User management is an important part of distributed computing environments. It provides the consistent authentication and authorization services necessary for universal access. For centralized security, many customers use the IBM Directory Server, a centralized security mechanism supported on AIX®. To achieve a foolproof IBM Directory Server configuration and ready it for use, you need a good understanding of Lightweight Directory Access Protocol (LDAP) concepts and configuration management.
This article provides an overview of LDAP and its architecture. It also discusses LDAP configuration and management on AIX. The article focuses on troubleshooting different types of problems while configuring the LDAP server and client. The suggestions in the troubleshooting section should be helpful to AIX administrators, technical support, and the development community.
LDAP is an industry standard protocol for accessing directory servers. IBM Directory Server needs to be configured to support user authentication through LDAP with both the AIX specific schema and the RFC 2307 schema on AIX.
LDAP is optimized for reading, browsing, and for searching directories and specialized databases storing ordered information. Many computing environments are designed to make network resources available to users from any location, such as workstations, public workstations, and the Web. IBM Directory Server can be used for user management to achieve this objective.
Figure 1 shows an overview of an LDAP configuration.
Figure 1. LDAP configuration
LDAP is a standardized protocol and specialized database for storing ordered information. When users log in, the LDAP client sends a query to the LDAP server to get the user and group information from the centralized database. DB2® is a database used for storing the user and group information. The LDAP database stores and retrieves information based on a hierarchical structure of entries, each with its own distinguishing name, type, and attributes. The attributes (properties) define acceptable values for the entry. An LDAP database can store and maintain entries for many users.
An LDAP security load module was created in AIX Version 4.3. This load module provides user authentication and centralized user and group management functions through the IBM SecureWay® Directory. A user defined on an LDAP server can be configured to log in to an LDAP client even if that user is not defined locally. The AIX LDAP load module is fully integrated with the AIX operating system.
IBM Directory Server on AIX can be configured with either:
ldapcfgcommand line tool
- The graphical version of the ldapcfg tool, called
The following file sets are required to configure IBM Directory Server:
- Install the DB2 file set db2_09_01.rte.
- Install the following file sets:
The following file sets are required for configuring the LDAP client.
Note: 61 represents version of the file set. It will vary depending upon the version you are installing.
- The system should run in 64-bit kernel mode. Use the
bootinfo -Kcommand to determine the kernel mode.
- AIX requires 64-bit hardware. Use the
bootinfo -ycommand to determine the hardware.
- A minimum of 512MB RAM is required. (For better results, use 1GB or more.)
- IBM Directory Server requires 80MB of free space in the file system where the DB2 database is to be created.
- If you plan to use the InstallShield GUI to install, be sure that you have at least 100MB of free space in the /var directory and at least 400MB in the /tmp directory.
AIX provides the
mksecldap command to set up the IBM
Directory servers and clients to exploit the servers.
mksecldap command performs the following tasks for
the new server setup:
- Creates the ldapdb2 default DB2 instance.
- Creates the ldapdb2 default DB2 database.
- Creates the AIX tree DN (suffix) under which AIX user and group is stored.
- Exports users and groups from security database files of the local host into the LDAP database.
- Sets LDAP server administrator DN and password.
- Optionally sets server to use Secure Sockets Layer (SSL) communication.
- Installs the /usr/ccs/lib/libsecldapaudit, an AIX audit plug-in for the LDAP server.
- Starts the LDAP server after all the above is done.
- Adds the LDAP server entry (slapd) to /etc/inittab for automatic restart after reboot.
mksecldap -s -a cn=admin -p passwd -S rfc2307aix
All setup information is stored in the /etc/ibmslapd.conf file.
The ldap.client file set contains the IBM Directory client libraries, header
files, and utilities. You can use the
to configure the AIX client against the IBM Directory Server, as follows:
mksecldap -c -h <LDAP Server name> -a cn=admin -p adminpwd -S rfc2307aix
You must have the IBM Directory Server administrator DN and password to configure
the AIX client. Once the AIX client is configured, the
secldapclntd daemon starts running. Once the AIX client
is configured against the IBM Directory Server, change the SYSTEM attribute in
/etc/security/user file to
LDAP OR compat or
compat or LDAP to authenticate users against the AIX
The /usr/lib/security/methods.cfg file contains the load module definition. The
mksecldap command adds the following stanza to enable
the LDAP load module during the client setup.
