
Configuring an AIX Client System for User Authentication and Management Through LDAP

This paper focuses on configuring AIX® systems as clients of directory servers, both IBM Directory servers and third party LDAP (Lightweight Directory Access Protocol) servers, to provide readers with a complete picture of how to configure and exploit the AIX LDAP security solution. A separate paper discusses how to configure the IBM Directory server for user authentication in AIX [1].

AIX first implemented an LDAP security load module in version 4.3 [2]. The implementation worked well in a uniform AIX environment. However, users have found it hard to configure AIX systems to work with third party LDAP servers. This shortcoming is primarily the result of the proprietary schema used by AIX [1].

Since AIX 5L™ version 5.2, AIX supports the schema defined in RFC 2307, which is widely used among IBM peers and which is becoming the industry standard for network entities. The schema defines attributes and object classes for such entities as users, groups, networks, services, hosts, protocols, rpc, etc. [3]. The RFC 2307 schema is often referred to as the nisSchema. Both of these terms are used interchangeably in this paper.
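As an added illustration of the RFC 2307 user and group classes named above (example code written for this page, not code from the paper or from AIX): a minimal LDIF parser and a check that reports which attributes RFC 2307 section 4 marks as MUST on posixAccount and posixGroup are missing from an entry. The sample LDIF, the function names and the example DNs are constructed for this example.

```python
import base64
# MUST attributes per RFC 2307 section 4 for the two classes CSSM maps.
RFC2307_MUST = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts, attribute names lowercased.
    Handles multi-valued attributes, base64 ('::') values and folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation of prior line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: base64value"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_rfc2307(entry):
    """Return the sorted RFC 2307 MUST attributes this entry is missing."""
    required = set()
    for oc in entry.get("objectclass", []):
        required |= RFC2307_MUST.get(oc.lower(), set())
    return sorted(required - set(entry))

# Constructed sample: a complete user entry and a group missing gidNumber.
SAMPLE_LDIF = """dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice
gecos:: QWxpY2UgRXhhbXBsZQ==

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
"""
```

A group entry without gidNumber cannot be mapped to an AIX group id, so a check like this is useful before pointing a client at a third party server whose entries were not created with the nisSchema in mind.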

Client support for the nisSchema in AIX is part of the Configurable Schema Support Mechanism (CSSM), which is a bigger effort to support arbitrary schema. With CSSM, AIX systems can be configured to support LDAP directory servers using any schema. At present, CSSM is implemented for users and groups only.

Configuring AIX to do naming lookup through LDAP for network entities, including users and groups, is also implemented in AIX 5L v5.2. However, this paper deals only with issues related to user authentication and user/group management through LDAP. Naming lookup services for other network entities are addressed in a separate paper [4].

This paper addresses only client configuration. Section 2 introduces the major components and their functionality in an AIX LDAP client system. Section 3 gives step-by-step instructions on configuring an AIX client system. In Section 4, detailed behaviors and new features of the AIX LDAP client, including CSSM, are presented and discussed. System management with respect to the LDAP load module and detailed steps to enable LDAP user authentication are given in Section 5.

[1] Configuring an IBM Directory Server for User Authentication and Management in AIX, published as a companion white paper.

[2] AIX v4.3 Documentation: System Management Guide: Operating System and Devices: LDAP Exploitation of the Security Subsystem.
http://publib.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/baseadmn/toc.htm

[3] RFC 2307: An approach for using LDAP as a network information service.
http://www.ietf.org/rfc/rfc2307.txt

[4] LDAP naming service in AIX, to be published.
