Netgroups are very useful to system administrators: they let you control login access for people or machines, manage the configuration of a network on a role basis, and much more. If you implement a Lightweight Directory Access Protocol (LDAP)-based back end, you can also strengthen security and manageability. This article walks you through the steps to configure IBM LDAP netgroups with the Windows® Active Directory server.
You need to have a general familiarity with centralized database management, LDAP, and its configuration with the Windows Active Directory server. AIX® system administrators with beginning to intermediate skills might find this article particularly helpful.
To configure the setup outlined in this article, you need an IBM LDAP client running on AIX and a Microsoft® Windows Active Directory 2000/2003 server configured to serve the LDAP protocol.
Netgroups are a convenient way to identify sets of hosts, people, or domains under organized names for access control (see the Netgroups sidebar). You can use netgroups to restrict access to remote login and remote shell. The netgroups are stored in the Windows 2000/2003 Microsoft Active Directory server, which you can configure as the LDAP server for the IBM LDAP client. Users listed in these netgroups can then be granted access to the IBM LDAP client system.
For example, assume you have an LDAP server with a large number of users and several LDAP clients configured against it, and you want only a certain subset of those users to be able to access a given LDAP client. To do that, you must define those users in the netgroups.
IBM LDAP provides support with the Windows 2000/2003 Microsoft Active Directory server with AIX 5.3 TL 05 and later. Also read Integrating AIX 5L into Heterogeneous LDAP Environments from the IBM Redbooks collection (see Resources) for all the configuration details of the IBM LDAP client with the Microsoft Active Directory server.
Perform the following steps to configure netgroups on the IBM LDAP client with Microsoft Active Directory server:
- Define the groups and users that need access to the IBM LDAP client machines in the AIX /etc/netgroup file. The /etc/netgroup file defines the network-wide groups. Each line in the file defines a group and is formatted as follows:
groupname (hostname, username, domainname)
Look at this example:
testgroup (znim.austin.ibm.com, user1, test)
testgroup1 (, user2,)
Do not use dashes (-) in these entries.
- Copy the /etc/netgroup map file to the Windows 2000/2003 Active Directory server.
- Use the nis2ad Windows command-line utility to migrate the group entries from the copied map file to the Active Directory server. The syntax for the nis2ad command is as follows:
nis2ad -y <Unix_NIS_domain> -a <windows_NIS_Domain> -u <username> -p <passwd> -s <server name> -m <map file>
Table 1 lists the nis2ad options used to migrate the group entries.
Table 1. Migrating group entries

| Option | Description |
| --- | --- |
| -y <Unix_NIS_domain> | The UNIX® NIS domain from which the map is migrated. |
| -a <windows_NIS_Domain> | The Windows NIS domain in the Active Directory server to which the map file is migrated. |
| -u <username> | The user name that has administrator privileges. |
| -p <passwd> | That user's password. |
| -m <map file> | The map file that was copied from the IBM LDAP client. |
- The netgroup entries are added on the Active Directory server, as shown in Figures 1 and 2.
Figure 1. Command prompt
Figure 2. Active directory
- On the IBM LDAP client machine, verify that the new netgroup entries can be accessed with the lsldap command, as follows:
lsldap -a netgroup
- On the IBM LDAP client, enable LDAP netgroups by adding the netgroup base DN (the netgroupbasedn entry) to the /etc/security/ldap/ldap.cfg file, as follows:
- Restart the IBM LDAP client daemon (secldapclntd), as follows:
- On the IBM LDAP client, add the netgroup option under the LDAP stanza in the /usr/lib/security/methods.cfg file, as follows:
LDAP:
    program = /usr/lib/security/LDAP
    program_64 = /usr/lib/security/LDAP64
    options = netgroup
- Add the netgroup nis_ldap search entry to the /etc/irs.conf file, as follows:
- To authenticate the user on the IBM LDAP client machine, add the user's information to the /etc/security/user file, as follows:
user1:
    SYSTEM="compat"
    registry=compat
- On the IBM LDAP client machine, add the netgroup information to the /etc/passwd file. Append the netgroup escape sequence for each netgroup to the end of the /etc/passwd file, as follows:
# echo "+@testgroup" >> /etc/passwd
# echo "+@testgroup1" >> /etc/passwd
- On the IBM LDAP client machine, edit the /etc/group file.
Append the netgroup escape sequence to the end of the /etc/group file, as follows:
# echo "+:" >> /etc/group
- On the IBM LDAP client machine, verify that the netgroup user information can be retrieved properly using the lsuser command, and then log in as a netgroup user, as follows:
# lsuser -R compat user1
user1 id=1233 pgrp=staff groups=staff home=/home/user1 shell=/usr/bin/ksh login=true ...
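As an added example that is not part of the original article, the following POSIX shell script ties the first and the /etc/passwd steps together: it parses an /etc/netgroup file in the "groupname (hostname, username, domainname)" format, enforces the no-dash rule, lists the netgroups a given user belongs to, and generates the +@group escape lines that the compat registry reads from /etc/passwd. The sample netgroup text, its host and group names, and the function names are constructed for illustration; the script models the file format only and never touches the live /etc/netgroup or /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original article: a small POSIX sh + awk toolkit for
# the /etc/netgroup format "group (host, user, domain)". It models the file format
# only and never writes to the real /etc/netgroup or /etc/passwd.

# Constructed sample /etc/netgroup content (names are made up for illustration).
# The third line deliberately breaks the "no dashes" rule so the check has
# something to catch.
NETGROUP_SAMPLE='testgroup (znim.austin.ibm.com, user1, test)
testgroup1 (, user2,)
badgroup (host-1.example.com, user-3, test)'

# Print one "group:host:user:domain" record per triple found in the given
# netgroup text. Empty fields stay empty. Text that does not fit the format is
# reported as a record whose group field is "?" so a caller can flag it.
netgroup_triples() {
    printf '%s\n' "$1" | awk '
    BEGIN { OFS = ":" }
    {
        line = $0
        # Peel "name (a, b, c)" entries off the front of the line one at a time.
        while (match(line, /[^ \t(]+[ \t]*\([^)]*\)/)) {
            entry = substr(line, RSTART, RLENGTH)
            line  = substr(line, RSTART + RLENGTH)
            gname = entry; sub(/[ \t]*\(.*/, "", gname)
            body  = entry; sub(/^[^(]*\(/, "", body); sub(/\)$/, "", body)
            split("", f)            # clear leftovers from the previous entry
            split(body, f, ",")
            for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", f[i])
            print gname, f[1], f[2], f[3]
        }
        if (line ~ /[^ \t]/) print "?", line, "", ""
    }'
}

# Exit 0 when every entry is well formed and no field contains a dash (the
# rule for /etc/netgroup entries); otherwise report the offending records on
# stderr and exit 1.
netgroup_check() {
    netgroup_triples "$1" | awk -F: '
        $1 == "?" { bad = 1; print "malformed entry: " $2 | "cat 1>&2"; next }
        /-/       { bad = 1; print "dash not allowed: " $0 | "cat 1>&2" }
        END { exit bad }'
}

# Print the netgroups whose user field names USER; this is the membership the
# compat registry consults for a "+@group" line in /etc/passwd.
user_netgroups() { # $1 = netgroup text, $2 = user name
    netgroup_triples "$1" | awk -F: -v u="$2" '$1 != "?" && $3 == u { print $1 }'
}

# Print the "+@group" escape lines to append to /etc/passwd, one per netgroup,
# sorted with duplicates removed (run netgroup_check first).
passwd_escapes() {
    netgroup_triples "$1" | awk -F: '$1 != "?" { print $1 }' | sort -u | sed 's/^/+@/'
}

# Stand-alone demonstration on the constructed sample.
if netgroup_check "$NETGROUP_SAMPLE"; then
    echo "netgroup file is clean"
else
    echo "netgroup file has problems (see messages above)"
fi
echo "user2 belongs to: $(user_netgroups "$NETGROUP_SAMPLE" user2)"
echo "escape lines for /etc/passwd:"
passwd_escapes "$NETGROUP_SAMPLE"
```

Run the check against a real /etc/netgroup by passing its contents, for example `netgroup_check "$(cat /etc/netgroup)"`, before copying the map to the Active Directory server; an entry that fails the dash rule there is cheaper to fix than one that has already been migrated with nis2ad.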
IBM LDAP netgroups are supported with Windows 2000/2003. Windows 2003 R2 is supported from AIX 5.3 TL06 and later.
- Integrating AIX 5L into Heterogeneous LDAP Environments: Find out how to add AIX 5L clients to an existing LDAP authentication and user management environment from IBM Redbooks.
- "AIX 5L LDAP user management" (developerWorks, December 2006): This article provides an overview of the LDAP-related enhancements in the AIX 5L operating system V5.3 TL5 update.
- AIX and UNIX: The AIX and UNIX developerWorks zone provides a wealth of information relating to all aspects of AIX systems administration and expanding your UNIX skills.
- New to AIX and UNIX?: Visit the New to AIX and UNIX page to learn more about AIX and UNIX.
- AIX 5L™ Wiki: A collaborative environment for technical information related to AIX.
- Search the AIX and UNIX library by topic:
- Safari bookstore: Visit this e-reference library to find specific technical resources.
Get products and technologies
- IBM trial software: Build your next development project with software for download directly from developerWorks.
- Participate in the developerWorks blogs and get involved in the developerWorks community.
- Participate in the AIX and UNIX forums: