Sets up an AIX® system as an LDAP server or client for security authentication and data management.
The syntax to set up a server is:
mksecldap -s -a adminDN -p adminpasswd -S schematype [ -d baseDN ] [ -n port ] [ -k SSLkeypath ] [ -w SSLkeypasswd ] [ -x proxyDN -X proxypasswd ] [ -u NONE ] [ -v LDAPVersion ] [ -U ] [ -j <ssl|tls|ssltls|none|sslonly> ]
The syntax to set up a client is:
mksecldap -c -h serverlist -a bindDN -p bindpwd [ -d baseDN ] [ -n serverport ] [ -k SSLkeypath ] [ -w SSLkeypasswd ] [ -t cachetimeout ] [ -C cachesize ] [ -P NumberofThreads ] [ -T heartBeatInt ] [ -M searchMode ] [ -D defaultEntry ] [ -A authType ] [ -i databaseModule ] [ -u userlist ] [ -U ] [ -j <ssl|tls> ]
Server Setup

Unless -u NONE is given, the server setup exports the local users and groups into the following tree beneath the suffix supplied with -d (default cn=aixdata):

    <user supplied suffix>
              |
        ---------------
        |             |
    ou=People     ou=Groups
Client Setup
For Server Setup
Item | Description |
---|---|
-a AdminDN | Specifies the LDAP server administrator DN. |
-d baseDN | Specifies the suffix or base DN of the AIX subtree. The default is cn=aixdata. |
-j <ssl|tls|ssltls|none|sslonly> | Specifies the encryption connection type that is used during communication with the LDAP clients. Valid values are SSL, TLS, SSLTLS, and SSLONLY. If the -k and -w flags are specified without the -j flag, the default connection type is SSL. |
-k SSLkeypath | Specifies the full path to the SSL or TLS key database of the server. |
-n port | Specifies the port number that the LDAP server listens to. Default is 389 for non-SSL and 636 for SSL. |
-p adminpasswd | Specifies the clear text password for the administrator DN. |
-S schematype | Specifies the LDAP schema used to represent user/group entries in the LDAP server. Valid values are AIX, RFC2307, and RFC2307AIX. |
-s | Indicates that the command is being run to setup the server. |
-w SSLkeypasswd | Specifies the password for the SSL or TLS key. |
-U | Specifies to undo the previous server setup to the LDAP configuration file. The database is not affected. |
-u NONE | Specifies not to migrate users and groups from the local system. The only valid value is NONE; any other value is ignored. When this option is used, mksecldap does not create the ou=People and ou=Groups containers as it normally would, nor does it export users and groups. No -S option is required with this option. |
-v LDAPVersion | Denotes a specific version of the LDAP server fileset to configure. The value must be in the format #.# where # is a number. For example, 6.0. If not specified, the mksecldap command configures the most recent version of the LDAP server fileset that is installed. |
-X proxypasswd | Specifies the password for the proxy DN. |
-x proxyDN | Specifies the DN of the proxy entry. This entry can be used by client systems to bind to this server. |
For Client Setup
Item | Description |
---|---|
-a bindDN | Specifies the DN to bind to the LDAP server. The DN must exist on the LDAP server. If authType is unix_auth, bindDN must have read access to the userPassword attribute on the LDAP server. Without the -a option, mksecldap configures anonymous bind. Note: Some of the data might not be retrievable from the LDAP server with anonymous bind. Consult your LDAP server administrator before relying on anonymous bind. |
-A authType | Specifies the authentication mechanism used to authenticate users. Valid values are unix_auth and ldap_auth. The default is unix_auth. The values are defined as follows: unix_auth: the client reads the user's userPassword attribute from the LDAP server (which is why bindDN needs read access to it) and compares the supplied password locally. ldap_auth: the client binds to the LDAP server with the user's DN and the supplied password, and the server performs the comparison. Note: When using ldap_auth type authentication, the use of SSL or TLS is strongly recommended, since during authentication passwords are sent in clear text to the LDAP server. |
-i databaseModule | Specifies the configuration of LDAP as the authentication-only module (LDAPA) of a compound loadmodule. The databaseModule option specifies the database module of the compound loadmodule. |
-j <ssl|tls> | Specifies the encryption connection type that is used during communication with the LDAP server. Valid values are SSL and TLS. If the -k and -w flags are specified without the -j flag, the default connection type is SSL. |
-c | Indicates that the command is being run to set up the client. |
-C Cachesize | Specifies the maximum number of user entries held in the client-side daemon cache. Valid values are 100-10,000 for the user cache. The default value is 1,000. The group cache is 10% of the user cache. |
-D defaultEntryLocation | Specifies the location of the default entry. Valid values are ldap and local. The default is ldap. The values are defined as follows: ldap: the default entry is read from the LDAP server. local: the default stanza of the client's /etc/security/user file is used. |
-d baseDN | Specifies the base DN for the mksecldap command to search for the user base DN and group base DN. If not specified on the command line, the entire database is searched. |
-h serverlist | Specifies a comma-separated list of host names (server and backup servers). |
-k SSLkeypath | Specifies the full path to the client SSL or TLS key. |
-M searchMode | Specifies the set of user and group attributes to be retrieved. Valid values are ALL and OS. The default is ALL. The values are defined as follows: ALL: retrieves all attributes of an entry. OS: retrieves only the attributes the operating system requires. Note: Use OS only when entries have many attributes the operating system does not require, or attributes with large values such as binary data, to reduce the sorting effort on the LDAP server. |
-n serverport | Specifies the port number that the LDAP server is listening on. |
-p bindpasswd | Specifies the clear text password for the bindDN used to bind to the LDAP server. |
-P NumberofThreads | Specifies the number of threads the client-side daemon uses. Valid values are 1-1,000. The default is 10. |
-t Cachetimeout | Specifies the time, in seconds, after which a cache entry expires. Valid values are 60-3,600 seconds. The default is 300 seconds. Set this value to 0 to disable caching. |
-T heartBeatInt | Specifies the heartbeat interval between this client and the LDAP server. Valid values are 60-3,600 seconds. The default is 300. |
-u userlist | Specifies a comma-separated list of user names to enable for LDAP authentication. These users have their registry and SYSTEM attributes set to LDAP. Specify ALL to enable all users on the client. Note: Alternatively, the SYSTEM attribute in the default stanza of /etc/security/user can be set to LDAP, allowing only LDAP users to log in. Setting the SYSTEM attribute to "LDAP or compat" allows both LDAP users and local users to log in to the system. |
-w SSLkeypasswd | Specifies the password for the client SSL or TLS key. |
-U | Specifies to undo the previous client setup to the LDAP client configuration file. |
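The flag table leaves two traps for the operator: -k and -w are only meaningful together, and -A ldap_auth without an SSL/TLS key database sends every login password to the server in the clear. The wrapper below, an added example that is not part of IBM's mksecldap, applies those checks before any client setup is written. Its option letters mirror mksecldap's; the MKSECLDAP_DRYRUN variable, the function name and the host names used in the usage are assumptions of this example.

```shell
# Added example, not IBM's code: pre-flight checks around `mksecldap -c`.
# Set MKSECLDAP_DRYRUN=1 (an assumption of this example) to print the
# command that would run instead of running it.
secure_client_setup() {
    OPTIND=1
    servers= binddn= bindpwd= authtype=unix_auth conntype= keypath= keypwd= users=
    while getopts 'h:a:p:A:j:k:w:u:' opt; do
        case $opt in
            h) servers=$OPTARG ;;
            a) binddn=$OPTARG ;;
            p) bindpwd=$OPTARG ;;
            A) authtype=$OPTARG ;;
            j) conntype=$OPTARG ;;
            k) keypath=$OPTARG ;;
            w) keypwd=$OPTARG ;;
            u) users=$OPTARG ;;
            *) return 2 ;;
        esac
    done

    [ -n "$servers" ] || { echo "secure_client_setup: -h serverlist is required" >&2; return 2; }
    case $authtype in
        unix_auth|ldap_auth) ;;
        *) echo "secure_client_setup: -A must be unix_auth or ldap_auth" >&2; return 2 ;;
    esac
    case $conntype in
        ''|ssl|tls) ;;
        *) echo "secure_client_setup: -j must be ssl or tls" >&2; return 2 ;;
    esac
    # The key database path and its password are only meaningful as a pair.
    if { [ -n "$keypath" ] && [ -z "$keypwd" ]; } || { [ -z "$keypath" ] && [ -n "$keypwd" ]; }; then
        echo "secure_client_setup: -k and -w must be given together" >&2; return 2
    fi
    # The syntax pairs -a with -p; a bind DN without its password is a mistake.
    if [ -n "$binddn" ] && [ -z "$bindpwd" ]; then
        echo "secure_client_setup: -a needs -p" >&2; return 2
    fi
    # ldap_auth sends each user's password to the server at login; without a
    # key database there is no SSL/TLS session to protect it, so refuse.
    if [ "$authtype" = ldap_auth ] && [ -z "$keypath" ]; then
        echo "secure_client_setup: refusing ldap_auth without -k/-w (clear-text passwords on the wire)" >&2
        return 3
    fi

    set -- -c -h "$servers"
    [ -n "$binddn" ]   && set -- "$@" -a "$binddn" -p "$bindpwd"
    set -- "$@" -A "$authtype"
    [ -n "$conntype" ] && set -- "$@" -j "$conntype"
    [ -n "$keypath" ]  && set -- "$@" -k "$keypath" -w "$keypwd"
    [ -n "$users" ]    && set -- "$@" -u "$users"

    if [ "${MKSECLDAP_DRYRUN:-0}" = 1 ]; then
        echo "mksecldap $*"
        return 0
    fi
    mksecldap "$@"
}
```

Like mksecldap itself, the wrapper takes the bind password as a command-line argument, so it is visible in process listings while the command runs and lands in shell history if typed interactively; invoke it from a script with restrictive permissions. Omitting -a still yields an anonymous bind, exactly as with the bare command.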
A user with the aix.security.ldap authorization is authorized to use this command.
Examples

1. mksecldap -s -a cn=admin -p adminpwd -S rfc2307aix

This sets up an LDAP server with the LDAP server administrator DN cn=admin and password adminpwd. User and group data is exported from local files to the default cn=aixdata suffix using the RFC2307AIX schema.

2. mksecldap -s -a cn=admin -p adminpwd -d o=mycompany,c=us -S rfc2307 -k /usr/ldap/serverkey.kdb -w keypwd

This sets up an LDAP server with the LDAP server administrator DN cn=admin and password adminpwd. User and group data is exported from local files to the o=mycompany,c=us suffix using the RFC2307 schema. The LDAP server uses SSL communications with the key stored at /usr/ldap/serverkey.kdb. The password to the key, keypwd, must also be supplied.

3. mksecldap -s -a cn=admin -p adminpwd -d c=us -S rfc2307aix -x cn=proxy,c=us -X proxypwd

This sets up an LDAP server with the LDAP server administrator DN cn=admin and password adminpwd. User and group data is exported from local files to the c=us suffix using the RFC2307AIX schema. A proxy identity is set up with DN cn=proxy,c=us and password proxypwd. The ACL specified in /etc/security/ldap/proxy.ldif.template is also applied on the server for the cn=proxy,c=us DN.

4. mksecldap -s -U

This undoes the previous setup to the server configuration file. For safety reasons, this does not remove any database entries or database created by a previous setup. The database entries or the database must be removed manually if they are no longer needed.

5. mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com,server2.ibm.com

The LDAP server administrator DN and password are supplied for this client to authenticate to the server. The mksecldap command contacts the LDAP server for the schema type used, and sets up the client accordingly. Without the -d option on the command line, the entire server DIT is searched for the user base DN and the group base DN. Binding as the administrator DN gives the client full rights on the server; binding with a proxy DN (example 7) limits the client to what the proxy ACL grants.

6. mksecldap -c -a cn=admin -p adminpwd -h server3.ibm.com -d o=mycompany,c=us -k /usr/ldap/clientkey.kdb -w keypwd -u user1,user2

This sets up an LDAP client similar to the previous example, but with SSL communication. The mksecldap command searches the o=mycompany,c=us subtree for the user base DN and group base DN. Accounts user1 and user2 are configured to authenticate through LDAP.

7. mksecldap -c -a cn=proxy,c=us -p proxypwd -h server4.ibm.com -A ldap_auth

This sets up an LDAP client to bind to the LDAP server with the cn=proxy,c=us DN. Because the administrator DN is not used, the access granted to the client depends on the ACL set up on the LDAP server for the cn=proxy,c=us DN. The client is also set up to use ldap_auth-type authentication, which sends passwords in clear text to the LDAP server for comparison. No -k, -w or -j flag is given here, so that traffic is not protected by SSL or TLS; see the note under -A.

8. mksecldap -c -U

This undoes the previous setup to the /etc/security/ldap/ldap.cfg file. This does not remove the SYSTEM=LDAP and registry=LDAP entries from the /etc/security/user file.

9. mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com -i files -A ldap_auth

This sets up an LDAPAfiles compound loadmodule, where the module LDAPA is used for user authentication and files is used for user identification.
Authentication is set to ldap_auth.

Files

Mode | File |
---|---|
r | /etc/passwd |
r | /etc/group |
r | /etc/security/passwd |
r | /etc/security/limits |
r | /etc/security/user (on the server) |
rw | /etc/security/user (on the clients) |
r | /etc/security/environ |
r | /etc/security/user.roles |
r | /etc/security/lastlog |
r | /etc/security/smitacl.user |
r | /etc/security/mac_user |
r | /etc/security/group |
r | /etc/security/smitacl.group |
r | /etc/security/roles |
rw | /etc/security/login.cfg (on the server) |
rw | /etc/slapd32.conf (on the server) |
rw | /etc/security/ldap/ldap.cfg (on the client) |
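The undo example above (mksecldap -c -U) rewrites /etc/security/ldap/ldap.cfg but leaves SYSTEM=LDAP and registry=LDAP in /etc/security/user, so accounts can be left pointing at a server the client no longer talks to. The script below, an added example and not part of AIX or mksecldap, lists every stanza in that file whose SYSTEM or registry attribute still mentions LDAP. The sample file it writes is constructed here in the stanza format of /etc/security/user so the check runs offline; the function names are assumptions of this example.

```shell
# Added example, not IBM's code: find /etc/security/user stanzas that still
# reference LDAP after `mksecldap -c -U`.

# Print "stanza attribute value" for every SYSTEM or registry line whose value
# mentions LDAP. A stanza header is "name:" alone at the start of a line;
# attribute lines are indented "attr = value"; lines starting with "*" are
# comments in this file format.
ldap_stanzas() {
    awk '
        /^[^ \t*#][^:]*:[ \t]*$/ { stanza = $0; sub(/:.*$/, "", stanza); next }
        /^[ \t]+(SYSTEM|registry)[ \t]*=/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            attr = line;  sub(/[ \t]*=.*$/, "", attr)
            value = line; sub(/^[^=]*=[ \t]*/, "", value)
            if (value ~ /LDAP/) printf "%s %s %s\n", stanza, attr, value
        }
    ' "$1"
}

# Constructed sample in /etc/security/user stanza format (not a real system
# file): one user fully on LDAP, one with the mixed "LDAP or compat" setting,
# and local-only accounts that must not be reported.
write_sample_user_file() {
    cat > "$1" <<'EOF'
* constructed sample, not a real /etc/security/user
default:
    admin = false
    SYSTEM = "compat"
    registry = files

root:
    admin = true

user1:
    SYSTEM = "LDAP"
    registry = LDAP

user2:
    SYSTEM = "LDAP or compat"
    registry = files

user3:
    registry = files
EOF
}

# Stand-alone run against the sample. On a real client use:
#     ldap_stanzas /etc/security/user
sample=$(mktemp)
write_sample_user_file "$sample"
ldap_stanzas "$sample"
rm -f "$sample"
```

The sample reports user1 twice (SYSTEM and registry) and user2 once; default, root and user3 are silent. A default stanza with SYSTEM = "LDAP" would be reported as well, which is the case where every login on the client still depends on the server.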