The Light Directory Access Protocol (LDAP) defines a standard method for accessing and updating information in a directory (a database) either locally or remotely in a client-server model. The LDAP method is used by a cluster of hosts to allow centralized security authentication as well as access to user and group information. This functionality is intended to be used in a clustering environment to keep authentication, user, and group information common across the cluster.
The LDAP exploitation of the security subsystem is implemented as the LDAP authentication load module. It is conceptually similar to the other load modules such as NIS, DCE, and Kerberos 5. The load modules are defined in the /usr/lib/security/methods.cfg file. The implementation of the LDAP authentication load module is at a low level and is handled by the libraries.
After the LDAP authentication load module is enabled to serve user and group information, most high-level APIs, commands, and system-management tools work in their usual manner. An -R flag is introduced for most high-level commands to work through different load modules. For example, to create an LDAP user named joe from a client machine, use the following command:
mkuser -R LDAP joe
The client system checks whether the user is an LDAP user through the user's SYSTEM attribute in the /etc/security/user file. If the user's SYSTEM attribute is set to LDAP, that user can only authenticate through LDAP. If the SYSTEM attribute in the default stanza is set to LDAP, all users who do not have a SYSTEM attribute set are considered LDAP users. The LDAP keyword can be used with other SYSTEM attribute values as described in User Authentication. The client side communicates to the server through the secldapclntd daemon. The daemon accepts requests from applications (through the library APIs), queries the LDAP server, and returns data to the application. The secldapclntd daemon is also responsible for caching.
To set up a system as an LDAP security information server that serves authentication, user, and group information through LDAP, the LDAP server and client packages must be installed. The LDAP server must be configured as a client as well as a server. A DB2 database is also required by the LDAP server. If the Secure Socket Layer (SSL) is required, then the GSKit must be installed. The system administrator must create a key using the ikeyman command. The certificate of the server key must be carried to the clients.
The mksecldap command can be used to set up an LDAP security information server. It sets up a database named ldapdb2, populates the database with the user and group information from the local host, and sets the LDAP server administrator DN (distinguished name) and password. Optionally, it can set up SSL for client/server communication. Then mksecldap loads a server plugin (libsecldap.a) and starts the LDAP server process (slapd). The mksecldap command also adds an entry into the /etc/inittab file to start the LDAP server at every reboot. The entire LDAP server setup is done through the mksecldap command, which updates the slapd.conf file (SecureWay(R) Directory Version 3.1) or slapd32.conf file (SecureWay Directory Version 3.2). There is no need to configure the LDAP Web management interface.
All users and groups from the local system are migrated to LDAP server during LDAP server setup. Select one of the following LDAP schemas for this step:
All the user and group information is stored under a common AIX tree (suffix). The default suffix is "cn=aixsecdb". The mksecldap command accepts a user-supplied suffix through the -d flag. If the user-supplied suffix does not have "cn=aixsecdb" as its first RDN (Relative Distinguished Name), the mksecldap command prefixes the user-supplied suffix with "cn=aixsecdb". This AIX tree is ACL (Access Control List) protected. A client must bind as the LDAP server administrator to be able to access the AIX tree.
The mksecldap command works even if an LDAP server has been set up for other purposes such as, for example, for blue page information. In this case, mksecldap adds the AIX tree and populates it with the AIX security information to the existing database. This tree is ACL-protected independently from other trees. In this case, the LDAP server works as usual, in addition to serving as an AIX LDAP Security Server.
After the LDAP security information server is successfully set up, the same host must be set up as a client so that LDAP user and group management can be completed and LDAP users can log in to this server.
If the LDAP security information server setup is not successful, you can undo the setup by running the mksecldap command with the -U flag. This restores the slapd.conf (or slapd32.conf) file to its pre-setup state. Run the mksecldap command with the -U flag after any unsuccessful setup attempt before trying to run the mksecldap command again. Otherwise, residual setup information might remain in the configuration file and cause a subsequent setup to fail. As a safety precaution, the undo option does not do anything to the database or to its data, because the database could have existed before the mksecldap command was run. Remove any database manually if it was created by the mksecldap command. If the mksecldap command has added data to a pre-existing database, decide what steps to take to recover from a failed setup attempt.
Beginning with AIX 5.2 , the mknisldap command can also be used to set up the LDAP security information server. The mknisldap command sets up the server in the same way as the mksecldap command, and it migrates other NIS data as well as users and groups to the LDAP server.
