AIX Restrict Server Login via LDAP aixauxaccount objectClass and hostsallowedlogin Attribute

• Updated March 17, 2019

It is possible to restrict AIX server login via LDAP by using the aixauxaccount objectClass and hostsallowedlogin attribute.

Each LDAP user that you want to restrict login access to should have the aixauxaccount objectClass so the hostsallowedlogin attribute becomes available to that LDAP user.

Be aware: this solution does not scale well. If a new client server comes online it will need to be added to every LDAP user who requires access. This can of course be scripted, but a more scalable solution is to use LDAP groups to restrict server login.

Nevertheless, continue reading for setup instructions

The following has been tested on Red Hat Directory Server 9 (389 Directory Server should also apply) and AIX 6.1 (later AIX releases should work as well).

Client Server Setup

It is assumed the client server can already talk to the LDAP server.

The only necessary change on each client server is to uncomment the hostsdeniedlogin and hostsallowedlogin lines at the bottom of /etc/security/ldap/ so it looks like the following:

# Optional attributes to control whether user is allowed/denied
# log in to the host systems. These two attributes are not
# defined in RFC 2307.
hostsdeniedlogin    SEC_LIST    hostsdeniedlogin    m   na
hostsallowedlogin   SEC_LIST    hostsallowedlogin   m   na

It may be necessary to restart the LDAP service by running restart-secldapclntd.

LDAP Server Setup

On the LDAP server, add the aixauxaccount objectClass to the user entry then add the hostsallowedlogin attribute.

The hostsallowedlogin attribute will accept host FQDNs and short names. Multiple hosts can be separated by a comma. In addition, the hostsallowedlogin attribute will accept network subnets.

hostsallowedlogin does not accept * as a wildcard. Leave hostsallowedlogin blank to allow access to everything.

There is also a hostsdeniedlogin attribute.

Here are additional LDAP host access controls.