LDAP Login Control Automation – The Host Access Control You Are Looking For

By Yantian Lu posted Wed March 03, 2021 09:50 PM

Quick Reference Guide - LDAP Login Control Automation

Many AIX clients use AIX's built-in LDAP support to manage and authenticate users, and feedback shows they are satisfied with the solution. The AIX LDAP solution includes both the LDAP server and the LDAP client, and both ship with the OS without the need for a separate license. Today, with the single-password-per-user requirement imposed by various compliance standards, more clients are adopting the LDAP solution.

In a centralized user management scheme like LDAP, maintaining login control is crucial to prevent unauthorized login to systems and to protect your data and resources. Several existing login control mechanisms are available for AIX, each with its own pros and cons:

  1. hostsallowedlogin/hostsdeniedlogin – a pair of AIX user attributes that lets the administrator specify which hosts a user can or cannot log in to. This mechanism is very effective in small AIX deployments, but it does not scale well to large ones.
  2. Netgroup – Netgroup dates from the days of NIS, but some clients still use it for login control today. This mechanism is insecure and has performance issues.
  3. SSH – SSH lets the administrator define a list of users/groups that are allowed to log in. This mechanism works well, but it covers SSH only and requires per-server configuration done locally on each server.
  4. PAM – Like SSH, the PAM mechanism does not scale well, and it is both application-specific and server-specific.

The Login Control Automation Solution

To overcome the shortcomings of the existing login control mechanisms, IBM Lab Services has developed a login control automation solution. This solution allows administrators to define login policies once, on an LDAP server, and the policies are honored by all AIX servers that are LDAP clients.

Imagine that a person is planning international travel and is issued visas. When entering a country, her visa is checked and verified at customs, and she is allowed entry only if she holds the correct visa. The new login control automation works the same way as this travel example: an LDAP user is issued login passes, and servers enforce the checking of those login passes. Only users with the correct login pass are allowed to log in to the system.

The administrator can manage login policies by:

  • Defining login passes
  • Defining host groups
  • Assigning hosts and login passes to host groups
  • Assigning login passes to users
  • Listing the users who are allowed to log in to a particular host
  • Listing the hosts a user is allowed to log in to

A login control automation subsystem on the AIX server side periodically checks the login policies defined in LDAP. When it detects an update to a policy that relates to the local server, the service re-syncs the local policy with what it pulled back from LDAP. This occurs automatically, without the need for administrator involvement.

Advantages of this solution

This login control automation solution offers several advantages:

  • Centrally defines and manages login policies
  • Eliminates the excess work of logging on to each server and tuning settings
  • Creates consistent policies across hosts and host groups
  • Is implemented at the system level, so it applies to the OS as well as to applications
  • Facilitates tracking of who is allowed to log in to which server

Who will benefit from this solution

Several types of clients would benefit from the LDAP solution, including:

  • Clients who run LDAP authentication with no login control in place
  • Clients who use some form of login control but have issues with it
  • Clients with login control in place who would like to pursue a more efficient mechanism

Regardless of whether your organization already has login control in place, it is recommended that you try this login control automation solution. You will be surprised how easy it is to manage the login policies and how effectively the policies work. It will save you time and effort.

IBM Lab Services is ready to help

If your organization needs some kind of login control, and you are interested in learning more about this login control automation solution, please reach out to IBM Lab Services. IBM Lab Services can provide the software package and assist you with the setup and configuration of the solution.