For more information on setting up an LDAP security information server, see the mksecldap command.
Each client must have the LDAP client package installed. If the SSL is required, the GSKit must be installed, a key must be created, and the LDAP server SSL key certificate must be added to this key.
The mksecldap command can be used to set up the client. To have this client contact the LDAP security information server, the server name must be supplied during setup. The server's administrator domain name and password are also needed for client access to the AIX tree on the server. The mksecldap command saves the server administrator domain name, password, server name, AIX tree domain name on the server, and the SSL key path and password to the /etc/security/ldap/ldap.cfg file.
Multiple servers can be supplied to the mksecldap command during client setup. In this case, the client contacts the servers in the supplied order and establishes connection to the first server that the client can successfully bind to. If bad connection occurs between the client and the server, a reconnection request is tried using the same logic. The Security LDAP exploitation model does not support referral. It is important that the replicate servers are kept synchronized.
The client communicates to the LDAP security information server through a client side daemon (secldapclntd). If the LDAP load module is enabled on this client, high-level commands eventually find this daemon through the library APIs. The daemon queries the server and returns the information back to the caller.
Other fine-tuning options can be supplied to the mksecldap command during client setup, such as settings for the number of threads used by the daemon, the cache entry size, and the cache expiration timeout. These options are for experienced users only. For most environments, the default values are sufficient.
A comma-separated user list can be supplied to the mksecldap command during client setup. These users' SYSTEM attributes are set to LDAP. Once this is done, these users can only authenticate through the LDAP load module. Note that the mksecldap command does not add these users to the LDAP security information server to avoid duplicate user IDs in the LDAP database. Using the mkuser command with -R LDAP flag to create these users on an LDAP server is recommended.
In the final steps of the client setup, the mksecldap command starts the client-side daemon and adds an entry in the /etc/inittab file so the daemon starts at every reboot. You can check whether the setup is successful by checking the secldapclntd process. Provided that the LDAP security information server is setup and running, this daemon will be running if the setup was successful.
You can manage users and groups on an LDAP security information server from any LDAP client by using high-level commands. An -R flag added to most of the high-level commands can manage users and groups using LDAP as well as other authentication load modules such as DCE, NIS, and Kerberos 5. For more information concerning the use of the -R flag, refer to each of the user or group management commands.
To enable a user to authenticate through LDAP, run the chuser command to change the user's SYSTEM attribute value to LDAP. By setting the SYSTEM attribute value according to the defined syntax, a user can be authenticated through more than one load module (for example, compat and LDAP). For more information on setting users' authentication methods, see User Authentication and the SYSTEM attribute syntax defined in the /etc/security/user file.
A user can become an LDAP user at client setup time by running the mksecldap command with the -u flag in either of the following forms:
Alternatively, you can enable all LDAP users, whether they are defined locally or not, to authenticate through LDAP on a local host by modifying the "default" stanza of the /etc/security/user file to use "LDAP" as its value. All users that do not have a value defined for their SYSTEM attribute must follow what is defined in the default stanza. For example, if the default stanza has "SYSTEM = "compat"" , changing it to "SYSTEM = "compat OR LDAP"" allows authentication of these users either through AIX or LDAP. Changing the default stanza to "SYSTEM = "LDAP"" enables these users to authenticate exclusively through LDAP. Those users who have a SYSTEM attribute value defined are not affected by the default stanza.
AIX provides user-level host access (login) control for a system. Administrators can configure LDAP users to log in to an AIX system by setting their SYSTEM attribute to LDAP. The SYSTEM attribute is in the /etc/security/user file. The chuser command can be used to set its value, similar to the following:
# chuser -R LDAP SYSTEM=LDAP registry=LDAP foo
This sets the LDAP attribute to allow user foo to log in to this system. It also sets the registry to LDAP, which allows the login process to log foo's login attempts to LDAP, and also allows any user management tasks done on LDAP.
The administrator needs to run such setup on each of the client systems to enable login by certain users.
Starting with AIX 5.2, AIX has implemented a feature to limit a LDAP user only to log in to certain LDAP client systems. This feature allows centralized host access control management. Administrators can specify two host access control lists for a user account: an allow list and a deny list. These two user attributes are stored in the LDAP server with the user account. A user is allowed access to systems or networks that are specified in the allow list, while he is denied access to systems or networks in the deny list. If a system is specified in both the allow list and the deny list, the user is denied access to the system. There are two ways to specify the access lists for a user: with the mkuser command when the user is created or with the chuser command for a existing user. For backward compatibility, if both the allow list and deny list do not exist for a user, the user is allowed to login to any LDAP client systems by default. To exploit this host access control feature, it is strongly recommended that all LDAP client systems are upgraded to AIX 5.2 or later so that users with both allow and deny lists defined can not log in to specific systems.
Examples of setting allow and deny permission lists for users are the following:
# mkuser -R LDAP hostsallowedlogin=host1,host2 foo
This creates a user foo, and user foo is only allowed to log in to host1 and host2.
# mkuser -R LDAP hostsdeniedlogin=host2 foo
This create user foo, and user foo can log in to any LDAP client systems except host2.
# chuser -R LDAP hostsallowedlogin=192.9.200.1 foo
This sets user foo with permission to log in to the client system at address 192.9.200.1.
# chuser -R LDAP hostsallowedlogin=192.9.200/24 \ hostsdeniedlogin=192.9.200.1 foo
This sets user foo with permission to log in to any client system within the 192.9.200/24 subnet , except the client system at address 192.9.200.1.
For more information, see the chuser command.
SecureWay Directory version 3.2 provides a default server audit logging function. Once enabled, this default audit plugin logs LDAP server activities to a log file. See the LDAP documentation in Packaging Guide for LPP Installation for more information on this default audit plugin.
An LDAP security information server auditing function has been implemented in AIX 5.1 and later, called the LDAP security audit plugin. It is independent of the SecureWay Directory default auditing service, so that either one or both of these auditing subsystems can be enabled. The AIX audit plugin records only those events that update or query the AIX security information on an LDAP server. It works within the framework of AIX system auditing.
To accommodate LDAP, the following audit events are contained in the /etc/security/audit/event file:
An ldapserver audit class definition is also created in the /etc/security/audit/config file that contains all of the above events.
To audit the LDAP security information server, add the following line to each user's stanza in the /etc/security/audit/config file:
ldap = ldapserver
Because the LDAP security information server audit plugin is implemented within the frame of the AIX system auditing, it is part of the AIX system auditing subsystem. Enable or disable the LDAP security information server audit using system audit commands, such as audit start or audit shutdown. All audit records are added to the system audit trails, which can be reviewed with the auditpr command. For more information, see Auditing.
The mksecldap command can be used to set up IBM SecureWay Directory servers and clients for security authentication and data management. This command must be run on the server and all clients.
For server setup, make sure that the ldap.server fileset is installed. When installing the ldap.server fileset, the ldap.client fileset and the backend DB2 software are automatically installed as well. No DB2 preconfiguration is required to run this command for LDAP server setup. When you run the mksecldap command to set up the server, the command will:
CMD-line DN: | [o=ibm] |
suffix: | cn=aixdata[,o=ibm] |
sucurrity DN: | cn=aixsecdb,cn=aixdata[,o=ibm] |
user DN: | ou=aixuser,cn=aixsecdb,cn=aixdata[,o=ibm] |
group DN: | ou=aixgroup,cn=aixsecdb,cn=aixdata[,o=ibm] |
If cn=aixsecdb is not found in the suffixes and the database, the mksecldap command checks for the cn=aixdata keyword. cn=aixdata is a common base DN shared by various AIX LDAP components. If the mksecldap command find the keyword, it compares it with the user supplied DN. If they are the same, the users/groups will be put under the cn=aixsecdb,cn=aixdata,[userDN]. If they are different, the mksecldap command prints an error message warning the existence of the cn=aixdata,... DN, and it will not migrate the users/groups under the user supplied DN. You can choose to use the existing cn=aixdata,... by running the mksecldap command again with that existing DN.
For client setup, make sure the LDAP server has been setup and is running. The mksecldap command does the follows during for client setup:
If the posixaccount objectclass is found during client setup, mksecldap will also try to search for base DNs for these entities: hosts, networks, services, netgroups, protocols, and rpc from the server and save any that is found.
mksecldap -s -a cn=admin -p adminpwd -S aixThis sets up a LDAP server with LDAP server administrator DN being cn=admin, password being adminpwd. User and group data is migrated from local files to the default cn=aixdata suffix.
