
LDAP client enhancements in AIX 7

Uma Chandolu (uchandol@in.ibm.com)
AIX security developer and support specialist, IBM

Jyoti B. Tenginakai (jyoti.b.t@in.ibm.com)
Software engineer, IBM

29 November 2011

Lightweight Directory Access Protocol (LDAP) is a subset of the X.500 directory access protocol.
An LDAP directory holds information about objects such as user names, group names, file names,
and more. The LDAP protocol defines the exchange of information between an LDAP client and an
LDAP server; applications use the LDAP client to query LDAP servers for the information they
need. This article is a quick reference to the LDAP client features in the AIX 6.1 and 7.1 releases.

Introduction
AIX has provided LDAP as a loadable module since the AIX 4.3 release. LDAP is a connection-oriented
protocol that runs over TCP/IP. The module can be configured for user and group management on
AIX systems, and the AIX native commands are integrated with it. The AIX LDAP client daemon,
secldapclntd, sends requests to the LDAP server and fetches the details that an application or
command asked for. This article covers the enhancements to the AIX LDAP client environment from
AIX 6.1 TL06 and AIX 7.1 onwards. The LDAP client enhancements from AIX 6.1 TL06 onward are:

LDAP case sensitivity
LDAP alias support
LDAP cache enhancement
LDAP negative cache enhancement
Integration of Domain RBAC with LDAP

LDAP case sensitivity

User and group names on LDAP servers are case insensitive: LDAP treats the users foo, Foo, and
FOO as the same user. UNIX is case sensitive, so it treats them as three different users.

So when privileges are granted to or restricted for one of these users on an AIX system, the change
applies to all of them on the LDAP server. This kind of scenario can lead to a security exposure.
The AIX LDAP client is enhanced to handle this case-sensitivity issue. A new configuration
parameter, caseExactAccountName, is introduced in the AIX LDAP client configuration file,
/etc/security/ldap/ldap.cfg. When this parameter is set to "yes", the LDAP client checks that the
user name entered matches the results returned by the LDAP server exactly. By default, this option
is set to "no". Whenever the LDAP client configuration file is modified, restart the LDAP client
daemon for the changes to take effect:
# /usr/sbin/restart-secldapclntd

When caseExactAccountName is set to "yes", the LDAP user foo exists on the LDAP server, and an
administrator or privileged user tries to create another user Foo, the mkuser command displays
the following message:
# mkuser -R LDAP Foo
3004-698 Error committing changes to "Foo".

Similarly, the lsuser command displays the following message:
# lsuser -R LDAP Foo
3004-687 User "Foo" does not exist.

LDAP alias support

LDAP stores information in a directory information tree (DIT) and manages users and groups there.
Sometimes a user is known by several user names, that is, by aliases of the primary user name.
LDAP stores such a user in the following directory tree format:
dn: uid=foo,ou=people,cn=aixdata
uid: foo
uid: foo1
objectclass: posixaccount

Here dn: uid=foo,ou=people,cn=aixdata is the distinguished name (DN) of the user, and uid: foo
and uid: foo1 are the relative distinguished name (RDN) values of the user. AIX native commands
such as lsuser fetch the user's attributes from the LDAP server using either foo or foo1. However,
AIX login uses the distinguished name as the user name, so logging in as foo succeeds but logging
in as foo1 fails. The AIX LDAP client is enhanced to support the LDAP alias mechanism during user
login.

LDAP caching enhancement

The AIX LDAP client daemon, secldapclntd, stores user and group entries retrieved from the LDAP
server in the LDAP client cache. User attributes are stored in the user cache, and group attributes

are stored in the group cache. Each cache entry carries a time stamp. After the configurable cache
timeout expires, the entry is invalidated, and the next query for that user results in an LDAP query
to the LDAP server. The new result is cached again for subsequent requests from applications and
commands on the LDAP client.
The caching mechanism has a limitation in the current implementation. When a user account is
modified or updated, the update may not be visible on an AIX system where the user is still cached
with the old values. One example is a password change. Within the cache timeout window, a user may
still be allowed to log in with the old password on a system where the user's cache entry is still
valid, even after the password has been changed from a different system. For the same reason,
logging in to that system with the new password fails while the old password is still cached and
valid.
This limitation is resolved by extending the caching mechanism in the AIX LDAP client. A new
attribute, TO_BE_CACHED, is added to the LDAP user and group map files. By default its value is
"yes", meaning that all user and group attributes are cached. It can be set to "no" for the user and
group attributes that must not be cached. When a user request comes in, the LDAP client first scans
the user and group map files to see whether TO_BE_CACHED is set to "no" for any of the requested
attributes. If so, it does not read the cache and instead sends the request to the LDAP server to
fetch the value; otherwise it reads the cache to see whether the request can be served from it.

LDAP negative cache enhancement

Another enhancement to the secldapclntd daemon concerns entries that do not exist. The daemon
caches user and group entries retrieved from the LDAP server. If a request comes in for a user or
group that does not exist on the LDAP server, the server returns the corresponding "does not exist"
result, and the client caches that result too. When the same non-existent user or group is requested
again, the answer is taken from the cache instead of sending another query to the server. This
improves performance when the same non-existent user or group information is queried repeatedly.
This is called the negative caching mechanism in the AIX LDAP client.
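The following Python model is an added illustration, not code from the article or from AIX itself. It reproduces the behaviour described in the two sections above: a time-stamped client cache with a timeout, the window in which an old password is still accepted after a change elsewhere, the TO_BE_CACHED=no bypass that closes that window, and the negative cache for non-existent names. All class and function names, and the sample data, are assumed for the example.

```python
# Added example (not code from the article or from AIX): a model of the
# secldapclntd caching behaviour. All class and function names are assumed.
class FakeLdapServer:
    """Stand-in LDAP server that counts the queries it receives."""
    def __init__(self, users):
        self.users = users    # constructed sample data: name -> attribute dict
        self.queries = 0
    def lookup(self, name):
        self.queries += 1
        attrs = self.users.get(name)
        return dict(attrs) if attrs is not None else None   # None: no entry

class LdapClientCache:
    """Time-stamped entries, a timeout, negative entries, TO_BE_CACHED bypass."""
    def __init__(self, server, timeout, uncached=()):
        self.server = server
        self.timeout = timeout
        self.uncached = set(uncached)   # attributes marked TO_BE_CACHED=no
        self.entries = {}               # name -> (timestamp, attrs or None)
    def get(self, name, attr, now):
        hit = self.entries.get(name)
        valid = hit is not None and now - hit[0] < self.timeout
        # A valid entry (including a cached miss) is served from the cache,
        # unless the attribute is TO_BE_CACHED=no, which forces a server query.
        if valid and attr not in self.uncached:
            attrs = hit[1]
        else:
            attrs = self.server.lookup(name)
            self.entries[name] = (now, attrs)   # None records a negative entry
        return None if attrs is None else attrs.get(attr)

def password_change_scenario(uncached=()):
    """Password a client login sees 60 s after it was changed on another
    system; the cache timeout is 300 s."""
    server = FakeLdapServer({"foo": {"password": "old"}})
    cache = LdapClientCache(server, timeout=300, uncached=uncached)
    cache.get("foo", "password", now=0)           # first login fills the cache
    server.users["foo"]["password"] = "new"       # changed from another system
    return cache.get("foo", "password", now=60)   # inside the timeout window

def negative_cache_scenario():
    """Three lookups of a non-existent user; returns the server query count."""
    server = FakeLdapServer({})
    cache = LdapClientCache(server, timeout=300)
    for t in (0, 10, 20):
        cache.get("nosuchuser", "uid", now=t)
    return server.queries   # the miss is cached, so only the first query hits
```

With the default map settings the stale password is still returned inside the timeout; marking the password attribute TO_BE_CACHED=no makes the new value visible immediately, and repeated lookups of a missing user cost a single server query.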

Integration of Domain RBAC into LDAP

From the AIX 6.1 TL07 and AIX 7.1 TL02 releases onwards, the LDAP client supports Domain RBAC
integration with an LDAP server. The LDAP client fetches the Domain RBAC information from the
LDAP server and downloads it into the AIX kernel, which then controls access to the resources on
the system. The Domain RBAC commands and the LDAP client commands are enhanced to support Domain
RBAC with an LDAP server.
To configure the Domain RBAC database on an LDAP server, follow these steps:
1. Load the Domain RBAC schema into the LDAP server using the ldapadd command. The Domain RBAC
schema ships with AIX 6.1 TL07 and AIX 7.1 TL02. The schema file for the Tivoli Directory Server
is /etc/security/ldap/sec.ldif. The Domain RBAC database can also be configured on a Microsoft
Windows AD server.

If the LDAP server is a Microsoft Windows AD server, use the /etc/security/ldap/aixSchemaForAD.ldif
file. The syntax is:
ldapadd -h <ldap servername> -D <binddn> -w <bind password> -i <schema file> -c -v

This command loads the Domain RBAC schema into the LDAP server.
2. Convert the Domain RBAC database into LDIF format. The existing rbactoldif command is enhanced
to convert the Domain RBAC database into LDIF format. The following command converts the Domain
RBAC database into LDIF format and appends it to the /tmp/domain.ldif file:
rbactoldif -d <basedn> -s eo >> /tmp/domain.ldif

3. Load the Domain RBAC LDIF file into the LDAP server using the ldapadd command:
ldapadd -h <ldapservername> -D <binddn> -w <bind password> -i /tmp/domain.ldif -v

4. Reconfigure the LDAP client with the mksecldap command to populate the Domain RBAC tree
entries in the LDAP client configuration file, /etc/security/ldap/ldap.cfg:
# mksecldap -c -h <LDAP server> -a <bind dn> -p <bind passwd> -S rfc2307aix

5. Verify with the lsldap command that the domain suffixes are loaded into the LDAP server. Type
the following command to check the suffixes on the LDAP server:
# lsldap

This command lists the Domain RBAC suffixes along with the other suffixes.
6. Add the following stanzas to the /etc/nscontrol.conf file on the LDAP client system so that the
AIX native commands get Domain RBAC information from the LDAP server:
domains:
        secorder = LDAP,files
domobjs:
        secorder = LDAP,files

7. Load the Domain RBAC tables into the kernel of the AIX LDAP client using the setkst command:
# setkst

8. Make sure that the domain and domain object suffixes are configured properly. The existing
commands mkdom, lsdom, chdom, rmdom, and setsecattr are used with the -R LDAP option to manage
domains and domain objects on an LDAP server:
mkdom -R LDAP <domain name>

setsecattr -R LDAP -o domains=<domain name> objtype=file <object name>


Resources
Learn
LDAP configuration and management (developerWorks, May 2007) is a quick reference for IBM
Directory Server configuration management on AIX.
The Understanding LDAP - Design and Implementation Redbook helps you build a foundation of LDAP
skills, as well as install and configure the IBM Directory Server.
Introduction to Domain RBAC (developerWorks, September 2011) explains in simplified terms how to
use Domain RBAC to gain granular access control over resources and objects.
The AIX Security Guide provides information about the various security features in AIX 7.1.


About the authors

Uma Chandolu
Uma M. Chandolu works as a development support specialist on AIX. He has over 6 years of
extensive hands-on experience in AIX environments and demonstrated expertise in AIX system
administration and other subsystems. He has experience interfacing with customers and handling
customer-critical situations. He has been recognized as an IBM developerWorks Contributing
Author. You can reach him at uchandol@in.ibm.com.

Jyoti B. Tenginakai
Jyoti Tenginakai works at IBM India as a software engineer. Jyoti has 7 years of experience in
the software industry and over five years of experience at IBM India. In her initial years with
IBM, she worked on open source components such as OpenSSH and LSOF. She also worked on the
Trusted Execution and EFS features. She completed her bachelor's degree in electronics and
communications at Visweshwaraiah Technology University.
Copyright IBM Corporation 2011
(www.ibm.com/legal/copytrade.shtml)
Trademarks
(www.ibm.com/developerworks/ibm/trademarks/)
