mksecldap Command

Purpose

Sets up an AIX® system as an LDAP server or client for security authentication and data management.

Syntax

The syntax to set up a server is:

mksecldap -s -a adminDN -p adminpasswd -S schematype [ -d baseDN ] [ -n port ] [ -k SSLkeypath] [ -w SSLkeypasswd ] [ -x proxyDN -X proxypasswd ] [ -u NONE ] [-v LDAPVersion] [ -U ] [-j <ssl|tls|ssltls|none|sslonly>]

The syntax to set up a client is:

mksecldap -c -h serverlist -a bindDN -p bindpwd [ -d baseDN ] [ -n serverport ] [ -k SSLkeypath ] [ -w SSLkeypasswd ] [ -t cachetimeout ] [ -C cachesize ] [ -P NumberofThreads ] [ -T heartBeatInt ] [-M searchMode ] [ -D defaultEntry ] [ -A authType ] [ -i databaseModule ] [ -u userlist ] [ -U ] [-j <ssl|tls>]

Description

The mksecldap command can be used to set up IBM® Directory servers and clients for security authentication and data management.
Notes:
  1. The client (-c flag) and the server (-s flag) options cannot be used at the same time. When setting up a server, the mksecldap command might need to be run twice on that machine: once to set up the server, and again to set up the system as a client.
  2. The name and location of the LDAP server configuration file depends on the version of LDAP software installed. Refer to the LDAP software documentation of the installed release for more information.

Server Setup

Make sure that the LDAP server and the back-end IBM DB2 software are installed. You do not need to pre-configure IBM DB2 to run the mksecldap command for LDAP server setup. When you run the mksecldap command to set up the server, the command will:
  1. Create a DB2® instance with ldapdb2 as the default instance name.
  2. If IBM Directory Server 6.0 or later is being configured, an LDAP server instance with the default name of ldapdb2 is created. A prompt is displayed for the encryption seed used to create the key stash files. The encryption seed must be at least 12 characters.
  3. Create a DB2 database with ldapdb2 as the default database name. If a database already exists, mksecldap bypasses these steps (this is the case when the LDAP server has already been set up for other usage) and uses the existing database to store the AIX user/group data.
  4. Create the base DN (suffix) of the directory information tree (DIT). It is required that the base DN start with one of these attributes: dc, o, ou, c, cn. If no baseDN is supplied from the command line, the default suffix is set to cn=aixdata and the user/group data is placed under the cn=aixdata DN. Otherwise, the mksecldap command uses the user-supplied DN specified with the -d option. Users and groups will be exported to LDAP using the sectoldif command. The directory information tree (DIT) that will be created by default is shown below.
                    <user supplied suffix>
                              |
                  --------------------------
                  |                        |
                ou=People                ou=Groups
  5. If -u NONE is not specified, export the data from the security database files on the local host into the LDAP database. If -u NONE is specified, mksecldap does not create the ou=People and ou=Groups containers as it normally would, nor does it export users and groups. Depending on the -S option, the mksecldap command exports users/groups using one of three LDAP schemas:
    • AIX - AIX schema (aixaccount and aixaccessgroup objectclasses)
    • RFC2307 - RFC 2307 schema (posixaccount, shadowaccount, and posixgroup objectclasses)
    • RFC2307AIX - RFC 2307 schema with full AIX support (posixaccount, shadowaccount, and posixgroup objectclasses, plus the aixauxaccount and aixauxgroup object classes).
  6. Set the LDAP server administrator DN and password.
  7. Set the server to listen on the port specified with the -n option. The default port is 389 for non-SSL connections; TLS also uses this port by default, and SSL uses 636.
  8. Updates the /usr/lib/security/methods.cfg file with the LDAP module configuration. If the -i option is given on the command line, it also sets up an LDAPA authentication-only module and a compound loadmodule (for example, LDAPAfiles when -i files is specified) in which LDAPA serves for authentication and the databaseModule serves for identification.
  9. Create the proxy entry if the -x and -X options are specified. Create an ACL for the base DN using the proxy entry. The default ACL can be found in /etc/security/ldap/proxyuser.ldif.template. The proxy entry can be used by client systems to bind to the server (see client setup section in this file).
  10. Set the server to use SSL (secure socket layer) or TLS (transport layer security) if the -k option is specified for secure data transfer between this server and the clients. You must install the GSKitv8 fileset and create an SSL or TLS key for this setup. You can install the GSKitv8 fileset after you mount the AIX 7.1 expansion pack DVD.
  11. Installs the /usr/ccs/lib/libsecldapaudit.a LDAP server plug-in. This plug-in supports AIX audit of the LDAP server.
  12. Start/restart the LDAP server after all the above is done.
  13. Add the LDAP server process (slapd) to /etc/inittab to have the LDAP server start after reboot.
Note: The -U option resets a previous setup for the server configuration file. It has no effect on the database. The first time the mksecldap command is run, it saves two copies of the server configuration file in the /etc/security/ldap directory. One is saved as the server configuration file name appended with .save.orig and the other is appended with .save. During each subsequent run of the mksecldap command, only the current server configuration is saved as a .save file. The undo option restores the server configuration file with the .save copy. In AIX 5.3 it is possible to invoke mksecldap -s in succession to create and populate multiple suffixes. If this has been performed then the .save.orig file will need to be manually restored in order to revert to the initial configuration file.
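The following shell script is an added example; it is not part of the AIX documentation or of mksecldap itself. It checks the inputs to a server setup against the rules stated above (base DN prefix, schema type, encryption seed length, key database required for an SSL/TLS connection type) and prints the mksecldap -s command line it would run, leaving the clear-text passwords as shell variables ($ADMIN_PW, $KEY_PW, $PROXY_PW) to be supplied at run time. The function names and those variable names are the example's own assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for "mksecldap -s" (not part of AIX or
# mksecldap). Function names and the $ADMIN_PW/$KEY_PW/$PROXY_PW
# placeholders are this example's own.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Server setup step 4: the base DN (suffix) must start with dc, o, ou, c or cn.
valid_base_dn() {
    case "$(lower "$1")" in
        dc=*|o=*|ou=*|c=*|cn=*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# -S: AIX, RFC2307 or RFC2307AIX. The page's examples pass the value in
# lowercase, so the check is case-insensitive.
valid_schema() {
    case "$(lower "$1")" in
        aix|rfc2307|rfc2307aix) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Server setup step 2: the encryption seed for the key stash files must be
# at least 12 characters. Check it before the interactive prompt appears.
valid_seed() { [ "${#1}" -ge 12 ]; }

# -j on the server side: ssl, tls, ssltls, sslonly or none.
valid_conn_type() {
    case "$(lower "$1")" in
        ssl|tls|ssltls|sslonly|none) return 0 ;;
        *)                           return 1 ;;
    esac
}

# build_server_cmd ADMIN_DN SCHEMA [BASE_DN] [KEYDB] [CONN_TYPE] [PROXY_DN]
# Validates the arguments and prints the command line; it does not run it.
# Passwords stay as $ADMIN_PW, $KEY_PW and $PROXY_PW because -p, -w and -X
# take clear-text values on the command line. Quote DNs containing spaces
# before pasting the printed line.
build_server_cmd() {
    admin=$1; schema=$2; base=$3; keydb=$4; conn=$5; proxy=$6
    valid_schema "$schema" || { echo "invalid -S value: $schema" >&2; return 1; }
    if [ -n "$base" ] && ! valid_base_dn "$base"; then
        echo "base DN must start with dc=, o=, ou=, c= or cn=: $base" >&2; return 1
    fi
    if [ -n "$conn" ] && ! valid_conn_type "$conn"; then
        echo "invalid -j value: $conn" >&2; return 1
    fi
    # SSL/TLS is enabled by -k (step 10), so any connection type other than
    # none needs a key database.
    case "$(lower "$conn")" in
        ""|none) ;;
        *) [ -n "$keydb" ] || { echo "-j $conn requires -k and -w" >&2; return 1; } ;;
    esac
    cmd="mksecldap -s -a $admin -p \$ADMIN_PW -S $schema"
    [ -z "$base" ]  || cmd="$cmd -d $base"
    [ -z "$keydb" ] || cmd="$cmd -k $keydb -w \$KEY_PW"
    [ -z "$conn" ]  || cmd="$cmd -j $conn"
    [ -z "$proxy" ] || cmd="$cmd -x $proxy -X \$PROXY_PW"
    printf '%s\n' "$cmd"
}

# Stand-alone run: example 2 from this page with an explicit TLS connection type.
build_server_cmd cn=admin rfc2307 o=mycompany,c=us /usr/ldap/serverkey.kdb tls ""
```

The script only validates and prints; run the printed line yourself once the password variables are set in the shell.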

Client Setup

Make sure that the LDAP client fileset is installed and that the LDAP server has been set up and is running. The mksecldap command performs the following steps during client setup:
  1. Saves the LDAP server(s)' host name.
  2. Saves the user base DN and group base DN of the server. If no -d option is supplied on the command line, the mksecldap command searches the LDAP server for the aixaccount, aixaccessgroup, posixaccount, posixgroup, and aixauxaccount objectclasses and sets up the base DNs accordingly. If the server has multiple user or group bases, you must supply the -d option with a Relative Distinguished Name (RDN) so that the mksecldap command can set the base DNs to the ones within that RDN.
    If the posixaccount objectclass is found during client setup, mksecldap will also try to search for base DNs for the following entities from the server and save any that are found:
    • hosts
    • networks
    • services
    • netgroups
    • protocols
    • rpc
    • authorizations
    • roles
    • privcmds
    • privdevs
    • privfiles
    • usrkeystore
    • grpkeystore
    • efscookies
    • admkeystore
    • domains
    • domobjs
  3. Determines the schema type used by the LDAP server: AIX specific schema, RFC 2307 schema, RFC 2307 schema with full AIX support, or Microsoft Services for UNIX 3.0 schema. It sets the objectclasses and attribute maps in the /etc/security/ldap/ldap.cfg file accordingly. The mksecldap command does not recognize other schema types, so clients using them must be set up manually.
  4. Sets SSL or TLS for secure data transfer between this host and the LDAP server. This step requires that the client SSL or TLS key and the key password are created in advance, and the server must be setup to use SSL or TLS for the client SSL or TLS to work. SSL or TLS functionality requires the installation of the GSKitv8 fileset. You can install the GSKitv8 fileset after you mount the AIX 7.1 Expansion pack DVD.
  5. Encrypts the bind password.
  6. Saves the LDAP server bind DN and password. The DN/password pair must exist on the LDAP server. If the bind DN and password are not given, mksecldap uses anonymous bind. Some of the data might not be returned from the LDAP server with anonymous bind. Consult your LDAP administrator before you choose anonymous bind.
  7. Sets the optionally specified configuration values as defined in the client setup flags section.
  8. Optionally sets the list of users or all users to use LDAP by modifying their SYSTEM line in the /etc/security/user file. For more information on enabling LDAP login, see the following note.
  9. Starts the client daemon process (secldapclntd).
  10. Adds the client side daemon process to /etc/inittab to have this daemon start after a reboot.
Note: All client configuration data is saved to the /etc/security/ldap/ldap.cfg configuration file. The -U option resets a previous setup of the /etc/security/ldap/ldap.cfg file by replacing the file with the configuration stored in /etc/security/ldap/ldap.cfg.save. Setting SYSTEM to LDAP in the default stanza of /etc/security/user allows only LDAP users to log in to the system. Setting SYSTEM to "LDAP or compat" allows both LDAP users and local users to log in to the system.

Flags

For Server Setup

Item Description
-a AdminDN Specifies the LDAP server administrator DN.
-d baseDN Specifies the suffix or base DN of the AIX subtree. The default is cn=aixdata.
-j <ssl|tls|ssltls|none|sslonly> Specifies the encryption connection type used for communication with the LDAP clients. Valid values are ssl, tls, ssltls, sslonly, and none. If the -k and -w flags are specified without the -j flag, the default connection type is ssl.
-k SSLkeypath Specifies the full path to the SSL or TLS key database of the server.
-n port Specifies the port number that the LDAP server listens to. Default is 389 for non-SSL and 636 for SSL.
-p adminpasswd Specifies the clear text password for the administrator DN.
-S schematype Specifies the LDAP schema used to represent user/group entries in the LDAP server. Valid values are AIX, RFC2307, and RFC2307AIX.
-s Indicates that the command is being run to setup the server.
-w SSLkeypasswd Specifies the password for the SSL or TLS key database.
-U Specifies to undo the previous server setup to the LDAP configuration file. The database is not affected.
-u NONE Specifies not to migrate users and groups from the local system. The only valid value is NONE. Any other value is ignored. When this option is used, mksecldap does not create the ou=People and ou=Groups containers as it normally would, nor does it export users and groups. No -S option is required with this option.
-v LDAPVersion Denotes a specific version of the LDAP server fileset to configure. The value must be in the format #.# where # is a number. For example, 6.0. If not specified, the mksecldap command configures the most recent version of the LDAP server fileset that is installed.
-X proxypasswd Specifies the password for the proxy DN.
-x proxyDN Specifies the DN of the proxy entry. This entry can be used by client systems to bind to this server.

For Client Setup

Item Description
-a bindDN Specifies the DN to bind to the LDAP server. The DN must exist on the LDAP server. If authtype is unix_auth, bindDN must have read access to the userPassword field on the LDAP server. Without the -a option, mksecldap configures anonymous bind.
Note: Some of the data might not be retrieved from the LDAP server with anonymous bind. Consult your LDAP server administrator about using anonymous bind.
-A authType Specifies the authentication mechanism used to authenticate users. Valid values are unix_auth and ldap_auth. The default is unix_auth. The values are defined as follows:
  • unix_auth - Retrieve user password from LDAP and perform authentication locally.
  • ldap_auth - Bind to LDAP server, sending password in clear text, for authentication.
Note: When using ldap_auth type authentication, the use of SSL or TLS is strongly recommended since during authentication passwords will be sent in clear text to the LDAP server.
-i databaseModule Specifies the configuration of LDAP as the authentication-only module (LDAPA) of a compound loadmodule. The databaseModule option specifies the database module of the compound loadmodule.
-j <ssl|tls> Specifies the encryption connection type that is used during the communication with the LDAP server. Valid values are SSL and TLS. If the -k and -w flags are specified without the -j flag, the default connection type is SSL.
-c Indicates the command is being run to setup the client.
-C cachesize Specifies the maximum number of user entries that can be held in the client-side daemon cache. The valid range for the user cache is 100-65536; the default is 1000. The valid range for the group cache is 10-65536; the default is 100. If you set the user cache size with the -C option of the start-secldapclntd command, the group cache is set to 10% of the user cache.
-D defaultEntryLocation Specifies the location of the default entry. Valid values are ldap and local. The default is ldap. The values are defined as follows:
  • ldap - Use the default entry in LDAP for all attribute default values.
  • local - Use the default stanza from local /etc/security/user file for all attribute default values.
-d baseDN Specifies the base DN for the mksecldap command to search for the user base DN and group base DN. If not specified from the command line, the entire database is searched.
-h serverlist Specifies a comma separated list of hostnames (server and backup servers).
-k SSLkeypath Specifies the full path to the client SSL or TLS key database.
-M searchMode Specifies the set of user and group attributes to be retrieved. Valid values are ALL and OS. The default is ALL. The values are defined as follows:
  • ALL - Retrieve all attributes of an entry.
  • OS - Retrieve only the operating system required attributes of an entry. Non-OS attributes like telephone number, binary images etc. will not be returned.
Note: Use OS only when entries have many non-OS required attributes or attributes with large value, e.g. binary data, to reduce sorting effort by the LDAP server.
-n serverport Specifies the port number that the LDAP server is listening to.
-p bindpasswd Specifies the clear text password for the bindDN used to bind to the LDAP server.
-P NumberofThreads Specifies the number of threads that the client side daemon uses. Valid values are 1-256. The default value is 10.
-t cachetimeout Specifies the maximum time, in seconds, that a cache entry remains valid before it expires. Valid values are 60-3600 seconds. The default is 300 seconds. Set this value to 0 to disable caching.
-T heartBeatInt Specifies the time interval of heartbeat between this client and the LDAP server. Valid values are 60-3600 seconds. Default is 300.
-u userlist Specifies the comma separated list of user names to enable for LDAP authentication. These users will have their registry and SYSTEM attributes set to use LDAP. Specify ALL to enable all users on the client.
Note: Alternatively, the SYSTEM attribute in the default stanza of /etc/security/user can be set to LDAP, allowing only LDAP users to log in. Setting the SYSTEM attribute to LDAP or compat allows both LDAP users and local users to log in to the system.
-w SSLkeypasswd Specifies the password for the client SSL or TLS key database.
-U Specifies to undo the previous client setup to the LDAP client configuration file.

Security

A user with the aix.security.ldap authorization is authorized to use this command.

Examples

  1. To set up an LDAP server with the RFC2307AIX schema for users and groups, enter:
    mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix
    This sets up an LDAP server with LDAP server administrator DN being cn=admin, password being adminpwd. User and group data is exported from local files to the default cn=aixdata suffix using RFC2307AIX schema.
  2. To set up an LDAP server with a baseDN other than the default and with SSL secure communication, enter:
    mksecldap -s -a cn=admin -p adminpwd -d o=mycompany,c=us -S rfc2307 -k /usr/ldap/serverkey.kdb -w keypwd
    This sets up an LDAP server with LDAP server administrator DN being cn=admin, password being adminpwd. User and group data is exported from local files to the o=mycompany,c=us suffix using RFC2307 schema. The LDAP server uses SSL communications by using the key stored at /usr/ldap/serverkey.kdb. The password to the key, keypwd, must also be supplied.
  3. To set up an LDAP server with the RFC2307AIX schema type and create a proxy account, enter:
    mksecldap -s -a cn=admin -p adminpwd -d c=us -S rfc2307aix -x cn=proxy,c=us -X proxypwd
    This sets up an LDAP server with LDAP server administrator DN being cn=admin, password being adminpwd. User and group data is exported from local files to the c=us suffix using the RFC2307AIX schema. A proxy identity is set up with DN cn=proxy,c=us and password proxypwd. The ACL specified in /etc/security/ldap/proxyuser.ldif.template is also applied on the server for the cn=proxy,c=us DN.
  4. To undo a previous server setup:
    mksecldap -s -U 
    This undoes the previous setup of the server configuration file. Note that, for safety reasons, this does not remove any database entries or any database created by a previous setup. Remove the database entries or the database manually if they are no longer needed.
  5. To set up a client to use the server1.ibm.com and server2.ibm.com LDAP servers, enter:
    mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com,server2.ibm.com
    The LDAP server administrator DN and password are supplied for this client to authenticate to the server. The mksecldap command contacts the LDAP server for the schema type used and sets up the client accordingly. Without the -d option on the command line, the entire server DIT is searched for the user base DN and the group base DN. Binding every client with the administrator DN gives each client the administrator's full access to the directory; a proxy entry with a restricted ACL, as in example 7, limits what a compromised client can do.
  6. To set up the client to talk to the server3.ibm.com LDAP server using SSL, enter:
    mksecldap -c -a cn=admin -p adminpwd -h server3.ibm.com -d o=mycompany,c=us -k /usr/ldap/clientkey.kdb -w keypwd -u user1,user2
    This sets up an LDAP client similar to example 5, but with SSL communication. The mksecldap command searches the o=mycompany,c=us RDN for the user base DN and group base DN. Accounts user1 and user2 are configured to authenticate through LDAP.
    Note: The -u ALL option enables all LDAP users to log in to this client.
  7. To set up a client to talk to server4.ibm.com and use ldap_auth authentication with a proxy bind, enter:
    mksecldap -c -a cn=proxy,c=us -p proxypwd -h server4.ibm.com -A ldap_auth
    This sets up an LDAP client to bind to the LDAP server with the cn=proxy,c=us DN. Because the administrator DN is not used, the access granted to the client is dependent on the ACL setup on the LDAP server for the cn=proxy,c=us DN. The client is also setup to use ldap_auth-type authentication which sends passwords in clear text to the LDAP server for comparison.
    Note: When using ldap_auth-type authentication, the use of SSL or TLS is strongly recommended because during authentication passwords will be sent in clear text to the LDAP server.
  8. To undo a previous client setup, enter:
    mksecldap -c -U
    This undoes the previous setup to the /etc/security/ldap/ldap.cfg file. This does not remove the SYSTEM=LDAP and registry=LDAP entries from the /etc/security/user file.
  9. To set up a client using LDAP as the authentication-only module and files for user identification, enter:
    mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com -i files -A ldap_auth
    This sets up an LDAPAfiles compound loadmodule, where the module LDAPA is used for user authentication and files is used for user identification. Authentication is set to ldap_auth.
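The following shell script is an added example; it is not part of the AIX documentation or of mksecldap. It covers Client Setup steps 6-8 and example 8: it reads the authentication type, bind DN and SSL setting from an ldap.cfg-style file and flags ldap_auth over an unencrypted connection and anonymous binds, and it lists the stanzas in /etc/security/user whose SYSTEM or registry attribute still references LDAP, which mksecldap -c -U leaves in place. The sample ldap.cfg and /etc/security/user contents are constructed here; the ldap.cfg key names (ldapservers, binddn, bindpwd, authtype, useSSL) are assumed from the AIX ldap.cfg format and are not listed on this page, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit an AIX LDAP client after "mksecldap -c" (not part of
# AIX or mksecldap). The sample files below are constructed; ldap.cfg key
# names are assumed from the AIX ldap.cfg format; function names are this
# example's own.

# cfg_get FILE KEY: value of KEY from a "key:value" file, '#' lines ignored.
cfg_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# stanza_get FILE STANZA ATTR: ATTR from STANZA in an AIX stanza file such
# as /etc/security/user (a "name:" header followed by indented "attr = value").
stanza_get() {
    awk -v s="$2:" -v a="$3" '
        /^[^ \t#].*:[ \t]*$/ { cur = $1; next }
        cur == s && $1 == a { sub(/^[^=]*=[ \t]*/, ""); gsub(/"/, ""); print; exit }
    ' "$1"
}

# ldap_enabled_users FILE: stanzas whose SYSTEM or registry attribute mentions
# LDAP. "mksecldap -c -U" does not revert these entries (example 8), so
# check them after an undo.
ldap_enabled_users() {
    awk '
        /^[^ \t#].*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        ($1 == "SYSTEM" || $1 == "registry") && toupper($0) ~ /LDAP/ { seen[cur] = 1 }
        END { for (u in seen) print u }
    ' "$1" | sort
}

# audit_ldap_cfg FILE: returns 0 when the client does not send passwords in
# clear text, 1 when authtype is ldap_auth without SSL/TLS (the case the -A
# flag description warns about). Anonymous bind is reported but not fatal.
audit_ldap_cfg() {
    authtype=$(cfg_get "$1" authtype)
    usessl=$(cfg_get "$1" useSSL)
    binddn=$(cfg_get "$1" binddn)
    rc=0
    if [ -z "$binddn" ]; then
        echo "WARN: anonymous bind; some data may not be returned by the server"
    fi
    case "$(printf '%s' "$usessl" | tr 'A-Z' 'a-z')" in
        yes|ssl|tls) enc=1 ;;   # assumed useSSL values; "no" is the clear case
        *)           enc=0 ;;
    esac
    if [ "$authtype" = "ldap_auth" ] && [ "$enc" -eq 0 ]; then
        echo "FAIL: authtype=ldap_auth without SSL/TLS; passwords cross the network in clear text"
        rc=1
    fi
    return $rc
}

# make_samples DIR: constructed files in the shape left by
# "mksecldap -c -a cn=proxy,c=us -p ... -h server4.ibm.com -A ldap_auth -u user1,user2"
make_samples() {
    cat > "$1/ldap.cfg" <<'EOF'
# constructed sample of /etc/security/ldap/ldap.cfg
ldapservers:server4.ibm.com
binddn:cn=proxy,c=us
bindpwd:ENCRYPTED_BY_MKSECLDAP
authtype:ldap_auth
useSSL:no
userbasedn:ou=People,c=us
groupbasedn:ou=Groups,c=us
EOF
    cat > "$1/user" <<'EOF'
default:
        admin = false
        login = true
        SYSTEM = "compat"
        registry = files

root:
        admin = true
        SYSTEM = "compat"

user1:
        SYSTEM = "LDAP"
        registry = LDAP

user2:
        SYSTEM = "LDAP or compat"
        registry = LDAP
EOF
}

# Stand-alone run over the constructed samples.
run_audit() {
    dir=$(mktemp -d)
    make_samples "$dir"
    echo "default SYSTEM: $(stanza_get "$dir/user" default SYSTEM)"
    echo "LDAP-enabled users: $(ldap_enabled_users "$dir/user" | tr '\n' ' ')"
    audit_ldap_cfg "$dir/ldap.cfg"; rc=$?
    rm -rf "$dir"
    return $rc
}
if run_audit; then echo "audit: OK"; else echo "audit: problems found"; fi
```

On a real client, point the functions at /etc/security/ldap/ldap.cfg and /etc/security/user instead of the constructed files; the sample deliberately reproduces example 7's ldap_auth-without-SSL setup so the FAIL path is exercised.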

Files Accessed

Mode File
r /etc/passwd
r /etc/group
r /etc/security/passwd
r /etc/security/limits
r /etc/security/user (on the server)
rw /etc/security/user (on the clients)
r /etc/security/environ
r /etc/security/user.roles
r /etc/security/lastlog
r /etc/security/smitacl.user
r /etc/security/mac_user
r /etc/security/group
r /etc/security/smitacl.group
r /etc/security/roles
rw /etc/security/login.cfg (on the server)
rw /etc/slapd32.conf (on the server)
rw /etc/security/ldap/ldap.cfg (on the client)