Agenda

Today's picture: too often, user data and passwords are file-based on each system, or spread across multiple incompatible LDAP servers, NIS/NIS+ and Microsoft ADS, so every user needs a separate password for each system.

Goal: one password and one copy of the user data for all systems, served from LDAP.
Schema Support                       LDAP Servers
AIX proprietary schema               ITDS - IBM Tivoli Directory Server (4.1, 5, 6.0)
RFC2307                              OpenLDAP
RFC2307bis                           Sun One Directory Server
AIX extensions                       Sun Java System Directory Server 5.2
Solaris 9 extensions                 Novell eDirectory
Solaris 10 extensions                Windows 2000 Active Directory
Novell                               Windows 2003 Active Directory
Microsoft SFU 2.0                    Windows 2003 R2 ACS
Microsoft SFU 3.0                    Netscape Directory Server -> Sun
Microsoft Windows 2000 V2
Person, ePerson, etc.
Schema Support by AIX Release
AIX proprietary schema       all releases
RFC2307                      AIX 4.3.3*
AIX extensions               AIX 5.1
RFC2307bis                   AIX 5.2
Solaris 9 extensions         AIX 5.3
Solaris 10 extensions        AIX 5.3 ML3
Novell (*?)                  AIX 5.3 TL5
Microsoft SFU 2.0            AIX 5.3 TL6 (?)
Microsoft SFU 3.0
Microsoft Windows 2000 V2
Person, ePerson, etc.
* PADL RFC2307
? planned
posixAccount
- Optional shadowAccount attributes and the AIX user attributes they map to:
  shadowmax -> maxage: maximum weeks the password is valid
  shadowmin -> minage: minimum weeks before the password may be changed
  shadowexpire -> maxexpired: weeks after expiration during which the user can still change the password
  shadowwarning -> pwdwarntime: days before the password expires that the user is warned
posixGroup
- No optional attributes are used by AIX.
- Not used: description, memberPassword
Some users may still need to be local users with local groups.
[Diagram: AIX authentication flow]
Applications (login, ssh, ftp) authenticate through either PAM (PAM modules, /etc/pam.conf) or LAM (auth_type in login.cfg; custom methods such as Kerberos).
1. Authentication: username, password
2. Get credentials: UID/GID, HOME, SHELL, etc.
The LDAP load module (authenticate()) hands the request to secldapclientd (crypt(passwd)), which talks to slapd on port 389.
SSL: ldap.cfg sets ldapsslport and the key database Key.kdb; slapd then listens on port 636.
Attribute mapping for Microsoft SFU 3.0 in /etc/security/ldap/*.map: msSFU30Name, msSFU30Password, msSFU30UidNumber, msSFU30GidNumber, msSFUHomeDirectory, msSFULoginShell.
19 © 2007 IBM Corporation
IBM STG Technical Conference
Configuring ITDS (LDAP) on AIX: mkitab adds the slapd entry to /etc/inittab so the server starts at boot.
Check the naming contexts with a base-scope search:
ldapsearch ..bindinfo.. -b "" -s base "objectclass=*" namingcontexts
namingcontexts=CN=SCHEMA
namingcontexts=CN=CONFIGURATION
namingcontexts=CN=LOCALHOST
namingcontexts=CN=PWDPOLICY
namingcontexts=CN=IBMPOLICIES
namingcontexts=CN=AIXDATA
namingcontexts=OU=ATS,O=IBM,O=COM
Container layout under the cn=aixdata suffix in LDAP:
ou=People,cn=aixdata
  ou=People
  objectClass=organizationalUnit
  objectClass=top
ou=Groups,cn=aixdata
  ou=Groups
  objectClass=organizationalUnit
  objectClass=top
ou=System,cn=aixdata
  ou=System
  objectClass=organizationalUnit
  objectClass=top
Migrating NIS to LDAP: the NIS maps (passwd.byname, passwd.byuid, shadow.byname, autoFS, ...) are converted to an LDIF file and loaded with ldapadd.
Example LDIF entry generated from the maps:
dn: uid=caleb,ou=aixuser,cn=ibm,cn=com
uid: caleb
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: aixauxaccount
cn: caleb
passwordchar: !
uidNumber: 210
gidNumber: 1
Migrating the local security files (/etc/passwd, /etc/group, /etc/security/passwd, /etc/security/user, ...) to LDAP: sectoldif -S <schema> converts them to LDIF for the chosen schema, which is then loaded into LDAP.
Verifying the migrated user with ldapsearch:
uid=test1,ou=People,ou=ats,o=ibm,o=com
  uid=test1
  objectClass=aixauxaccount
  objectClass=shadowaccount
  objectClass=posixaccount
  objectClass=account
  objectClass=ibm-securityidentities
  objectClass=top
  cn=test1
  passwordchar=!
  uidnumber=207
  gidnumber=1
  homedirectory=/home/test1
  loginshell=/usr/bin/ksh
  isadministrator=false
  userpassword={crypt}kYaEASzK4RyaI
  shadowlastchange=13006
  passwordflags=ADMCHG
lsldap lists the containers:
dn: ou=People,ou=ats,o=ibm,o=com
dn: ou=Groups,ou=ats,o=ibm,o=com
dn: ou=System,ou=ats,o=ibm,o=com
lsldap passwd lists the user entries:
dn: uid=default,ou=People,ou=ats,o=ibm,o=com
dn: uid=test1,ou=People,ou=ats,o=ibm,o=com
...
lsuser confirms which registry the user resolves from:
# lsuser -R LDAP -a SYSTEM registry test1
test1 SYSTEM=compat registry=LDAP
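Two of the steps above, the posixAccount-to-AIX attribute mapping and the check of the migrated entries, can be exercised offline on the LDIF form shown on these slides. The following is an added example, not IBM's code and not part of the original presentation: it parses LDIF-style entries, renames the shadowAccount attributes to the AIX names given in the posixAccount section, and reports the problems an administrator would want to know about before pointing SYSTEM at LDAP. The two sample entries are constructed, the password values are placeholders rather than real hashes, and the "required object classes" set is an assumption chosen to match the entries on the slides.

```python
"""Parse LDIF-style user entries, rename RFC 2307 shadow attributes to their
AIX names and run sanity checks before the entries are trusted as a registry.

Added example, not IBM's code. The mapping (shadowmax -> maxage, shadowmin ->
minage, shadowexpire -> maxexpired, shadowwarning -> pwdwarntime) is the one
on the posixAccount slide; the entries and password values are constructed.
"""

# shadowAccount attribute -> AIX /etc/security/user attribute (from the slide)
SHADOW_TO_AIX = {
    "shadowmax": "maxage",           # maximum weeks the password is valid
    "shadowmin": "minage",           # minimum weeks before the password may change
    "shadowexpire": "maxexpired",    # weeks after expiry a change is still allowed
    "shadowwarning": "pwdwarntime",  # days of warning before expiry
}
# posixAccount attributes the AIX client needs for a usable account
POSIX_TO_AIX = {"uidnumber": "id", "gidnumber": "pgrp",
                "homedirectory": "home", "loginshell": "shell"}
# Assumption: classes every migrated user entry should carry
REQUIRED_CLASSES = {"account", "posixaccount", "shadowaccount"}

# Constructed sample in the "attribute: value" LDIF form used on the slides
SAMPLE_LDIF = """\
dn: uid=test1,ou=People,ou=ats,o=ibm,o=com
uid: test1
objectClass: aixauxaccount
objectClass: shadowaccount
objectClass: posixaccount
objectClass: account
cn: test1
uidNumber: 207
gidNumber: 1
homeDirectory: /home/test1
loginShell: /usr/bin/ksh
userPassword: {crypt}XXXXXXXXXXXXX
shadowMax: 13
shadowMin: 1
shadowWarning: 7
shadowLastChange: 13006
passwordFlags: ADMCHG

dn: uid=caleb,ou=People,ou=ats,o=ibm,o=com
uid: caleb
objectClass: posixaccount
objectClass: account
cn: caleb
uidNumber: 207
gidNumber: 1
userPassword: {SSHA}YYYYYYYYYYYYYYYYYYYYYYYYYYYY
"""


def parse_ldif(text):
    """Return a list of entries; each maps lower-cased attribute names to value lists."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]    # LDIF continuation line
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def aix_attributes(entry):
    """Express one entry with the AIX attribute names an lsuser listing shows."""
    out = {"name": entry["uid"][0]}
    for ldap_name, aix_name in list(SHADOW_TO_AIX.items()) + list(POSIX_TO_AIX.items()):
        if ldap_name in entry:
            value = entry[ldap_name][0]
            out[aix_name] = int(value) if value.lstrip("-").isdigit() else value
    return out


def audit(entries):
    """Findings an administrator wants before switching users to SYSTEM=LDAP."""
    findings, seen_ids = [], {}
    for e in entries:
        name = e.get("uid", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        missing = REQUIRED_CLASSES - classes
        if missing:
            findings.append("%s: missing objectClass %s" % (name, ",".join(sorted(missing))))
        uid = e.get("uidnumber", [None])[0]
        if uid in seen_ids:
            findings.append("%s: uidNumber %s already used by %s" % (name, uid, seen_ids[uid]))
        elif uid is not None:
            seen_ids[uid] = name
        pw = e.get("userpassword", [""])[0]
        # A 13-character {crypt} value is traditional DES crypt(3): only the
        # first eight password characters are significant, so flag it.
        if pw.lower().startswith("{crypt}") and len(pw) - len("{crypt}") == 13:
            findings.append("%s: password stored as DES crypt(3)" % name)
        if "ADMCHG" in e.get("passwordflags", [""])[0].split(","):
            findings.append("%s: ADMCHG set, password must be changed at next login" % name)
    return findings
```

Run `audit(parse_ldif(SAMPLE_LDIF))` on real `ldapsearch` output (after converting the `attr=value` display form to `attr: value`) to catch duplicate uidNumbers and entries missing shadowAccount before users are switched to the LDAP registry; `aix_attributes` shows what each entry will look like in AIX terms.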
Install the GSKit filesets and the secure LDAP client and server filesets
- SSL and Java filesets are also required
- ldap.max_crypto_client.rte, etc.
Possible configurations
- LDAP authentication only
- PAM module to create the HOME directory on first login to a new server
Goal: single corporate password (Kerberos authentication against Active Directory, user database in local files)
User attribute: SYSTEM = KRB5Afiles
/usr/lib/security/methods.cfg:
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly
KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
Check that you can retrieve the data from AD with lsldap, or directly with ldapsearch:
ldapsearch -h adhost -D cn=Adm -w admpwd -b "ou=basedn" "(uid=*)"
(A bind password given with -w is visible in the process list and shell history; keep it off the command line where the client allows prompting.)
msSFU30PosixMember
- Default support for both Windows and AIX
- Map file shows: users SEC_LIST msSFU30PosixMember m
- Requires the full DN for all interactions
  Example: msSFU30PosixMember: cn=user1,cn=users,dc=dept1,dc=abc,dc=com
- DN parsing impacts performance
msSFU30MemberUid
- Requires the admin to change the map file: users SEC_LIST msSFU30MemberUid m
- Same as the RFC 2307 memberUid attribute
  Example: msSFU30memberuid: user1
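The difference between the two map-file choices is easiest to see in code. The following added example (not IBM's secldapclientd and not from the original presentation) reads the `users SEC_LIST <attribute> m` map line, then resolves a group's members either from msSFU30PosixMember values (full DNs that must be parsed and looked up) or from msSFU30MemberUid values (bare user names). The directory contents, the group entry and the DN with an escaped comma are constructed; the DN normalization is a simplified matching rule, not the server's.

```python
"""Resolve SFU 3.0 group membership under either map-file attribute.

Added example, not IBM's code. The map-file line format comes from the slide;
the user and group entries below are constructed.
"""

# Constructed map-file lines, one per variant shown on the slide
MAP_POSIXMEMBER = "users SEC_LIST msSFU30PosixMember m"
MAP_MEMBERUID = "users SEC_LIST msSFU30MemberUid m"


def member_attribute(map_line):
    """Return the LDAP attribute (lower-cased) that the 'users' map entry names."""
    fields = map_line.split()
    if len(fields) < 4 or fields[0] != "users" or fields[1] != "SEC_LIST":
        raise ValueError("not a users SEC_LIST map line: %r" % map_line)
    return fields[2].lower()


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash escapes (RFC 4514).
    A plain split(',') would break a value such as 'cn=Doe\\, John'."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def normalize_dn(dn):
    """Case-fold RDNs and trim spaces so DNs from AD and the map compare equal
    (simplified matching rule, an assumption of this example)."""
    return ",".join(rdn.lower() for rdn in split_dn(dn))


# Constructed directory: user entries keyed by DN, plus one group entry
USERS = {
    "cn=user1,cn=users,dc=dept1,dc=abc,dc=com": {"msSFU30Name": "user1"},
    "cn=Doe\\, John,cn=users,dc=dept1,dc=abc,dc=com": {"msSFU30Name": "jdoe"},
    "cn=svc-backup,ou=service,dc=dept1,dc=abc,dc=com": {"msSFU30Name": "svcbackup"},
}
GROUP = {
    "cn": "unixadmins",
    "msSFU30PosixMember": [
        "CN=user1,CN=Users,DC=dept1,DC=abc,DC=com",       # different case than USERS
        "cn=Doe\\, John,cn=users,dc=dept1,dc=abc,dc=com",  # escaped comma in RDN
        "cn=gone,cn=users,dc=dept1,dc=abc,dc=com",        # dangling reference
    ],
    "msSFU30MemberUid": ["user1", "jdoe", "ghost"],
}


def resolve_members(group, map_line, users=USERS):
    """Return (sorted login names, unresolved values) for the configured attribute."""
    attr = member_attribute(map_line)
    values = {k.lower(): v for k, v in group.items()}.get(attr, [])
    resolved, dangling = [], []
    if attr == "mssfu30posixmember":
        # DN form: every member needs DN parsing plus a lookup of the user entry
        index = {normalize_dn(dn): e for dn, e in users.items()}
        for dn in values:
            entry = index.get(normalize_dn(dn))
            if entry is None:
                dangling.append(dn)
            else:
                resolved.append(entry["msSFU30Name"])
    else:
        # memberUid form: values are already login names; only check they exist
        known = {e["msSFU30Name"] for e in users.values()}
        for name in values:
            (resolved if name in known else dangling).append(name)
    return sorted(resolved), dangling
```

The DN branch is where the slide's performance remark comes from: each member value has to be parsed and matched against a user entry, whereas the memberUid branch is a set lookup. Both branches report values that resolve to no user, which is worth checking after a group is edited on the Windows side.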
Native password
- unicodePwd: supports Windows user authentication
- Same password for Windows and AIX (no synchronization needed)
- A password change requires an SSL connection to AD and AIX APAR IY91922
Password synchronization
- Simplifies the process of maintaining secure passwords.
- Users can use the same password for their Windows and UNIX accounts.
Centrify DirectControl
- http://www.centrify.com
Computer Associates
Map files:
/etc/security/ldap/sfu20user.map
/etc/security/ldap/sfu20group.map
/etc/security/ldap/sfu30user.map
/etc/security/ldap/sfu30group.map
RFC2307 based: shadowlastchange, shadowmax, shadowmin, shadowexpire and shadowwarning
Summary
AIX security solution with LDAP has matured
AIX 5.3 TL5 adds important new features