LDAP: program = /usr/lib/security/LDAP program_64 = /usr/lib/security/LDAP64
The /etc/security/ldap/ldap.cfg file on the client machine has configuration
information for the
secldapclntd client daemon. This
configuration file contains information about the IBM Directory Server name,
binddn, and password information. The file is
automatically updated by the
mksecldap command during
AIX client setup.
auth_type attribute in the
/etc/security/ldap/ldap.cfg file specifies where the user needs to be
authenticated. If the
auth_type attribute is
UNIX_AUTH, then the user is authenticated at the client
system. If it is
ldap_auth, then the user is
authenticated on IBM Directory Server.
The IBM Directory Server and client can be configured with SSL. This avoids the transfer of data in the clear-text format over the network. It encrypts the information and then sends it over the network. IBM Directory Server encrypts the user's password information, and then sends it over the network when SSL is configured.
The following file sets are required to enable the server and client encryption support:
For initial server setup, run the following command:
mksecldap -s -a cn=admin -p pwd -S rfc2307aix -k usr/ldap/etc/mykey.kdb -w keypwd
where mykey.kdb is the key database, and keypwd is the password to the key database.
For servers that are configured and running, run:
mksecldap -s -a cn=admin -p pwd -S rfc2307aix -n NONE -k /usr/ldap/etc/mykey.kdb -w keypwd
For initial client setup, run:
mksecldap -c -h <ldapserver name> -a cn=admin -p adminpwd -k /usr/ldap/key.kdb -w keypwd
Frequently used commands on the AIX LDAP client system are listed in Table 1 below.
Table 1. Frequently used commands
|/usr/sbin/start-secldapclntd||Starts the |
|/usr/sbin/stop-secldapclntd||Stops the |
|/usr/sbin/restart-secldapclntd||Stops the currently running |
|/usr/sbin/ls-secldapclntd||Lists the |
|/usr/sbin/flush-secldapclntd||Clears the cache of the |
|mkuser -R LDAP <username>||Creates users from the LDAP client.|
This section includes several typical problems, followed by suggested solutions.
The LDAP server starts in configuration only mode while restarting the LDAP server or doing LDAP server configuration returns the following error: "Failed to initialize be_config. Error encountered. Server starting in configuration only mode."
- Confirm whether the server started in configuration only mode by using the
following command, or look at /var/ldap/ibmslapd.log for this information.
# ldapsearch -h teak01.upt -b "" -s base objectclass=* | grep config ibm-slapdisconfigurationmode=TRUE
- Sometimes the DB2 license key was not registered properly. This is one of
the main reasons for this problem. The license key has to be registered, as
follows, to resolve this problem:
- Log in as a user with root authority.
- Register the DB2 product license key:
#/usr/opt/db2_08_01/adm /db2licm -a /usr/ldap/etc/ldap-custom-db2ese.lic #/usr/opt/db2_08_01/adm /db2licm -a /usr/ldap/etc/db2wsue.lic
- If the above step doesn't resolve the problem, clean up the LDAP server configuration and export LDAP_DBG=1 before doing the LDAP server configuration again. The /var/ldap/dbg.out, /var/ldap/dbg.log, and /var/ldap/ibmslapd.log files should have required diagnostic information to debug this problem further.
Cannot log in to the system with LDAP user after successful Directory Server configuration.
Make sure there are no errors in the following areas, which can lead to a false impression about the existence of a particular LDAP user.
- During client configuration, using
mksecldap -u <userlist>specifies a comma-separated list of usernames or ALL to enable all users on the client. This means SYSTEM and registry attributes of the users is set to LDAP.
mksecldap -c -h monster -a cn=admin -p adminpwd -u user1,user2
-uflag ensures that
user2users can be used as LDAP users on the client machine, but this flag does not add any users in the LDAP server database. Login is successful for these users if they are added to LDAP using
mkuser -R LDAP <user name>or while doing server configuration, as follows:
mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix
All the local users will be added to LDAP in this case. As
user2are local users, they will be automatically added into the LDAP database.
- Verify that Directory Server is up and running. The
ibmslapdprocesses should be running:
# ps -eaf |grep ibm ldap 278760 1 0 Jan 14 - 0:08 /usr/ldap//bin/ibmdiradm -l ldap 434392 1 2 Jan 14 - 339:44 ibmslapd -f/etc/ibmslapd.conf
- Verify whether the LDAP client is up and running. The
secldapclntdprocess should be running:
# ps -eaf |grep -i secldap root 393408 1 0 Jan 14 - 0:15 /usr/sbin/secldapclntd root 725062 692358 0 03:20:38 pts/0 0:00 grep -i secldap
- Verify whether that user exists on the server:
# lsuser -R LDAP usr_3112 usr_3112 id=3112 pgrp=gp_3112 groups=gp_3112,gp_3118,gp_3124 home=/tmp shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=KRB5LDAP OR compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
- Verify the user's registry and SYSTEM attributes. Both of them
should be set to LDAP.
lsuser -a registry SYSTEM username
- Verify whether the LDAP stanza is added into /usr/lib/security/methods.cfg:
# grep -p LDAP /usr/lib/security/methods.cfg LDAP: program = /usr/lib/security/LDAP program_64 =/usr/lib/security/LDAP64
What is required to migrate all the AIX users as LDAP authenticated users? Does
mksecldap allow a user to migrate a specific set of AIX
users while doing server configuration?
No. By default,
mksecldap migrates all AIX
users as LDAP authenticated users while doing server configuration.
If you do not want to migrate any AIX users as LDAP users, run the
mksecldap command with
#mksecldap -s -a cn=admin -p adminpwd -s rfc2307aix -u NONE
mkuser command might return the following error
# mkuser -R LDAP test 3004-686 Group "staff" does not exist. 3004-703 Check "/usr/lib/security/mkuser.default" file.
If the LDAP client and NIS client are configured on the same machine, then users are not able to create users from the AIX LDAP client. They get the above error message. You can rectify this problem by installing APAR IY90556.
mksecldap allow a user to migrate a specific set
of AIX users while doing server configuration?
mksecldap does not support migrating a
specific set of users as LDAP users while doing server configuration. To handle
this requirement, run the
mksecldap command so that no
AIX user is migrated, and create the required users with
mkuser -R LDAP later.
It's important to note that the
while doing server configuration, only accepts NONE as an argument and any other
argument is ignored.
mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix -u user1,user2
All local users are exported in this case.
This is broken down into three problems.
/usr/sbin/mksecldap -c -h batonrouge05.upt.austin.ibm.com -a cn=admin -p passw0rd
"Cannot find users from all base DN
client setup failed."
The client setup basically does the ldapsearch to see if there are any users added to the LDAP server already. The configuration fails if it does not find any users in LDAP. At least one user should be added to LDAP to overcome this problem.
The following ldif file should be added to LDAP DIT using the
dn: ou=People,cn=admin ou: People objectClass: organizationalUnit dn: uid=testuser,ou=People,cn=admin uid: testuser objectClass: aixauxaccount objectClass: shadowaccount objectClass: posixaccount objectClass: account objectClass: ibm-securityidentities objectclass: top cn: testuser passwordchar: * uidnumber: 203 gidnumber: 203 homedirectory: /home/testuser loginshell: /usr/bin/ksh isadministrator: false
mksecldap -c -h batonrouge05.upt.austin.ibm.com -a cn=admin -p passw0rd
"Cannot find the group base DN from the LDAP server.
Client setup failed."
The group base DN should be present in the LDAP DIT before configuring the client. The above failure is due to non-existence of a group base DN. A group needs to be added to resolve this problem.
