LDAP Integration With AIX, Linux and DB2


Integration of LDAP (ITDS) with AIX, Linux and DB2

Ver 0.1

Mar 2012

SBI, IBM & TCS Confidential SBEDW Program 1


Revision History
Document Title Integration of LDAP(ITDS) with AIX, Linux and DB2
Purpose This document describes how AIX, Linux and DB2 are integrated with LDAP (ITDS)
for authentication.
Status Draft

Responsibility Name
Author Sonny Laskar (TCS)
Reviewed By Raj Ghose
Approved By
Distribution List

Document Version
Version Date Author Description of Change

Ver 1.0 12-03-2012 Sonny Laskar Initial Version.



TABLE OF CONTENT

1. INTRODUCTION...................................................................................4

2. ADVANTAGES OF LDAP AUTHENTICATION............................................5

3. USER CREATION MODEL......................................................................6

4. CONFIGURATION OF AIX SERVER FOR LDAP AUTHENTICATION..............8

5. CONFIGURATION OF LINUX SERVER FOR LDAP AUTHENTICATION..........9

6. DB2 TRANSPARENT LDAP..................................................................11

7. DISABLE LDAP AUTHENTICATION.......................................................12

8. SAMPLE SCENARIOS..........................................................................13

9. LIST OF ABBREVIATIONS.......................................................15



1. INTRODUCTION
In an enterprise setup a large number of users exist, and creating and managing copies of the same
users on many servers at the same time is both complicated and cumbersome. It also introduces security
risks, because users tend to reuse the same password across different computers or store their
passwords in an unsafe place. Adopting LDAP as the backbone for authentication serves better: user
management becomes a centralized process. LDAP is an industry standard protocol, and the major
operating systems and software products support LDAP-based authentication. Currently, users and groups
are created locally in each operating system. In the proposed setup all AIX and Linux servers will be
integrated with LDAP for authentication. The DB2 databases will be configured with 'Transparent LDAP',
where DB2 relies on the local OS, which is itself configured against LDAP.



2. ADVANTAGES OF LDAP AUTHENTICATION

The following are a few advantages of using an LDAP server for authentication:

 Centralized management of users.
 Easy to use and to integrate with an existing setup.
 Single point of administration.
 Host-based access control for individual users.
 A user can be allowed database access only, without OS access.
 Groups can be used to grant common privileges at OS and database level.
 The same users can be reused across different servers, environments and versions.
 Best suited to a heterogeneous setup with different servers and environments.

The disadvantages of using LDAP authentication are:

 High availability of the LDAP server is very important: while it is unreachable, only the
local fallback users can log in.
 Authentication takes slightly longer, because every lookup is a network round trip to the
directory server (milliseconds, rather than the microseconds of a local file lookup).
 If the LDAP server is in a different network behind a firewall, or is reached over a slow
network link, authentication can take noticeably longer, and a login may hang until the
connection attempt times out.



3. USER CREATION MODEL
Unique UID/GID:
In Unix, users and groups are identified by numbers, the UID and GID. Once users live in LDAP, one
entry serves every server, so as part of the initial readiness we have to ensure that a given user or
group carries the same UID/GID on all servers, and that no two different users or groups share a
number. This is a time-consuming process and needs to be done before the LDAP configuration. After
changing the UID/GID of a user, every file and directory owned by the old number must be re-owned,
otherwise it becomes orphaned or, worse, ends up belonging to whichever other user later receives that
number. All user and group names should be in lowercase, because mixed-case names cause problems in
DB2 and Windows.

Example: user xyz currently has UID=10 and GID=100 and must become UID=11, GID=101.
1) Ensure the user has no running process: ps -ef | grep xyz
2) Change the UID of xyz to 11 (chuser only updates the user database, not file ownership):
$ chuser id=11 xyz
3) Re-own the files still owned by the old numeric UID 10. Use -xdev so the search does not cross
into NFS or other mounted file systems that belong to another server:
$ find / -xdev -user 10 -exec chown xyz {} \;
4) Change the GID of the group to 101 with chgroup (or edit /etc/group and the primary group
field of the user in /etc/passwd):
$ chgroup id=101 <groupname>
5) Re-own the files still owned by the old numeric GID 100:
$ find / -xdev -group 100 -exec chgrp 101 {} \;
6) Confirm with the id command and check the permissions of the user's files.
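The readiness check above has to be repeated for every user and group on every server before the LDIF files are merged. The following script is an added example (not part of the original document) that takes the /etc/passwd or /etc/group text collected from several servers and reports the three problems this section warns about: a name whose numeric id differs between servers, a number shared by two different names, and names that are not lowercase. The server names and file contents are constructed for the example.

```python
"""Cross-server UID/GID consistency check (added example, not from the page).

Both /etc/passwd and /etc/group keep the numeric id in the third
colon-separated field, so one parser serves both files.
"""
from collections import defaultdict

# Constructed sample input (not real hosts or accounts): server -> file text.
SAMPLE_PASSWD = {
    "dsuryaa01": (
        "root:!:0:0::/:/usr/bin/ksh\n"
        "db2inst1:!:200:300:DB2 instance:/home/db2inst1:/usr/bin/ksh\n"
        "amit:!:1001:400:ETL developer:/home/amit:/usr/bin/ksh\n"
    ),
    "dprithvi01": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "db2inst1:x:201:300:DB2 instance:/home/db2inst1:/bin/bash\n"
        "Amit:x:1001:400:ETL developer:/home/amit:/bin/bash\n"
    ),
}
SAMPLE_GROUP = {
    "dsuryaa01": "system:!:0:root\nstaff:!:1:\ndb2iadm1:!:300:db2inst1\netldev:!:400:amit\n",
    "dprithvi01": "root:x:0:\nbin:x:1:\ndb2iadm1:x:300:db2inst1\netldev:x:401:Amit\n",
}


def parse_ids(text):
    """Return {name: numeric id} from passwd or group file text.

    Comment lines and malformed lines are skipped.
    """
    ids = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        ids[fields[0]] = int(fields[2])
    return ids


def find_conflicts(per_server):
    """per_server maps server name -> passwd or group text.

    Returns {"id_mismatch": [(name, {server: id})],
             "id_shared":    [(id, [names])],
             "not_lowercase": [names]}.
    """
    name_to_ids = defaultdict(dict)   # name -> {server: id}
    id_to_names = defaultdict(set)    # id -> every name using it anywhere
    for server, text in per_server.items():
        for name, num in parse_ids(text).items():
            name_to_ids[name][server] = num
            id_to_names[num].add(name)

    findings = {"id_mismatch": [], "id_shared": [], "not_lowercase": []}
    for name in sorted(name_to_ids):
        by_server = name_to_ids[name]
        if len(set(by_server.values())) > 1:
            findings["id_mismatch"].append((name, dict(sorted(by_server.items()))))
        if name != name.lower():
            findings["not_lowercase"].append(name)
    for num in sorted(id_to_names):
        if len(id_to_names[num]) > 1:
            findings["id_shared"].append((num, sorted(id_to_names[num])))
    return findings


def report(label, findings):
    """Print the findings in a form that can be pasted into the readiness checklist."""
    print(f"== {label} ==")
    for name, by_server in findings["id_mismatch"]:
        print(f"  MISMATCH {name}: " + ", ".join(f"{s}={i}" for s, i in by_server.items()))
    for num, names in findings["id_shared"]:
        print(f"  SHARED id {num}: {', '.join(names)}")
    for name in findings["not_lowercase"]:
        print(f"  NOT LOWERCASE: {name}")
    if not any(findings.values()):
        print("  clean")


if __name__ == "__main__":
    report("passwd", find_conflicts(SAMPLE_PASSWD))
    report("group", find_conflicts(SAMPLE_GROUP))
```

On the constructed data the group report shows the AIX/Linux naming difference this document deals with in section 4 (GID 0 is system on AIX and root on Linux, GID 1 is staff on AIX and bin on Linux), which is why the default group is changed to usr before export. Every MISMATCH and SHARED line must be resolved with the chuser/chgroup procedure above before sectoldif is run; otherwise the merged LDIF will contain conflicting posixAccount entries.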

Dual Authentication:
The major operating systems support dual authentication (LDAP first, local files second). Hence if the
LDAP server is unavailable due to an unscheduled outage, the users present in the local operating
system can still log in to the server. For this purpose, all the application users are also created at
OS level.

Application users on OS Level:

In AIX, the authentication method can be specified per user (the SYSTEM and registry attributes in
/etc/security/user). In Linux with pam_ldap/nss_ldap it is a global PAM configuration and is not set
per user. Hence in AIX all application users will always use local authentication and not LDAP. In
Linux we need to ensure that every application user has the same password at OS level and at LDAP
level, and that the two are always changed together, otherwise the local fallback silently stops
working.

RFC2307 Standard:
The RFC2307 standard defines the schema definition for LDAP-OS authentication. All users on LDAP to
be used for Unix-based authentication have to be created as per RFC2307 standard. Read more about
this at www.rfc-editor.org/rfc/rfc2307.txt

Crypt Password Hashing:
The Unix crypt format will be used to store the password hash of all users on the LDAP server (the
userPassword attribute with the {crypt} prefix). This is a one-way hash, not a reversible encryption:
the directory never holds the clear-text password. Note that the traditional DES-based crypt truncates
passwords to eight characters and is fast to brute-force, so a stronger crypt variant should be chosen
if ITDS and all AIX and Linux clients support it.

User creation from UNIX Client:

All the Unix servers also act as clients of the LDAP server. Because every user entry has to be
RFC2307-compliant, which involves many attributes, all users will be created with the Unix user
management commands against the LDAP registry (mkuser -R LDAP, chuser -R LDAP and so on) rather than
with hand-written LDIF, so that the required attributes are always filled in consistently.

Access Control:



All users have an attribute hostsallowedlogin (mapped to the LDAP attribute host, see section 4)
holding the list of hostnames on which the user may log in. If this attribute is blank, the user can
log in on all AIX servers but on no Linux server: pam_ldap with pam_check_host_attr denies a user
without a host value, while AIX treats the absence as "no restriction". A blank value is therefore an
accidental grant on every AIX server, and we will always specify a value. If a user requires only
database access and no OS access, the attribute is set to the hostname of the target database server
and the shell attribute is set to /dev/null; this stops interactive logins, but DB2, which
authenticates through the OS, still accepts the user on that host. The values must match the name the
server itself reports with the hostname command.
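The rules in this paragraph are easy to get wrong when hundreds of entries are reviewed, so the following script is an added example (not part of the original document) that evaluates them for every user/server pair: the host attribute must list the server, a blank attribute passes on AIX and fails on Linux, and a shell of /dev/null blocks an interactive OS login but not a DB2 connection authenticated through the OS. Hostnames are compared exactly, which is an assumption of this example; the users and servers are constructed to mirror the sample scenarios in section 8 and are not real accounts.

```python
"""Effective access check for the page's host/shell user model
(added example, not from the original document)."""

DEV_NULL = "/dev/null"

# Constructed directory entries: user -> (host attribute values, loginShell).
USERS = {
    "amit_etl":    ([], DEV_NULL),                                           # blank host list
    "amit_dbonly": (["suryaa01", "suryas01"], DEV_NULL),                     # DB access only
    "amit_sysadm": (["suryaa01", "suryas01", "prithvi01"], "/usr/bin/ksh"),  # OS access
    "amit_blank":  ([], "/usr/bin/ksh"),                                     # attribute forgotten
}

# Constructed server inventory: hostname -> platform.
SERVERS = {"suryaa01": "aix", "suryas01": "aix", "prithvi01": "linux", "testsvr": "linux"}


def host_permitted(hosts, server, platform):
    """Host rule: listed hosts only; a blank list passes on AIX and never on Linux."""
    if not hosts:
        return platform == "aix"
    return server in hosts          # exact match, an assumption of this example


def os_login_allowed(hosts, shell, server, platform):
    """An interactive login needs the host rule and a usable shell."""
    return host_permitted(hosts, server, platform) and shell != DEV_NULL


def db_access_allowed(hosts, shell, server, platform):
    """DB2 transparent LDAP: the host rule applies, the shell does not."""
    return host_permitted(hosts, server, platform)


def access_matrix(users, servers):
    """Return {user: {server: (os_login, db_access)}} for every user/server pair."""
    matrix = {}
    for user, (hosts, shell) in users.items():
        matrix[user] = {
            server: (os_login_allowed(hosts, shell, server, platform),
                     db_access_allowed(hosts, shell, server, platform))
            for server, platform in servers.items()
        }
    return matrix


def blank_host_users(users):
    """Entries that violate the rule 'always specify hostsallowedlogin'."""
    return sorted(user for user, (hosts, _) in users.items() if not hosts)


if __name__ == "__main__":
    for user, row in access_matrix(USERS, SERVERS).items():
        cells = ", ".join(f"{s}:{'os' if o else '--'}/{'db' if d else '--'}"
                          for s, (o, d) in row.items())
        print(f"{user:13} {cells}")
    print("blank host attribute, fix before go-live:", blank_host_users(USERS))
```

The output makes the trap visible: amit_etl, meant to have neither OS nor DB access, can still authenticate to DB2 on every AIX server because its host list is blank, which is exactly why the text says to always set the attribute.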

Automatic Home Directory Creation:


Since the home directory of an LDAP user does not exist on the local OS beforehand, we configure
automatic home directory creation at login. This is described in the configuration procedure.

Unix Password Policy:


All users are subject to the password policy implemented on the servers as part of hardening.

LDAP Directory Structure:


All the Unix users will be created in ou=People,ou=OS,ou=India,dc=com directory. The Portal users
created in ou=SBIUSERS,dc=com will NOT have access to OS/Database.



4. CONFIGURATION OF AIX SERVER FOR LDAP
AUTHENTICATION
The following steps depict how to configure an AIX server to authenticate with an LDAP server:
1) All UIDs/GIDs should be properly set (see section 3).
2) Move all members of the staff group to the usr group and change the default group to usr in
/etc/security/mkuser.default. The AIX default group staff has GID 1, which in Linux is the group
bin; to keep GIDs consistent across both platforms we use usr as the default group.
3) Check that the LDAP client filesets are installed: $ lslpp -l | grep -i ldap
4) Ensure that the password policy is configured in the default stanza of /etc/security/user.
5) Add the host entry for the LDAP server in /etc/hosts on the AIX server:
Eg: 10.209.12.46 ldapserver
6) Configure the LDAP client with the mksecldap command:
mksecldap -c -h <hostname> -a <bind DN> -p <bind password> -d <base DN>
Eg : $ mksecldap -c -h ldapserver -a cn=root -p secret -d "ou=OS,ou=India,dc=com"
Note that the bind password given with -p is visible in the shell history and in the process list
while the command runs, and that mksecldap stores it in /etc/security/ldap/ldap.cfg. Binding every
client as the directory administrator cn=root means a root compromise of any one server exposes the
whole directory; a bind DN limited to reading the OS subtree and changing userPassword is preferable
where the directory ACLs allow it.
7) Change the mapping of the hostsallowedlogin attribute in /etc/security/ldap/2307aixuser.map to
the LDAP attribute host. This map file maps AIX user attributes to LDAP attributes. Linux (pam_ldap)
uses the host attribute for host-based access control while AIX uses hostsallowedlogin; so that one
attribute in the directory controls both platforms, AIX is changed to read host as well. After the
modification, cross-check with grep:
$ grep -i hostsallowedlogin /etc/security/ldap/2307aixuser.map
hostsallowedlogin SEC_LIST host m na
8) Export the user/group list in RFC2307 format for import into LDAP using sectoldif:
Eg : $ sectoldif -d "ou=OS,ou=India,dc=com" -S RFC2307AIX > user.ldif
The LDIF contains the password hashes, so protect the file (chmod 600) and delete it after the
import.
9) Consolidate the LDIF files from all servers into a single file (resolving any duplicate entries
left over from step 1) and import it with the LDAP import tool.
10) Check that all users can be seen in the LDAP portal.
11) Take an existing user, say test, which is present in LDAP, and enable LDAP-based login for it by
updating the test stanza in /etc/security/user with the attributes:
SYSTEM = "LDAP"
registry = LDAP
12) Try to log in as test. If the login succeeds, the integration is OK.
13) Now enable LDAP authentication globally, with LDAP as the first method and local authentication
as the fallback, by editing the default stanza in /etc/security/user with the attributes:
SYSTEM = "LDAP or files"
registry = LDAP
14) Set SYSTEM = "compat" for the root user, and registry = files for all other internal users and
application users for which LDAP authentication will not be used.
15) Enable automatic home directory creation with the following command:
chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
16) Remove the password policy for the tcsadm user in /etc/security/user so that its local password
does not expire. When LDAP is down and we need to log in to the AIX servers, the OS will use the
local password of tcsadm; if that password had expired, login would be refused. This is done only to
assist during a crisis, so the tcsadm password should be unique per server, kept in the password
vault, and its use reviewed in the login logs.
17) Use the lsldap command to check connectivity with the LDAP server.



5. CONFIGURATION OF LINUX SERVER FOR LDAP
AUTHENTICATION
The following steps depict how to configure a Linux server to authenticate with an LDAP server:
1) All UIDs/GIDs should be properly set (see section 3).
2) Add the host entry for the LDAP server in /etc/hosts on the Linux server:
Eg: 10.209.12.46 ldapserver
3) Install the pam and nss rpms. We had installed the following:
a. pam_ldap-32bit-180-13.5.x86_64.rpm
b. pam_ldap-180-13.5.x86_64.rpm
c. nss_ldap-32bit-246-14.6.x86_64.rpm
d. nss_ldap-246-14.6.x86_64.rpm
4) Edit /etc/skel to hold minimal folders/files. The /etc/skel directory contains the default
files/folders that are copied into a user's home directory on creation. On the BCU servers it was
found to contain many folders, which would unnecessarily consume inodes once home directories are
created automatically at login, so we have decided to keep /etc/skel to the minimal files/folders.
5) Enable LDAP authentication in YaST (LDAP Client module) as shown below:



(The YaST screenshot is not reproduced here.) Click Finish, using the relevant values.
6) Enable the host login check by setting "pam_check_host_attr yes" in /etc/ldap.conf. If this
parameter is set to no, any valid LDAP user can log in to that LDAP client. With yes, pam_ldap reads
the host attribute of the user and grants access only if it lists this server.
7) The following parameters should be present in /etc/ldap.conf. Use the following grep command and
check that the output matches; if not, make the changes:
# egrep -v "^$|^#" /etc/ldap.conf
host ldapserver
base ou=OS,ou=India,dc=com
ldap_version 3
bind_policy soft
binddn cn=root
rootbinddn cn=root
pam_login_attribute uid
pam_lookup_policy yes
pam_check_host_attr yes
pam_member_attribute memberuid
pam_password crypt
ssl no
pam_filter objectclass=posixAccount
nss_map_attribute uniqueMember member
tls_checkpeer no
Two of these settings deserve attention. With ssl no, the password a user types at login (pam_ldap
authenticates by binding to the directory as that user) and the new password sent by passwd travel
in clear text between the client and ITDS, so this is acceptable only on a trusted, isolated
network. Anywhere else set ssl to start_tls (or yes on the ldaps port) together with tls_checkpeer
yes and the CA certificate, otherwise the client will trust any host that answers as ldapserver.
8) Create a file /etc/ldap.secret containing the password of the rootbinddn user (cn=root, the LDAP
admin). Set its permissions to 600 with chmod. This password is used by the LDAP client when root
performs a write to the directory, for example when a user changes his password (passwd runs as
root): if the file is missing or contains the wrong password, the command fails with the error
"insufficient access". Because every client then holds the directory administrator's password,
protect this file as carefully as the root password itself.
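Steps 6 to 8 are easy to verify by eye on one server and easy to miss on fifty. The following script is an added example (not part of the original document) that parses the keyword-per-line format of /etc/ldap.conf and flags the settings discussed above: unencrypted transport, no peer verification, the host check switched off, the directory administrator as rootbinddn, and a /etc/ldap.secret that is readable by others. The configuration text is the one printed in step 7; the file mode passed to review() is constructed for the example, the script does not read the real files.

```python
"""Hardening review of a pam_ldap/nss_ldap /etc/ldap.conf
(added example, not from the original document)."""

SAMPLE_LDAP_CONF = """\
# copy of the configuration printed in step 7
host ldapserver
base ou=OS,ou=India,dc=com
ldap_version 3
bind_policy soft
binddn cn=root
rootbinddn cn=root
pam_login_attribute uid
pam_lookup_policy yes
pam_check_host_attr yes
pam_member_attribute memberuid
pam_password crypt
ssl no
pam_filter objectclass=posixAccount
nss_map_attribute uniqueMember member
tls_checkpeer no
"""


def parse_ldap_conf(text):
    """Return {keyword: value}; keywords are case-insensitive, values kept verbatim."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def review(conf, secret_mode=None):
    """Return a list of (code, message) findings for a parsed ldap.conf.

    secret_mode is the permission bits of /etc/ldap.secret (e.g. 0o600) when known.
    """
    findings = []
    ssl = conf.get("ssl", "no").lower()
    if ssl not in ("yes", "on", "start_tls"):
        findings.append(("SSL_OFF", "ssl is off: the password sent by pam_ldap at login and "
                         "by passwd on change cross the network in clear text"))
    if conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append(("TLS_NOVERIFY", "tls_checkpeer is not yes: the server certificate is "
                         "not verified, any host answering as ldapserver is trusted"))
    if conf.get("pam_check_host_attr", "no").lower() != "yes":
        findings.append(("HOST_ATTR_OFF", "pam_check_host_attr is not yes: every valid LDAP "
                         "user can log in to this client"))
    rootbinddn = conf.get("rootbinddn", "")
    if rootbinddn.lower() == "cn=root":
        findings.append(("ROOTBIND_ADMIN", "rootbinddn is the directory administrator: "
                         "/etc/ldap.secret on this client holds the admin password"))
    if rootbinddn and secret_mode is not None and secret_mode & 0o077:
        findings.append(("SECRET_MODE", f"/etc/ldap.secret mode {secret_mode:o} is readable "
                         "by group or others; it must be 600"))
    if conf.get("bind_policy", "hard").lower() == "soft":
        findings.append(("BIND_SOFT", "bind_policy soft: a failed connection is not retried; "
                         "confirm the PAM stack falls back to local files as intended"))
    return findings


def codes(findings):
    """Just the finding codes, convenient for scripting a fleet-wide check."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    for code, msg in review(parse_ldap_conf(SAMPLE_LDAP_CONF), secret_mode=0o600):
        print(f"{code:14} {msg}")
```

Run against the configuration from step 7 it reports SSL_OFF, TLS_NOVERIFY, ROOTBIND_ADMIN and BIND_SOFT and is silent on the host check and the secret file mode, which is the expected result for this setup; the same script run on each Linux client after the YaST step catches a server where the host check was left off or the secret file was created with the wrong mode.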



6. DB2 TRANSPARENT LDAP
DB2 9.7 supports the use of transparent LDAP on AIX, and from Fix Pack 1 it is also supported on
Linux, HP-UX and Solaris. In transparent LDAP the operating system is first configured to
authenticate against the LDAP directory server, and the DB2 instance is configured to use that
OS-level LDAP integration for authentication and group lookup; DB2 itself never talks to the
directory.
After the operating system is configured to authenticate with the LDAP server, set the registry
variable DB2AUTH to OSAUTHDB: as the instance owner (a user with SYSADM authority) run
db2set DB2AUTH=OSAUTHDB. Then update the DBM CFG authentication parameter to SERVER,
SERVER_ENCRYPT or DATA_ENCRYPT. With SERVER the client sends the password in clear text;
SERVER_ENCRYPT encrypts the password and DATA_ENCRYPT also the data, so prefer one of the two
encrypting values. It was observed that on Linux the group lookup was not working properly with
DB2; the following registry variable resolved the problem:
db2set DB2_ALTERNATE_GROUP_LOOKUP=GETGROUPLIST
Finally restart the instance (db2stop, then db2start).

The following are the advantages of Transparent LDAP over plugin-based LDAP authentication:
1) Transparent LDAP is more robust than plugin-based LDAP.
2) DB2 can use dual authentication feature of OS to have application users to still authenticate
locally thereby reducing impact during unscheduled downtime.
3) Configuring Transparent LDAP is easy compared to plugin-based LDAP.



7. DISABLE LDAP AUTHENTICATION
If LDAP authentication needs to be completely disabled, refer to the following steps:
1) AIX: change the values of SYSTEM and registry in the default stanza of /etc/security/user back
to SYSTEM = "compat" and registry = files.
2) Linux: use YaST, go to LDAP Client and disable LDAP.
3) DB2: remove the DB2AUTH and DB2_ALTERNATE_GROUP_LOOKUP registry variables (db2set DB2AUTH=
and db2set DB2_ALTERNATE_GROUP_LOOKUP=) and restart the instance.



8. SAMPLE SCENARIOS
The following are a few scenarios which depict the process to be followed for user creation for
system users. They are for illustration purposes only. On the Unix servers, use the command man tcs
to get such notes.

1. Create LDAP user AMIT for TCS ETL Team member which will be used by
the ETL Admin to grant access to Datastage. The user does not need
OS/DB access.
Create the user using mkuser command and set the groups to etldev and
hostsallowedlogin to NULL and shell=/dev/null as OS/DB access is not
needed. Later the ETL Admin would grant necessary privilege from his end
to that user. Set the password of the user with passwd command. This
step will be needed whenever a new user is created. We will avoid stating
this in coming examples.
$ mkuser -R LDAP groups=etldev hostsallowedlogin=NULL shell=/dev/null
amit
$ passwd -R LDAP amit
2. Create LDAP user AMIT for TCS ETL Team member which will be used by
the ETL Admin to grant access to Datastage. The user needs DB access to
BCU database and will connect to admin node.
Create the user using mkuser command and set the groups to etldev and
hostsallowedlogin to the hostname of the server where the database
exists. In partitioned database, only allow the admin node and standby
node. If the user will use load authority to connect to all partitions then all
the servers involved in the partition setup should be allowed in
hostsallowedlogin attribute. Later the ETL Admin would grant necessary
privilege from his end to that user.
$ mkuser -R LDAP groups=etldev hostsallowedlogin=SURYAa01 amit

3. Create LDAP user AMIT for TCS Cognos Team member which will be used
by the Cognos Admin to grant access to reports. The user needs DB
access to BCU database and will connect to admin node but no OS login.
Create the user using mkuser command and set the groups to cogdev
and hostsallowedlogin to the hostname of the server where the database
exists. In partitioned database, only allow the admin node and standby
node. If the user will use load authority to connect to all partitions then all
the servers involved in the partition setup should be allowed in
hostsallowedlogin attribute. Later the Cognos Admin would grant
necessary privilege from his end to that user.
$ mkuser -R LDAP groups=cogdev
hostsallowedlogin=SURYAa01,SURYAs01,SURYAs02 shell=/dev/null amit



4. Create LDAP user AMIT for TCS IS Team member who will have the
SYSADM Admin privilege. The user needs OS access to All AIX/Linux
Servers.
Create the user using mkuser command and set the groups to sysadm
and hostsallowedlogin to the hostname of the entire servers in the setup.
$ mkuser -R LDAP groups=sysadm hostsallowedlogin=dprithvi01,dprithvi02,dshukraprd,dshukrastb,dbrahaspati01,dbrahaspati02,dshani01,dSURYAa01,dSURYAm01,dSURYAd03,dSURYAd02,dSURYAd01,dSURYAd04,dSURYAd06,dSURYAd05,dSURYAs01,dSURYAapp01,dSURYAapp02 amit

5. Create LDAP user AMIT for TCS DBA Team member who will have the
DBADM Admin privilege. The user needs OS access to all database
Servers.
Create the user using mkuser command and set the groups to tcsdba
and hostsallowedlogin to the hostname of all database server.
$ mkuser -R LDAP groups=tcsdba hostsallowedlogin=dprithvi01,dprithvi02,dshukraprd,dshukrastb,dbrahaspati01,dbrahaspati02,dshani01,dSURYAa01,dSURYAm01,dSURYAd03,dSURYAd02,dSURYAd01,dSURYAd04,dSURYAd06,dSURYAd05,dSURYAs01,dSURYAapp01,dSURYAapp02 amit

6. Create LDAP user AMIT for SBI/IBM Team member who will have OS login
on a particular server with hostname TESTSVR.
$ mkuser -R LDAP hostsallowedlogin=TESTSVR amit

7. Create LDAP user AMIT for SBI/IBM Team member who needs DB access to
hostname TESTSVR but not OS access.
If the user requires only DB access and not OS access, and this is true for all servers, then set
the initial shell program to /dev/null. This prevents interactive OS logins while DB2 can still
authenticate the user through the OS. It will not work if the user needs OS access on some other
server, because the shell is a single attribute of the user and applies everywhere.
$ mkuser -R LDAP shell=/dev/null hostsallowedlogin=TESTSVR amit

8. Create LDAP user AMIT for SBI/IBM Team member who will be a Business
user and does not need access to OS/DB and needs access to Portal only.
Such users reside outside the boundary of system users. User needs to be
created in ou=SBIUSERS,dc=com (refer to the LDAP directory structure in section 3). Use the LDAP SOP
document for this.

9. List the attributes of a particular user amit and group testgrp:

$ lsuser -R LDAP amit
$ lsgroup -R LDAP testgrp

10. List a specific attribute "hostsallowedlogin" of a particular user amit:



$ lsuser -R LDAP -a hostsallowedlogin amit

11. Change a specific attribute "hostsallowedlogin" of a particular user amit to suryaa01,suryas01:
$ chuser -R LDAP hostsallowedlogin=suryaa01,suryas01 amit

12. Delete a user or group:


$ rmuser -R LDAP <username>
$ rmgroup -R LDAP <groupname>



9. LIST OF ABBREVIATIONS
LDAP Lightweight Directory Access Protocol
LDIF LDAP Data Interchange Format
ITDS IBM Tivoli Directory Server
MSAD Microsoft Active Directory
OS Operating System
DN Distinguished Name
DBA Database Administrator
AIX Advanced Interactive eXecutive
YaST Yet another Setup Tool

