mksecldap Command

Purpose

Sets up an AIX system as a Lightweight Directory Access Protocol (LDAP) server or client for security authentication and data management.

Syntax

To set up a server
mksecldap -s -a adminDN -p adminpasswd -S schematype [ -d baseDN ] [ -n port ] [ -k SSLkeypath ] [ -w SSLkeypasswd ] [ -x proxyDN -X proxypasswd ] [ -u NONE ] [ -v LDAPVersion ] [ -U ] [ -j <ssl|tls|ssltls|none|sslonly> ]
To set up a client
mksecldap -c -h serverlist -a bindDN -p bindpwd [ -d baseDN ] [ -n serverport ] [ -k SSLkeypath ] [ -w SSLkeypasswd ] [ -t cachetimeout ] [ -C cachesize ] [ -P NumberofThreads ] [ -T heartBeatInt ] [ -M searchMode ] [ -D defaultEntry ] [ -A authType ] [ -i databaseModule ] [ -u userlist ] [ -U ] [ -j <ssl|tls> ] [ -g [ -I domainID ]]

Description

The mksecldap command can be used to set up the IBM Directory servers and clients for security authentication and data management.
Notes:
  1. You cannot use the client (-c flag) and the server (-s flag) options at the same time. When you set up a server, you might need to run the mksecldap command twice on that system to set up the server and the system as a client.
  2. The name and the location of the LDAP server configuration file depends on the version of the LDAP software that is installed. For more information about LDAP software, see LDAP software documentation of the installed release.
Server Setup
Make sure that the LDAP server and the backend IBM® DB2® software are installed. You do not need to pre-configure IBM DB2 to run the mksecldap command for LDAP server setup. The following operations are performed when you run the mksecldap command to set up the server:
  1. Create a DB2 instance with ldapdb2 as the default instance name.
  2. If the IBM Directory Server 6.0 or later is being configured, an LDAP server instance with the default name of ldapdb2 is created. A prompt is displayed for the encryption seed to use to create the key stash files. The input encryption seed must be at least 12 characters long.
  3. Create a DB2 database with ldapdb2 as the default database name. If a database exists, the mksecldap command bypasses step 1 and step 2. A database exists when the LDAP server is set up for other usage. The mksecldap command uses the existing database to store the AIX user or group data.
  4. Create the base distinguished name (DN, also called the suffix) of the directory information tree (DIT). The base DN must start with one of the dc, o, ou, c, or cn attributes. If no base DN is supplied on the command line, the default suffix is set to cn=aixdata and the user or group data is placed under the cn=aixdata DN. Otherwise, the mksecldap command uses the user-supplied DN specified with the -d option. Users and groups are exported to LDAP by using the sectoldif command. The following DIT is created by default:
                    <user supplied suffix>
                              |
                  --------------------------
                  |                        |
                ou=People                ou=Groups
  5. If you do not specify the -u NONE flag, export the data from the security database files of the local host into the LDAP database. If you specify -u NONE, the mksecldap command does not create the ou=People and ou=Group containers as it normally does, and it does not export users and groups. Depending on the -S option, the mksecldap command exports the users or groups by using one of the following LDAP schemas:
    AIX
    AIX schema (aixaccount and aixaccessgroup object classes)
    RFC2307
    RFC 2307 schema (posixaccount, shadowaccount, and posixgroup object classes)
    RFC2307AIX
    RFC 2307 schema with full AIX support (posixaccount, shadowaccount, posixgroup, aixauxaccount, and aixauxgroup object classes).
  6. Set the LDAP server administrator DN and password.
  7. Set the server to listen to a specified port if the -n option is used. The default port is 389. Also, Transport Layer Security (TLS) uses this port as the default port (636 for secure socket layer (SSL)).
  8. Updates the /usr/lib/security/methods.cfg file with the LDAP module configuration. If the -i option is specified on the command line, it configures LDAPA as an authentication-only module and a compound load module (for example, LDAPA files when -i files is specified) in which LDAPA serves for authentication and the database module serves for identification.
  9. Create the proxy entry if the -x and -X options are specified. Create an ACL for the base DN by using the proxy entry. The default ACL can be found in the /etc/security/ldap/proxyuser.ldif.template file. The client system uses the proxy entry to bind to the server. For more information, see the Client Setup section.
  10. Set the server to use SSL or TLS if the -k option is specified for secure data transfer between this server and the clients. Install the GSKitv8 fileset and create an SSL or TLS key for this setup. You can install the GSKitv8 fileset after you mount the AIX® 7.3 expansion pack DVD.
  11. Installs the /usr/ccs/lib/libsecldapaudit.a LDAP server plug-in. This plug-in supports AIX audit of the LDAP server.
  12. Start or restart the LDAP server after all the earlier steps are complete.
  13. Add the LDAP server process (slapd) to the /etc/inittab file to have the LDAP server start after a restart.
Note: The -U option resets a previous setup for the server configuration file. It has no effect on the database. The first time the mksecldap command runs, it saves two copies of the server configuration file in the /etc/security/ldap directory. The name of one copy of the server configuration file is appended with .save.orig and the other copy is appended with .save. During each subsequent run of the mksecldap command, only the current server configuration is saved as a .save file. The undo option restores the server configuration file with the .save copy. In AIX 5.3, it is possible to start mksecldap -s in succession to create and populate multiple suffixes. If multiple suffixes are created and populated, then the .save.orig file needs to be manually restored to revert to the initial configuration file.
Client Setup
Make sure that the LDAP client fileset is installed and that the LDAP server is set up and running. The mksecldap command performs the following steps during the client setup:
  1. Saves the hostname of one or more LDAP servers.
  2. Saves the user base DN and group base DN of the server. If the -d option is not supplied on the command line, the mksecldap command searches the LDAP server for the aixaccount, aixaccessgroup, posixaccount, posixgroup, and aixauxaccount object classes, and sets up the base DNs. If the server has multiple user or group bases, you must supply the -d option with a Relative Distinguished Name (RDN). The mksecldap command then sets up the base DNs to the ones within that RDN.
    If the posixaccount object class is found during the client setup, the mksecldap command searches and saves the base DNs for the following entities from the server:
    • hosts
    • networks
    • services
    • netgroups
    • protocols
    • rpc
    • authorizations
    • roles
    • privcmds
    • privdevs
    • privfiles
    • usrkeystore
    • grpkeystore
    • efscookies
    • admkeystore
    • domains
    • domobjs
  3. Determines the schema type that is used by the LDAP server. The schema types are the AIX specific schema, the RFC 2307 schema, the RFC 2307 schema with full AIX support, or the Microsoft Services for UNIX 3.0 schema. It then sets the object classes and attribute maps in the /etc/security/ldap/ldap.cfg file. The mksecldap command does not recognize other schema types; for those, you must set up the clients manually.

    Although the Microsoft™ Services for UNIX® 3.0 schema is deprecated on the Active Directory (AD) server, the UNIX schema is still supported if you specify the -g flag. The -g and -I flags are added to support the AIX LDAP client for managing users and groups on Microsoft Active Directory (MSAD) without Identity Management for UNIX (the IDMU UNIX attributes plug-in), which is deprecated starting with Windows Server 2012 R2.

  4. Sets the SSL or TLS for secure data transfer between this host and the LDAP server. Create the client SSL or TLS key and the key password in advance. The server must be set up to use SSL or TLS for the client SSL or TLS to work. The SSL or TLS functions require the installation of the GSKitv8 fileset. You can install the GSKitv8 fileset after you mount the AIX 7.3 Expansion Pack DVD.
  5. Encrypts the bind password.
  6. Saves the LDAP server bind DN and password. The DN and password pairs must exist on the LDAP server. If the bind DN and password are not given, the mksecldap command uses anonymous bind. Some of the data might not be returned from the LDAP server with anonymous bind. Before you choose an anonymous bind, contact your LDAP administrator.
  7. Sets the optionally specified configuration values as defined in the client setup flags section.
  8. Optionally sets the list of users or all users to use LDAP by modifying their system line in the /etc/security/user file. For more information about enabling LDAP login, see Note.
  9. Starts the client daemon process (secldapclntd command).
  10. Adds the client-side daemon process to the /etc/inittab file to have this daemon start after a restart.
Note: All client configuration data is saved to the /etc/security/ldap/ldap.cfg configuration file. The -U option resets a previous setup to the /etc/security/ldap/ldap.cfg file by replacing the file with the configuration that is stored in the /etc/security/ldap/ldap.cfg.save file. Setting the SYSTEM to LDAP for the default stanza of /etc/security/user allows only LDAP users to login to the system. Setting the SYSTEM to LDAP or compat allows both LDAP users and local users to login to the system.
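The following is an added example for this page, not part of AIX or of the mksecldap command: a read-only audit of the /etc/security/user file that reports which accounts have been switched to LDAP (the effect of the -u option in step 8) and what the default stanza's SYSTEM value permits, following the note above. It assumes the usual stanza layout of that file ("name:" lines, "attr = value" lines, "*" comments); the function names and the sample stanza file are constructed for the example.

```shell
#!/bin/sh
# Added illustration (not AIX code): audit which accounts mksecldap -u switched
# to LDAP by reading /etc/security/user stanzas. ASSUMPTION: the file uses the
# usual "name:" stanza lines, "attr = value" attribute lines, and "*" comments.

# stanza_attr FILE STANZA ATTR: print ATTR's value from STANZA, quotes stripped.
stanza_attr() {
    awk -v st="$2" -v at="$3" '
        /^[^ \t*#][^:]*:[ \t]*$/ { s = $0; sub(/:.*/, "", s); next }
        s == st && $1 == at && $2 == "=" {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v); print v; exit
        }' "$1"
}

# stanza_names FILE: print every stanza name in file order.
stanza_names() {
    awk '/^[^ \t*#][^:]*:[ \t]*$/ { s = $0; sub(/:.*/, "", s); print s }' "$1"
}

# ldap_enabled_users FILE: one "user:SYSTEM:registry" line per account whose
# SYSTEM attribute names LDAP (the default stanza is reported separately).
ldap_enabled_users() {
    for u in $(stanza_names "$1"); do
        if [ "$u" = default ]; then continue; fi
        sys=$(stanza_attr "$1" "$u" SYSTEM)
        case $sys in
            *LDAP*) echo "$u:$sys:$(stanza_attr "$1" "$u" registry)" ;;
        esac
    done
}

# default_login_policy FILE: what the default stanza's SYSTEM value permits.
# "LDAP" admits only LDAP users, "LDAP or compat" admits LDAP and local users;
# anything else is reported as local only.
default_login_policy() {
    case $(stanza_attr "$1" default SYSTEM) in
        LDAP)                        echo ldap-only ;;
        *LDAP*compat*|*compat*LDAP*) echo ldap-and-local ;;
        *)                           echo local-only ;;
    esac
}

# write_sample_user_file PATH: constructed sample, not copied from any system.
write_sample_user_file() {
    cat > "$1" <<'EOF'
* constructed sample in /etc/security/user format
default:
        admin = false
        login = true
        SYSTEM = "compat"
        registry = files

root:
        admin = true
        SYSTEM = "compat"

user1:
        SYSTEM = "LDAP"
        registry = LDAP

user2:
        SYSTEM = "LDAP or compat"
        registry = LDAP

user3:
        SYSTEM = "compat"
EOF
}

# Usage on a live system (read-only):
#   ldap_enabled_users /etc/security/user; default_login_policy /etc/security/user
```

Running the two reporting functions against the real file after a client setup shows whether the -u list took effect and whether local accounts such as root can still log in when the LDAP server is unreachable.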

Flags

For Server Setup
Item Description
-a AdminDN Specifies the LDAP server administrator DN.
-d baseDN Specifies the suffix or base DN of the AIX subtree. The default is cn=aixdata.
-j < ssl | tls | ssltls | none | sslonly > Specifies the encryption connection type that is used during the communication with the LDAP clients. The valid values are SSL, TLS, SSLTLS, and SSL only. If you specify the -k and -w flags without the -j flag, the default connection type is SSL.
-k SSLkeypath Specifies the full path to the SSL or TLS key database of the server.
-n port Specifies the port number that the LDAP server listens to. The default port number is 389 for non-SSL and 636 for SSL.
-p adminpasswd Specifies the clear text password for the administrator DN.
-S schematype Specifies the LDAP schema that is used to represent the user and group entries in the LDAP server. The valid values are AIX, RFC2307, and RFC2307AIX.
-s Specifies that the command is being run to set up the server.
-w SSLkeypasswd Specifies the password for the SSL or TLS key database.
-U Specifies to undo the previous server setup to the LDAP configuration file. The database is not affected.
-u NONE Specifies not to migrate users and groups from the local system. The valid value is NONE. Any other values are ignored. When you specify the -u option, the mksecldap command does not create the ou=People and ou=Group containers, nor does it export users and groups. The -S option is not required with this option.
-v LDAPVersion Denotes a specific version of the LDAP server fileset to configure. The value must be in the format #.#, where # is a number. For example, 6.0. If you do not specify -v flag, the mksecldap command configures the recent version of the LDAP server fileset that is installed.
-X proxypasswd Specifies the password for the proxy DN.
-x proxyDN Specifies the DN of the proxy entry. The client systems use the proxy entry to bind to this server.
For Client Setup
Item Description
-a bindDN Specifies the DN to bind to the LDAP server. The DN must exist on the LDAP server. If the authtype is unix_auth, the bindDN variable must have read access to the password field of the user on the LDAP server. Without the -a option, the mksecldap command configures the anonymous bind.
Note: Some of the data might not be retrieved from the LDAP server with anonymous bind. For more information about using anonymous bind, contact your LDAP server administrator.
-A authType Specifies the authentication mechanism that is used to authenticate users. The valid values are unix_auth and ldap_auth. The default value is unix_auth. The following are the definitions of the values:
unix_auth
Retrieves user password from the LDAP server and performs authentication locally.
ldap_auth
Binds to the LDAP server and sends the password in clear text for authentication.
Note: Use SSL or TLS when using the ldap_auth type authentication as during authentication, passwords are sent in clear text to the LDAP server.
-c Indicates that the command is being run to set up the client.
-C Cachesize Specifies the maximum number of user entries that can be used in the client-side daemon cache. The valid values range from 100 to 65536 for the user cache. The default value is 1000. For the group cache, the valid values range from 100 to 65536. The default value is 1000. If you set the user cache size in the start-secldapclntd command by using the -C option, the group cache is set to 10% of the user cache.
-D defaultEntryLocation Specifies the location of the default entry. The valid values are ldap and local. The default value is ldap. The following are the definitions of the values:
ldap
Use the default entry in LDAP for all attribute default values.
local
Use the default stanza from local /etc/security/user file for all attribute default values.
-d baseDN Specifies the base DN for the mksecldap command to search for the user base DN and group base DN. If you do not specify it on the command line, the entire database is searched.
-g Specifies to enable the idgeneration feature that generates the user ID (UID) or group ID (GID) when Microsoft Active Directory is used as the LDAP server.
-h serverlist Specifies a comma-separated list of hostnames (server and backup servers).
-I domainID Specifies the domain identifier that is used for generating the UID or GID when the -g flag is set. The range for the domainID value is 1-99. The default value of the domainID is 1. This facilitates unique IDs across the domains.
Note: During the client configuration, if you do not set the -I flag with the -g flag, the default value of 1 is used for the domainID. A unique domainID value must be assigned for every configured AD domain. The unique domainID of an AD domain must be the same across the client configuration to ensure the uniqueness of the generated UID or GID across the AD domains.
-i databaseModule Specifies the configuration of LDAP as the authentication-only module (LDAPA) of a compound load module. The databaseModule option specifies the database module of the compound load module.
-j < ssl | tls > Specifies the encryption connection type that is used during the communication with the LDAP server. Valid values are SSL and TLS. If the -k and -w flags are specified without the -j flag, the default connection type is SSL.
-k SSLkeypath Specifies the full path to the client SSL or TLS key database.
-M searchMode Specifies the set of user and group attributes to be retrieved. The valid values are ALL and OS. The default value is ALL. The following are the definitions of the values:
ALL
Retrieves all attributes of an entry.
OS
Retrieves only the attributes of an entry that the operating system requires. Non-OS attributes, such as telephone numbers and binary images, are not returned.
Note: Use OS only when the entries have many attributes that the OS does not require, or attributes with large values (for example, binary data), to reduce the sorting effort by the LDAP server.
-n serverport Specifies the port number that the LDAP server is listening to.
-p bindpasswd Specifies the clear text password for the bindDN used to bind to the LDAP server.
-P NumberofThreads Specifies the number of threads that the client-side daemon uses. The valid values range from 1 to 256. The default value is 10.
-t cachetimeout Specifies the maximum time before a cache entry expires. The valid values range from 60 to 3600 seconds. The default value is 300 seconds. Set this value to 0 to disable caching.
Note: The cachetimeout attribute is used to set up values for the usercachetimeout and groupcachetimeout attributes. Starting with AIX 7.3, the cachetimeout attribute is deprecated. You can use the usercachetimeout and groupcachetimeout attributes instead.
-T heartBeatInt Specifies the time interval of heartbeat between this client and the LDAP server. The valid values range from 60 to 3600 seconds. The default value is 300.
-u userlist Specifies the comma-separated list of user names to enable for LDAP authentication. The registry and SYSTEM attributes of this list of users are set to use the LDAP server. Specify ALL to enable all users on the client.
Note: The SYSTEM attribute in the default stanza of the /etc/security/user file can be set to LDAP to allow only LDAP users to log in. If the SYSTEM attribute is set to LDAP or compat, both LDAP users and local users can log in to the system.
-U Specifies to undo the previous client setup to the LDAP client configuration file.
-w SSLkeypasswd Specifies the password for the client SSL or TLS key database.
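The checks below are an added example written for this page, not part of AIX or of the mksecldap command. They validate a mksecldap argument list before the real command runs, using the rules this reference states for both modes: the Server Setup section (the -s/-c exclusion, the required administrator DN and password, the schema names, the attributes a base DN may start with, the -x/-X pair) and the client flags above (the unix_auth/ldap_auth choice, the value ranges of -t, -T, -P, -C and -I, -I needing -g, and the note that ldap_auth must be paired with SSL or TLS because the password travels in clear text). The function names (mksecldap_preflight and the _pf_ helpers) are constructed for the example; the two constraints marked ASSUMPTION in the code (the TCP port range, and -k and -w being given together) go beyond what the reference says.

```shell
#!/bin/sh
# Pre-flight check for a mksecldap command line. Added illustration, not part
# of AIX or of mksecldap itself: it validates the argument list against the
# value sets, numeric ranges and required flag pairs documented above, and
# refuses ldap_auth without an SSL/TLS key database, before the real command
# runs. Lines marked ASSUMPTION go beyond what the reference states.

_pf_bad() {                       # record one diagnostic on stderr
    echo "mksecldap preflight: $*" >&2
    _pf_errs=$((_pf_errs + 1))
}

_pf_lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

_pf_range() {                     # _pf_range FLAG VALUE LOW HIGH
    case $2 in ''|*[!0-9]*) _pf_bad "$1 must be an integer, got '$2'"; return ;; esac
    [ "$2" -ge "$3" ] && [ "$2" -le "$4" ] || _pf_bad "$1 must be $3-$4, got $2"
}

# mksecldap_preflight ARGS... : exit status 0 when ARGS satisfy the documented rules.
mksecldap_preflight() {
    _pf_errs=0; srv= cli= undo= idgen= admin= pw= schema= base= port= key= keypw=
    proxy= proxypw= users= conn= hosts= auth=unix_auth cto= hb= thr= csz= smode= dentry= domid=
    while [ $# -gt 0 ]; do
        case $1 in
            -s) srv=1 ;;            -c) cli=1 ;;
            -U) undo=1 ;;           -g) idgen=1 ;;
            -a) admin=$2; shift ;;  -p) pw=$2; shift ;;
            -S) schema=$2; shift ;; -d) base=$2; shift ;;
            -n) port=$2; shift ;;   -k) key=$2; shift ;;
            -w) keypw=$2; shift ;;  -j) conn=$2; shift ;;
            -x) proxy=$2; shift ;;  -X) proxypw=$2; shift ;;
            -u) users=$2; shift ;;  -h) hosts=$2; shift ;;
            -A) auth=$2; shift ;;   -t) cto=$2; shift ;;
            -T) hb=$2; shift ;;     -P) thr=$2; shift ;;
            -C) csz=$2; shift ;;    -M) smode=$2; shift ;;
            -D) dentry=$2; shift ;; -I) domid=$2; shift ;;
            -i|-v) shift ;;         # databaseModule / version: accepted, not checked
            *) _pf_bad "unknown flag '$1'" ;;
        esac
        shift
    done

    # Rules common to both modes
    if [ -n "$srv" ] && [ -n "$cli" ]; then _pf_bad "-s and -c cannot be combined; run mksecldap twice"; fi
    if [ -z "$srv$cli" ]; then _pf_bad "one of -s or -c is required"; fi
    if [ -n "$key$keypw" ] && { [ -z "$key" ] || [ -z "$keypw" ]; }; then
        _pf_bad "-k SSLkeypath and -w SSLkeypasswd are expected together"   # ASSUMPTION
    fi
    if [ -n "$port" ]; then _pf_range -n "$port" 1 65535; fi               # ASSUMPTION: TCP port range

    # Server rules (skipped for -U, which only restores the saved configuration)
    if [ -n "$srv" ] && [ -z "$undo" ]; then
        if [ -z "$admin" ] || [ -z "$pw" ]; then _pf_bad "-s requires -a adminDN and -p adminpasswd"; fi
        if [ "$users" != NONE ]; then       # -S is not required when nothing is migrated
            case $(_pf_lc "$schema") in aix|rfc2307|rfc2307aix) ;; *) _pf_bad "-S must be AIX, RFC2307 or RFC2307AIX" ;; esac
        fi
        case $(_pf_lc "$base") in ''|dc=*|o=*|ou=*|c=*|cn=*) ;; *) _pf_bad "-d baseDN must start with dc, o, ou, c or cn" ;; esac
        if [ -n "$proxy$proxypw" ] && { [ -z "$proxy" ] || [ -z "$proxypw" ]; }; then
            _pf_bad "-x proxyDN and -X proxypasswd must be given together"
        fi
        case $(_pf_lc "$conn") in ''|ssl|tls|ssltls|none|sslonly) ;; *) _pf_bad "-j must be ssl, tls, ssltls, none or sslonly" ;; esac
    fi

    # Client rules (skipped for -U)
    if [ -n "$cli" ] && [ -z "$undo" ]; then
        if [ -z "$hosts" ]; then _pf_bad "-c requires -h serverlist"; fi
        if [ -n "$admin" ] && [ -z "$pw" ]; then _pf_bad "-a bindDN given without -p bindpwd"; fi
        case $auth in
            unix_auth) ;;
            ldap_auth) if [ -z "$key" ]; then _pf_bad "ldap_auth sends passwords in clear text: add -k/-w for SSL or TLS"; fi ;;
            *) _pf_bad "-A must be unix_auth or ldap_auth" ;;
        esac
        case $(_pf_lc "$conn") in ''|ssl|tls) ;; *) _pf_bad "-j on a client must be ssl or tls" ;; esac
        if [ -n "$cto" ] && [ "$cto" != 0 ]; then _pf_range -t "$cto" 60 3600; fi   # 0 disables caching
        if [ -n "$hb" ];  then _pf_range -T "$hb"  60 3600;  fi
        if [ -n "$thr" ]; then _pf_range -P "$thr" 1 256;    fi
        if [ -n "$csz" ]; then _pf_range -C "$csz" 100 65536; fi
        case $smode  in ''|ALL|OS)     ;; *) _pf_bad "-M must be ALL or OS"     ;; esac
        case $dentry in ''|ldap|local) ;; *) _pf_bad "-D must be ldap or local" ;; esac
        if [ -n "$domid" ]; then
            if [ -z "$idgen" ]; then _pf_bad "-I domainID is only used with -g"; fi
            _pf_range -I "$domid" 1 99
        fi
    fi
    [ "$_pf_errs" -eq 0 ]
}

# Typical use: preflight first, then hand the same arguments to the real command.
#   mksecldap_preflight "$@" && mksecldap "$@"
```

The validator deliberately rejects the ldap_auth invocation shown in Example 7 unless -k and -w are also given, which is exactly what the note under that example asks for; every other rule reproduces a range or value set from the flag tables, so a rejected command line points at the table entry that explains it.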

Security

You must have the aix.security.ldap authorization to use this command.

Examples

  1. To set up an LDAP server with the RFC2307AIX schema for users and groups, enter the following command:
    mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix
    This command sets up an LDAP server with the LDAP server administrator DN cn=admin and the password adminpwd. The user and group data is exported from the local files to the default cn=aixdata suffix by using the RFC2307AIX schema.
  2. To set up an LDAP server with a base DN other than the default and with SSL secure communication, enter the following command:
    mksecldap -s -a cn=admin -p adminpwd -d o=mycompany,c=us -S rfc2307 -k /usr/ldap/serverkey.kdb -w keypwd

    This command sets up an LDAP server with the LDAP server administrator DN cn=admin and the password adminpwd. The user and group data is exported from the local files to the o=mycompany,c=us suffix by using the RFC2307 schema. The LDAP server uses SSL communication with the key that is stored in the /usr/ldap/serverkey.kdb file; the password for that key, keypwd, is supplied with the -w option.

  3. To set up an LDAP server with the RFC2307AIX schema type and create a proxy account, enter the following command:
    mksecldap -s -a cn=admin -p adminpwd -d c=us -S rfc2307aix -x cn=proxy,c=us -X proxypwd

    This command sets up an LDAP server with the LDAP server administrator DN cn=admin and the password adminpwd. The user and group data is exported from the local files to the c=us suffix by using the RFC2307AIX schema. A proxy identity is set up with the DN cn=proxy,c=us and the password proxypwd. The ACL specified in the /etc/security/ldap/proxy.ldif.template file is applied on the server for the cn=proxy,c=us DN.

  4. To undo a previous server setup, enter the following command:
    mksecldap -s -U
    This command undoes the previous setup to the server configuration file.
    Note: For safety, this command does not remove any database entries or any database that was created in a previous setup. Remove the database entries or the database manually if they are not required.
  5. To set up a client to use the server1.ibm.com and server2.ibm.com LDAP servers, enter the following command:
    mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com,server2.ibm.com

    The LDAP server administrator DN and password are supplied for this client to authenticate to the server. The mksecldap command contacts the LDAP server to determine the schema type that is used, and sets up the client. Without the -d option on the command line, the entire server DIT is searched for the user base DN and the group base DN.

  6. To set up the client to talk to the server3.ibm.com LDAP server by using SSL, enter the following command:
    mksecldap -c -a cn=admin -p adminpwd -h server3.ibm.com -d o=mycompany,c=us -k /usr/ldap/clientkey.kdb -w keypwd -u user1,user2
    This command sets up an LDAP client similar to example 3, but with SSL communication. The mksecldap command searches the o=mycompany,c=us RDN for the user base DN and group base DN. Accounts user1 and user2 are configured to authenticate through LDAP.
    Note: The -u ALL option enables all LDAP users to log in to this client.
  7. To set up a client to talk to server4.ibm.com and use ldap_auth authentication with a proxy bind, enter the following command:
    mksecldap -c -a cn=proxy,c=us -p proxypwd -h server4.ibm.com -A ldap_auth
    This command sets up an LDAP client to bind to the LDAP server with the cn=proxy,c=us DN. Because the administrator DN is not used, the access that is granted to the client depends on the ACL that is set up on the LDAP server for the cn=proxy,c=us DN. The client is set up to use ldap_auth-type authentication, which sends passwords in clear text to the LDAP server for comparison.
    Note: Use SSL or TLS when you use ldap_auth-type authentication. During authentication, passwords are sent in clear text to the LDAP server.
  8. To undo a previous client setup, enter the following command:
    mksecldap -c -U

    This command undoes the previous setup to the /etc/security/ldap/ldap.cfg file. This command does not remove the SYSTEM=LDAP and registry=LDAP entries from the /etc/security/user file.

  9. To set up a client by using LDAP as an authentication-only module, and by using files for user identification, enter the following command:
    mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com -i files -A ldap_auth

    This command sets up an LDAPA files compound load module, where the module LDAPA is used for user authentication and files are used for user identification. The authentication is set to ldap_auth.

  10. To configure a client with the default domainID 1, enter the following command:
    mksecldap -c -a cn=admin -p adminpwd -h server1.in.ibm.com -d o=mycompany,c=us -A ldap_auth -g
  11. To configure a client with the explicit domainID 11, enter the following command:
    mksecldap -c -a cn=admin -p adminpwd -h server1.in.ibm.com -d o=mycompany,c=us -g -I 11

Files Accessed

Table 1. Files (Mode: r = read, w = write)
Mode  File
r     /etc/passwd
r     /etc/group
r     /etc/security/passwd
r     /etc/security/limits
r     /etc/security/user (on the server)
rw    /etc/security/user (on the clients)
r     /etc/security/environ
r     /etc/security/user.roles
r     /etc/security/lastlog
r     /etc/security/smitacl.user
r     /etc/security/mac_user
r     /etc/security/group
r     /etc/security/smitacl.group
r     /etc/security/roles
rw    /etc/security/login.cfg (on the server)
rw    /etc/slapd32.conf (on the server)
rw    /etc/security/ldap/ldap.cfg (on the client)