Lightweight Directory Access Protocol (LDAP)-based user management is increasingly popular for the AIX 5L™ operating system. Clients typically use LDAP or LDAP with Kerberos to achieve their authentication and user management requirements. LDAP provides a central mechanism for maintaining system configuration and policy information. This lets clients configure and manage multiple systems with a single set of user identity configuration information, and it simplifies system administration. The AIX 5L LDAP client supports centralized administration of administrative databases for users, groups, and network information for systems.
In this article, we'll use the following terms and definitions:
Table 1. Terminology
| Term | Description |
|---|---|
| Active Directory services | Directory services provided by the Microsoft® Active Directory Server |
| AIX 5L V5.3 TL 05 | AIX 5L Service Release Technology Level 05 |
| LDAP | Lightweight Directory Access Protocol -- an open standard for a user security repository and authentication mechanism |
| SFU | Microsoft's Services For UNIX® software module -- provides for Active Directory configuration that is close to that of an RFC 2307-compliant LDAP server |
Overview of AIX 5L LDAP user management
This section describes the AIX 5L operating system V5.3 LDAP user management features prior to the TL5 update. All of the features are described in detail in the AIX® documentation, the "Configuring an AIX Client System for User Authentication and Management through LDAP" white paper, and the Integrating AIX 5L into Heterogeneous LDAP Environments IBM Redbook (see Resources).
The AIX operating system was one of the first operating systems to introduce LDAP-based user management in the 1990s. With the acceptance of Request for Comment (RFC) 2307 as a standard method of maintaining user or group information, operating systems have aligned to provide a more standardized method of directory support. AIX 5L LDAP-based user management has been transformed to adhere to the RFC 2307 standard, which enables clients to manage AIX 5L systems along with systems of other platform types that comply with RFC 2307.
Some of the highlights of AIX 5L-based LDAP user management are:
- Support for a full set of AIX 5L user and group attributes
  - When the AIX 5L operating system platform is chosen as the LDAP server (with the included LDAP software stack on the AIX 5L media), the AIX 5L operating system supports attributes beyond RFC 2307 and provides additional controls over user logins. The AIX 5L operating system provides a complete set of password and login controls. (Some attributes are unique to AIX 5L and are documented in the AIX 5L Version 5.3 Security guide. See Resources.)
- Support for the following databases in the AIX 5L LDAP implementation:
  - RFC 2307 specified information and other user or group information
  - Advanced Accounting configuration tables
- Seamless integration into AIX 5L user management commands and tools
  - LDAP-related management can be done using the same set of commands and the System Management Interface Tool (SMIT) interfaces that clients are familiar with. The AIX 5L operating system provides interfaces that include LDAP, allowing easy configuration of LDAP clients and servers. The AIX 5L operating system also provides tools for migrating configuration information from local files to LDAP databases.
- Automount support
  - The AIX 5L operating system supports automount capability for users to establish their home directory using the Network File System (NFS).
- Multi-server configuration and failover capabilities
  - The AIX 5L operating system can be configured to use multiple LDAP servers to retrieve configuration information and to prioritize that list of servers, providing redundant protection for the LDAP server information. If a master LDAP server fails, the AIX 5L operating system will automatically fail over to another server.
AIX 5L LDAP user management is achieved by configuring AIX 5L servers as clients of LDAP servers. AIX 5L LDAP-based user and group management supports the following types of directory servers:
- IBM Tivoli® Directory Servers -- the recommended LDAP server
- Non-IBM directory servers
- Microsoft Active Directory server
It is recommended that you use IBM Tivoli Directory Server for AIX 5L LDAP user or group management. IBM Tivoli Directory Server has built-in schema support that is compliant with RFC 2307, and it provides extended AIX 5L user and group attributes. IBM Tivoli Directory Server provides three types of user- or group-related schemas: AIX, rfc2307, and rfc2307aix.
Schema type rfc2307aix is fully compliant with the RFC 2307 specification, so other operating systems (such as Linux) can be configured to use this information. This schema also provides AIX 5L-specific extended information, such as additional user controls, accounting policies, and so on. It is recommended that the rfc2307aix schema type be used for user and group objects.
Use of the AIX schema type is not encouraged, unless you want a server to support systems with the AIX 5L operating system V5.1 and earlier. Operating systems other than AIX 5L might not work with IBM Tivoli Directory Server with the AIX schema type for user management.
AIX 5L servers can be configured to use non-IBM LDAP servers with certain limitations. The AIX 5L operating system supports such configuration both for LDAP servers that are RFC 2307 compliant and for those that are not. The complexity of configuration and the level of support vary and are described in detail in the following sections.
- RFC 2307 compliant directory servers
  - The AIX 5L LDAP client can be configured to use non-IBM LDAP servers for user or group management. This is possible if the directory server supports RFC 2307 schema compliant user or group information. It is also required that these servers support the LDAP Version 3 protocol.
  - AIX 5L clients operating against such servers will not support the full functions of user or group management. Because these servers typically will not be able to support AIX 5L-specific user or group attributes, some of the finer user controls on the AIX 5L operating system will not be possible.
- RFC 2307 non-compliant directory servers
  - The AIX 5L operating system does not support non-RFC 2307 compliant directory servers. However, the AIX 5L operating system might be made to work with such servers if they contain the required set of attributes, as specified in RFC 2307 (assuming that the information is stored in a non-compliant fashion). In such cases, the administrator must map the custom information on the directory to RFC 2307-relevant information by creating map files on the AIX 5L client. The AIX 5L operating system provides a schema mapping mechanism for this purpose.
  - See "LDAP Attribute Mapping File Format" in the AIX 5L Security guide (Resources) for more information on schema file format and schema file usage.
Microsoft Active Directory
The AIX 5L LDAP client can be configured to use the Active Directory services. The Active Directory-based user and group information has evolved between the Microsoft® Windows® releases. Because of this, the administrator should read through this entire section and establish the necessary configuration on the AIX 5L LDAP client.
In the Windows 2000 and Windows 2003 releases, Active Directory technology can map user and group information into a UNIX schema type through the Windows Services for UNIX package. To enable AIX 5L clients to authenticate against the Active Directory-based information, clients must install Windows Services for UNIX on an Active Directory services-based system, then configure the AIX 5L clients. More details about this configuration are provided later.
The AIX 5L operating system supports Active Directory services running on Windows 2000 and 2003, with Services for UNIX schema Version 3.0 and 3.5.
In the case of Windows 2003 R2-based Active Directory, there is no need for the additional Windows Services for UNIX (SFU) layer. The UNIX support schema in Windows 2003 R2 is different from those defined in Services for UNIX 3.0 and 3.5. The AIX 5L operating system requires APAR IY91514 to support Active Directory with the Windows 2003 R2 schema. To check if the APAR is installed, run this command:
```
# instfix -ik IY91514
```
Due to the difference in user and group management between the AIX 5L operating system and Windows systems, not all AIX 5L commands might work when operating on Active Directory as the central LDAP server. Commands that will not work include mkuser and mkgroup. Most other user and group management commands work, depending on the access rights given to the identity with which the AIX 5L operating system binds to Active Directory. These commands include:
- lsuser
- chuser
- rmuser
- lsgroup
- chgroup
- rmgroup
- id
- groups
- passwd
- chpasswd (unix_auth mode only)
Configuring AIX 5L client to use Windows server
The AIX 5L operating system supports two user authentication mechanisms against Windows servers: LDAP authentication and Kerberos authentication. With either mechanism, the AIX 5L operating system supports user identification through LDAP protocol against Active Directory, with no requirement for a corresponding user account on the AIX 5L operating system.
Before configuring the AIX 5L operating system, you must take these steps on the Windows server side:
- Active Directory must have the UNIX support schema installed.
- Active Directory must contain users that are UNIX enabled.
- For Kerberos authentication, a host principal must be created on the Windows server.
For details on installing schemas to Active Directory and enabling Active Directory users with UNIX support, consult the related Microsoft documentation.
For LDAP authentication, administrators can use the mksecldap command to configure the AIX 5L LDAP client against an Active Directory server, just as they would do against the IBM Tivoli Directory Server. The mksecldap command queries the server, discovers that the remote server is Active Directory-based, and configures the AIX 5L operating system accordingly.
For Kerberos authentication, Kerberos must be configured in addition to LDAP.
The following sections describe detailed configuration steps on LDAP authentication and Kerberos authentication against Windows servers.
Configuring AIX 5L to work with Active Directory using unix_auth mode
```
# mksecldap -c -h <Active Directory hostname> -a <cn=binduser,cn=users,dc=ADdomain,dc=abc,dc=com> -p <password>
```
Where:
- Active Directory hostname is your Windows Active Directory server.
- cn=binduser,cn=users,dc=ADdomain,dc=abc,dc=com is a sample bind credential. It can be a user account defined in Active Directory. This user must have read access to users' UNIX password from Active Directory for authentication to be successful, and it must also have write access to users' UNIX password to Active Directory for users to change their password.
- password is the password of the above binduser account.
This configures the AIX 5L operating system to work with the Active Directory server specified. The authentication mode will be set to unix_auth. The secldapclntd daemon will bind to Active Directory using the cn=binduser,cn=users,dc=ADdomain,dc=abc,dc=com identity. You can replace cn=binduser,cn=users,dc=ADdomain,dc=abc,dc=com with another valid user defined in your Active Directory. This Windows user account should only be used by UNIX client systems to bind to the Active Directory server.
After the mksecldap command successfully returns, check the /etc/security/ldap/ldap.cfg file to make sure that the userbasedn and groupbasedn point to the base distinguished name (DN) that you prefer. By default, mksecldap saves the first base DN found from Active Directory with valid users and groups, and it saves the base DNs to the /etc/security/ldap/ldap.cfg file.
If the majority of your users and groups reside in the cn=users container, for example, and the userbasedn and groupbasedn point to elsewhere, manually correct userbasedn and groupbasedn. After saving the change to the /etc/security/ldap/ldap.cfg file, restart the secldapclntd daemon for the change to take effect, as follows.
```
# restart-secldapclntd
```
The AIX 5L operating system also supports multiple base DNs; multiple base DN support is described later in this article.
To verify that the AIX 5L LDAP client is configured correctly, run the lsuser command to list a user defined in Active Directory:
```
# lsuser -R LDAP <username>
```
where username should be a valid user defined in Active Directory.
To allow a Windows user to log in to the AIX 5L operating system, the administrator needs to set the user's SYSTEM and registry attributes correctly by running the following command on the AIX 5L operating system:
```
# chuser -R LDAP SYSTEM=LDAP registry=LDAP foo
```
where foo is an example user defined in Active Directory. Once the change is made, user foo can log in to the AIX 5L operating system.
Note that Windows 2000 and 2003 servers set the UNIX password for a UNIX-enabled user when their Windows password is changed. The user can log in to the AIX 5L operating system using that password until the password is changed from the AIX 5L operating system. Windows 2003 R2, at the time of this writing, does not set the UNIX password when the Windows password is changed. In such cases, the root user must run the passwd command from the AIX 5L operating system to set the UNIX password for the Windows user in order for them to log in to AIX.
It could be cumbersome to enable every user if all of the Windows users are to be allowed to log in to the AIX 5L operating system. In such cases, the administrator can manually edit the /etc/security/user file and set the SYSTEM and registry attributes of the default stanza to LDAP. If the default stanza does not have the attributes, add them. The modified default stanza would look like:
```
default:
    ...
    SYSTEM = "LDAP"
    registry = LDAP
    ...
```
If the default stanza is changed to LDAP, those locally defined users might not be able to log in to the AIX 5L operating system unless their SYSTEM is set to compat and registry set to files. The administrator must identify these accounts and run the following command on each user to make the change.
```
# chuser SYSTEM=compat registry=files <local user>
```
Configure AIX 5L to work with Active Directory using ldap_auth authentication mode
```
# mksecldap -c -h <Active Directory hostname> -a <cn=binduser,cn=users,dc=ADdomain,dc=abc,dc=com> -p <password> -A ldap_auth
```
Where:
- Active Directory hostname is your Windows Active Directory server.
- cn=binduser,cn=users,dc=ADdomain,dc=abc,dc=com is a sample bind credential. It can be a user account defined in Active Directory.
- password is the password of the above binduser account.
To verify that the AIX 5L operating system is configured correctly, run the lsuser command to list a user defined in Active Directory:
```
# lsuser -R LDAP <username>
```
where username should be a valid user defined in Active Directory.
NOTE: If you have not installed APAR IY91514 (see the Microsoft Active Directory section above to learn how to check whether the APAR is installed), the AIX 5L spassword attribute might not be mapped to the correct Active Directory password attribute. This could result in authentication failure even with the correct password. Follow these steps to correct the mapping:
- Edit the /etc/security/ldap/sfu30user.map file and find the line starting with the word spassword, for example:
  ```
  spassword SEC_CHAR msSFU30Password s
  ```
  Replace msSFU30Password with unicodePwd. Though msSFU30Password is shown in the above example, it could be something else. The line becomes:
  ```
  spassword SEC_CHAR unicodePwd s
  ```
  Save the file.
- Restart the secldapclntd daemon to make the above change take effect:
  ```
  # restart-secldapclntd
  ```
To allow a Windows user to log in to the AIX 5L operating system, the administrator needs to set the user's SYSTEM and registry attributes on the AIX 5L operating system correctly by running the following command on the AIX 5L operating system:
```
# chuser -R LDAP SYSTEM=LDAP registry=LDAP foo
```
where foo is an example user defined in Active Directory.
Once the change is made, user foo can log in to the AIX 5L operating system with their Windows password.
It could be cumbersome to do the above for every user if all of the Windows users are to be allowed to log in to the AIX 5L operating system. In such cases, the administrator can manually edit the /etc/security/user file and set the SYSTEM and registry attributes of the default stanza to LDAP. If the default stanza does not have the attributes, add them. The default stanza would look like:
```
default:
    ...
    SYSTEM = "LDAP"
    registry = LDAP
    ...
```
If the default stanza is changed to LDAP, those locally defined users might not be able to log in to the AIX 5L operating system unless their SYSTEM is set to compat and registry set to files. The administrator needs to identify these accounts and run the following command on each user to make the change.
```
# chuser SYSTEM=compat registry=files <local user>
```
The AIX 5L operating system passwd command supports changing Windows users' unicodePwd password. Windows Active Directory requires that password changes through LDAP be done over a secure connection. See the "Integrating AIX into Heterogeneous LDAP Environments" Redbook (in Resources) for details on configuring SSL on the AIX 5L operating system to work with Active Directory. The AIX 5L operating system also requires APAR IY91922 to change the unicodePwd password. To check if the APAR is installed, run this command:
```
# instfix -ik IY91922
```
Configure the AIX 5L operating system to use Kerberos authentication against Windows Key Distribution Center
In addition to authenticating users through LDAP, AIX 5L supports authentication against Windows through the Kerberos protocol. The advantage of using Kerberos is the enhanced security gained by eliminating password transfer over the wire. The combination of Kerberos and LDAP enables user authentication using Kerberos against the Windows Key Distribution Center (KDC), while user identification is done through LDAP against Active Directory. Since user information is pulled from Active Directory, there is no need to create corresponding user identities on the AIX 5L operating system. Such a configuration requires the creation of a KRB5ALDAP compound loadmodule on the AIX 5L operating system. Follow the steps below to configure the AIX 5L operating system.
1. Install the Network Authentication Services (NAS) filesets.
   The following NAS filesets, from the AIX 5L Expansion Pack CDs, must be installed:
   - krb5.client
   - krb5.lic
2. Configure the AIX 5L operating system to work with the Windows KDC.
   - Run the config.krb5 command:
     ```
     /usr/krb5/sbin/config.krb5 -C -r <Windows domain name> -d <DNS domain> -c <Windows server name> -s <Windows server name>
     ```
     For example:
     ```
     # /usr/krb5/sbin/config.krb5 -C -r ADDOMAIN.ABC.COM -d abc.com -c win2003.abc.com -s win2003.abc.com
     Initializing configuration...
     Creating /etc/krb5/krb5_cfg_type...
     Creating /etc/krb5/krb5.conf...
     The command completed successfully.
     ```
     The Windows KDC requires all capital letters for the Kerberos realm name. The settings will be saved to the /etc/krb5/krb5.conf file.
   - Windows supports the des-cbc-md5 and des-cbc-crc encryption types only. Edit the libdefaults stanza of the /etc/krb5/krb5.conf file to remove all other encryption mechanisms, so the stanza looks like:
     ```
     [libdefaults]
         default_realm = ADDOMAIN.ABC.COM
         default_keytab_name = FILE:/etc/krb5/krb5.keytab
         default_tkt_enctypes = des-cbc-md5 des-cbc-crc
         default_tgs_enctypes = des-cbc-md5 des-cbc-crc
     ```
   - Synchronize the clocks between AIX and the Windows server.
   - Run the /usr/krb5/bin/kinit command with a valid Windows user and verify that the command returns successfully. Also verify that the /usr/krb5/bin/klist command displays the user's Kerberos credentials, as follows:
     ```
     # /usr/krb5/bin/kinit foo
     Password for foo@ADDOMAIN.ABC.COM: <enter password>
     # /usr/krb5/bin/klist
     Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
     Default principal: foo@ADDOMAIN.ABC.COM

     Valid starting     Expires            Service principal
     11/27/06 15:33:55  11/28/06 01:33:28  krbtgt/ADDOMAIN.ABC.COM@ADDOMAIN.ABC.COM
             Renew until 11/28/06 15:33:55
     #
     ```
3. Configure AIX 5L LDAP to use Active Directory.
   Follow the instructions in "Configuring AIX 5L to work with Active Directory using unix_auth mode" above to configure AIX 5L LDAP to use Active Directory with the mksecldap command. Do not set the SYSTEM and registry attributes for users, and do not modify the default stanza of the /etc/security/user file.
4. Create the KRB5ALDAP compound loadmodule.
   Manually append the following lines to the /usr/lib/security/methods.cfg file:
   ```
   KRB5A:
       program = /usr/lib/security/KRB5A
       options = authonly

   KRB5ALDAP:
       options = db=LDAP,auth=KRB5A
   ```
   Alternatively, if TGT verification is not required, the compound loadmodule can be set as follows. In such cases, you can skip steps 5 and 6 and go to step 7 directly.
   ```
   KRB5A:
       program = /usr/lib/security/KRB5A
       options = tgt_verify=no

   KRB5ALDAP:
       options = db=LDAP,auth=KRB5A
   ```
5. Create an AIX 5L host principal on the Windows server.
   - Create a user account on the Windows server. Make the AIX 5L host name the user name, for example, aixhost.
   - Map the account to the AIX 5L host principal by running the ktpass command on the Windows server, and write the keytab output of the ktpass command to a file:
     ```
     ktpass -princ host/aixhost.ibmabc.com@ADDOMAIN.ABC.COM -mapuser aixhost -pass password -out aixhost.keytab
     ```
6. Copy the aixhost.keytab file to the AIX system, and add the key to the AIX keytab using the ktutil tool:
   ```
   # /usr/krb5/sbin/ktutil
   ktutil: rkt aixhost.keytab
   ktutil: wkt /etc/krb5/krb5.keytab
   ktutil: q
   ```
7. Enable Windows users to log in to the AIX 5L operating system.
   To allow a Windows user to log in to the AIX 5L operating system using the KRB5ALDAP mechanism, the administrator needs to enable the user by running the following command on the AIX 5L operating system:
   ```
   # chuser -R KRB5ALDAP SYSTEM=KRB5ALDAP registry=KRB5ALDAP foo
   ```
   where foo is an example user. Once the change is made, Windows users can log in to the AIX 5L operating system with their Windows password. There is no need to create corresponding users on the AIX 5L operating system. The user's identification information is pulled from Windows Active Directory.
   It could be cumbersome to do the above for every user if all of the Windows users are to be allowed to log in to the AIX 5L operating system. In such cases, the administrator can manually edit the /etc/security/user file and set the SYSTEM and registry attributes of the default stanza to KRB5ALDAP. If the default stanza does not have the attributes, add them. The default stanza might look like:
   ```
   default:
       ...
       SYSTEM = KRB5ALDAP
       registry = KRB5ALDAP
       ...
   ```
   If the default stanza is changed to KRB5ALDAP, those locally defined users might not be able to log in to the AIX 5L operating system unless their SYSTEM is set to compat and registry set to files. The administrator needs to identify these accounts and run the following command on each user to make the change:
   ```
   # chuser SYSTEM=compat registry=files <local user>
   ```
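The "identify these accounts" step above is the same whether the default stanza is switched to LDAP (unix_auth or ldap_auth mode) or to KRB5ALDAP. The following shell script is an added example, not code from the article or from AIX: it reads a copy of /etc/security/user, resolves each user's effective SYSTEM and registry (the user's own values, or those inherited from the default stanza), and lists the local accounts that still need chuser SYSTEM=compat registry=files. The stanza file and the user names root, srvadm and opuser are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from AIX: find local
# accounts that would be locked out after the default stanza of
# /etc/security/user is switched to KRB5ALDAP (or LDAP), i.e. accounts
# whose effective SYSTEM/registry is not compat/files and that still
# need "chuser SYSTEM=compat registry=files <user>".

# Constructed stanza file in the style of /etc/security/user. The user
# names are hypothetical. Real files indent with tabs; the parser below
# accepts tabs or spaces.
sample_user_file() {
    cat <<'EOF'
default:
        admin = false
        login = true
        SYSTEM = "KRB5ALDAP"
        registry = KRB5ALDAP

root:
        admin = true
        SYSTEM = "compat"
        registry = files

srvadm:
        admin = false
        login = true

opuser:
        registry = files
EOF
}

# Usage: users_needing_fix <stanza-file>
# Prints, one per line and in file order, every non-default stanza whose
# effective SYSTEM is not "compat" or effective registry is not "files".
# An attribute missing from a user stanza is inherited from "default",
# which is how AIX interprets the file. Surrounding quotes are ignored.
users_needing_fix() {
    awk '
    /^[^ \t#][^:]*:[ \t]*$/ {            # "name:" opens a stanza
        stanza = $0; sub(/:[ \t]*$/, "", stanza)
        if (stanza != "default") order[++n] = stanza
        next
    }
    /^[ \t]+[A-Za-z_]+[ \t]*=/ {         # "attr = value" inside a stanza
        line = $0; sub(/^[ \t]+/, "", line)
        split(line, kv, /[ \t]*=[ \t]*/)
        val = kv[2]; gsub(/"/, "", val)
        attr[stanza, kv[1]] = val
        next
    }
    END {
        for (i = 1; i <= n; i++) {
            u = order[i]
            sys = ((u, "SYSTEM")   in attr) ? attr[u, "SYSTEM"]   : attr["default", "SYSTEM"]
            reg = ((u, "registry") in attr) ? attr[u, "registry"] : attr["default", "registry"]
            if (sys != "compat" || reg != "files") print u
        }
    }' "$1"
}

# Stand-alone run on the constructed file: prints srvadm and opuser
# (root already carries SYSTEM=compat and registry=files).
demo=${TMPDIR:-/tmp}/user.sample.$$
sample_user_file > "$demo"
users_needing_fix "$demo"
rm -f "$demo"
```

Run it against a copy of the real file (users_needing_fix /etc/security/user) after editing the default stanza but before restarting services, and feed the output to the chuser command from the step above. opuser in the sample shows the partial case: its registry is already files, but SYSTEM is still inherited from the default stanza, so it is reported as well.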
Users will not be able to log in to the AIX 5L operating system with their old unix_auth mode LDAP password after the KRB5ALDAP mechanism is configured. On the other hand, users can continue to log in to the AIX 5L operating system with the same password if ldap_auth mode was used. This is because ldap_auth makes use of the Windows password itself, while unix_auth mode uses a different password.
Considerations specific to Active Directory
This section briefly describes some of the issues you might encounter when using Microsoft Active Directory as the LDAP server for AIX 5L clients.
Support for multiple passwords in Active Directory
It has been observed that Active Directory supports four distinct password attributes in its databases for users:
- userPassword
- unixUserPassword
- msSFU30Password
- unicodePwd
Hence, password management on the AIX 5L operating system can be a problem with Active Directory: it is not very clear which attribute clients should use for password management. The AIX 5L LDAP attribute mapping capability enables clients to study this aspect and customize password management according to their needs.
The AIX 5L operating system supports two authentication mechanisms: unix_auth and ldap_auth. Some possible password management strategies for these modes of authentication are:
- unix_auth mode authentication
  - With the unix_auth mode of AIX 5L authentication, the password in Active Directory is required to be in crypt format. During authentication, the crypted password is retrieved from Active Directory and compared to the crypted form of the password entered by the user. By default, the AIX 5L operating system uses the msSFU30Password attribute in Active Directory operating on Windows 2000 and 2003, and the userPassword attribute on Windows 2003 R2.
  - If a different password attribute is to be used, the administrator needs to set it manually by modifying the /etc/security/ldap/sfu30user.map file (or /etc/security/ldap/sfur2user.map if Active Directory is running on Windows 2003 R2). Find the line that starts with the word spassword and change the third field of the line to the desired Active Directory password attribute name. See "LDAP Attribute Mapping File Format" in the AIX 5L Security guide for more information. Run the mksecldap command to configure the AIX 5L LDAP client after the change. Or, if the AIX 5L client is already configured, run the restart-secldapclntd command to restart the secldapclntd daemon to absorb the change.
  - In this mode of authentication, the AIX 5L client cannot use the unicodePwd attribute because it is in unicode format, not the crypt format that is required by the unix_auth authentication mode.
  - A disadvantage of using the unix_auth authentication mode is that passwords for AIX 5L and Windows systems could end up being different. This happens if the user changes the password from the AIX 5L client. Though users can use the passwd command from the AIX 5L client to reset their password to be the same as the Windows password, the AIX 5L client does not support automatically changing the Windows password when a user changes their password from the AIX 5L operating system.
- ldap_auth authentication mode
  - With the ldap_auth mode, the AIX 5L operating system authenticates a user by an LDAP bind operation to the server with the user's identity and the supplied password. To achieve this type of Active Directory server-based authentication, the AIX 5L password must be mapped to Active Directory's unicodePwd attribute. When configuring AIX 5L LDAP with ldap_auth mode, mksecldap maps the password attribute to Active Directory's unicodePwd attribute. This feature requires APAR IY91514; if it is not installed, see the Microsoft Active Directory section to manually change the password mapping.
  - The unicodePwd attribute is used when users log in to Windows systems. By mapping AIX 5L passwords to unicodePwd, users defined in Active Directory can log in to Windows systems and AIX 5L systems using the same password. The AIX 5L operating system only supports using unicodePwd in ldap_auth mode. This also allows users to change passwords from AIX 5L systems, and the change will be in effect across AIX 5L and Windows systems.
Group management using Active Directory group attribute
Similar to password issues, Microsoft's Services for UNIX defines multiple group member-related attributes:
- memberUid
- msSFU30MemberUid
- msSFU30PosixMember
The memberUid and msSFU30MemberUid attributes accept user account names, while msSFU30PosixMember accepts only a full DN. For example, for a user account, foo (with last name bar), defined in Active Directory:
- memberUid: foo
- msSFU30MemberUid: foo
- msSFU30PosixMember: cn=foo bar,cn=users,dc=ADdomain,dc=abc,dc=com
The AIX 5L LDAP client can be configured to use any of these attributes. Discuss which attributes to use with your Active Directory administrator. It is recommended that memberUid or msSFU30MemberUid be used in favor of msSFU30PosixMember, since the former store less data and generate less network traffic, giving better performance. By default, mksecldap configures the AIX 5L LDAP client to use the msSFU30PosixMember attribute against Active Directory running on Windows 2000 and 2003, and the memberUid attribute against Active Directory running on Windows 2003 R2. This default follows Active Directory's own behavior: it populates the corresponding attribute when a user is added to a group from Windows. Your organization's strategy might require the use of a non-default group member attribute to support multiple platforms.
As in the case of passwords, the AIX 5L administrator can configure the LDAP client to use a different group member attribute. You can change the mapping by manually editing the group mapping file. The group mapping file is /etc/security/ldap/sfu30group.map for Active Directory running on Windows 2000 and 2003, and /etc/security/ldap/sfur2group.map for Active Directory running on Windows 2003 R2. Find the line that starts with the word "users", and replace the third field with the desired attribute name for group members. See "LDAP Attribute Mapping File Format" in the AIX 5L Security guide for more information.
Execute the mksecldap command to configure the AIX 5L LDAP client after the change. Or, if the AIX 5L client is already configured, run the restart-secldapclntd command to restart the secldapclntd daemon to absorb the change.
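The map-file edit just described (replace the third field of the "users" line in the group map) is the same one the ldap_auth section makes on the "spassword" line of sfu30user.map. The following shell script is an added example, not code from the article or from AIX: it reads and rewrites that third field for a named AIX attribute, refusing to touch the file when the attribute is not present. The map excerpts are constructed for the example; only the spassword line comes from the article, the other entries are illustrative and may differ from the files shipped with AIX.

```shell
#!/bin/sh
# Added example, not code from the article or from AIX: change the
# directory attribute (third field) that one AIX attribute maps to in an
# /etc/security/ldap/*.map file. This is the edit the article describes
# for the "spassword" line of sfu30user.map and the "users" line of
# sfu30group.map. Run mksecldap or restart-secldapclntd afterwards, as
# the article says; this script only edits the file.

# Constructed map excerpts. Only the spassword line is taken from the
# article; the other entries are illustrative.
sample_user_map() {
    cat <<'EOF'
# AIX attribute   type      Active Directory attribute   s/m
username          SEC_CHAR  msSFU30Name                  s
spassword         SEC_CHAR  msSFU30Password              s
EOF
}
sample_group_map() {
    cat <<'EOF'
groupname         SEC_CHAR  msSFU30Name                  s
users             SEC_LIST  msSFU30PosixMember           m
EOF
}

# Usage: map_get <mapfile> <aix-attribute>
# Prints the directory attribute currently mapped to the AIX attribute.
map_get() {
    awk -v key="$2" '$1 == key { print $3; exit }' "$1"
}

# Usage: map_set <mapfile> <aix-attribute> <new-directory-attribute>
# Rewrites field 3 of the matching line in place; comments, blank lines
# and the other fields (type and single/multi-valued flag) are kept.
# Returns non-zero, leaving the file untouched, if the attribute is not
# in the file, so a typo in the attribute name cannot go unnoticed.
map_set() {
    map_file=$1 map_key=$2 map_new=$3
    grep -q "^${map_key}[[:space:]]" "$map_file" || {
        echo "map_set: no entry for $map_key in $map_file" >&2
        return 1
    }
    map_tmp="$map_file.$$"
    awk -v key="$map_key" -v newattr="$map_new" '
        $1 == key { $3 = newattr }
        { print }
    ' "$map_file" > "$map_tmp" && mv "$map_tmp" "$map_file"
}

# Stand-alone run: switch spassword to unicodePwd (ldap_auth mode) and
# the group member attribute to memberUid, then show the result.
umap=${TMPDIR:-/tmp}/sfu30user.map.$$
gmap=${TMPDIR:-/tmp}/sfu30group.map.$$
sample_user_map > "$umap"
sample_group_map > "$gmap"
map_set "$umap" spassword unicodePwd
map_set "$gmap" users memberUid
echo "spassword -> $(map_get "$umap" spassword)"   # unicodePwd
echo "users     -> $(map_get "$gmap" users)"       # memberUid
rm -f "$umap" "$gmap"
```

On a real client the calls would be map_set /etc/security/ldap/sfu30user.map spassword unicodePwd and map_set /etc/security/ldap/sfu30group.map users memberUid (or the sfur2 files on Windows 2003 R2), followed by restart-secldapclntd. Note that awk rebuilds the edited line with single spaces between fields; the other lines are printed unchanged.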
Multiple organizational units
Active Directory supports user information being distributed across different subtrees. Most Active Directory users are defined in the cn=users,... subtree, but some might be defined elsewhere. It is also possible for the Active Directory server to have multiple organizational units defined, with each containing a set of users. The multiple base DN support feature of the AIX 5L operating system could be used to configure against such an Active Directory server. Continue on to the next section for more information about this feature.
Prior to the AIX 5L TL5 update, LDAP user management supported one base DN. For example, you could specify only a single user base DN in /etc/security/ldap/ldap.cfg. In the case of multiple subtrees, the userbasedn attribute had to point to a common parent of the subtrees for all of the users to be visible to the AIX 5L operating system. This required that all subtrees be under the same suffix, since there is no common parent between suffixes.
The AIX 5L Version 5.3 TL 5 update implements support for multiple base DNs. Up to 10 base DNs for each entity can be specified in the /etc/security/ldap/ldap.cfg file. The base DNs are prioritized in the order they appear in the /etc/security/ldap/ldap.cfg file. An operation by AIX 5L commands is performed according to the priority of the base DNs.
- A query operation, such as the lsuser command, will be done to the base DNs according to their priority until a matching account is found. A failure is returned if all of the base DNs are searched without finding a match. Querying for ALL will result in all of the accounts from every base DN being returned.
- Modification operations, such as the chuser command, will be done to the first matching account.
- Delete operations, such as the rmuser command, will be done to the first matching account.
- Creation operations, such as the mkuser command, will be done only to the first base DN. The AIX 5L operating system does not support creating accounts in other base DNs. The AIX 5L LDAP client does not support creating users and groups in Active Directory.
It is the directory server administrator's responsibility to maintain a collision-free account database. If there are multiple definitions of the same account, each under a different subtree, only the first account will be visible to the AIX 5L operating system. A search operation will return only the first matching account. Similarly, a modification or a delete operation will be done only to the first matching account.
The mksecldap command, when used to configure an LDAP client, will find the base DN and will save it to the /etc/security/ldap/ldap.cfg file. When the LDAP server has multiple base DNs available for an entity, mksecldap picks one of them arbitrarily. For the AIX 5L LDAP client to work with multiple base DNs, you need to manually edit the /etc/security/ldap/ldap.cfg file after mksecldap has been executed successfully to configure the AIX 5L LDAP client. Find the appropriate base DN definition in the file and add the additional base DNs desired. The AIX 5L LDAP client supports up to 10 base DNs for each entity; any additional base DNs will be ignored.
The following example shows two user base DNs in /etc/security/ldap/ldap.cfg.
```
userbasedn: CN=Users,DC=ADdomain,DC=abc,DC=com
userbasedn: OU=sales,OU=DomainControllers,DC=ADdomain,DC=abc,DC=com
```
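To make the priority rules concrete, here is an added Python model of how the client resolves accounts over the two base DNs above. It is an illustration written for this page, not AIX or secldapclntd code: the ldap.cfg fragment, the directory contents and the account names are constructed. It shows the first-match rule for queries, the union returned for ALL, the first-base-DN rule for creation, the 10-base-DN cap, and a collision check that reports accounts defined under more than one base DN, which is the situation the directory administrator is responsible for avoiding because only the first definition is ever seen or modified.

```python
"""Model of how the AIX 5L LDAP client resolves accounts across prioritized
base DNs.  Added illustration, not AIX code; all data below is constructed."""

MAX_BASE_DNS = 10  # AIX 5L reads at most 10 base DNs per entity; extras are ignored

# Constructed /etc/security/ldap/ldap.cfg fragment: two user base DNs in
# priority order, followed by an unrelated key that must be skipped.
LDAP_CFG = """\
userbasedn: CN=Users,DC=ADdomain,DC=abc,DC=com
userbasedn: OU=sales,OU=DomainControllers,DC=ADdomain,DC=abc,DC=com
groupbasedn: CN=Users,DC=ADdomain,DC=abc,DC=com
"""

# Constructed directory contents: base DN -> {account name: attributes}.
# "bob" is deliberately defined under both subtrees to show shadowing.
DIRECTORY = {
    "CN=Users,DC=ADdomain,DC=abc,DC=com": {
        "alice": {"msSFU30UidNumber": "1001"},
        "bob": {"msSFU30UidNumber": "1002"},
    },
    "OU=sales,OU=DomainControllers,DC=ADdomain,DC=abc,DC=com": {
        "carol": {"msSFU30UidNumber": "2001"},
        "bob": {"msSFU30UidNumber": "2002"},  # shadowed by the bob above
    },
}


def base_dns(cfg_text, key="userbasedn"):
    """Return the base DNs for `key` in file order (= priority), capped at 10."""
    dns = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue
        k, v = line.split(":", 1)
        if k.strip() == key:
            dns.append(v.strip())
    return dns[:MAX_BASE_DNS]


def lookup(name, dns, directory):
    """lsuser-style query: the first base DN (by priority) holding `name` wins.
    Returns (base_dn, attributes) or None when no base DN has a match."""
    for dn in dns:
        if name in directory.get(dn, {}):
            return dn, directory[dn][name]
    return None


def lookup_all(dns, directory):
    """lsuser ALL: every account from every base DN, tagged with its base DN."""
    return [(dn, name) for dn in dns for name in sorted(directory.get(dn, {}))]


def creation_target(dns):
    """mkuser: new accounts are created only under the first base DN."""
    return dns[0]


def collisions(dns, directory):
    """Accounts defined under more than one base DN (only the first is visible,
    and chuser/rmuser act only on that first one)."""
    seen = {}
    for dn in dns:
        for name in directory.get(dn, {}):
            seen.setdefault(name, []).append(dn)
    return {name: where for name, where in seen.items() if len(where) > 1}


if __name__ == "__main__":
    dns = base_dns(LDAP_CFG)
    print("bob resolves to", lookup("bob", dns, DIRECTORY))
    print("mkuser would create under", creation_target(dns))
    print("shadowed accounts:", collisions(dns, DIRECTORY))
```

Running the collision check against a real directory export before adding a second base DN is the practical takeaway: a duplicate such as the constructed "bob" is silently shadowed, so a chuser or rmuser aimed at the sales copy would land on the CN=Users copy instead.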
The AIX 5L client also supports a user-defined filter and search scope for each base DN. A base DN can have its own filter and scope, which might be different from its peer base DNs. Filters could be used to define the set of accounts that will be visible to the AIX 5L operating system. Only those accounts that satisfy the filter will be visible to the AIX 5L operating system.
The next section provides more information on the multiple base DN format and filter format.
The AIX 5L operating system V5.3 at the TL5 update level and later also supports the extended base DN format for associating customized filter and scope fields with each base DN, with fields being separated by a "?" character. The scope and filter attributes are optional. The following base DN formats are supported in AIX 5L:
- userbasedn: ou=people, cn=aixdata
- userbasedn: ou=people, cn=aixdata?scope
- userbasedn: ou=people, cn=aixdata??filter
- userbasedn: ou=people, cn=aixdata?scope?filter
The first format represents the default format used by the secldapclntd daemon. The second and third formats allow limiting of a search by using a scope attribute or a filter attribute, respectively. The fourth format allows both a scope and a filter.
The scope attribute accepts the following values:
- sub
- one
- base
The filter attribute allows further limiting of the entries defined in the LDAP server. You can use this filter to make only users with certain properties visible to the system. The following shows a few valid filter formats, where attribute is the name of an LDAP attribute, and value specifies the search criteria. Value can be a wild card "*".
- (attribute=value)
- (&(attribute=value)(attribute=value))
- (|(attribute=value)(attribute=value))
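The following added Python example shows how the extended base DN format and the three filter forms above fit together. It is an illustration written for this page, not AIX or secldapclntd code: it splits a `dn?scope?filter` value into its parts, rejects an unknown scope or a malformed filter at load time, and evaluates a filter (including the "*" wild card) against constructed entries to report which accounts would be visible under that base DN. The entry contents and attribute names are constructed; attribute names and values are compared case-insensitively, as LDAP string matching normally is.

```python
"""Parse the AIX 5L extended base DN format (dn?scope?filter) and evaluate the
documented filter forms.  Added illustration, not AIX code; data constructed."""

import re

VALID_SCOPES = ("sub", "one", "base")


def parse_basedn(value):
    """Split 'dn?scope?filter' into parts; scope and filter are optional."""
    parts = value.split("?")
    if len(parts) > 3:
        raise ValueError("too many '?' fields: %r" % value)
    dn = parts[0].strip()
    scope = parts[1].strip() if len(parts) > 1 and parts[1].strip() else "sub"
    filt = parts[2].strip() if len(parts) > 2 and parts[2].strip() else None
    if not dn:
        raise ValueError("empty base DN")
    if scope not in VALID_SCOPES:
        raise ValueError("bad scope %r (expected sub, one or base)" % scope)
    if filt is not None:
        parse_filter(filt)  # fail early on a filter the server would reject
    return {"dn": dn, "scope": scope, "filter": filt}


def parse_filter(text):
    """Parse (a=v), (&(..)(..)) and (|(..)(..)) into a small tree:
    ('eq', attr, value) or ('and'|'or', [children])."""
    tree, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return tree


def _parse_node(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|":
        op = "and" if text[pos] == "&" else "or"
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_node(text, pos)
            children.append(child)
        if not children:
            raise ValueError("empty %s filter" % op)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced parenthesis")
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unbalanced parenthesis")
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError("expected attribute=value at offset %d" % pos)
    return ("eq", attr.strip(), value), end + 1


def _wild_match(pattern, value):
    """LDAP-style match: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(tree, entry):
    """Evaluate a parsed filter against an entry ({lower-case attr: [values]})."""
    if tree[0] == "eq":
        _, attr, pattern = tree
        return any(_wild_match(pattern, v) for v in entry.get(attr.lower(), []))
    results = [matches(child, entry) for child in tree[1]]
    return all(results) if tree[0] == "and" else any(results)


def visible_accounts(basedn_value, entries):
    """Account names under this base DN that the client would see."""
    spec = parse_basedn(basedn_value)
    if spec["filter"] is None:
        return sorted(entries)
    tree = parse_filter(spec["filter"])
    return sorted(name for name, e in entries.items() if matches(tree, e))


# Constructed entries keyed by account name (attribute names lower-cased).
ENTRIES = {
    "alice": {"objectclass": ["user", "posixAccount"], "loginshell": ["/bin/ksh"]},
    "bob": {"objectclass": ["user"], "loginshell": ["/bin/bash"]},
    "svc-backup": {"objectclass": ["user", "posixAccount"], "loginshell": ["/bin/false"]},
}
```

The value of validating the filter when the configuration is read, rather than at first lookup, is that a typo in ldap.cfg surfaces as a clear configuration error instead of as a base DN that silently matches nothing and makes a whole subtree of users disappear from the system.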
Appendix A. Service for UNIX 3.0 and 3.5 schema mappings
The following are user and group attribute mapping files for Active Directory running on Windows 2000 and 2003 servers with Microsoft Service for UNIX Version 3.0 or 3.5 installed. The mapping files are shipped with the AIX 5L V5.3 TL5 update.
Table 2. /etc/security/ldap/sfu30user.map
| AIX attribute | AIX attribute type | LDAP attribute | LDAP value type |
|---|---|---|---|
| username | SEC_CHAR | msSFU30Name | s |
| id | SEC_INT | msSFU30UidNumber | s |
| pgrp | SEC_CHAR | msSFU30GidNumber | s |
| home | SEC_CHAR | msSFU30HomeDirectory | s |
| shell | SEC_CHAR | msSFU30LoginShell | s |
| gecos | SEC_CHAR | msSFU30Gecos | s |
| spassword | SEC_CHAR | msSFU30Password | s |
| lastupdate | SEC_INT | msSFU30ShadowLastChange | s |
| maxage | SEC_INT | msSFU30ShadowMax | s |
| minage | SEC_INT | msSFU30ShadowMin | s |
| maxexpired | SEC_INT | msSFU30ShadowExpire | s |
| pwdwarntime | SEC_INT | msSFU30ShadowWarning | s |
| #spassword | SEC_CHAR | unicodePwd | s |
The last commented line shows the password mapping for ldap_auth authentication mode.
Table 3. /etc/security/ldap/sfu30group.map
| AIX attribute | AIX attribute type | LDAP attribute | LDAP value type |
|---|---|---|---|
| groupname | SEC_CHAR | msSFU30Name | s |
| id | SEC_INT | msSFU30GidNumber | s |
| users | SEC_LIST | msSFU30PosixMember | s |
| #users | SEC_LIST | msSFU30MemberUid | s |
The last commented line shows the alternative group member attribute mapping.
Appendix B. Windows 2003 R2 schema mappings
The following are user and group attribute mapping files for Active Directory running on Windows 2003 R2 with the Windows R2 schema. These mappings are for reference only and are subject to change before they ship.
Table 4. User attribute mappings for Windows 2003 R2 schema
| AIX attribute | AIX attribute type | LDAP attribute | LDAP value type |
|---|---|---|---|
| username | SEC_CHAR | uid | s |
| id | SEC_INT | uidNumber | s |
| pgrp | SEC_CHAR | gidNumber | s |
| home | SEC_CHAR | unixhomeDirectory | s |
| shell | SEC_CHAR | loginShell | s |
| gecos | SEC_CHAR | gecos | s |
| spassword | SEC_CHAR | userPassword | s |
| lastupdate | SEC_INT | shadowLastChange | s |
| maxage | SEC_INT | shadowMax | s |
| minage | SEC_INT | shadowMin | s |
| maxexpired | SEC_INT | shadowExpire | s |
| pwdwarntime | SEC_INT | shadowWarning | s |
| #spassword | SEC_CHAR | unixuserPassword | s |
| #spassword | SEC_CHAR | unicodePwd | s |
Table 5. Group attribute mappings for Windows 2003 R2 schema
| AIX attribute | AIX attribute type | LDAP attribute | LDAP value type |
|---|---|---|---|
| groupname | SEC_CHAR | cn | s |
| id | SEC_INT | gidNumber | s |
| users | SEC_LIST | memberUid | s |
- IY91514: This APAR is required for the AIX 5L operating system to work with Active Directory running on Windows 2003 R2 with the new UNIX schema.
- IY91922: Supports password change in ldap_auth mode. Windows Active Directory requires that a password change through LDAP be done over a secure connection. See the Integrating AIX into Heterogeneous LDAP Environments IBM Redbook (see Resources) for information on configuring SSL on the AIX 5L operating system to work with Active Directory.
Learn
- AIX 5L Version 5.3 Security: This guide provides information on file, system, and network security.
- Integrating AIX into Heterogeneous LDAP Environments: This IBM Redbook provides sample integration scenarios for migrating AIX 5L users from traditional local file authentication to an LDAP server, or for adding new AIX 5L boxes to an environment where there are users already defined.
- Configure the AIX 5L operating system for Kerberos-based authentication using Windows Kerberos Service: Read this white paper to learn about using Kerberos as an alternative authentication mechanism for AIX with the Windows 2000 or 2003 server Kerberos Service.
- Configuring an AIX 5L client system for user authentication and management through LDAP: Read this paper about configuring AIX systems as clients of directory servers, both IBM Directory servers and third-party LDAP servers, for a complete picture of how to configure and exploit the AIX LDAP security solution.
- AIX and UNIX: Visit the developerWorks AIX and UNIX zone to expand your UNIX skills.
- New to AIX and UNIX: Visit the New to AIX and UNIX page to learn more about AIX and UNIX.
- AIX 5L Wiki: A collaborative environment for technical information related to AIX.
- developerWorks technical events and webcasts: Stay current with developerWorks technical events and webcasts.
Tom Lu works as a Software Engineer in the IBM Austin office on the AIX security team. Tom has been involved in software development for over eight years. He specializes in LDAP-related software implementation and is the key architect of LDAP-based user management facility on AIX. Tom is currently playing a key role in implementing some of the AIX security features scheduled for the next major release. You can reach him at ylu@us.ibm.com.

Ravi Shankar works as a Software Engineer in the IBM Austin office as the security architect for AIX. Ravi has over 15 years of industry experience in UNIX software development and operating system internals. He has been working with IBM for more than eleven years, working on multiple projects and developing a broad understanding of UNIX operating systems. Ravi works closely to guide and manage AIX security feature implementations. You can reach him at shanravi@us.ibm.com.