PAM-LDAP UNIX Vendor Support
This is what IBM has to say about the native capabilities to authenticate users against LDAP in the AIX Operating System: (IBM doc ID FQ122057)
“Starting at AIX 4.3.3 and continuing with AIX 5.1, AIX user authentication to an LDAP server is based on a proprietary AIX schema. This means that you can have a mixture of AIX 4.3.3 and 5.1 servers that have their user information stored in a single LDAP server, but you cannot mix this information with other servers such as Solaris, HP/UX, Linux, or AIX 5.2 and later using the open standard LDAP RFC2307 schema.
Starting with AIX 5.2, the RFC2307 schema is supported for AIX user authentication. This means that you can have AIX 5.2 users authenticating to the same LDAP server as users on Linux, Solaris, and HP/UX systems that support the RFC2307 standard. AIX 5.2 can also be setup to use the AIX proprietary schema used in AIX 4.3.3 and AIX 5.1, but you cannot mix some users between each schema.
Starting with AIX 5.3, the ability to send the password to the LDAP server and let the server do the comparison of the password. Prior to AIX 5.3, the password was always retrieved to AIX and the authentication was done on the client. Prior to 5.2, the password had to be in crypt format. In AIX 5.3 other encryptions supported by the LDAP server can now be used for user authentication. In addition, AIX 5.3 TL 6 allows users the ability to use other password algorithms on AIX, including user-installed algorithms. The algorithms provided in AIX are crypt, MD5, SHA1/256/512 and blowfish.”
Let us examine what this information really means for cross-platform enterprise LDAP authentication solutions where we need to deal with interoperability with other UNIX platforms.
According to the document, the standard LDAP RFC2307 schema is not even supported for authentication prior to version 5.2, so if we are planning to use the same user namespace across multiple platforms, we should not be planning to include any systems with versions lower than 5.2.
Also, the native LDAP client on AIX prior to version 5.3 does not allow the directory server to handle authentication. The client system will need to have the ability to read the password hash string from the user password attribute and do a comparison for user authentication. This creates a hard dependency on the specific password hashing mechanisms used by a directory to support AIX authentication. Required hashing mechanisms may not be available or could be changed in the future for a variety of reasons and it will break the ability of the client to authenticate against the directory.
The more critical issue with hash string compare approach is that client will need the ability to retrieve the password hash from the server for the user either anonymously or using a special proxy account, which cannot be tightly secured. We discuss security around this account in detail in the LDAP directory security section of this chapter.
This security issue is very similar to the problem of allowing users to read /etc/passwd on UNIX systems while storing user password hashes there, and it is not possible to restrict users on the system from reading this file. This situation exists on UNIX systems not using shadow passwords.
Let us review AIX LDAP client capabilities to perform authorization, i.e. restricting LDAP user access to only a set of specific hosts. We have a few options here:
1. Starting with AIX 5.3, netgroup support was added and can be used to restrict users to specific client hosts.
2. RFC2307AIX schema can be used. This schema allows user and group restriction based on the following attributes: hostallowedlogin and hostdeniedlogin. These attributes can be defined for each user to determine which host that user can log into.
2.It is also possible to set the default user authentication method in /etc/security/users to some method other than LDAP, and then set the individual users for which you want to use LDAP authentication by setting the SYSTEM=LDAP and registry=LDAP parameters.
Again, if we look at these options from the perspective of a multi-platform enterprise environment where we would like to achieve the ability to manage UNIX authentication and authorization centrally using an LDAP directory, the challenges become apparent.
Using the netgroups approach may be an option, but it will not be implementable across all other platforms (more information needed here to describe exactly how they work with LDAP)
Using the proprietary RFC2307AIX LDAP schema will limit the authorization capability of specific LDAP user entries only to AIX hosts, which is again not acceptable because it does not support the multi-platform requirement we set for ourselves as one of the important design goals.
Using option 3 for authorization is not a very good approach because it will require changes on individual servers for all users, which defeats the purpose of a centralized LDAP user store.
To summarize our discussion on native AIX LDAP authentication and authorization capabilities, we can conclude that AIX 5.3 and above is perfectly suitable for authentication against an LDAP server with the RFC2307 schema, but cannot natively support authorization requirements needed for coexistence with other UNIX systems.
There are multiple ways of properly handling authorization on the LDAP server level, and we discuss them in the section on selective enablement of users.
HP-UX 11i includes a native LDAP UX client capable of supporting an RFC2307 compatible LDAP server for authentication and name services.
Authorization is supported using the pam-authz login authorization module, which can be configured to authorize users based on the content of local configuration file /etc/opt/ldapux/pam_authz.policy.
Configuration options support the use of netgroups and ldap filters, which provide the necessary flexibility and ability to manage user authorization centrally.
Sun Solaris operating system contains built in LDAP client since version 2.6.
Moreover, SUN considers LDAP client and pam_LDAP and pam_nss libraries as part of the core OS. They cannot be uninstalled or replaced by third party LDAP libraries without implementing specific measures to restore system functionality in the events when new OS patch/upgrade overwrites third party libraries.
The database names in nsswitch.conf cannot be modified. The databases are fixed and components in both libc and nscd etc. rely on them.
Linux systems rely on PADL PAM-LDAP package and are fully capable of authenticating against RFC 2307 LDAP directory. Selective per host access control can be achieved using multi-value attribute within LDAP user object or with the use of netgroups.