Setting up an IBM Security Directory Server

To set up a system as an LDAP security information server that serves authentication, user, and group information through LDAP, you must first install the LDAP server and client packages.

If the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) support is required, you must also install the Global Security Kit Version 8 (GSKitV8) package for the IBM Security Directory Server version 6.4. The system administrator must create a key database by using the GSKit key management command. You can use either the gsk8capicmd or gsk8capicmd_64 command that is available with the GSKitV8 package. For more information about configuring the LDAP server to use SSL, see the Secure Communication with SSL topic.

You must set up the LDAP server before setting up the client. To install and set up the LDAP server, complete the following steps.
  1. Install the GSKit-related filesets as the root user.
    1. Mount the AIX 7.2 expansion pack DVD.
    2. Change the directory to the GSKit fileset location.
      cd <mount_point>/installp/ppc
  2. Run the installp command to install all of the GSKit packages.
    • To install the GSKit 64-bit packages, enter the following commands:
      installp -acXgYd . GSKit8.gskcrypt64.ppc.rte
      installp -acXgYd . GSKit8.gskssl64.ppc.rte
    • To install the GSKit 32-bit packages, enter the following commands:
      installp -acXgYd . GSKit8.gskcrypt32.ppc.rte
      installp -acXgYd . GSKit8.gskssl32.ppc.rte
      Note: You can also use SMIT or SMITTY to install the GSKit filesets from the DVD.
  3. Install the IBM Db2 Database Version 10.5.
    1. Mount the second volume (volume 2 of 2) of the AIX 7.2 DVD.
    2. Change the directory to the IBM Db2 Database Version 10.5 location.
      cd <mount_point>/ismp/ppc/db2_10_05*
    3. Open the setupaix.bin file to install the Db2 server in the /opt/IBM/db2/V10.5 folder and add it to the Vital Product Database (VPD). Adding the Db2 server to the VPD allows the lslpp command to list the Db2 server. If you do not have a graphical user interface (GUI), you can use the db2_install command to install the Db2 server.
      ./db2_install
      Choose either the default installation folder, /opt/IBM/db2/V10.5, or provide a custom folder on the same system.
      Choose SERVER as the Db2 product that needs to be installed.
      Choose NO for the Db2 pureScale feature.
    4. Apply the IBM Db2 Database Version 10.5 license. You must be in the <mount_point>/ismp/ppc/db2_10_05* path when you run the following command:
      <db2_installation_folder>/adm/db2licm -a ./db2/license/db2ese_t.lic
  4. Install the idsldap client and the server filesets as the root user.
    1. Mount the second volume (volume 2 of 2) of the AIX 7.2 DVD.
    2. Run the idsLicense command.
      cd <mount_point>/license
      ./idsLicense
  5. If you agree to accept the terms in the software license agreement, enter the number 1 from the following list of available options:
    1: To accept the license agreement.
    2: To decline the license agreement and exit the installation.
    3: To print the license agreement.
    4: To read non-IBM terms in the license agreement.
    99: To go back to the previous screen.

    On accepting the terms in the software license agreement, a LAPID file and a license folder are created in the IBM Security Directory Server installation location. The license folder contains the IBM Security Directory Server license files in all of the supported languages.

  6. Determine the IBM Security Directory Server idsldap client packages that you need to install.
    • For non-SSL LDAP client and server functionality, install the following filesets:
      • idsldap.license64
      • idsldap.cltbase64
      • idsldap.clt32bit64
      • idsldap.clt64bit64
      • idsldap.cltjava64
      • idsldap.msg64.en_US
      • idsldap.srvbase64bit64
      • idsldap.srv64bit64
      • idsldap.srvproxy64bit64
    • For SSL LDAP client and server functionality, install the following filesets:
      • idsldap.license64
      • idsldap.cltbase64
      • idsldap.clt32bit64
      • idsldap.clt64bit64
      • idsldap.clt_max_crypto32bit64
      • idsldap.clt_max_crypto64bit64
      • idsldap.cltjava64
      • idsldap.msg64.en_US
      • idsldap.srvbase64bit64
      • idsldap.srv64bit64
      • idsldap.srvproxy64bit64
      • idsldap.srv_max_cryptobase64bit64
        Note: SSL functionality requires the installation of GSKitv8 filesets.
    • To obtain the IBM Security Directory Server Web Administration Tool, install the following filesets:
      • idsldap.webadmin64
      • idsldap.webadmin_max_crypto64 (SSL enabled)

    When you install the IBM Security Directory Server Web Administration Tool, only the IDSWebApp.war file is placed in the /opt/IBM/ldap/V6.4/idstools/ folder. You must have a supported level of the WebSphere Application Server in which you can deploy the WAR file. For more information about deploying the Web Administration Tool, refer to the Manual deployment of Web Administration Tool topic.

  7. Run the following commands to install the IBM Directory Server idsldap client packages.
    • To install one or more of the IBM Security Directory Server idsldap client packages, run the following commands:
      cd <mount_point>/installp/ppc/
      installp -acXgYd . <package_names>
    • To install all of the IBM Security Directory Server packages from the current path, run the following command:
      installp -acXgYd . idsldap
  8. Verify whether the IBM Security Directory Server installation was successful by checking the system-generated installation summary.
    Note: You can also use SMIT or SMITTY to install the identified filesets and packages from the DVD.
  9. To configure the server, run the mksecldap command by replacing the values according to your environment:
    mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix
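The fileset lists in step 6 and the verification in step 8 can be made explicit rather than read off the installp summary. The following script is an added example and is not part of the IBM documentation: it encodes the fileset sets named above (the SSL set also includes the GSKit8 filesets from step 2, per the note in step 6) and reports which required filesets are absent from a list of installed fileset names. The installed list here is constructed inline; on a real AIX system it would come from, for example, `lslpp -Lqc | cut -d: -f2`.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: select the fileset set for a given
# install mode and check an installed-fileset list against it.

# Fileset names exactly as listed in the procedure above.
idsldap_filesets() {
    case "$1" in
        nossl)
            printf '%s\n' idsldap.license64 idsldap.cltbase64 idsldap.clt32bit64 \
                idsldap.clt64bit64 idsldap.cltjava64 idsldap.msg64.en_US \
                idsldap.srvbase64bit64 idsldap.srv64bit64 idsldap.srvproxy64bit64 ;;
        ssl)
            idsldap_filesets nossl
            printf '%s\n' idsldap.clt_max_crypto32bit64 idsldap.clt_max_crypto64bit64 \
                idsldap.srv_max_cryptobase64bit64 \
                GSKit8.gskcrypt64.ppc.rte GSKit8.gskssl64.ppc.rte \
                GSKit8.gskcrypt32.ppc.rte GSKit8.gskssl32.ppc.rte ;;
        webadmin)
            printf '%s\n' idsldap.webadmin64 idsldap.webadmin_max_crypto64 ;;
        *)  echo "usage: idsldap_filesets nossl|ssl|webadmin" >&2; return 2 ;;
    esac
}

# Print each required fileset that is not in the installed list.
# $1 = mode, $2 = file with one installed fileset name per line.
# Returns 0 when nothing is missing, 1 when something is, 2 on a bad mode.
missing_filesets() {
    idsldap_filesets "$1" >/dev/null || return 2
    rc=0
    for fs in $(idsldap_filesets "$1"); do
        if ! grep -qx "$fs" "$2"; then
            echo "missing: $fs"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a non-SSL install that omitted the proxy server fileset.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' idsldap.license64 idsldap.cltbase64 idsldap.clt32bit64 \
    idsldap.clt64bit64 idsldap.cltjava64 idsldap.msg64.en_US \
    idsldap.srvbase64bit64 idsldap.srv64bit64 > "$SAMPLE"

missing_filesets nossl "$SAMPLE" || echo "install is incomplete; rerun installp for the filesets above"
```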

The mksecldap command establishes the LDAP server and its back-end database named ldapdb2, populates the LDAP server with the user and group information from the local host, and sets the LDAP server administrator distinguished name (DN) and password. Optionally, it can set up SSL for client and server communication. The mksecldap command also adds an entry to the /etc/inittab file to start the LDAP server at every restart. For more information about the mksecldap command, see the mksecldap topic.

AIX® users and groups are stored in the LDAP server by using one of the following schemas:
AIX schema
Includes aixAccount and aixAccessGroup object class. This schema offers a full set of attributes for AIX users and groups.
RFC 2307 schema
Includes posixAccount, shadowAccount, and posixGroup object class and is used by the directory products of several vendors. The RFC 2307 schema defines only a small subset of attributes that AIX uses.
RFC2307AIX schema
Includes posixAccount, shadowAccount, and posixGroup object classes plus the aixAuxAccount and aixAuxGroup object classes. The aixAuxAccount and aixAuxGroup object classes provide the attributes that are used by AIX but not defined by the RFC 2307 schema.

Using the RFC2307AIX schema type for users and groups is highly recommended. The RFC2307AIX schema type is fully compliant with RFC 2307 and adds extra attributes to support more AIX user management functionality. An IBM® Tivoli® Directory Server configured with the RFC2307AIX schema not only supports AIX LDAP clients, but also other RFC 2307 compliant UNIX and Linux® LDAP clients.

All of the user and group information is stored under a common AIX tree (suffix). The default suffix is "cn=aixdata". The mksecldap command accepts a user-supplied suffix through the -d flag. The names of the subtrees created for users, groups, IDs, and so on are controlled by the sectoldif.cfg configuration file. Refer to the sectoldif.cfg file for more information.

The AIX tree is ACL (Access Control List) protected. The default ACL grants administrative privilege only to the entity specified as the administrator with the -a command option. Additional privilege can be granted to a proxy identity if the -x and -X command options are used. Using these options creates the proxy identity and configures its access privilege as defined in the /etc/security/ldap/proxy.ldif.template file. Creating a proxy identity allows LDAP clients to bind to the server without using the administrator identity, which keeps administrator privileges on the LDAP server away from clients.

You can run the mksecldap command on an LDAP server that is already set up for other purposes, for example, for user ID lookup. In this case, mksecldap adds the AIX tree to the existing LDAP server and populates it with the AIX security information. This tree is ACL-protected independently from the other existing trees.
Note: You should back up the existing LDAP server before you run the mksecldap command to expand the server into an AIX security information server.

After the LDAP security information server is successfully set up, you can set up the same host as a client to manage the LDAP users and groups and allow LDAP users to log on to this server.

If the LDAP security information server setup is not successful, you can undo the setup by running the mksecldap command with the -U flag. This restores the ibmslapd.conf, slapd.conf, or slapd32.conf file to its pre-setup state. Run the mksecldap command with the -U flag after any unsuccessful setup attempt before trying to run the mksecldap command again. Otherwise, residual setup information might remain in the configuration file and cause a subsequent setup to fail. As a safety precaution, the undo option does nothing to the database or its data, because the database could have existed before the mksecldap command was run. Remove any database manually if it was created by the mksecldap command. If the mksecldap command added data to a pre-existing database, decide what steps to take to recover from the failed setup attempt.