Question & Answer
Question
How to configure LDAPA (LDAP authentication only mode)?
Answer
How to Configure LDAPA (authentication only mode)
Background
AIX introduced LDAP integrated login starting with AIX 4.3.3. The AIX LDAP login feature allows centralized user and group management on an LDAP server. Since the LDAP load module provides both authentication and identification, all LDAP users and groups had to reside on the LDAP server. There may be times when authentication only mode is desired, which can be achieved using the LDAPA load module in AIX 6.1 TL4 and later. Authentication only mode allows for local user and group management but authentication will be done via an LDAP server.
AIX Software Requirements
- The AIX OS must be at 6.1 TL4 or later
- Any known AIX LDAP login patches should be applied as well
- IBM Tivoli Directory Server (ITDS) LDAP client software v6.3 or later
- IBM LDAP software can be found here: http://www-01.ibm.com/support/docview.wss?uid=swg27009778
Overview of LDAPA
A basic understanding of the LDAPA mechanism will be helpful prior to configuring it. LDAPA uses the AIX secldapclntd daemon to make LDAP calls to the LDAP server(s) specified in the /etc/security/ldap/ldap.cfg file. When LDAPA authentication occurs, here is what will take place under the covers:
- Send an LDAP search to the LDAP server to find the AIX username, based on ldap.cfg and the user map file
- If the user is found on LDAP, send an LDAP BIND to authenticate the user
Configuration Details
1. Install LDAP client software on AIX
Install ITDS LDAP client software.
The fileset names are:
- idsldap.clt32bit63.rte
- idsldap.clt64bit63.rte
- There may be newer versions of the LDAP software, so your filesets might look like this:
- idsldap.clt32bit64.rte
- idsldap.clt64bit64.rte
2. Create LDAP links
- For ITDS v6.3, run the following commands:
# cd /opt/IBM/ldap/V6.3/bin
# ./idslink -i -g -l 64 -f
# ./idslink -i -g -l 32 -f
- For ITDS v6.x, replace V6.3 in the path above with V6.x.
3. Find one AIX username and corresponding LDAP user entry to configure and test with
- In this example, my local AIX username is “tuvo”.
- The “tuvo” entry exists in /etc/passwd:
# grep tuvo /etc/passwd
tuvo:!:226:1::/home/tuvo:/usr/bin/ksh
- The corresponding LDAP user entry resides on Windows ADS, and it looks like this from an ldapsearch:
dn: CN=Tu Vo,CN=Users,DC=netcads,DC=austin,DC=ibm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tu Vo
distinguishedName: CN=Tu Vo,CN=Users,DC=netcads,DC=austin,DC=ibm,DC=com
instanceType: 4
whenCreated: 20100804211402.0Z
whenChanged: 20100804211402.0Z
uSNCreated: 69646
uSNChanged: 69647
name: Tu vo
objectGUID:: /3Ds60oFKE+DuCOIkBCjkw==
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAxSnbLxA2dLOQyZoKcAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: tuvo
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=netcads,DC=austin,DC=ibm,DC=com
4. Gather LDAP server information and use ldapsearch to send a test query
We’ll need some information from the LDAP server side to properly set up AIX LDAPA. Here are the required attributes:
- LDAP server host name or IP
  - In this example, the server name is “netcads”
- An LDAP bind/admin DN and password capable of searching for users on the LDAP server
  - In this example, the bindDN is “cn=admin” and the bind password is “secret”
- The user base DN, i.e. the LDAP tree suffix where the user entries can be found on the server
  - Use the user entry you found earlier to find the user base DN
  - In this example, the user base DN will be “CN=Users,DC=netcads,DC=austin,DC=ibm,DC=com”
- Determine which user attribute in the LDAP user entry will map to the AIX username
  - In this example, as seen in Step 3, the “sAMAccountName” attribute will designate the AIX username
We now have enough information to query the LDAP server and see if we can successfully search for the test user entry, using the ‘ldapsearch’ command below:
# ldapsearch -h <servername> -D <bindDN> -w <bindPwd> -b <basedn> -s <scope> <filter>
Using the details in this example, the ldapsearch command would look like this:
# ldapsearch -h netcads -D cn=admin -w secret -b CN=Users,DC=netcads,DC=austin,DC=ibm,DC=com -s sub sAMAccountName=tuvo
If ‘ldapsearch’ works, the output should look similar to the user entry shown in Step 3 above.
If ‘ldapsearch’ fails, you may have to get some assistance from the LDAP admin to debug the problem before continuing.
5. Configure AIX methods.cfg file with LDAPA module
Next we need to add the LDAPA load module to the methods.cfg file.
Previously, the methods.cfg file resided under /usr/lib/security/methods.
Recent AIX updates have created a link from /usr/lib/security/methods.cfg to /etc/methods.cfg.
Edit the methods.cfg file and add the following entries exactly as shown:
LDAPA:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64
options = authonly
LDAPAfiles:
options = auth=LDAPA,db=BUILTIN
6. Select the appropriate user and group map files and modify as needed
The LDAP user and group map files reside in /etc/security/ldap.
If your LDAP server is AIX, you will use the rfc2307aix user and group map files.
If your LDAP server is Windows, use the sfur2 user and group map files.
If your LDAP server is standard RFC2307 (Novell, OpenLDAP, Solaris, etc.), use the rfc2307 user and group map files.
In this example, the LDAP server is Windows ADS, so the sfur2user.map and sfur2group.map files will be used. To avoid losing customized data in the map files after an OS upgrade, make a copy of them and use the copied version instead:
# cd /etc/security/ldap
# cp sfur2user.map myuser.map
# cp sfur2group.map mygroup.map
LDAPA will only use the user map file, but the group map file also needs to be specified in ldap.cfg, otherwise secldapclntd won’t start.
Look at the user map file and note the “username” entry.
For the sfur2user.map file, the username entry may look like this:
username SEC_CHAR uid s na yes
This specifies that AIX will look for a “uid” attribute on the LDAP server to map to the AIX username. From Steps 3 and 4 above, this will need to change from “uid” to “sAMAccountName”.
Edit the custom user map file (myuser.map in this example) and change the username entry to this:
username SEC_CHAR sAMAccountName s na yes
Based on your existing LDAP user entries, you may find that the mapping is already correct and this change is not required.
7. Manually configure the ldap.cfg file
The /etc/security/ldap/ldap.cfg file specifies which LDAP server(s) to contact, with which credentials, where to find users, etc. For complete documentation of this file, see the link below:
https://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.files/ldap.cfg.htm
We will only enter the minimum values needed to configure a working LDAPA system. Any parameters not explicitly set will keep their default values as documented in the ldap.cfg page linked above.
For this example, the ldap.cfg file will look like this:
ldapservers:netcads
binddn:cn=admin
bindpwd:secret
authtype:ldap_auth
userbasedn:CN=Users,DC=netcads,DC=austin,DC=ibm,DC=com
userattrmappath:/etc/security/ldap/myuser.map
groupattrmappath:/etc/security/ldap/mygroup.map
userclasses:user
All attributes above should be familiar to you based on what has been done so far.
The two new attributes are “authtype” and “userclasses”.
“authtype” must be set to ldap_auth so that the password comparison will be done on the LDAP server using an LDAP bind.
“userclasses” describes which objectclass a valid user will belong to. The user entry will have an objectclass associated with it, as seen in Step 3 above. Typically, the objectclass is “posixaccount” for Unix and “user” for Windows.
When AIX sends a search to find the LDAP user “tuvo”, it will use this filter, built from the above configuration files:
(&(objectclass=user)(sAMAccountName=tuvo))
The “objectclass=user” part came from the “userclasses” value in ldap.cfg, while the “sAMAccountName=tuvo” part came from the username entry in the user map file.
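Added here as an example (not part of the IBM document): a small POSIX shell script that reproduces the filter construction from Steps 6 and 7 out of an ldap.cfg and user map file, and also checks that ldap.cfg, which holds the bind password in clear text, is not readable by other users. The file contents are constructed copies of the example above; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the IBM document: derive the LDAP search filter
# that AIX builds for a username from ldap.cfg plus the user map file it
# points at (Step 7), and check that ldap.cfg, which stores the bind
# password in clear text, is not readable by other users.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed copies of the example map file and ldap.cfg from Steps 6 and 7.
cat > "$WORK/myuser.map" <<'EOF'
username SEC_CHAR sAMAccountName s na yes
EOF
cat > "$WORK/ldap.cfg" <<EOF
ldapservers:netcads
binddn:cn=admin
bindpwd:secret
authtype:ldap_auth
userbasedn:CN=Users,DC=netcads,DC=austin,DC=ibm,DC=com
userattrmappath:$WORK/myuser.map
groupattrmappath:$WORK/mygroup.map
userclasses:user
EOF
chmod 644 "$WORK/ldap.cfg"   # deliberately world-readable for the check below

# cfg_value FILE KEY: value of a "key:value" line, ignoring comment lines
cfg_value() {
    grep -v '^#' "$1" | grep "^$2:" | head -n 1 | cut -d: -f2- | sed 's/^ *//'
}
# map_attr MAPFILE AIXATTR: LDAP attribute that the map file binds to AIXATTR
map_attr() {
    awk -v a="$2" '$1 == a { print $3 }' "$1"
}
# ldapa_filter CFG USER: filter for the single-class case shown in Step 7,
# e.g. (&(objectclass=user)(sAMAccountName=tuvo))
ldapa_filter() {
    attr=$(map_attr "$(cfg_value "$1" userattrmappath)" username)
    printf '(&(objectclass=%s)(%s=%s))\n' "$(cfg_value "$1" userclasses)" "$attr" "$2"
}
# cfg_is_private FILE: succeed only when "other" has no read permission
cfg_is_private() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 1 ;;
        *) return 0 ;;
    esac
}

ldapa_filter "$WORK/ldap.cfg" tuvo
cfg_is_private "$WORK/ldap.cfg" || echo "WARNING: $WORK/ldap.cfg is readable by others"
```

On a real system, point the functions at /etc/security/ldap/ldap.cfg instead of the constructed copy.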
8. Test current configuration to verify that AIX can find the LDAP user
Start the secldapclntd:
# start-secldapclntd
List LDAP user through AIX ‘lsldap’ command:
# lsldap -a passwd tuvo
If it works, you should see the LDAP user entry for the “tuvo” user. It will look similar to the ldapsearch output shown in Step 3.
9. Configure a user for LDAPA and test
Add an explicit user entry to the /etc/security/user file, like this:
tuvo:
SYSTEM = LDAPAfiles
registry = LDAPAfiles
Confirm that SYSTEM and registry have been set to LDAPAfiles via ‘lsuser’ command:
# lsuser -a SYSTEM registry tuvo
tuvo SYSTEM=LDAPAfiles registry=LDAPAfiles
Try to log in as the LDAPA user with the LDAP server-side password to confirm that LDAP authentication-only mode is working. If you tried with ssh and it failed, try telnet to see if you get a more descriptive error message.
10. Finalizing the setup
After successfully testing the feature, add this entry to /etc/inittab to start secldapclntd upon reboot:
ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd > /dev/console 2>&1
If the majority of users will be using LDAP authentication, then apply the SYSTEM and registry settings to the default stanza in the /etc/security/user file.
Please contact IBM AIX Support if you have further questions or suggestions.
Document Information
Modified date:
17 June 2018
UID
isg3T1012515