Planning and configuring NIS_LDAP name resolution (RFC 2307 schema)

AIX® 5.2 offers a new naming mechanism called NIS_LDAP.

The difference between the existing LDAP mechanism and the new NIS_LDAP mechanism is in the LDAP schema (the set of attributes and object classes that determine how attributes are grouped together for describing an entity). The existing LDAP mechanism works with the IBM® SecureWay Directory schema compliant LDAP server and it supports only the host naming service. The NIS_LDAP mechanism works with the RFC 2307 schema compliant LDAP server, and it supports all the NIS services: users and groups, hosts, services, protocols, networks, and netgroup. RFC 2307 defines a set of attributes and object classes that can be used to describe network information services, including users and groups.

  • To configure the LDAP server, you will need to set up the LDAP server and migrate the required data to the server.
    1. Use the mksecldap command to set up a server.
      The nis_ldap mechanism works only with the RFC 2307 schema. While setting up the LDAP server, the mksecldap command should be invoked with either the -S rfc2307 or -S rfc2307aix option (not the -S aix option, which specifies the IBM SecureWay Directory schema). By default, the mksecldap command migrates users and groups defined on the local system to the LDAP server. If you want to disable this migration, use the -u NONE option.
      mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix

      This sets up an LDAP server with administrator DN being cn=admin and password being adminpwd. The default suffix, cn=aixdata, is also added to the /etc/slapd32.conf file, the LDAP server configuration file.

      To disable the migration of local users and groups, run the command with the -u NONE option. Only NIS users and groups can then be added to the server later.
      mksecldap -s -a cn=admin -p adminpwd -u NONE
    2. Migrate the NIS data. Use the nistoldif command from the NIS server to migrate the NIS maps to the LDAP server. The nistoldif command can also be used to migrate data from flat files.
      Run the nistoldif command on a system that contains NIS data that needs to be migrated to the LDAP server.
      nistoldif -h server1.ibm.com -a cn=admin -p adminpwd -d cn=aixdata

      This migrates the NIS maps from the local system to the LDAP server, server1.ibm.com. The NIS data is placed under the cn=aixdata DN. You can also run the nistoldif command to migrate data from flat files on any system to the LDAP server. The flat files will be used for any maps missing from the NIS server.

      Note: Names are represented by the cn attribute of the LDAP server. The cn attribute defined by RFC 2307 is not case-sensitive. Names that differ only by case will be merged on the server. Matches are also not case-sensitive. Searching for TCP, tcp, or Tcp would all return the protocol entry for TCP.
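Because the RFC 2307 cn attribute is not case-sensitive, names that differ only by case are merged during migration. The following added script (not part of the AIX documentation or the nistoldif command) reads a NIS map or flat file and lists the names that would collide, so they can be reviewed before the data is migrated; the sample maps are constructed for the example.

```shell
# Added example, not from the AIX documentation: before running nistoldif,
# find names in a NIS map or flat file that differ only by case. The RFC 2307
# cn attribute is not case-sensitive, so such entries are merged on the
# LDAP server and only one of them survives the migration.

# Read map lines on stdin; print one line per set of names (field 1) that
# collide when lowercased. $1 is the field separator: ':' for passwd/group,
# ' ' (the awk default) for hosts, services, protocols and networks files.
case_collisions() {   # usage: case_collisions SEP < mapfile
    awk -F"$1" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            n = $1; k = tolower(n)
            if (!(k in seen)) { seen[k] = n; order[++c] = k; next }
            m = split(seen[k], parts, " "); dup = 0
            for (i = 1; i <= m; i++) if (parts[i] == n) dup = 1
            if (!dup) seen[k] = seen[k] " " n   # same key, different spelling
        }
        END {
            for (i = 1; i <= c; i++)
                if (index(seen[order[i]], " ")) print seen[order[i]]
        }'
}

# Constructed sample maps standing in for passwd and protocols data.
SAMPLE_PASSWD='alice:!:201:1::/home/alice:/usr/bin/ksh
Alice:!:202:1::/home/Alice:/usr/bin/ksh
bob:!:203:1::/home/bob:/usr/bin/ksh'

SAMPLE_PROTOCOLS='# protocol  number  aliases
ip      0   IP
icmp    1   ICMP
tcp     6   TCP
Tcp     6   TCP'

echo "passwd names that would merge:"
printf '%s\n' "$SAMPLE_PASSWD" | case_collisions ':'
echo "protocols names that would merge:"
printf '%s\n' "$SAMPLE_PROTOCOLS" | case_collisions ' '
```

Run it against each map the NIS server holds (and the flat files used for missing maps) before invoking nistoldif; an empty result means no entries will be merged.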
  • To configure the LDAP client to access names from the LDAP server, run the mksecldap command with client setup options.
    1. The mksecldap command saves the LDAP server name, port, admindn, password, and basedn to the /etc/security/ldap/ldap.cfg file, which is read by the secldapclntd daemon at its startup time. The mksecldap command starts the secldapclntd daemon automatically, if the setup is successful.

      See the /etc/security/ldap/ldap.cfg file in Files Reference and the secldapclntd daemon in the Commands Reference, Volume 5 for more information.

    2. The mksecldap command adds the nis_ldap mechanism to the /etc/netsvc.conf file and the /etc/irs.conf file so that name resolution can be directed to LDAP. You can also manually set the NSORDER environment variable to nis_ldap to use NIS_LDAP name resolution.
      mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com

      This sets up the local system to use the server1.ibm.com LDAP server. The LDAP server administrator DN and password must be supplied for this client to authenticate to the server. The /etc/netsvc.conf and /etc/irs.conf files are updated so that name resolution goes through NIS_LDAP.

      See the /etc/netsvc.conf file format for TCP/IP or the /etc/irs.conf file format for TCP/IP in the Files Reference for more information.

    3. Name resolution for users and groups is not controlled by the /etc/netsvc.conf or /etc/irs.conf files. Rather, it is controlled by the /etc/security/user file. To enable an LDAP user to log in to an AIX system, set the user's SYSTEM and registry variables to LDAP in the /etc/security/user file of that client system.
      You can run the chuser command to do this.
      chuser -R LDAP SYSTEM=LDAP registry=LDAP foo

      You can configure your system to allow all LDAP users to log in to the system. To do so, edit the /etc/security/user file. Add registry = files to the root stanza. Then add SYSTEM = LDAP and registry = LDAP to the default stanza.

      For more information on user authentication, refer to Lightweight Directory Access Protocol in Security.
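The stanza edits in step 3 above decide which accounts resolve through LDAP and which stay in local files, so it is worth verifying them. The following added script (not part of the AIX documentation) parses a stanza-format file like /etc/security/user and checks that root keeps registry = files while the default stanza carries SYSTEM = LDAP and registry = LDAP; the sample file is constructed for the example.

```shell
# Added example, not from the AIX documentation: check that /etc/security/user
# carries the settings the text describes for allowing all LDAP users to log
# in. Stanza format: "name:" on its own line, then indented "attr = value".

# Print the value of ATTR in stanza STANZA from the stanza file on stdin.
stanza_attr() {   # usage: stanza_attr STANZA ATTR < file
    awk -v want="$1" -v attr="$2" '
        /^[^ \t*#][^:]*:[ \t]*$/ { cur = $0; sub(/:.*$/, "", cur); next }
        cur == want {
            line = $0; sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == attr) { print v; exit }
        }'
}

# Return 0 when root keeps registry = files and the default stanza has
# SYSTEM = LDAP and registry = LDAP, as the text instructs; 1 otherwise.
ldap_login_configured() {   # usage: ldap_login_configured < file
    f=$(cat)
    [ "$(printf '%s\n' "$f" | stanza_attr root registry)" = "files" ] &&
    [ "$(printf '%s\n' "$f" | stanza_attr default SYSTEM)" = "LDAP" ] &&
    [ "$(printf '%s\n' "$f" | stanza_attr default registry)" = "LDAP" ]
}

# Constructed sample of an edited file (not copied from any real system).
SAMPLE_USER_FILE='default:
        admin = false
        SYSTEM = LDAP
        registry = LDAP

root:
        admin = true
        registry = files
'

if printf '%s\n' "$SAMPLE_USER_FILE" | ldap_login_configured; then
    echo "LDAP login for all users: configured"
else
    echo "LDAP login for all users: NOT configured"
fi
```

On a real client run ldap_login_configured < /etc/security/user; the check compares against the exact values from the text, so a quoted or compound SYSTEM value is reported as not configured.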