AIX Restrict Server Login via LDAP Groups

Monday, January 28, 2013

The following has been tested on Red Hat Directory Server 9 (389 Directory Server should also apply) and AIX 6.1 (later AIX releases should work as well).

Prerequisites

It is assumed the client server can already talk to the LDAP server.

For this to work, each LDAP user needs to have the memberOf attribute in their LDAP user entry. This attribute will not be there in two situations:

  1. The LDAP user does not belong to any LDAP groups
  2. The MemberOf Plugin is not enabled on the LDAP server

Enable the MemberOf Plugin

The following instructions apply to Red Hat Directory Server 9 (389 Directory Server should also apply):

  1. Log into the Identity Management Console
  2. In the Servers and Applications tab, expand the instance
  3. Expand Server Group
  4. Double click on Directory Server
  5. Click the Configuration tab
  6. Expand Plug-ins
  7. Scroll down to and click the MemberOf Plugin
  8. Click the Enable plug-in checkbox
  9. Click the Advanced button in the lower right
  10. Find the memberofgroupattr and change it to uniqueMember
  11. Click OK
  12. Click Save
  13. Restart the Directory Server for the changes to take effect

Even though the plug-in is now enabled, existing LDAP users will still not have the memberOf attribute on their LDAP user entry, even if they currently belong to LDAP groups: the plug-in only maintains memberOf as group memberships change from this point on.

To fix this, run the following script (be sure to change the $INSTANCE variable and the base DN to match your own LDAP server):

/usr/lib64/dirsrv/slapd-$INSTANCE/fixup-memberof.pl -D "cn=Directory Manager" -w - -b "dc=example,dc=com"

Client Server Setup

The following must be done on any client server you want to restrict access to via LDAP groups.

Open /etc/security/ldap/ldap.cfg and find the userbasedn: line, which should look similar to the following:

userbasedn: ou=People,dc=example,dc=com

To restrict access so only users in the admin LDAP group can log in, append the following to the line immediately above:

??(memberOf=cn=admin,ou=Groups,dc=example,dc=com)

The userbasedn: line should now look like the following:

userbasedn: ou=People,dc=example,dc=com??(memberOf=cn=admin,ou=Groups,dc=example,dc=com)

Anything after the ?? follows the standard LDAP filter syntax, so if you want to restrict access so only users in the admin OR manager LDAP groups can log in, append the following to the line immediately above instead:

??(|(memberOf=cn=admin,ou=Groups,dc=example,dc=com)(memberOf=cn=manager,ou=Groups,dc=example,dc=com))

The userbasedn: line should now look like the following:

userbasedn: ou=People,dc=example,dc=com??(|(memberOf=cn=admin,ou=Groups,dc=example,dc=com)(memberOf=cn=manager,ou=Groups,dc=example,dc=com))

The following shorthand can also be used assuming the groupbasedn: line in /etc/security/ldap/ldap.cfg points to ou=Groups,dc=example,dc=com:

userbasedn: ou=People,dc=example,dc=com??(|(memberOf=cn=admin,*)(memberOf=cn=manager,*))

Be sure to restart the service by running restart-secldapclntd after any changes.
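Because a mistake in the userbasedn: filter locks every LDAP user out of the box once secldapclntd is restarted, it helps to build the line mechanically and review the result before copying it into /etc/security/ldap/ldap.cfg. The following POSIX shell script is an added example and is not part of the original post or of AIX: build_filter and build_userbasedn generate the filter forms shown above for any number of groups, rewrite_cfg applies the new line to a copy of an ldap.cfg-style file (replacing any filter already present), and verify_cmd prints an OpenLDAP-style ldapsearch that applies the same filter, so the set of users who will still be able to log in can be checked first. The group base ou=Groups,dc=example,dc=com, the user base ou=People,dc=example,dc=com, the sample config lines and the OpenLDAP client flags are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: generate and review the
# userbasedn: line that restricts AIX logins to members of LDAP groups.
# Assumed layout (hypothetical): groups are cn=<name> under GROUPBASE, users
# are under USERBASE, as in the post's dc=example,dc=com examples.

# build_filter GROUPBASE group...
# Prints the LDAP filter: a single memberOf test for one group, or an OR
# (|(...)(...)) of memberOf tests for several. Passing "*" as GROUPBASE
# yields the shorthand (memberOf=cn=admin,*) form used in the post.
build_filter() {
    groupbase=$1; shift
    if [ $# -eq 1 ]; then
        printf '(memberOf=cn=%s,%s)' "$1" "$groupbase"
        return 0
    fi
    filter=''
    for g in "$@"; do
        filter="${filter}(memberOf=cn=${g},${groupbase})"
    done
    printf '(|%s)' "$filter"
}

# build_userbasedn USERBASE GROUPBASE group...
# Prints the complete userbasedn: line for /etc/security/ldap/ldap.cfg.
build_userbasedn() {
    userbase=$1; groupbase=$2; shift 2
    printf 'userbasedn: %s??%s\n' "$userbase" "$(build_filter "$groupbase" "$@")"
}

# rewrite_cfg FILE GROUPBASE group...
# Reads the existing userbasedn: line from FILE, discards any ??filter that
# is already attached, and prints FILE with the line replaced. The live
# config is never modified; redirect the output to a scratch file and diff it.
rewrite_cfg() {
    cfgfile=$1; groupbase=$2; shift 2
    userbase=$(sed -n 's/^userbasedn:[[:space:]]*//p' "$cfgfile" | sed 's/??.*$//' | head -n 1)
    if [ -z "$userbase" ]; then
        echo "rewrite_cfg: no userbasedn: line in $cfgfile" >&2
        return 1
    fi
    newline=$(build_userbasedn "$userbase" "$groupbase" "$@")
    awk -v repl="$newline" '/^userbasedn:/ { print repl; next } { print }' "$cfgfile"
}

# verify_cmd LDAPURI USERBASE GROUPBASE group...
# Prints an ldapsearch (OpenLDAP client syntax, assumed) that lists the uid
# of every user the filter would admit. Run it from an admin host and confirm
# your own account appears BEFORE running restart-secldapclntd.
verify_cmd() {
    uri=$1; userbase=$2; groupbase=$3; shift 3
    printf "ldapsearch -x -H %s -b '%s' '%s' uid\n" \
        "$uri" "$userbase" "$(build_filter "$groupbase" "$@")"
}

# Demonstration on a constructed sample config (not a real ldap.cfg).
sample=$(mktemp)
printf 'ldapservers: ldap.example.com\nuserbasedn: ou=People,dc=example,dc=com\ngroupbasedn: ou=Groups,dc=example,dc=com\n' > "$sample"
echo "--- proposed ldap.cfg (admin OR manager) ---"
rewrite_cfg "$sample" "ou=Groups,dc=example,dc=com" admin manager
echo "--- check who would still be admitted ---"
verify_cmd ldap://ldap.example.com "ou=People,dc=example,dc=com" "ou=Groups,dc=example,dc=com" admin manager
rm -f "$sample"
```

The filter is built from plain group names, so a typo such as a missing parenthesis cannot creep in by hand, and rewrite_cfg strips any filter that was already appended before adding the new one, which avoids the doubled ??...??... line that results from appending twice. The printed ldapsearch uses exactly the same filter string as the config line, so if it returns the expected accounts, the AIX client will admit the same set once restart-secldapclntd has run.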
