IBM Support

AIX: Adding search filters to a base DN to control LDAP user access

How To


Summary

This document describes how to use base DN filters in /etc/security/ldap/ldap.cfg to restrict which LDAP users and groups an AIX client will recognize.

Steps

An AIX LDAP client configuration (/etc/security/ldap/ldap.cfg) has at least one userbasedn and one groupbasedn that tell the client where on the LDAP server to search for users and groups. By default, any user or group found under the respective base DN whose essential attributes are defined is recognized.
If you need to restrict which users and groups AIX can see, add a filter to the base DN. The filter ensures that only entries matching a chosen set of attributes are returned by the client's LDAP queries. Note that this is a client-side restriction applied by the AIX host's own searches: the entries still exist on the directory server, and another host with a different filter, or no filter, will still see them.

For example - let's say the following userbasedn is defined in ldap.cfg:
 
userbasedn:OU=Users,DC=Domain,DC=com

If you want to restrict it so that only users with uidnumber=2000 or with uidnumber>=5000 can be seen and log in, append this filter to the base DN:
 
userbasedn:OU=Users,DC=Domain,DC=com??(|(uidnumber=2000)(uidnumber>=5000))
The '|' is the LDAP OR operator, so an entry matches if either condition holds. The two '?' characters follow the LDAP URL convention of base DN, search scope and filter: the scope field between them is left empty here, so the client's default scope applies, and the filter is everything after the second '?'.

If you want only users with uidnumber=2000, or with uidnumber between 5000 and 7500 inclusive, use this filter:
userbasedn:OU=Users,DC=Domain,DC=com??(|(uidnumber=2000)(&(uidnumber>=5000)(uidnumber<=7500)))
There, the '&' AND operator is added to the filter. Count and match the parentheses carefully: an error here can cause all of the users to no longer be found. After editing ldap.cfg, restart the client daemon with restart-secldapclntd and confirm with 'lsuser -R LDAP <username>' that an intended user is still visible and that an excluded one is not.

When adding a filter to the userbasedn, any user attribute can be used. Run 'lsldap -a passwd' or 'lsldap -a passwd <username>' to see which attributes are defined for your users on the LDAP server.
Likewise, any group attribute can be used in a groupbasedn filter. Run 'lsldap -a group' or 'lsldap -a group <group name>' to see what is defined.
One common use of a filter is to allow access only to users who belong to certain groups. This is easiest when Windows AD is the LDAP server, because AD exposes a user's group membership as a user attribute (memberOf), and only a user attribute can be used in a userbasedn filter. Unix/Linux LDAP servers typically record membership only in the group entry (as a group attribute), which cannot be used in a userbasedn filter unless the server also maintains a memberOf-style attribute on the user entry (for example through a memberOf overlay or plug-in).
For example, with a user 'nick' defined in Windows AD, run lsldap to see the LDAP attributes associated with this user:
 
# lsldap -a passwd nick
The output includes the user's group membership:
 
memberOf: CN=ldapgrp3,OU=Groups,DC=Domain,DC=com
memberOf: CN=ldapgrp2,OU=Groups,DC=Domain,DC=com
memberOf: CN=ldapgrp1,OU=Groups,DC=Domain,DC=com
To allow only users that belong to ldapgrp1 or ldapgrp2 onto this AIX LDAP client, append the following to the userbasedn (the base DN stays as before; only the '??' and the filter are added):
 
??(|(memberOf=CN=ldapgrp1,OU=Groups,DC=Domain,DC=com)(memberOf=CN=ldapgrp2,OU=Groups,DC=Domain,DC=com))
If the group named in the memberOf filter contains nested groups, use the AD matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) so that members of groups nested inside it also match. The rule goes between the attribute name and ':=' (note there is no '=' directly after memberOf):
(memberOf:1.2.840.113556.1.4.1941:=CN=ldapgrp1,OU=Groups,DC=Domain,DC=com)
This matching rule is specific to Active Directory. Also be aware that a user's primary group (primaryGroupID) is not listed in memberOf, so a user whose only connection to the allowed group is as a primary group will not match either form of the filter.

If you are using a non-AD LDAP server and need to control access by group membership:
A userbasedn filter on the user's gidnumber can work, but it only controls access by the user's primary group ID.
A groupbasedn filter would likely not achieve what you want: if the filter admits only the groups named 'ldapgrp1' and 'ldapgrp2', those become the only LDAP groups the system can see, and the users themselves are not restricted at all. No other LDAP-defined groups would exist as far as AIX is concerned.
Better options in this scenario are:
1) Use AIX's hostsallowedlogin / hostsdeniedlogin functionality. The LDAP server schema needs a list-type attribute that can store these lists, and your user attribute map (the file named by userattrmappath in ldap.cfg) needs a matching entry. For example, if your LDAP server schema contains an attribute called 'hostsallowed', the user attribute map needs this entry:
hostsallowedlogin       SEC_LIST        hostsallowed       m na    yes
Then, you can set a user's allowed login hosts with:
chuser -R LDAP hostsallowedlogin=host1,host2,host3 <username>

2) Use 'Match User' or 'Match Group' blocks in /etc/ssh/sshd_config. These can allow ssh/sftp/scp access to certain users or groups, but they apply only to sshd and do not restrict other login paths such as su, telnet, or ftp.
3) Turn on PAM authentication (in login.cfg and sshd_config) and use the pam_permission module. pam_permission consults a locally stored file that lists the allowed (or denied) users and groups. /etc/pam.conf then needs the pam_permission module added as a requisite auth entry for every access type (sshd, telnet, su, login, and so on); a service left without it remains an unfiltered way in.
IMPORTANT - if turning on PAM authentication, first ensure that /etc/pam.conf contains entries for sshd - these may not be there by default:
sshd  auth    required        pam_aix
sshd  account required        pam_aix
sshd  password  required      pam_aix
sshd  session required        pam_aix
If these do not exist, ssh access will be impossible once PAM is turned on. Once they are in place and PAM is turned on, add the pam_permission module as the first auth entry, so that a user missing from the allow file is rejected before pam_aix runs:
sshd  auth    requisite       pam_permission file=/etc/allowed found=allow
sshd  auth    required        pam_aix
sshd  account required        pam_aix
sshd  password  required      pam_aix
sshd  session required        pam_aix

Any file name can be used; /etc/allowed is chosen for this example. The file lists the allowed or denied users and groups; see the pam_permission man page for its format. Because anyone who can write this file can grant themselves access, keep it owned by root and writable only by root.
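As an added example that is not part of this IBM document, the following POSIX shell script performs the checks this section calls for on a copy of /etc/pam.conf: that the sshd stack has all four module types before PAM is enabled, that pam_permission is the first auth entry for a service and is marked requisite, and that the allow file it points at exists, is owned by root and is not writable by anyone else. The function names, the sample pam.conf lines it constructs and the ls-based ownership check are assumptions of this example; the allow file's own format is left to the pam_permission man page.

```shell
#!/bin/sh
# Added example, not from the IBM page: sanity checks on an AIX pam.conf
# before enabling PAM authentication and after adding pam_permission.
# Works on any copy of the file, so it can be tried on a workstation.

# Write a constructed pam.conf sample (the page's sshd stack plus a login
# service that has not yet been given pam_permission) to the path in $1.
write_sample_pamconf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/pam.conf
sshd  auth    requisite       pam_permission file=/etc/allowed found=allow
sshd  auth    required        pam_aix
sshd  account required        pam_aix
sshd  password  required      pam_aix
sshd  session required        pam_aix
login auth    required        pam_aix
login account required        pam_aix
EOF
}

# Return 0 if the service ($2) has at least one auth, account, password and
# session line in the pam.conf file ($1). An incomplete sshd stack means
# ssh logins fail as soon as PAM is switched on.
pam_stack_complete() {
    _n=$(awk -v svc="$2" '
        $1 == svc && $2 ~ /^(auth|account|password|session)$/ { seen[$2] = 1 }
        END { n = 0; for (k in seen) n++; print n }' "$1")
    [ "$_n" -eq 4 ]
}

# Return 0 if the first auth line of the service is "requisite pam_permission":
# requisite makes a user missing from the allow file fail immediately, before
# pam_aix ever sees the password.
pam_permission_first() {
    awk -v svc="$2" '
        $1 == svc && $2 == "auth" {
            if ($3 == "requisite" && $4 ~ /pam_permission$/) ok = 1
            exit
        }
        END { if (ok) exit 0; exit 1 }' "$1"
}

# Print the file= argument of the service's pam_permission auth line, if any.
pam_permission_file() {
    awk -v svc="$2" '
        $1 == svc && $2 == "auth" && $4 ~ /pam_permission$/ {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^file=/) { print substr($i, 6); exit }
        }' "$1"
}

# Return 0 only if the allow file exists, is owned by root, and is not
# writable by group or others. Uses the ls -l mode string: character 6 is
# the group write bit, character 9 the other write bit.
allow_file_safe() {
    [ -f "$1" ] || return 1
    set -- "$1" $(ls -ld "$1")       # $2 mode string, $4 owner
    case $4 in root|0) ;; *) return 1 ;; esac
    case $2 in ?????w*|????????w*) return 1 ;; esac
    return 0
}

# Demo on the constructed sample.
sample=${TMPDIR:-/tmp}/pam.conf.sample.$$
write_sample_pamconf "$sample"
for svc in sshd login; do
    if pam_stack_complete "$sample" "$svc"; then s=complete; else s=INCOMPLETE; fi
    if pam_permission_first "$sample" "$svc"; then p=yes; else p=no; fi
    echo "$svc: stack $s, pam_permission requisite first: $p, allow file: $(pam_permission_file "$sample" "$svc")"
done
if allow_file_safe /etc/allowed; then
    echo "/etc/allowed: ownership and mode ok"
else
    echo "/etc/allowed: missing, not owned by root, or writable by others"
fi
rm -f "$sample"
```

Point the functions at the real /etc/pam.conf and loop over every service you expose (sshd, telnet, su, login, ftp) so that no stack is left without the requisite pam_permission line; run the allow-file check from cron as well, since a later chmod on that file silently widens who can log in.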

Document Location

Worldwide


Document Information

Modified date:
02 July 2025

UID

ibm17184970