The following ldif file should be added to the LDAP DIT using the
dn: ou=Groups,cn=admin ou: Groups objectClass: organizationalUnit dn: cn=testgrp,ou=Groups,cn=admin cn: testgrp objectclass: aixauxgroup objectclass: posixgroup objectclass: top gidnumber: 203 memberuid: testuser isadministrator: false
Creating a user with
mkuser when the
server is configured with
-u NONE and the client has
been successfully configured.
# mkuser -R LDAP id=1000 pgrp=grp_2000 groups="grp_2006,grp_2012" usr_1000 Group "staff" does not exist. Check "/usr/lib/security/mkuser.default" file.
mkuser command has a legacy behavior of checking
the defaults first, even if it is not going to use them. It fails, since a group
called staff does not exist.
All the problems in this section will be resolved in one shot if you add the following ldif file to LDAP.
dn: ou=Groups,cn=admin ou: Groups objectClass: organizationalUnit dn: cn=staff,ou=Groups,cn=admin cn: staff objectclass: aixauxgroup objectclass: posixgroup objectclass: top gidnumber: 203 memberuid: testuser isadministrator: false dn: ou=People,cn=admin ou: People objectClass: organizationalUnit dn: uid=testuser,ou=People,cn=admin uid: testuser objectClass: aixauxaccount objectClass: shadowaccount objectClass: posixaccount objectClass: account objectClass: ibm-securityidentities objectclass: top cn: testuser passwordchar: * uidnumber: 203 gidnumber: 203 homedirectory: /home/testuser loginshell: /usr/bin/ksh isadministrator: false
The ldif file can be added to the LDAP server, as follows:
#/usr/bin/ldapadd -D $ADMIN_DN -w $ADMIN_DN_PASSWD -f <ldif file>
The base DN of a configured LDAP server must be used in the ldif file. Otherwise, this ldif file cannot be successfully added.
- Understanding LDAP - Design and Implementation: This IBM Redbooks publication will help you create a foundation of LDAP skills, as well as install and configure the IBM Directory Server.
Tivoli® Directory Server Administration Guide: This guide contains the information that
you need to administer the IBM Tivoli Directory Server.
- Read the following IBM Redbooks:
- Check out other articles and tutorials written
by Uma Chandolu:
- AIX and
The AIX and UNIX developerWorks zone provides a wealth of information relating to
all aspects of AIX systems administration and expanding your UNIX skills.
- New to AIX and UNIX?:
Visit the New to AIX and UNIX page to learn more about AIX and UNIX.
- AIX 5L™ Wiki:
A collaborative environment for technical information related to AIX.
- Search the AIX and UNIX library by topic:
- System administration
- Application development
- Tools and utilities
- Java™ technology
- Open source
- Safari bookstore:
Visit this e-reference library to find specific technical resources.
- developerWorks technical events and webcasts:
Stay current with developerWorks technical events and webcasts.
- Podcasts: Tune in and
catch up with IBM technical experts.
Get products and technologies
- IBM trial software:
Build your next development project with software for download directly from
- Participate in the
and get involved in the developerWorks community.
- Participate in the AIX and UNIX forums:
- AIX 5L -- technical forum
- AIX for Developers Forum
- Cluster Systems Management
- IBM Support Assistant
- Performance Tools -- technical
- Virtualization -- technical
- More AIX and UNIX forums
Uma M. Chandolu works as a Development Support Specialist on AIX. He is currently Team lead of AIX Security Development Support team at IBM Bangalore. He has five years of extensive hands-on experience in AIX environments, and demonstrated expertise in AIX system administration and other subsystems. He has experience interfacing with customers and handling customer-critical situations. He has been recognized as "IBM Developerworks Contributing Author". You can reach him at email@example.com
Ravi K. Kovvila is a technical lead for the AIX and UNIX Product Testing team at the IBM India Systems and Technology Lab. He has worked for IBM for the past seven years. His current activities include AIX system test deliverables, customer interfacing, test design, reviews, and inspection and technical vitality initiatives. His areas of expertise comprise AIX security (LDAP and Kerberos), NFS, NIS, and WebSphere®MQ series integrator. You can contact him at firstname.lastname@example.org.