LDAP Enhancements 2006


Transcript of LDAP Enhancements 2006

  • 1 AIX Security Development, © 2006 IBM Corporation

    AIX LDAP Authentication and Identification Enhancements for AIX ML05

    Pre 5.3/ML05 Support For LDAP Based Authentication

    Many OS tables could be managed through an LDAP server: users, groups, network tables, accounting, etc.

    Multiple clients use the same configuration information.

    Features of LDAP user management on AIX:

    RFC 2307 based implementation

    Compatible with any RFC 2307 LDAP server, even if the server is based on another platform.

    Fault tolerant: client switchover to another server

    Server based authentication

    Host login controls

  • 2

    AIX 5.3 ML05 LDAP enhancements

    Support For Extended Base DN Format

    Support For Multiple Base DN Definitions

    AIX LDAP Client Support Against Microsoft Active Directory

    Extended Base DN Format

    AIX now supports base DNs in these formats:

        userbasedn: ou=people, cn=aixdata
        userbasedn: ou=people, cn=aixdata?scope
        userbasedn: ou=people, cn=aixdata?scope?filter

    where scope is one, sub, or base, and filter is of a simple format:

        (attribute=value)
        (&(attribute=value)(attribute=value))
        (|(attribute=value)(attribute=value))

  • 3

    Multiple Base DN Support

    Can distribute user and group information in the server.

    Can specify multiple base DNs for users and groups in /etc/security/ldap/ldap.cfg

    Example:

        userbasedn: ou=dept1,ou=people, cn=aixdata
        userbasedn: ou=dept2,ou=people, cn=aixdata

    AIX will accept up to ten base DNs per entity (e.g. user).

    Search / modification is done in the order specified, and the first match is returned/modified.

    New entries are only added to the first base DN by mkuser / mkgroup.

  • 4

    AIX LDAP Client Support For Active Directory

    Enable the AIX client to use Active Directory LDAP.

    Support Active Directory (AD) similar to any RFC 2307 compliant LDAP server.

    Transparent to administrators and users: hide all implementation details.

    Use mksecldap to configure the AIX client to operate with AD, just as would be done for any other LDAP server:

        mksecldap -c -h <AD server> -a cn=administrator,cn=users,dc=austin,dc=ibm,dc=com -p pwd -d cn=users,dc=austin,dc=ibm,dc=com

  • 5

    AIX AD Client support: Details

    AIX maps AIX security attribute names to AD custom names in:

        /etc/security/ldap/sfu30user.map
        /etc/security/ldap/sfu30group.map

    The AIX LDAP client tool mksecldap will autodetect an AD server: the schema type used by AD is queried, and AIX is configured with the corresponding attribute maps.

    AIX Requirements on Active Directory Configuration

    AD for Windows 2000/2003: AD must have the Unix schema installed.

    The schema can be installed from MS Services for Unix (SFU).

    Supports SFU v3.0+ (3.0 and 3.5).

    Windows users and groups should be enabled for Unix support.

  • 6

    AIX Commands

    These commands work against Active Directory: lsuser, chuser, rmuser, passwd*, chpasswd*, lsgroup, chgroup, rmgroup, id, groups

    These commands will not operate with Active Directory: mkuser, mkgroup

    Group Support for both AD group attributes

    AD supports two types of group attributes: msSFU30PosixMember and msSFU30MemberUid

    Default support is for msSFU30PosixMember. For msSFU30MemberUid, the admin needs to change the map file.

        Name                 Comments
        msSFU30MemberUid     Same as the RFC 2307 memberUid attribute.
                             Example: msSFU30MemberUid: user1
        msSFU30PosixMember   Requires a full DN.
                             Example: msSFU30PosixMember: cn=user1,cn=users,dc=fvt,dc=austin,dc=ibm,dc=com
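Added example (not from the slides and not AIX's own code): resolving an AD group's AIX members under either map-file setting from the table above, msSFU30MemberUid as bare uids and msSFU30PosixMember as full DNs that must be resolved to user entries. The AD entries are constructed, and using msSFU30Name as the mapped Unix login-name attribute is an assumption.

```python
# Constructed stand-in for the AD user entries the AIX client would fetch: normalised DN -> attributes.
# msSFU30Name as the attribute holding the Unix login name is an assumption about the map file.
AD_USERS = {
    "cn=user1,cn=users,dc=fvt,dc=austin,dc=ibm,dc=com": {"msSFU30Name": ["user1"]},
    "cn=user3,cn=users,dc=fvt,dc=austin,dc=ibm,dc=com": {"msSFU30Name": ["user3"]},
}
# Constructed AD group carrying both membership attributes at once.
AD_GROUP = {
    "cn": ["aixadmins"],
    "msSFU30MemberUid": ["user1", "user2", "user1"],
    "msSFU30PosixMember": [
        "cn=user1,cn=users,dc=fvt,dc=austin,dc=ibm,dc=com",
        "CN=User3, CN=Users, DC=fvt, DC=austin, DC=ibm, DC=com",   # different case/spacing, same DN
        "cn=ghost,cn=users,dc=fvt,dc=austin,dc=ibm,dc=com",        # DN with no user entry behind it
    ],
}

def get_attr(entry, name):
    """Case-insensitive attribute lookup: LDAP attribute names are not case-sensitive."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def norm_dn(dn):
    """Cheap DN normalisation for comparison: lower-case, strip blanks around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def group_members(group, member_attr, users=AD_USERS):
    """Return (members, unresolved) for the AD group under the map file's member attribute.
    msSFU30MemberUid holds bare uids (like RFC 2307 memberUid) and needs no lookup;
    msSFU30PosixMember holds full DNs, each resolved to a user entry for its login name."""
    values = get_attr(group, member_attr)
    if member_attr.lower() == "mssfu30memberuid":
        return sorted(set(values)), []
    if member_attr.lower() != "mssfu30posixmember":
        raise ValueError(f"unsupported member attribute: {member_attr}")
    members, unresolved = set(), []
    for dn in values:
        entry = users.get(norm_dn(dn))
        names = get_attr(entry, "msSFU30Name") if entry else []
        if names:
            members.add(names[0])
        else:
            unresolved.append(dn)   # a DN AIX cannot map to any user entry
    return sorted(members), unresolved
```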

  • 7

    Limitations/Issues

    Issue: Password Synchronization

    Password change from AIX could lead to synchronization issues, mainly because AD supports two passwords:

    Native password: unicodePwd, supporting Windows user authentication

    And a password for the Unix clients to AD interface: msSFU30Password, supporting the UNIX crypt password

  • 8

    Issue: Password continued

    AIX using the unicodePwd password: no sync issue; the same password is used for Windows or AIX.

    Password change requires an SSL connection.

    How to use unicodePwd from AIX: set the LDAP authentication type to ldap_auth

    Issue: Password continued

    AIX using the msSFU30Password password: a password change from AIX will change only msSFU30Password and not unicodePwd.

    Hence the user will use different passwords for Windows and AIX logins.

    How to use msSFU30Password from AIX: set the LDAP authentication type to unix_auth, and change the map file /etc/security/ldap/sfu30user.map to map the AIX password to msSFU30Password.

  • 9

    AIX Security References

    AIX online publications: http://www.ibm.com/servers/aix

    Technical Redbooks, PDF/HTML available at http://www.redbooks.ibm.com
        SG24-5962-00 AIX 4.3 Elements of Security
        SG24-5971-00 Additional AIX Security Tools
        SG24-7463-00 AIX 5L Differences Guide Version 5.3 Edition

    pSeries Security: http://www.ibm.com/eserver/pseries/security

    HMC Security: http://www.ibm.com/servers/eserver/pseries/hardware/whitepapers/hmc_security.pdf

    IBM Security: http://www.ibm.com/security

    Security information by email: https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

    IBM Security Response Alerts: [email protected]

    AIX Security References: contd.

    AIX LDAP integration Redbook: http://www.redbooks.ibm.com/redpieces/pdfs/sg247165.pdf

    AIX LDAP Configuration
        Server: http://www-1.ibm.com/servers/aix/whitepapers/ldap_server.html
        Client: http://www-1.ibm.com/servers/aix/whitepapers/ldap_client.pdf

    AIX Virus Scan Software: http://www-1.ibm.com/servers/eserver/pseries/security/feature/antivirus.html

    SSH developerWorks articles:
        http://www-106.ibm.com/developerworks/eserver/articles/openssh_aix.html
        http://www-106.ibm.com/developerworks/eserver/articles/openssh_updated.html

    Service Update Management Assistant (SUMA), a tool to monitor for security PTFs: http://www-03.ibm.com/servers/aix/whitepapers/suma.pdf

    AIX user management using a Kerberos server:
        http://www-03.ibm.com/systems/p/library/wp_aix_lit.html
        http://www.ibm.com/servers/aix/whitepapers/aix_kerberos.pdf
        http://www.ibm.com/servers/aix/whitepapers/aix_kerberos2.pdf