LDAP
LDAP under AIX
The following information applies to the AIX LDAP client talking to Novell eDirectory.
Bear in mind that the steps described below were written for one particular environment; yours may differ.
It is always a good idea to consult the LDAP administrator if that is a separate person.
Novell eDirectory server configuration
On the eDir side, the users must be POSIX-enabled ("Enable Users for Linux"), i.e. carry the posixAccount attributes (uidNumber, gidNumber, homeDirectory, loginShell) that the AIX client maps.
You may use the Novell command line tool 'nambulkadd' shipped with Novell OES in the novell-lum RPM package.
If the users do not exist yet, you must of course create them first, for example with Novell's ICE command line tool:
# ice -S LDIF -f import.ldif -a -D LDAP -s ldapserver -p 636 -d cn=<admin_cn> -w <admin_password>
Note that -w makes the admin password visible in the process list while ice runs, and it lands in the shell history as well.
AIX OS configuration
Filesets
AIX 6.1
- idsldap.clt32bit61.rte
- idsldap.clt64bit61.rte
- idsldap.cltbase61.adt
- idsldap.cltbase61.rte
- idsldap.clt_max_crypto32bit61.rte - for SSL [1]
- idsldap.clt_max_crypto64bit61.rte - for SSL [1]
- gsksa.rte - for SSL keystore management
- gskta.rte - for SSL keystore management
[1] - these are in the Expansion Pack
AIX 5.3
- ldap.client.adt
- ldap.client.rte
- (+SSL)
Maximum login name length
Change the max_logname attribute if necessary (adjust it to the longest username you have). The value includes the terminating null, so 64 allows names of up to 63 characters. A reboot is required for the change to take effect!
# lsattr -El sys0 -a max_logname
# chdev -l sys0 -a max_logname=64
Changes to AIX configuration files
On older TLs you may find that you must edit /etc/methods.cfg and add the following stanza manually:
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64
On current TLs this is done automatically.
In the following examples, we use the special hostname 'ldapserver' defined in /etc/hosts.
# vi /etc/hosts
...
10.1.1.125 ldapserver
Enabling and starting the LDAP client
# mksecldap -c -h ldapserver -a cn=<bind_user> -p <bind_pw> -d ou=<ou> -n 389 -M OS -A ldap_auth
Note that -A ldap_auth authenticates users by binding to the directory as them, so on port 389 without SSL every login password (and the bind user's password) crosses the network in cleartext. Use this form only for a first functional test and switch to the SSL setup described below for production.
mksecldap adds the LDAP client daemon to inittab automatically. The daemon is not controlled by SRC.
# lsitab ldapclntd
ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd > /dev/console 2>&1
Configuring AIX 6.1 secure LDAP (SSL)
In theory, the same is possible with 5.2/5.3 but I didn't test it. If you prefer the graphical interface, use IBM's ikeyman.
Create new SSL keystore and import LDAP server certificate(s)
# gsk7cmd -keydb -create -db /etc/security/ldap/key.kdb -pw <password> -type cms
# gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw <password>
# gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file /root/cert-LDAP-ORGCA.b64 -format ascii -label "Example.com CA Certificate" -pw <password> -trust enable
# gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file /root/cert-LDAP-SELFSIG.b64 -format ascii -label "Example.com self-signed CA" -pw <password> -trust enable
List the results (the password is the keystore password chosen above):
# gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw <password>
# gsk7cmd -cert -details -showOID -db /etc/security/ldap/key.kdb -pw <password> -label "Example.com self-signed CA"
Configure the LDAP client for SSL (port 636, keystore and keystore password):
# mksecldap -c -h ldapserver -a cn=<bind user> -p <bind_pw> -d ou=<ou> -n 636 -M OS -A ldap_auth -k </path/to/keydb.kdb> -w <password>
mksecldap records the bind password and the keystore password in /etc/security/ldap/ldap.cfg. Keep that file and the .kdb readable by root only: anyone who can modify the keystore can add a CA the client will trust.
Check and modify the LDAP configuration files:
# ls-secldapclntd
- dumps the running configuration to stdout.
Extend /etc/security/ldap/ldap.cfg with the additional user base DNs (userbasedn lines) your users live under.
On AIX 6.1, the following setting may be required:
# vi /etc/security/ldap/ldap.cfg
...
memberfulldn: yes
In some environments the login name is stored in 'cn' rather than in 'uid'; in that case edit the following line in the user map file:
# vi /etc/security/ldap/2307user.map
...
username SEC_CHAR cn s
After editing these files, restart the client daemon.
# restart-secldapclntd
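As an added example, not from the original page, the following sh script checks an ldap.cfg for the two weaknesses discussed above: the cleartext port-389 ldap_auth setup from the first mksecldap invocation, and a configuration file readable by non-root users. It reads the standard ldap.cfg keywords authtype, useSSL and ldapsslkeyf; the two sample files, their values and the function names are constructed for the demonstration and are not from any real system.

```sh
#!/bin/sh
# Added example (not part of the original page): audit an AIX
# /etc/security/ldap/ldap.cfg for the weak settings discussed above.
# Keywords read (authtype, useSSL, ldapsslkeyf) are standard ldap.cfg
# keywords; the two sample files below are constructed for the demo.

# cfg_get FILE KEY: print the value of the first uncommented "KEY: value"
# line; prints nothing when the key is absent.
cfg_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            n = index($0, ":"); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# audit_ldapcfg FILE: print one finding per line; exit status = findings.
audit_ldapcfg() {
    f="$1"; n=0
    authtype=$(cfg_get "$f" authtype)
    usessl=$(cfg_get "$f" useSSL)
    keyf=$(cfg_get "$f" ldapsslkeyf)
    case "$usessl" in
        yes|YES)
            # SSL is on, but the client needs a trust store to verify the server
            if [ -z "$keyf" ]; then
                echo "useSSL is on but ldapsslkeyf is not set"
                n=$((n + 1))
            fi ;;
        *)
            if [ "$authtype" = "ldap_auth" ]; then
                # ldap_auth binds to the directory as the logging-in user:
                # every login password crosses the wire, here unencrypted
                echo "authtype=ldap_auth with useSSL='$usessl': login passwords sent in cleartext"
            else
                echo "useSSL='$usessl': bind password and directory data sent in cleartext"
            fi
            n=$((n + 1)) ;;
    esac
    # ldap.cfg holds bindpwd and ldapsslkeypwd, so it must be root-only
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "$f is group- or world-readable (holds bindpwd/ldapsslkeypwd)"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample configurations; passwords are placeholders.
TMPD=$(mktemp -d)
WEAK_CFG="$TMPD/weak.cfg"
GOOD_CFG="$TMPD/good.cfg"
cat > "$WEAK_CFG" <<'EOF'
# roughly what mksecldap -c ... -n 389 -A ldap_auth leaves behind
ldapservers: ldapserver
binddn: cn=proxy,ou=svc,o=example
bindpwd: proxy-password
authtype: ldap_auth
useSSL: no
ldapport: 389
userbasedn: ou=staff,o=example
EOF
chmod 644 "$WEAK_CFG"
cat > "$GOOD_CFG" <<'EOF'
# roughly what mksecldap -c ... -n 636 -A ldap_auth -k key.kdb -w ... leaves behind
ldapservers: ldapserver
binddn: cn=proxy,ou=svc,o=example
bindpwd: proxy-password
authtype: ldap_auth
useSSL: yes
ldapsslport: 636
ldapsslkeyf: /etc/security/ldap/key.kdb
ldapsslkeypwd: keystore-password
userbasedn: ou=staff,o=example
EOF
chmod 600 "$GOOD_CFG"

for cfg in "$WEAK_CFG" "$GOOD_CFG"; do
    echo "== $cfg"
    audit_ldapcfg "$cfg" || echo "   findings: $?"
done
```

On a real box run it as audit_ldapcfg /etc/security/ldap/ldap.cfg after every mksecldap or manual edit; the permission check is the one that tends to regress after someone copies the file around.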
Listing users in LDAP
Check whether you can resolve the user from LDAP:
# lsldap -a passwd username
If you get "3001-801 Object(s) not found: ", the user's base DN is not among the configured userbasedn entries.
You can use the 'id' command as an alternative. If the user cannot be resolved, you get:
# id username
3004-820 User not found in /etc/passwd file
If the user can be resolved, id prints its uid, gid and groups, and lsldap prints the full passwd-style entry.
You can list every user available from LDAP with lsuser by asking for any attribute. The user name itself is not an attribute you can select, but it always starts the output line:
# lsuser -R LDAP -a home ALL
To list the LDAP users enabled for login (i.e. their registry changed to LDAP):
# lsuser -R LDAP -a SYSTEM ALL | grep LDAP
Local users can be listed the same way:
# lsuser -R files -a home ALL
To test if a user is already added to the LDAP registry:
# lssec -s <user1> -f /etc/security/user -a registry -a SYSTEM
user1 registry=LDAP SYSTEM="LDAP"
You can also use the lsuser command (as root!); here is a user that is resolved from LDAP but whose SYSTEM attribute is still compat, i.e. not yet enabled for LDAP login:
# lsuser -a registry SYSTEM user2
user2 registry=LDAP SYSTEM=compat
As you can see, there are many ways. ;-)
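As an added example, not from the original page, the following sh functions turn the lsuser listings above into a single report: which LDAP users are already enabled, which are still pending, and which names collide with a local files account. The input format is the "name attr=value ..." layout lsuser prints, including the quoted and compound SYSTEM values ("LDAP", "LDAP OR compat"); the sample data and the function names are constructed for this example.

```sh
#!/bin/sh
# Added example (not part of the original page): classify LDAP users from
# lsuser output into enabled / pending / collision. The input is the format
# lsuser prints ("name attr=value ..."); sample data below is constructed and
# the function names are this example's own.

# classify_users LDAP_LISTING LOCAL_NAMES
#   LDAP_LISTING: saved output of  lsuser -R LDAP -a registry SYSTEM ALL
#   LOCAL_NAMES:  saved output of  lsuser -R files -a id ALL   (name is $1)
# Prints "name state" per LDAP user:
#   enabled   - SYSTEM contains the token LDAP (login via LDAP allowed)
#   pending   - resolvable from LDAP, SYSTEM still compat or similar
#   collision - a local (files) account of the same name exists
classify_users() {
    awk '
        FILENAME == ARGV[1] { local[$1] = 1; next }   # local names first
        {
            name = $1; state = "pending"
            # SYSTEM may be bare (compat), quoted ("LDAP") or compound
            # ("LDAP OR compat"), so match on the whole line, not on fields
            if (match($0, /SYSTEM=("[^"]*"|[^ \t]*)/)) {
                v = substr($0, RSTART + 7, RLENGTH - 7)
                gsub(/"/, "", v)
                nt = split(v, tok, /[ \t]+/)
                for (j = 1; j <= nt; j++) if (tok[j] == "LDAP") state = "enabled"
            }
            if (name in local) state = "collision"
            print name, state
        }' "$2" "$1"
}

# pending_users LDAP_LISTING LOCAL_NAMES: names that are safe to enable,
# i.e. the list to feed into a chuser loop
pending_users() {
    classify_users "$1" "$2" | awk '$2 == "pending" { print $1 }'
}

# Constructed sample data
TMPD=$(mktemp -d)
LDAP_LIST="$TMPD/ldap.txt"
LOCAL_LIST="$TMPD/local.txt"
cat > "$LDAP_LIST" <<'EOF'
alpha registry=LDAP SYSTEM="LDAP"
bravo registry=LDAP SYSTEM=compat
charlie registry=LDAP SYSTEM="LDAP OR compat"
delta registry=LDAP SYSTEM=compat
EOF
cat > "$LOCAL_LIST" <<'EOF'
root id=0
daemon id=1
delta id=210
EOF

classify_users "$LDAP_LIST" "$LOCAL_LIST"
echo "pending: $(pending_users "$LDAP_LIST" "$LOCAL_LIST" | tr '\n' ' ')"
```

On AIX, capture the two listings with the lsuser commands named in the comments and pass the files to classify_users; a "collision" entry should be resolved by hand before the name is switched to the LDAP registry.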
Adding a new LDAP user to AIX
Even if a user can be resolved from LDAP, it must still be explicitly added to the LDAP registry in AIX (SYSTEM=LDAP, registry=LDAP) before it can log in.
Check first whether a user of the same name already exists in the local files registry (the 'migration' case), so that you do not end up with two accounts of that name in different registries.
The AIX LDAP client does not create home directories; you must do this yourself. The same applies to skeleton files (shell profile, etc.).
I use this simple script:
users="alpha bravo charlie delta"
for user in $users; do
    # refuse to touch a name that already exists in the local files registry
    if lsuser -R files "$user" >/dev/null 2>&1; then
        echo "$user: already exists in the local registry, skipping" >&2
        continue
    fi
    # change user's registry; if it fails for some reason, skip to next item
    chuser -R LDAP SYSTEM=LDAP registry=LDAP "$user" || continue
    # create home directory (the LDAP client does not); never chown an existing one
    if [ -d "/home/$user" ]; then
        echo "$user: /home/$user already exists, leaving it alone" >&2
        continue
    fi
    mkdir "/home/$user"
    # try to determine user's primary group from LDAP, fall back to staff
    # (note the space after "$(": "$((" would be an arithmetic expansion)
    group=$( (lsuser -R LDAP -a pgrp "$user" 2>/dev/null || echo pgrp=staff) | sed 's/.*=//')
    # skeleton profile, the same file mkuser copies for local users
    cp /etc/security/.profile "/home/$user/.profile"
    chown "$user:$group" "/home/$user" "/home/$user/.profile"
    # I prefer restricting home directories
    chmod 0700 "/home/$user"
done
Removing the user from the LDAP registry
# chuser -R LDAP SYSTEM=compat username
LDAP query
AIX
lsldap (limited) - using the LDAP client secldapclntd; only root can see every entry
$ lsldap -a passwd lgee
Linux/Novell
ldapsearch - available to every user (the bind DN is given individually)
With the password on the command line (visible in the process list and in the shell history):
$ ldapsearch [ -H <uri> | -h <hostname> -p <port> ] -D <bind_dn> -w <password> [-x] <search string> [<attributes>]
Interactive password prompt (preferred):
$ ldapsearch -H <uri> -D <bind_dn> -W [-x] <search string>
Example:
$ ldapsearch -H ldaps://ldapserver2:636 -D cn=bind_user,ou=staff,o=myco,c=hu -W -x -LLL cn=lgee ou groupMembership
-H: LDAP URI (-h/-p are deprecated). Port 636 speaks LDAP over TLS, so the scheme must be ldaps://, not ldap://; with ldap:// on 389, add -ZZ to require StartTLS.
-x: simple bind (not SASL); the password travels in cleartext unless the connection is ldaps:// or StartTLS
-L: LDIF format
-LLL: LDIF format, plain output (no comments/version)
References
ldap.cfg File Format in AIX 'Files Reference'
Manual pages:
- mksecldap
- lsldap
- lsuser/chuser
- lssec/chsec
- ls-secldapclntd
- start-secldapclntd
- restart-secldapclntd
- stop-secldapclntd
hup.hu AIX LDAP auth (in Hungarian)
hup.hu AIX vs LDAP sudo (in Hungarian)