
Part 2. LDAP client integration

4.1 Steps for client installation and configuration

This chapter takes you through the basic setup steps that apply regardless of which LDAP server you use. The following steps cover what you need to do to have a working client:

1. Plan for the installation and configuration.

Prior to starting the installation, we recommend that you read the planning chapter and this chapter completely to understand what features you can implement and what restrictions may be caused by your choice of things like the LDAP server, base DN, and schema.

2. Install the AIX 5L LDAP client software.

Install the AIX 5L LDAP client as described in 4.2.1, “AIX 5L LDAP client software installation” on page 105. The LDAP client file set, ldap.client, and the related file sets are available on the AIX 5L product media. Make sure that you install every file set that the security features in your plan require (for example, SSL support).

3. Make sure that you have a working LDAP server.

Before installing the client, make sure that you have a working LDAP server and that a bind DN with the appropriate permissions is configured on that server. When setting up the client you will need the bind DN of an administrative or proxy account on the LDAP server, the password for that account, and the base DN under which the user and group information is stored on that server.

4. Perform basic client configuration with mksecldap.

Do the initial configuration using the mksecldap command, as described in 4.2, “Installation and basic client configuration” on page 105. This creates the configuration file and starts the AIX 5L LDAP client daemon, secldapclntd, which handles all communication between this client and the LDAP server. It also automatically adds the LDAP loadable authentication module (LAM) entry to /usr/lib/security/methods.cfg, as described in 4.2.5, “LDAP authentication module enablement” on page 111.

5. Test the client connection with the LDAP server.

Before setting up users, enabling encryption, or customizing the configuration, make sure that your LDAP client can talk to the server. This confirms that you can retrieve information from the LDAP server and that you have configured the bind DN and password correctly. The lsldap and ldapsearch commands make this easy to check.

6. Enable a test user for LDAP authentication.

If possible, use a user that already exists in the LDAP directory with a known password. To enable a test user such as test1, set the SYSTEM and registry attributes for that user to LDAP in /etc/security/user. If the user already exists on the client, this can be done with the chuser command, as shown here:

# chuser -R LDAP SYSTEM=LDAP registry=LDAP test1

This creates the user’s stanza in /etc/security/user but does not create a home directory for the user, so add one with:

# mkdir /home/test1

# chown test1 /home/test1

# chmod 755 /home/test1

Test that this user can log in using the password stored on the LDAP server. SYSTEM=LDAP makes the user authenticate against LDAP, and registry=LDAP makes the user’s administrative attributes come from LDAP, so neither is taken from the local files.

7. Advanced configuration.

Once you have confirmed that the client can communicate with the server and can authenticate a single user, you know that you have a working client configuration. If it does not work, you may need to do some advanced configuration of the /etc/security/ldap/ldap.cfg file using the information described in 4.2.3, “AIX 5L LDAP client daemon” on page 108. If you are using a nonstandard schema, you will also have to create custom map files, as described in 4.3.6, “Object class and attribute name mapping” on page 131.

8. Configure root and other administrative users for local file authentication.

Before setting the default user stanza to use LDAP, set specific users to use the local files for authentication. Make sure to include the root user in this list, and if you do not allow root login, include at least one user that can su to root. Otherwise a failure of the LDAP server or of the network can lock every administrator out of the client. Once again, you can make this change with the chuser command, as shown here:

# chuser registry=files SYSTEM=compat root

9. Make sure that users are populated in the LDAP directory.

Before setting the default user stanza to use LDAP, make sure that users are populated in LDAP. You can use ldapsearch to check this, but perhaps the easiest way is to use lsuser, as shown here:

# lsuser -R LDAP -a id pgrp SYSTEM registry ALL

10. Set the default user stanza in /etc/security/user to use LDAP.

Once you are sure that LDAP is configured properly and that you have populated users into the LDAP directory, set the default user stanza to use LDAP, as described in 4.2.6, “Update default stanza in /etc/security/user” on page 112. This ensures that any user in the LDAP directory who is not restricted can log in to the AIX client.

11. Test that you can log in using the users defined in LDAP.

Once again, confirm that you can log in to the AIX client using one of the LDAP users. If that user previously existed on the AIX client, you may need to change the user’s SYSTEM and registry attributes to LDAP, or remove that user from the local files. If that user never existed on the local system, you will get an error that no home directory exists.

12. Test that the AIX client user management commands work.

If you have set up the proper permissions on the server, you should be able to add users to the LDAP directory with the mkuser command, change user information with the chuser command, and change a user’s password with the AIX client passwd command. This is described in 6.4, “Working with the AIX 5L clients” on page 204.

13. Configure SSL for security between the client and server.

Once you have a working configuration, it is important to make it secure. Without it, a simple bind sends the bind DN password, and every user password that the client verifies, across the network in clear text. The easiest way to protect this traffic is to set up SSL between the client and the server, as described in 4.3.1, “Configuring SSL” on page 113. Another option you may want to configure is an initial Kerberos bind by the client to the server.

14. Set up user access restriction.

Without restrictions, any user in the LDAP directory can log in to the AIX client. For this reason, it is important to set up some type of user restriction, as described in 3.5.6, “User login restriction” on page 91. Details for restricting access using NIS netgroups are described in 4.3.4, “Restricting user access using netgroups” on page 123.

15. Set up a method to handle the users’ home directories.

When the default user stanza is set to LDAP, there is no automatic method to create a user’s home directory the first time that user logs in. There are a number of ways to create the home directory; in this chapter we describe using automount, in 4.3.5 on page 127.

16. Tune the LDAP client.

Once you have everything working, tune the secldapclntd daemon caching parameters, as described in 4.3.3, “AIX 5L LDAP client tuning” on page 122.

Follow the steps in the rest of this chapter to set up your first client.
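Steps 8 and 10 above establish an invariant that is easy to break by hand-editing /etc/security/user: the default stanza may point at LDAP only after root (and at least one su-capable administrator) is pinned to the local files. The following POSIX shell script, added here as an example and not taken from the Redbook or from AIX itself, checks that invariant offline on a constructed excerpt of /etc/security/user, and also confirms that the LDAP stanza that mksecldap adds to methods.cfg is present. The sample stanza files, the user names root, admin and test1, and the function names are assumptions for the example; on a real client you would point the functions at the live files.

```shell
#!/bin/sh
# Pre-cutover check for an AIX 5L LDAP client (example code, not part of the original page).
# Parses AIX stanza files (/etc/security/user, /usr/lib/security/methods.cfg) and verifies
# that administrative users are pinned to local files before the default stanza uses LDAP.

# stanza_attr FILE STANZA ATTR: print the attribute value inside the named stanza
# with surrounding double quotes removed; print nothing if the stanza or attribute is absent.
# Stanza headers are unindented "name:" lines; "*" lines are comments in AIX stanza files.
stanza_attr() {
    awk -v s="$2" -v a="$3" '
        /^[^ \t#*][^:]*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == s && $0 ~ ("^[ \t]*" a "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v); sub(/[ \t]*$/, "", v)
            print v; exit
        }' "$1"
}

# user_is_local FILE USER: true when USER authenticates (SYSTEM) and is administered
# (registry) from the local files only, as step 8 requires for root.
user_is_local() {
    [ "$(stanza_attr "$1" "$2" registry)" = "files" ] &&
    [ "$(stanza_attr "$1" "$2" SYSTEM)" = "compat" ]
}

# default_uses_ldap FILE: true when the default stanza sends authentication to LDAP
# (either SYSTEM = "LDAP" or a compound such as "LDAP or compat").
default_uses_ldap() {
    case "$(stanza_attr "$1" default SYSTEM)" in *LDAP*) return 0 ;; esac
    return 1
}

# ldap_lam_present FILE: true when methods.cfg carries an LDAP stanza with a program entry,
# which mksecldap adds automatically (step 4).
ldap_lam_present() {
    [ -n "$(stanza_attr "$1" LDAP program)" ]
}

# check_cutover FILE ADMIN...: every named administrator must be pinned to files.
# Prints each offender; returns 1 if any is found or if the default stanza already uses
# LDAP while an administrator is not pinned (the lock-out condition step 8 warns about).
check_cutover() {
    f=$1; shift
    rc=0
    for u in "$@"; do
        if ! user_is_local "$f" "$u"; then
            echo "NOT LOCAL: $u (set registry=files SYSTEM=compat before step 10)"
            rc=1
        fi
    done
    if [ "$rc" -ne 0 ] && default_uses_ldap "$f"; then
        echo "WARNING: default stanza already uses LDAP; an LDAP outage would lock out the users above"
    fi
    return $rc
}

# --- constructed sample input (not real system files) ---------------------------------
SAMPLE_USER=$(mktemp)
SAMPLE_METHODS=$(mktemp)
trap 'rm -f "$SAMPLE_USER" "$SAMPLE_METHODS"' EXIT

cat >"$SAMPLE_USER" <<'EOF'
* constructed excerpt of /etc/security/user: default already switched to LDAP (step 10),
* root pinned to files (step 8), but the su-capable "admin" user was left on LDAP.
default:
        admin = false
        SYSTEM = "LDAP"
        registry = LDAP

root:
        admin = true
        SYSTEM = "compat"
        registry = files

admin:
        SYSTEM = "LDAP"
        registry = LDAP

test1:
        SYSTEM = "LDAP"
        registry = LDAP
EOF

cat >"$SAMPLE_METHODS" <<'EOF'
* constructed excerpt of /usr/lib/security/methods.cfg as written by mksecldap
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
EOF

# Usage: report on the sample. "admin" is flagged; root passes.
if ldap_lam_present "$SAMPLE_METHODS"; then echo "LDAP LAM entry present"; fi
if check_cutover "$SAMPLE_USER" root admin; then
    echo "safe to proceed with step 10"
else
    echo "fix the users above before changing the default stanza"
fi
```

The parser treats any unindented line ending in a colon as a stanza header and strips the double quotes that AIX puts around SYSTEM values, so it reads both `SYSTEM = "compat"` and `registry = files`. Run it against the live files with `check_cutover /etc/security/user root <your-admin-user>` before editing the default stanza, and again afterwards.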
