AIX Restrict Server Login via LDAP aixauxaccount objectClass and hostsallowedlogin Attribute

Updated March 17, 2019


It is possible to restrict AIX server login via LDAP by using the aixauxaccount objectClass and hostsallowedlogin attribute.

Each LDAP user whose login access you want to restrict needs the aixauxaccount objectClass on their entry; that auxiliary objectClass is what makes the hostsallowedlogin attribute available to the user.

Be aware: this solution does not scale well. When a new client server comes online, it has to be added to the hostsallowedlogin attribute of every LDAP user who requires access. This can of course be scripted, but a more scalable solution is to use LDAP groups to restrict server login.

Nevertheless, continue reading for setup instructions.

The following has been tested on Red Hat Directory Server 9 (389 Directory Server should also apply) and AIX 6.1 (later AIX releases should work as well).

Client Server Setup

It is assumed the client server can already talk to the LDAP server.

The only necessary change on each client server is to uncomment the hostsdeniedlogin and hostsallowedlogin lines at the bottom of /etc/security/ldap/2307user.map so it looks like the following:

# Optional attributes to control whether user is allowed/denied
# log in to the host systems. These two attributes are not
# defined in RFC 2307.
hostsdeniedlogin    SEC_LIST    hostsdeniedlogin    m   na
hostsallowedlogin   SEC_LIST    hostsallowedlogin   m   na

If the new attributes do not show up on the client afterwards, restart the AIX LDAP client daemon (secldapclntd) so it re-reads the map by running restart-secldapclntd.

LDAP Server Setup

On the LDAP server, add the aixauxaccount objectClass to the user entry then add the hostsallowedlogin attribute.

The hostsallowedlogin attribute accepts host FQDNs and short names. Multiple hosts are separated by commas. In addition, the hostsallowedlogin attribute accepts network subnets.

hostsallowedlogin does not accept * as a wildcard. Leave hostsallowedlogin blank to allow access to everything.

There is also a hostsdeniedlogin attribute, which works the same way in the opposite direction: the user is refused login on the hosts listed there.

Keep in mind that both attributes are AIX extensions rather than part of RFC 2307 (as the comment in 2307user.map notes), so they are only enforced by AIX clients that map them; other LDAP clients simply ignore them.
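The following is an added example, not part of the original post or of any IBM or Red Hat tooling, that puts the LDAP server side of the procedure into a script: it validates a host list against the rules above (no wildcard, no empty entries), builds the LDIF that adds the aixauxaccount objectClass and sets hostsallowedlogin on an existing user, and shows how to apply and verify it. The user DN, the host names, the subnet, the directory server name and the bind DN are assumptions; the ldapmodify flags are those of the OpenLDAP client.

```shell
#!/bin/sh
# Added example (not from the original post): build the LDIF that adds the
# aixauxaccount objectClass and a hostsallowedlogin value to an existing
# LDAP user, validate the host list first, and show how to apply and verify.
# The DN, host names, subnet, server and bind DN below are assumptions.

# validate_hosts "host1,host2,..."
# Enforces the rules from the text: non-empty, comma-separated, no '*'
# (hostsallowedlogin has no wildcard; an empty attribute already means "all").
validate_hosts() {
    list=$1
    [ -n "$list" ] || return 1
    case $list in
        *'*'*|*'?'*|*'['*) return 1 ;;   # no wildcard / glob characters
    esac
    set -f                                # no pathname expansion while splitting
    old_ifs=$IFS; IFS=,
    rc=0
    for h in $list; do
        case $h in
            ''|*[[:space:]]*) rc=1 ;;     # empty entry or embedded whitespace
        esac
    done
    IFS=$old_ifs
    set +f
    return $rc
}

# make_host_login_ldif DN "host1,host2,..."
# Emits two separate change records on purpose: if the entry already carries
# aixauxaccount, the first record fails with "attribute or value exists" while
# the second one, run under ldapmodify -c, still replaces hostsallowedlogin.
make_host_login_ldif() {
    dn=$1
    hosts=$2
    validate_hosts "$hosts" || return 1
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'add: objectClass\n'
    printf 'objectClass: aixauxaccount\n'
    printf '\n'
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'replace: hostsallowedlogin\n'
    printf 'hostsallowedlogin: %s\n' "$hosts"
}

# Example: restrict jdoe to two AIX hosts and one management subnet
# (all names are made up). Prints the LDIF to stdout.
user_dn='uid=jdoe,ou=People,dc=example,dc=com'
make_host_login_ldif "$user_dn" 'aix01,aix02.example.com,10.1.2.0/24'

# Apply it on the directory server (assumed host ldap.example.com), e.g.:
#   make_host_login_ldif "$user_dn" 'aix01,aix02.example.com,10.1.2.0/24' > jdoe.ldif
#   ldapmodify -c -x -H ldap://ldap.example.com -D 'cn=Directory Manager' -W -f jdoe.ldif
# Verify from an AIX client (after restart-secldapclntd if needed):
#   lsuser -R LDAP -a hostsallowedlogin jdoe
```

The objectClass is added in its own change record so the script can be re-run for a user who already has aixauxaccount: ldapmodify -c reports the duplicate objectClass value and still carries on to replace hostsallowedlogin. lsuser -R LDAP on the client confirms that 2307user.map is mapping the attribute; if it prints nothing for hostsallowedlogin, the map lines are still commented out or the daemon has not re-read them.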



Thanks for reading and take care.