IBM STG Technical Conference
IBM Systems and Technology Group Technical Conference
New Orleans, Louisiana, February 5 - 9, 2007
© 2007 IBM Corporation
AIX Authentication to an LDAP Server (Session A03)
John Tesch, Ph.D., Consulting IT Specialist, Americas Advanced Technical Support
[email protected]
Agenda
– LDAP user management goals and issues
– Introduction to AIX user management
– Configuring AIX for user authentication and credentials
– Authenticating AIX to Microsoft Windows Active Directory
LDAP – what the customer is looking for
– One password gives access to all systems
– User data and passwords all in one place
Today's picture, too often
– File-based user data
– Multiple incompatible LDAP servers
– NIS/NIS+
– Separate password for each system
– Microsoft ADS
– Separate data on each server
Issue #1: Schemas and LDAP servers
Schema support:
– AIX proprietary schema
– RFC2307
– RFC2307bis
– AIX extensions
– Solaris 9 extensions
– Solaris 10 extensions
– Novell
– Microsoft SFU 2.0
– Microsoft SFU 3.0
– Microsoft Windows 2000 V2
– Person, ePerson, etc.
LDAP servers:
– ITDS – IBM Tivoli Directory Server (4.1, 5, 6.0)
– OpenLDAP
– Sun One Directory Server
– Sun Java System Directory Server 5.2
– Novell eDirectory
– Windows 2000 Active Directory
– Windows 2003 Active Directory
– Windows 2003 R2 ACS
– Netscape Directory Server -> Sun
Schema support introduced by AIX level
Schema support:
– AIX proprietary schema (all)
– RFC2307
– AIX extensions
– RFC2307bis
– Solaris 9 extensions
– Solaris 10 extensions
– Novell (*?)
– Microsoft SFU 2.0
– Microsoft SFU 3.0
– Microsoft Windows 2000 V2
– Person, ePerson, etc.
AIX release:
– AIX 4.3.3*
– AIX 5.1
– AIX 5.2
– AIX 5.3
– AIX 5.3 ML3
– AIX 5.3 TL5
– AIX 5.3 TL6 (?)
* PADL - RFC2307
? (Planned)
* Novell MD5 – ldap_auth
Issue #2: RFC2307, "An Approach for Using LDAP as a Network Information Service"
– Category: Experimental. Status: "This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind"
– Based somewhat on NIS
– Incomplete: doesn't cover all of the AIX or Solaris attributes; doesn't cover netgroups and automount
– Authors: L. Howard (PADL Software), M. Ansari (Sun Microsystems). Original date: March 1998
– rfc2307bis-00: October 2002, expired April 2003 (no longer posted); added support for netgroups, automount, etc.
– Included with OpenLDAP and the IBM and Sun LDAP servers; Microsoft does not fully support it in any release
AIX required object classes and attributes for user login:
– posixaccount: uid, uidnumber, gidnumber, homedirectory, loginshell, gecos, userpassword, shadowlastchange
– posixgroup: cn (group name), gidnumber, memberuid (list of the users' uids)
RFC2307 optional attributes used by AIX login
posixaccount:
– shadowmax -> maxage: maximum number of weeks the password is valid
– shadowmin -> minage: minimum number of weeks before the password may be changed
– shadowexpire -> maxexpired: number of weeks after expiration during which the user can still change the password
– shadowwarning -> pwdwarntime: number of days before expiration at which the user is warned
– Good to add the AIX extensions hostallowedaccess and hostdeniedaccess (not part of the RFC definition)
posixgroup:
– No optional attributes used by AIX
– Not used: description, memberPassword
AIX extensions to RFC2307
aixAuxAccount – added with the AIX extensions (RFC2307AIX schema):
– account_locked
– admin, admgroups
– Standard /etc/security/user attributes: expires, flags, groups
– User limits such as core, cpu, data, fsize, nofiles, rss, stack
– Login herald
– Password restrictions: histexpire, histsize, histlist, minalpha, mindiff, minlen, minother, pwdchecks, dictionlist
– Security: hostlastlogin, login, logindelay, logindisable, logininterval, loginretries, rcmds, registry, rlogin, roles, sakenabled, su, sugroups, sysenv, telnet, time_last_login, time_last_unsuccessful_login, tpath, tty_last_login, ttys, tty_last_unsuccessful_login, umask, projects
aixAuxGroup – primary, adms, admin, dce_export, screens, projects
Issue #3: AIX extensions and LDAP servers
– IBM Tivoli Directory Server: contains the RFC2307AIX schema since ITDS 4.1; does not include the Solaris extensions, and there are no instructions for adding that schema; some RFC2307bis attributes must be added manually
– OpenLDAP: may be the most widely used server among Linux customers; contains the RFC2307 schema, but not the Solaris or AIX extensions
– Sun Java System Directory Server 5.2: formerly Sun One; part of the Solaris Enterprise System; contains the Solaris extensions, but not the AIX extensions
– Sun One Directory Server: formerly Netscape Directory Server; available for AIX 5.2, but doesn't contain the AIX authentication extensions
– Active Directory with Services for Unix: Microsoft proprietary schema for UNIX, and no crypt() password support; no AIX or Solaris extensions
– Novell eDirectory Server: MD5 passwords, pseudo-RFC2307
Solaris extensions and LDAP servers
RBAC-related databases (Role Based Access Control):
– user_attr: ou=People, object class SolarisUserAttr
– prof_attr: ou=SolarisProfAttr, object classes SolarisProfAttr, SolarisExecAttr
– auth_attr: ou=SolarisAuthAttr, object class SolarisAuthAttr
– exec_attr: ou=SolarisProfAttr, object classes SolarisProfAttr, SolarisExecAttr
Only supported on Sun LDAP servers; requires adding the schema extensions on the others.
Issue #4: LDAP servers and the total solution
– IBM Tivoli Directory Server: best AIX solution, but Sun client support is missing
– OpenLDAP: good Linux solution, and a base solution for all, but no instructions for adding the AIX and Solaris schemas
– Sun Java System Directory Server 5.2: formerly Sun One; best pure Sun solution; base RFC2307 support for AIX is a known working solution; no instructions for adding the AIX extensions
– Active Directory with Services for Unix: many companies want this solution because most Unix users also have a Windows account and IT management sees it as an easy-to-manage solution; probably the most incomplete Unix solution available; no AIX or Solaris extensions, but easy to set up with base AIX 5.3 TL5
– Novell eDirectory Server: well liked by the few who know and like it, not very universal
Issue #5: LDAP user and group IDs and permissions
– A user must have the same UID on all clients: file ownership and permissions depend on it; avoid conflicts between local and LDAP users
– Users must have the same GID on all clients: file access and program execution depend on it
– Users with LDAP credentials must be in LDAP groups; local and LDAP GIDs must match
– Some OS administrative GIDs are in conflict. AIX: system=0, staff=1, bin=2, sys=3, security=7, cron=8. This could give AIX security access to the wrong users if you are not careful
– May require that certain users be local users with local groups
Basic user login – AIX 5.3 (diagram)
– Login services: ssh, ftp, login
– Two steps: 1. Authentication (username, password); 2. Get credentials (UID/GID, HOME, SHELL, etc.)
– auth_type in login.cfg selects STD_AUTH (LAM modules in /usr/lib/security, configured in methods.cfg) or PAM_AUTH (PAM modules configured in /etc/pam.conf)
– The user's SYSTEM and registry attributes select the backend: files, NIS maps, Kerberos, custom, LDAP
AIX Loadable Identification and Authentication framework (diagram)
AIX LDAP authentication choices – authtype (diagram)
– AUTH_TYPE = UNIX_AUTH: the client looks the user name up in LDAP, retrieves the crypt(passwd) value, and verifies the password locally with crypt()
– AUTH_TYPE = LDAP_AUTH: the client sends the user name and password to the LDAP server over an SSL tunnel, the server verifies the password, and the client receives the verification result
LDAP security client (diagram)
– ssh, ftp and login call authenticate(), which goes through the LDAP security load module to secldapclientd
– secldapclientd reads ldap.cfg (ldapsslport, Key.kdb) and talks to slapd: in plain text on port 389, or SSL-encrypted on port 636
LDAP schema – LDAP server choices, schemas and mapping
AIX security attributes are mapped to the LDAP attributes of each schema by /etc/security/ldap/*.map:
AIX attribute   AIX schema      rfc2307         msSFU30
username        username        uid             msSFU30Name
spassword       userpassword    userpassword    msSFU30Password
id              uid             uidnumber       msSFU30UidNumber
pgrp            gid             gidnumber       msSFU30GidNumber
home            homedirectory   homedirectory   msSFUHomeDirectory
shell           loginshell      loginshell      msSFULoginShell
Configuring ITDS (LDAP) on AIX (diagram)
mksecldap -s -S <schema> performs the server setup:
– Check the filesets
– Create the LDAP admin and the DB2 admin
– Run the slapd daemon and set the admin passwords
– Configure LDAP (ldapcfg), add the context DN, configure DB2
– Add nisSchema.ldif and sec.ldif to the schema (ldapmodify)
– Add slapd to /etc/inittab (mkitab)
– Convert the security files (/etc/passwd, /etc/group, /etc/security/passwd, /etc/security/user, ...) into an LDIF file of user and group information, for example:
dn: uid=default...
uid: caleb
objectClass: account
objectClass: posixAccount
...
– Load the LDIF file with ldapadd; the LDIF file is removed at the end
Optional: sectoldif -S <schema> converts the security files to LDIF on its own.
Checking LDAP server configuration and suffixes
Use the ldapsearch client to contact the server and retrieve information. The namingcontexts are the containers for information:
ldapsearch ..bindinfo.. -b "" -s base "objectclass=*" namingcontexts
namingcontexts=CN=SCHEMA
namingcontexts=CN=CONFIGURATION
namingcontexts=CN=LOCALHOST
namingcontexts=CN=PWDPOLICY
namingcontexts=CN=IBMPOLICIES
namingcontexts=CN=AIXDATA
namingcontexts=OU=ATS,O=IBM,O=COM
ldapsearch ..bindinfo.. -b "ou=ats,o=ibm,o=com" "(ou=*)"
ou=ats,o=ibm,o=com
objectclass=top
objectclass=organizationalunit
ou=ats
Default ITDS CN=AIXDATA container
Use the ldapsearch client to contact the server and retrieve the containers under CN=AIXDATA:
ldapsearch -h localhost -D cn=admin -w mypwd -b "CN=AIXDATA" OU=*
ou=People,cn=aixdata
ou=People
objectClass=organizationalUnit
objectClass=top
ou=Groups,cn=aixdata
ou=Groups
objectClass=organizationalUnit
objectClass=top
ou=System,cn=aixdata
ou=System
objectClass=organizationalUnit
objectClass=top
Migrating AIX users to the LDAP server (diagram)
– nistoldif -S <schema> converts NIS maps (shadow.byname, passwd.byuid, passwd.byname, autoFS, ...) into an LDIF file
– sectoldif -S <schema> converts the security files (/etc/passwd, /etc/group, /etc/security/passwd, /etc/security/user, ...) into an LDIF file
– ldapadd loads the LDIF file into LDAP
Example LDIF entry:
dn: uid=caleb,ou=aixuser,cn=ibm,cn=com
uid: caleb
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: aixauxaccount
cn: caleb
passwordchar: !
uidNumber: 210
gidNumber: 1
Checking LDAP user existence with ldapsearch
If you can't retrieve a user with ldapsearch, that user won't be able to authenticate.
ldapsearch -h localhost -D cn=admin -w jst4ldap -b "ou=ats,o=ibm,o=com" "(uid=test1)"
uid=test1,ou=People,ou=ats,o=ibm,o=com
uid=test1
objectClass=aixauxaccount
objectClass=shadowaccount
objectClass=posixaccount
objectClass=account
objectClass=ibm-securityidentities
objectClass=top
cn=test1
passwordchar=!
uidnumber=207
gidnumber=1
homedirectory=/home/test1
loginshell=/usr/bin/ksh
isadministrator=false
userpassword={crypt}kYaEASzK4RyaI
shadowlastchange=13006
passwordflags=ADMCHG
Issue #6: No tools for comparing LDIF files
Tools to create LDIF files from each server:
– AIX: nistoldif and sectoldif
– Solaris: ldapaddent, LDAP to NIS+ Gateway
– HP-UX: migrate_nisp_groups.pl, migrate_nisp_passwd.pl, etc.
– Linux: use the PADL scripts
– PADL: Perl scripts to migrate from flat files, NIS, etc.
The base DNs must match at the very least, e.g. dn: ou=aixuser,cn=aixsecdb,cn=aixdata
But no vendor provides scripts that compare the exports and report the differences:
– Same user name on two clients, but a different UID
– Same UID on two clients, but a different user name
– Different limits on different systems
You will get errors from ldapadd for some of the duplicates.
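The slides list the posixaccount/posixgroup attributes AIX needs for login (slides 8 and 9), the administrative GIDs that must not collide (Issue #5) and the conflicts that no vendor LDIF tool reports (Issue #6). The Python below is an added example, not part of the deck and not an IBM tool: it parses LDIF exports such as sectoldif produces, reports required attributes that are missing, diffs two exports for same-name/different-UID and same-UID/different-name users, and flags groups whose gidNumber is an AIX administrative GID under a different name. The LDIF samples are constructed (the caleb entry follows the slide's example; the password hash is a placeholder).

```python
"""Added example (not from the slides or from AIX): parse RFC2307-style LDIF,
check the attributes the slides list as required for AIX login, and diff two
LDIF exports for the UID/name and administrative-GID conflicts of Issues #5/#6."""
from collections import defaultdict

REQUIRED = {  # per the slide; LDAP attribute types compare case-insensitively
    "posixaccount": ("uid", "uidnumber", "gidnumber", "homedirectory",
                     "loginshell", "gecos", "userpassword", "shadowlastchange"),
    "posixgroup": ("cn", "gidnumber", "memberuid")}
AIX_RESERVED_GIDS = {0: "system", 1: "staff", 2: "bin", 3: "sys", 7: "security", 8: "cron"}


def parse_ldif(text):
    """Entries as {lowercased attribute: [values]}: a blank line ends an entry,
    a leading space continues the previous line, '#' starts a comment."""
    entries, current, logical = [], None, []

    def flush():
        if logical:
            line = "".join(logical)
            logical.clear()
            if not line.startswith("#"):
                name, _, value = line.partition(":")
                current[name.strip().lower()].append(value.strip())
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and logical:
            logical.append(raw[1:])
            continue
        flush()
        if raw == "":
            if current:
                entries.append(dict(current))
            current = None
        else:
            current = defaultdict(list) if current is None else current
            logical.append(raw)
    return entries


def classes(entry):
    return {v.lower() for v in entry.get("objectclass", [])}


def missing_login_attributes(entry):
    """Required attributes absent from a posixAccount or posixGroup entry."""
    required = next((REQUIRED[c] for c in REQUIRED if c in classes(entry)), ())
    return [a for a in required if not entry.get(a)]


def find_conflicts(entries_a, entries_b):
    """Same name with different UIDs, and same UID with different names,
    between two exports (e.g. sectoldif output taken on two clients)."""
    def users(entries):  # name -> UID for posixAccount entries carrying both
        return {e["uid"][0]: int(e["uidnumber"][0]) for e in entries
                if "posixaccount" in classes(e) and e.get("uid") and e.get("uidnumber")}
    a, b = users(entries_a), users(entries_b)
    ra, rb = {u: n for n, u in a.items()}, {u: n for n, u in b.items()}
    return ({n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]},
            {u: (ra[u], rb[u]) for u in ra.keys() & rb.keys() if ra[u] != rb[u]})


def reserved_gid_clashes(entries):
    """Groups whose gidNumber is an AIX administrative GID but under another name."""
    return [(e["cn"][0], int(e["gidnumber"][0]), AIX_RESERVED_GIDS[int(e["gidnumber"][0])])
            for e in entries if "posixgroup" in classes(e) and e.get("gidnumber") and e.get("cn")
            and AIX_RESERVED_GIDS.get(int(e["gidnumber"][0]), e["cn"][0]) != e["cn"][0]]


# Constructed sample exports; caleb follows the slide's LDIF example, the hash is a placeholder
LDIF_A = """\
dn: uid=caleb,ou=aixuser,cn=ibm,cn=com
uid: caleb
objectClass: posixAccount
uidNumber: 210
gidNumber: 1
homeDirectory: /home/caleb
loginShell: /usr/bin/ksh
gecos: Caleb,
  constructed sample
userPassword: {crypt}CONSTRUCTED.HASH
shadowLastChange: 13006

dn: uid=test1,ou=aixuser,cn=ibm,cn=com
uid: test1
objectClass: posixAccount
uidNumber: 207

dn: cn=audit,ou=aixgroup,cn=ibm,cn=com
cn: audit
objectClass: posixGroup
gidNumber: 7
memberUid: test1
"""
LDIF_B = """\
dn: uid=caleb,ou=aixuser,cn=ibm,cn=com
uid: caleb
objectClass: posixAccount
uidNumber: 310

dn: uid=operator,ou=aixuser,cn=ibm,cn=com
uid: operator
objectClass: posixAccount
uidNumber: 207
"""
```

Run find_conflicts over the sectoldif output of each client before any ldapadd: the name and UID clashes it returns are exactly the cases that would otherwise surface as an ldapadd error, or worse, as a user who silently owns the wrong files on one of the clients.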
Configuring AIX 5.3 TL5 clients to use LDAP (diagram)
1. Contact the server: mksecldap -c with the flags for bind info, base DN, authtype, search mode, SSL info and proxy admin
2. Check that the server is alive and the credentials are valid (ldapsearch)
3. Query the naming contexts (ldapsearch): which suffixes are available; get the server type and the other services from the naming context
4. Set up the client afterwards:
– Back up the config files
– Create the /etc/security/ldap directory
– Update /etc/security/ldap/ldap.cfg
– Update irs.conf to nis_ldap and hosts
– Update netsvc.conf to hosts and nis_ldap
– Add LDAP to the methods.cfg file
– (optional) chuser SYSTEM=LDAP registry=LDAP
– Add secldapclientd to inittab
– Start the client daemon secldapclientd
Testing the client setup with lsldap
The ultimate test is "can I log in as user ldaptest", but check these first. lsldap goes through secldapclientd, which runs the ldapsearch against the LDAP server:
# lsldap
dn: ou=People,ou=ats,o=ibm,o=com
dn: ou=Groups,ou=ats,o=ibm,o=com
dn: ou=System,ou=ats,o=ibm,o=com
# lsldap passwd
dn: uid=default,ou=People,ou=ats,o=ibm,o=com
dn: uid=test1,ou=People,ou=ats,o=ibm,o=com
...
# lsldap -a passwd test1
dn: uid=test1,ou=People,ou=ats,o=ibm,o=com
uid: test1
objectClass: aixauxaccount
objectClass: shadowaccount
...
Equivalent tools: AIX lsldap, HP nsquery, Sun listldap
Testing the client setup with lsuser -R LDAP
You can see the user attributes stored in LDAP with the AIX lsuser command. With -R LDAP, lsuser goes through secldapclientd and ldapsearch; without it, lsuser reads the local security files (/etc/passwd, /etc/group, /etc/security/passwd, /etc/security/user, ...):
# lsuser -R LDAP -a id pgrp test1
test1 id=207 pgrp=staff
# lsuser -R LDAP -a SYSTEM registry test1
test1 SYSTEM=compat registry=LDAP
# lsuser -a SYSTEM registry test1
test1 SYSTEM=compat registry=files
# chuser -R LDAP SYSTEM=LDAP registry=LDAP test1
# lsuser -a SYSTEM registry test1
test1 SYSTEM=LDAP registry=LDAP
# lsuser -R LDAP -a SYSTEM registry test1
test1 SYSTEM=LDAP registry=LDAP
Issue #7: Restricting users to selected clients
IBM AIX extension user attributes:
– hostallowedlogin: the user can only log in to these hosts
– hostdeniedlogin: the user cannot log in to these hosts
– chuser -R LDAP hostsallowedlogin=host1,host2,host3
– Only applicable to AIX users; the restrictions are applied to each user in LDAP; default user: SYSTEM = LDAP
Only put the users you want to be able to log in into /etc/security/user:
– Set the LDAP users' SYSTEM and registry to LDAP
– Leave the default user at SYSTEM = compat
– Example /etc/security/user stanza:
test1:
        admin = false
        SYSTEM = "LDAP"
        registry = LDAP
NIS netgroup style login restriction:
– Compatible with the RFC2307bis specification; the typical solution for Solaris users
– Requires a different setup in AIX: SYSTEM = compat in /etc/security/user; options = netgroup defined in the LDAP stanza of methods.cfg; netgroup nis_ldap in /etc/irs.conf; + in /etc/group; +@netusers in /etc/passwd
Files involved: /etc/security/user, /usr/lib/security/methods.cfg, /etc/group, /etc/passwd
Issue #8: How to handle user HOME directories
Local HOME directory on each client (local disk, /home):
– Unique data on each client
– Not automatically created when clients are added to the LDAP server; some customers use the mkhome PAM module on non-IBM servers
Mount /home from an NFS server for all users:
– Same data from any client
– Easy to set up, but you may need to tune the NFS parameters
Automount /home as the user logs in:
– The directory is only mounted while the user is logged in
– Two LDAP automount maps are supported: the automountMap object class and the nisMap automount map
– Support for netgroups
Issue #9: SSL between client and server
Without SSL, ldap_auth sends the password in clear text.
– Install the gskit filesets and the secure LDAP client and server filesets; the SSL and Java filesets must also be installed (ldap.max_crypto_client.rte, etc.)
– Create the server SSL keyring: gsk7ikm is a graphical tool that can be used to create the keyring; bring a copy to the client
– Install the keyring file on the server with mksecldap -k, or edit the ibmslapd.conf file and restart (ibm-slapdSecurity: SSLOnly); check that the server is listening on port 636
– Re-run mksecldap -c on the client with -k file; this adds the key file to ldap.cfg, which is read by secldapclientd
Issue #10: Importance of password restrictions
– RFC2307 is weak on password restrictions: no option to add a password restriction subroutine; minimal
– The AIX extensions provide a full set of password restrictions: the same things available with the standard AIX security files; character and time restrictions; the ability to include a password check method
– No standard way for a multi-OS environment; possible third-party solutions for changing passwords, e.g. Tivoli Identity Manager
Issue #11: What users should keep using local files?
How is the root user treated?
– No remote login allowed
– su only from a selected group
– Keep as a local user
The security group should remain local:
– Its GID conflicts with a Solaris admin group
– Always keep access to the system if the network or LDAP is down
Also keep local:
– Any other users who need access if the network or LDAP is down
– Administrative users without passwords
Local users must exist in local groups; LDAP users must belong to LDAP groups.
Issue #12: Migrating existing users to LDAP
Make sure the user exists in LDAP (covered earlier):
– Extracted with sectoldif and added with ldapadd, or added with mksecldap
– Check with these methods:
ldapsearch .. -b baseDN "(uid=testuser)"
lsldap -a passwd username
lsuser -R LDAP username
Change the user's SYSTEM and registry attributes to LDAP:
– If the default user is set to LDAP: remove the user from the local files /etc/passwd, /etc/group, /etc/security/passwd and /etc/security/user
– If the default user is not set to LDAP: change the user's SYSTEM and registry to LDAP in both places:
chuser -R LDAP SYSTEM=LDAP registry=LDAP username
chuser SYSTEM=LDAP registry=LDAP username
Issue #13: Adding new users to LDAP
Use the standard AIX commands with the -R LDAP flag:
– mkuser -R LDAP SYSTEM=LDAP registry=LDAP id=501 martin
– Check with these methods:
ldapsearch .. -b baseDN "(uid=testuser)"
lsldap -a passwd username
lsuser -R LDAP username
Or create an LDIF file and add it with ldapadd:
– Extract a user from LDAP with ldapsearch: ldapsearch -h host -D cn=adm -w pwd -b "basedn" "(uid=test797)" > test797p.ldif
– Or extract a local file user with sectoldif
– Edit with vi
– Add to LDAP with ldapadd
– Verify with lsldap, lsuser -R LDAP, or ldapsearch
Issue #14: Redundant solutions
Redundancy options in /etc/security/user: if LDAP fails, use the local files. Example stanza:
admin02:
        admin = true
        SYSTEM = "LDAP or (LDAP UNAVAIL AND files)"
        registry = LDAP
– Keeps the user data in multiple locations
Replica LDAP servers:
– Automatic synchronization; changes are made only on the LDAP master
– Place them behind different routers, etc.
– Specify a priority list of servers in ldap.cfg on the AIX clients
Duplicate LDAP masters:
– Adds the ability to do updates on either server
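The SYSTEM value in the admin02 stanza is an expression in the grammar AIX uses for the SYSTEM attribute: a load-module name optionally followed by the result it must have returned (SUCCESS is implied; FAILURE, NOTFOUND and UNAVAIL are the others), combined with AND, OR and parentheses. The Python below is an added example, not AIX code: it parses /etc/security/user stanzas, parses that grammar, and evaluates it against a table of what each module returned, so the fallback behaviour can be checked before a directory outage rather than during one. The user file is constructed (only the admin02 stanza is from the slide), and treating a module that is not in the table as UNAVAIL is this example's own convention.

```python
"""Added example (not AIX code): evaluate the SYSTEM attribute grammar of
/etc/security/user, e.g. SYSTEM = "LDAP or (LDAP UNAVAIL AND files)",
against the result each load module returned for a login attempt."""
import re

RESULTS = {"SUCCESS", "FAILURE", "NOTFOUND", "UNAVAIL"}
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse_user_stanzas(text):
    """Stanza format: 'name:' at column 0 opens a stanza, indented 'attr = value'
    lines belong to it, '*' starts a comment, values may be double-quoted."""
    stanzas, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("*"):
            continue
        if stripped.endswith(":") and not line[0].isspace():
            current = stanzas.setdefault(stripped[:-1], {})
        elif current is not None and "=" in stripped:
            key, _, value = stripped.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return stanzas


def effective_system(stanzas, user):
    """SYSTEM for a user, falling back to the default stanza, then to compat."""
    for name in (user, "default"):
        if "SYSTEM" in stanzas.get(name, {}):
            return stanzas[name]["SYSTEM"]
    return "compat"


class _Parser:
    # expr := term (OR term)* ; term := factor (AND factor)*
    # factor := '(' expr ')' | METHOD [RESULT]      (keywords are case-insensitive)
    def __init__(self, expression):
        self.tokens, self.pos = _TOKEN.findall(expression), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() and self.peek().upper() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of SYSTEM expression")
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')' in SYSTEM expression")
            return node
        result = "SUCCESS"  # a bare module name means "module SUCCESS"
        if self.peek() and self.peek().upper() in RESULTS:
            result = self.take().upper()
        return ("test", tok, result)


def parse_system(expression):
    """Expression tree of ('test', module, result), ('and', l, r), ('or', l, r)."""
    parser = _Parser(expression)
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r} in SYSTEM expression")
    return tree


def evaluate(tree, outcomes):
    """outcomes maps a module name to the result it returned (SUCCESS, FAILURE,
    NOTFOUND or UNAVAIL); a module not in the table counts as UNAVAIL here."""
    if tree[0] == "test":
        return outcomes.get(tree[1], "UNAVAIL") == tree[2]
    left, right = evaluate(tree[1], outcomes), evaluate(tree[2], outcomes)
    return (left and right) if tree[0] == "and" else (left or right)


def login_allowed(user_file, user, outcomes):
    """Would this user's SYSTEM expression accept the login, given the outcomes?"""
    return evaluate(parse_system(effective_system(parse_user_stanzas(user_file), user)), outcomes)


USER_FILE = """\
* constructed sample; only the admin02 stanza is taken from the slide
default:
        admin = false
        SYSTEM = "compat"

admin02:
        admin = true
        SYSTEM = "LDAP or (LDAP UNAVAIL AND files)"
        registry = LDAP

test1:
        admin = false
        SYSTEM = "LDAP"
        registry = LDAP
"""
```

The third assertion in the test is the one worth keeping in mind: the admin02 expression falls back to the local files only when LDAP is unreachable (UNAVAIL), not when LDAP is reachable and rejects the password (FAILURE), so a wrong password cannot be retried against a stale local copy.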
Issue #15: ssh gotcha
After configuring a user for LDAP, ssh to the box stops working? Add this line to /etc/ssh/sshd_config:
UsePAM yes
Then stop and restart sshd.
Issue #16: Multiple groups – multiple managers
The desire is to have a separate base DN for each group of users, for example:
– userbasedn: ou=dept1,ou=people,cn=aixdata
– userbasedn: ou=dept2,ou=people,cn=aixdata
AIX 5.3 TL5 adds support for this:
– Support for the extended base DN format
– Support for multiple base DN definitions: up to ten base DNs per entity (e.g. user); restrictions on mkuser and chuser
AIX 5.3 supports an LDAP proxy user:
– Control the proxy user's access with LDAP ACLs
– Keeps every root user from having complete access to the LDAP server
Issue #17: Flexibility with PAM
– Most UNIX flavors have default PAM support, and most do their LDAP support through PAM modules; this makes AIX different
– AIX 5.3 introduces PAM_AUTH: configured in the pam.conf file; the pam_aix modules are included in AIX 5.3
– PAM_LDAP is available from PADL (not IBM): not supported by IBM; IBM provides only the basic AIX authentication PAM module
– Possible examples: LDAP authentication only; a PAM module that adds the HOME directory on first login to a new server
Issue #18: Where to put the default user?
– On the local AIX client: provides some AIX-specific attributes; does not provide all of the extensions you might expect
– On the LDAP server: consistent for all clients; provides less flexibility
AIX Authentication to Active Directory – Kerberos or LDAP authentication
Goal: a single corporate password
Two choices – Kerberos or LDAP
Kerberos                                  Active Directory – LDAP
Support starts at AIX 5.2 ML1             Support starts at AIX 5.3 TL5
Authentication only                       RFC2307 attribute support
Kerberos 5 standard                       Non-standard schema
Very secure network traffic               Must be secured with an SSL connection
Key from Windows server                   Key from Windows server
KDC setup on Windows                      ADS/SFU setup on Windows
Better performance                        Performance issues because of AD
Kerberos principal for each client        No client-specific setup
User Kerberized r-cmds                    Changes each release (SFU -> R2)
AIX KRB5A + LDAP/files LAM                AIX LDAP LAM module
References:
– AIX Authentication using Windows Kerberos Service: http://www-03.ibm.com/servers/aix/whitepapers/aix_kerberos2.pdf
– AIX 5.3 TL5 Active Directory white paper: http://www-128.ibm.com/developerworks/aix/library/au-aixadsupport.html?ca=dgr-lnxw97AIXclientsupp
LDAP or KRB5ALDAP mode in /etc/security/user
LDAP mode (AIX 5.3 TL5 only): both authentication and credentials come from ADS/SFU over LDAP. /etc/security/user entry:
tstuser:
        admin = false
        SYSTEM = LDAP
        registry = LDAP
Kerberos authentication mode (KRB5A and LDAP): use Kerberos (the Windows KDC) for authentication only, and LDAP for the user credentials. /etc/security/user entry:
krbuser:
        admin = false
        SYSTEM = KRB5ALDAP
        registry = LDAP
KRB5A authentication to Microsoft Windows 2000/2003 Server
– Requires the Microsoft Windows Support Tools ktpass, ldp and setspn
– Requires the AIX NAS (Network Authentication Service) client software krb5.client.rte
– Requires compound load module support on AIX:
/etc/security/user: SYSTEM = KRB5Afiles
/usr/lib/security/methods.cfg:
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly
KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
– Requires a host principal on Windows (the KDC) for every AIX client
– The Kerberos keytab file must be transferred to the AIX client
AIX LDAP authentication to Microsoft Active Directory
Windows 2000 or 2003 Server:
– Requires Microsoft Services for Unix; SFU provides the Microsoft SFU schema (pseudo-RFC2307)
– Supported SFU: v3.0+ (3.0 and 3.5)
Support starts with the AIX 5.3 TL5 client:
– Simple mksecldap client setup: discovers the SFU schema and sets up the mapping to it:
userattrmappath:/etc/security/ldap/MSSFU30user.map
groupattrmappath:/etc/security/ldap/MSSFU30group.map
– Requires ldap_auth because of the Microsoft password encryption
– Windows users and groups must be enabled for Unix support from the panel: click the 'enable users' tab
White paper to guide the setup (December 2006): http://www-128.ibm.com/developerworks/aix/library/au-aixadsupport.html?ca=dgr-lnxw97AIXclientsupp
AIX 5.3 TL5 – Starting the AIX client for AD authentication
You must know the following information:
– Bind DN and password on ADS with the proper authority
– Base DN where the user information is stored
– bos.ldap.client must be installed (including max_crypto)
Check that you can retrieve the data from AD (with lsldap, or directly with ldapsearch):
ldapsearch -h adhost -D cn=Adm -w admpwd -b "ou=basedn" "(uid=*)"
The AIX LDAP client build tool (mksecldap -c) autodetects the AD server:
mksecldap -c -h adhost -a cn=Adm -p admpwd -d "cn=basedn"
– The schema type used by AD is queried
– The correct mapping files are configured
AIX 5.3 TL5 – AIX security admin commands and AD
– These commands work as expected: lsuser, chuser, rmuser, id, lsgroup, chgroup, rmgroup, groups
– These commands work with restrictions: passwd and chpasswd
– These commands will not operate with Active Directory: mkuser and mkgroup (AIX cannot manage features like the Windows ID)
Issue #19: AD supports two types of group member attributes
Do you leave the default or change to the faster option?
msSFU30PosixMember:
– The default; supports both Windows and AIX
– The map file shows: users SEC_LIST msSFU30PosixMember m
– Requires the full DN for all interactions, for example: msSFU30PosixMember: cn=user1,cn=users,dc=dept1,dc=abc,dc=com
– Parsing the DNs impacts performance
msSFU30MemberUid:
– Requires the admin to change the map file: users SEC_LIST msSFU30MemberUid m
– Same as the RFC 2307 memberUid attribute, for example: msSFU30memberuid: user1
Issue #20: AD supports two types of passwords
Which one do you use?
Native password (unicodePwd):
– Supports the Windows user authentication; the same password for Windows and AIX (no synchronization needed)
– A password change requires an SSL connection to AD and AIX APAR IY91922
– Set the LDAP authentication type to ldap_auth in ldap.cfg
– Change the mapping to: spassword SEC_CHAR unicodePwd s
msSFU30Password (the default in the map file; the password for the Unix-clients-to-AD interface):
– Supports the UNIX crypt password
– AIX passwd only changes msSFU30Password, which results in a synchronization problem
– Can use unix_auth in ldap.cfg
– To use msSFU30Password, the AIX user map file carries: spassword SEC_CHAR msSFU30Password s
Microsoft Windows Server 2003 R2
– Adds Identity Management for UNIX without SFU; an AIX-supported solution is expected in the next AIX 5.3 TL
– Server for NIS: enables an Active Directory domain controller to act as a master NIS server
– Password synchronization: simplifies the process of maintaining secure passwords; users can use the same password for their Windows and UNIX accounts
– Requires a schema extension: new object classes defined in the file Sch31.ldf, located on the Windows Server 2003 R2 installation CD
Windows Server 2003 R2 Overview Guide: "With minor differences, Identity Management for UNIX is compliant with Internet Engineering Task Force (IETF) standard Request for Comments (RFC) 2307, meaning that a network's password and NIS attributes can be resolved by the Lightweight Directory Access Protocol (LDAP)."
Active Directory and Unix password sync, Windows to Unix (diagram): http://www.microsoft.com/technet/interopmigration/unix/sfu/psync.mspx
Unix to Windows password synchronization, part of Microsoft Services for Unix (diagram)
Gartner Magic Quadrant – User Provisioning (taken from a Sun document)
Sun and IBM lead; Microsoft is in the lower-left quadrant. So why choose ADS?
Commercial technology solutions
– Quest Software Vintela Authentication Services (VAS): http://www.vintela.com
– Centrify DirectControl: http://www.centrify.com
– Centeris Likewise Identity 3.0: http://www.centeris.com/
– Computer Associates PAM LDAP modules, available at http://www.padl.com
Commercial technology solutions (continued)
– IBM Tivoli Access Manager for Operating Systems: http://www-306.ibm.com/software/tivoli/products/access-mgr-operating-sys/ ; audit and intrusion protection; best-practice security templates
– IBM Tivoli Identity Manager: http://www.centrify.com ; policy-based user management solution; automatic synchronization of user data from different repositories
Both also use LDAP.
Microsoft SFU user-based schema
SFU 2.0 schema:
– msSFUPosixAccount: required cn; optional description, gecos, gidNumber, loginShell, msSFUHomeDirectory, msSFUName, msSFUPassword, posixMemberOf, uid, uidNumber
– msSFUShadowAccount: msSFUName, shadowWarning, shadowMax, shadowMin, ...
– msSFUPosixGroup: cn, GidNumber, MemberUid, msSFUName, msSFUPassword, PosixMember, ...
SFU 3.0 and SFU 3.5:
– msSFU30PosixAccount: msSFU30Gecos, msSFU30GidNumber, msSFU30HomeDirectory, msSFU30Password, ...
– msSFU30ShadowAccount: msSFU30ShadowWarning, msSFU30ShadowExpire, ...
– msSFU30PosixGroup: msSFU30MemberUid, msSFU30PosixMember, ...
AIX 5.3 TL5 – AIX AD client support details
– AIX maps the AIX security attribute names to the AD custom names through /etc/security/ldap/sfu20user.map, sfu20group.map, sfu30user.map and sfu30group.map
– The AIX LDAP client build tool (mksecldap -c) autodetects the AD server: the schema type used by AD is retrieved during setup, and the correct mapping files are supplied and configured
– Requires an APAR to support password changes from AIX
AIX 5.3 TL5 – SFU map file example
AIX maps the AIX security attribute names to the AD custom names. /etc/security/ldap/sfu30user.map:
username                      SEC_CHAR  msSFU30Name              s
id                            SEC_INT   msSFU30UidNumber         s
pgrp                          SEC_CHAR  msSFU30GidNumber         s
home                          SEC_CHAR  msSFU30HomeDirectory     s
shell                         SEC_CHAR  msSFU30LoginShell        s
gecos                         SEC_CHAR  msSFU30Gecos             s
spassword                     SEC_CHAR  msSFU30Password          s
lastupdate                    SEC_INT   msSFU30ShadowLastChange  s
maxage                        SEC_INT   msSFU30ShadowMax         s
minage                        SEC_INT   msSFU30ShadowMin         s
maxexpired                    SEC_INT   msSFU30ShadowExpire      s
pwdwarntime                   SEC_INT   msSFU30ShadowWarning     s
#spassword                    SEC_CHAR  unicodePwd               s
#unsuccessful_login_count     SEC_INT   badPwdCount              s
#time_last_unsuccessful_login SEC_INT   badPasswordTime          s
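The map file above, the schema mapping table on slide 19 and Issues #19 and #20 all describe one mechanism: a four-column file (AIX attribute, SEC_ type, LDAP attribute, s or m). The Python below is an added example, not AIX's own code: it parses that format, applies a map to an LDAP entry, builds the search filter the client would use for a lookup, and shows the effect of the two manual edits the slides discuss, pointing spassword at unicodePwd and pointing the group's users attribute at msSFU30MemberUid instead of msSFU30PosixMember. The user map lines copy the slide; the group map, the AD entries and the extraction of a user name from a PosixMember DN are constructed assumptions.

```python
"""Added example (not AIX code): parse an /etc/security/ldap/*.map file and
apply it to an LDAP entry, including the spassword (Issue #20) and group
member attribute (Issue #19) choices. The user map lines copy the slide;
the group map, the AD entries and the DN handling are constructed."""


def parse_map(text):
    """Lines are: aix_attr  SEC_type  ldap_attr  s|m ('#' starts a comment).
    Returns {aix_attr: (sec_type, ldap_attr, multi_valued)} in file order."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[3] not in ("s", "m"):
            raise ValueError(f"bad map line: {line!r}")
        aix_attr, sec_type, ldap_attr, flag = fields
        mapping[aix_attr] = (sec_type, ldap_attr, flag == "m")
    return mapping


def with_password_attribute(mapping, ldap_attr):
    """Copy of the map with spassword pointed at another attribute: the manual
    edit the slide describes (comment one spassword line, uncomment the other)."""
    return {**mapping, "spassword": ("SEC_CHAR", ldap_attr, False)}


def rdn_value(dn):
    """'cn=user1,cn=users,dc=abc,dc=com' -> 'user1' (assumption: the first RDN
    holds the user name, as in the slide's msSFU30PosixMember example)."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def ldap_to_aix(mapping, entry):
    """Translate one LDAP entry ({lowercased attr: [values]}) to AIX attributes:
    SEC_INT becomes int, SEC_LIST member DNs become names, 's' keeps one value."""
    aix = {}
    for aix_attr, (sec_type, ldap_attr, multi) in mapping.items():
        values = entry.get(ldap_attr.lower())
        if not values:
            continue  # attribute absent on the server: the AIX attribute stays unset
        if sec_type == "SEC_LIST":
            members = [rdn_value(v) if "=" in v else v for v in values]
            aix[aix_attr] = members if multi else ",".join(members)
        elif sec_type == "SEC_INT":
            aix[aix_attr] = int(values[0])
        else:
            aix[aix_attr] = list(values) if multi else values[0]
    return aix


def search_filter(mapping, aix_attr, value):
    """Filter the client would send to look a user or group up by an AIX attribute."""
    return f"({mapping[aix_attr][1]}={value})"


def unix_auth_possible(mapping, entry):
    """unix_auth compares a crypt() hash locally, so spassword must map to an
    attribute the server actually returns; AD never returns unicodePwd on a
    read, which is why that mapping forces ldap_auth (Issue #20)."""
    return ldap_to_aix(mapping, entry).get("spassword", "").startswith("{crypt}")


SFU30_USER_MAP = """\
# lines as on the slide's sfu30user.map
username     SEC_CHAR  msSFU30Name              s
id           SEC_INT   msSFU30UidNumber         s
pgrp         SEC_CHAR  msSFU30GidNumber         s
home         SEC_CHAR  msSFU30HomeDirectory     s
shell        SEC_CHAR  msSFU30LoginShell        s
spassword    SEC_CHAR  msSFU30Password          s
maxage       SEC_INT   msSFU30ShadowMax         s
#spassword   SEC_CHAR  unicodePwd               s
"""
SFU30_GROUP_MAP = """\
# constructed; the users line is the one quoted in Issue #19
groupname    SEC_CHAR  cn                       s
id           SEC_INT   msSFU30GidNumber         s
users        SEC_LIST  msSFU30PosixMember       m
"""
# Constructed AD entries as returned to the client (attribute names lowercased)
USER_ENTRY = {"mssfu30name": ["user1"], "mssfu30uidnumber": ["10001"],
              "mssfu30gidnumber": ["10000"], "mssfu30homedirectory": ["/home/user1"],
              "mssfu30loginshell": ["/usr/bin/ksh"], "mssfu30shadowmax": ["13"],
              "mssfu30password": ["{crypt}CONSTRUCTED.HASH"]}
GROUP_ENTRY = {"cn": ["unixusers"], "mssfu30gidnumber": ["10000"],
               "mssfu30posixmember": ["cn=user1,cn=users,dc=dept1,dc=abc,dc=com",
                                      "cn=user2,cn=users,dc=dept1,dc=abc,dc=com"],
               "mssfu30memberuid": ["user1", "user2"]}
```

Switching the users line from msSFU30PosixMember to msSFU30MemberUid yields the same AIX group membership, which is why the slide can call it the faster option: the DN parsing step simply disappears. Switching spassword to unicodePwd leaves the AIX spassword attribute unset, so unix_auth has nothing to compare against and only ldap_auth can work.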
AIX LDAP client tools
AIX LDAP client programs:
– ldapsearch: search the LDAP server for an entry
– ldapadd: add an entry to the LDAP server
– ldapmodify: modify an LDAP entry
– ldapmodrdn: modify an LDAP RDN entry
– ldapdelete: delete an LDAP entry
– ldapcfg: configure the LDAP server
– ldif2db: add an LDIF file directly to the DB2 database
– db2ldif: extract LDIF information from DB2
AIX security client tools:
– lsldap: command tool to retrieve LDAP entries
– mksecldap: configure the LDAP server and the AIX client for AIX user authentication/identification
– secldapclientd: LDAP security client daemon (ls-secldapclntd, flush-secldapclntd, restart-secldapclntd, stop-secldapclntd, start-secldapclntd)
Tools:
– sectoldif: convert user information to LDIF
– nistoldif: convert NIS information to LDIF
– secldifconf: convert from one schema to another
IBM STG Technical Conference
Password restriction options
RFC2307 based shadowlastchanged, shadowmax, shadowmin shadowexpire and shadowwarning
AIX schema extension based isaccountenabled, passworddictfiles, timeexpirelockout, passwordflags, passwordhistexpire, passwordhistsized, passwordhistlist, passwordmaxrepeatedchars, passwordminimalphachars, passwordmindiffchars, passwordminlength, passwordminotherchars, passwordcheckmethods
Summary
AIX security solution with LDAP has matured
– AIX 5.3 TL5 adds important new features
Mixing Solaris, HP/UX, AIX, Linux and Windows is complex
– Other vendors are no better off, just different
There is no one standard for LDAP authentication
– RFC 2307 is an experimental RFC
– Widely adopted, including netgroup and automount extensions
– All vendors provide slightly different interpretations of the extensions
Two methods for AIX authentication against Microsoft ADS
– Kerberos and LDAP
– Support for Microsoft Windows Server 2000/2003
– Support for Microsoft Windows Server 2003 R2 soon
Many issues remain in providing a cross vendor solution
– Only plug and play solutions are commercial
– AIX only solution with ITDS is trivial to implement
AIX LDAP References
AIX 5.2 white papers on LDAP authentication
– http://www-1.ibm.com/servers/aix/whitepapers/ldap_server.html
– http://www-1.ibm.com/servers/aix/whitepapers/ldap_client.html
– www.ibm.com/servers/aix/whitepapers/ldap_naming.pdf
– http://www-128.ibm.com/developerworks/aix/library/au-aixadsupport.html?ca=dgr-lnxw97AIXclientsupp
– http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/kerberos_auth_only_load_module.htm
– http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/kerberos_questions_troubleshooting.htm
– http://www-03.ibm.com/systems/p/library/wp_aix_lit.html
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos.pdf
Kerberos authentication against Windows:
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos2.pdf
AIX 5.2 Docs for LDAP
– http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/ldap_exploitation.htm
– http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/nisplus/migrating.htm
AIX 5L LDAP exploitation documentation
– http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/admnconc/ldap_exploit.htm
– http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds5/secldapclntd.htm
IBM Redbooks on Security and Authentication
http://www.redbooks.ibm.com
– Integrating AIX into heterogeneous LDAP Environments, SG24-7165 – Coming soon to a Wiki near you
– AIX 5.2 Security Supplement, SG24-6066-00
– Understanding LDAP, SG24-4986
– LDAP Implementation Cookbook, SG24-5110
– Using LDAP for Directory Integration, SG24-6163
– AIX 4.3.3 Differences Guide, SG242014.html – Describes first AIX LDAP authentication
– AIX 5L Differences Guides: AIX 5L Differences Guide Version 5.3 Edition, SG24-7463
– AIX 4.3 Elements of Security, SG24-5962
– Elements of Security: AIX 4.1, SG24-4433
– AIX Security Tools: pSeries, SP & eCluster 1600, SG24-5971
– Managing AIX Server Farms, SG24-6606
IBM General Security References
pSeries Security
– http://www.ibm.com/eserver/pseries/security
IBM Security Solutions:
– http://www.ibm.com/security
AIX Virtual Private Networks
– http://www-1.ibm.com/servers/aix/products/ibmsw/security/vpn/index.html
IBM Developerworks Kerberos Overview
– http://www-106.ibm/developerworks/library/it-kerbero.html
Developerworks security collection
– http://www-106.ibm.com/developerworks/security/
Developerworks security projects
– http://www-106.ibm.com/developerworks/views/security/projects.jsp
IBM LDAP Schema
– www.ibm.com/servers/eserver/iseries/ldap/schema
Key HP/UX, Solaris and Linux LDAP Auth sites
PADL Migration tools
– http://www.padl.com/OSS/MigrationTools.html
– http://www.padl.com/OSS/pam_ldap.html
DataConv: LDAP migration tools
– http://dataconv.org/apps_ldap.html
Solaris 10 General LDAP
– http://docs.sun.com/app/docs/doc/816-4556/6maort2t4?q=automount&a=view
Sun Java System Directory Server 5.2
– http://www.sun.com/software/products/directory_srvr/home_directory.xml
Sun One Directory Server – formerly Netscape
– http://docs.sun.com/app/docs/doc/816-6703-10
Sun Blueprints:
– LDAP in the Solaris™ Operating Environment: Deploying Secure Directory Services
– http://safari.oreilly.com/0131456938
LDAP HP-UX – NIS/LDAP Gateway and LDAP-UX Client Services
– http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4269AA
– http://docs.hp.com/en/internet.html
LDAP-UX Client Services with Microsoft Windows 2000/2003
– http://docs.hp.com/en/J4269-90049/index.html – LDAP-UX Client services and ADS
Microsoft SFU links
Microsoft Services for UNIX (SFU) download
– http://www.microsoft.com/windowsserversystem/sfu/downloads/default.mspx
UNIX Interoperability in Windows Server 2003 R2
– http://www.microsoft.com/technet/community/events/windows2003srvR2/add-52.mspx
Windows Security and Directory Services for UNIX Guide v1.0
– http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/00wsdsu.mspx
– http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx
Password synchronization
– http://www.microsoft.com/technet/interopmigration/unix/sfu/psync.mspx
Other LDAP References
OpenLDAP
– http://www.openldap.org
LDAP related RFCs
– http://www.ietf.org/rfc/rfc2307.txt – LDAP mapping of NIS
– www.imc.org/rfc2251 – LDAP version 3 protocol
– www.imc.org/rfc2559 – LDAPv2 Protocols
– www.imc.org/rfc2587 – LDAPv2 Schema
– www.imc.org/rfc1777 – LDAP
– rfc1823 – LDAP programming interface
– rfc1960 – LDAP Search Filters
– rfc1779 – Distinguished Names
HP RFC2307-bis automount schemas
– http://docs.hp.com/en/J4269-90064/ch04s02.html
The Moron's guide to Kerberos
– http://www.isi.edu/~brian/security/kerberos.html