LDAP user management

You can manage users and groups on an LDAP security information server from any LDAP client by using high-level commands.

You can also manage users and groups that are defined through LDAP and other authentication load modules, such as DCE, NIS, and KRB5, by using the high-level commands with the -R flag. For more information about the -R flag, refer to the description of each user or group management command.

To enable a user to authenticate through LDAP, run the chuser command to change the user's SYSTEM attribute value to LDAP. By setting the SYSTEM attribute value according to the defined syntax, a user can be authenticated through more than one load module, such as compat and LDAP. For more information on setting users' authentication methods, see the User authentication topic and the SYSTEM attribute syntax that is defined in the /etc/security/user file.

A user can become an LDAP user at client setup time by running the mksecldap command with the -u flag as shown in one of the following forms:

  • mksecldap -c -u user1,user2,...

    Where the user1, user2,... parameter is a comma-separated list of users. The users in this list can be either locally defined or remote LDAP-defined users. The SYSTEM attribute is set to LDAP in each of these users' stanzas in the /etc/security/user file, so they can be authenticated only through LDAP. The users in this list must exist on the LDAP security information server; otherwise, they cannot log in from this host. To allow authentication through multiple methods, such as local and LDAP, run the chuser command to modify the SYSTEM attribute afterwards.

  • mksecldap -c -u ALL

    This command sets the SYSTEM attribute to LDAP in each user's stanza in the /etc/security/user file for all locally defined users, so all such users authenticate only through LDAP. The locally defined users must exist on the LDAP security information server; otherwise, they cannot log in from this host. A user that is defined on the LDAP server but not defined locally cannot log in from this host. To allow a remote LDAP-defined user to log in from this host, run the chuser command to set the SYSTEM attribute to LDAP for that user.

Alternatively, you can enable all LDAP users, whether they are defined locally or not, to authenticate through LDAP on a local host by modifying the "default" stanza of the /etc/security/user file so that its SYSTEM attribute has the value "LDAP". All users that do not have a value defined for their own SYSTEM attribute use the value defined in the default stanza. For example, if the default stanza contains SYSTEM = "compat", changing it to SYSTEM = "compat OR LDAP" allows all LDAP users to authenticate either through the local AIX® mechanism (compat) or through LDAP. Changing the default stanza to SYSTEM = "LDAP" makes these users authenticate exclusively through LDAP. Users who have their own SYSTEM attribute value defined are not affected by the default stanza.
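As an added example (not part of this document or of AIX itself), the following Python script resolves each user's effective SYSTEM value from a constructed /etc/security/user-style stanza file, applying the default-stanza rule described above, lists the users who can authenticate only through LDAP (and so must exist on the LDAP security information server), and shows how changing the default stanza changes that set while explicitly configured users are unaffected. The stanza parser and the splitting of SYSTEM expressions on OR/AND are simplified assumptions; the sample file content is constructed.

```python
import re

# Constructed sample in /etc/security/user stanza format (not copied from any real host).
SAMPLE = """\
default:
\tadmin = false
\tSYSTEM = "compat"

alice:
\tSYSTEM = "LDAP"

bob:
\tSYSTEM = "compat OR LDAP"

carol:
\tlogin = true
"""

def parse_stanzas(text):
    """Parse stanza text into {stanza: {attr: value}}; surrounding quotes are stripped."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):  # '*' starts a comment
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            stanzas[current][key.strip()] = val.strip().strip('"')
    return stanzas

def effective_system(stanzas, user):
    """Explicit SYSTEM from the user's own stanza, otherwise the default stanza's value."""
    return stanzas.get(user, {}).get("SYSTEM") or stanzas.get("default", {}).get("SYSTEM", "compat")

def auth_methods(expr):
    """Load-module names in a SYSTEM expression such as 'compat OR LDAP' (simplified split)."""
    return [w for w in re.sub(r"[()]", " ", expr).split() if w.upper() not in ("OR", "AND")]

def ldap_only_users(text):
    """Users whose effective SYSTEM is exactly LDAP: they must exist on the LDAP server to log in."""
    stanzas = parse_stanzas(text)
    return sorted(u for u in stanzas if u != "default"
                  and auth_methods(effective_system(stanzas, u)) == ["LDAP"])

def set_default_system(text, value):
    """Rewrite the default stanza's SYSTEM value, e.g. to 'compat OR LDAP' as described above."""
    pattern = r'(?m)^(default:\n(?:[ \t].*\n)*?[ \t]+SYSTEM[ \t]*=[ \t]*)"[^"]*"'
    return re.sub(pattern, lambda m: m.group(1) + '"' + value + '"', text, count=1)
```

With the sample as given only alice is LDAP-only; after set_default_system(SAMPLE, "LDAP"), carol (who has no SYSTEM of her own) joins that list while bob keeps "compat OR LDAP".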