aixldapad [2013/02/02 20:43] (current) sjoerd created
= AIX LDAP on AD
As a counterpart to [[aixldapedirectory]], this article explains everything you need when you want to authenticate against Active Directory instead of eDirectory. The AIX side is the same; the AD is a Windows 2008 AD, installed as described [[adldapforlinux|here]].
= Install LDAP Client on AIX
== Requisites

The LDAP client has a few requisites which you need to install:
  * bos.loc.iso.en_US
  * xlC.rte at level 8
This is how you install them through [[aixnim]]:
<code>
root@lpar1:/home/root>lslpp -L | grep bos.loc
root@lpar1:/home/root>lslpp -L | grep xlC
xlC.aix50.rte 8.0.0.0 C F C Set ++ Runtime for AIX 5.0
xlC.cpp 6.0.0.0 C F C for AIX Preprocessor
xlC.rte 8.0.0.0 C F C Set ++ Runtime
root@lpar1:/home/root>nimclient -o allocate -a lpp_source=lpp_5300_06_07
root@lpar1:/home/root>nimclient -o cust -a lpp_source=lpp_5300_06_07 -a filesets=bos.loc.iso.en_US

+-----------------------------------------------------------------------------+
Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

SUCCESSES
---------
Filesets listed in this section passed pre-installation verification
and will be installed.

Selected Filesets
-----------------
bos.loc.iso.en_US 5.3.0.0 # Base System Locale ISO Code ...

...<cut>...

Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
bos.loc.iso.en_US 5.3.0.0 USR APPLY SUCCESS
</code>

== Install LDAP
The LDAP client is not installed by default, so you have to install the filesets from the CD set you get with AIX. If you already have an LDAP client it's probably the client for AIX 5.2, while I prefer the idsldap client, which was originally created for AIX 6.1. Below you'll see the version I installed:
<code>
SUCCESSES
---------
Filesets listed in this section passed pre-installation verification
and will be installed.

Selected Filesets
-----------------
idsldap.clt32bit61.rte 6.1.0.17 # Directory Server - 32 bit Cl...
idsldap.cltbase61.adt 6.1.0.17 # Directory Server - Base Client
idsldap.cltbase61.rte 6.1.0.17 # Directory Server - Base Client

<< End of Success Section >>
</code>
<code>
root@lpar1:/tmp/sft/ldap>lslpp -L | grep ldap
idsldap.clt32bit61.rte 6.1.0.17 C F Directory Server - 32 bit
idsldap.cltbase61.adt 6.1.0.17 C F Directory Server - Base Client
idsldap.cltbase61.rte 6.1.0.17 C F Directory Server - Base Client
</code>

=== Test LDAP Client
You can do an ldapsearch to check LDAP connectivity:
<code>
root@lpar1:/opt/IBM/ldap/V6.1/bin>./ldapsearch -h 10.10.10.101 -D sa_ldap@adldaptest.local -w ? -b OU=Internet,DC=adldaptest,DC=local uid=sjoerd
Enter password ==>
CN=Sjoerd Hooft,OU=Internet,DC=adldaptest,DC=local
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=Sjoerd Hooft
sn=Hooft
givenName=Sjoerd
distinguishedName=CN=Sjoerd Hooft,OU=Internet,DC=adldaptest,DC=local
instanceType=4
whenCreated=20100817120919.0Z
whenChanged=20100823135928.0Z
displayName=Sjoerd Hooft
uSNCreated=16616
uSNChanged=20878
name=Sjoerd Hooft
objectGUID=NOT ASCII
userAccountControl=66048
badPwdCount=0
codePage=0
countryCode=0
badPasswordTime=129272986076195000
lastLogoff=0
lastLogon=129272986101820000
pwdLastSet=129265205592977500
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=9223372036854775807
logonCount=44
sAMAccountName=sjoerd
sAMAccountType=805306368
userPrincipalName=sjoerd@adldaptest.local
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=adldaptest,DC=local
dSCorePropagationData=16010101000000.0Z
lastLogonTimestamp=129265962121415000
uid=sjoerd
msSFU30Name=sjoerd
msSFU30NisDomain=adldaptest
msSFU30PosixMemberOf=CN=autoyast-sudo,OU=Internet,DC=adldaptest,DC=local
msSFU30PosixMemberOf=CN=autoyast,OU=Internet,DC=adldaptest,DC=local
msSFU30PosixMemberOf=CN=LDAPUsers,OU=Internet,DC=adldaptest,DC=local
uidNumber=10000
gidNumber=10000
unixHomeDirectory=/home/sjoerd
loginShell=/bin/bash
</code>

= Configure LDAP Authentication
== ldap.cfg
LDAP is really easy to configure through a special command:
<code>
root@lpar1:/home/root>/usr/sbin/mksecldap -c -h 10.10.10.101 -a sa_ldap@adldaptest.local -p LD4Paccess -d OU=Internet,DC=adldaptest,DC=local
</code>
This command does not, however, change everything that is required for successful authentication: you need to at least change the authtype, and check the userbasedn and groupbasedn. They tend to be lower in the LDAP hierarchy than expected:
<code>
root@lpar1:/home/root>cat /etc/security/ldap/ldap.cfg | grep '^[a-z]'
ldapservers:10.10.10.101
binddn:sa_ldap@adldaptest.local
bindpwd:LD4Paccess
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=Internet,DC=adldaptest,DC=local
groupbasedn:OU=Internet,DC=adldaptest,DC=local
userclasses:user,person,organizationalperson
groupclasses:group
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:sfur2
</code>

== methods.cfg
The mksecldap command also changes the logon methods as defined in methods.cfg. It does so, however, with a typo (it misses a space after one of the = symbols). Set the LDAP methods exactly as stated here:
<code>
root@lpar1:/home/root>cat /usr/lib/security/methods.cfg | grep -p LDAP
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64
</code>
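The two things the text above says to verify by hand after mksecldap, the ldap.cfg settings (authtype, userbasedn, groupbasedn) and the spacing in the methods.cfg LDAP stanza, can be checked with a small script. This is an added example, not code from the original page; it takes file paths as arguments and ships with constructed sample files, and the bind password in the sample is a placeholder.

```shell
# Added example, not part of the original page: checks for the two files the text
# says mksecldap leaves wrong. Paths are arguments, so it runs on the constructed
# samples below or on /etc/security/ldap/ldap.cfg and /usr/lib/security/methods.cfg.

# Value of a "key:value" setting in ldap.cfg (first match, no leading comment).
cfg_get() { grep "^$2:" "$1" | head -n 1 | cut -d: -f2-; }

# Return 0 if authtype is ldap_auth and both base DNs are set; print findings.
check_ldap_cfg() {
    rc=0
    [ "$(cfg_get "$1" authtype)" = "ldap_auth" ] ||
        { echo "authtype=$(cfg_get "$1" authtype): must be ldap_auth"; rc=1; }
    for k in userbasedn groupbasedn; do
        v=$(cfg_get "$1" "$k")
        [ -n "$v" ] || { echo "$k is empty"; rc=1; }
        case "$v" in DC=*) echo "$k=$v is the domain root, verify the OU" ;; esac
    done
    # simple bind with useSSL:no on port 389 sends bindpwd in clear text
    [ "$(cfg_get "$1" useSSL)" = "yes" ] || echo "note: useSSL is not yes"
    return $rc
}

# Return 0 if the LDAP stanza has exactly two program lines, each with a space
# on both sides of "=" (the typo the page says mksecldap makes).
check_methods_cfg() {
    awk '
      /^[A-Za-z]/ { stanza = $0 }
      stanza == "LDAP:" && /program/ {
          n++
          if ($0 !~ /^[ \t]*program(_64)? = \/usr\/lib\/security\/LDAP(64)?[ \t]*$/)
              { print "bad line: " $0; bad = 1 }
      }
      END { if (n != 2) { print "LDAP stanza has " n+0 " program lines, want 2"; bad = 1 }
            exit bad }' "$1"
}
# Constructed samples: a correct ldap.cfg and a methods.cfg carrying the typo.
write_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'ldapservers:10.10.10.101' 'binddn:sa_ldap@adldaptest.local' \
        'bindpwd:<bind password>' 'authtype:ldap_auth' 'useSSL:no' \
        'userbasedn:OU=Internet,DC=adldaptest,DC=local' \
        'groupbasedn:OU=Internet,DC=adldaptest,DC=local' > "$d/ldap.cfg"
    printf '%s\n' 'LDAP:' '        program =/usr/lib/security/LDAP' \
        '        program_64 = /usr/lib/security/LDAP64' > "$d/methods.cfg"
    echo "$d"
}
d=$(write_samples)
check_ldap_cfg "$d/ldap.cfg" && echo "ldap.cfg OK"
check_methods_cfg "$d/methods.cfg" || echo "methods.cfg needs fixing"
```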

== User
Now you can view the LDAP users by querying for them:
<code>
root@lpar1:/home/root>lsuser -R LDAP sjoerd
sjoerd id=10000 pgrp=LDAPUsers groups=LDAPUsers,autoyast,autoyast-sudo home=/home/sjoerd shell=/bin/bash login=false su=false rlogin=true daemon=true admin=false sugroups= admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=compat logintimes= loginretries=3 pwdwarntime=7 account_locked=false minage=1 maxage=26 maxexpired=-1 minalpha=5 minother=2 mindiff=1 maxrepeats=2 minlen=8 histexpire=26 histsize=4 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
</code>
You need to change the authentication method for these users:
<code>
root@lpar1:/home/root>chuser SYSTEM=LDAP registry=LDAP sjoerd
root@lpar1:/home/root>lsuser -R LDAP sjoerd
sjoerd id=10000 pgrp=LDAPUsers groups=LDAPUsers,autoyast,autoyast-sudo home=/home/sjoerd shell=/bin/bash login=false su=false rlogin=true daemon=true admin=false sugroups= admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=3 pwdwarntime=7 account_locked=false minage=1 maxage=26 maxexpired=-1 minalpha=5 minother=2 mindiff=1 maxrepeats=2 minlen=8 histexpire=26 histsize=4 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
</code>

Now you can log in with this user.

=== Default LDAP User
You can make LDAP the default logon method for users. It is not my preference, but it is possible. To do so, follow these steps:
  * Edit /etc/security/user
  * Go to the 'default' section and find the line that says SYSTEM = 'compat'
  * Replace 'compat' with 'LDAP'
Now, to make sure all local accounts can still authenticate, in the same file do this:
  * Add the line SYSTEM = 'compat' to all other sections in the file
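The stanza edit described in these steps, as an added shell/awk example that is not part of the original page: it rewrites a copy of a file in /etc/security/user layout, switching the default stanza's SYSTEM from "compat" to "LDAP" and adding SYSTEM = "compat" to every other stanza. My assumption is that a stanza which already has its own SYSTEM line is left unchanged, so nothing gets duplicated; the sample file is constructed.

```shell
# Added example, not from the original page: applies the "Default LDAP User" steps
# to a copy of a stanza file in /etc/security/user format and prints the result.
# Assumption: a stanza that already has a SYSTEM line is left unchanged, so the
# "compat" line is added only where it is missing.
ldap_default_user() {
    awk '
    # Emit the buffered stanza; for non-default stanzas without SYSTEM, append
    # the compat line right after the last setting (before trailing blanks).
    function flush(i, last) {
        if (n == 0) return
        for (last = n; last > 1 && lines[last] ~ /^([ \t]*|\*.*)$/; last--) ;
        for (i = 1; i <= n; i++) {
            print lines[i]
            if (i == last && name != "default" && !have) print "\tSYSTEM = \"compat\""
        }
        n = 0; have = 0
    }
    /^[^ \t#*][^:]*:[ \t]*$/ { flush(); name = $0; sub(/:.*$/, "", name) }  # stanza header
    /^[ \t]*SYSTEM[ \t]*=/ {                     # steps 2 and 3: default compat -> LDAP
        have = 1
        if (name == "default") sub(/"compat"/, "\"LDAP\"")
    }
    { lines[++n] = $0 }
    END { flush() }' "$1"
}

# Constructed sample in /etc/security/user layout: default uses compat, root and
# a local user have no SYSTEM line at all.
write_sample_user() {
    f=$(mktemp)
    printf 'default:\n\tadmin = false\n\tlogin = true\n\tSYSTEM = "compat"\n\n' > "$f"
    printf 'root:\n\tadmin = true\n\tlogin = true\n\nsjoerd:\n\tadmin = false\n' >> "$f"
    echo "$f"
}

ldap_default_user "$(write_sample_user)"
```

Run it against the real file as `ldap_default_user /etc/security/user > /tmp/user.new` and diff the two before copying the result into place.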

== Restart the service
Now restart the LDAP client daemon (secldapclntd):
<code>
root@lpar1:/home/root>stop-secldapclntd
The secldapclntd daemon is successfully terminated.
root@lpar1:/home/root>start-secldapclntd
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.
</code>

Now it's possible to log on!

= Additional resources
http://www.ibm.com/developerworks/aix/library/au-secureopenssh/index.html \\
http://www.ibm.com/developerworks/aix/library/au-kerberosaix6/index.html \\
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_configuring_v5_client.htm \\
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_configuring_windows_server2000_kerberos_service.htm \\
http://geekdom.wesmo.com/2009/01/26/aix-authentication-inegration-in-to-active-directory-via-ldap/ \\

{{tag>aix ldap ad}}