Setting Up an LDAP Client. Bull AIX 5.2


NIS schema (RFC 2307)

Includes the posixAccount, shadowAccount, and posixGroup object classes and is used by several vendors' directory products. The NIS schema defines only a small subset of the attributes that AIX uses.

NIS schema with full AIX support

Includes the posixAccount, shadowAccount, and posixGroup object classes plus the aixAuxAccount and aixAuxGroup object classes. The aixAuxAccount and aixAuxGroup object classes provide the attributes that AIX uses but the NIS schema does not define. Setting up the LDAP server using the NIS schema with full AIX support is recommended unless an AIX-specific schema LDAP server is necessary for compatibility with existing LDAP servers.

All the user and group information is stored under a common AIX tree (suffix). The default suffix is "cn=aixdata". The mksecldap command accepts a user-supplied suffix through the -d flag. If the user-supplied suffix does not have "cn=aixdata" as its first RDN (Relative Distinguished Name), the mksecldap command prefixes the user-supplied suffix with "cn=aixdata". This AIX tree is ACL (Access Control List) protected. A client must bind as the LDAP server administrator to be able to access the AIX tree.

The mksecldap command works even if an LDAP server has already been set up for other purposes, for example for user ID lookup. In this case, mksecldap adds the AIX tree to the existing database and populates it with the AIX security information. This tree is ACL-protected independently of the other trees, so the LDAP server continues to work as before while also serving as an AIX LDAP security server.

Note: Back up the existing database before running the mksecldap command to set up the security server in a shared database.

After the LDAP security information server is successfully set up, the same host must be set up as a client so that LDAP user and group management can be completed and LDAP users can log in to this server.

If the LDAP security information server setup is not successful, undo it by running the mksecldap command with the -U flag. This restores the slapd.conf (or slapd32.conf) file to its pre-setup state. Run the mksecldap command with the -U flag after any unsuccessful setup attempt before trying to run the mksecldap command again; otherwise residual setup information might remain in the configuration file and cause the subsequent setup to fail. As a safety precaution, the undo option does nothing to the database or to its data, because the database could have existed before the mksecldap command was run. If the mksecldap command created the database, remove it manually. If the mksecldap command added data to a pre-existing database, decide what steps to take to recover from the failed setup attempt.

For more information on setting up an LDAP security information server, see the mksecldap command.

Setting Up an LDAP Client

Each client must have the LDAP client package installed. If SSL is required, GSKit must also be installed, a key database must be created, and the LDAP server's SSL certificate must be added to that key database.

The mksecldap command can be used to set up the client. To have this client contact the LDAP security information server, the server name must be supplied during setup. The server’s administrator DN and password are also needed for client access to the AIX tree on the server. The mksecldap command saves the server administrator DN, password, server name, AIX tree DN on the server, and the SSL key path and password to the /etc/security/ldap/ldap.cfg file.

Multiple servers can be supplied to the mksecldap command during client setup. In this case, the client contacts the servers in the supplied order and establishes connection to the first server that the client can
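The procedure described above, as an added shell example that is not part of the Security Guide and not code from mksecldap itself: back up the existing directory database, set up the server with the recommended NIS schema with full AIX support (-S RFC2307AIX), undo with -U if the setup fails, then configure the same host as a client and restrict the file mksecldap writes the credentials to. The administrator DN, passwords, hostnames, key database path and backup path are assumed placeholders; db2ldif is assumed to be the export tool of the directory product in use; the aix_suffix function reproduces the suffix rule stated above so the script can predict the base DN that mksecldap will use. On a non-AIX host the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the AIX 5.2 Security Guide or from mksecldap):
# set up one host as AIX LDAP security server and client, following the
# guide's safeguards. All concrete values below are assumed placeholders.
set -u

# Only execute on AIX; elsewhere print what would be run.
DRY_RUN=${DRY_RUN:-}
[ "$(uname -s)" = AIX ] || DRY_RUN=1

AIX_TREE="cn=aixdata"

# The guide's suffix rule: a suffix given with -d is prefixed with
# "cn=aixdata" unless that is already its first RDN. The guide states the
# literal "cn=aixdata"; case handling is undocumented, so compare exactly.
aix_suffix() {
    case "$1" in
        "")                          echo "$AIX_TREE" ;;
        "$AIX_TREE"|"$AIX_TREE,"*)   echo "$1" ;;
        *)                           echo "$AIX_TREE,$1" ;;
    esac
}

# Server setup command (documented mksecldap -s flags). -u NONE keeps
# mksecldap from exporting local users, so the tree is populated deliberately.
server_cmd() {
    printf "mksecldap -s -a '%s' -p '%s' -S RFC2307AIX -d '%s' -k '%s' -w '%s' -u NONE\n" \
        "$1" "$2" "$(aix_suffix "$3")" "$4" "$5"
}

# Client setup command (documented mksecldap -c flags). The -h list is a
# comma-separated set of servers; the client tries them in the given order.
client_cmd() {
    printf "mksecldap -c -h '%s' -a '%s' -p '%s' -d '%s' -k '%s' -w '%s'\n" \
        "$1" "$2" "$3" "$(aix_suffix "$4")" "$5" "$6"
}

# Execute a command string, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "[dry-run] $*"; return 0; fi
    eval "$@"
}

main() {
    admin_dn='cn=admin'                               # assumed admin DN
    admin_pw=${LDAP_ADMIN_PW:-changeme}               # from environment, not argv
    suffix='o=example,c=us'                           # becomes cn=aixdata,o=example,c=us
    keypath='/etc/security/ldap/ldapkey.kdb'          # assumed GSKit key database
    keypw=${LDAP_KEY_PW:-changeme}
    servers='ldap1.example.com,ldap2.example.com'     # assumed hostnames, tried in order

    # 1. Guide's note: back up the existing database before mksecldap adds
    #    the AIX tree to it (db2ldif assumed as the export tool).
    run "db2ldif -o /var/backup/ldap-before-mksecldap.ldif" || return 1

    # 2. Server setup. On failure run -U first so residual entries in
    #    slapd.conf do not break the retry; the database is left untouched.
    if ! run "$(server_cmd "$admin_dn" "$admin_pw" "$suffix" "$keypath" "$keypw")"; then
        run "mksecldap -s -U"
        echo "server setup failed; slapd.conf restored, inspect the database manually" >&2
        return 1
    fi

    # 3. The guide requires the same host to be set up as a client.
    run "$(client_cmd "$servers" "$admin_dn" "$admin_pw" "$suffix" "$keypath" "$keypw")" || return 1

    # 4. mksecldap saved the admin DN, its password and the SSL key password
    #    to ldap.cfg; make sure only root can read that file.
    run "chmod 600 /etc/security/ldap/ldap.cfg"
}

main "$@"
```

Two caveats a practitioner should keep in mind: the documented -p and -w flags put the administrator and key passwords on the mksecldap command line, where they are visible to ps and shell history for the duration of the command, so run the setup from a console session and clear the history afterwards; and the script only tightens permissions on ldap.cfg, it does not change what mksecldap writes into it.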


AIX 5L Version 5.2: Security Guide
