LDAP Enhancements 2006

Published by sherifdba on Mar 06, 2014

AIX Security Development

AIX LDAP Authentication and Identification Enhancements for AIX ML05

© 2006 IBM Corporation


Pre 5.3/ML05 Support For LDAP Based Authentication
Many OS tables could be managed through an LDAP server
– Users, groups, network tables, accounting etc.
– Multiple clients use the same configuration information.
Features of LDAP user management on AIX
– RFC 2307 based implementation
  • Compatible with any RFC 2307 LDAP server, even if the server is based on another platform.
– Fault tolerant: client switchover to another server
– Server based authentication
– Host login controls


AIX 5.3 ML05 LDAP enhancements
– Support For Extended Base DN Format
– Support For Multiple Base DN Definitions
– AIX LDAP Client Support Against Microsoft Active Directory


Extended Base DN Format
AIX now supports base DNs in these formats:
– userbasedn: ou=people, cn=aixdata
– userbasedn: ou=people, cn=aixdata?scope
– userbasedn: ou=people, cn=aixdata?scope?filter

Where scope is one, sub or base, and filter is of the simple format:
– (attribute=value)
– (&(attribute=value)(attribute=value))
– (|(attribute=value)(attribute=value))


Multiple Base DN Support
Can distribute User and Group information in the server
– Can specify multiple base DNs for users and groups in /etc/security/ldap/ldap.cfg
– Example:
  • userbasedn: ou=dept1,ou=people, cn=aixdata
  • userbasedn: ou=dept2,ou=people, cn=aixdata

AIX will accept up to ten base DNs per entity (e.g. user)
– Search / modification is done in the order specified, and the first match is returned/modified
– New entries are only added to the first base DN by mkuser / mkgroup
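As an added example (not code from the IBM deck), the Python below parses the extended base DN format of the previous slide and the multiple userbasedn lines of this one from a constructed /etc/security/ldap/ldap.cfg excerpt, enforces the ten-entry limit, and resolves a user with the first-match rule against a constructed in-memory directory. The filter grammar is taken from the slide; an absent scope is left as None rather than assuming a default.

```python
import re
MAX_BASEDNS = 10  # AIX accepts at most ten base DNs per entity (user, group, ...)
_TERM = r"\([A-Za-z][\w-]*=[^()]+\)"  # one (attribute=value) term
_FILTER = re.compile(rf"^(?:{_TERM}|\([&|](?:{_TERM}){{2,}}\))$")  # (a=v), (&..), (|..)

def parse_basedn(value):
    """Split 'base[?scope[?filter]]'; reject unknown scopes and unsupported filters."""
    parts = [p.strip() for p in value.split("?")]
    if len(parts) > 3 or not parts[0]:
        raise ValueError(f"malformed base DN: {value!r}")
    base = ",".join(rdn.strip() for rdn in parts[0].split(","))  # drop ', ' spaces
    scope, filt = (parts + [None, None])[1:3]  # absent parts stay None
    if scope is not None and scope not in ("one", "sub", "base"):
        raise ValueError(f"scope must be one, sub or base: {scope!r}")
    if filt is not None and not _FILTER.match(filt):
        raise ValueError(f"unsupported filter syntax: {filt!r}")
    return base, scope, filt

def basedn_error(value):
    """Validation message for one base DN value, or None when it is acceptable."""
    try:
        parse_basedn(value)
    except ValueError as exc:
        return str(exc)

def load_basedns(cfg_text, key="userbasedn"):
    """Collect every 'key:value' line of an ldap.cfg excerpt, keeping file order."""
    found = [m.group(1) for m in map(re.compile(rf"^\s*{key}\s*:(.*)$").match,
                                     cfg_text.splitlines()) if m]
    if len(found) > MAX_BASEDNS:
        raise ValueError(f"{len(found)} {key} lines; AIX allows {MAX_BASEDNS}")
    return [parse_basedn(v) for v in found]

def _matches(filt, entry):  # '&' needs every term, '|' needs one, no filter matches all
    hits = [entry.get(a) == v for a, v in re.findall(r"\(([\w-]+)=([^()]+)\)", filt or "")]
    return filt is None or (any(hits) if filt.startswith("(|") else all(hits))

def find_user(basedns, directory, uid):  # first match wins, walking base DNs in file order
    for base, _scope, filt in basedns:
        for entry in directory.get(base, []):
            if entry.get("uid") == uid and _matches(filt, entry):
                return base, entry
    return None

SAMPLE_CFG = """\
# constructed ldap.cfg excerpt: bob is disabled under dept1 but active under dept2
userbasedn: ou=dept1,ou=people, cn=aixdata?one?(status=active)
userbasedn:ou=dept2,ou=people, cn=aixdata
"""
SAMPLE_DIR = {"ou=dept1,ou=people,cn=aixdata": [{"uid": "alice", "status": "active"}, {"uid": "bob", "status": "disabled"}],
              "ou=dept2,ou=people,cn=aixdata": [{"uid": "bob", "status": "active"}]}
```

Because dept1 is listed first but its filter excludes the disabled bob, the lookup falls through to dept2; an entry that is not excluded by the filter is returned from the first base DN even if a later one also holds it.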


AIX LDAP Client Support For Active Directory
Enable the AIX client to use Active Directory LDAP
– Support Active Directory (AD) in the same way as any RFC 2307 compliant LDAP server
Transparent to administrators and users
– Hide all implementation details
– Use mksecldap to configure the AIX client to operate with AD
  • Just as is done for any other LDAP server
  • mksecldap -c -h <AD server> -a cn=administrator,cn=users,dc=austin,dc=ibm,dc=com -p pwd -d cn=users,dc=austin,dc=ibm,dc=com


AIX AD Client support: Details
AIX maps AIX security attribute names to AD custom names
– /etc/security/ldap/sfu30user.map
– /etc/security/ldap/sfu30group.map
The AIX LDAP client tool mksecldap will autodetect an AD server
– The schema type used by AD is queried and AIX is configured with the corresponding attribute maps.


AIX Requirements on Active Directory Configuration
AD for Windows 2000/2003: AD must have the Unix schema installed.
– The schema can be installed from MS Services for Unix (SFU).
– Supported SFU versions: 3.0+ (3.0 and 3.5)
Windows users and groups should be enabled for Unix support.


AIX Commands
These commands work against Active Directory:
– lsuser, chuser, rmuser, passwd*, chpasswd*, lsgroup, chgroup, rmgroup, id, groups
These commands will not operate with Active Directory:
– mkuser, mkgroup


Group Support for both AD group attributes
AD supports two types of group attributes
– msSFU30PosixMember & msSFU30MemberUid

Default support for msSFU30PosixMember
– For msSFU30MemberUid, the admin needs to change the map file

Name               | Comments
msSFU30PosixMember | Requires full DN. Example: msSFU30PosixMember: cn=user1,cn=users, dc=fvt,dc=austin,dc=ibm,dc=com
msSFU30MemberUid   | Same as the RFC 2307 memberUid attribute. Example: msSFU30memberuid: user1
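An added example (mine, not IBM's) in Python showing how a client resolves the same group under each attribute from the table above: msSFU30PosixMember values are parsed as full DNs (escaped commas included), msSFU30MemberUid values are taken as bare names, and values of the wrong shape are reported rather than guessed. The group entry is constructed; the attribute-name comparison is case-insensitive, as LDAP attribute names are (the slide itself writes msSFU30memberuid).

```python
import re

# The two AD membership attributes from the slide and the value shape each carries.
MEMBER_ATTRS = {"msSFU30PosixMember": "dn",   # full DN of the user entry
                "msSFU30MemberUid": "uid"}    # bare user name, like RFC 2307 memberUid
_FIRST_RDN = re.compile(r"^\s*([A-Za-z][\w-]*)=((?:\\.|[^,])*)")  # honours '\,' escapes

def uid_from_dn(dn):
    """User name from a DN such as 'cn=user1,cn=users,dc=...'; None unless it leads with cn=."""
    m = _FIRST_RDN.match(dn)
    if not m or m.group(1).lower() != "cn" or "," not in dn[m.end():]:
        return None  # not cn=, or no further RDNs, so not a full DN
    return m.group(2).strip().replace("\\,", ",")

def group_members(group, attr="msSFU30PosixMember"):
    """Resolve user names from an AD group entry given as {attribute: [values]}.

    Returns (members, problems). Values whose shape does not fit `attr` are reported
    instead of guessed at, since AIX reads only the attribute the map file names.
    """
    shape = MEMBER_ATTRS[attr]
    # LDAP attribute names are case-insensitive, so match the key without regard to case.
    values = next((v for k, v in group.items() if k.lower() == attr.lower()), [])
    members, problems = [], []
    for value in values:
        uid = uid_from_dn(value) if shape == "dn" else (None if "=" in value else value)
        (members if uid else problems).append(uid or value)
    return members, problems

# Constructed group entry in the shape AIX would read from AD; all values are invented.
SAMPLE_GROUP = {
    "cn": ["unixadmins"],
    "msSFU30PosixMember": ["cn=user1,cn=users,dc=fvt,dc=austin,dc=ibm,dc=com",
                           "cn=Smith\\, Jo,cn=users,dc=fvt,dc=austin,dc=ibm,dc=com",
                           "user3"],  # bare uid in a DN-valued attribute: reported
    "msSFU30memberuid": ["user1", "user2"],
}
```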


Limitations/Issues


Issue: Password Synchronization
Password change from AIX could lead to synchronization issues
– Mainly because AD supports 2 passwords
  • Native password
    – Unicodepwd: supports Windows user authentication
  • And a password for the Unix-client-to-AD interface
    – msSFU30Password: supports the UNIX crypt password


Issue: Password continued
AIX using the Unicodepwd password:
– No sync issue: same password for Windows and AIX.
– Password change requires an SSL connection
– How to use Unicodepwd from AIX: set the LDAP authentication type to ldap_auth


Issue: Password continued
AIX using the msSFU30Password password:
– Password change from AIX will change only msSFU30Password and not Unicodepwd
– Hence the user will use different passwords for Windows and AIX logins
– How to use msSFU30Password from AIX: set the LDAP authentication type to unix_auth
– Change the map file /etc/security/ldap/sfu30user.map to map the AIX password to msSFU30Password


AIX Security References
AIX online publications
– http://www.ibm.com/servers/aix
– Technical ‘Redbooks’ PDF/HTML available at http://www.redbooks.ibm.com
  • SG24-5962-00 AIX 4.3 Elements of Security
  • SG24-5971-00 Additional AIX Security Tools
  • SG24-7463-00 AIX 5L Differences Guide Version 5.3 Edition

pSeries Security
– http://www.ibm.com/eserver/pseries/security

HMC Security
– http://www.ibm.com/servers/eserver/pseries/hardware/whitepapers/hmc_security.pdf

IBM Security
– http://www.ibm.com/security

Security Information by email
– https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

IBM Security Response Alerts
– security-alert@austin.ibm.com


AIX Security References: contd.
AIX LDAP integration: Redbook
– http://www.redbooks.ibm.com/redpieces/pdfs/sg247165.pdf

AIX LDAP Configuration
– Server
  • http://www-1.ibm.com/servers/aix/whitepapers/ldap_server.html
– Client
  • http://www-1.ibm.com/servers/aix/whitepapers/ldap_client.pdf

AIX Virus Scan Software
– http://www-1.ibm.com/servers/eserver/pseries/security/feature/antivirus.html

SSH DeveloperWorks Articles
– http://www-106.ibm.com/developerworks/eserver/articles/openssh_aix.html
– http://www-106.ibm.com/developerworks/eserver/articles/openssh_updated.html

Service Update Management Assistant (SUMA): tool to monitor for security PTFs
– http://www-03.ibm.com/servers/aix/whitepapers/suma.pdf

AIX user management using Kerberos server
– http://www-03.ibm.com/systems/p/library/wp_aix_lit.html
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos.pdf
– http://www.ibm.com/servers/aix/whitepapers/aix_kerberos2.pdf