Using LDAPA authentication-only mode
The LDAP module is a full-function module that supports both user authentication and user identification. The LDAPA module is like the LDAP module, but it can be configured for authentication-only mode.
In authentication-only mode, the LDAPA module cannot be used as a stand-alone module; it must be combined with a database module to form a compound module. The LDAPA module performs user authentication while the database module performs identification. Users must be defined both in the LDAP server and in the database server for this compound module to work.
With the LDAPA module, group information comes from the database server. For example, with the LDAPAfiles compound module, the group information comes from the local /etc/group file. If some of your LDAP users belong only to LDAP groups, create corresponding groups on the database server before you configure the LDAPAfiles module. Otherwise an LDAPAfiles user whose group exists only in LDAP cannot resolve its group setting, because that group does not exist on the database server.
SYSTEM and registry to LDAPAfiles using the chuser command.
To configure LDAP in authentication-only mode using the LDAPA module, use the mksecldap command with the -i <databaseModule> option. This command creates an LDAPA module with options = authonly set and an LDAPA<databaseModule> compound load module.
For example, to configure LDAP in authentication-only mode with local files as the database module, run the following command:
mksecldap -c -h <ldap server> -a <binddn> -p <bind password> -i files
The /usr/lib/security/methods.cfg file is updated with the following stanzas:
LDAPA:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
        options = authonly

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

LDAPAfiles:
        options = db=BUILTIN,auth=LDAPA
In the LDAPA stanza, the options = authonly setting puts the LDAPA module into authentication-only mode. The LDAPAfiles stanza defines the compound load module: db=BUILTIN selects the local files database for identification and auth=LDAPA selects the LDAPA module for authentication.
The LDAP module is retained for resolving data other than users and groups, such as RBAC information. The LDAP module can still be used as a stand-alone authentication module, independent of the LDAPA module.
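As an added example (not from the AIX documentation), the following POSIX shell functions read a methods.cfg in the stanza format shown above, confirm that a compound module such as LDAPAfiles points its auth= half at a module that carries options = authonly, and, for the group caveat described earlier, list LDAP group names that have no entry in an /etc/group-format file. The sample stanzas and group lists are constructed inline, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: validate the methods.cfg stanzas for
# an authentication-only compound module and find LDAP-only groups missing locally.
# Constructed sample of this page's stanzas; in practice read /usr/lib/security/methods.cfg.
sample_methods_cfg() {
  cat <<'EOF'
LDAPA:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
        options = authonly

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

LDAPAfiles:
        options = db=BUILTIN,auth=LDAPA
EOF
}

# stanza_attr FILE STANZA ATTR: print ATTR's value from STANZA (empty if unset).
stanza_attr() {
  awk -v s="$2:" -v a="$3" '
    /^[ \t]*#/ { next }                                  # comment line
    /^[^ \t][^ \t]*:[ \t]*$/ { in_s = ($1 == s); next }  # "NAME:" opens a stanza
    in_s && $1 == a && $2 == "=" { sub(/^[ \t]*[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# check_authonly FILE COMPOUND: COMPOUND needs options = db=<m>,auth=<m>, and the auth
# module must carry options = authonly. Returns 0 only when both hold.
check_authonly() {
  opts=$(stanza_attr "$1" "$2" options)
  db=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^db=//p')
  auth=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^auth=//p')
  if [ -z "$db" ] || [ -z "$auth" ]; then
    echo "$2: not a compound module (options='$opts')"; return 1
  fi
  case ",$(stanza_attr "$1" "$auth" options)," in
    *,authonly,*) echo "$2: authentication by $auth, identification by $db"; return 0 ;;
    *) echo "$2: auth module $auth lacks 'options = authonly'"; return 1 ;;
  esac
}

# missing_groups LDAPGROUPS GROUPFILE: LDAPGROUPS has one LDAP group name per line,
# GROUPFILE is in /etc/group format; prints groups that must be created locally first.
missing_groups() {
  awk -F: 'NR == FNR { seen[$1] = 1; next } $1 != "" && !($1 in seen) { print $1 }' "$2" "$1"
}
```

Run check_authonly against the real methods.cfg after mksecldap finishes, and feed missing_groups the group names your LDAP users are members of before switching those users to the LDAPAfiles registry.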