Integration of Microsoft Windows Active Directory server as a pass-through authentication server to IBM Tivoli Directory Server

Comments

Overview

In a heterogeneous environment, centralization of users and groups is a tedious task. Deploying users and groups, and their attributes on the same server and managing them from heterogeneous clients is always a difficult task for an administrator. When users need to be granted access on the client system, the user credentials can be validated either at the server level or at the client level. In a heterogeneous environment, all clients might not be able to understand the server’s password encryption algorithm for validation of user's credentials. So, server should validate the user credentials and grant access to users on clients based on the client’s capabilities.

IBM AIX LDAP is capable of handling several AIX security features. These security features provides fine granular control of access on the client system. However, these features might not work on all the clients in a heterogeneous environment. This article explains a pass-through authentication mechanism, which allows AIX users to authenticate to the AIX partitions using their windows login password.

Figure 1 depicts integration of Windows AD server as a pass-through authentication server for IBM Tivoli Directory Server.

Figure 1. Integration of Windows AD Server as pass-through authentication server
Integration of Windows AD Server as pass-through authentication server
Integration of Windows AD Server as pass-through authentication server

When AIX LDAP client makes a request to the IBM Tivoli Directory Server for user validation, the server forwards the user credentials to the Windows AD server for authentication. After the user has been authenticated on the Windows AD server, based on the Windows AD server response, Tivoli Directory Server grants access to the user on the AIX LDAP client.

Advantages of pass-through authentication:

  • Simplifies password management
  • Users can log in with the same password on Windows clients and AIX clients.
  • User authentication is handled by Windows server while user identification is handled by IBM Tivoli Directory Server.

Configuration of LDAP pass-through authentication server
Perform the following steps to configure LDAP pass-through authentication server.

  1. Configure the AIX LDAP server and the AIX LDAP client.
    Note: This article does not show the steps to configure AIX LDAP client and server. Refer to the Resources section for LDAP configuration.
  2. Store users, groups, and passwords on the Windows AD server.
  3. Enable pass-through authentication on the IBM LDAP server.
  4. Set ibm-slapdPtaEnable to true in the ibmslpad.conf file. By default, the value will be set to false. The value can be set using the ldapmodify command as well. Refer to the command in the following figure to make changes in the ldap configuration file.
  1. Modify the pass-through authentication dn to map attribute between Windows AD Server and Tivoli Directory Server. These changes will get updated in the ibmslapd.conf file.
  1. Restart the IBM Tivoli Directory Server LDAP server process for the changes to be effective. Use the commands specified in the following figure to restart the LDAP server process
  1. Create a user on the LDAP server without defining password for that user. The user can be created using the mkuser command from the AIX LDAP client or by using the ldapadd command.
  1. Create a user on the Microsoft Windows AD server with a password.
  1. Map the user’s given name on the Windows AD server with the user name on the AIX LDAP server.
  1. Verify the user login from the AIX LDAP client.

Note: Make sure that on the LDAP client, the ldap_auth authentication type is configured. With the unix_auth authentication mechanism, users cannot log in to the AIX LDAP client.

Conclusion

Pass-through authentication mechanism enables the server to redirect the user authentication requests to pass-through authentication Server to validate the user credentials before granting access on the client systems. This provides single password policy, so that users do not need to remember multiple passwords.

References


Downloadable resources


Comments

Sign in or register to add and subscribe to comments.

static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=AIX and UNIX
ArticleID=1009524
ArticleTitle=Integration of Microsoft Windows Active Directory server as a pass-through authentication server to IBM Tivoli Directory Server
publish-date=07102015