
Commands Reference, Volume 3

mksecldap Command

Purpose

Sets up an AIX cluster to use LDAP for security authentication and data management.

Syntax

The syntax to set up a server is:

mksecldap -s -a adminDN -p adminpasswd -S schematype [ -d baseDN ] [ -n port ] [ -k SSLkeypath ] [ -w SSLkeypasswd ] [ -u NONE ] [ -U ]

The syntax to set up a client is:

mksecldap -c -h serverlist -a adminDN -p adminpasswd [ -d baseDN ] [ -n serverport ] [ -k SSLkeypath ] [ -w SSLkeypasswd ] [ -t cachetimeout ] [ -C cachesize ] [ -P NumberofThreads ] [ -T heartBeatInt ] [ -u userlist ] [ -U ]

Description

The mksecldap command can be used to set up IBM SecureWay Directory servers and clients for security authentication and data management. This command must be run on the server and all clients.

Notes:
  1. The client (-c flag) and the server (-s flag) options cannot be run at the same time. When setting up a server, run the mksecldap command twice on that machine: once to set up the server, and again to set up the client.
  2. The SecureWay Directory server configuration file is /etc/slapd.conf for SecureWay Directory 3.1 or earlier and /etc/slapd32.conf for SecureWay Directory 3.2 or later. AIX 5.2 only supports SecureWay Directory 3.2 and later.

For server setup, make sure that the ldap.server fileset is installed. When installing the ldap.server fileset, the ldap.client fileset and the backend DB2 software are automatically installed as well. No DB2 preconfiguration is required to run this command for LDAP server setup. When you run the mksecldap command to set up the server, the command will:

  1. Create a DB2 instance with ldapdb2 as the default instance name.
  2. Create a DB2 database with ldapdb2 as the default database name. If a database already exists, mksecldap will bypass the above two steps. (This is the case when the LDAP server has been set up for other usage.) The mksecldap command will use the existing database to store the AIX user/group data.
  3. Create the AIX tree DN (suffix). If no baseDN is supplied from the command line, the default suffix is set to cn=aixdata and the user/group data is placed under the cn=aixsecdb,cn=aixdata DN. This is the recommended case. Otherwise, the mksecldap command takes the user-supplied DN, prefixes it with cn=aixdata, and makes the newly constructed DN the suffix. This behavior is shown in the following table. The value within the brackets represents the optional user-supplied DN from the command line.
    CMD-line DN:  [o=ibm]
    suffix:       cn=aixdata[,o=ibm]
    security DN:  cn=aixsecdb,cn=aixdata[,o=ibm]
    user DN:      ou=aixuser,cn=aixsecdb,cn=aixdata[,o=ibm]
    group DN:     ou=aixgroup,cn=aixsecdb,cn=aixdata[,o=ibm]
    In case the LDAP server has already been set up on the local system, the mksecldap command searches for the cn=aixsecdb keyword in the suffixes defined in the slapd32.conf configuration file and in the database. If it finds the keyword, it assumes that mksecldap has already been run, bypasses the base DN setup step and the user/group migration step, and exits.

    If cn=aixsecdb is not found in the suffixes or the database, the mksecldap command checks for the cn=aixdata keyword. cn=aixdata is a common base DN shared by various AIX LDAP components. If the mksecldap command finds the keyword, it compares it with the user-supplied DN. If they are the same, the users/groups are put under cn=aixsecdb,cn=aixdata,[userDN]. If they are different, the mksecldap command prints an error message warning of the existence of the cn=aixdata,... DN, and it does not migrate the users/groups under the user-supplied DN. You can choose to use the existing cn=aixdata,... DN by running the mksecldap command again with that existing DN.

  4. Migrate the data from the local host's security database files into the LDAP database. Depending on the -S option, the mksecldap command migrates users/groups using one of the three LDAP schemas: AIX, RFC2307, or RFC2307AIX.
  5. Set the LDAP server administrator DN and password. This name/password pair is also used for access control of the AIX tree.
  6. Set the SSL (secure socket layer) for secure data transfer between this server and the clients. This setup requires the GSKIT to be installed.
    Note
    If this option is used, the SSL key must be created before running the mksecldap command. Otherwise the server may not be able to start.
  7. Install /usr/ccs/lib/libsecldapaudit.a, an LDAP server plug-in. This plug-in supports AIX auditing of the LDAP server.
  8. Start/restart the LDAP server after all the above is done.
  9. Add the LDAP server process (slapd) to /etc/inittab to have the LDAP server start after reboot.
  10. With the -U option, undo a previous setup of the server configuration file. The first time you run the mksecldap command, it saves two copies of the slapd32.conf server configuration file: one to /etc/security/ldap/slapd32.conf.save.orig and the other to /etc/security/ldap/slapd32.conf.save. On each subsequent run of mksecldap, the current slapd32.conf is saved only to the /etc/security/ldap/slapd32.conf.save file. The undo option restores the /etc/slapd32.conf server configuration file from the /etc/security/ldap/slapd32.conf.save copy.
    Note
    The undo option applies to the server configuration file only. It has no effect on the database.
Note
All the LDAP configuration is saved into the /etc/slapd32.conf LDAP server configuration file.
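As an added example (not part of this reference page), the following POSIX shell script reproduces the suffix decision described in server setup step 3, using a constructed list of suffixes in place of the real slapd32.conf and database lookup, and prints the DNs derived from a suffix:

```shell
# Added example, not from the man page: the suffix decision mksecldap makes
# in server setup step 3. $1 = existing suffixes (one per line, constructed
# here), $2 = the -d DN or empty. Prints ALREADY_SETUP, USE, CONFLICT or CREATE.
plan_aix_suffix() {
    existing=$1
    if [ -n "$2" ]; then suffix="cn=aixdata,$2"; else suffix="cn=aixdata"; fi
    # cn=aixsecdb in a suffix: mksecldap assumes it already ran and exits
    if printf '%s\n' "$existing" | grep -qi 'cn=aixsecdb'; then
        echo "ALREADY_SETUP"; return 0
    fi
    # cn=aixdata,... is shared with other AIX LDAP components: reuse or refuse
    found=$(printf '%s\n' "$existing" | grep -i '^cn=aixdata' | head -n 1)
    lc_found=$(printf '%s' "$found" | tr 'A-Z' 'a-z')
    lc_suffix=$(printf '%s' "$suffix" | tr 'A-Z' 'a-z')
    if [ -z "$found" ]; then
        echo "CREATE $suffix"
    elif [ "$lc_found" = "$lc_suffix" ]; then
        echo "USE $suffix"
    else
        echo "CONFLICT $found"
    fi
}

# DNs mksecldap derives from a suffix (the table in step 3).
aix_dns_for_suffix() {
    printf 'suffix: %s\n' "$1"
    printf 'security DN: cn=aixsecdb,%s\n' "$1"
    printf 'user DN: ou=aixuser,cn=aixsecdb,%s\n' "$1"
    printf 'group DN: ou=aixgroup,cn=aixsecdb,%s\n' "$1"
}

# Constructed sample: suffix lines a slapd32.conf might already contain
SAMPLE_SUFFIXES="o=ibm
cn=aixdata,o=ibm"

plan_aix_suffix "" ""                                 # CREATE cn=aixdata
plan_aix_suffix "$SAMPLE_SUFFIXES" "o=ibm"            # USE cn=aixdata,o=ibm
plan_aix_suffix "$SAMPLE_SUFFIXES" "o=mycompany,c=us" # CONFLICT cn=aixdata,o=ibm
plan_aix_suffix "cn=aixsecdb,cn=aixdata" ""           # ALREADY_SETUP
aix_dns_for_suffix "cn=aixdata,o=ibm"
```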

For client setup, make sure the LDAP server has been set up and is running. The mksecldap command does the following during client setup:

  1. Saves the LDAP server(s)' host name.
  2. Saves the user base DN and group base DN of the server. If no -d option is supplied from the command line, the mksecldap command searches the LDAP server for the aixaccount, aixaccessgroup, posixaccount, posixgroup, and aixauxaccount objectclasses and sets up the base DNs accordingly. If the server has multiple user/group bases, you must supply the -d option with an RDN so that the mksecldap command can set up the base DNs to the ones within that RDN.

    If the posixaccount objectclass is found during client setup, mksecldap also tries to search the server for base DNs for these entities: hosts, networks, services, netgroups, protocols, and rpc, and saves any that are found.

  3. Determines the schema type used by the LDAP server - AIX specific schema, RFC 2307 schema, or RFC 2307 schema with full AIX support (see the objectclasses listed in step 2). It sets the objectclasses and attribute maps in the /etc/security/ldap/ldap.cfg file accordingly. The mksecldap command does not recognize other schema types, so clients using them must be set up manually.
  4. Sets SSL for secure data transfer between this host and the LDAP server. This step requires that the client SSL key and the key password are created in advance, and the server must be set up to use SSL for the client SSL to work.
  5. Saves the LDAP server administrator DN and password. The DN/password pair must be the same as the pair specified during server setup.
  6. Sets the cache size in terms of the number of entries used by the client side daemon. Valid values are 100-10,000 for users and 10-1,000 for groups. The default value is 1,000 for users and 100 for groups.
  7. Sets the cache timeout of the client side daemon. Valid values are 60-3600 seconds. The default is 300 seconds. Set this value to 0 to disable caching.
  8. Sets the number of threads used by the client side daemon. Valid values are 1-1,000. The default is 10.
  9. Sets the time interval in seconds at which the client daemon checks the LDAP server status. Valid values are 60-3,600 seconds. The default is 300.
  10. Optionally sets the list of users, or all users, to use LDAP by modifying their SYSTEM line in the /etc/security/user file. For more information on enabling LDAP login, see the following note.
  11. Starts the client daemon process (secldapclntd).
  12. Adds the client side daemon process to /etc/inittab to have this daemon start after a reboot.
  13. With the -U option, undo a previous setup to the /etc/security/ldap/ldap.cfg file.
    Note
    The client configuration data is saved to the /etc/security/ldap/ldap.cfg file. Setting SYSTEM to LDAP in the default stanza of /etc/security/user allows only LDAP users to log in to the system. Setting SYSTEM to "LDAP or compat" allows both LDAP users and local users to log in to the system.

Flags

For Server Setup

-a AdminDN Specifies the LDAP server administrator DN.
-d baseDN Specifies the suffix or base DN of the AIX subtree. The default is cn=aixdata.
-k SSLkeypath Specifies the full path to the SSL key database of the server.
-n port Specifies the port number that the LDAP server listens on. The default is 389 for non-SSL and 636 for SSL.
-p adminpasswd Specifies the clear text password for the administrator DN.
-S schematype Specifies the LDAP schema used to represent user/group entries in the LDAP server. Valid values are AIX, RFC2307, and RFC2307AIX.
-s Indicates that the command is being run to set up the server.
-w SSLkeypasswd Specifies the password for the SSL key.
-U Specifies to undo the previous server setup to the LDAP configuration file.
-u NONE Specifies not to migrate users and groups from the local system. The only valid value is NONE; any other value is ignored. No -S option is required with this option.

For Client Setup

-a AdminDN Specifies the LDAP server administrator DN. It must match the one used for the server setup.
-c Indicates that the command is being run to set up the client.
-C cachesize Specifies the maximum number of user entries used in the client side daemon cache. Valid values are 100-10,000 for the user cache. The default value is 1,000. The group cache is 10% of the user cache.
-d baseDN Specifies the base DN for the mksecldap command to search for the user base DN and group base DN. If not specified from the command line, the entire database is searched.
-h serverlist Specifies a comma separated list of hostnames (server and backup servers).
-k SSLkeypath Specifies the full path to the client SSL key.
-n serverport Specifies the port number that the LDAP server is listening to.
-p adminpasswd Specifies the clear text password for the administrator DN of the LDAP server. It must match the one used for the server setup.
-P NumberofThreads Specifies the number of threads the client side daemon uses. Valid values are 1-1,000. The default is 10.
-t cachetimeout Specifies the maximum time, in seconds, before a cache entry expires. Valid values are 60-3,600 seconds. The default is 300 seconds. Set this value to 0 to disable caching.
-T heartBeatInt Specifies the time interval of the heartbeat between this client and the LDAP server. Valid values are 60-3,600 seconds. The default is 300.
-u userlist Specifies the comma separated list of usernames. Specify ALL to enable all users on the client.
-w SSLkeypasswd Specifies the password for the client SSL key.
-U Specifies to undo the previous client setup to the LDAP client configuration file.

Examples

  1. To set up an LDAP server with the AIX specific schema for users and groups, enter:
    mksecldap -s -a cn=admin -p adminpwd -S aix
    This sets up an LDAP server with the LDAP server administrator DN being cn=admin and the password being adminpwd. User and group data is migrated from local files to the default cn=aixdata suffix.
  2. To set up an LDAP server with a baseDN other than the default and with SSL secure communication, enter:
    mksecldap -s -a cn=admin -p adminpwd -d o=mycompany,c=us -S rfc2307 \
        -k /usr/ldap/serverkey.kdb -w keypwd
    This sets up an LDAP server with the LDAP server administrator DN being cn=admin and the password being adminpwd. User and group data is migrated from local files to the cn=aixdata,o=mycompany,c=us suffix. The LDAP server uses SSL communications by using the key stored at /usr/ldap/serverkey.kdb. The password to the key, keypwd, must also be supplied. Users and groups are migrated with the RFC 2307 schema.
  3. To undo a previous server setup:
    mksecldap -s -U 
    This undoes the previous setup of the /etc/slapd32.conf server configuration file. Note that, for safety reasons, this does not remove any database entries or database created by a previous setup. You must remove the database entries/database manually if they are no longer needed.
  4. To set up a client to use the server1.ibm.com and server2.ibm.com LDAP servers, enter:
    mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com,server2.ibm.com
    The LDAP server administrator DN and password must be supplied for this client to authenticate to the server. The mksecldap command contacts the LDAP server for the schema type used, and sets up the client accordingly. Without the -d option on the command line, the entire server DIT is searched for the user base DN and the group base DN.
  5. To set up the client to talk to the server3.ibm.com LDAP server using SSL, enter:
    mksecldap -c -a cn=admin -p adminpwd -h server3.ibm.com -d o=mycompany,c=us -k /usr/ldap/clientkey.kdb -w keypwd -u user1,user2
    This sets up an LDAP client similar to example 4, but with SSL communication. The mksecldap command searches the o=mycompany,c=us RDN for the user base DN and group base DN. Accounts user1 and user2 are configured to authenticate through LDAP.
    Note
    The -u ALL option enables all LDAP users to log in to this client.
  6. To undo a previous client setup, enter:
    mksecldap -c -U
    This undoes the previous setup of the /etc/security/ldap/ldap.cfg file. It does not remove the SYSTEM=LDAP and registry=LDAP settings from the /etc/security/user file.
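As an added example (not part of this reference page), this POSIX shell script reads the SYSTEM attribute from a constructed /etc/security/user-style stanza file to show which login policy a stanza expresses (see the note under client setup) and which stanzas still name LDAP after mksecldap -c -U, since the undo does not clear them:

```shell
# Added example, not from the man page: read the SYSTEM attribute of an
# /etc/security/user stanza file; path and content below are constructed.
system_value() {   # SYSTEM value of stanza $2 in file $1, else the default stanza's
    awk -v want="$2" '
        /^[^ \t#][^:]*:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        /^[ \t]+SYSTEM[ \t]*=/ {
            val = $0; sub(/^[ \t]+SYSTEM[ \t]*=[ \t]*/, "", val); gsub(/"/, "", val)
            if (stanza == want) found = val
            if (stanza == "default") def = val
        }
        END { print (found != "" ? found : def) }
    ' "$1"
}
login_policy() {   # who may log in under that SYSTEM value (client setup note)
    v=$(system_value "$1" "$2" | tr 'a-z' 'A-Z' | tr -s ' \t' ' ')
    case "$v" in
        "LDAP")                            echo "LDAP-only" ;;
        "LDAP OR COMPAT"|"COMPAT OR LDAP") echo "LDAP-or-local" ;;
        "COMPAT")                          echo "local-only" ;;
        "")                                echo "unset" ;;
        *)                                 echo "other: $v" ;;
    esac
}
ldap_stanzas() {   # stanzas still naming LDAP: mksecldap -c -U leaves these
    awk '
        /^[^ \t#][^:]*:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        /^[ \t]+SYSTEM[ \t]*=/ && toupper($0) ~ /LDAP/ { print stanza }
    ' "$1"
}
SAMPLE_FILE=$(mktemp)   # constructed stand-in for /etc/security/user
cat > "$SAMPLE_FILE" <<'EOF'
default:
        SYSTEM = "compat"
user1:
        SYSTEM = "LDAP"
        registry = LDAP
user2:
        SYSTEM = "LDAP OR compat"
EOF
login_policy "$SAMPLE_FILE" default   # local-only
login_policy "$SAMPLE_FILE" user1     # LDAP-only
login_policy "$SAMPLE_FILE" user2     # LDAP-or-local
ldap_stanzas "$SAMPLE_FILE"           # user1 and user2, one per line
```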

Files Accessed:

Mode File
r /etc/passwd
r /etc/group
r /etc/security/passwd
r /etc/security/limits
r /etc/security/user (on the server)
rw /etc/security/user (on the clients)
r /etc/security/environ
r /etc/security/user.roles
r /etc/security/lastlog
r /etc/security/smitacl.user
r /etc/security/mac_user
r /etc/security/group
r /etc/security/smitacl.group
r /etc/security/roles
rw /etc/security/login.cfg (on the server)
rw /etc/slapd32.conf (on the server)
rw /etc/security/ldap/ldap.cfg (on the client)

Related Information

The secldapclntd daemon.

The start-secldapclntd, stop-secldapclntd, restart-secldapclntd, ls-secldapclntd, flush-secldapclntd, sectoldif, and nistoldif commands.

The /etc/security/ldap/ldap.cfg file.

LDAP Exploitation of the Security Subsystem in AIX 5L Version 5.2 Security Guide.
