Configure IBM LDAP netgroups with Windows Active Directory server

Netgroups create network-wide groups, and you can use them to provide special permissions to those groups. Users configured under netgroups can have different privileges compared to other users. This article explains how to configure netgroups on the IBM Lightweight Directory Access Protocol (LDAP) client (AIX®) with Microsoft Active Directory server.

Uma Chandolu (uchandol@in.ibm.com), Software Engineer, IBM

Uma M. Chandolu works as a Software Engineer for IBM on the AIX Development Support Security team in Austin, Texas. He has two years of extensive hands-on experience in AIX security environments and is one of the focal points in the AIX support security area. He has demonstrated expertise in AIX LDAP client administration and other subsystems. He has experience interfacing with customers and handling customer-critical situations. You can reach him at uchandol@in.ibm.com.

10 April 2007

Introduction

Netgroups are very useful to system administrators: they allow you to control login access for people or machines, to manage the configuration of a network on a role basis, and much more. Implementing them on a Lightweight Directory Access Protocol (LDAP)-based back end also strengthens security and manageability. This article walks you through the steps to configure IBM LDAP netgroups with the Windows® Active Directory server.

You need to have a general familiarity with centralized database management, LDAP, and its configuration with the Windows Active Directory server. AIX® system administrators with beginning to intermediate skills might find this article particularly helpful.

System requirements

To configure the setup outlined in this article, you need an IBM LDAP client (AIX) and a Microsoft® Windows 2000/2003 Active Directory server configured to serve the LDAP protocol.

Netgroups

Netgroups are a convenient way to identify sets of hosts, people, or domains under organized names for access control (see the Netgroups sidebar). You can use netgroups to restrict remote login and shell access. The netgroups are stored in the Windows 2000/2003 Microsoft Active Directory server, which you can configure as the LDAP server for the IBM LDAP client. Users who belong to these groups can then access the IBM LDAP client system.

For example, assume you have an LDAP server holding a large number of users and serving several LDAP clients, and you want only a subset of those users to be able to log in to the LDAP clients. To enforce this, define those users in netgroups.

The IBM LDAP client supports the Windows 2000/2003 Microsoft Active Directory server on AIX 5.3 TL 05 and later. Also read Integrating AIX 5L into Heterogeneous LDAP Environments from the IBM Redbooks collection (see Resources) for all the configuration details of the IBM LDAP client with the Microsoft Active Directory server.

Configuration

Perform the following steps to configure netgroups on the IBM LDAP client with Microsoft Active Directory server:

  1. Define the groups and users that need access to the IBM LDAP client machines in the AIX /etc/netgroup file. The /etc/netgroup file defines the network-wide groups. Each line in the file defines one group and has the following format:

    Group name (hostname, username, domain name)

    Look at this example:

    testgroup (znim.austin.ibm.com, user1, test)
    testgroup1 (, user2,)

    Do not use dashes (-) in these entries.

  2. Copy the /etc/netgroup map file to the Windows 2000/2003 Active Directory server.
  3. Use the nis2ad Windows command-line utility to migrate the group entries from the copied map file to the Active Directory server.

    The syntax for nis2ad is:

    nis2ad -y <Unix_NIS_domain> -a <windows_NIS_Domain> \
           -u <username> -p <passwd> -s <server name> \
           -m <map file>

    Table 1 lists the nis2ad parameters used to migrate the group entries.

    Table 1. Migrating group entries

    Parameter            Description
    Unix_NIS_domain      The UNIX® NIS domain from which the map is migrated.
    windows_NIS_Domain   The Windows NIS domain in the Active Directory server to which the map file is migrated.
    username             A user name with administrator privileges.
    passwd               That user's password.
    map file             The map file copied from the IBM LDAP client.
  4. Netgroup entries will be added, as shown in Figures 1 and 2, on the Active Directory server.
    Figure 1. Command prompt
    Figure 2. Active Directory
  5. On the IBM LDAP client machine, verify whether the new netgroup entries can be accessed with the lsldap command, as follows:
    lsldap -a netgroup
  6. On the IBM LDAP client, enable LDAP netgroups by adding the netgroup base DN (netgroupbasedn) to the /etc/security/ldap/ldap.cfg file, as follows:
    netgroupbasedn:CN=netgroup,CN=ztrans,CN=DefaultMigrationContainer30,DC=ztrans,DC=in,DC=ibm,DC=com
  7. Restart the IBM LDAP client daemon (secldapclntd), as follows:
    /usr/sbin/restart-secldapclntd
  8. On the IBM LDAP client, add the netgroup option under the LDAP stanza in the /usr/lib/security/methods.cfg file, as follows:
    LDAP:
            program = /usr/lib/security/LDAP
            program_64 = /usr/lib/security/LDAP64
            options = netgroup
  9. Add the netgroup nis_ldap search parameter in the /etc/irs.conf file, as follows:
    netgroup nis_ldap
  10. To authenticate the user on the IBM LDAP client machine, add a stanza for the user to the /etc/security/user file, as follows:
    user1:
            SYSTEM="compat"
            registry=compat
  11. On the IBM LDAP client machine, add the netgroup entries to the /etc/passwd file.

    Append the netgroup escape sequence to the end of the /etc/passwd file, as follows:

    # echo "+@testgroup" >> /etc/passwd
    # echo "+@testgroup1" >> /etc/passwd
  12. On the IBM LDAP client machine, edit the /etc/group file.

    Append the netgroup escape sequence to the end of the /etc/group file, as follows:

    # echo "+:" >> /etc/group

  13. On the IBM LDAP client machine, verify whether the netgroup user information can be retrieved properly using the lsuser command, and log in as a netgroup user, as follows:

    # lsuser -R compat user1
    user1 id=1233 pgrp=staff groups=staff home=/home/user1 shell=/usr/bin/ksh login=true ...

IBM LDAP netgroups are supported with Windows 2000/2003. Windows 2003 R2 is supported from AIX 5.3 TL06 and later.
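As an added check (example code written for this article, not part of it), the following POSIX shell script parses an /etc/netgroup map in the format shown in step 1, lists the users a given netgroup admits once its "+@name" line is appended to /etc/passwd (step 11), and refuses to emit entries for group names containing dashes (the restriction in step 1). The sample map, its contents, and its temporary path are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article. Constructed sample map in the
# "name (host, user, domain)" format of step 1, written to a temp path.
NETGROUP_FILE="${TMPDIR:-/tmp}/netgroup.example.$$"
trap 'rm -f "$NETGROUP_FILE"' EXIT
cat > "$NETGROUP_FILE" <<'EOF'
# constructed sample /etc/netgroup
testgroup (znim.austin.ibm.com, user1, test) (, user3, test)
testgroup1 (, user2,)
EOF

# netgroup_users FILE GROUP: print the user field of every (host,user,domain)
# triple in GROUP, one per line. An empty user field matches any user in
# netgroup semantics, so it is printed as "*" to make the wildcard visible.
netgroup_users() {
    awk -v grp="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    $1 == grp {
        line = $0
        sub(/^[^(]*/, "", line)                  # drop the group name
        while (match(line, /\([^)]*\)/)) {       # walk each triple in turn
            triple = substr(line, RSTART + 1, RLENGTH - 2)
            split(triple, f, ",")
            gsub(/[ \t]/, "", f[2])
            u = (f[2] == "") ? "*" : f[2]
            print u
            line = substr(line, RSTART + RLENGTH)
        }
    }' "$1"
}

# netgroup_passwd_entries FILE: emit the "+@name" escape lines that step 11
# appends to /etc/passwd, one per group; exit non-zero if any group name
# contains a dash, which step 1 forbids.
netgroup_passwd_entries() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 ~ /-/ { bad++; next }
    { print "+@" $1 }
    END { if (bad) exit 1 }' "$1"
}

echo "users admitted by testgroup:"
netgroup_users "$NETGROUP_FILE" testgroup
echo "/etc/passwd entries:"
netgroup_passwd_entries "$NETGROUP_FILE"
```

Run it against the real /etc/netgroup before appending the "+@" lines to see exactly which accounts each escape entry will admit.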

Resources

Get products and technologies

  • IBM trial software: Build your next development project with software for download directly from developerWorks.
