LDAP server

The mksecldap -s command sets up an AIX® system as an LDAP server for security authentication and data management.

Perform the following tasks:
  • Select the RFC2307AIX schema with the -S option.
  • Enable Secure Sockets Layer (SSL) with the -k option, which takes the path of the server's key database (the -w option supplies the key database password). This requires installing the GSKit V8 fileset and the idsldap.clt_max_crypto32bit63.rte fileset on 32-bit systems or the idsldap.clt_max_crypto64bit63.rte fileset on 64-bit systems. Use the ikeyman utility to generate the key pair and certificate for the directory server.

The LDAP user options must be set to satisfy the requirements of the evaluation. The RFC2307AIX schema defines the user attributes; use the same values as described in the BAS/EAL4+ system configuration. Tivoli® Directory Server administrators are not forced to change their passwords periodically (there is no MaxAge value for administrative passwords), so the LDAP administrative password must be changed manually at least as often as an AIX user password (MaxAge = 8, in weeks).
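Because the directory server does not age the administrative password, the rotation interval has to be tracked outside it. The following shell script is an added example (not part of the AIX documentation) that reads the maxage value from the default stanza of /etc/security/user and decides whether a manually changed LDAP administrator password is overdue. The stanza content is a constructed sample, and the idea of recording the last change as epoch seconds (for instance in a hypothetical file /etc/security/ldap/admin_pw_changed) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: apply the AIX maxage policy
# (weeks, from /etc/security/user) to the Tivoli Directory Server administrator
# password, which the directory server itself does not age.
# Assumption: the epoch time of the last manual change is recorded somewhere
# such as a hypothetical /etc/security/ldap/admin_pw_changed file.

# Constructed sample of /etc/security/user (abbreviated).
SAMPLE_USER_STANZA='*
* /etc/security/user (constructed sample)
*
default:
        admin = false
        login = true
        minage = 0
        maxage = 8
        maxexpired = -1
        minlen = 8

root:
        admin = true
        maxage = 4
'

# Print the value of attribute $2 inside stanza $1 of an AIX stanza file read
# from stdin.  Lines starting with "*" are comments; a stanza header is an
# unindented "name:" line; attributes are indented "key = value" lines.
stanza_attr() {
    awk -v stanza="$1" -v attr="$2" '
        /^\*/ { next }
        /^[^ \t].*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        cur == stanza {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[ \t]+$/, "", key)
            val = substr(line, n + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == attr) { print val; exit }
        }'
}

# Return 0 while the administrator password is within its aging window and 1
# once it is overdue.  $1 = epoch seconds of the last change, $2 = current
# epoch seconds, $3 = maxage in weeks (0 means the password never expires,
# as it does for AIX users).
admin_pw_rotation_ok() {
    _last=$1; _now=$2; _weeks=$3
    if [ "$_weeks" -eq 0 ]; then
        return 0
    fi
    _limit=$((_weeks * 7 * 24 * 3600))
    _age=$((_now - _last))
    [ "$_age" -le "$_limit" ]
}

# Usage on a live system would be (paths hypothetical):
#   weeks=$(stanza_attr default maxage < /etc/security/user)
#   admin_pw_rotation_ok "$(cat /etc/security/ldap/admin_pw_changed)" "$(date +%s)" "$weeks" \
#       || echo "LDAP administrator password is overdue for rotation"
```

The stanza parser stops at the first matching attribute inside the requested stanza, so a maxage value in the root stanza is not confused with the default one; in practice you may also want to check the stanza of the specific AIX account used as a reference.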

In Tivoli Directory Server 6.3, authentication failure handling does not apply to the Directory Administrator or to members of the administrative group, and the password composition rules do not apply to administrative accounts either. If Tivoli Directory Server 6.3 is used, these rules must be enforced by administrative procedure outside the directory server.

If the administrator does not use a common LDAP database back-end for user management, the administrator must ensure that the databases containing user credentials are kept consistent among the different Target of Evaluation (TOE) systems that form one network. The files concerned include the following:
  • /etc/group
  • /etc/passwd
  • /etc/security/.ids
  • /etc/security/.profile
  • /etc/security/environ
  • /etc/security/group
  • /etc/security/limits
  • /etc/security/passwd
  • /etc/security/user
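Keeping these files consistent by hand is error-prone, so a practitioner normally checks them. The following shell script is an added example (not part of the AIX documentation): given one directory per TOE system containing copies of the files above under their /etc/... paths (collected by whatever means you already use, for example scp from each host), it reports every file whose content differs between systems or is missing on some of them. The host names and file contents are a constructed sample.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: detect divergence of the
# credential files among TOE systems.  Assumption: each system's copies have
# been collected into one directory per host, preserving the etc/... layout.

CRED_FILES="etc/group etc/passwd etc/security/.ids etc/security/.profile
etc/security/environ etc/security/group etc/security/limits
etc/security/passwd etc/security/user"

# Print, one per line, the listed files whose cksum differs between any two
# host directories or which are missing on some host.  $@ = host directories.
# Exit status 0 when every file matches on every host, 1 otherwise.
toe_cred_divergence() {
    _status=0
    for _f in $CRED_FILES; do
        _ref=""; _mismatch=0
        for _h in "$@"; do
            if [ -f "$_h/$_f" ]; then
                _sum=$(cksum < "$_h/$_f" | awk '{print $1, $2}')
            else
                _sum="MISSING"
            fi
            if [ -z "$_ref" ]; then
                _ref=$_sum
            elif [ "$_sum" != "$_ref" ]; then
                _mismatch=1
            fi
        done
        if [ "$_mismatch" -eq 1 ]; then
            echo "/$_f"
            _status=1
        fi
    done
    return $_status
}

# Build a constructed sample under $1: hostA and hostB are identical, hostC
# has a different /etc/security/user and lacks /etc/security/limits.
make_sample_hosts() {
    _base=$1
    for _h in hostA hostB hostC; do
        mkdir -p "$_base/$_h/etc/security"
        printf 'root:!:0:0::/:/usr/bin/ksh\nalice:!:201:1::/home/alice:/usr/bin/ksh\n' \
            > "$_base/$_h/etc/passwd"
        printf 'system:!:0:root\nstaff:!:1:alice\n' > "$_base/$_h/etc/group"
        printf '0 0\n201 1\n' > "$_base/$_h/etc/security/.ids"
        printf 'umask 077\n' > "$_base/$_h/etc/security/.profile"
        printf 'default:\n' > "$_base/$_h/etc/security/environ"
        printf 'system:\n        admin = true\n' > "$_base/$_h/etc/security/group"
        printf 'default:\n        fsize = 2097151\n' > "$_base/$_h/etc/security/limits"
        printf 'alice:\n        password = *\n        lastupdate = 0\n' \
            > "$_base/$_h/etc/security/passwd"
        printf 'default:\n        maxage = 8\n        minlen = 8\n' \
            > "$_base/$_h/etc/security/user"
    done
    printf 'default:\n        maxage = 0\n        minlen = 8\n' \
        > "$_base/hostC/etc/security/user"
    rm "$_base/hostC/etc/security/limits"
}

# Usage: make_sample_hosts /tmp/toe && toe_cred_divergence /tmp/toe/host*
```

The comparison deliberately treats a missing file as a mismatch rather than skipping it, because an absent /etc/security/limits or /etc/security/user on one system means that system falls back to defaults that the evaluated configuration may not permit.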