LDAP Enhancements 2006
Transcript of LDAP Enhancements 2006
AIX Security Development
2006 IBM Corporation
AIX LDAP Authentication and Identification Enhancements for AIX ML05
Pre 5.3/ML05 Support For LDAP Based Authentication
Many OS tables could be managed through an LDAP server: users, groups, network tables, accounting, etc.
Multiple clients use the same configuration information.
Features of LDAP user management on AIX:
RFC 2307 based implementation
Compatible with any RFC 2307 LDAP server, even if the server is based on another platform
Fault tolerant: client switchover to another server
Server based authentication
Host login controls
AIX 5.3 ML05 LDAP enhancements
Support For Extended Base DN Format
Support For Multiple Base DN Definitions
AIX LDAP Client Support Against Microsoft Active Directory
Extended Base DN Format
AIX now supports base DNs in these formats:
userbasedn: ou=people, cn=aixdata
userbasedn: ou=people, cn=aixdata?scope
userbasedn: ou=people, cn=aixdata?scope?filter
where scope is one of: one, sub, base.
Filter is of simple format:
(attribute=value)
(&(attribute=value)(attribute=value))
(|(attribute=value)(attribute=value))
Multiple Base DN Support
User and group information can be distributed across the server.
Multiple base DNs for users and groups can be specified in /etc/security/ldap/ldap.cfg.
Example:
userbasedn: ou=dept1,ou=people, cn=aixdata
userbasedn: ou=dept2,ou=people, cn=aixdata
AIX will accept up to ten base DNs per entity (e.g. user).
Search / modification is done in the order specified, and the first match is returned / modified.
New entries are only added to the first base DN by mkuser / mkgroup.
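As an added example (not from the slides and not AIX's own code), a small Python parser for the extended base DN format and the multiple-base-DN search order described on the two slides above: it reads userbasedn lines from a constructed ldap.cfg excerpt, validates the scope and the simple filter syntax, enforces the ten-entry limit, and resolves a user by walking the base DNs in configured order so the first match wins. The in-memory directory stand-in and the '*' comment convention are assumptions.

```python
import re
VALID_SCOPES = {"one", "sub", "base"}
MAX_BASEDNS = 10  # AIX accepts up to ten base DNs per entity (user, group)
# The three simple filter shapes the slides list: (a=v), (&(a=v)(a=v)), (|(a=v)(a=v))
_FILTER_RE = re.compile(r"^(?:\([\w-]+=[^()]+\)|\([&|](?:\([\w-]+=[^()]+\))+\))$")

def parse_basedn(value):  # 'dn[?scope[?filter]]' -> (dn, scope, filter); scope defaults to 'sub'
    parts = [p.strip() for p in value.split("?", 2)]
    dn = ",".join(p.strip() for p in parts[0].split(","))  # tidy 'ou=people, cn=aixdata'
    scope = parts[1] if len(parts) > 1 else "sub"
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one|sub|base, got {scope!r}")
    filt = parts[2] if len(parts) > 2 else None
    if filt is not None and not _FILTER_RE.match(filt):
        raise ValueError(f"unsupported filter syntax: {filt!r}")
    return dn, scope, filt

def load_basedns(cfg_text, key="userbasedn"):  # every '<key>:' line, in file (= search) order
    found = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):  # assumed: '*' starts a comment line in ldap.cfg
            continue
        k, sep, v = line.partition(":")
        if sep and k.strip() == key:
            found.append(parse_basedn(v))
    if len(found) > MAX_BASEDNS:
        raise ValueError(f"{key}: {len(found)} entries, AIX allows at most {MAX_BASEDNS}")
    return found

def matches(filt, entry):  # '(|...)' needs any term to hold; '(&...)' or a bare term needs all
    hits = [entry.get(a) == v for a, v in re.findall(r"\(([\w-]+)=([^()]+)\)", filt)]
    return any(hits) if filt.startswith("(|") else all(hits)

def find_user(basedns, directory, uid):  # first match wins, walking base DNs in configured order
    for dn, _scope, filt in basedns:
        for entry in directory.get(dn, []):
            if entry.get("uid") == uid and (filt is None or matches(filt, entry)):
                return dn, entry
    return None  # not found under any configured base DN

CFG = """* constructed ldap.cfg excerpt: second base DN is narrowed by scope and a filter
userbasedn: ou=dept1,ou=people, cn=aixdata
userbasedn: ou=dept2,ou=people, cn=aixdata?one?(&(objectclass=posixaccount)(gidnumber=200))
"""
DIRECTORY = {  # constructed in-memory stand-in for the server, keyed by normalised base DN
    "ou=dept1,ou=people,cn=aixdata": [{"uid": "alice", "gidnumber": "100"}],
    "ou=dept2,ou=people,cn=aixdata": [{"uid": "bob", "objectclass": "posixaccount", "gidnumber": "200"},
                                      {"uid": "carol", "objectclass": "posixaccount", "gidnumber": "300"}],
}
```

Note that carol sits under the second base DN but fails its filter, so the lookup returns nothing for her even though the entry exists.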
AIX LDAP Client Support For Active Directory
Enable the AIX client to use Active Directory LDAP.
Support Active Directory (AD) like any RFC 2307 compliant LDAP server.
Transparent to administrators and users: all implementation details are hidden.
Use mksecldap to configure the AIX client to operate with AD, just as is done for any other LDAP server:
mksecldap -c -h <AD server> -a cn=administrator,cn=users,dc=austin,dc=ibm,dc=com -p pwd -d cn=users,dc=austin,dc=ibm,dc=com
AIX AD Client support: Details
AIX maps AIX security attribute names to AD custom names via
/etc/security/ldap/sfu30user.map
/etc/security/ldap/sfu30group.map
The AIX LDAP client tool mksecldap will autodetect an AD server: the schema type used by AD is queried, and AIX is configured with the corresponding attribute maps.
AIX Requirements on Active Directory Configuration
AD for Windows 2000/2003.
AD must have the Unix schema installed; the schema can be installed from MS Services for Unix (SFU).
Supported: SFU v3.0+ (3.0 and 3.5).
Windows users and groups should be enabled for Unix support.
AIX Commands
These commands work against Active Directory: lsuser, chuser, rmuser, passwd*, chpasswd*, lsgroup, chgroup, rmgroup, id, groups
These commands will not operate with Active Directory: mkuser, mkgroup
Group Support for both AD group attributes
AD supports two types of group attributes: msSFU30PosixMember and msSFU30MemberUid.
Default support is for msSFU30PosixMember. For msSFU30MemberUid, the admin needs to change the map file.

Name                 Comments
msSFU30PosixMember   Requires full DN. Example: msSFU30PosixMember: cn=user1,cn=users,dc=fvt,dc=austin,dc=ibm,dc=com
msSFU30MemberUid     Same as the RFC 2307 memberUid attribute. Example: msSFU30memberuid: user1
Limitations/Issues
Issue: Password Synchronization
A password change from AIX could lead to synchronization issues, mainly because AD supports two passwords:
Native password, unicodePwd: supports Windows user authentication.
A password for the Unix clients to AD interface, msSFU30Password: supports the UNIX crypt password.
Issue: Password, continued
AIX using the unicodePwd password: no sync issue, same password for Windows and AIX.
Password change requires an SSL connection.
How to use unicodePwd from AIX: set the LDAP authentication type to ldap_auth.
Issue: Password, continued
AIX using the msSFU30Password password: a password change from AIX will change only msSFU30Password and not unicodePwd.
Hence the user will use different passwords for Windows and AIX logins.
How to use msSFU30Password from AIX: set the LDAP authentication type to unix_auth, and change the map file /etc/security/ldap/sfu30user.map to map the AIX password to msSFU30Password.
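An added consistency check (not from the slides and not AIX's own code) for the two password modes described on the three password slides above: given a constructed ldap.cfg excerpt and a constructed sfu30user.map line, it reports whether the authentication type, the SSL setting and the password attribute mapping agree, and flags the Windows/AIX password divergence that unix_auth implies. The ldap.cfg keys authtype and useSSL, the default authtype when the key is absent, and the map-file layout 'aixattr type ldapattr valuetype' are assumptions.

```python
# The two AD password attributes from the slides and the AIX authtype that uses each.
PASSWORD_MODES = {
    "ldap_auth": "unicodePwd",       # AD native password: one password for Windows and AIX
    "unix_auth": "msSFU30Password",  # UNIX crypt password for the Unix-client interface
}

def read_cfg(cfg_text):  # ldap.cfg 'key:value' lines; '*' comment lines skipped (assumed layout)
    cfg = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if line and not line.startswith("*") and ":" in line:
            k, _, v = line.partition(":")
            cfg[k.strip()] = v.strip()
    return cfg

def mapped_password_attr(map_text):  # assumed map-file layout: 'aixattr  type  ldapattr  valuetype'
    for line in map_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "password":
            return fields[2]
    return None

def check_password_setup(cfg_text, map_text):
    """Findings for an AIX client bound to AD; an empty list means the setup is consistent."""
    cfg, attr = read_cfg(cfg_text), mapped_password_attr(map_text)
    authtype = cfg.get("authtype", "unix_auth")  # assumed default when the key is absent
    if authtype not in PASSWORD_MODES:
        return [f"unknown authtype {authtype!r}"]
    findings = []
    if authtype == "ldap_auth" and cfg.get("useSSL", "no").lower() != "yes":
        findings.append("ldap_auth without useSSL:yes; password change against unicodePwd requires SSL")
    if authtype == "unix_auth":
        if attr != "msSFU30Password":
            findings.append(f"unix_auth but AIX password maps to {attr!r}; map it to msSFU30Password")
        findings.append("unix_auth: passwd on AIX changes msSFU30Password only, not unicodePwd, "
                        "so Windows and AIX passwords will differ")
    return findings

# Constructed samples: three ldap.cfg excerpts and two map-file lines.
SSL_LDAP_AUTH = "* constructed ldap.cfg excerpt\nauthtype:ldap_auth\nuseSSL:yes\n"
PLAIN_LDAP_AUTH = "authtype:ldap_auth\nuseSSL:no\n"
UNIX_AUTH = "authtype:unix_auth\n"
SFU_MAP = "password  SEC_CHAR  msSFU30Password  s\n"
DEFAULT_MAP = "password  SEC_CHAR  userPassword  s\n"
```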
AIX Security References
AIX online publications: http://www.ibm.com/servers/aix
Technical Redbooks, PDF/HTML available at http://www.redbooks.ibm.com
SG24-5962-00 AIX 4.3 Elements of Security
SG24-5971-00 Additional AIX Security Tools
SG24-7463-00 AIX 5L Differences Guide Version 5.3 Edition
pSeries Security: http://www.ibm.com/eserver/pseries/security
HMC Security: http://www.ibm.com/servers/eserver/pseries/hardware/whitepapers/hmc_security.pdf
IBM Security: http://www.ibm.com/security
Security information by email: https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
IBM Security Response Alerts: [email protected]
AIX Security References, contd.
AIX LDAP integration Redbook: http://www.redbooks.ibm.com/redpieces/pdfs/sg247165.pdf
AIX LDAP Configuration
Server: http://www-1.ibm.com/servers/aix/whitepapers/ldap_server.html
Client: http://www-1.ibm.com/servers/aix/whitepapers/ldap_client.pdf
AIX Virus Scan Software: http://www-1.ibm.com/servers/eserver/pseries/security/feature/antivirus.html
SSH DeveloperWorks articles:
http://www-106.ibm.com/developerworks/eserver/articles/openssh_aix.html
http://www-106.ibm.com/developerworks/eserver/articles/openssh_updated.html
Service Update Management Assistant (SUMA), a tool to monitor for security PTFs: http://www-03.ibm.com/servers/aix/whitepapers/suma.pdf
AIX user management using a Kerberos server:
http://www-03.ibm.com/systems/p/library/wp_aix_lit.html
http://www.ibm.com/servers/aix/whitepapers/aix_kerberos.pdf
http://www.ibm.com/servers/aix/whitepapers/aix_kerberos2.pdf