LDAP, the Lightweight Directory Access Protocol, is optimized for reading, browsing and searching directories. It was originally developed as a lightweight front end to the X.500 Directory Access Protocol and is becoming the industry standard protocol for accessing directory servers.
An LDAP security load module was introduced in AIX® Version 4.3. It provides user authentication and centralized user and group management through IBM SecureWay® Directory. A user defined on an LDAP server can be configured to log in to an LDAP client even if that user is not defined locally. The AIX LDAP load module is fully integrated with the AIX operating system: the standard high-level commands can be used to manage LDAP users and groups, for example creating and deleting users, changing user and group attribute values, and changing user passwords [1, 2].
AIX was among the first operating systems to use LDAP for user authentication. Because there was no well-defined industry standard at the time of implementation, the LDAP solution was designed solely for a homogeneous AIX environment. As a result, users may find it difficult to integrate AIX LDAP (AIX 5L™ Version 5.1 and AIX Version 4.3) with LDAP solutions from other vendors.
The incompatibility is due to a difference in LDAP schema, that is, the set of LDAP attributes and object classes. On the server side, AIX LDAP user and group data may not be interpreted correctly by non-AIX systems, and on the client side, AIX cannot correctly interpret data obtained from an LDAP server that uses a schema other than the AIX-specific one.
AIX 5L Version 5.2 improves its LDAP implementation by supporting IBM Directory servers that use the user and group schema defined in RFC 2307 [3]. This schema is widely used by many vendors. AIX 5L Version 5.2 also supports a combination of the RFC 2307 schema and the AIX schema, which provides full functionality for AIX client systems. The goal of this paper is to provide details about configuring IBM Directory Server to support user authentication through LDAP with both the AIX-specific schema and the RFC 2307 schema.
On the client side, AIX 5L Version 5.2 ships an improved LDAP load module that provides great flexibility in schema tolerance and high interoperability with non-IBM directories. The new load module is fully backward compatible with the earlier version. Configuration of AIX client systems to use LDAP servers for user authentication and management is covered in a separate paper [4].
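The schema difference above is concrete: an RFC 2307 client can only map an entry to a login if the entry carries the attributes RFC 2307 marks as MUST for posixAccount (cn, uid, uidNumber, gidNumber, homeDirectory) and for posixGroup (cn, gidNumber). The following Python is an added illustration, not code from this paper or from AIX: it parses a small LDIF text constructed here, checks each entry against those RFC 2307 requirements, and renders the passwd(5)/group(5) line a client would derive. The suffix dc=example,dc=com and the sample users are assumptions.

```python
"""RFC 2307 schema check for LDAP user and group entries.

Added example, not code from the white paper or from AIX. Parses constructed
LDIF, verifies the RFC 2307 MUST attributes, and renders passwd/group lines.
The suffix dc=example,dc=com and the sample entries are assumptions.
"""

# MUST attributes from the RFC 2307 object class definitions (section 4).
REQUIRED = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "posixGroup": {"cn", "gidNumber"},
}


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles folded lines (leading space), '#' comments and blank-line entry
    separation. Base64 ('::') values are not needed for this illustration.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def missing_attrs(entry):
    """RFC 2307 MUST attributes absent from an entry, for every posix object
    class the entry claims; an empty set means the entry is schema-complete."""
    missing = set()
    for oc in entry.get("objectClass", []):
        if oc in REQUIRED:
            missing |= REQUIRED[oc] - set(entry)
    return missing


def _first(entry, attr, default=""):
    return entry.get(attr, [default])[0]


def to_passwd_line(entry):
    """Render a posixAccount entry as a passwd(5) line. The password field is
    'x': the hash lives in userPassword and is not part of the passwd map."""
    missing = missing_attrs(entry)
    if missing:
        raise ValueError("entry lacks RFC 2307 attributes: %s" % sorted(missing))
    return ":".join([
        _first(entry, "uid"), "x", _first(entry, "uidNumber"),
        _first(entry, "gidNumber"), _first(entry, "gecos"),
        _first(entry, "homeDirectory"), _first(entry, "loginShell"),
    ])


def to_group_line(entry):
    """Render a posixGroup entry as a group(5) line."""
    missing = missing_attrs(entry)
    if missing:
        raise ValueError("entry lacks RFC 2307 attributes: %s" % sorted(missing))
    return "%s:x:%s:%s" % (_first(entry, "cn"), _first(entry, "gidNumber"),
                           ",".join(entry.get("memberUid", [])))


# Constructed sample: a complete user, a group, and a user entry that omits
# homeDirectory, which an RFC 2307 client cannot map to a login.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/ksh
gecos: Jane Doe
userPassword: {crypt}placeholder

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: staff
gidNumber: 10001
memberUid: jdoe

dn: uid=broken,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: broken
cn: broken
uidNumber: 10002
gidNumber: 10001
"""

ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for e in ENTRIES:
        gaps = missing_attrs(e)
        print(e["dn"][0], "missing:", sorted(gaps) if gaps else "none")
    print(to_passwd_line(ENTRIES[0]))
    print(to_group_line(ENTRIES[1]))
```

The third entry is the kind of data an interoperability problem produces: it is a valid directory object, but a client that expects RFC 2307 attributes has nothing to put in the home-directory field and must reject the login rather than guess.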

[1] AIX Version 4.3 Documentation: System Management Guide: Operating System and Devices: LDAP Exploitation of the Security Subsystem. http://publib.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/toc.htm
[2] Configuring the AIX security subsystem to use IBM's SecureWay Directory (LDAP). http://www.ibm.com/servers/aix/products/aixos/whitepapers/ldap.html
[3] RFC 2307: An Approach for Using LDAP as a Network Information Service. http://www.ietf.org/rfc/rfc2307.txt
[4] Configuring an AIX Client System for User Authentication and Management Through LDAP, published as a companion white paper.