Saturday, October 24, 2009

LDAP in AIX

LDAP can be implemented in AIX using the IBM Directory Server software, which is available on the AIX installation CDs.

Required File Sets:
ldap.server - Fileset for IBM Directory Server software.
ldap.client - Fileset for IBM Directory client library, header files, utilities.
ldap.max_crypto_server - Fileset for IBM Directory server software, encryption version; Required for SSL setup.
ldap.max_crypto_client - Fileset for IBM Directory client software, encryption version; Required for SSL setup.
gskkm.rte - Fileset for IBM GSKit software; Required for IDS v4 SSL setup.
gskak.rte - Fileset for IBM GSKit software; Required for IDS v6 SSL setup.

DB2:
The DB2 database is installed by default along with the ldap.server fileset.

The mksecldap command creates the default DB2 instance and database while setting up the LDAP server.

Default DB2 instance created, managed by LDAP: ldapdb2
Default DB2 database created, managed by LDAP: ldapdb2

LDAP Daemons in AIX :

slapd - Server Daemon :
It runs on the LDAP server and processes the requests forwarded by secldapclntd.

secldapclntd - Client Daemon :
It accepts requests from the LDAP load module, forwards them to the LDAP Security Information Server, and passes the result from the server back to the LDAP load module.
At startup this daemon reads the configuration in /etc/security/ldap/ldap.cfg, authenticates to the LDAP Security Information Server with the bind (server administrator's) distinguished name and password found there, and establishes a connection between the local host and the server.
Because ldap.cfg holds that bind password, it must stay readable by root only, and the bind should use SSL (see the client setup below) so the password does not cross the network in clear text.

LDAP Configuration Files:

/etc/slapd32.conf
- Server Config File

/etc/security/ldap/ldap.cfg
- Client config file: LDAP server names, port numbers, admin (bind) DN, admin DN password, SSL key path and password, user/group/id attribute map paths, user/group cache sizes, cache TTL, heartbeat interval, number of threads.

/usr/lib/security/methods.cfg
- Loadable module config file contains the LDAP stanza.
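As an added example (not from the original post), the following script audits a secldapclntd client configuration for the settings that matter most to security: SSL turned on, the bind password not stored in clear text, a bind DN that is not the directory administrator, and root-only file modes on ldap.cfg and the SSL key database. It assumes the "key:value" layout of /etc/security/ldap/ldap.cfg and the key names ldapservers, binddn, bindpwd, useSSL, ldapsslkeyf and ldapsslkeypwd; the two configuration files it checks (one weak, one corrected) are constructed for the demo, not copied from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a secldapclntd
# client configuration for the settings that matter to security.
# Assumed: ldap.cfg is "key:value" lines with the key names used below
# (ldapservers, binddn, bindpwd, useSSL, ldapsslkeyf, ldapsslkeypwd).
# All file contents here are constructed for the demo.

# Print the value of key $2 from config file $1 (first match, comments skipped).
cfg_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# Return 0 when every check passes, 1 otherwise; prints one line per finding.
audit_ldap_cfg() {
    f="$1"; rc=0

    # 1. Transport: secldapclntd does a simple bind, so without SSL the
    #    bind DN's password crosses the network in clear text.
    if [ "$(cfg_get "$f" useSSL)" != "yes" ]; then
        echo "FAIL useSSL is not 'yes' (bind password sent in clear)"; rc=1
    fi

    # 2. Stored bind password: a value not wrapped as {...} is plain text on disk.
    pw=$(cfg_get "$f" bindpwd)
    case "$pw" in
        "")   echo "FAIL bindpwd is empty"; rc=1 ;;
        \{*)  ;;                                   # obfuscated form, e.g. {DESv2}...
        *)    echo "FAIL bindpwd is stored in clear text"; rc=1 ;;
    esac

    # 3. Bind identity: binding every client as the directory administrator
    #    turns any compromised client into a full-write directory admin.
    #    (Assumed: the administrator is named cn=admin or cn=root.)
    dn=$(cfg_get "$f" binddn)
    case "$dn" in
        cn=admin|cn=root|cn=admin,*|cn=root,*)
            echo "FAIL binddn '$dn' is the directory administrator; use a read-only bind DN"; rc=1 ;;
    esac

    # 4. File mode: the file holds a password, so group/other must have no bits set.
    if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
        echo "FAIL $f is readable by group/other (chmod 600 it)"; rc=1
    fi

    # 5. SSL key database: if present it holds the trust anchor and key password, root-only too.
    kdb=$(cfg_get "$f" ldapsslkeyf)
    if [ -n "$kdb" ] && [ -f "$kdb" ] && [ "$(ls -l "$kdb" | cut -c5-10)" != "------" ]; then
        echo "FAIL key database $kdb is readable by group/other"; rc=1
    fi
    return $rc
}

# --- demo on two constructed files: a weak client setup and a corrected one ---
d=$(mktemp -d)
cat > "$d/weak.cfg" <<EOF
# constructed: client bound as the admin DN, no SSL, password in clear
ldapservers:ldap1.example.com
binddn:cn=admin
bindpwd:pwd
useSSL:no
userattrmappath:/etc/security/ldap/2307aixuser.map
groupattrmappath:/etc/security/ldap/2307aixgroup.map
EOF
cat > "$d/good.cfg" <<EOF
# constructed: read-only bind DN, SSL on, obfuscated passwords, root-only files
ldapservers:ldap1.example.com,ldap2.example.com
binddn:cn=proxyuser,ou=people,cn=aixdata
bindpwd:{DESv2}0123456789abcdef
useSSL:yes
ldapsslkeyf:$d/mykey.kdb
ldapsslkeypwd:{DESv2}fedcba9876543210
EOF
: > "$d/mykey.kdb"
chmod 600 "$d/good.cfg" "$d/mykey.kdb"

for cfg in "$d/weak.cfg" "$d/good.cfg"; do
    echo "== $cfg"
    if audit_ldap_cfg "$cfg"; then echo "PASS"; fi
done
```

On a real client run it as `audit_ldap_cfg /etc/security/ldap/ldap.cfg` after `mksecldap -c`; the weak file above produces four findings, the corrected one none.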

LDAP module entry in /usr/lib/security/methods.cfg :

LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64

Attribute Map Files:
These map files are used by the /usr/lib/security/LDAP module and the secldapclntd daemon to translate between AIX attribute names and LDAP attribute names.
Each entry in a mapping file represents a translation for one attribute.

For example, the "account_locked" user attribute in AIX is mapped to the "isaccountenabled" LDAP attribute (note that the two names have opposite sense).

# /etc/security/ldap/2307aixuser.map
# /etc/security/ldap/2307aixgroup.map
# /etc/security/ldap/idmap.map
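To show what a mapping file actually does, here is an added example (not from the original post) that applies an attribute map to an AIX user stanza in "lsuser -f" style and emits the LDIF entry the mapping implies, the way sectoldif does for a whole registry. It assumes a map format of four whitespace-separated columns (AIX attribute, type, LDAP attribute, s/m); the map and the stanza are constructed for the demo as a small subset in the style of 2307aixuser.map, and the boolean inversion for account_locked/isaccountenabled is this example's own handling of the opposite-sense names.

```shell
#!/bin/sh
# Added example, not part of the original post: apply an attribute map file
# to an AIX user stanza and emit the LDIF entry the mapping implies.
# Assumed map format: one entry per line, four whitespace-separated columns
#   <aix_attribute> <type: SEC_CHAR|SEC_INT|SEC_BOOL> <ldap_attribute> <s|m>
# The map and the stanza below are constructed for the demo (a subset in the
# style of /etc/security/ldap/2307aixuser.map and "lsuser -f" output).

# $1 = map file, $2 = stanza file (lsuser -f style), $3 = base DN for the entry.
stanza_to_ldif() {
    awk -v base="$3" '
        # Pass 1 (map file): remember the LDAP name and type of each AIX attribute.
        FNR == NR {
            if ($0 ~ /^[[:space:]]*#/ || NF == 0) next
            ldapname[$1] = $3; atype[$1] = $2
            next
        }
        # Pass 2 (stanza): a "name:" line opens a user entry.
        /^[^ \t]+:$/ {
            user = substr($1, 1, length($1) - 1)
            print "dn: uid=" user ",ou=people," base
            print "objectClass: posixAccount"   # the rfc2307aix schema adds AIX auxiliary classes
            print "uid: " user
            next
        }
        # "attr=value" lines are translated through the map; unmapped ones are reported.
        /=/ {
            sub(/^[[:space:]]+/, "")
            eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            if (!(key in ldapname)) {
                print "skipped: no mapping for " key | "cat 1>&2"
                next
            }
            # account_locked and isaccountenabled have opposite sense, so the
            # boolean is inverted here (handling chosen for this example).
            if (atype[key] == "SEC_BOOL" && ldapname[key] == "isaccountenabled")
                val = (val == "true") ? "FALSE" : "TRUE"
            print ldapname[key] ": " val
        }
    ' "$1" "$2"
}

# --- demo on constructed input ---
d=$(mktemp -d)
cat > "$d/user.map" <<'EOF'
# aix_attr        type        ldap_attr          s|m   (constructed subset)
username          SEC_CHAR    uid                s
id                SEC_INT     uidnumber          s
home              SEC_CHAR    homedirectory      s
shell             SEC_CHAR    loginshell         s
gecos             SEC_CHAR    gecos              s
account_locked    SEC_BOOL    isaccountenabled   s
EOF
cat > "$d/joe.stanza" <<'EOF'
joe:
        id=205
        home=/home/joe
        shell=/usr/bin/ksh
        gecos=Joe User
        account_locked=false
        fsize=2097151
EOF

stanza_to_ldif "$d/user.map" "$d/joe.stanza" cn=aixdata
```

The fsize line is deliberately absent from the constructed map, so the script reports it on stderr instead of exporting it: an attribute that has no entry in the map file simply does not reach the directory, which is the first place to look when an AIX attribute set with chuser -R LDAP never appears on the server.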

User Attributes related to LDAP:
1. hostsallowedlogin - List of hosts from which the user may log in
2. hostsdeniedlogin - List of hosts from which the user may not log in
3. SYSTEM = LDAP - the user authenticates through LDAP
4. registry = LDAP - the user's attributes are administered in LDAP

Management of secldapclntd daemon:

start-secldapclntd - Starts the daemon
stop-secldapclntd - Stops the daemon
restart-secldapclntd - Restarts the daemon
ls-secldapclntd - Lists the daemon status including current server,
port number, caching status, etc.
flush-secldapclntd - Clears the cache of the daemon

Note: the secldapclntd daemon is started by the "mksecldap -c" command and is started at boot time through an /etc/inittab entry.

LDAP Server Commands:

To set up the server,
# mksecldap -s -a cn=admin -p pwd -S rfc2307aix

where
cn=admin is the administrator DN
pwd is the password
rfc2307aix is the schema. Other available schemas are aix and rfc2307.

This will export the locally defined users and groups to the LDAP server with the RFC2307AIX schema.

To do the above task without migrating local users and groups,
# mksecldap -s -a cn=admin -p pwd -S rfc2307aix -u NONE

To undo a previous server setup,
# mksecldap -s -U

To generate or import the SSL certificate (key database),
# gsk5ikm

To export all locally defined users and groups to an LDIF file,
# sectoldif -d cn=aixsecdb,cn=aixdata -S rfc2307aix > /tmp/ldapusers.ldif

To import users and groups from the LDIF file into the LDAP server,
# Use ldif2db (bulk load, run with the server stopped) or ldapadd (online, against the running server)

LDAP Client Commands:
To set up the LDAP client without SSL,
# mksecldap -c -h servername -a adminDN -p passwd

To set up the LDAP client using SSL (the key database created with gsk5ikm is given with -k and its password with -w),
# mksecldap -c -h servername -a adminDN -p passwd -k /usr/ldap/etc/mykey.kdb -w keypwd

To undo a previous client setup,
# mksecldap -c -U

DB2 commands for managing LDAP database:

To drop (delete) the ldapdb2 database (this destroys all directory data, so export it first, for example with db2ldif):
# su - ldapdb2
$ db2 drop database ldapdb2
$ exit

To drop the ldapdb2 instance:
# /usr/lpp/db2_07_01/instance/db2idrop ldapdb2

User/Group Related Commands:

To create an LDAP user from a client:
# mkuser -R LDAP joe

To change an existing user user1 so that it authenticates through LDAP:
# chuser SYSTEM=LDAP registry=LDAP user1

To lock an LDAP user:
# chuser -R LDAP account_locked=true user2

To allow user1 to login from host1 and host2:
# chuser -R LDAP hostsallowedlogin=host1,host2 user1

To deny user1 login from host2:
# chuser -R LDAP hostsdeniedlogin=host2 user1

To allow user1 to login from the machine with IP 192.9.200.1 :
# chuser -R LDAP hostsallowedlogin=192.9.200.1 user1

Please post your comments and questions.

2 comments:

swaraj said...

Hello,

if a user is present on the LDAP server, should that user exist in /etc/password of the client?

swaraj said...

Hello!

If a user exists on the LDAP server, should that user exist on the LDAP client too?