mksecldap Command
Purpose
Sets up an AIX system as a Lightweight Directory Access Protocol (LDAP) server or client for security authentication and data management.
Syntax
- To set up a server:

        mksecldap -s -a adminDN -p adminpasswd -S schematype [ -d baseDN ] [ -n port ] [ -k SSLkeypath ] [ -w SSLkeypasswd ] [ -x proxyDN -X proxypasswd ] [ -u NONE ] [ -v LDAPVersion ] [ -U ] [ -j <ssl|tls|ssltls|none|sslonly> ]

- To set up a client:

        mksecldap -c -h serverlist -a bindDN -p bindpwd [ -d baseDN ] [ -n serverport ] [ -k SSLkeypath ] [ -w SSLkeypasswd ] [ -t cachetimeout ] [ -C cachesize ] [ -P NumberofThreads ] [ -T heartBeatInt ] [ -M searchMode ] [ -D defaultEntry ] [ -A authType ] [ -i databaseModule ] [ -u userlist ] [ -U ] [ -j <ssl|tls> ]
Description
- The client (-c flag) and the server (-s flag) options cannot be used at the same time. When setting up a server, the mksecldap command might need to be run twice on that machine: once to set up the server, and again to set up the same system as a client.
- The name and location of the LDAP server configuration file depends on the version of LDAP software installed. For more information about LDAP software, see the LDAP software documentation of the installed release.
Server Setup

Make sure that the LDAP server and the back-end IBM® DB2® software are installed. You do not need to preconfigure IBM DB2 before you run the mksecldap command for LDAP server setup. The following operations are performed when you run the mksecldap command to set up the server:

1. Create a DB2 instance with ldapdb2 as the default instance name.
2. If IBM Directory Server 6.0 or later is being configured, create an LDAP server instance with the default name of ldapdb2. A prompt is displayed for the encryption seed that is used to create the key stash files. The encryption seed must be at least 12 characters.
3. Create a DB2 database with ldapdb2 as the default database name. If a database already exists, mksecldap bypasses steps 1 and 2. (A database already exists when the LDAP server has been set up for other usage.) The mksecldap command uses the existing database to store the AIX user/group data.
4. Create the base DN (suffix) of the directory information tree (DIT). The base DN must start with one of these attributes: dc, o, ou, c, or cn. If no baseDN is supplied on the command line, the default suffix is set to cn=aixdata and the user/group data is placed under the cn=aixdata DN. Otherwise, the mksecldap command uses the user-supplied DN specified with the -d option. Users and groups are exported to LDAP by using the sectoldif command. The following DIT is created by default:

            <user supplied suffix>
                       |
            --------------------------
            |                        |
        ou=People                ou=Groups

5. If -u NONE is not specified, export the data from the local security database files into the LDAP database. If -u NONE is specified, mksecldap does not create the ou=People and ou=Group containers as it normally does, nor does it export users and groups. Depending on the -S option, the mksecldap command exports users and groups by using one of the following LDAP schemas:
   - AIX: AIX schema (aixaccount and aixaccessgroup object classes)
   - RFC2307: RFC 2307 schema (posixaccount, shadowaccount, and posixgroup object classes)
   - RFC2307AIX: RFC 2307 schema with full AIX support (posixaccount, shadowaccount, posixgroup, aixauxaccount, and aixauxgroup object classes)
6. Set the LDAP server administrator DN and password.
7. Set the server to listen on the specified port if the -n option is used. The default port is 389. TLS also uses this port by default (636 for SSL).
8. Update the /usr/lib/security/methods.cfg file with the LDAP module configuration. If the -i option is given on the command line, also set up an LDAPA authentication-only module and a compound load module (for example, LDAPAfiles when the -i files option is specified), in which LDAPA serves for authentication and the databaseModule serves for identification.
9. Create the proxy entry if the -x and -X options are specified, and create an ACL for the base DN by using the proxy entry. The default ACL is in /etc/security/ldap/proxyuser.ldif.template. The proxy entry can be used by client systems to bind to the server (see Client Setup).
10. Set the server to use SSL (Secure Sockets Layer) or TLS (Transport Layer Security) if the -k option is specified, for secure data transfer between this server and its clients. Install the GSKitv8 fileset and create an SSL or TLS key for this setup. You can install the GSKitv8 fileset after you mount the AIX® 7.3 Expansion Pack DVD.
11. Install the /usr/ccs/lib/libsecldapaudit.a LDAP server plug-in. This plug-in supports AIX audit of the LDAP server.
12. Start or restart the LDAP server after all the earlier steps are complete.
13. Add the LDAP server process (slapd) to /etc/inittab so that the LDAP server starts after a reboot.

Note: The -U option resets a previous setup of the server configuration file. It has no effect on the database. The first time the mksecldap command runs, it saves two copies of the server configuration file in the /etc/security/ldap directory: one as the server configuration file name appended with .save.orig, the other appended with .save. During each subsequent run of the mksecldap command, only the current server configuration is saved, as the .save file. The undo option restores the server configuration file from the .save copy. In AIX 5.3, it is possible to invoke mksecldap -s in succession to create and populate multiple suffixes. If multiple suffixes are created and populated, the .save.orig file must be restored manually to revert to the initial configuration file.
Client Setup

Make sure that the LDAP client fileset is installed and that the LDAP server is set up and running. The mksecldap command performs the following steps during client setup:

1. Saves the host names of one or more LDAP servers.
2. Saves the user base DN and group base DN of the server. If no -d option is supplied on the command line, the mksecldap command searches the LDAP server for the aixaccount, aixaccessgroup, posixaccount, posixgroup, and aixauxaccount object classes and sets up the base DNs. If the server has multiple user or group bases, you must supply the -d option with a Relative Distinguished Name (RDN) so that the mksecldap command can set the base DNs to the ones within that RDN. If the posixaccount object class is found during client setup, mksecldap also tries to search the server for the base DNs of the following entities and saves any that are found:
   - hosts
   - networks
   - services
   - netgroups
   - protocols
   - rpc
   - authorizations
   - roles
   - privcmds
   - privdevs
   - privfiles
   - usrkeystore
   - grpkeystore
   - efscookies
   - admkeystore
   - domains
   - domobjs
3. Determines the schema type that the LDAP server uses. The schema types are the AIX-specific schema, the RFC 2307 schema, the RFC 2307 schema with full AIX support, or the Microsoft Services for UNIX 3.0 schema. Accordingly, it sets the object classes and attribute maps in the /etc/security/ldap/ldap.cfg file. The mksecldap command does not recognize other schema types, so clients of such servers must be set up manually.
4. Sets SSL or TLS for secure data transfer between this host and the LDAP server. This step requires that the client SSL or TLS key and the key password are created in advance, and the server must be set up to use SSL or TLS for the client SSL or TLS to work. SSL or TLS functionality requires the installation of the GSKitv8 fileset. You can install the GSKitv8 fileset after you mount the AIX 7.3 Expansion Pack DVD.
5. Encrypts the bind password.
6. Saves the LDAP server bind DN and password. The DN and password pair must exist on the LDAP server. If the bind DN and password are not given, mksecldap uses anonymous bind. Some data might not be returned from the LDAP server with anonymous bind. Consult your LDAP administrator before you choose anonymous bind.
7. Sets the optionally specified configuration values as defined in the client setup flags section.
8. Optionally sets the specified list of users, or all users, to use LDAP by modifying their SYSTEM line in the /etc/security/user file. For more information about enabling LDAP login, see the following note.
9. Starts the client daemon process (secldapclntd).
10. Adds the client-side daemon process to /etc/inittab so that this daemon starts after a reboot.

Note: All client configuration data is saved to the /etc/security/ldap/ldap.cfg configuration file. The -U option resets a previous setup of the /etc/security/ldap/ldap.cfg file by replacing the file with the configuration stored in /etc/security/ldap/ldap.cfg.save. Setting SYSTEM to LDAP in the default stanza of /etc/security/user allows only LDAP users to log in to the system. Setting SYSTEM to "LDAP or compat" allows both LDAP users and local users to log in to the system.
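As an added example (not part of the mksecldap documentation or of AIX), the following portable sh script audits a client configuration for the conditions this section warns about: ldap_auth without SSL or TLS, anonymous bind, and a bind password that was not stored encrypted. The ldap.cfg key names (authtype, useSSL, binddn, bindpwd) and the "{...}" prefix of an encrypted bindpwd are assumptions about the secldapclntd file format; both configurations are constructed samples.

```shell
#!/bin/sh
# Added audit helper, not part of mksecldap or AIX. It reads a client
# configuration in the key:value layout of /etc/security/ldap/ldap.cfg
# and reports the risky states the Client Setup section describes. Key
# names (authtype, useSSL, binddn, bindpwd) and the "{...}" prefix of an
# encrypted bindpwd are assumptions about the secldapclntd file format.

# Constructed sample 1: client set up with -A ldap_auth but without
# -k/-w, with a hand-edited clear-text bind password.
WEAK_CFG='ldapservers:server4.ibm.com
ldapport:389
binddn:cn=proxy,c=us
bindpwd:proxypwd
authtype:ldap_auth
useSSL:no
userbasedn:ou=People,c=us
groupbasedn:ou=Groups,c=us'

# Constructed sample 2: same client after -k/-w were supplied and the
# bind password was stored by mksecldap in encrypted form.
HARDENED_CFG='ldapservers:server4.ibm.com
ldapport:636
binddn:cn=proxy,c=us
bindpwd:{DES}7f3a9c01e2b4d6f8
authtype:ldap_auth
useSSL:yes
userbasedn:ou=People,c=us
groupbasedn:ou=Groups,c=us'

# cfg_get CONFIG KEY: print the value of the first "KEY:" line, if any.
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# audit_ldap_cfg CONFIG: print one finding per line; nothing when clean.
audit_ldap_cfg() {
    authtype=$(cfg_get "$1" authtype)
    usessl=$(cfg_get "$1" useSSL)
    binddn=$(cfg_get "$1" binddn)
    bindpwd=$(cfg_get "$1" bindpwd)
    # ldap_auth forwards the user's password to the server for comparison,
    # so without SSL/TLS it crosses the network in clear text.
    if [ "$authtype" = "ldap_auth" ] && [ "$usessl" != "yes" ]; then
        echo "HIGH: authtype ldap_auth with useSSL=${usessl:-unset}; passwords sent in clear text"
    fi
    # No bind DN means anonymous bind, which may return incomplete data.
    if [ -z "$binddn" ]; then
        echo "MEDIUM: no binddn configured; client falls back to anonymous bind"
    fi
    # mksecldap encrypts the bind password; a value without a scheme
    # prefix was most likely edited in by hand as clear text.
    case $bindpwd in
        "" | "{"*) ;;
        *) echo "MEDIUM: bindpwd appears to be stored in clear text" ;;
    esac
}

# count_findings CONFIG: number of findings, for scripting and tests.
count_findings() {
    audit_ldap_cfg "$1" | awk 'END { print NR }'
}

echo "== weak client ==";     audit_ldap_cfg "$WEAK_CFG"
echo "== hardened client =="; audit_ldap_cfg "$HARDENED_CFG"
```

On a real client, pass the contents of /etc/security/ldap/ldap.cfg to audit_ldap_cfg instead of the constructed samples.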
Flags

For Server Setup

- -a adminDN: Specifies the LDAP server administrator DN.
- -d baseDN: Specifies the suffix or base DN of the AIX subtree. The default is cn=aixdata.
- -j <ssl|tls|ssltls|none|sslonly>: Specifies the encryption connection type that is used during communication with the LDAP clients. Valid values are SSL, TLS, SSLTLS, and SSLONLY. If the -k and -w flags are specified without the -j flag, the default connection type is SSL.
- -k SSLkeypath: Specifies the full path to the SSL or TLS key database of the server.
- -n port: Specifies the port number that the LDAP server listens on. The default is 389 for non-SSL and 636 for SSL.
- -p adminpasswd: Specifies the clear text password for the administrator DN.
- -S schematype: Specifies the LDAP schema that is used to represent user/group entries in the LDAP server. Valid values are AIX, RFC2307, and RFC2307AIX.
- -s: Indicates that the command is being run to set up the server.
- -w SSLkeypasswd: Specifies the password for the SSL or TLS key database.
- -U: Undoes the previous server setup of the LDAP configuration file. The database is not affected.
- -u NONE: Specifies not to migrate users and groups from the local system. The only valid value is NONE; any other value is ignored. When this option is used, mksecldap does not create the ou=People and ou=Group containers as it normally would, nor does it export users and groups. No -S option is required with this option.
- -v LDAPVersion: Denotes a specific version of the LDAP server fileset to configure. The value must be in the format #.#, where # is a number (for example, 6.0). If not specified, the mksecldap command configures the most recent version of the LDAP server fileset that is installed.
- -X proxypasswd: Specifies the password for the proxy DN.
- -x proxyDN: Specifies the DN of the proxy entry. This entry can be used by client systems to bind to this server.

For Client Setup

- -a bindDN: Specifies the DN to bind to the LDAP server. The DN must exist on the LDAP server. If authType is unix_auth, bindDN must have read access to the userPassword field on the LDAP server. Without the -a option, mksecldap configures anonymous bind. Note: Some data might not be retrieved from the LDAP server with anonymous bind. Consult your LDAP server administrator about using anonymous bind.
- -A authType: Specifies the authentication mechanism that is used to authenticate users. The valid values are unix_auth and ldap_auth. The default is unix_auth. The values are defined as follows:
  - unix_auth: Retrieve the user password from LDAP and perform authentication locally.
  - ldap_auth: Bind to an LDAP server, sending the password in clear text, for authentication.
  Note: When using ldap_auth authentication, the use of SSL or TLS is recommended because passwords are sent to the LDAP server in clear text during authentication.
- -c: Indicates that the command is being run to set up the client.
- -C cachesize: Specifies the maximum number of user entries that can be held in the client-side daemon cache. The valid range for the user cache is 100-65536; the default is 1000. The valid range for the group cache is 10-65536; the default is 100. If you set the user cache size with the -C option of the start-secldapclntd command, the group cache is set to 10% of the user cache.
- -D defaultEntryLocation: Specifies the location of the default entry. Valid values are ldap and local. The default is ldap. The values are defined as follows:
  - ldap: Use the default entry in LDAP for all attribute default values.
  - local: Use the default stanza of the local /etc/security/user file for all attribute default values.
- -d baseDN: Specifies the base DN in which the mksecldap command searches for the user base DN and group base DN. If not specified on the command line, the entire database is searched.
- -h serverlist: Specifies a comma-separated list of host names (server and backup servers).
- -i databaseModule: Specifies the configuration of LDAP as the authentication-only module (LDAPA) of a compound load module. The databaseModule option specifies the database module of the compound load module.
- -j <ssl|tls>: Specifies the encryption connection type that is used during communication with the LDAP server. Valid values are SSL and TLS. If the -k and -w flags are specified without the -j flag, the default connection type is SSL.
- -k SSLkeypath: Specifies the full path to the client SSL or TLS key database.
- -M searchMode: Specifies the set of user and group attributes to be retrieved. Valid values are ALL and OS. The default is ALL. The values are defined as follows:
  - ALL: Retrieve all attributes of an entry.
  - OS: Retrieve only the attributes of an entry that the operating system requires. Non-OS attributes, such as telephone numbers or binary images, are not returned.
  Note: Use OS only when entries have many attributes that the OS does not require, or attributes with large values (for example, binary data), to reduce the sorting effort on the LDAP server.
- -n serverport: Specifies the port number that the LDAP server is listening on.
- -p bindpasswd: Specifies the clear text password for the bindDN that is used to bind to the LDAP server.
- -P NumberofThreads: Specifies the number of threads that the client-side daemon uses. The valid values are 1-256. The default value is 10.
- -t cachetimeout: Specifies the maximum time after which a cache entry expires. Valid values are 60-3600 seconds. The default is 300 seconds. Set this value to 0 to disable caching. Note: The cachetimeout attribute is used to set the values of the usercachetimeout and groupcachetimeout attributes. Starting with AIX 7.3, the cachetimeout attribute is deprecated; use the usercachetimeout and groupcachetimeout attributes instead.
- -T heartBeatInt: Specifies the time interval of the heartbeat between this client and the LDAP server. Valid values are 60-3600 seconds. The default is 300.
- -u userlist: Specifies the comma-separated list of user names to enable for LDAP authentication. The registry and SYSTEM attributes of these users are set to use LDAP. Specify ALL to enable all users on the client. Note: Alternatively, the SYSTEM attribute in the default stanza of /etc/security/user can be set to LDAP, allowing only LDAP users to log in. Setting the SYSTEM attribute to "LDAP or compat" allows both LDAP users and local users to log in to the system.
- -U: Undoes the previous client setup of the LDAP client configuration file.
- -w SSLkeypasswd: Specifies the password for the client SSL or TLS key database.
Security
A user with the aix.security.ldap authorization is authorized to use this command.
Examples
1. To set up an LDAP server with the RFC2307AIX schema for users and groups, enter the following command:

        mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix

   This command sets up an LDAP server with the LDAP server administrator DN cn=admin and the password adminpwd. User and group data is exported from local files to the default cn=aixdata suffix by using the RFC2307AIX schema.

2. To set up an LDAP server with a baseDN other than the default and with SSL secure communication, enter the following command:

        mksecldap -s -a cn=admin -p adminpwd -d o=mycompany,c=us -S rfc2307 -k /usr/ldap/serverkey.kdb -w keypwd

   This command sets up an LDAP server with the LDAP server administrator DN cn=admin and the password adminpwd. User and group data is exported from local files to the o=mycompany,c=us suffix by using the RFC2307 schema. The LDAP server uses SSL communication with the key that is stored at /usr/ldap/serverkey.kdb. The password to the key, keypwd, must also be supplied.

3. To set up an LDAP server with the RFC2307AIX schema and create a proxy account, enter the following command:

        mksecldap -s -a cn=admin -p adminpwd -d c=us -S rfc2307aix -x cn=proxy,c=us -X proxypwd

   This command sets up an LDAP server with the LDAP server administrator DN cn=admin and the password adminpwd. User and group data is exported from local files to the c=us suffix by using the RFC2307AIX schema. A proxy identity is set up with the DN cn=proxy,c=us and the password proxypwd. The ACL specified in /etc/security/ldap/proxy.ldif.template is also applied on the server for the cn=proxy,c=us DN.

4. To undo a previous server setup, enter the following command:

        mksecldap -s -U

   This command undoes the previous setup of the server configuration file. For safety reasons, this command does not remove any database entries or database that a previous setup created. The database entries or the database must be removed manually if they are no longer needed.

5. To set up a client to use the server1.ibm.com and server2.ibm.com LDAP servers, enter the following command:

        mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com,server2.ibm.com

   The LDAP server administrator DN and password are supplied for this client to authenticate to the server. The mksecldap command contacts the LDAP server to determine the schema type in use and sets up the client accordingly. Without the -d option on the command line, the entire server DIT is searched for the user base DN and the group base DN.

6. To set up the client to talk to the server3.ibm.com LDAP server by using SSL, enter the following command:

        mksecldap -c -a cn=admin -p adminpwd -h server3.ibm.com -d o=mycompany,c=us -k /usr/ldap/clientkey.kdb -w keypwd -u user1,user2

   This command sets up an LDAP client similar to case 3, but with SSL communication. The mksecldap command searches the o=mycompany,c=us RDN for the user base DN and group base DN. Accounts user1 and user2 are configured to authenticate through LDAP. Note: The -u ALL option enables all LDAP users to log in to this client.

7. To set up a client to talk to server4.ibm.com and use ldap_auth authentication with a proxy bind, enter the following command:

        mksecldap -c -a cn=proxy,c=us -p proxypwd -h server4.ibm.com -A ldap_auth

   This command sets up an LDAP client to bind to the LDAP server with the cn=proxy,c=us DN. Because the administrator DN is not used, the access that is granted to the client depends on the ACL set up on the LDAP server for the cn=proxy,c=us DN. The client is also set up to use ldap_auth authentication, which sends passwords in clear text to the LDAP server for comparison. Note: When using ldap_auth authentication, the use of SSL or TLS is recommended because passwords are sent to the LDAP server in clear text during authentication.

8. To undo a previous client setup, enter the following command:

        mksecldap -c -U

   This command undoes the previous setup of the /etc/security/ldap/ldap.cfg file. It does not remove the SYSTEM=LDAP and registry=LDAP entries from the /etc/security/user file.

9. To set up a client by using LDAP as an authentication-only module and files for user identification, enter the following command:

        mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com -i files -A ldap_auth

   This command sets up an LDAPAfiles compound load module, in which the LDAPA module is used for user authentication and files is used for user identification. Authentication is set to ldap_auth.
Files Accessed
| Mode: read (r) or write (w) | File |
|---|---|
| r | /etc/passwd |
| r | /etc/group |
| r | /etc/security/passwd |
| r | /etc/security/limits |
| r | /etc/security/user (on the server) |
| rw | /etc/security/user (on the clients) |
| r | /etc/security/environ |
| r | /etc/security/user.roles |
| r | /etc/security/lastlog |
| r | /etc/security/smitacl.user |
| r | /etc/security/mac_user |
| r | /etc/security/group |
| r | /etc/security/smitacl.group |
| r | /etc/security/roles |
| rw | /etc/security/login.cfg (on the server) |
| rw | /etc/slapd32.conf (on the server) |
| rw | /etc/security/ldap/ldap.cfg (on the client) |