ThorneLabs

AIX Restrict Server Login via LDAP Groups

Updated January 10, 2019


If you are working with AIX 6.1 systems and need to restrict server login via LDAP groups, read through the following post.

The following has been tested on Red Hat Directory Server 9 (389 Directory Server should also apply) and AIX 6.1 (later AIX releases should work as well).

Prerequisites

It is assumed the client server can already talk to the LDAP server.

For this to work, each LDAP user needs to have the memberOf attribute in their LDAP user entry. This attribute will not be there in two situations:

  1. The LDAP user does not belong to any LDAP groups
  2. The MemberOf Plugin is not enabled on the LDAP server

Enable the MemberOf Plugin

The following instructions apply to Red Hat Directory Server 9 (389 Directory Server should also apply):

  1. Log in to the Identity Management Console
  2. In the Servers and Applications tab, expand the instance
  3. Expand Server Group
  4. Double click on Directory Server
  5. Click the Configuration tab
  6. Expand Plug-ins
  7. Scroll down to and click the MemberOf Plugin
  8. Click the Enable plug-in checkbox
  9. Click the Advanced button in the lower right
  10. Find the memberofgroupattr and change it to uniqueMember
  11. Click OK
  12. Click Save
  13. Restart the Directory Server for the changes to take effect

Even though the plug-in is now enabled, existing LDAP users will still not have the memberOf attribute in their LDAP user entry, even if they currently belong to LDAP groups.

To fix this, run the following script (be sure to change the $INSTANCE variable and the base DN to match your own LDAP server):

/usr/lib64/dirsrv/slapd-$INSTANCE/fixup-memberof.pl -D "cn=Directory Manager" -w - -b "dc=example,dc=com"

Client Server Setup

The following must be done on any client server you want to restrict access to via LDAP groups.

Open /etc/security/ldap/ldap.cfg and find the userbasedn: line. The userbasedn: line should look similar to the following:

userbasedn: ou=People,dc=example,dc=com

To restrict access so only users in the admin LDAP group can log in, append the following to the userbasedn: line shown above:

??(memberOf=cn=admin,ou=Groups,dc=example,dc=com)

The userbasedn: line should now look like the following:

userbasedn: ou=People,dc=example,dc=com??(memberOf=cn=admin,ou=Groups,dc=example,dc=com)

Anything after the ?? follows the standard LDAP filter syntax, so if you want to restrict access so only users in the admin OR manager LDAP groups can log in, append the following to the userbasedn: line instead:

??(|(memberOf=cn=admin,ou=Groups,dc=example,dc=com)(memberOf=cn=manager,ou=Groups,dc=example,dc=com))

The userbasedn: line should now look like the following:

userbasedn: ou=People,dc=example,dc=com??(|(memberOf=cn=admin,ou=Groups,dc=example,dc=com)(memberOf=cn=manager,ou=Groups,dc=example,dc=com))

The following shorthand can also be used assuming the groupbasedn: line in /etc/security/ldap/ldap.cfg points to ou=Groups,dc=example,dc=com:

userbasedn: ou=People,dc=example,dc=com??(|(memberOf=cn=admin,*)(memberOf=cn=manager,*))

Be sure to restart the service by running restart-secldapclntd after any changes.
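Before restarting secldapclntd it is worth checking which accounts the new userbasedn: filter will actually let through. The following is an added example, not code from this post or from AIX: it parses the userbasedn: value (assumed to be in the AIX base?scope?filter form, with the scope left empty as above), evaluates the filter against a constructed set of user entries, and shows that a user with no memberOf attribute at all is locked out, which is exactly what happens when the MemberOf Plugin is off or fixup-memberof.pl was never run. The entries, the config fragment and the '*' glob treatment of the shorthand are all assumptions made here.

```python
import re
# Constructed ldap.cfg fragment (not from a real host), using the post's OR shorthand.
LDAP_CFG = "userbasedn: ou=People,dc=example,dc=com??(|(memberOf=cn=admin,*)(memberOf=cn=manager,*))\n"

# Constructed user entries. "dave" carries no memberOf at all, which is how a user
# looks when the MemberOf Plugin is off or fixup-memberof.pl was never run.
ENTRIES = {
    "alice": {"memberOf": ["cn=admin,ou=Groups,dc=example,dc=com"]},
    "bob":   {"memberOf": ["cn=manager,ou=Groups,dc=example,dc=com"]},
    "carol": {"memberOf": ["cn=staff,ou=Groups,dc=example,dc=com"]},
    "dave":  {},
}

def split_userbasedn(cfg_text):
    """(base_dn, filter) from the userbasedn: line; AIX base?scope?filter form assumed, filter None when absent."""
    m = re.search(r"^userbasedn:\s*(\S+)", cfg_text, re.M)
    parts = m.group(1).split("?", 2)
    return parts[0], (parts[2] if len(parts) == 3 and parts[2] else None)

def parse_filter(s):
    """Parse the RFC 4515 subset used here: (attr=value), (|...), (&...)."""
    def node(i):
        if s[i + 1] in "|&":                       # compound filter
            op, i, kids = s[i + 1], i + 2, []
            while s[i] != ")":
                child, i = node(i)
                kids.append(child)
            return (op, kids), i + 1
        end = s.index(")", i)                      # simple attr=value
        attr, _, val = s[i + 1:end].partition("=")
        return ("=", attr, val), end + 1
    tree, end = node(0)
    assert end == len(s), "trailing data in filter"
    return tree

def matches(tree, entry):
    if tree[0] == "|": return any(matches(k, entry) for k in tree[1])
    if tree[0] == "&": return all(matches(k, entry) for k in tree[1])
    _, attr, pattern = tree
    # Case-insensitive; '*' treated as a glob so the cn=admin,* shorthand evaluates.
    rx = re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)
    vals = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return any(rx.match(v) for v in vals)

def allowed_users(cfg_text, entries):
    """Users whose entry passes the userbasedn filter, i.e. who can still log in."""
    _, flt = split_userbasedn(cfg_text)
    tree = parse_filter(flt) if flt else None      # no filter: everyone under the base
    return sorted(u for u, e in entries.items() if tree is None or matches(tree, e))
```

Running allowed_users(LDAP_CFG, ENTRIES) returns only alice and bob; carol (staff only) and dave (no memberOf) are denied, so a missing memberOf attribute fails closed rather than open.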


Thanks for reading and take care.