IBM Support

LDAP Login Control Automation


If your organization uses LDAP for user authentication, you still face the challenge of managing which users are allowed to log in to which servers. This LDAP login control automation service provides an LDAP-based software solution for centralized management of host access control that builds on your existing LDAP server.
The Center for Internet Security (CIS) recommends Access Control Management as one of 18 actions for thwarting the most pervasive attacks [1]. 
CIS recommends that organizations "Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software" [2].  "Some users have access to enterprise assets or data that they do not need for their role; this (excessive access) might be due to an immature process that gives all users all access, or lingering access as users change roles within the enterprise over time" [2].  CIS recommends that users be granted access only to the "data or enterprise assets appropriate for their role, ..." [2].
This solution is one of several security measures to be implemented in a Zero Trust architecture.  The Cybersecurity & Infrastructure Security Agency (CISA) recommends that federal agencies "ensure and enforce user and entity access to the right resources at the right time for the right purpose without granting excessive access"  in their transition to Zero Trust architecture [3].
Technical Details
  • The “login pass” construct defines a type of access.  For example, the command “mkpass DB2” creates the “DB2” login pass, which is used to grant user access to “DB2” systems.
  • Users are granted access by assigning login passes to their LDAP user account.  For example, the command “chuserpass user1 DB2” allows the user “user1” to log in to any host that belongs to a host group that authorizes the “DB2” login pass.
  • The “host group” construct defines a group of hosts together with the login passes that authorize access to those hosts.  For example, the command “mkhostgroup DB2_hosts -h vm1,vm2 -p DB2” creates a host group called DB2_hosts that consists of two hosts, vm1 and vm2, and authorizes the “DB2” login pass for them, so only users who hold the “DB2” pass (through this host group) can log in to vm1 and vm2.
  • This solution provides excellent auditability of the configured access control.  Consider the following command that queries the access control configured for the host, vm1:
    # lshost vm1
    vm1:
         hostgroups=DB2_hosts,PROD_hosts
         ibm-loginpass=DB2,AIX_ADMIN
         users=user1,user2,aixAdmin1,aixAdmin2
    #
    • The hostgroups attribute indicates that vm1 is a DB2 system in the Production environment.
    • The ibm-loginpass attribute indicates that users who have the DB2 or AIX_ADMIN pass assigned to them are allowed access to the system.
    • The users user1, user2, aixAdmin1, and aixAdmin2 can log in to vm1; a user holding neither pass is denied.
  • For AIX, the provided ldappassd daemon keeps secldapclntd in sync with all access control configured on the LDAP Server.
  • For Linux, the provided ldappassd daemon keeps SSSD in sync with all access control configured on the LDAP Server.
  • This solution supports IBM Security Directory Server and Microsoft Active Directory.  Support for other LDAP servers can be provided.
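The following is an added illustration of the access model described in the Technical Details above; it is not code from the IBM solution. It models the evaluation rule (a user may log in to a host when at least one of the user's login passes is authorized by a host group containing that host) over a constructed, in-memory directory snapshot, and reproduces the lshost view shown above. The dict layout, the extra host vm3, the WEB pass, the "intern" user, and the use of ibm-loginpass as the user-side attribute are assumptions made for the example.

```python
"""Model of login-pass / host-group access evaluation (added example, not IBM code).

Constructed snapshot: plain dicts stand in for LDAP entries. Attribute and
object layout, vm3, WEB_hosts, the WEB pass and the 'intern' user are assumptions.
"""

# Users and the login passes assigned to them (attribute name assumed).
USERS = {
    "user1":     {"ibm-loginpass": ["DB2"]},
    "user2":     {"ibm-loginpass": ["DB2"]},
    "aixAdmin1": {"ibm-loginpass": ["AIX_ADMIN"]},
    "aixAdmin2": {"ibm-loginpass": ["AIX_ADMIN"]},
    "intern":    {"ibm-loginpass": []},   # no pass: denied everywhere (default deny)
}

# Host groups: member hosts and the passes that authorize login to them.
HOSTGROUPS = {
    "DB2_hosts":  {"hosts": ["vm1", "vm2"], "passes": ["DB2"]},
    "PROD_hosts": {"hosts": ["vm1", "vm3"], "passes": ["AIX_ADMIN"]},
    "WEB_hosts":  {"hosts": ["vm3"],        "passes": ["WEB"]},
}


def hostgroups_of(host):
    """All host groups that list `host` as a member, sorted for stable output."""
    return sorted(g for g, v in HOSTGROUPS.items() if host in v["hosts"])


def passes_for_host(host):
    """Union of the passes authorized by every host group containing `host`."""
    passes = set()
    for g in hostgroups_of(host):
        passes.update(HOSTGROUPS[g]["passes"])
    return passes


def can_login(user, host):
    """Core rule: access iff the user holds at least one pass the host authorizes."""
    return bool(set(USERS[user]["ibm-loginpass"]) & passes_for_host(host))


def lshost(host):
    """Equivalent of the `lshost` view: groups, passes and resulting users for a host."""
    passes = passes_for_host(host)
    users = sorted(u for u in USERS if can_login(u, host))
    return {"hostgroups": hostgroups_of(host),
            "ibm-loginpass": sorted(passes),
            "users": users}


def format_lshost(host):
    """Render lshost() in the attribute=value layout shown on the page."""
    info = lshost(host)
    lines = [f"{host}:"]
    for attr in ("hostgroups", "ibm-loginpass", "users"):
        lines.append(f"     {attr}={','.join(info[attr])}")
    return "\n".join(lines)


def lsuser(user):
    """Reverse view for access reviews: every host a user may log in to."""
    hosts = {h for g in HOSTGROUPS.values() for h in g["hosts"]}
    return sorted(h for h in hosts if can_login(user, h))


def chuserpass(user, pass_name, remove=False):
    """Assign (or revoke) a pass; the next evaluation reflects the change."""
    passes = USERS[user]["ibm-loginpass"]
    if remove:
        passes.remove(pass_name)
    elif pass_name not in passes:
        passes.append(pass_name)


if __name__ == "__main__":
    print(format_lshost("vm1"))
    print("user1 on vm3:", can_login("user1", "vm3"))
    print("intern hosts:", lsuser("intern"))
```

Two checks worth keeping in mind when reviewing a deployment of this model: a host that belongs to several host groups accumulates the passes of all of them (vm1 above grants access to both DB2 and AIX_ADMIN holders), and revoking a pass with chuserpass removes access on every host that pass reached, which is the centralized revocation the CIS control asks for.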

Common Use Cases
  • An AIX or Linux organization that would like to move away from managing login control locally on each individual host and would also like to adopt an LDAP-based solution for centralized user, group, and password management
  • An AIX or Linux organization that would like to add centralized host access control to their existing LDAP-based solution that provides centralized user, group, and password management

Engagement Process
  • Consultant arranges prep call to discuss requirements, scheduling, and agenda
  • Consultant works with client to configure solution in client proof-of-concept environment
  • Consultant works with client to verify the host control functions that are most important to the client
  • Consultant provides presentations to facilitate knowledge transfer

Deliverables
  1. Presentation Slides – an electronic copy of presentation slides
  2. Configuration documents – an electronic copy of configuration documents
  3. Software package – provides the login policy management toolsets and login control automation subsystem

References
  1. Center for Internet Security.  CIS Critical Security Controls FAQ.
    https://www.cisecurity.org/controls/cis-controls-faq/
  2. Center for Internet Security.  (2021).  CIS Controls v8 Guide, p. 24.
  3. CISA.  (April 2023).  Zero Trust Maturity Model v2.0, p. 13.
    https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf
For questions, please contact AIX/Linux Security consultant, Stephen Dominguez, at email


Document Information

Modified date:
10 July 2024

UID

ibm16592521