LDAP under AIX
The following information applies to the AIX LDAP client and Novell eDirectory.
Bear in mind that most of the steps described below apply to a custom environment; yours may be different.
It is always a good idea to consult the LDAP admin if there is a separate person for it.
On the eDir, you must make users POSIX-enabled ("Enable Users for Linux").
You may use the Novell command line tool 'nambulkadd' shipped with Novell OES in the novell-lum RPM package.
Also if the users do not exist, of course you must create them first, with Novell's ICE command line tool, for example:
# ice -S LDIF -f import.ldif -a -D LDAP -s ldapserver -p 636 -d cn=<admin_cn> -w <admin_password>
AIX 6.1
[1] - these are in the Expansion Pack
AIX 5.3
Change the max_logname attribute if necessary (adjust it to the maximum length of your usernames); a reboot is required!
# lsattr -El sys0 -a max_logname
# chdev -l sys0 -a max_logname=64
On older TLs you may find that you must add the following stanza to /etc/methods.cfg manually:
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
On fresh TLs this is done automatically.
In the following examples, we use the special hostname 'ldapserver' defined in /etc/hosts.
# vi /etc/hosts
...
10.1.1.125 ldapserver
# mksecldap -c -h ldapserver -a cn=<bind_user> -p <bind_pw> -d ou=<ou> -n 389 -M OS -A ldap_auth
This adds the LDAP client daemon to /etc/inittab automatically. The daemon is not controlled by SRC.
# lsitab ldapclntd
ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd > /dev/console 2>&1
In theory, the same is possible with 5.2/5.3 but I didn't test it. If you prefer the graphical interface, use IBM's ikeyman.
Create new SSL keystore and import LDAP server certificate(s)
# gsk7cmd -keydb -create -db /etc/security/ldap/key.kdb -pw <password> -type cms
# gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw <password>
# gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file /root/cert-LDAP-ORGCA.b64 -format ascii -label "Example.com CA Certificate" -pw <password> -trust enable
# gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file /root/cert-LDAP-SELFSIG.b64 -format ascii -label "Example.com self-signed CA" -pw <password> -trust enable
List the results:
# gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw password
# gsk7cmd -cert -details -showOID -db /etc/security/ldap/key.kdb -pw 12345678 -label "Example.com self-signed CA"
Configure the LDAP client (this time over SSL on port 636, with the keystore created above):
# mksecldap -c -h ldapserver -a cn=<bind user> -p <bind_pw> -d ou=<ou> -n 636 -M OS -A ldap_auth -k </path/to/keydb.kdb> -w <password>
Check and modify the LDAP configuration files:
# ls-secldapclntd
This dumps the running configuration to stdout.
You must extend the client configuration file (/etc/security/ldap/ldap.cfg) with the extra user base DNs you need.
On AIX 6.1, the following setting may be required:
# vi /etc/security/ldap/ldap.cfg
...
memberfulldn: yes
In some environments 'cn' is used as the username attribute; then you must edit the following line in the user map file:
# vi /etc/security/ldap/2307user.map
...
username SEC_CHAR cn s
After editing these files, restart the client daemon:
# restart-secldapclntd
Check whether you can list the user from LDAP:
# lsldap -a passwd username
If you get "3001-801 Object(s) not found: ", the user's base DN is missing.
You can use the 'id' command as an alternative:
# id username
3004-820 User not found in /etc/passwd file
If the user can be identified, you get a lot of information about the user account instead of this error.
You can list every user available from LDAP with the following command. Unfortunately, the username itself is not an attribute and cannot be selected with lsuser, so some other attribute (here: home) must be requested:
# lsuser -R LDAP -a home ALL
To list LDAP users enabled for login (i.e. their registry changed to LDAP):
# lsuser -R LDAP -a SYSTEM ALL | grep LDAP
Local users can be listed in a similar manner:
# lsuser -R files -a home ALL
To test whether a user has already been added to the LDAP registry:
# lssec -s <user1> -f /etc/security/user -a registry -a SYSTEM
user1 registry=LDAP SYSTEM="LDAP"
You can also use the lsuser command (as root!). Here is a user that comes from LDAP but is not yet added to the LDAP registry:
# lsuser -a registry SYSTEM user2
user2 registry=LDAP SYSTEM=compat
As you can see, there are many ways. ;-)
If a user can be resolved from LDAP, it must also be explicitly added to the LDAP registry in AIX.
Before this 'migration' it is a good idea to check whether the users already exist in the local registry.
The AIX LDAP client cannot create home directories; you must do this manually. The same applies to skeleton files (shell profile, etc.).
I use this simple script:
users="alpha bravo charlie delta"
for user in $users; do
    # change the user's registry; if it fails for some reason, skip to the next one
    chuser -R LDAP SYSTEM=LDAP registry=LDAP "$user" || continue
    # create the home directory
    mkdir "/home/$user"
    # try to determine the user's primary group from LDAP, fall back to staff
    # (note the space after "$(": "$((" would be parsed as arithmetic expansion)
    group=$( (lsuser -R LDAP -a pgrp "$user" 2>/dev/null || echo pgrp=staff) | sed 's/.*=//' )
    chown "$user:$group" "/home/$user"
    # I prefer restricting home directories
    chmod 0700 "/home/$user"
done
To switch a user's SYSTEM attribute back to compat:
# chuser -R LDAP SYSTEM=compat username
AIX
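The registry/SYSTEM checks above and the migration script both depend on reading the "registry=... SYSTEM=..." pairs correctly, so here is an added example (not from the original page) that classifies accounts from lsuser-style output and prints a dry-run list of the chuser commands the script would execute. The input is a constructed sample in the format of "lsuser -a registry SYSTEM ALL"; on a real host you would pipe the command itself into the functions. The state names (local, ldap-ready, ldap-pending, other) are my own labels, not AIX terminology.

```shell
#!/bin/sh
# Added example, not from the original page: classify accounts by the
# registry/SYSTEM pair that "lsuser -a registry SYSTEM ..." prints, and
# produce a dry-run migration plan before running chuser for real.

# Constructed sample output in the format of
#   lsuser -a registry SYSTEM ALL
# On a real host pipe the command itself into the functions below instead.
SAMPLE_LSUSER='root registry=files SYSTEM=compat
alpha registry=LDAP SYSTEM=LDAP
bravo registry=LDAP SYSTEM=compat
charlie registry=LDAP SYSTEM="LDAP"
delta registry=files SYSTEM=compat'

# user_state REGISTRY SYSTEM
# Maps the pair to one of these labels (my own names):
#   local        - defined locally, authenticates locally
#   ldap-ready   - resolved from LDAP and enabled for LDAP login
#   ldap-pending - resolved from LDAP but SYSTEM still at compat,
#                  i.e. the account still has to be migrated with chuser
#   other        - any other combination; review it by hand
user_state() {
    case "$1/$2" in
        files/compat) echo local ;;
        LDAP/LDAP)    echo ldap-ready ;;
        LDAP/compat)  echo ldap-pending ;;
        *)            echo other ;;
    esac
}

# classify_users: reads lsuser-style lines ("name registry=X SYSTEM=Y") on
# stdin and prints "name state" per line.  SYSTEM may be quoted, as in the
# lssec output on the page, and may contain spaces ("LDAP OR compat").
classify_users() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%% *}
        reg=$(printf '%s\n' "$line" | sed -n 's/.*registry=\([^ ]*\).*/\1/p')
        sys=$(printf '%s\n' "$line" | sed -n 's/.*SYSTEM="*\([^"]*\)"*.*/\1/p')
        printf '%s %s\n' "$name" "$(user_state "$reg" "$sys")"
    done
}

# pending_users: names of accounts that still need migrating.
pending_users() {
    classify_users | awk '$2 == "ldap-pending" { print $1 }'
}

# migration_plan: print (do not run) the chuser command from the migration
# script for every pending account, so the list can be reviewed first.
migration_plan() {
    pending_users | while IFS= read -r u; do
        printf 'chuser -R LDAP SYSTEM=LDAP registry=LDAP %s\n' "$u"
    done
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LSUSER" | classify_users
printf '%s\n' "$SAMPLE_LSUSER" | migration_plan
```

Reviewing the plan first matters because chuser rewrites /etc/security/user for each name it is given; feeding it a local account by mistake would flip that account's registry too. The quoting-aware SYSTEM parsing is there because lssec prints SYSTEM="LDAP" while lsuser prints SYSTEM=LDAP, and both forms should land in the same bucket.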
lsldap (limited) - uses the LDAP client daemon secldapclntd; only root can see every entry.
$ lsldap -a passwd lgee
Linux/Novell
ldapsearch - available to every user (the bind DN is specified individually).
With the password on the command line (it is then visible to other users in the process list and may end up in your shell history, so prefer the interactive prompt where possible):
$ ldapsearch [ -H <uri> | -h <hostname> -p <port> ] -D <bind_dn> -w <password> [-x] <search string> [<parameters>]
Interactive password prompt:
$ ldapsearch -H <uri> -D <bind_dn> -W [-x] <search string>
Example:
$ ldapsearch -H ldap://ldapserver2:636 -D cn=bind_user,ou=staff,o=myco,c=hu -W -x -LLL cn=lgee ou groupMembership
-H: LDAP URI (-h is deprecated)
-x: simple auth (not SASL)
-L: LDIF format
-LLL: LDIF format, plain output (no comments/version)
ldap.cfg File Format in AIX 'Files Reference'
Manual pages:
hup.hu AIX LDAP auth (in Hungarian)
hup.hu AIX vs LDAP sudo (in Hungarian)