Lightweight Directory Access Protocol (LDAP) is a subset of the X.500 directory access protocol. An LDAP directory holds information about different kinds of objects, such as user names, group names, and file names. The LDAP protocol defines the exchange of information between an LDAP client and an LDAP server; applications use the LDAP client to query LDAP servers for the information an application request needs. This article can be used as a quick reference for understanding the LDAP client features in the AIX® 6.1 and 7.1 releases.

Uma Chandolu (uchandol@in.ibm.com), AIX security developer and support specialist, IBM

Uma M. Chandolu works as a development support specialist on AIX. He has over 6 years of extensive hands-on experience in AIX environments and demonstrated expertise in AIX system administration and other subsystems. He has experience interfacing with customers and handling customer-critical situations. He has been recognized as an IBM developerWorks Contributing Author. You can reach him at uchandol@in.ibm.com.



Jyoti B. Tenginakai (jyoti.b.t@in.ibm.com), Software engineer, IBM

Jyoti Tenginakai works at IBM India as a software engineer. She has 7 years of experience in the software industry, over five of them at IBM India. In her initial years with IBM, she worked on open source components such as OpenSSH and LSOF. She also worked on the Trusted Execution and EFS features. She completed her bachelor's degree in electronics and communications at Visweshwaraiah Technology University.



29 November 2011


Introduction

AIX has provided LDAP as a load module since the AIX 4.3 release. LDAP is a connection-oriented protocol that runs on TCP/IP. The module can be configured for user and group management on AIX systems, and the AIX native commands are integrated to support LDAP functionality. The AIX LDAP client daemon, secldapclntd, sends requests to the LDAP server and fetches the details that an application or command asked for. The scope of this article is the enhancements to the AIX LDAP client environment from AIX 6.1 TL06 and AIX 7.1 onward. The LDAP client enhancements from AIX 6.1 TL06 onward are:

  • LDAP case sensitivity
  • LDAP alias support
  • LDAP cache enhancement
  • LDAP negative cache enhancement
  • Integration of Domain RBAC with LDAP

LDAP case sensitivity

Users and groups on LDAP servers are case insensitive: LDAP treats the users foo, Foo and FOO as the same user. UNIX® is case sensitive, so it treats them as different users. As a result, when privileges are granted or restricted for any one of these users in an AIX environment, the change applies to all of them on the LDAP server. This kind of scenario can lead to a security breach.

The AIX LDAP client is enhanced to handle this case sensitivity issue. A new configuration parameter "caseExactAccountName" is introduced under the AIX LDAP client configuration file, /etc/security/ldap/ldap.cfg. When this parameter is set to "yes", the LDAP client checks for an exact match for the user name entered with the LDAP server returned results. By default, this option is set to "no". Whenever the LDAP client configuration file is modified for the changes to take effect, restart the LDAP client daemon.

Run the following command to restart the LDAP client daemon:

# /usr/sbin/restart-secldapclntd

When the caseExactAccountName parameter is set to "yes" and the LDAP user foo exists on the LDAP server, and an administrator or privileged user tries to create another user Foo, the mkuser command displays the following message:

# mkuser -R LDAP Foo
3004-698 Error committing changes to "Foo".

Similarly, with lsuser command, the following message is displayed:

# lsuser -R LDAP Foo
3004-687 User "Foo" does not exist.

LDAP alias support

LDAP stores information in the directory information tree (DIT) format and manages users and groups. Sometimes a user is known by multiple user names, that is, by aliases for the primary user name.

LDAP stores user information in the following directory tree format:

dn: uid=foo,ou=people,cn=aixdata
uid: foo
uid: foo1
objectclass: posixaccount
…

dn: uid=foo,ou=people,cn=aixdata is referred to as the distinguished name (DN) of the user. The relative distinguished name (RDN) of the user comes from the uid attribute, which here carries two values, foo and foo1. AIX native commands such as lsuser fetch the user's attributes from the LDAP server using either foo or foo1. However, AIX login uses the distinguished name as the user name, so logging in as foo succeeds but logging in as foo1 fails. The AIX LDAP client is now enhanced to support the LDAP alias mechanism during the user's login.
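The two client behaviours described so far, the exact-match check that caseExactAccountName enables and the alias-aware lookup across every uid value of an entry, as one added shell example. It is not code from the article or from AIX: the LDIF entries and the two ldap.cfg fragments are constructed for the example, the key:value line form of ldap.cfg is assumed, and ldapcfg_case_exact, ldap_resolve_user and login_lookup are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not AIX code: resolve a login name against the uid values of
# LDIF user entries, honouring the caseExactAccountName setting the article
# describes. All input below is constructed for the example.

# Constructed ldap.cfg fragments (key:value lines, as ldap.cfg uses): the
# default, which lets foo/Foo/FOO collapse into one account, and the hardened
# setting that makes the client demand an exact match.
CFG_DEFAULT=$(mktemp);  printf 'ldapservers:ldap.example.test\ncaseExactAccountName:no\n'  > "$CFG_DEFAULT"
CFG_HARDENED=$(mktemp); printf 'ldapservers:ldap.example.test\ncaseExactAccountName:yes\n' > "$CFG_HARDENED"

# Constructed directory entries: user foo also carries the alias foo1.
SAMPLE_LDIF='dn: uid=foo,ou=people,cn=aixdata
uid: foo
uid: foo1
objectclass: posixaccount

dn: uid=bar,ou=people,cn=aixdata
uid: bar
objectclass: posixaccount'

# ldapcfg_case_exact FILE  (hypothetical helper)
#   Prints "yes" when caseExactAccountName is enabled in FILE, otherwise "no",
#   the default the article gives when the key is absent.
ldapcfg_case_exact() {
    awk -F: '/^[ \t]*#/ { next }
             $1 == "caseExactAccountName" { v = tolower($2); gsub(/[ \t]/, "", v) }
             END { r = (v == "yes") ? "yes" : "no"; print r }' "$1"
}

# ldap_resolve_user NAME CASEEXACT  (hypothetical helper)
#   Prints the DN of the entry whose uid attribute (any value, so aliases count)
#   matches NAME. CASEEXACT=yes compares bytes exactly, as the client does when
#   caseExactAccountName is "yes"; "no" compares case-insensitively, which is
#   how the directory itself matches. Exit status 1 when nothing matches.
ldap_resolve_user() {
    printf '%s\n' "$SAMPLE_LDIF" | awk -v want="$1" -v exact="${2:-no}" '
        /^dn:/  { dn = $0; sub(/^dn:[ \t]*/, "", dn); next }
        /^uid:/ { v = $0; sub(/^uid:[ \t]*/, "", v)
                  hit = (exact == "yes") ? (v == want) : (tolower(v) == tolower(want))
                  if (hit) { print dn; found = 1; exit } }
        END     { exit (found ? 0 : 1) }'
}

# login_lookup NAME CFGFILE  (hypothetical helper)
#   Ties the two together the way a login would: read the client setting, then
#   resolve NAME. Prints the DN or "no such user".
login_lookup() {
    ldap_resolve_user "$1" "$(ldapcfg_case_exact "$2")" || echo "no such user"
}

# Stand-alone demonstration.
login_lookup foo1 "$CFG_HARDENED"   # alias resolves: uid=foo,ou=people,cn=aixdata
login_lookup Foo  "$CFG_DEFAULT"    # collapses onto foo's entry
login_lookup Foo  "$CFG_HARDENED"   # no such user
```

The third call is the case the article's mkuser and lsuser messages illustrate: with the exact-match setting, Foo is not foo, so the client reports no such user instead of silently operating on foo's entry.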


LDAP caching enhancement

The AIX LDAP client daemon, secldapclntd, stores user and group entries retrieved from the LDAP server in the LDAP client cache. User attributes are stored in the user cache, and group attributes in the group cache. Each cache entry carries a time stamp. After the cache timeout, which is configurable, the cache entry is invalidated, and the next query for that user results in an LDAP query to the LDAP server. The new result from the LDAP server is cached again for subsequent requests from applications and commands on the LDAP client.

The caching mechanism has a limitation with the current implementation. When a user account is modified or updated, the update may not be visible to an AIX system if the user is still cached with old values. One example is a password change. Within the cache timeout window, a user may still be allowed to log in to a system where the user cache entry is still valid using the old password, even after the password has been changed from a different system. For the same reason, logging in to the latter system with the new password would fail if the old password were still cached and valid.

This limitation has been resolved by extending the caching mechanism in the AIX LDAP client. A new attribute, TO_BE_CACHED, has been added to the LDAP user and group map files. By default the value of this attribute is "yes", which means that all user and group attributes are cached. It can be set to "no" for the user and group attributes that should not be cached. When a user request comes in, the LDAP client first scans the user and group map files to see whether TO_BE_CACHED is set to "no" for any of the requested attributes. If so, it bypasses the cache and sends the request to the LDAP server; otherwise it checks whether the request can be served from the cache.
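The cache decision just described, as an added shell example that is not AIX's own code: before the cache is consulted, each requested attribute is looked up in the user map file, and the request goes to the server if any of them is marked TO_BE_CACHED no. The map file content is constructed for the example, its column layout (AIX attribute, type, LDAP attribute, value type, then the TO_BE_CACHED yes/no column) is an assumption about the map-file format, and map_cache_decision is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not AIX code: decide whether a request for a set of user
# attributes may be answered from the secldapclntd cache or must go to the
# LDAP server, using the TO_BE_CACHED column of the user map file.
# The map below is constructed; its five-column layout is an assumption.

USER_MAP=$(mktemp)
cat > "$USER_MAP" <<'EOF'
# AIX attr     type       LDAP attr       value type   TO_BE_CACHED
username       SEC_CHAR   uid             s            yes
id             SEC_INT    uidNumber       s            yes
home           SEC_CHAR   homeDirectory   s
spassword      SEC_CHAR   userPassword    s            no
EOF

# map_cache_decision MAPFILE ATTR...  (hypothetical helper)
#   Prints "cache" when every requested attribute may be served from the cache,
#   "server" when at least one is marked TO_BE_CACHED no. A missing fifth
#   column counts as "yes", the default the article gives. Attributes absent
#   from the map are reported on stderr and the exit status becomes 2.
map_cache_decision() {
    mapfile=$1; shift
    awk -v attrs="$*" '
        BEGIN { n = split(attrs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*(#|$)/ || NF < 4 { next }           # skip comments, blanks, junk
        ($1 in want) {
            seen[$1] = 1
            if (NF >= 5 && tolower($5) == "no") nocache = 1
        }
        END {
            for (k in want) if (!(k in seen)) {
                print "unmapped attribute: " k > "/dev/stderr"; rc = 2
            }
            d = nocache ? "server" : "cache"; print d
            exit rc
        }' "$mapfile"
}

# Stand-alone demonstration: a password check (spassword) must always reach
# the server, which is exactly the stale-password window the article describes.
map_cache_decision "$USER_MAP" username id home        # cache
map_cache_decision "$USER_MAP" username spassword      # server
```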


LDAP negative cache enhancement

A further enhancement to the secldapclntd daemon concerns entries that do not exist. The daemon already caches the user and group entries retrieved from the LDAP server. If a request comes in for user or group information and that entry does not exist on the LDAP server, the server returns the corresponding not-found result and the client caches it. When the same non-existent entry is requested again, the answer is taken from the cache and returned to the user instead of going to the server. This improves performance when the same non-existent user or group is queried repeatedly. This mechanism is known as negative caching in the AIX LDAP client.


Integration of Domain RBAC into LDAP

In AIX 6.1 TL07 and AIX 7.1 TL02 and later releases, the LDAP client is enhanced to support Domain RBAC integration with the LDAP server. The LDAP client fetches the Domain RBAC information from the LDAP server and loads it into the AIX kernel, which then controls access to the resources on the system. The Domain RBAC commands and the LDAP client commands are enhanced to support Domain RBAC functionality with the LDAP server.

To configure the Domain RBAC database on an LDAP server, follow these steps:

  1. Load the Domain RBAC schema into the LDAP server using the ldapadd command. The Domain RBAC schema ships with AIX 6.1 TL07 and AIX 7.1 TL02. The schema file for the Tivoli Directory Server is /etc/security/ldap/sec.ldif. The Domain RBAC database can also be configured on a Microsoft® Windows AD server.

    If the LDAP server is a Microsoft Windows AD server, use the /etc/security/ldap/aixSchemaForAD.ldif file. The syntax is:

        ldapadd -h <ldap servername> -D <binddn> -w <bind password> -i <schema file> -c -v

    This command loads the Domain RBAC schema into the LDAP server.

  2. Convert the Domain RBAC database into LDIF format. The existing rbactoldif command is enhanced to convert the Domain RBAC database into LDIF format.

    The following command converts the Domain RBAC database into LDIF format and writes it to the /tmp/domain.ldif file:

        rbactoldif -d <basedn> -s eo >> /tmp/domain.ldif

  3. Load the Domain RBAC LDIF file into the LDAP server using the ldapadd command:

        ldapadd -h <ldapservername> -D <binddn> -w <bind password> -i /tmp/domain.ldif -v

  4. Reconfigure the LDAP client with the mksecldap command so that the Domain RBAC tree entries are populated into the LDAP client configuration file, /etc/security/ldap/ldap.cfg:

        # mksecldap -c -h <LDAP server> -a <bind dn> -p <bind passwd> -S rfc2307aix

  5. Make sure that the domain suffixes are loaded into the LDAP server by running the lsldap command.

    Type the following command to check the suffixes on the LDAP server:

        # lsldap

    This command lists the Domain RBAC suffixes along with the other suffixes.

  6. Add the following stanzas to the /etc/nscontrol.conf file on the LDAP client system so that the AIX native commands get Domain RBAC information from the LDAP server:

        domains:
        	secorder = LDAP,files
        domobjs:
        	secorder = LDAP,files

  7. Load the Domain RBAC tables into the AIX LDAP client kernel using the setkst command.

    Use the following command to load the tables into the kernel:

        # setkst

  8. Make sure that the domain and domain object suffixes are configured properly. The existing commands, such as mkdom, lsdom, chdom, rmdom, and setsecattr, are used with the -R LDAP option to manage domains and domain objects on an LDAP server:

        mkdom -R LDAP <domain name>

        setsecattr -R LDAP -o domains=<domain name> objtype=file <object name>
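A check for step 6 of the procedure above, as an added shell example that is not AIX's own code: it parses /etc/nscontrol.conf stanzas and confirms that both the domains and domobjs stanzas resolve through LDAP before the local files, which is the order the article requires for Domain RBAC data to come from the server. The two configuration files are constructed for the example (one as prescribed, one with the order reversed), and nscontrol_secorder and domain_rbac_ldap_first are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not AIX code: verify the nscontrol.conf stanzas that step 6
# requires. Both configuration files below are constructed for the example.

GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
domains:
	secorder = LDAP,files
domobjs:
	secorder = LDAP,files
EOF

# Same stanzas but with the local files consulted first (and LDAP dropped from
# domobjs), which is not the order the article prescribes.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
domains:
	secorder = files,LDAP
domobjs:
	secorder=files
EOF

# nscontrol_secorder FILE STANZA  (hypothetical helper)
#   Prints the secorder value of STANZA (a "name:" line followed by indented
#   "key = value" lines); prints nothing when the stanza or the key is absent.
nscontrol_secorder() {
    awk -v st="$2" '
        /^[^ \t#].*:[ \t]*$/ { cur = $0; sub(/[ \t]*:[ \t]*$/, "", cur); next }
        cur == st && $1 ~ /^secorder/ {
            v = $0; sub(/^[ \t]*secorder[ \t]*=[ \t]*/, "", v); print v; exit
        }' "$1"
}

# domain_rbac_ldap_first FILE  (hypothetical helper)
#   Exit 0 when both the domains and domobjs stanzas list LDAP first; otherwise
#   report each offending stanza on stderr and exit 1.
domain_rbac_ldap_first() {
    rc=0
    for st in domains domobjs; do
        order=$(nscontrol_secorder "$1" "$st")
        case $order in
            LDAP|LDAP,*) ;;
            *) echo "$st: secorder is '${order:-unset}', expected LDAP first" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demonstration.
domain_rbac_ldap_first "$GOOD_CONF" && echo "nscontrol.conf OK"
domain_rbac_ldap_first "$BAD_CONF"  || echo "nscontrol.conf needs fixing"
```

Run it against the real file with `domain_rbac_ldap_first /etc/nscontrol.conf` after step 6 and before running setkst in step 7, so that the kernel tables are loaded from the intended source.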
