Planning and configuring NIS_LDAP name resolution (RFC 2307 schema)
AIX® 5.2 offers a new naming mechanism called NIS_LDAP.
The difference between the existing LDAP mechanism and the new NIS_LDAP mechanism is the LDAP schema (the set of attributes and object classes that determine how attributes are grouped together to describe an entity). The existing LDAP mechanism works with an LDAP server that uses the IBM® SecureWay Directory schema, and it supports only the host naming service. The NIS_LDAP mechanism works with an LDAP server that uses the RFC 2307 schema, and it supports all the NIS services: users and groups, hosts, services, protocols, networks, and netgroup. RFC 2307 defines a set of attributes and object classes that can be used to describe network information services, including users and groups.
- To configure the LDAP server, set up the LDAP server and migrate the required data to it.
- Use the mksecldap command to set up a server. The nis_ldap mechanism works only with the RFC 2307 schema, so when setting up the LDAP server, invoke the mksecldap command with the -S rfc2307aix option (not the -S aix option, which specifies the IBM SecureWay Directory schema).
mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix
This sets up an LDAP server with the administrator DN cn=admin and the password adminpwd. The default suffix, cn=aixdata, is also added to the LDAP server configuration file, /etc/slapd32.conf. By default, the mksecldap command migrates users and groups defined on the local system to the LDAP server. If you want to disable this migration, use the -u NONE option, which prevents the migration of local users and groups to the LDAP server, so that you can only add NIS users and groups later.
mksecldap -s -a cn=admin -p adminpwd -u NONE
- Migrate the NIS data. Use the nistoldif command from the NIS server to migrate the NIS maps to the LDAP server. The nistoldif command can also be used to migrate data from flat files. Run the nistoldif command on a system that contains the NIS data that needs to be migrated to the LDAP server.
nistoldif -h server1.ibm.com -a cn=admin -p adminpwd -d cn=aixdata
This migrates the NIS maps from the local system to the LDAP server, server1.ibm.com. The NIS data is placed under the cn=aixdata DN. You can also run the nistoldif command to migrate data from flat files on any system to the LDAP server. The flat files will be used for any maps missing from the NIS server.
Note: Names are represented by the cn attribute of the LDAP server. The cn attribute defined by RFC 2307 is not case-sensitive. Names that differ only by case will be merged on the server. Matches are also not case-sensitive. Searching for Tcp would return the protocol entry for TCP.
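The case merge described in the note is easy to miss until two accounts have already collapsed into one on the server. The following pre-migration audit is an added example, not part of the IBM page or of the nistoldif command: it folds each name to lower case and reports groups of entries that become identical, so the collisions can be resolved in the NIS maps or flat files before nistoldif runs. The function name and the sample passwd and group data are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the IBM page): audit NIS-style flat files for names
# that differ only by case. Because the RFC 2307 cn attribute is not
# case-sensitive, such entries merge into one on the LDAP server; two user or
# group accounts merging is the case to catch before migration.

# case_collisions FILE FIELD [SEP]
# Prints one line per group of names that are identical under case folding,
# listing the variants as they appear in FILE. FIELD is the 1-based field that
# holds the name; SEP is the field separator (default ":" for passwd/group).
case_collisions() {
    awk -F"${3:-:}" -v f="$2" '
        /^#/ || NF == 0 { next }                 # skip comments and blank lines
        {
            key = tolower($f)
            names[key] = names[key] (names[key] == "" ? "" : " ") $f
            count[key]++
        }
        END { for (k in count) if (count[k] > 1) print names[k] }
    ' "$1" | sort
}

# Constructed sample data (stand-ins for /etc/passwd and /etc/group, not real files).
SAMPLE_PASSWD=$(mktemp)
SAMPLE_GROUP=$(mktemp)
printf '%s\n' \
    'root:!:0:0::/:/usr/bin/ksh' \
    'alice:!:201:1::/home/alice:/usr/bin/ksh' \
    'Alice:!:202:1::/home/Alice:/usr/bin/ksh' \
    'bob:!:203:1::/home/bob:/usr/bin/ksh' > "$SAMPLE_PASSWD"
printf '%s\n' \
    'system:!:0:root' \
    'staff:!:1:alice,bob' \
    'Staff:!:20:carol' \
    'dev:!:30:' > "$SAMPLE_GROUP"

echo "passwd collisions: $(case_collisions "$SAMPLE_PASSWD" 1)"   # alice Alice
echo "group collisions:  $(case_collisions "$SAMPLE_GROUP" 1)"    # staff Staff
```

For whitespace-separated maps such as protocols or services, pass a space as the third argument (`case_collisions /etc/protocols 1 " "`); an empty result means nothing will be merged for that map.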
- To configure the LDAP client to access names from the LDAP server, run the mksecldap command with client setup options.
- The mksecldap command saves the LDAP server name, port, admindn, password, and basedn to the /etc/security/ldap/ldap.cfg file, which is read by the secldapclntd daemon at its startup time. The mksecldap command starts the secldapclntd daemon automatically if the setup is successful.
See the /etc/security/ldap/ldap.cfg file in Files Reference and the secldapclntd daemon in the Commands Reference, Volume 5 for more information.
- The mksecldap command adds the nis_ldap mechanism to the /etc/netsvc.conf file and the /etc/irs.conf file so that name resolution can be directed to LDAP. You can also manually set the NSORDER environment variable to nis_ldap to use the NIS_LDAP name resolution.
mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com
This sets up the local system to use the server1.ibm.com LDAP server. The LDAP server administrator DN and password must be supplied for this client to authenticate to the server. The /etc/netsvc.conf and /etc/irs.conf files are updated so that name resolution goes through NIS_LDAP.
See the /etc/netsvc.conf file format for TCP/IP or the /etc/irs.conf file format for TCP/IP in the Files Reference for more information.
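After the client setup, two things are worth verifying: that the hosts map in /etc/netsvc.conf and /etc/irs.conf really names nis_ldap, and that /etc/security/ldap/ldap.cfg, which now holds the administrator password, cannot be read by group or others. The script below is an added example, not part of the IBM page or of mksecldap. It assumes the netsvc.conf layout "map = mechanism, mechanism" and the irs.conf layout "map mechanism" (both as assumptions), and it only looks at the permission bits of ldap.cfg, not its contents. The function names and the sample files it builds are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the IBM page): post-setup checks for an NIS_LDAP client.
# Assumptions: netsvc.conf lines look like "hosts = nis_ldap, local", irs.conf lines
# look like "hosts nis_ldap", and ldap.cfg should be readable by its owner only
# because it stores the LDAP administrator password.

# netsvc_uses_nis_ldap FILE  -> 0 if the hosts map lists nis_ldap
netsvc_uses_nis_ldap() {
    awk -F= '$1 ~ /^[ \t]*hosts[ \t]*$/ && $2 ~ /nis_ldap/ { found = 1 } END { exit !found }' "$1"
}

# irs_uses_nis_ldap FILE  -> 0 if a "hosts nis_ldap" line is present
irs_uses_nis_ldap() {
    awk '$1 == "hosts" && $2 == "nis_ldap" { found = 1 } END { exit !found }' "$1"
}

# owner_only FILE  -> 0 if group and other permission bits are all clear (mode 600 or 700)
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# verify_nis_ldap_client NETSVC IRS LDAPCFG
# Prints each failed check; returns 1 if any check failed, 0 otherwise.
verify_nis_ldap_client() {
    rc=0
    netsvc_uses_nis_ldap "$1" || { echo "hosts map in $1 does not use nis_ldap"; rc=1; }
    irs_uses_nis_ldap "$2"    || { echo "hosts map in $2 does not use nis_ldap"; rc=1; }
    owner_only "$3"           || { echo "$3 holds the admin password but is readable by group/others"; rc=1; }
    return $rc
}

# make_client_samples -> prints a directory of constructed stand-ins for the three files
make_client_samples() {
    dir=$(mktemp -d)
    printf 'hosts = nis_ldap, local\nnetgroup = nis_ldap\n' > "$dir/netsvc.conf"
    printf 'hosts nis_ldap\nservices nis_ldap\n' > "$dir/irs.conf"
    printf '# constructed stand-in; the real file holds server, admin DN and password\n' > "$dir/ldap.cfg"
    chmod 600 "$dir/ldap.cfg"
    echo "$dir"
}

# Demonstration on the constructed files; on a real client run:
#   verify_nis_ldap_client /etc/netsvc.conf /etc/irs.conf /etc/security/ldap/ldap.cfg
d=$(make_client_samples)
verify_nis_ldap_client "$d/netsvc.conf" "$d/irs.conf" "$d/ldap.cfg" && echo "client checks passed"
rm -rf "$d"
```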
- Name resolution for users and groups is not controlled by the /etc/netsvc.conf or /etc/irs.conf files. Rather, it is controlled through the /etc/security/user file. To enable an LDAP user to log in to an AIX system, set the user's SYSTEM attribute to LDAP in the /etc/security/user file of that client system. You can run the chuser command to do this.
chuser -R LDAP SYSTEM=LDAP registry=LDAP foo
You can configure your system to allow all LDAP users to log in to a system. To do so, edit the /etc/security/user file. Add registry = files to the root stanza. Then add SYSTEM = LDAP and registry = LDAP to the default stanza.
For more information on user authentication, refer to Light Directory Access Protocol in Security.
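Editing /etc/security/user by hand is where a stray attribute in the wrong stanza goes unnoticed, so the change is better applied to a copy and diffed before it is installed. The following stanza editor is an added example, not part of the IBM page or of AIX: it applies exactly the three changes described above (registry = files in the root stanza; SYSTEM = LDAP and registry = LDAP in the default stanza) to a file in the AIX stanza layout, which is assumed here to be a "name:" line at column 0 followed by indented "attr = value" lines. The function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM page): apply the /etc/security/user changes for
# LDAP login to a copy of the file. Assumes the AIX stanza layout: "stanza:" at
# column 0, attributes as "\tattr = value" beneath it, stanzas separated by blank lines.

# set_stanza_attr FILE STANZA ATTR VALUE
# Replaces ATTR in STANZA if present, otherwise appends it to that stanza;
# creates the stanza at the end of the file if it does not exist.
set_stanza_attr() {
    awk -v st="$2" -v at="$3" -v val="$4" '
        function finish() { if (in_st && !done) { print "\t" at " = " val; done = 1 } }
        /^[^ \t#].*:[ \t]*$/ {                   # stanza header, e.g. "root:"
            finish()
            name = $0; sub(/:[ \t]*$/, "", name)
            in_st = (name == st); if (in_st) found = 1
            print; next
        }
        in_st && $1 == at && $2 == "=" { print "\t" at " = " val; done = 1; next }
        in_st && !done && /^[ \t]*$/ { print "\t" at " = " val; done = 1 }   # blank line closes the stanza
        { print }
        END {
            finish()
            if (!found) { print ""; print st ":"; print "\t" at " = " val }
        }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# get_stanza_attr FILE STANZA ATTR  -> prints the value, or nothing if unset
get_stanza_attr() {
    awk -v st="$2" -v at="$3" '
        /^[^ \t#].*:[ \t]*$/ { name = $0; sub(/:[ \t]*$/, "", name); in_st = (name == st); next }
        in_st && $1 == at && $2 == "=" { print $3; exit }
    ' "$1"
}

# enable_ldap_login FILE
# root stays in the local files registry; every user without an explicit
# stanza falls through to default and is looked up and authenticated in LDAP.
enable_ldap_login() {
    set_stanza_attr "$1" root registry files
    set_stanza_attr "$1" default SYSTEM LDAP
    set_stanza_attr "$1" default registry LDAP
}

# make_sample_user_file -> prints the path of a constructed stand-in for /etc/security/user
make_sample_user_file() {
    f=$(mktemp)
    printf 'default:\n\tadmin = false\n\tSYSTEM = "compat"\n\nroot:\n\tadmin = true\n\tSYSTEM = "compat"\n\nguest:\n\tadmin = false\n' > "$f"
    echo "$f"
}

# Demonstration on the constructed file. On a real client, as root:
#   cp /etc/security/user /tmp/user.new && enable_ldap_login /tmp/user.new
#   diff /etc/security/user /tmp/user.new   # review, then install the copy
f=$(make_sample_user_file)
enable_ldap_login "$f"
cat "$f"
rm -f "$f"
```

Attribute lines are matched on the "attr = value" form that AIX itself writes; a line without the surrounding spaces would be appended rather than replaced, so diff the result before installing it.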