
IBM STG Technical Conference
IBM Systems and Technology Group Technical Conference
New Orleans, Louisiana
February 5 - 9, 2007
© 2007 IBM Corporation


AIX Authentication to an LDAP Server
Session: A03

John Tesch, Ph.D.
Consulting IT Specialist
America’s Advanced Technical Support
jwtesch@us.ibm.com


Agenda

– LDAP user management goals and issues
– Introduction to AIX user management
– Configuring AIX for user authentication and credentials
– Authenticating AIX to Microsoft Windows Active Directory


LDAP – What the customer is looking for!

(Diagram: one LDAP server holding the user data and passwords for all systems)
– One password for access to all systems
– User data all in one place
Today’s picture too often

(Diagram: user data scattered over several incompatible stores)
– File-based user data on each system
– Multiple incompatible LDAP servers
– NIS/NIS+
– Microsoft ADS
– Separate password for each system
– Separate data on each server
Issue #1: Schemas and LDAP Servers

Schema support
– AIX proprietary schema
– RFC2307
– RFC2307bis
– AIX extensions
– Solaris 9 extensions
– Solaris 10 extensions
– Novell
– Microsoft SFU 2.0
– Microsoft SFU 3.0
– Microsoft Windows 2000 V2
– Person, ePerson, etc.

LDAP servers
– ITDS – IBM Tivoli Directory Server (4.1, 5, 6.0)
– OpenLDAP
– Sun One Directory Server
– Sun Java System Directory Server 5.2
– Novell eDirectory
– Windows 2000 Active Directory
– Windows 2003 Active Directory
– Windows 2003 R2 ACS
– Netscape Directory Server -> Sun


Schema Support Introduced in AIX Level

Schema support               AIX release
AIX proprietary schema       (all)
RFC2307                      AIX 4.3.3*
AIX extensions               AIX 5.1
RFC2307bis                   AIX 5.2
Solaris 9 extensions         AIX 5.3
Solaris 10 extensions        AIX 5.3 ML3
Novell (*?)                  AIX 5.3 TL5
Microsoft SFU 2.0            AIX 5.3 TL6 (?)
Microsoft SFU 3.0
Microsoft Windows 2000 V2
Person, ePerson, etc.

* PADL - RFC2307
? (Planned)
* Novell MD5 – ldap_auth


Issue #2: RFC2307

– An Approach for Using LDAP as a Network Information Service
– Category: Experimental
– Status: “This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind”
– Based somewhat on NIS
– Incomplete: doesn’t cover all of the AIX or Solaris attributes
  – Doesn’t cover netgroups and automount
– Authors: L. Howard (PADL Software), M. Ansari (Sun Microsystems)
– Original date: March 1998
– rfc2307bis-00: October 2002, expired April 2003 (no longer posted)
  – Added support for netgroups, automount, etc.
– Included with OpenLDAP, IBM and Sun LDAP servers
– Microsoft does not fully support it in any release.
– AIX required object classes and attributes for user login:
  – posixaccount: uid, uidnumber, gidnumber, homedirectory, loginshell, gecos, userpassword, shadowlastchange
  – posixgroup: cn (groupname), gidnumber, memberuid (list of the users’ uids)


RFC2307 Optional attributes used by AIX login

posixaccount
– shadowmax -> maxage: maximum weeks the password is valid
– shadowmin -> minage: minimum weeks before a password change
– shadowexpire -> maxexpired: weeks after expiration during which the user can still change the password
– shadowwarning -> pwdwarntime: days before the password expires that the user is warned
– Good to add the AIX extensions (not part of the RFC definition):
  hostallowedaccess
  hostdeniedaccess

posixgroup
– No optional attributes used by AIX
– Not used: description, memberPassword


AIX extensions to RFC2307

aixAuxAccount – added with the AIX extensions (RFC2307AIX schema)
– account_locked
– admin, admgroups
– Standard /etc/security/user attributes: expires, flags, groups
– User limits such as core, cpu, data, fsize, nofiles, rss, stack, etc.
– Login herald
– Password restrictions: histexpire, histsize, histlist, minalpha, mindiff, minlen, minother, pwdchecks, dictionlist
– Security: hostlastlogin, login, logindelay, logindisable, logininterval, loginretries, rcmds, registry, rlogin, roles, sakenabled, su, sugroups, sysenv, telnet, time_last_login, time_last_unsuccessful_login, tpath, tty_last_login, ttys, tty_last_unsuccessful_login, umask, projects

aixAuxGroup
– primary, adms, admin, dce_export, screens, projects


Issue #3: AIX extensions and LDAP Servers

IBM Tivoli Directory Server
– Contains the RFC2307AIX schema since ITDS 4.1
– Does not include the Solaris extensions, and there are no instructions for adding that schema
– Some RFC2307bis attributes must be added manually
OpenLDAP
– May be the most widely used for Linux customers
– Contains the RFC2307 schema, but not the Solaris or AIX extensions
Sun Java System Directory Server 5.2 – formerly Sun One
– Part of the Solaris Enterprise System
– Contains the Solaris extensions, but not the AIX extensions
Sun One Directory Server – formerly Netscape Directory Server
– Available for AIX 5.2, but doesn’t contain the AIX authentication extensions
Active Directory with Services for Unix
– Microsoft proprietary schema for UNIX, and no crypt() software support
– No AIX or Solaris extensions
Novell eDirectory Server
– MD5 password, pseudo RFC2307


Solaris extensions and LDAP Servers

RBAC-related databases (Role Based Access Control)
– usr_attr -> ou=People, object class SolarisUserAttr
– prof_attr -> ou=SolarisProfAttr, object classes SolarisProfAttr, SolarisExecAttr
– auth_attr -> ou=SolarisAuthAttr, object class SolarisAuthAttr
– exec_attr -> ou=SolarisProfAttr, object classes SolarisProfAttr, SolarisExecAttr

Only supported on Sun LDAP servers

Requires adding schema extensions on others.


Issue #4: LDAP Servers and total solution

IBM Tivoli Directory Server
– Best AIX solution, but Sun client support is missing
OpenLDAP
– Good Linux solution, and the base solution for all, but:
– No instructions for adding the AIX and Solaris schemas
Sun Java System Directory Server 5.2 – formerly Sun One
– Best pure Sun solution
– Base RFC2307 support for AIX is a known working solution
– No instructions for adding the AIX extensions
Active Directory with Services for Unix
– Many companies want to use this solution because
  - Most Unix users also have a Windows account
  - IT management sees this as an easy-to-manage solution
– Probably the most incomplete Unix solution available
– No AIX or Solaris extensions, but easy to set up with base AIX 5.3 TL5
Novell eDirectory Server
– Well liked by those few who know and like it, not very universal


Issue #5: LDAP User and Group IDs and permissions

A user must have the same UID on all clients
– File ownership and permissions
– Avoid conflicts between local and LDAP users

Users must have the same GID on all clients
– File and program execution

Users with LDAP credentials must be in LDAP groups
– Local and LDAP GIDs must match

Some OS administrative GIDs are in conflict
– AIX: system=0, staff=1, bin=2, sys=3, security=7, cron=8
– Could give AIX security access to the wrong users if not careful

May require that certain users be local users with local groups


Basic user login – AIX 5.3

(Diagram: login, ssh and ftp call authenticate(). auth_type in login.cfg selects STD_AUTH, which goes through the LAM modules in /usr/lib/security listed in methods.cfg, or PAM_AUTH, which goes through the PAM modules configured in /etc/pam.conf. LAM back ends: Files, NIS maps, Kerberos, LDAP, Custom. The user’s SYSTEM and registry attributes select the module.)

1. Authentication
   - username
   - password
2. Get credentials
   - UID/GID
   - HOME, SHELL, etc.


AIX Loadable identification and authentication framework

(Diagram)


AIX LDAP Authentication Choices - authtype

AUTH_TYPE = UNIX_AUTH
– The client sends the user name to the LDAP server, retrieves the stored crypt(passwd) value and verifies the password locally with crypt()

AUTH_TYPE = LDAP_AUTH
– The client sends the user name and password to the LDAP server over an SSL tunnel; the server verifies the password and returns the verification result


LDAP Security Client -> LDAP slapd

(Diagram: login, ssh and ftp call authenticate(), which is served by the LDAP security client daemon secldapclientd, configured in ldap.cfg. Plain text connection to slapd on port 389; SSL-encrypted connection on port 636, configured with ldapsslport in ldap.cfg and the client key database Key.kdb.)


LDAP Schema – LDAP Server Choices

Schemas and mapping (mapping files in /etc/security/ldap/*.map):

AIX security attribute   rfc2307          msSFU30
username                 uid              msSFU30Name
spassword                userpassword     msSFU30Password
id                       uidnumber        msSFU30UidNumber
pgrp                     gidnumber        msSFU30GidNumber
home                     homedirectory    msSFUHomeDirectory
shell                    loginshell       msSFULoginShell
Configuring ITDS (LDAP) on AIX

mksecldap -s -S <schema> (server setup, runs ldapcfg):
– Check filesets
– Create the LDAP admin
– Create the DB2 admin
– Run the slapd daemon
– Set the admin passwords
– Configure LDAP
– Add the context DN
– Configure DB2
– Add nisSchema.ldif
– Add sec.ldif (ldapmodify)
– Add slapd to /etc/inittab (mkitab)

sectoldif -S <schema> converts the security files (user/group information: /etc/passwd, /etc/group (optional), /etc/security/passwd, /etc/security/user, ...) into an LDIF file, which is loaded with ldapadd:

    dn: uid=default...
    uid: caleb
    objectClass: account
    objectClass: posixAccount
    ...

The LDIF file is removed at the end.
Checking LDAP server configuration and suffixes

Use the ldapsearch client to contact the server and retrieve information; the namingcontexts are the containers for information.

    ldapsearch ..bindinfo.. -b "" -s base "objectclass=*" namingcontexts

    namingcontexts=CN=SCHEMA
    namingcontexts=CN=CONFIGURATION
    namingcontexts=CN=LOCALHOST
    namingcontexts=CN=PWDPOLICY
    namingcontexts=CN=IBMPOLICIES
    namingcontexts=CN=AIXDATA
    namingcontexts=OU=ATS,O=IBM,O=COM

    ldapsearch ..bindinfo.. -b "ou=ats,o=ibm,o=com" "(ou=*)"

    ou=ats,o=ibm,o=com
    objectclass=top
    objectclass=organizationalunit
    ou=ats


Default ITDS CN=AIXDATA container

Use the ldapsearch client to contact the server and retrieve information; the namingcontexts are the containers for information.

    ldapsearch -h localhost -D cn=admin -w mypwd -b "CN=AIXDATA" OU=*

    ou=People,cn=aixdata
    ou=People
    objectClass=organizationalUnit
    objectClass=top

    ou=Groups,cn=aixdata
    ou=Groups
    objectClass=organizationalUnit
    objectClass=top

    ou=System,cn=aixdata
    ou=System
    objectClass=organizationalUnit
    objectClass=top


Migrating AIX users to LDAP server

– nistoldif -S <schema> converts the NIS maps (passwd.byname, passwd.byuid, shadow.byname, autoFS, ...) into an LDIF file
– sectoldif -S <schema> converts the security files (/etc/passwd, /etc/group, /etc/security/passwd, /etc/security/user, ...) into an LDIF file
– ldapadd loads the LDIF file into the LDAP server

Example LDIF entry:

    dn: uid=caleb,ou=aixuser,cn=ibm,cn=com
    uid: caleb
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: aixauxaccount
    cn: caleb
    passwordchar: !
    uidNumber: 210
    gidNumber: 1
Checking LDAP user existence with ldapsearch

If you can’t use ldapsearch to retrieve users, they won’t be able to authenticate.

    ldapsearch -h localhost -D cn=admin -w jst4ldap -b "ou=ats,o=ibm,o=com" "(uid=test1)"

    uid=test1,ou=People,ou=ats,o=ibm,o=com
    uid=test1
    objectClass=aixauxaccount
    objectClass=shadowaccount
    objectClass=posixaccount
    objectClass=account
    objectClass=ibm-securityidentities
    objectClass=top
    cn=test1
    passwordchar=!
    uidnumber=207
    gidnumber=1
    homedirectory=/home/test1
    loginshell=/usr/bin/ksh
    isadministrator=false
    userpassword={crypt}kYaEASzK4RyaI
    shadowlastchange=13006
    passwordflags=ADMCHG


Issue #6: No tools for comparing LDIF files

Tools to create LDIF files from each server
– AIX: nistoldif and sectoldif
– Solaris: ldapaddent, LDAP to NIS+ Gateway
– HP-UX: migrate_nisp_groups.pl, migrate_nisp_passwd.pl, etc.
– Linux: use the PADL scripts
– PADL: Perl scripts to migrate from flat files, NIS, etc.

Base DNs must match at the least
– dn: ou=aixuser,cn=aixsecdb, cn=aixdata

But no vendor scripts provide comparison and differences
– Same user name on two clients, but different UID
– Same UID on two clients, but different user name
– Different limits on different systems

You will get errors from ldapadd with some duplications
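Since the deck notes that no vendor ships a comparison tool, here is an added example (not from the deck or from IBM) in Python that reads two clients' sectoldif-style dumps and reports the three things the preceding slides ask for: entries lacking the attributes AIX login requires (Issue #2), same-name/different-UID and same-UID/different-name conflicts (Issue #6), and LDAP groups that reuse an AIX administrative GID (Issue #5). The LDIF samples, the group dba, the ou=aixgroup container and the hash value are constructed.

```python
# Required attributes for AIX login (deck: "Issue #2: RFC2307").
REQUIRED = {
    "posixaccount": ("uid", "uidnumber", "gidnumber", "homedirectory",
                     "loginshell", "gecos", "userpassword", "shadowlastchange"),
    "posixgroup": ("cn", "gidnumber", "memberuid"),
}
# AIX administrative GIDs an LDAP group must not reuse (deck: "Issue #5").
AIX_ADMIN_GIDS = {0: "system", 1: "staff", 2: "bin", 3: "sys", 7: "security", 8: "cron"}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, lower-cased attribute names."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():            # blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def object_classes(entry):
    return {oc.lower() for oc in entry.get("objectclass", [])}


def missing_login_attributes(entry):
    """Attributes the entry lacks for AIX login, judged by its object class."""
    classes = object_classes(entry)
    for oc, required in REQUIRED.items():
        if oc in classes:
            return [a for a in required if a not in entry]
    return []


def compare_users(entries_a, entries_b):
    """Same name with different UID, and same UID with different name, across two dumps."""
    def by_name(entries):
        return {e["uid"][0]: int(e["uidnumber"][0]) for e in entries
                if "posixaccount" in object_classes(e) and "uidnumber" in e}
    a, b = by_name(entries_a), by_name(entries_b)
    name_clash = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    ra, rb = {v: k for k, v in a.items()}, {v: k for k, v in b.items()}
    uid_clash = sorted(u for u in ra.keys() & rb.keys() if ra[u] != rb[u])
    return {"same_name_different_uid": name_clash, "same_uid_different_name": uid_clash}


def admin_gid_conflicts(entries):
    """LDAP groups that reuse an AIX administrative GID under another name."""
    hits = []
    for e in entries:
        if "posixgroup" in object_classes(e) and "gidnumber" in e:
            gid = int(e["gidnumber"][0])
            if gid in AIX_ADMIN_GIDS and AIX_ADMIN_GIDS[gid] != e["cn"][0]:
                hits.append((e["cn"][0], gid, AIX_ADMIN_GIDS[gid]))
    return hits


# Constructed dumps modelled on the deck's sectoldif/ldapsearch output; the hash is a placeholder.
CLIENT_A = """\
dn: uid=caleb,ou=aixuser,cn=aixsecdb,cn=aixdata
objectClass: posixAccount
objectClass: shadowAccount
uid: caleb
uidNumber: 210
gidNumber: 1
homeDirectory: /home/caleb
loginShell: /usr/bin/ksh
gecos: Caleb
userPassword: {crypt}PLACEHOLDERHASH
shadowLastChange: 13006

dn: cn=dba,ou=aixgroup,cn=aixsecdb,cn=aixdata
objectClass: posixGroup
cn: dba
gidNumber: 7
memberUid: caleb
"""
CLIENT_B = """\
dn: uid=caleb,ou=aixuser,cn=aixsecdb,cn=aixdata
objectClass: posixAccount
uid: caleb
uidNumber: 211

dn: uid=martin,ou=aixuser,cn=aixsecdb,cn=aixdata
objectClass: posixAccount
uid: martin
uidNumber: 210
"""


def run_checks():
    a, b = parse_ldif(CLIENT_A), parse_ldif(CLIENT_B)
    incomplete = [e["dn"][0] for e in a + b if missing_login_attributes(e)]
    return {"incomplete": incomplete, "conflicts": compare_users(a, b),
            "admin_gid": admin_gid_conflicts(a + b)}
```

Run the checks on the real dumps before ldapadd: the conflicts it reports are exactly the duplications that otherwise surface only as ldapadd errors.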
Configuring AIX 5.3 TL5 clients to use LDAP

mksecldap -c, with flags for bind info, base DN, authtype, search mode, SSL info and proxy admin:
1. Contact server: ldapsearch
2. Server alive and valid credentials?
3. Namingcontext? (ldapsearch)
4. Namingcontext – suffixes available

After setup:
– Backup config files
– Get servertype from namingcontext
– Get other services from namingcontext
– Create /etc/security/ldap directory
– Update /etc/security/ldap/ldap.cfg
– Update irs.conf to nis_ldap and hosts
– Update netsvc.conf to hosts and nis_ldap
– Add LDAP to methods.cfg file
– (optional) chuser SYSTEM=LDAP, registry=LDAP
– Add secldapclientd to inittab
– Start client daemon secldapclientd


Testing the client setup with lsldap

The ultimate test is “can I log in as user ldaptest”, but check these (diagram: lsldap -> secldapclientd -> ldapsearch -> LDAP):

    lsldap

    dn: ou=People,ou=ats,o=ibm,o=com
    dn: ou=Groups,ou=ats,o=ibm,o=com
    dn: ou=System,ou=ats,o=ibm,o=com

    lsldap passwd

    dn: uid=default,ou=People,ou=ats,o=ibm,o=com
    dn: uid=test1,ou=People,ou=ats,o=ibm,o=com
    ...

    lsldap -a passwd test1

    dn: uid=test1,ou=People,ou=ats,o=ibm,o=com
    uid: test1
    objectClass: aixauxaccount
    objectClass: shadowaccount
    ...

Equivalent tools: AIX: lsldap; HP: nsquery; Sun: listldap
Testing the client setup with lsuser -R LDAP

You can see the user attributes stored in LDAP with the AIX lsuser command (diagram: lsuser -R LDAP goes through secldapclientd/ldapsearch; lsuser without -R reads the local security files /etc/passwd, /etc/group, /etc/security/passwd, /etc/security/user, ...).

    # lsuser -R LDAP -a id pgrp test1
    test1 id=207 pgrp=staff

    # lsuser -R LDAP -a SYSTEM registry test1
    test1 SYSTEM=compat registry=LDAP

    # lsuser -a SYSTEM registry test1
    test1 SYSTEM=compat registry=files

    # chuser -R LDAP SYSTEM=LDAP registry=LDAP test1

    # lsuser -a SYSTEM registry test1
    test1 SYSTEM=LDAP registry=LDAP

    # lsuser -R LDAP -a SYSTEM registry test1
    test1 SYSTEM=LDAP registry=LDAP
Issue #7: Restricting users to selected clients

IBM AIX extension user attributes:
– hostallowedlogin: the user can only log in to these hosts
– hostdeniedlogin: the user cannot log in to these hosts
      chuser -R LDAP hostsallowedlogin=host1,host2,host3 username
– Only applicable to AIX users
– Restrictions are applied to each user in LDAP
– Default user: SYSTEM = LDAP

Only put the users you want to log in into /etc/security/user:
– Set the LDAP users’ SYSTEM and registry to LDAP
– Leave the default user at SYSTEM = compat
  Example /etc/security/user stanza:
      test1:
          admin = false
          SYSTEM = "LDAP"
          registry = LDAP

NIS netgroup style login restriction
– Compatible with the RFC2307bis specification
– Typical solution for Solaris users
– Requires a different setup in AIX:
  – SYSTEM = compat in /etc/security/user
  – options = netgroup defined in the LDAP stanza of /usr/lib/security/methods.cfg
  – netgroup nis_ldap in /etc/irs.conf
  – + in /etc/group
  – +@netusers in /etc/passwd


Issue #8: How to handle user HOME directories

Local HOME directory on each client (local disk, /home)
– Unique data on each client
– Not automatically created when clients are added to the LDAP server
– Some customers use the mkhome PAM module on non-IBM servers

Mount /home from an NFS server for all users
– Same data from any client
– Easy to set up, but may need to tune NFS parameters

Automount /home as the user logs in
– Directory only mounted while the user is logged in (NFS)
– Two LDAP automount maps supported:
  – automountmap objectclass
  – nismap automount map – support for netgroups


Issue #9: SSL between client and server

Without SSL, ldap_auth sends the password in clear text

Install the gskit filesets and the secure LDAP client and server filesets
– Also need the SSL and Java filesets installed
– ldap.max_crypto_client.rte, etc.

Create the server SSL keyring
– gsk7ikm is a graphical tool that can be used to create the keyring
– Bring a copy to the client

Install the keyring file on the server
– mksecldap -k <filename>, or
– edit the ibmslapd.conf file and restart (ibm-slapdSecurity: SSLOnly)
– Check that the server is listening on port 626

Re-run mksecldap -c on the client with the -k <key.kdb> file
– Adds the key file to ldap.cfg, which is read by secldapclientd


Issue #10: Importance of password restrictions

RFC2307 is weak on password restrictions
– No option to add a password restriction subroutine
– Minimal

The AIX extensions provide a full set of password restrictions
– Same things available as with the standard AIX security files
– Character and time restrictions
– Ability to include a password check method

No standard way for a multi-OS environment
– Possible third-party solutions for changing passwords: Tivoli Identity Manager


Issue #11: What users should keep using local files?

How is the root user treated?
– No remote login allowed
– su only from a selected group
– Keep as a local user

The security group should remain local
– Its GID conflicts with a Solaris admin group
– Always keep access to the system if the network or LDAP is down

Any other users who need access if the network/LDAP is down

Administrative users without passwords

Local users must exist in local groups

LDAP users must belong to LDAP groups


Issue #12: Migrating existing users to LDAP?

Make sure the user exists in LDAP (covered earlier)
– Extracted with sectoldif and added with ldapadd
– Added with mksecldap
– Check with these methods:
      ldapsearch .. -b baseDN "(uid=testuser)"
      lsldap -a passwd username
      lsuser -R LDAP username

Change the user’s SYSTEM and registry attributes to LDAP
– If the default user is set to LDAP:
  remove the user from the local files /etc/passwd, /etc/group, /etc/security/passwd, /etc/security/user
– If the default user is not set to LDAP:
  change the user’s SYSTEM and registry to LDAP
      chuser -R LDAP SYSTEM=LDAP registry=LDAP username
      chuser SYSTEM=LDAP registry=LDAP username
Issue #13: Adding new users to LDAP?

Use the standard AIX commands with the -R LDAP flag
– mkuser -R LDAP SYSTEM=LDAP registry=LDAP id=501 martin
– Check with these methods:
      ldapsearch .. -b baseDN "(uid=testuser)"
      lsldap -a passwd username
      lsuser -R LDAP username

Create an LDIF file and add it with ldapadd
– Extract a user from LDAP with ldapsearch:
      ldapsearch -h host -D cn=adm -w pwd -b "basedn" "(uid=test797)" > test797p.ldif
– Extract a local file user with sectoldif
– Edit with vi
– Add to LDAP with ldapadd
– Verify with lsldap, lsuser -R LDAP, or ldapsearch


Issue #14: Redundant solutions?

Redundancy options in /etc/security/user
– If LDAP fails, use the local definition, e.g. for admin02:
      admin02:
          admin = true
          SYSTEM = "LDAP or (LDAP UNAVAIL AND files)"
          registry = LDAP

Replica LDAP servers
– Keeps user data in multiple locations
– Automatic synchronization
– Changes are made only on the LDAP master
– Place on different routers, etc.
– Specify a priority list of servers in ldap.cfg on the AIX clients

Duplicate LDAP masters
– Adds the ability to do updates on either server


Issue #15: ssh gotcha?

After configuring a user for LDAP, ssh to the box stops working?

Add this line to /etc/ssh/sshd_config:
– UsePAM yes

Stop and restart sshd


Issue #16: Multiple groups – multiple managers?

The desire is to have a separate base DN for different groups
– Example:
  – userbasedn: ou=dept1,ou=people,cn=aixdata
  – userbasedn: ou=dept2,ou=people,cn=aixdata

AIX 5.3 TL5 adds support for this functionality
– Support for the extended base DN format
– Support for multiple base DN definitions
  – Up to ten base DNs per entity (e.g. user)
  – Restrictions on mkuser and chuser

AIX 5.3 supports an LDAP proxy user
– Control proxy user access with LDAP ACLs
– Keeps every root user from having complete access to the LDAP server


Issue #17: Flexibility with PAM?

Most UNIX flavors have default PAM support
– Most do LDAP support through PAM modules
– This makes AIX different

AIX 5.3 introduces PAM_AUTH
– Configured via the pam.conf file
– pam_aix modules included in AIX 5.3

PAM_LDAP is available from PADL (not IBM)
– Not supported by IBM
– IBM provides only the basic AIX authentication PAM module

Possible examples
– LDAP authentication only
– PAM module to add the HOME directory on first login to a new server


Issue #18: Where to put the default user?

Place on the local AIX client
– Provides some AIX-specific attributes
– Does not provide all of the extensions you might expect

Place on the LDAP server
– Consistent for all clients
– Provides less flexibility


AIX Authentication to Active Directory

Kerberos or LDAP authentication

Goal: single corporate password


Two Choices – Kerberos or LDAP

Kerberos                                  Active Directory - LDAP
Support starts at AIX 5.2 ML1             Support starts at AIX 5.3 TL5
Authentication only                       RFC2307 attribute support
Kerberos 5 standard                       Non-standard schema
Very secure network traffic               Must secure with an SSL connection
Key from Windows Server                   Key from Windows Server
KDC setup on Windows                      ADS/SFU setup on Windows
Better performance                        Performance suffers because of AD issues
Kerberos principal for each client        No client-specific setup
User Kerberized r-cmds                    Changes each release, SFU -> R2
AIX KRB5A + LDAP/files LAM                AIX LDAP LAM module

AIX Authentication using Windows Kerberos Service
http://www-03.ibm.com/servers/aix/whitepapers/aix_kerberos2.pdf

AIX 5.3 TL5 Active Directory White Paper
http://www-128.ibm.com/developerworks/aix/library/au-aixadsupport.html?ca=dgr-lnxw97AIXclientsupp
LDAP or KRB5ALDAP mode in /etc/security/user

LDAP mode – AIX 5.3 TL5 only (authentication and credentials both from ADS/SFU over LDAP)
– /etc/security/user entry:
      tstuser:
          admin = false
          SYSTEM = LDAP
          registry = LDAP

Kerberos authentication mode – KRB5A and LDAP
– Use Kerberos (the KDC) for authentication only
– Use LDAP for the user credentials
– /etc/security/user entry:
      krbuser:
          admin = false
          SYSTEM = KRB5ALDAP
          registry = LDAP


KRB5A authentication to Microsoft Windows 2000/2003 Server

– Requires the Microsoft Windows Support Tools: ktpass, ldp, and setspn
– Requires the AIX NAS (Network Authentication Service) client software: krb5.client.rte
– Requires compound load module support on AIX
  – /etc/security/user:
        SYSTEM = KRB5Afiles
  – /usr/lib/security/methods.cfg:
        KRB5A:
            program = /usr/lib/security/KRB5A
            options = authonly
        KRB5Afiles:
            options = db=BUILTIN,auth=KRB5A
– Requires a host principal on Windows (the KDC) for every AIX client
– The Kerberos keytab file must be transferred to the AIX client


AIX LDAP authentication to Microsoft Active Directory

Windows 2000 or 2003 Server (ADS/SFU)
– Requires Microsoft Services for Unix
– SFU provides the Microsoft SFU schema (pseudo-RFC2307)
– Supported SFU: SFU v3.0+ (3.0 and 3.5)

Support starts with the AIX 5.3 TL5 client
– Simple mksecldap client setup
  – Discovers the SFU schema
  – Sets up the mapping to the SFU schema:
        userattrmappath:/etc/security/ldap/MSSFU30user.map
        groupattrmappath:/etc/security/ldap/MSSFU30group.map

Requires ldap_auth because of Microsoft encryption

Windows users and groups must be enabled for Unix support
– From the panel, click the tab ‘enable users’

White paper to guide setup (December 2006):
http://www-128.ibm.com/developerworks/aix/library/au-aixadsupport.html?ca=dgr-lnxw97AIXclientsupp


AIX 5.3 TL5 – Starting AIX client for AD auth

Must know the following information
– Bind DN and password on ADS with the proper authority
– Base DN where the user information is stored
– Must have bos.ldap.client installed (including max_crypto)

Check that you can retrieve the data from AD with lsldap:
    ldapsearch -h adhost -D cn=Adm -w admpwd -b "ou=basedn" "(uid=*)"

The AIX LDAP client build tool (mksecldap -c) autodetects the AD server:
    mksecldap -c -h adhost -a cn=Adm -p admpwd -d "cn=basedn"
– The schema type used by AD is queried
– The correct mapping files are configured


AIX 5.3 TL5 – AIX security admin commands and AD

These commands work as expected
– lsuser, chuser, rmuser, id
– lsgroup, chgroup, rmgroup, groups

These commands work with restrictions
– passwd and chpasswd

These commands will not operate with Active Directory
– mkuser and mkgroup
– AIX cannot manage features like the Windows ID


Issue #19: AD supports two types of group attributes

Do you leave the default or change to the faster option?

msSFU30PosixMember
– Default support for both Windows and AIX
– Map file shows:
      users SEC_LIST msSFU30PosixMember m
– Requires the full DN for all interactions
– Example:
      msSFU30PosixMember: cn=user1,cn=users,dc=dept1,dc=abc,dc=com
– Parsing impacts performance

msSFU30MemberUid
– Requires the admin to change the map file:
      users SEC_LIST msSFU30MemberUid m
– Same as the RFC 2307 memberUid attribute
– Example:
      msSFU30memberuid: user1


Issue #20: AD supports two types of passwords

Which one do you use?

Native password
– unicodePwd: supports Windows user authentication
– Same password for Windows or AIX (no synchronization needed)
– Password change requires an SSL connection to AD and AIX APAR IY91922
– Set the LDAP authentication type to ldap_auth in ldap.cfg
– Change the mapping:
      spassword SEC_CHAR unicodePwd s

Password for the Unix clients to AD interface (default in the map file)
– msSFU30Password: supports the UNIX crypt password
– AIX passwd only changes msSFU30Password
– Results in a synchronization problem
– Can use unix_auth in ldap.cfg
– To use msSFU30Password support, change the AIX user map file:
      spassword SEC_CHAR msSFU30Password s


Microsoft Windows Server 2003 R2

Adds Identity Management for UNIX without SFU

AIX supported solution expected in the next AIX 5.3 TL

Server for NIS
– Enables an Active Directory domain controller to act as a master NIS server

Password synchronization
– Simplifies the process of maintaining secure passwords
– Users can use the same password for their Windows and UNIX accounts

Requires a schema extension
– New object classes defined in a file Sch31.ldf, located on the Windows Server 2003 R2 installation CD

Windows Server 2003 R2 Overview Guide:
“With minor differences, Identity Management for UNIX is compliant with Internet Engineering Task Force (IETF) standard Request for Comments (RFC) 2307, meaning that a network's password and NIS attributes can be resolved by the Lightweight Directory Access Protocol (LDAP).”


Active Directory and Unix password sync

(Diagram: Windows to Unix password synchronization)
http://www.microsoft.com/technet/interopmigration/unix/sfu/psync.mspx

Unix to Windows password synchronization

(Diagram) Part of Microsoft Services for Unix


Gartner Magic Quadrant – User Provisioning

Taken from a Sun document

Sun and IBM lead

Microsoft in the lower left quadrant
– So why choose ADS?


Commercial technology solutions

Quest Software Vintela Authentication Services (VAS)
– http://www.vintela.com

Centrify DirectControl
– http://www.centrify.com

Centeris Likewise Identity 3.0
– http://www.centeris.com/

Computer Associates

PAM LDAP modules
– available at http://www.padl.com

Commercial technology solutions (continued)

IBM Tivoli Access Manager for Operating Systems
– http://www-306.ibm.com/software/tivoli/products/access-mgr-operating-sys/
– Audit and intrusion protection
– Best practice security templates

IBM Tivoli Identity Manager
– http://www.centrify.com.
– Policy based user management solution
– Automatic synchronization of user data from different repositories

Both also use LDAP


Microsoft SFU User Based Schema

SFU 2.0 schema
– msSFUPosixAccount
  required: cn
  optional: description, gecos, gidNumber, loginShell, msSFUHomeDirectory, msSFUName, msSFUPassword, posixMemberOf, uid, uidNumber
– msSFUShadowAccount
  msSFUName, shadowWarning, shadowMax, shadowMin, ...
– msSFUPosixGroup
  cn, GidNumber, MemberUid, msSFUName, msSFUPassword, PosixMember, ...

SFU 3.0 and SFU 3.5
– msSFU30PosixAccount
  msSFU30Gecos, msSFU30GidNumber, msSFU30HomeDirectory, msSFU30Password ...
– msSFU30ShadowAccount
  msSFU30ShadowWarning, msSFU30ShadowExpire, ...
– msSFU30PosixGroup
  msSFU30MemberUid, msSFU30PosixMember, ...
AIX 5.3 TL5 – AIX AD client support details

AIX maps the AIX security attribute names to the AD custom names
– /etc/security/ldap/sfu20user.map
– /etc/security/ldap/sfu20group.map
– /etc/security/ldap/sfu30user.map
– /etc/security/ldap/sfu30group.map

The AIX LDAP client build tool (mksecldap -c) autodetects the AD server
– The schema type used by AD is retrieved during setup
– The correct mapping files are supplied and configured
– Requires an APAR to support password changes from AIX


AIX 5.3 TL5 – SFU map file example

AIX maps the AIX security attribute names to the AD custom names.

/etc/security/ldap/sfu30user.map:

    username SEC_CHAR msSFU30Name s
    id SEC_INT msSFU30UidNumber s
    pgrp SEC_CHAR msSFU30GidNumber s
    home SEC_CHAR msSFU30HomeDirectory s
    shell SEC_CHAR msSFU30LoginShell s
    gecos SEC_CHAR msSFU30Gecos s
    spassword SEC_CHAR msSFU30Password s
    lastupdate SEC_INT msSFU30ShadowLastChange s
    maxage SEC_INT msSFU30ShadowMax s
    minage SEC_INT msSFU30ShadowMin s
    maxexpired SEC_INT msSFU30ShadowExpire s
    pwdwarntime SEC_INT msSFU30ShadowWarning s

    #spassword SEC_CHAR unicodePwd s

    #unsuccessful_login_count SEC_INT badPwdCount s
    #time_last_unsuccessful_login SEC_INT badPasswordTime s
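An added example (not from the deck or from AIX) in Python showing the map-file mechanics behind the sfu30user.map excerpt above and Issues #19 and #20: parsing the four-field lines, switching the spassword and users mappings the way the deck says an administrator edits the file, deriving which ldap.cfg authentication type the password mapping forces, and resolving group members whether the group carries full DNs (msSFU30PosixMember) or bare names (msSFU30MemberUid). The map excerpt is trimmed to a few of the lines shown; the group unixadm, the user objects and the dangling member DN are constructed.

```python
# Constructed excerpt of /etc/security/ldap/sfu30user.map in the layout the deck
# shows: <AIX attribute> <type> <AD attribute> <s|m>; a leading "#" disables a line.
USER_MAP = """\
username SEC_CHAR msSFU30Name s
id SEC_INT msSFU30UidNumber s
pgrp SEC_CHAR msSFU30GidNumber s
spassword SEC_CHAR msSFU30Password s
#spassword SEC_CHAR unicodePwd s
"""
# The deck shows only the membership line of the group map; other lines are omitted.
GROUP_MAP = "users SEC_LIST msSFU30PosixMember m\n"


def parse_map(text):
    """Map file -> {aix_attr: (sec_type, ad_attr, multivalued)}, skipping comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        aix_attr, sec_type, ad_attr, card = line.split()
        mapping[aix_attr] = (sec_type, ad_attr, card == "m")
    return mapping


def remap(text, aix_attr, ad_attr):
    """Return the map text with aix_attr pointing at ad_attr, the edit the deck
    describes for Issues #19 and #20: the old active line is commented out, a
    matching commented line is re-enabled, or a new line is written when none exists."""
    out, template, hit = [], None, False
    for line in text.splitlines():
        fields = line.lstrip("#").split()
        if len(fields) == 4 and fields[0] == aix_attr:
            template = fields
            if fields[2] == ad_attr:
                hit = True
                out.append(" ".join(fields))
            else:
                out.append("#" + " ".join(fields))
        else:
            out.append(line)
    if not hit:
        if template is None:
            raise ValueError(f"{aix_attr} is not defined in this map file")
        out.append(" ".join([aix_attr, template[1], ad_attr, template[3]]))
    return "\n".join(out) + "\n"


def required_auth_type(user_map):
    """unicodePwd can only be verified by AD, so the client must present the
    password to AD (ldap_auth, over SSL); msSFU30Password holds a crypt() hash
    that AIX can check itself, so unix_auth is possible."""
    ad_attr = parse_map(user_map)["spassword"][1]
    return "ldap_auth" if ad_attr.lower() == "unicodepwd" else "unix_auth"


def resolve_members(group_entry, group_map, users_by_dn):
    """Group membership values -> AIX user names. msSFU30PosixMember carries full
    DNs that each need a lookup (the parsing cost the deck mentions);
    msSFU30MemberUid already carries the user name."""
    _, ad_attr, _ = parse_map(group_map)["users"]
    values = group_entry.get(ad_attr, [])
    if ad_attr.lower() != "mssfu30posixmember":
        return list(values)
    names = []
    for dn in values:
        entry = users_by_dn.get(dn.lower())
        if entry is not None:          # skip dangling DNs (deleted or renamed members)
            names.append(entry["msSFU30Name"])
    return names


# Constructed AD objects with the attribute shapes shown in the deck.
USERS_BY_DN = {
    "cn=user1,cn=users,dc=dept1,dc=abc,dc=com": {"msSFU30Name": "user1"},
    "cn=user2,cn=users,dc=dept1,dc=abc,dc=com": {"msSFU30Name": "user2"},
}
GROUP = {
    "msSFU30Name": ["unixadm"],
    "msSFU30PosixMember": ["cn=user1,cn=users,dc=dept1,dc=abc,dc=com",
                           "cn=user2,cn=users,dc=dept1,dc=abc,dc=com",
                           "cn=gone,cn=users,dc=dept1,dc=abc,dc=com"],
    "msSFU30MemberUid": ["user1", "user2"],
}
```

Whichever membership attribute the map selects, the AIX-side result is the same user list; the difference is the per-member DN lookup, and whether the AD side keeps both attributes populated.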


IBM STG Technical Conference

AIX LDAP client tools


AIX LDAP client programs

ldapsearch      search the LDAP server for an entry
ldapadd         add an entry to the LDAP server
ldapmodify      modify an LDAP entry
ldapmodrdn      modify the RDN of an LDAP entry
ldapdelete      delete an LDAP entry
ldapcfg         configure the LDAP server
ldif2db         add an LDIF file directly to the DB2 database
db2ldif         extract LDIF information from DB2

AIX security client tools

lsldap          command tool to retrieve LDAP entries
mksecldap       configure the LDAP server and the AIX client for AIX user authentication/identification
secldapclntd    LDAP security client daemon
                control tools: ls-secldapclntd, flush-secldapclntd, restart-secldapclntd, stop-secldapclntd, start-secldapclntd
sectoldif       tool to convert user information to LDIF
nistoldif       tool to convert NIS information to LDIF
secldifconf     convert from one schema to another


Password restriction options

• RFC2307 based
  shadowlastchange, shadowmax, shadowmin, shadowexpire and shadowwarning

• AIX schema extension based
  isaccountenabled, passworddictfiles, timeexpirelockout, passwordflags,
  passwordhistexpire, passwordhistsize, passwordhistlist,
  passwordmaxrepeatedchars, passwordminalphachars,
  passwordmindiffchars, passwordminlength, passwordminotherchars,
  passwordcheckmethods
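An added Python example, not from the slides or from AIX itself: it parses the four-column map-file format shown on the sfu30user.map slide (AIX attribute, SEC_* type, AD attribute, s for single-valued; the SEC_CHAR/SEC_INT set and the s/m flag are assumptions), translates a constructed AD entry into AIX attributes, and evaluates the RFC 2307 shadow aging attributes just listed, working in days since the epoch as the shadow attributes do. MAP_TEXT and ENTRY are constructed sample data.

```python
# Constructed excerpt in the map-file format (AIX attribute, type, LDAP
# attribute, s = single-valued); the commented line is skipped, as AIX does.
MAP_TEXT = """\
username SEC_CHAR msSFU30Name s
id SEC_INT msSFU30UidNumber s
lastupdate SEC_INT msSFU30ShadowLastChange s
maxage SEC_INT msSFU30ShadowMax s
minage SEC_INT msSFU30ShadowMin s
pwdwarntime SEC_INT msSFU30ShadowWarning s
#unsuccessful_login_count SEC_INT badPwdCount s
"""

# Constructed AD entry as an LDAP client would return it (attr -> values).
ENTRY = {"msSFU30Name": ["jdoe"], "msSFU30UidNumber": ["10001"],
         "msSFU30ShadowLastChange": ["13500"], "msSFU30ShadowMax": ["90"],
         "msSFU30ShadowMin": ["7"], "msSFU30ShadowWarning": ["14"]}

TYPES = {"SEC_CHAR": str, "SEC_INT": int}  # assumed subset of AIX map types

def parse_map(text):
    """Return {aix_attr: (converter, ldap_attr, multivalued)}; reject bad lines."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        if len(fields) != 4 or fields[1] not in TYPES or fields[3] not in ("s", "m"):
            raise ValueError(f"map line {lineno}: malformed entry {raw!r}")
        aix, sectype, ldap, mult = fields
        mapping[aix] = (TYPES[sectype], ldap, mult == "m")
    return mapping

def to_aix(entry, mapping):
    """Translate an LDAP entry into AIX attributes, converting SEC_INT values."""
    out = {}
    for aix, (conv, ldap, multi) in mapping.items():
        vals = entry.get(ldap)
        if vals:  # an absent AD attribute leaves the AIX attribute unset
            out[aix] = [conv(v) for v in vals] if multi else conv(vals[0])
    return out

def password_status(aix, today):
    """Shadow aging in days since the epoch: ok, warn or password-expired."""
    last, maxage = aix.get("lastupdate"), aix.get("maxage")
    if last is None or not maxage:
        return "ok"  # no aging policy recorded for this user
    if today >= last + maxage:
        return "password-expired"
    if today >= last + maxage - aix.get("pwdwarntime", 0):
        return "warn"
    return "ok"
```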


Summary
• AIX security solution with LDAP has matured
  – AIX 5.3 TL5 adds important new features

• Mixing Solaris, HP-UX, AIX, Linux and Windows is complex
  – Other vendors are no better off, just different

• There is no one standard for LDAP authentication
  – RFC 2307 is an experimental RFC
  – Widely adopted, including netgroup and automount extensions
  – All vendors provide a slightly different interpretation of the extensions

• Two methods for AIX authentication against Microsoft ADS
  – Kerberos and LDAP
  – Support for Microsoft Windows Server 2000/2003
  – Support for Microsoft Windows Server 2003 R2 soon

• Many issues remain in providing a cross-vendor solution
  – Only plug-and-play solutions are commercial
  – An AIX-only solution with ITDS is trivial to implement


AIX LDAP References


AIX 5.2 white papers on LDAP authentication
– http://www-1.ibm.com/servers/aix/whitepapers/ldap_server.html
– http://www-1.ibm.com/servers/aix/whitepapers/ldap_client.html
– www.ibm.com/servers/aix/whitepapers/ldap_naming.pdf
– http://www-128.ibm.com/developerworks/aix/library/au-aixadsupport.html?ca=dgr-lnxw97AIXclientsupp
Kerberos authentication against Windows:
– http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/kerberos_auth_only_load_module.htm
– http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/kerberos_questions_troubleshooting.htm
– http://www-03.ibm.com/systems/p/library/wp_aix_lit.html
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos.pdf
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos2.pdf
AIX 5.2 Docs for LDAP
– http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/ldap_exploitation.htm
– http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/nisplus/migrating.htm
AIX 5L LDAP exploitation documentation
– http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/admnconc/ldap_exploit.htm
– http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds5/secldapclntd.htm


IBM Redbooks on Security and Authentication


http://www.redbooks.ibm.com

Integrating AIX into heterogeneous LDAP Environments – SG24-7165
– Coming soon to a Wiki near you
AIX 5.2 Security Supplement – SG24-6066-00
Understanding LDAP – SG24-4986
LDAP Implementation Cookbook – SG24-5110
Using LDAP for Directory Integration – SG24-6163
AIX 4.3.3 Differences Guide – SG242014.html
– Describes the first AIX LDAP authentication
AIX 5L Differences Guides
AIX 5L Differences Guide Version 5.3 Edition – SG24-7463
AIX 4.3 Elements of Security – SG24-5962
Elements of Security: AIX 4.1 – SG24-4433
AIX Security Tools: pSeries, SP & eCluster 1600 – SG24-5971
Managing AIX Server Farms – SG24-6606


IBM General Security References


pSeries Security
– http://www.ibm.com/eserver/pseries/security
IBM Security Solutions:
– http://www.ibm.com/security
AIX Virtual Private Networks
– http://www-1.ibm.com/servers/aix/products/ibmsw/security/vpn/index.html
IBM Developerworks Kerberos Overview
– http://www-106.ibm/developerworks/library/it-kerbero.html
Developerworks security collection
– http://www-106.ibm.com/developerworks/security/
Developerworks security projects
– http://www-106.ibm.com/developerworks/views/security/projects.jsp
IBM LDAP Schema
– www.ibm.com/servers/eserver/iseries/ldap/schema


Key HP/UX, Solaris and Linux LDAP Auth sites


PADL Migration tools
– http://www.padl.com/OSS/MigrationTools.html
– http://www.padl.com/OSS/pam_ldap.html
DataConv: LDAP migration tools
– http://dataconv.org/apps_ldap.html
Solaris 10 General LDAP
– http://docs.sun.com/app/docs/doc/816-4556/6maort2t4?q=automount&a=view
Sun Java System Directory Server 5.2
– http://www.sun.com/software/products/directory_srvr/home_directory.xml
Sun One Directory Server – formerly Netscape
– http://docs.sun.com/app/docs/doc/816-6703-10
Sun Blueprints:
– LDAP in the Solaris™ Operating Environment: Deploying Secure Directory Services
– http://safari.oreilly.com/0131456938
LDAP HP-UX – NIS/LDAP Gateway and LDAP-UX Client Services
– http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4269AA
– http://docs.hp.com/en/internet.html
LDAP-UX Client Services with Microsoft Windows 2000/2003
– http://docs.hp.com/en/J4269-90049/index.html – LDAP-UX Client Services and ADS


Microsoft SFU links

• Microsoft Services for UNIX (SFU) download
– http://www.microsoft.com/windowsserversystem/sfu/downloads/default.mspx
• UNIX Interoperability in Windows Server 2003 R2
– http://www.microsoft.com/technet/community/events/windows2003srvR2/add-52.mspx
• Windows Security and Directory Services for UNIX Guide v1.0
– http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/00wsdsu.mspx
– http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx
• Password synchronization
– http://www.microsoft.com/technet/interopmigration/unix/sfu/psync.mspx


Other LDAP References


OpenLDAP
– http://www.openldap.org
LDAP related RFCs
– http://www.ietf.org/rfc/rfc2307.txt – LDAP mapping of NIS
– www.imc.org/rfc2251 – LDAP version 3 protocol
– www.imc.org/rfc2559 – LDAPv2 protocols
– www.imc.org/rfc2587 – LDAPv2 schema
– www.imc.org/rfc1777 – LDAP
– rfc1823 – LDAP programming interface
– rfc1960 – LDAP search filters
– rfc1779 – distinguished names
HP RFC2307-bis automount schemas
– http://docs.hp.com/en/J4269-90064/ch04s02.html
The Moron's Guide to Kerberos
– http://www.isi.edu/~brian/security/kerberos.html
