LDAP

LDAP under AIX

The following information applies to the AIX LDAP client talking to Novell eDirectory.

Bear in mind that the steps described below were worked out for one particular environment; yours may differ.

It is always a good idea to consult the LDAP admin if that is a separate person.

Most of the commands below (ice, mksecldap, gsk7cmd, ldapsearch -w) take a password on the command line. It then shows up in the process list while the command runs and in your shell history afterwards, so clean up your history and prefer an interactive password prompt where the tool offers one (e.g. ldapsearch -W).

Novell eDirectory server configuration

On eDirectory, the users must be POSIX-enabled ("Enable Users for Linux"), i.e. carry the posixAccount attributes (uidNumber, gidNumber, homeDirectory, loginShell) that the AIX client maps through its RFC 2307 attribute maps.

You may use the Novell command line tool 'nambulkadd' shipped with Novell OES in the novell-lum RPM package.

If the users do not exist yet, you must of course create them first, for example with Novell's ICE command line tool (LDIF import):

# ice -S LDIF -f import.ldif -a -D LDAP -s ldapserver -p 636 -d cn=<admin_cn> -w <admin_password>

AIX OS configuration

Filesets

AIX 6.1

  • idsldap.clt32bit61.rte
  • idsldap.clt64bit61.rte
  • idsldap.cltbase61.adt
  • idsldap.cltbase61.rte
  • idsldap.clt_max_crypto32bit61.rte - for SSL [1]
  • idsldap.clt_max_crypto64bit61.rte - for SSL [1]
  • gsksa.rte - for SSL keystore management
  • gskta.rte - for SSL keystore management

[1] - these are in the Expansion Pack

AIX 5.3

  • ldap.client.adt
  • ldap.client.rte
  • plus the SSL client fileset from the Expansion Pack, if you want SSL

Maximum login name length

Change the max_logname attribute if necessary. The usable login name length is max_logname minus 1 (one byte goes to the terminating NUL), so set it to the length of your longest username plus one. A reboot is required for the change to take effect!

# lsattr -El sys0 -a max_logname
# chdev -l sys0 -a max_logname=64

Changes to AIX configuration files

On older TLs you may find that you have to add the LDAP stanza to /etc/methods.cfg by hand:

LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64

On current TLs mksecldap adds it for you.

In the following examples, we use the special hostname 'ldapserver' defined in /etc/hosts.

# vi /etc/hosts
...
10.1.1.125    ldapserver

Enabling and starting the LDAP client

# mksecldap -c -h ldapserver -a cn=<bind_user> -p <bind_pw> -d ou=<ou> -n 389 -M OS -A ldap_auth

-A ldap_auth means that a user is authenticated by binding to the LDAP server with the user's own password (with unix_auth the client would instead fetch the crypt hash from the userPassword attribute and compare it locally). Over port 389 without SSL that password crosses the network in cleartext, so use the SSL setup described further down for anything beyond a test box.

It will add the LDAP client daemon to inittab automatically. The daemon is not controlled by SRC.

# lsitab ldapclntd
ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd  > /dev/console 2>&1

Configuring AIX 6.1 secure LDAP (SSL)

In theory, the same is possible with 5.2/5.3 but I didn't test it. If you prefer the graphical interface, use IBM's ikeyman.

Create new SSL keystore and import LDAP server certificate(s)

# gsk7cmd -keydb -create -db /etc/security/ldap/key.kdb -pw <password> -type cms
# gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw <password>
# gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file /root/cert-LDAP-ORGCA.b64 -format ascii -label "Example.com CA Certificate" -pw <password> -trust enable
# gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file /root/cert-LDAP-SELFSIG.b64 -format ascii -label "Example.com self-signed CA" -pw <password> -trust enable

Whatever you add with '-trust enable' becomes a trust anchor for every LDAP authentication on this host, so get the CA certificate from the LDAP admin over a channel you trust rather than pulling it off the server, compare fingerprints before importing, and import only the CA(s) the server actually chains to.

List the results:

# gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw <password>
# gsk7cmd -cert -details -showOID -db /etc/security/ldap/key.kdb -pw <password> -label "Example.com self-signed CA"

Configure the LDAP client:

# mksecldap -c -h ldapserver -a cn=<bind_user> -p <bind_pw> -d ou=<ou> -n 636 -M OS -A ldap_auth -k /etc/security/ldap/key.kdb -w <password>

- -k points at the keystore created above and -w is its password; mksecldap stores both in ldap.cfg (ldapsslkeyf / ldapsslkeypwd), one more reason to keep that file readable by root only.

Check and modify LDAP configuration files:

# ls-secldapclntd

- dumps the configuration to stdout.

The userbasedn (and groupbasedn) entries in /etc/security/ldap/ldap.cfg must cover every subtree your users live in; add the extra base DNs there (the client accepts more than one userbasedn line).

On AIX 6.1, the following setting may be required:

# vi /etc/security/ldap/ldap.cfg
...
memberfulldn: yes

In some environments the login name is kept in 'cn' rather than 'uid'; then change the username line in the user map file so that it maps to cn:

# vi /etc/security/ldap/2307user.map
...
username        SEC_CHAR        cn                      s

After editing these files, restart the client daemon.

# restart-secldapclntd
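Once the client is configured it is worth checking the resulting ldap.cfg rather than trusting it. The script below is an added example, not part of the original page: it reads the attributes mksecldap writes (useSSL, ldapsslkeyf, authtype) and flags a configuration that still does ldap_auth over plain LDAP, or whose config file or keystore is readable by other users. The two sample configuration files it writes are constructed for the example and contain only the lines the checks look at; a real ldap.cfg has many more.

```sh
#!/bin/sh
# Added example, not part of the original page: audit an AIX ldap.cfg for the
# settings that decide whether ldap_auth sends user passwords in the clear.
# Attribute names (useSSL, ldapsslkeyf, ldapsslport, authtype) are the ones
# mksecldap writes; the policy ("must be yes", "must be mode 600") is ours.

# ldapcfg_get FILE KEY: print KEY's value from "key: value" lines ('#' = comment)
ldapcfg_get() {
  grep -v '^[[:space:]]*#' "$1" |
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" |
    head -n 1 | sed 's/[[:space:]]*$//'
}

# other_perms FILE: the "other" rwx triplet from ls -l, e.g. "r--" or "---"
other_perms() {
  ls -ld "$1" | cut -c8-10
}

# audit_ldapcfg FILE: return 0 if acceptable, 1 otherwise; findings go to stderr
audit_ldapcfg() {
  f="$1"; rc=0
  usessl=$(ldapcfg_get "$f" useSSL)
  keyf=$(ldapcfg_get "$f" ldapsslkeyf)
  if [ "$usessl" != "yes" ]; then
    echo "$f: useSSL='${usessl:-unset}' with authtype=$(ldapcfg_get "$f" authtype): user passwords cross the network unencrypted" >&2
    rc=1
  elif [ -z "$keyf" ]; then
    echo "$f: useSSL is yes but ldapsslkeyf is not set" >&2
    rc=1
  elif [ ! -f "$keyf" ]; then
    echo "$f: keystore $keyf does not exist" >&2
    rc=1
  elif [ "$(other_perms "$keyf")" != "---" ]; then
    echo "$keyf: keystore is readable by others" >&2
    rc=1
  fi
  if [ "$(other_perms "$f")" != "---" ]; then
    echo "$f: config is readable by others (it holds the bind DN credentials)" >&2
    rc=1
  fi
  return $rc
}

# make_samples DIR: write a weak and a hardened ldap.cfg into DIR. Both are
# constructed fragments in mksecldap's "key:value" format, not real files.
make_samples() {
  d="$1"
  cat > "$d/weak.cfg" <<'EOF'
# constructed: roughly what "mksecldap -c ... -n 389 -A ldap_auth" leaves behind
ldapservers:ldapserver
binddn:cn=bind_user,ou=staff,o=myco,c=hu
bindpwd:secret
authtype:ldap_auth
useSSL:no
ldapport:389
EOF
  chmod 644 "$d/weak.cfg"          # deliberately too open
  : > "$d/key.kdb"                 # stands in for the gsk7cmd keystore
  chmod 600 "$d/key.kdb"
  cat > "$d/good.cfg" <<EOF
# constructed: the SSL variant, keystore created with gsk7cmd
ldapservers:ldapserver
binddn:cn=bind_user,ou=staff,o=myco,c=hu
bindpwd:secret
authtype:ldap_auth
useSSL:yes
ldapsslport:636
ldapsslkeyf:$d/key.kdb
EOF
  chmod 600 "$d/good.cfg"
}

# Stand-alone use: audit the real client configuration given as argument.
if [ $# -gt 0 ]; then
  audit_ldapcfg "$1"
fi
```

Run it as `sh audit-ldapcfg.sh /etc/security/ldap/ldap.cfg` on the client; exit status 1 means at least one finding was printed. The permission check uses the "other" triplet from ls -l, which works the same on AIX and Linux.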

Listing users in LDAP

Check if you can list the user from LDAP:

# lsldap -a passwd username

If you are getting "3001-801 Object(s) not found: ", the subtree the user lives in is not covered by the userbasedn entries in ldap.cfg.

You can use the 'id' command as an alternative; if the user cannot be resolved it says so:

# id username
3004-820 User not found in /etc/passwd file

If the user can be resolved, id prints the uid, primary gid and group memberships obtained from LDAP.

You can list every user visible through LDAP with lsuser. Unfortunately the user name itself is not an lsuser attribute, so you have to ask for some other attribute (here: home) just to get one line per user:

# lsuser -R LDAP -a home ALL

To list the LDAP users enabled for login (i.e. those whose SYSTEM attribute has been set to LDAP):

# lsuser -R LDAP -a SYSTEM ALL | grep LDAP

Local users can be listed in a similar manner:

# lsuser -R files -a home ALL

To test whether a user has already been switched to the LDAP registry:

# lssec -s <user1> -f /etc/security/user -a registry -a SYSTEM
user1 registry=LDAP SYSTEM="LDAP"

Or use lsuser (as root!); here is a user that resolves from LDAP but has not yet been switched to the LDAP registry:

# lsuser -a registry SYSTEM user2
user2 registry=LDAP SYSTEM=compat

As you can see, there are many ways. ;-)
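The states above (local account, LDAP user already switched to the LDAP registry, LDAP user resolvable but still SYSTEM=compat) can be told apart mechanically. The script below is an added example, not part of the original page: it parses one line of `lsuser -a registry SYSTEM <user>` output in the format shown above and names the state, and it replaces the `grep LDAP` listing with an exact check, since grep also matches mixed SYSTEM values such as "LDAP or compat". The state names are this example's own; the sample lines it is checked against are constructed from the output shown above.

```sh
#!/bin/sh
# Added example, not part of the original page: classify a user's AIX
# registry state from the output of "lsuser -a registry SYSTEM <user>".
# Relies only on the two attributes shown on the page (registry, SYSTEM)
# and on lsuser printing them in the order requested; the state names are ours.

# classify_user_line LINE: print one of
#   local                      registry=files
#   ldap-enabled               registry=LDAP, SYSTEM exactly LDAP
#   ldap-mixed                 registry=LDAP, SYSTEM contains LDAP plus other methods
#   ldap-resolved-not-enabled  registry=LDAP, SYSTEM without LDAP (e.g. compat)
#   unknown                    anything else (no registry= field)
classify_user_line() {
  line="$1"
  registry=$(printf '%s\n' "$line" | sed -n 's/.* registry=\([^ ]*\).*/\1/p')
  # SYSTEM is requested last, so its value runs to end of line; drop the quotes
  system=$(printf '%s\n' "$line" | sed -n 's/.* SYSTEM=\(.*\)$/\1/p' | tr -d '"')
  case "$registry" in
    files) echo local ;;
    LDAP)
      case "$system" in
        LDAP)   echo ldap-enabled ;;
        *LDAP*) echo ldap-mixed ;;                # e.g. "LDAP or compat"
        *)      echo ldap-resolved-not-enabled ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# check_user USER: run lsuser (AIX only) and classify the result
check_user() {
  command -v lsuser >/dev/null 2>&1 || { echo "lsuser not found: run this on AIX" >&2; return 2; }
  out=$(lsuser -a registry SYSTEM "$1" 2>/dev/null) || { echo unknown; return 1; }
  classify_user_line "$out"
}

# list_ldap_enabled: like "lsuser -R LDAP -a SYSTEM ALL | grep LDAP", but prints
# only users whose SYSTEM is exactly LDAP, so mixed values are not counted
list_ldap_enabled() {
  lsuser -R LDAP -a registry SYSTEM ALL 2>/dev/null | while read -r l; do
    if [ "$(classify_user_line "$l")" = ldap-enabled ]; then
      printf '%s\n' "${l%% *}"      # first field is the user name
    fi
  done
}

# Stand-alone use: classify each user named on the command line.
if [ $# -gt 0 ]; then
  for u in "$@"; do
    printf '%s: %s\n' "$u" "$(check_user "$u")"
  done
fi
```

Run as root on the client, e.g. `sh user-state.sh user1 user2`, since lsuser shows LDAP users fully only to root (as noted for lsldap below).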

Adding a new LDAP user to AIX

Even if a user resolves from LDAP, it must be explicitly switched to the LDAP registry in AIX (SYSTEM=LDAP, registry=LDAP) before it can log in with its LDAP password.

Before switching, check whether an account with the same name already exists in the local registry (lsuser -R files <user>); such an account has to be migrated deliberately (uid, home directory, file ownership), not just switched.

The AIX LDAP client does not create home directories, you must do this yourself. The same applies to skeleton files (shell profile, etc).

I use this simple script (the lsuser -R files check at the top is the migration test mentioned above):

#!/bin/ksh
users="alpha bravo charlie delta"
for user in $users; do
  # skip accounts that already exist in the local registry: those need a real migration
  if lsuser -R files $user >/dev/null 2>&1; then
    echo "$user exists in the local registry, skipping" >&2
    continue
  fi
  # change user's registry; if it fails for some reason, skip to next item
  chuser -R LDAP SYSTEM=LDAP registry=LDAP $user || continue
  # create home directory (the LDAP client does not do it for us)
  mkdir -p /home/$user
  # try to determine user's primary group from LDAP, fall back to staff
  # (note the space after "$(": "$((" would start an arithmetic expansion)
  group=$( (lsuser -R LDAP -a pgrp $user 2>/dev/null || echo pgrp=staff) | sed 's/.*=//')
  chown $user:$group /home/$user
  # I prefer restricting home directories
  chmod 0700 /home/$user
done

Removing the user from the LDAP registry

# chuser -R LDAP SYSTEM=compat username

LDAP query

AIX

lsldap (limited) - using the LDAP client secldapclntd; only root can see every entry

$ lsldap -a passwd lgee

Linux/Novell

ldapsearch - available for every user (bind DN is specified individually)

With the password on the command line (visible in ps output and in your shell history; prefer -W, or with OpenLDAP's ldapsearch -y <password_file>):

$ ldapsearch [ -H <uri> | -h <hostname> -p <port> ] -D <bind_dn> -w <password> [-x] <search string> [<parameters>]

Interactive password prompt:

$ ldapsearch -H <uri> -D <bind_dn> -W [-x] <search string>

Example (note the ldaps:// scheme: ldap://host:636 would attempt plain LDAP on the TLS port; the client must also trust the server's CA, for OpenLDAP via TLS_CACERT in ldap.conf):

$ ldapsearch -H ldaps://ldapserver2:636 -D cn=bind_user,ou=staff,o=myco,c=hu -W -x -LLL cn=lgee ou groupMembership

-H: LDAP URI (-h is deprecated); ldaps:// for LDAP over SSL/TLS

-D / -W: bind DN and interactive password prompt

-x: simple auth (not SASL)

-L: LDIF format

-LLL: LDIF format, plain output (no comments/version)

References

ldap.cfg File Format in AIX 'Files Reference'

Manual pages:

  • mksecldap
  • lsldap
  • lsuser/chuser
  • lssec/chsec
  • ls-secldapclntd
  • start-secldapclntd
  • restart-secldapclntd
  • stop-secldapclntd

RFC 2307

hup.hu AIX LDAP auth (in Hungarian)

hup.hu AIX vs LDAP sudo (in Hungarian)