29 November 2011
Introduction
AIX provides LDAP as a load module starting from the AIX 4.3 release. LDAP is a connection-oriented
protocol that runs on TCP/IP. The module can be configured for user and group management on AIX
systems, and the AIX native commands are integrated to support LDAP functionality. The AIX LDAP
client daemon, secldapclntd, sends requests to the LDAP server and fetches the details that
applications and commands on the client ask for. The scope of this article is to cover the
enhancements to the AIX LDAP client environment from AIX 6.1 TL06 and AIX 7.1 onwards. The LDAP
client enhancements from AIX 6.1 TL06 onward are:
developerWorks
ibm.com/developerWorks/
So when privileges are granted or restricted for any such user in the AIX environment, the change
applies to every account on the LDAP server whose name matches case-insensitively. This kind of
scenario can amount to a security breach.
The AIX LDAP client is enhanced to handle this case-sensitivity issue. A new configuration
parameter, caseExactAccountName, is introduced in the AIX LDAP client configuration file,
/etc/security/ldap/ldap.cfg. When this parameter is set to "yes", the LDAP client checks for an
exact match between the user name entered and the results returned by the LDAP server. By default,
the option is set to "no". Whenever the LDAP client configuration file is modified, restart the
LDAP client daemon for the changes to take effect.
Run the following command to restart LDAP client daemon:
#/usr/sbin/restart-secldapclntd
When caseExactAccountName is set to "yes", the LDAP user foo exists on the LDAP server, and an
administrator or privileged user tries to create another user Foo, the mkuser command fails with
the following message:
#mkuser -R LDAP Foo
3004-698 Error committing changes to "Foo".
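The following Python script models the two halves of the lookup described above: the server-side search, which compares uid case-insensitively, and the client-side filter that caseExactAccountName adds. It is an added example, not code from the article or from AIX. The ldap.cfg fragments and the directory entries are constructed, and parse_ldap_cfg, server_search, client_lookup and affected_account are the example's own names.

```python
"""How secldapclntd resolves an account name with caseExactAccountName
set to "no" (the default) and to "yes".  Added example, not IBM code;
the ldap.cfg fragments and the directory entries are constructed."""

# Constructed fragments of /etc/security/ldap/ldap.cfg (key:value lines).
LDAP_CFG_DEFAULT = """
# Default: the client accepts whatever the server's case-insensitive match returns.
caseExactAccountName:no
"""

LDAP_CFG_EXACT = """
caseExactAccountName:yes
"""

# Constructed directory content: two posixAccount entries with lower-case uids.
DIRECTORY = [
    {"uid": "foo", "uidNumber": 1001, "gidNumber": 100, "homeDirectory": "/home/foo"},
    {"uid": "bar", "uidNumber": 1002, "gidNumber": 100, "homeDirectory": "/home/bar"},
]


def parse_ldap_cfg(text):
    """Return {key: value} from key:value lines; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def server_search(name, directory=DIRECTORY):
    """Server side: uid is compared case-insensitively (caseIgnoreMatch),
    so (uid=Foo) and (uid=foo) return the same entry."""
    return [e for e in directory if e["uid"].lower() == name.lower()]


def client_lookup(name, cfg_text):
    """Client side: with caseExactAccountName=yes, drop every returned
    entry whose uid is not exactly the name that was typed."""
    cfg = parse_ldap_cfg(cfg_text)
    exact = cfg.get("caseExactAccountName", "no").lower() == "yes"
    results = server_search(name)
    if exact:
        results = [e for e in results if e["uid"] == name]
    return results[0] if results else None


def affected_account(name, cfg_text):
    """Which LDAP account a command such as chuser <name> would actually
    modify.  With the default setting, 'Foo' lands on 'foo'."""
    entry = client_lookup(name, cfg_text)
    return entry["uid"] if entry else None
```

With the default setting, affected_account("Foo", LDAP_CFG_DEFAULT) returns "foo", which is exactly the privilege spill-over the article warns about; with caseExactAccountName:yes the same call returns None, so a change addressed to "Foo" cannot silently land on "foo".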
are stored in the group cache. Each cache entry has a time stamp. After the cache timeout, which is
configurable, the cache entry is invalidated, and the next query for that user results in an LDAP
query to the LDAP server. The new result from the LDAP server is cached again for subsequent
requests from applications and commands on the LDAP client.
The caching mechanism has a limitation in the current implementation. When a user account is
modified or updated, the update may not be visible on an AIX system where the user is still cached
with the old values. A password change is one example. Within the cache timeout window, a user may
still be allowed to log in with the old password on a system where the cached entry is still valid,
even after the password has been changed from a different system. For the same reason, logging in to
that system with the new password fails as long as the old password is still cached and valid.
This limitation has been resolved by extending the caching mechanism in the AIX LDAP client. A new
attribute, TO_BE_CACHED, is added to the LDAP user and group map files. By default its value is
"yes", which means that all user and group attributes are cached. It can be set to "no" for the user
and group attributes that must not be served from the cache. When a user request comes in, the LDAP
client first scans the user and group map files to see whether TO_BE_CACHED is set to "no" for any
of the requested attributes. If so, it does not read the cache and instead sends a request to fetch
the value from the LDAP server; otherwise it reads the cache to see whether the request can be
satisfied from there.
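The password scenario from the two paragraphs above, played through a small model of the secldapclntd cache. This is an added example, not code from the article or from AIX. The server entries, the timeout value and the three-column map-file lines (AIX attribute, LDAP attribute, TO_BE_CACHED) are constructed; the real map files carry more columns, so that line format is an assumption, as is the plaintext password that stands in for the hashed userPassword value.

```python
"""Model of the secldapclntd user cache and the TO_BE_CACHED map flag.
Added example, not IBM code.  The server entries, the timeout value and
the three-column map-file lines are constructed; the real map files
carry more columns, so that line format is an assumption."""

CACHE_TIMEOUT = 300  # seconds; stands in for the configurable cache timeout

# Constructed user map fragments: AIX attribute, LDAP attribute, TO_BE_CACHED.
USER_MAP_DEFAULT = """
username   uid           yes
id         uidNumber     yes
spassword  userPassword  yes
"""

USER_MAP_NO_PW_CACHE = """
username   uid           yes
id         uidNumber     yes
spassword  userPassword  no
"""


def parse_user_map(text):
    """Return {aix_attr: (ldap_attr, cacheable)} from a map fragment."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        aix_attr, ldap_attr, flag = line.split()
        mapping[aix_attr] = (ldap_attr, flag.lower() == "yes")
    return mapping


class LdapServer:
    """Directory server holding the authoritative entries."""

    def __init__(self, entries):
        self.entries = entries
        self.queries = 0  # how often the client had to go to the server

    def fetch(self, uid):
        self.queries += 1
        return dict(self.entries[uid])

    def set_password(self, uid, new_password):
        # A password change made from a different AIX system lands here.
        self.entries[uid]["userPassword"] = new_password


class LdapClient:
    """secldapclntd-style cache: one time-stamped entry per user."""

    def __init__(self, server, user_map_text, timeout=CACHE_TIMEOUT):
        self.server = server
        self.user_map = parse_user_map(user_map_text)
        self.timeout = timeout
        self.cache = {}  # uid -> (timestamp, entry)

    def get_attr(self, uid, aix_attr, now):
        ldap_attr, cacheable = self.user_map[aix_attr]
        if cacheable:
            hit = self.cache.get(uid)
            if hit is not None and now - hit[0] < self.timeout:
                return hit[1][ldap_attr]
        # Cache miss, expired entry, or TO_BE_CACHED=no: ask the server.
        entry = self.server.fetch(uid)
        if cacheable:
            self.cache[uid] = (now, entry)
        return entry[ldap_attr]

    def check_password(self, uid, password, now):
        # Plaintext stand-in for comparing against the hashed userPassword.
        return self.get_attr(uid, "spassword", now) == password


def password_change_scenario(user_map_text):
    """Log in, change the password elsewhere, then log in again inside and
    after the cache window.  Returns the five results and the query count."""
    server = LdapServer({"foo": {"uid": "foo", "uidNumber": 1001,
                                 "userPassword": "old-secret"}})
    client = LdapClient(server, user_map_text)
    first = client.check_password("foo", "old-secret", now=0)        # fills the cache
    server.set_password("foo", "new-secret")                          # done on another host
    stale_old = client.check_password("foo", "old-secret", now=60)    # inside the timeout
    stale_new = client.check_password("foo", "new-secret", now=60)
    after_old = client.check_password("foo", "old-secret", now=CACHE_TIMEOUT + 60)
    after_new = client.check_password("foo", "new-secret", now=CACHE_TIMEOUT + 60)
    return first, stale_old, stale_new, after_old, after_new, server.queries
```

With USER_MAP_DEFAULT the old password still works and the new one is rejected for the whole cache window, which is the limitation the article describes; with TO_BE_CACHED set to "no" for the password attribute the change is visible at once. The query counter shows the price: every password check then costs a round trip to the server.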
This command loads the Domain RBAC schema into the LDAP server.
2. Convert the Domain RBAC database into LDIF format. The existing rbactoldif command is
enhanced to convert the Domain RBAC database into LDIF format. The following command converts
the Domain RBAC database into LDIF format and appends it to the /tmp/domain.ldif file:
rbactoldif -d <basedn> -s eo >> /tmp/domain.ldif
3. Load the Domain RBAC LDIF file into the LDAP server using the ldapadd command:
ldapadd -h <ldapservername> -D <binddn> -w <bind password> -i /tmp/domain.ldif -v
4. Reconfigure the LDAP client with the mksecldap command so that the Domain RBAC tree entries
are populated in the LDAP client configuration file, /etc/security/ldap/ldap.cfg:
#mksecldap -c -h <LDAP server> -a <bind dn> -p <bind passwd> -S rfc2307aix
5. Make sure that the domain suffixes are loaded into the LDAP server by checking with the lsldap
command. Type the following command to list the suffixes on the LDAP server:
#lsldap
This command lists the Domain RBAC suffixes along with the other suffixes.
6. Add the following stanzas to the /etc/nscontrol.conf file on the LDAP client system so that
the AIX native commands get Domain RBAC information from the LDAP server:
domains:
    secorder = LDAP,files
domobjs:
    secorder = LDAP,files
7. Load the Domain RBAC tables into the kernel of the AIX LDAP client using the setkst command:
#setkst
8. Make sure that the domain and domain object suffixes are configured properly. The existing
commands mkdom, lsdom, chdom, rmdom, and setsecattr are used with the -R LDAP option to manage
domains and domain objects on an LDAP server, for example:
mkdom -R LDAP <domain name>
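Step 6 is the one most easily got wrong by hand, so the following Python script checks an nscontrol.conf for the two Domain RBAC stanzas and renders the corrected file. It is an added example, not code from the article or from AIX; the sample file content is constructed, and parse_stanzas, check_domain_rbac, fix_domain_rbac and render_stanzas are the example's own names. The check insists on the order the article prescribes, LDAP before files.

```python
"""Check /etc/nscontrol.conf for the Domain RBAC stanzas of step 6 and
render the corrected file.  Added example, not IBM code; the sample file
content is constructed."""

import re

# Constructed nscontrol.conf: 'domobjs' is absent and 'domains' lists files first.
SAMPLE_NSCONTROL = """\
* name service control for RBAC tables (constructed sample)
authorizations:
\tsecorder = LDAP,files

roles:
\tsecorder = files

domains:
\tsecorder = files,LDAP
"""

REQUIRED_ORDER = "LDAP,files"          # the value the article prescribes
REQUIRED_STANZAS = ("domains", "domobjs")


def parse_stanzas(text):
    """Parse AIX stanza format: 'name:' followed by indented 'key = value'
    lines; lines starting with '*' are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("*"):
            continue
        header = re.match(r"^(\S+):\s*$", raw)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in raw:
            raise ValueError(f"line outside any stanza: {raw!r}")
        key, value = raw.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_domain_rbac(stanzas):
    """Return {stanza: problem} for the domains/domobjs stanzas that are
    missing or whose secorder does not consult LDAP first."""
    problems = {}
    for name in REQUIRED_STANZAS:
        order = stanzas.get(name, {}).get("secorder")
        if order is None:
            problems[name] = "stanza or secorder missing"
            continue
        sources = [s.strip() for s in order.split(",")]
        if sources[0] != "LDAP":
            problems[name] = f"secorder = {order} (LDAP is not consulted first)"
    return problems


def fix_domain_rbac(stanzas):
    """Copy of the parsed file with both stanzas set as the article requires."""
    fixed = {name: dict(body) for name, body in stanzas.items()}
    for name in REQUIRED_STANZAS:
        fixed.setdefault(name, {})["secorder"] = REQUIRED_ORDER
    return fixed


def render_stanzas(stanzas):
    """Write the stanzas back in nscontrol.conf layout."""
    blocks = []
    for name, body in stanzas.items():
        lines = [f"{name}:"] + [f"\t{k} = {v}" for k, v in body.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

Run check_domain_rbac(parse_stanzas(open("/etc/nscontrol.conf").read())) on the client after step 6; an empty result means both stanzas are present with LDAP first. The round trip through render_stanzas and parse_stanzas is there so the rewritten file can be verified with the same check before it replaces the original.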
Resources
Learn
LDAP configuration and management (developerWorks, May 2007) is a quick reference for
IBM Directory Server configuration management on AIX.
The Understanding LDAP - Design and Implementation Redbook helps you build a
foundation of LDAP skills, and install and configure the IBM Directory Server.
Introduction to Domain RBAC (developerWorks, September 2011) explains in simplified
terms how to use Domain RBAC for granular access to resources and objects.
The AIX Security Guide provides information about the various security features in AIX 7.1.
Jyoti B. Tenginakai
Jyoti Tenginakai works at IBM India as a software engineer. Jyoti has seven years of
experience in the software industry and over five years at IBM India. In her initial
years with IBM, she worked on open source components such as OpenSSH and lsof. She also
worked on the Trusted Execution and EFS features. She completed her bachelor's degree in
electronics and communications at Visweshwaraiah Technology University.
Copyright IBM Corporation 2011
(www.ibm.com/legal/copytrade.shtml)
Trademarks
(www.ibm.com/developerworks/ibm/trademarks/)