If you are working with AIX 6.1 systems and need to restrict server login via LDAP groups, read through the following post.
The following has been tested on Red Hat Directory Server 9 (389 Directory Server should also apply) and AIX 6.1 (later AIX releases should work as well).
Prerequisites
It is assumed the client server can already talk to the LDAP server.
For this to work, each LDAP user needs to have the memberOf attribute in their LDAP user entry; the AIX client filter shown later tests that attribute directly. The attribute is maintained by the directory server, and it will not be there in two situations:
- The LDAP user does not belong to any LDAP groups
- The MemberOf Plugin is not enabled on the LDAP server
Enable the MemberOf Plugin
The following instructions apply to Red Hat Directory Server 9 (389 Directory Server should also apply):
- Log in to the Identity Management Console
- In the Servers and Applications tab, expand the instance
- Expand Server Group
- Double click on Directory Server
- Click the Configuration tab
- Expand Plug-ins
- Scroll down to and click the MemberOf Plugin
- Click the Enable plug-in checkbox
- Click the Advanced button in the lower right
- Find the memberofgroupattr and change it to uniqueMember (this must match the membership attribute your group entries actually use: uniqueMember for groupOfUniqueNames groups, member for groupOfNames groups)
- Click OK
- Click Save
- Restart the Directory Server for the changes to take effect
Even though the plug-in is now enabled, existing LDAP users still will not have the memberOf attribute on their LDAP user entry, even if they currently belong to LDAP groups, because the plug-in only updates entries when group membership changes from this point on.
To fix this, run the following script on the Directory Server host as root (be sure to change the $INSTANCE variable and the base DN to match your own LDAP server; -w - prompts for the Directory Manager password):
/usr/lib64/dirsrv/slapd-$INSTANCE/fixup-memberof.pl -D "cn=Directory Manager" -w - -b "dc=example,dc=com"
Client Server Setup
The following must be done on any client server you want to restrict access to via LDAP groups.
Open /etc/security/ldap/ldap.cfg and find the userbasedn: line. The userbasedn: line should look similar to the following:
userbasedn: ou=People,dc=example,dc=com
To restrict access so only users in the admin LDAP group can log in, append the following to the end of that line:
??(memberOf=cn=admin,ou=Groups,dc=example,dc=com)
The userbasedn: line should now look like the following:
userbasedn: ou=People,dc=example,dc=com??(memberOf=cn=admin,ou=Groups,dc=example,dc=com)
Anything after the ?? is a standard LDAP search filter (RFC 4515 string syntax; the empty field between the two question marks is the search scope, left empty to keep the default), so if you want to restrict access so only users in the admin OR manager LDAP groups can log in, append the following instead:
??(|(memberOf=cn=admin,ou=Groups,dc=example,dc=com)(memberOf=cn=manager,ou=Groups,dc=example,dc=com))
The userbasedn: line should now look like the following:
userbasedn: ou=People,dc=example,dc=com??(|(memberOf=cn=admin,ou=Groups,dc=example,dc=com)(memberOf=cn=manager,ou=Groups,dc=example,dc=com))
The following shorthand can also be used, assuming the groupbasedn: line in /etc/security/ldap/ldap.cfg points to ou=Groups,dc=example,dc=com. Because it relies on a wildcard against a DN-valued attribute, confirm with ldapsearch against your own directory that the filter returns exactly the users you expect before relying on it:
userbasedn: ou=People,dc=example,dc=com??(|(memberOf=cn=admin,*)(memberOf=cn=manager,*))
Be sure to restart the client daemon by running restart-secldapclntd after any changes, then confirm the restriction took effect: a user in the group should still resolve with lsuser -R LDAP username, and a user outside the group should not.
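As an added example (not part of the original post, and not an AIX or Directory Server tool), the following script builds the ?? filter suffix described above for any number of groups, emitting the single memberOf form for one group and the (|...) OR form for several, and rewrites the userbasedn: line of a copy of ldap.cfg. It strips any existing ??... suffix first, so it is safe to re-run with a new group list. The DNs, group names and the sample ldap.cfg fragment are constructed for the demo.

```bash
#!/bin/bash
# Example helper for the AIX ldap.cfg memberOf restriction described above.
# Not part of the original post; all DNs and the sample config are constructed.

# memberof_filter GROUPBASEDN GROUP [GROUP...]
# Prints the "??(...)" suffix to append to the userbasedn: value:
#   one group      -> ??(memberOf=cn=GROUP,GROUPBASEDN)
#   several groups -> ??(|(memberOf=...)(memberOf=...))
memberof_filter() {
    local groupbasedn="$1"; shift
    local terms="" g
    [ "$#" -ge 1 ] || { echo "memberof_filter: at least one group required" >&2; return 1; }
    for g in "$@"; do
        terms="${terms}(memberOf=cn=${g},${groupbasedn})"
    done
    if [ "$#" -eq 1 ]; then
        printf '??%s\n' "$terms"
    else
        printf '??(|%s)\n' "$terms"
    fi
}

# set_userbasedn_filter CFGFILE SUFFIX
# Rewrites the userbasedn: line in CFGFILE, dropping any existing "??..."
# filter so the script is idempotent; all other lines are copied unchanged.
set_userbasedn_filter() {
    local cfg="$1" suffix="$2" tmp line base
    tmp="$(mktemp)" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            userbasedn:*)
                base="${line#userbasedn:}"
                base="${base#"${base%%[! ]*}"}"   # trim leading spaces
                base="${base%%\?\?*}"              # drop an existing filter
                printf 'userbasedn: %s%s\n' "$base" "$suffix"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# current_userbasedn CFGFILE
# Prints the effective userbasedn: value (base DN plus any filter).
current_userbasedn() {
    sed -n 's/^userbasedn:[[:space:]]*//p' "$1"
}

# Demo against a constructed ldap.cfg fragment, never the live file:
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
# constructed sample, minimal fields only (assumed DNs)
userbasedn: ou=People,dc=example,dc=com
groupbasedn: ou=Groups,dc=example,dc=com
EOF
set_userbasedn_filter "$demo_cfg" \
    "$(memberof_filter 'ou=Groups,dc=example,dc=com' admin manager)"
current_userbasedn "$demo_cfg"
rm -f "$demo_cfg"
```

Run it against a copy of /etc/security/ldap/ldap.cfg, review the diff, install the copy, then run restart-secldapclntd. Before that, the same filter string (the part after ??) can be handed to ldapsearch with the userbasedn value as the search base to confirm it returns only the intended users.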