mksecldap -s -a cn=admin -p adminpwd -d o=mycompany,c=us -S rfc2307 \ -k /usr/ldap/serverkey.kdb -w keypwdThis sets up a LDAP server with LDAP server administrator DN being cn=admin, password being adminpwd. User and group data is migrated from local files to the cn=aix-data,o=mycompany,c=us suffix. The LDAP server uses SSL communications by using the key stored at /usr/ldap/serverkey.kdb. The password to the key, keypwd, must also be supplied. Users and groups are migrated with the RFC 2307 schema.
mksecldap -s -UThis undoes the previous setup to the /etc/slapd32.conf server configuration file. For safety reasons, this does not remove any database entries or database created my a previous setup. If they are not needed any more, remove the database entries/database manually.
mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com,server2.ibm.comThe LDAP server adminstrator DN and password must be supplied for this client to authenticate to the server. The mksecldap command contacts the LDAP server for schema type used, and sets up the client accordingly. Without the -d option from the command line, the entire server DIT is searched for the user base DN and the group base DN.
mksecldap -c -a cn=admin -p adminpwd -h server3.ibm.com -d o=mycompany,c=us -k /usr/ldap/clientkey.kdb -w keypwd -u user1,user2This sets up a LDAP client similar to case 3, but with SSL communication. The mksecldap command searches the o=mycompany,c=us RDN for user base DN and group base DN. Account user1 and user2 are configured to authenticate through LDAP.
mksecldap -c -UThis undo the previous setup to the /etc/security/ldap/ldap.cfg file. This does not remove the SYSTEM=LDAP and registry=LDAP from the /etc/security/user file.
For more information on the mksecldap command, see mksecldap in the AIX 5L Version 5.2 Commands Reference.
The secldapclntd daemon accepts requests from the LDAP load module, forwards the request to the LDAP Security Information Server, and passes the result from the server back to the LDAP load module. This daemon reads the configuration information defined in the /etc/security/ldap/ldap.cfg file during its startup, and authenticates to the LDAP Security Information Server using the server administrator's distinguished name and password, and establishes a connection between the local host and the server.
If multiple servers are specified in the /etc/security/ldap/ldap.cfg file, the secldapclntd daemon connects to all of the servers. At a specific time, however, it talks to only one of them. The secldapclntd daemon can detect when the server it talks to is down, and automatically talks to another available server. It can also detect when a server becomes available again, and re-establishes connection to that server (but it continues to talk to the server it was talking to). This auto-detect feature is done by the secldapclntd daemon checking on each of the servers periodically. The time interval between subsequent checking is defaulted to 300 seconds, and can be changed at the daemon startup time from command line or by modify the corresponding values of the /etc/ security/ldap/ldap.cfg file.
At startup, the secldapclntd daemon tries to establish a connection to the LDAP servers. If it cannot connect to any of the servers, it goes to sleep, and tries again in 30 seconds. It repeats this process twice, and if it still cannot establish any connection, the secldapclntd daemon process exits.
The secldapclntd daemon is a multi-threaded program. The default number of threads used by this daemon is 10. An administrator can fine-tune the system performance by adjusting the number of threads used by this daemon.
The secldapclntd daemon caches information retrieved from the LDAP Security Information Server for performance purpose. If the requested data can be found in the cache and the cache entry is not expired, the data in the cache is handed back to the requester. Otherwise, the secldapclntd daemon makes a request to the LDAP Security Information Server for the information.
The valid number of cache entries for users is in the range of 100-10,000, and that for groups is in the range of 10-1,000. The default is 1000 entries for users, and 100 entries for groups.
The cache timeout or TTL (time to live) can be from 60 seconds to 1 hour (60*60=3600 seconds). By default, a cache entry expires in 300 seconds. If the cache timeout is set to 0, the caching feature is disabled.
/usr/sbin/secldapclntd
/usr/sbin/secldapclntd -p 20 -t 600
It is recommended that you start the secldapclntd daemon by running the start-secldapclntd command. It is also recommended that you specify these values in the /etc/security/ldap/ldap.cfg file, so that these values will be used each time you start the secldapclntd process.
For more information on the secldapclntd daemon, see secldapclntd in the AIX 5L Version 5.2 Commands Reference.
The start-secldapclntd command starts the secldapclntd daemon if it is not running. It does not do anything if the secldapclntd daemon is already running. The script also cleans the portmapper registration (if there is any) from previous secldapclntd daemon process before it starts the secldapclntd daemon. This prevents the startup failure of the new daemon process from portmap-per registration failure.
/usr/sbin/start-secldapclntd
/usr/sbin/start-secldapclntd -p 20 -t 600It is recommended that you specify these values in the /etc/security/ldap/ldap.cfg file, so that these values will be used each time you start the secldapclntd process.
For more information on the start-secldapclntd command, see start-secldapclntd in the AIX 5L Version 5.2 Commands Reference.
The stop-secldapclntd command terminates the running secldapclntd daemon process. It returns an error if the secldapclntd daemon is not running.
To stop the running secldapclntd daemon process, type:
/usr/sbin/stop-secldapclntd
For more information on the stop-secldapclntd command, see stop-secldapclntd in the AIX 5L Version 5.2 Commands Reference.
The restart-secldapclntd script stops the secldapclntd daemon if it is running, and then restarts it. If the secldapclntd daemon is not running, it simply starts it.
/usr/sbin/restart-secldapclntd
/usr/sbin/restart-secldapclntd -p 30 -t 500
For more information on the restart-secldapclntd command, see restart-secldapclntd in the AIX 5L Version 5.2 Commands Reference.
The ls-secldapclntd command lists the secldapclntd daemon status. The information returned includes the following:
/usr/sbin/ls-secldapclntd
For more information on the ls-secldapclntd command, see ls-secldapclntd in the AIX 5L Version 5.2 Commands Reference.
The flush-secldapclntd command clears the cache for the secldapclntd daemon process.
/usr/sbin/flush-secldapclntd
For more information on the flush-secldapclntd command, see flush-secldapclntd in the AIX 5L Version 5.2 Commands Reference.
The sectoldif command reads users and groups defined locally, and prints the result to stdout in ldif format. If redirected to a file, the result can be added to a LDAP server with the ldapadd command or the db2ldif command.
The -S option specifies the schema type used for the ldif output. The sectoldif command accepts three schema types:
The sectoldif command is called by the mksecldap command to migrate users and groups during LDAP server setup. Be cautious when migrating additional users and groups from other systems to the LDAP server using the sectoldif output. The ldapadd and db2ldif commands check only for entry name (user name or group name) but not for the numeric id when adding entries, migrating users and groups from multiple systems using sectoldif output may result in sharing of a numeric id by multiple accounts, which is a security violation.
sectoldif -d cn=aixsecdb,cn=aixdata -S rfc2307aix
This prints all users and groups defined locally to stdout in ldif format. User entries and group entries are represented using the rfc2307aix schema type. The base DN is set to cn=aixsecdb, cn=aixdata.
sectoldif -d cn=aixsecdb,cn=aixdata -u foo
This prints locally defined user foo to stdout in ldif format. Without the -S option, the default AIX schema type is used to represent foo's ldif output.
For more information on the sectoldif command, see sectoldif in the AIX 5L Version 5.2 Commands Reference.
The /etc/security/ldap/ldap.cfg file contains information for the secldapclntd daemon to start and function properly as well as information for fine tuning the daemon's performance. The /etc/security/ldap/ldap.cfg file is updated by the mksecldap command at client setup.
The /etc/security/ldap/ldap.cfg file may contain the following fields:
For more information on the /etc/security/ldap/ldap.cfg file, see /etc/security/ldap/ldap.cfg in the AIX 5L Version 5.2 Files Reference.
These map files are used by the /usr/lib/security/LDAP module and the secldapclntd daemon for translation between AIX attribute names to LDAP attribute names. Each entry in a mapping file represents a translation for an attribute. A entry has four space separated fields:
AIX_Attribute_Name AIX_Attribute_Type LDAP_Attribute_Name LDAP_Value_Type
AIX_Attribute_Name | Specifies the AIX attribute name. |
AIX_Attribute_Type | Specifies the AIX attribute type. Values are SEC_CHAR, SEC_INT, SEC_LIST, and SEC_BOOL. |
LDAP_Attribute_Name | Specifies the LDAP attribute name. |
LDAP_Value_Type | Specifies the LDAP value type. Values are s for single value and m for multi-value. |
For more information on the LDAP attribute mapping file format, see LDAP attribute mapping file format in the AIX 5L Version 5.2 Files Reference.
The mksecldap, start-secldapclntd, stop-secldapclntd, restart-secldapclntd, ls-secldapclntd, sectoldif, and flush-secldapclntd commands.
The secldapclntd daemon.
The /etc/security/ldap/ldap.cfg file.
The LDAP attribute mapping file format.