LDAP client enhancements in AIX 7
AIX has provided LDAP as a loadable authentication module since the AIX 4.3 release. LDAP is a connection-oriented protocol that runs over TCP/IP. The module can be configured for user and group management on AIX systems, and the AIX native commands are integrated to support LDAP. The AIX LDAP client daemon, secldapclntd, sends requests to the LDAP server on behalf of applications and commands and returns the details it fetches from the server. This article covers the enhancements to the AIX LDAP client environment from AIX 6.1 TL06 and AIX 7.1 onward. The LDAP client enhancements from AIX 6.1 TL06 onward are:
- LDAP case sensitive
- LDAP alias support
- LDAP cache enhancement
- LDAP negative cache enhancement
- Integration of Domain RBAC with LDAP
LDAP case sensitivity
User and group names on an LDAP server are matched case-insensitively: the server treats foo, Foo and FOO as the same user. UNIX® is case-sensitive and treats them as three different users. So when privileges are granted or restricted for any one of these names on an AIX system, the effect lands on the single LDAP account that all of them resolve to. This mismatch can lead to a security exposure.
The AIX LDAP client is enhanced to handle this case-sensitivity issue. A new configuration parameter, caseExactAccountName, is introduced in the AIX LDAP client configuration file, /etc/security/ldap/ldap.cfg. When this parameter is set to "yes", the LDAP client requires an exact, case-sensitive match between the user name entered and the results returned by the LDAP server. By default, the option is set to "no". Whenever the LDAP client configuration file is modified, restart the LDAP client daemon for the changes to take effect.
Run the following command to restart the LDAP client daemon:
When the caseExactAccountName parameter is set to "yes" and the LDAP user foo exists on the LDAP server, and an administrator or privileged user tries to create another user Foo, the mkuser command displays the following message:
# mkuser -R LDAP Foo
3004-698 Error committing changes to "Foo".
Similarly, with lsuser command, the following message is displayed:
# lsuser -R LDAP Foo
3004-687 User "Foo" does not exist.
LDAP alias support
LDAP stores information in a directory information tree (DIT) and manages users and groups within it. Sometimes a user is known by more than one user name; the additional names are aliases of the primary user name.
LDAP stores user information in the following directory tree format:
dn: uid=foo,ou=people,cn=aixdata
uid: foo
uid: foo1
objectclass: posixaccount
…
dn: uid=foo,ou=people,cn=aixdata is the distinguished name (DN) of the user, and uid=foo is its relative distinguished name (RDN). The entry carries a second uid value, foo1, which is an alias for the same user. AIX native commands such as lsuser fetch the user's attributes from the LDAP server by using either foo or foo1, because the server matches any uid value of the entry. However, AIX login used the distinguished name to identify the user, so logging in as foo succeeded but logging in as foo1 failed. The AIX LDAP client is enhanced to support the LDAP alias mechanism during user login, so that the user can log in with any of the entry's uid values.
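The case-sensitivity check and the alias login described in the two sections above can be modeled on the same directory data. The following is an added example (Python, not AIX or secldapclntd code): the entries, the server-side case-insensitive uid match and the mkuser collision check are constructed stand-ins, and the base DN cn=aixdata is taken from the LDIF above. It shows how "FOO" resolves to foo's account with caseExactAccountName=no, why an exact match is demanded with caseExactAccountName=yes, and how login differs with and without alias support.

```python
"""Model of two secldapclntd behaviours: caseExactAccountName and alias login.
Added example with constructed data; it is not AIX code."""
from dataclasses import dataclass


@dataclass
class Entry:
    """One posixAccount entry; uid is multi-valued, the first value is the RDN."""
    dn: str
    uid: list
    uidnumber: int


# Constructed sample DIT under the article's base DN cn=aixdata.
# foo has the alias foo1; bar has no alias.
DIT = [
    Entry("uid=foo,ou=people,cn=aixdata", ["foo", "foo1"], 1001),
    Entry("uid=bar,ou=people,cn=aixdata", ["bar"], 1002),
]


def ldap_search_uid(dit, name):
    """Server side: uid uses a case-ignoring match, so (uid=Foo) also matches foo."""
    return [e for e in dit if any(v.lower() == name.lower() for v in e.uid)]


def resolve_user(dit, name, case_exact_account_name=False):
    """Client-side lookup, as lsuser does it.

    With caseExactAccountName=no the first server result is accepted as-is, so
    'Foo' and 'FOO' resolve to foo's account.  With caseExactAccountName=yes the
    client additionally requires that the name entered appears, byte for byte,
    among the entry's uid values.
    """
    results = ldap_search_uid(dit, name)
    if case_exact_account_name:
        results = [e for e in results if name in e.uid]
    return results[0] if results else None


def rdn_value(entry):
    """'uid=foo,ou=people,cn=aixdata' -> 'foo'."""
    return entry.dn.split(",", 1)[0].split("=", 1)[1]


def login_resolve(dit, name, alias_support=False, case_exact_account_name=True):
    """Login-time resolution.

    Before the alias enhancement, login went by the DN, so only the RDN value
    (foo) could log in.  With alias support any uid value of the entry (foo or
    foo1) is accepted.
    """
    entry = resolve_user(dit, name, case_exact_account_name)
    if entry is None:
        return None
    if not alias_support and rdn_value(entry) != name:
        return None
    return entry


def mkuser(dit, name, uidnumber):
    """Model of mkuser -R LDAP: the server refuses a new entry whose DN collides
    with an existing one, and that comparison is also case-insensitive, which is
    why creating Foo next to foo fails at commit time."""
    new_dn = f"uid={name},ou=people,cn=aixdata"
    if any(e.dn.lower() == new_dn.lower() for e in dit):
        raise ValueError(f'3004-698 Error committing changes to "{name}".')
    entry = Entry(new_dn, [name], uidnumber)
    dit.append(entry)
    return entry


if __name__ == "__main__":
    print(resolve_user(DIT, "FOO"))                        # caseExact=no: foo's account
    print(resolve_user(DIT, "FOO", True))                  # caseExact=yes: None
    print(login_resolve(DIT, "foo1"))                      # login without alias support: None
    print(login_resolve(DIT, "foo1", alias_support=True))  # login with alias support: foo
```

In this model the mkuser collision is caught by the server at commit, which matches the 3004-698 message quoted above: the client's own exact-match check does not see Foo as an existing user, so nothing stops the request before it reaches the server.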
LDAP caching enhancement
The AIX LDAP client daemon, secldapclntd, stores user and group entries retrieved from the LDAP server in the LDAP client cache. User attributes are stored in the user cache, and group attributes in the group cache. Each cache entry carries a time stamp. After the cache timeout, which is configurable, the cache entry is invalidated, and the next query for that user results in an LDAP query to the LDAP server. The new result from the LDAP server is cached again for subsequent requests from applications and commands on the LDAP client.
The caching mechanism has a limitation with the current implementation. When a user account is modified or updated, the update may not be visible to an AIX system if the user is still cached with old values. One example is a password change. Within the cache timeout window, a user may still be allowed to log in to a system where the user cache entry is still valid using the old password, even after the password has been changed from a different system. For the same reason, logging in to the latter system with the new password would fail if the old password were still cached and valid.
This limitation is addressed by extending the caching mechanism in the AIX LDAP client. A new attribute, TO_BE_CACHED, is added to the LDAP user and group map files. By default its value is "yes", which means all user and group attributes are cached. It can be set to "no" for those user and group attributes that must not be cached. When a request comes in, the LDAP client first scans the user and group map files to see whether TO_BE_CACHED is set to "no" for any of the requested attributes. If it is, the client does not read the cache and sends the request to the LDAP server instead; otherwise it serves the request from the cache when a valid entry exists.
LDAP negative cache enhancement
Another enhancement to the secldapclntd daemon concerns the caching of negative results. If a request comes in for a user or group that does not exist on the LDAP server, the server returns the corresponding "does not exist" result and the client daemon caches that result. A later request for the same non-existent user or group is answered from the cache instead of going to the server. This improves performance when the same non-existent user or group is queried repeatedly. The flip side is that an account created on the server after a negative result was cached is not seen by that client until the negative entry expires. This mechanism is described as negative caching in the AIX LDAP client.
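The cache timeout, the TO_BE_CACHED attribute and the negative cache described in the two sections above can be modeled together. The following is an added example (Python, not AIX or secldapclntd code): the LDAP server, the clock and the map file are constructed stand-ins, with the map file reduced to a dictionary of AIX attribute name to LDAP attribute and TO_BE_CACHED value. It shows the stale-password window, how marking spassword as TO_BE_CACHED=no closes that window at the cost of a server round trip per lookup, how an expired entry is refreshed, and how a negative result is served from cache.

```python
"""Model of the secldapclntd user cache: cache timeout, TO_BE_CACHED and negative
caching. Added example with constructed data; it is not AIX code."""


class Clock:
    """Manually advanced clock so the timeout window can be simulated."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeLdapServer:
    """uid -> attribute dict; counts queries so cache hits are visible."""

    def __init__(self, entries):
        self.entries = entries
        self.queries = 0

    def lookup(self, uid):
        self.queries += 1
        entry = self.entries.get(uid)
        return None if entry is None else dict(entry)


class SecLdapClntd:
    """Client cache: uid -> (time stamp, entry or None for a negative result)."""

    def __init__(self, server, cache_timeout, usermap, clock, negative_cache=True):
        self.server = server
        self.timeout = cache_timeout
        self.usermap = usermap      # AIX attr -> {"ldap_attr": ..., "TO_BE_CACHED": ...}
        self.clock = clock
        self.negative_cache = negative_cache
        self.cache = {}

    def _cached(self, uid):
        """Return the cache record if present and still inside the timeout window."""
        hit = self.cache.get(uid)
        if hit is None:
            return None
        stamp, _entry = hit
        if self.clock() - stamp >= self.timeout:
            del self.cache[uid]     # expired: invalidate and force a server query
            return None
        return hit

    def get_attr(self, uid, attr):
        mapping = self.usermap[attr]
        # TO_BE_CACHED=no: bypass the cache read and always ask the server.
        hit = self._cached(uid) if mapping["TO_BE_CACHED"] == "yes" else None
        if hit is not None:
            entry = hit[1]
        else:
            entry = self.server.lookup(uid)
            if entry is not None or self.negative_cache:
                self.cache[uid] = (self.clock(), entry)
        return None if entry is None else entry.get(mapping["ldap_attr"])


# Constructed stand-in for the user map file (attribute names are assumptions).
USERMAP = {
    "id": {"ldap_attr": "uidnumber", "TO_BE_CACHED": "yes"},
    "spassword": {"ldap_attr": "userpassword", "TO_BE_CACHED": "yes"},
}


def stale_password_scenario(to_be_cached, elapsed=10, cache_timeout=300):
    """Password changed on the server between two lookups; returns what the
    client saw each time and how many server queries it took."""
    server = FakeLdapServer({"foo": {"uidnumber": "1001", "userpassword": "{crypt}old"}})
    usermap = dict(USERMAP)
    usermap["spassword"] = {"ldap_attr": "userpassword", "TO_BE_CACHED": to_be_cached}
    clock = Clock()
    client = SecLdapClntd(server, cache_timeout, usermap, clock)
    first = client.get_attr("foo", "spassword")
    server.entries["foo"]["userpassword"] = "{crypt}new"   # changed from another system
    clock.advance(elapsed)
    second = client.get_attr("foo", "spassword")
    return first, second, server.queries


def negative_cache_scenario(negative_cache):
    """Three lookups of a user that does not exist on the server."""
    server = FakeLdapServer({"foo": {"uidnumber": "1001"}})
    client = SecLdapClntd(server, 300, USERMAP, Clock(), negative_cache=negative_cache)
    results = [client.get_attr("nosuch", "id") for _ in range(3)]
    return results, server.queries


if __name__ == "__main__":
    print(stale_password_scenario("yes"))   # old password still accepted, 1 query
    print(stale_password_scenario("no"))    # new password seen, 2 queries
    print(negative_cache_scenario(True))    # [None, None, None], 1 query
```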
Integration of Domain RBAC into LDAP
In AIX 6.1 TL07 and AIX 7.1 TL02 and later releases, the LDAP client is enhanced to support Domain RBAC integration with an LDAP server. The LDAP client fetches the Domain RBAC information from the LDAP server and loads it into the AIX kernel, which enforces the domain controls over resources on the system. The Domain RBAC commands and the LDAP client commands are enhanced to support Domain RBAC with an LDAP server.
To configure the Domain RBAC database on an LDAP server, follow these steps:
- Load the Domain RBAC schema into the LDAP server with the ldapadd command. The Domain RBAC schema is shipped with AIX 6.1 TL07 and AIX 7.1 TL02. The schema file for the Tivoli Directory Server is /etc/security/ldap/sec.ldif. The Domain RBAC database can also be configured on a Microsoft® Windows AD server; in that case use the /etc/security/ldap/aixSchemaForAD.ldif file. The syntax is:
ldapadd -h <ldap servername> -D <binddn> -w <bind password> -i <schema file> -c -v
This command loads the Domain RBAC schema into the LDAP server.
- Convert the Domain RBAC database into LDIF format. The existing rbactoldif command is enhanced to convert the Domain RBAC database into LDIF. The following command converts the Domain RBAC database and writes the result to the /tmp/domain.ldif file:
rbactoldif -d <basedn> -s eo >> /tmp/domain.ldif
- Load the Domain RBAC LDIF file into the LDAP server with the ldapadd command:
ldapadd -h <ldapservername> -D <binddn> -w <bind password> -i /tmp/domain.ldif -v
- Reconfigure the LDAP client with the mksecldap command so that the Domain RBAC tree entries are populated in the LDAP client configuration file, /etc/security/ldap/ldap.cfg:
# mksecldap -c -h <LDAP server> -a <bind dn> -p <bind passwd> -S rfc2307aix
- Make sure that the domain suffixes are loaded on the LDAP server by verifying with lsldap. Run lsldap with no arguments to list the naming contexts (suffixes) on the LDAP server; the output includes the Domain RBAC suffixes along with the other suffixes.
- Add the following stanzas to the /etc/nscontrol.conf file on the LDAP client system so that the AIX native commands fetch Domain RBAC information from the LDAP server:
domains:
        secorder = LDAP,files

domobjs:
        secorder = LDAP,files
- Load the Domain RBAC tables into the kernel on the LDAP client with the setkst command.
- Make sure that the domain and domain object suffixes are configured properly. The existing commands mkdom, lsdom, chdom, rmdom and setsecattr are used with the -R LDAP option to manage domains and domain objects on the LDAP server:
mkdom -R LDAP <domain name>
setsecattr -R LDAP -o domains=<domain name> objtype=file <object name>
Resources
- LDAP configuration and management (developerWorks, May 2007) is a quick reference for IBM Directory Server configuration and management on AIX.
- The Understanding LDAP - Design and Implementation Redbook helps you build a foundation of LDAP skills and install and configure the IBM Directory Server.
- Introduction to Domain RBAC (developerWorks, September 2011) explains in simple terms how to use Domain RBAC to gain granular access control over resources and objects.
- The AIX Security Guide provides information about the various security features in AIX 7.1.