 100.
cachetimeout Specifies the cache TTL (time to live). Valid values are 60 - 3,600 seconds. Default is 300. Set to 0 to disable caching.
heartbeatinterval Specifies the interval in seconds that the client contacts the server for server status. Valid values are 60 - 3,600 seconds. Default is 300.
numberofthread Specifies the number of threads for the secldapclntd daemon. Valid values are 1 - 1,000. Default is 10.
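The following shell script is an added example; it is not part of this guide or of the mksecldap tooling. It audits an ldap.cfg file against the settings defined in this section and in the cache timeout discussion above: useSSL, the SSL key file and its password or stash file, and the documented ranges for cachetimeout, heartbeatinterval, numberofthread, usercachesize and groupcachesize. It also checks the file's permissions, because the file holds ldapadmpwd. It assumes the keyword:value line format with # comment lines; the sample configuration contents and the key file path are constructed.

```shell
#!/bin/sh
# Added example, not part of the AIX Security Guide: audit ldap.cfg against
# the settings described above before secldapclntd is started. Assumes
# "keyword:value" lines with "#" comments; sample contents and the key file
# path are constructed.

# cfg_value FILE KEY -> prints the uncommented value of KEY (empty if unset)
cfg_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || index($0, ":") == 0 { next }
        {
            k = substr($0, 1, index($0, ":") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, ":") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# flag MESSAGE -> print one finding and count it (n is reset by audit_ldap_cfg)
flag() { echo "$1"; n=$((n + 1)); }

# check_range FILE KEY MIN MAX [EXTRA] -> flag KEY when set and outside MIN..MAX;
# EXTRA is one further accepted value (0 for cachetimeout, which disables caching)
check_range() {
    v=$(cfg_value "$1" "$2")
    if [ -z "$v" ] || { [ -n "$5" ] && [ "$v" = "$5" ]; }; then
        return 0
    fi
    case $v in
        *[!0-9]*) flag "$2 is '$v', not an integer" ;;
        *) if [ "$v" -lt "$3" ] || [ "$v" -gt "$4" ]; then
               flag "$2 is $v, outside the documented range $3-$4"
           fi ;;
    esac
}

# audit_ldap_cfg FILE -> one finding per line; returns 1 if anything was flagged
audit_ldap_cfg() {
    cfg=$1
    n=0
    # The file carries ldapadmpwd, so it must not be readable by other users
    # (general hardening point, not taken from the guide).
    if [ -n "$(cfg_value "$cfg" ldapadmpwd)" ] && [ -n "$(find "$cfg" -perm -004)" ]; then
        flag "$cfg is world-readable but contains ldapadmpwd"
    fi
    # Without useSSL:ON the bind password and every lookup cross the network in the clear.
    ssl=$(cfg_value "$cfg" useSSL | tr '[:lower:]' '[:upper:]')
    if [ "$ssl" != "ON" ]; then
        flag "useSSL is '${ssl:-unset}', not ON"
    else
        # SSL needs the key file plus its password or a .sth stash beside the .kdb file
        keyf=$(cfg_value "$cfg" ldapsslkeyf)
        if [ -z "$keyf" ]; then
            flag "useSSL is ON but ldapsslkeyf is not set"
        elif [ -z "$(cfg_value "$cfg" ldapsslkeypwd)" ] && [ ! -f "${keyf%.kdb}.sth" ]; then
            flag "useSSL is ON but neither ldapsslkeypwd nor stash file ${keyf%.kdb}.sth is available"
        fi
    fi
    # Tuning values outside the ranges documented for ldap.cfg
    check_range "$cfg" cachetimeout 60 3600 0
    check_range "$cfg" heartbeatinterval 60 3600
    check_range "$cfg" numberofthread 1 1000
    check_range "$cfg" usercachesize 100 10000
    check_range "$cfg" groupcachesize 10 1000
    [ "$n" -eq 0 ]
}

# Constructed sample: cleartext LDAP and out-of-range tuning
make_weak_cfg() {
    cat > "$1" <<'EOF'
# constructed sample ldap.cfg
ldapservers:ldapsrv1.example.com,ldapsrv2.example.com
ldapadmin:cn=admin
ldapadmpwd:secret
useSSL:OFF
cachetimeout:7200
numberofthread:2000
EOF
}

# Constructed sample: the same client with SSL on and documented tuning values
make_good_cfg() {
    cat > "$1" <<'EOF'
ldapservers:ldapsrv1.example.com,ldapsrv2.example.com
ldapadmin:cn=admin
ldapadmpwd:secret
useSSL:ON
ldapsslkeyf:/etc/security/ldap/clientkey.kdb
ldapsslkeypwd:keypassword
cachetimeout:300
numberofthread:10
EOF
}

# Demonstration against the weak sample
demo=${TMPDIR:-/tmp}/ldap.cfg.example.$$
make_weak_cfg "$demo"
audit_ldap_cfg "$demo" || echo "=> fix $demo before starting secldapclntd"
rm -f "$demo"
```

Run audit_ldap_cfg against /etc/security/ldap/ldap.cfg before start-secldapclntd; a non-zero status means at least one finding was printed. A cachetimeout of 0 is accepted because the guide defines it as turning caching off, but every lookup then reaches the server, which the heartbeat and thread settings should be sized for.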

For more information on the /etc/security/ldap/ldap.cfg file, see /etc/security/ldap/ldap.cfg in the AIX 5L Version 5.2 Files Reference.

LDAP Attribute Mapping File Format

These map files are used by the /usr/lib/security/LDAP module and the secldapclntd daemon to translate AIX attribute names to LDAP attribute names. Each entry in a mapping file represents the translation for one attribute. An entry has four space-separated fields:

AIX_Attribute_Name AIX_Attribute_Type LDAP_Attribute_Name LDAP_Value_Type
AIX_Attribute_Name Specifies the AIX attribute name.
AIX_Attribute_Type Specifies the AIX attribute type. Values are SEC_CHAR, SEC_INT, SEC_LIST, and SEC_BOOL.
LDAP_Attribute_Name Specifies the LDAP attribute name.
LDAP_Value_Type Specifies the LDAP value type. Values are s for single value and m for multi-value.
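The following shell script is an added example; it is not part of this guide or of the AIX LDAP module. It validates a mapping file against the four-field format just described (field count, the four AIX attribute types, the s or m value type) and additionally reports an AIX attribute that is mapped twice. It assumes that a line beginning with # is a comment, which this page does not state; the sample map contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the AIX Security Guide: validate an AIX-LDAP
# attribute mapping file against the four-field format described above.
# Assumes "#" starts a comment line (an assumption about the file format);
# the sample entries are constructed from common AIX user attribute names.

# validate_attr_map FILE -> prints "line N: problem" per bad entry; returns 1 if any
validate_attr_map() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comment or blank line
    {
        problem = ""
        if (NF != 4)
            problem = "expected 4 space separated fields, found " NF
        else if ($2 !~ /^SEC_(CHAR|INT|LIST|BOOL)$/)
            problem = "unknown AIX attribute type " $2
        else if ($4 != "s" && $4 != "m")
            problem = "LDAP value type must be s or m, found " $4
        else if ($1 in seen)                      # added consistency check
            problem = "AIX attribute " $1 " already mapped on line " seen[$1]
        else
            seen[$1] = NR
        if (problem != "") { print "line " NR ": " problem; bad = 1 }
    }
    END { exit bad }' "$1"
}

# Constructed sample map with four faulty entries after the valid ones
make_sample_map() {
    cat > "$1" <<'EOF'
# constructed sample user map (rfc2307 style LDAP attribute names)
username   SEC_CHAR   uid            s
id         SEC_INT    uidNumber      s
pgrp       SEC_CHAR   gidNumber      s
home       SEC_CHAR   homeDirectory  s
shell      SEC_CHAR   loginShell     s
gecos      SEC_STRING gecos          s
groups     SEC_LIST   memberOf       x
username   SEC_CHAR   cn             s
spassword  SEC_CHAR   userPassword
EOF
}

# Demonstration: the four bad lines are reported with their line numbers
sample=${TMPDIR:-/tmp}/user.map.example.$$
make_sample_map "$sample"
validate_attr_map "$sample" || echo "=> fix the mapping file before pointing userattrmappath at it"
rm -f "$sample"
```

Run validate_attr_map on the files named by userattrmappath and groupattrmappath in ldap.cfg after editing them; the daemon reads these files at start, so a malformed entry is cheaper to catch before start-secldapclntd than afterwards.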

For more information on the LDAP attribute mapping file format, see LDAP attribute mapping file format in the AIX 5L Version 5.2 Files Reference.

Related Information

The mksecldap, start-secldapclntd, stop-secldapclntd, restart-secldapclntd, ls-secldapclntd, sectoldif, and flush-secldapclntd commands.

The secldapclntd daemon.

The /etc/security/ldap/ldap.cfg file.

The LDAP attribute mapping file format.
