aixldapad [2013/02/02 20:43] (current)
sjoerd created
= AIX LDAP on AD
As a counterpart to [[aixldapedirectory]], this article explains everything you need if you want to authenticate against Active Directory instead of eDirectory. The AIX side is the same; the AD is a Windows 2008 AD, installed as described [[adldapforlinux|here]].

= Install LDAP Client on AIX
== Requisites

The LDAP client has a few requisites which you need to install:
* bos.loc.iso.en_US
* xlC.rte at level 8
This is how you install them through [[aixnim]]:
<code>
root@lpar1:/home/root>lslpp -L | grep bos.loc
root@lpar1:/home/root>lslpp -L | grep xlC
  xlC.aix50.rte              8.0.0.0    C     F    C Set ++ Runtime for AIX 5.0
  xlC.cpp                    6.0.0.0    C     F    C for AIX Preprocessor
  xlC.rte                    8.0.0.0    C     F    C Set ++ Runtime
root@lpar1:/home/root>nimclient -o allocate -a lpp_source=lpp_5300_06_07
root@lpar1:/home/root>nimclient -o cust -a lpp_source=lpp_5300_06_07 -a filesets=bos.loc.iso.en_US

+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

SUCCESSES
---------
  Filesets listed in this section passed pre-installation verification
  and will be installed.

  Selected Filesets
  -----------------
  bos.loc.iso.en_US 5.3.0.0                   # Base System Locale ISO Code ...

...<cut>...

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
bos.loc.iso.en_US           5.3.0.0         USR         APPLY       SUCCESS
</code>

== Install LDAP
The LDAP client is not installed by default, so you have to install the filesets from the CD set you get with AIX. If you already have an LDAP client it is probably the client for AIX 5.2; I prefer the idsldap client, which was originally created for AIX 6.1. Below you'll see the version I installed:
<code>
SUCCESSES
---------
  Filesets listed in this section passed pre-installation verification
  and will be installed.

  Selected Filesets
  -----------------
  idsldap.clt32bit61.rte 6.1.0.17             # Directory Server - 32 bit Cl...
  idsldap.cltbase61.adt 6.1.0.17              # Directory Server - Base Client
  idsldap.cltbase61.rte 6.1.0.17              # Directory Server - Base Client

  << End of Success Section >>
</code>
<code>
root@lpar1:/tmp/sft/ldap>lslpp -L | grep ldap
  idsldap.clt32bit61.rte    6.1.0.17    C     F    Directory Server - 32 bit
  idsldap.cltbase61.adt     6.1.0.17    C     F    Directory Server - Base Client
  idsldap.cltbase61.rte     6.1.0.17    C     F    Directory Server - Base Client
</code>

=== Test LDAP Client
You can do an ldapsearch to check LDAP connectivity:
<code>
root@lpar1:/opt/IBM/ldap/V6.1/bin>./ldapsearch -h 10.10.10.101 -D sa_ldap@adldaptest.local -w ? -b OU=Internet,DC=adldaptest,DC=local uid=sjoerd
Enter password ==>
CN=Sjoerd Hooft,OU=Internet,DC=adldaptest,DC=local
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=Sjoerd Hooft
sn=Hooft
givenName=Sjoerd
distinguishedName=CN=Sjoerd Hooft,OU=Internet,DC=adldaptest,DC=local
instanceType=4
whenCreated=20100817120919.0Z
whenChanged=20100823135928.0Z
displayName=Sjoerd Hooft
uSNCreated=16616
uSNChanged=20878
name=Sjoerd Hooft
objectGUID=NOT ASCII
userAccountControl=66048
badPwdCount=0
codePage=0
countryCode=0
badPasswordTime=129272986076195000
lastLogoff=0
lastLogon=129272986101820000
pwdLastSet=129265205592977500
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=9223372036854775807
logonCount=44
sAMAccountName=sjoerd
sAMAccountType=805306368
userPrincipalName=sjoerd@adldaptest.local
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=adldaptest,DC=local
dSCorePropagationData=16010101000000.0Z
lastLogonTimestamp=129265962121415000
uid=sjoerd
msSFU30Name=sjoerd
msSFU30NisDomain=adldaptest
msSFU30PosixMemberOf=CN=autoyast-sudo,OU=Internet,DC=adldaptest,DC=local
msSFU30PosixMemberOf=CN=autoyast,OU=Internet,DC=adldaptest,DC=local
msSFU30PosixMemberOf=CN=LDAPUsers,OU=Internet,DC=adldaptest,DC=local
uidNumber=10000
gidNumber=10000
unixHomeDirectory=/home/sjoerd
loginShell=/bin/bash
</code>

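Beyond proving connectivity, the entry above tells you whether AIX can actually use the account. As an added example (not from the article), a POSIX shell check over the attribute=value output format: it reports which of the POSIX attributes the entry above carries (uid, uidNumber, gidNumber, unixHomeDirectory, loginShell; the ones AIX's sfur2 map reads) are missing, and decodes the userAccountControl bits that decide whether a password bind can work at all, since a disabled or smart-card-only account is a common reason a bind that works for the admin fails for the user. The entry excerpt is constructed from the output above; all function names are mine.

```shell
#!/bin/sh
# Constructed excerpt of the ldapsearch output above (attribute=value lines, as the IBM client prints them).
ENTRY='CN=Sjoerd Hooft,OU=Internet,DC=adldaptest,DC=local
sAMAccountName=sjoerd
userAccountControl=66048
uid=sjoerd
msSFU30NisDomain=adldaptest
uidNumber=10000
gidNumber=10000
unixHomeDirectory=/home/sjoerd
loginShell=/bin/bash'

# POSIX attributes AIX reads through the sfur2 schema map; without them the user has no usable account
POSIX_ATTRS="uid uidNumber gidNumber unixHomeDirectory loginShell"

# missing_posix_attrs: reads one entry on stdin, prints each required attribute that is absent
missing_posix_attrs() {
    entry=$(cat)
    for a in $POSIX_ATTRS; do
        printf '%s\n' "$entry" | grep -q "^$a=" || echo "$a"
    done
}

# entry_attr NAME: reads an entry on stdin, prints the value of NAME (first occurrence)
entry_attr() {
    sed -n "s/^$1=//p" | head -n 1
}

# uac_flags N: names the userAccountControl bits a defender looks at (documented AD bit values)
uac_flags() {
    n=$1; out=""
    [ $((n & 2)) -ne 0 ]      && out="$out ACCOUNTDISABLE"
    [ $((n & 32)) -ne 0 ]     && out="$out PASSWD_NOTREQD"
    [ $((n & 512)) -ne 0 ]    && out="$out NORMAL_ACCOUNT"
    [ $((n & 65536)) -ne 0 ]  && out="$out DONT_EXPIRE_PASSWD"
    [ $((n & 262144)) -ne 0 ] && out="$out SMARTCARD_REQUIRED"
    echo "${out# }"
}

# can_bind N: true (0) unless the account is disabled or requires a smart card, which blocks a password bind
can_bind() {
    [ $(($1 & (2 | 262144))) -eq 0 ]
}

printf '%s\n' "$ENTRY" | missing_posix_attrs
uac_flags "$(printf '%s\n' "$ENTRY" | entry_attr userAccountControl)"
```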
= Configure LDAP Authentication
== ldap.cfg
LDAP is really easy to configure through a special command:
<code>
root@lpar1:/home/root>/usr/sbin/mksecldap -c -h 10.10.10.101 -a sa_ldap@adldaptest.local -p LD4Paccess -d OU=Internet,DC=adldaptest,DC=local
</code>
This command, however, does not change everything that is required for successful authentication: you need to at least change the authtype, and check the userbasedn and groupbasedn. They tend to be lower in the LDAP hierarchy than expected:
<code>
root@lpar1:/home/root>cat /etc/security/ldap/ldap.cfg | grep '^[a-z]'
ldapservers:10.10.10.101
binddn:sa_ldap@adldaptest.local
bindpwd:LD4Paccess
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=Internet,DC=adldaptest,DC=local
groupbasedn:OU=Internet,DC=adldaptest,DC=local
userclasses:user,person,organizationalperson
groupclasses:group
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:sfur2
</code>

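As an added example (not from the article), a small POSIX shell audit of a file in the ldap.cfg format shown above. It verifies the two things the text says mksecldap leaves wrong (authtype and the base DNs) and flags two settings in the output above that a defender should notice: useSSL:no, which with authtype ldap_auth sends every user's password in clear text to port 389, and a clear-text bindpwd, which means the file must stay readable by root only and the bind account should have read-only rights. The sample file is constructed from the article's values; the function names are mine.

```shell
#!/bin/sh
# Constructed sample in /etc/security/ldap/ldap.cfg format, using the values from the article.
SAMPLE_CFG=${TMPDIR:-/tmp}/ldap.cfg.sample.$$
cat > "$SAMPLE_CFG" <<'EOF'
# comment lines and blank lines are ignored
ldapservers:10.10.10.101
binddn:sa_ldap@adldaptest.local
bindpwd:LD4Paccess
authtype:ldap_auth
useSSL:no
userbasedn:OU=Internet,DC=adldaptest,DC=local
groupbasedn:OU=Internet,DC=adldaptest,DC=local
ldapport:389
serverschematype:sfur2
EOF

# cfg_get FILE KEY: print the value of the first active "key:value" line for KEY (values may contain colons)
cfg_get() {
    awk -F: -v k="$2" '$0 !~ /^[ \t]*#/ && $1 == k { sub(/^[^:]*:/, ""); print; exit }' "$1"
}

# audit_ldap_cfg FILE: print one finding per line; empty output means nothing to fix
audit_ldap_cfg() {
    f=$1
    authtype=$(cfg_get "$f" authtype)
    [ "$authtype" = "ldap_auth" ] || echo "authtype is '$authtype'; AD bind authentication needs ldap_auth"
    for key in userbasedn groupbasedn; do
        v=$(cfg_get "$f" "$key")
        case "$v" in
            "")        echo "$key is not set" ;;
            DC=*|dc=*) echo "$key is the domain root ($v); the user OU is usually lower in the tree" ;;
        esac
    done
    if [ "$(cfg_get "$f" useSSL)" = "no" ]; then
        echo "useSSL:no: passwords travel in clear text to port $(cfg_get "$f" ldapport); enable SSL/TLS"
    fi
    if [ -n "$(cfg_get "$f" bindpwd)" ]; then
        echo "bindpwd is stored in clear text; keep $f mode 600 and give the bind account read-only rights"
    fi
}

# finding_count FILE: number of findings, usable as an exit status in a post-install check
finding_count() {
    audit_ldap_cfg "$1" | grep -c ''
}

audit_ldap_cfg "$SAMPLE_CFG"
```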
== methods.cfg
The mksecldap command also changes the logon methods as defined in methods.cfg. It does so, however, with a typo (it misses a space after one of the = symbols). Set the LDAP methods exactly like stated here:
<code>
root@lpar1:/home/root>cat /usr/lib/security/methods.cfg | grep -p LDAP
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
</code>

== User
Now you can view the LDAP users by querying for them:
<code>
root@lpar1:/home/root>lsuser -R LDAP sjoerd
sjoerd id=10000 pgrp=LDAPUsers groups=LDAPUsers,autoyast,autoyast-sudo home=/home/sjoerd shell=/bin/bash login=false su=false rlogin=true daemon=true admin=false sugroups= admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=compat logintimes= loginretries=3 pwdwarntime=7 account_locked=false minage=1 maxage=26 maxexpired=-1 minalpha=5 minother=2 mindiff=1 maxrepeats=2 minlen=8 histexpire=26 histsize=4 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
</code>
You need to change the authentication method for these users:
<code>
root@lpar1:/home/root>chuser SYSTEM=LDAP registry=LDAP sjoerd
root@lpar1:/home/root>lsuser -R LDAP sjoerd
sjoerd id=10000 pgrp=LDAPUsers groups=LDAPUsers,autoyast,autoyast-sudo home=/home/sjoerd shell=/bin/bash login=false su=false rlogin=true daemon=true admin=false sugroups= admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=3 pwdwarntime=7 account_locked=false minage=1 maxage=26 maxexpired=-1 minalpha=5 minother=2 mindiff=1 maxrepeats=2 minlen=8 histexpire=26 histsize=4 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
</code>

Now you can log in with this user.

=== Default LDAP User
You can make LDAP the default logon method for users. It is not my preference, but it is possible. To do so, follow these steps:
* Edit /etc/security/user
* Go to the 'default' section and find the line that says SYSTEM = 'compat'
* Replace 'compat' with 'LDAP'
Now, to make sure all local accounts can still authenticate, in the same file do this:
* Add the line SYSTEM = 'compat' to all sections in the file

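The steps above as an added example that is not part of the article: an awk filter wrapped in POSIX shell that rewrites a file in the /etc/security/user stanza format, switching the default stanza to LDAP and appending SYSTEM = "compat" to every other stanza that does not already set SYSTEM, so a stanza that explicitly says LDAP (or anything else) is left alone. It assumes the file quotes the value with double quotes, as AIX writes it; the sample file and all function names are mine.

```shell
#!/bin/sh
# set_ldap_default: read a stanza file on stdin, write the rewritten file on stdout
set_ldap_default() {
    awk '
    # close the current stanza: add the SYSTEM attribute if the stanza never set one
    function close_stanza() {
        if (stanza == "default" && !seen) print "        SYSTEM = \"LDAP\""
        if (stanza != "" && stanza != "default" && !seen) print "        SYSTEM = \"compat\""
        stanza = ""; seen = 0
    }
    /^[A-Za-z0-9_.-]+:[ \t]*$/ { close_stanza(); stanza = $0; sub(/:.*$/, "", stanza); print; next }
    stanza == "default" && $1 == "SYSTEM" { sub(/"compat"/, "\"LDAP\""); seen = 1; print; next }
    $1 == "SYSTEM" { seen = 1 }
    /^[ \t]*$/ && stanza != "" { close_stanza(); print; next }
    { print }
    END { close_stanza() }'
}

# Constructed sample of /etc/security/user (not from a real host); AIX uses "*" for comment lines
SAMPLE_USER=${TMPDIR:-/tmp}/user.sample.$$
cat > "$SAMPLE_USER" <<'EOF'
* constructed sample, three stanzas
default:
        admin = false
        login = true
        SYSTEM = "compat"

root:
        admin = true
        SYSTEM = "compat"

oracle:
        admin = false
EOF

# stanza_system FILE STANZA: print the SYSTEM value of one stanza, to check the result
stanza_system() {
    awk -v s="$2" '/^[A-Za-z0-9_.-]+:[ \t]*$/ { cur = $0; sub(/:.*$/, "", cur) }
                   cur == s && $1 == "SYSTEM" { print $3; exit }' "$1"
}

set_ldap_default < "$SAMPLE_USER" > "$SAMPLE_USER.new"
stanza_system "$SAMPLE_USER.new" default
stanza_system "$SAMPLE_USER.new" oracle
```

Review the rewritten file before copying it over /etc/security/user, and keep a root session open until a local login has been verified.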
== Restart the service
Now restart the ldap client service:
<code>
root@lpar1:/home/root>stop-secldapclntd
The secldapclntd daemon is successfully terminated.
root@lpar1:/home/root>start-secldapclntd
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.
</code>

Now it's possible to log on!

= Additional resources
http://www.ibm.com/developerworks/aix/library/au-secureopenssh/index.html \\
http://www.ibm.com/developerworks/aix/library/au-kerberosaix6/index.html \\
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_configuring_v5_client.htm \\
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_configuring_windows_server2000_kerberos_service.htm \\
http://geekdom.wesmo.com/2009/01/26/aix-authentication-inegration-in-to-active-directory-via-ldap/ \\

{{tag>aix ldap ad}}