NIS schema (RFC 2307)
Includes the posixAccount, shadowAccount, and posixGroup object classes and is used by several vendors' directory products. The NIS schema defines only a small subset of the attributes that AIX uses.
NIS schema with full AIX support
Includes the posixAccount, shadowAccount, and posixGroup object classes plus the aixAuxAccount and aixAuxGroup object classes. The aixAuxAccount and aixAuxGroup object classes provide the attributes that are used by AIX but not defined by the NIS schema. Setting up the LDAP server using the NIS schema with full AIX support is recommended unless setting up an AIX-specific schema LDAP server for compatibility with existing LDAP servers is necessary.
All the user and group information is stored under a common AIX tree (suffix). The default suffix is "cn=aixdata". The mksecldap command accepts a user-supplied suffix through the -d flag. If the user-supplied suffix does not have "cn=aixdata" as its first RDN (Relative Distinguished Name), the mksecldap command prefixes the user-supplied suffix with "cn=aixdata". This AIX tree is ACL (Access Control List) protected. A client must bind as the LDAP server administrator to be able to access the AIX tree.
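The suffix rule above, modelled as an added example (this is not code from the AIX Security Guide and it does not call mksecldap): given the value passed to -d, it returns the DN under which the ACL-protected AIX tree will be created. Treating the RDN comparison as case-insensitive, and the handling of whitespace and escaped commas, are assumptions of this example.

```python
# Added example, not part of the AIX Security Guide. Models where the AIX tree
# lands for a user-supplied suffix; it does not invoke mksecldap itself.

AIX_ROOT_RDN = "cn=aixdata"   # default suffix named by the guide


def split_rdns(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalise_rdn(rdn):
    """Fold attribute type and value to lower case for comparison.

    Case-insensitive matching is an assumption of this example, not a
    statement about how mksecldap compares the first RDN.
    """
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def aix_tree_suffix(user_suffix):
    """Return the suffix the AIX tree will use for a given -d value.

    Per the guide: if the supplied suffix does not have cn=aixdata as its
    first RDN, the suffix is prefixed with cn=aixdata; otherwise it is
    used as given. An empty value falls back to the default suffix.
    """
    rdns = split_rdns(user_suffix)
    if not rdns:
        return AIX_ROOT_RDN
    if normalise_rdn(rdns[0]) == AIX_ROOT_RDN:
        return ",".join(rdns)
    return AIX_ROOT_RDN + "," + ",".join(rdns)
```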
The mksecldap command works even if an LDAP server has already been set up for other purposes, for example for user ID lookup information. In this case, mksecldap adds the AIX tree to the existing database and populates it with the AIX security information. This tree is ACL-protected independently from other trees, so the LDAP server continues to work as usual, in addition to serving as an AIX LDAP Security Server.
Note: It is recommended that you back up the existing database before running the mksecldap command to set up the security server to share the same database.
After the LDAP security information server is successfully set up, the same host must be set up as a client so that LDAP user and group management can be completed and LDAP users can log in to this server.
If the LDAP security information server setup is not successful, you can undo the setup by running the mksecldap command with the -U flag. This restores the slapd.conf (or slapd32.conf) file to its pre-setup state. Run the mksecldap command with the -U flag after any unsuccessful setup attempt before trying to run the mksecldap command again. Otherwise, residual setup information might remain in the configuration file and cause a subsequent setup to fail. As a safety precaution, the undo option does not do anything to the database or to its data, because the database could have existed before the mksecldap command was run. Remove any database manually if it was created by the mksecldap command. If the mksecldap command has added data to a pre-existing database, decide what steps to take to recover from a failed setup attempt.
For more information on setting up an LDAP security information server, see the mksecldap command.
Setting Up an LDAP Client
Each client must have the LDAP client package installed. If SSL is required, GSKit must be installed, a key must be created, and the LDAP server's SSL key certificate must be added to this key.
The mksecldap command can be used to set up the client. To have this client contact the LDAP security information server, the server name must be supplied during setup. The server’s administrator DN and password are also needed for client access to the AIX tree on the server. The mksecldap command saves the server administrator DN, password, server name, AIX tree DN on the server, and the SSL key path and password to the /etc/security/ldap/ldap.cfg file.
Multiple servers can be supplied to the mksecldap command during client setup. In this case, the client contacts the servers in the supplied order and establishes connection to the first server that the client can
62
AIX 5L Version 5.2: Security Guide