Differences

This shows you the differences between two versions of the page.

--- aix:user_adldap [2021/11/08 18:16]
manu
+++ aix:user_adldap [2022/08/22 09:24] (current)
manu [User password is expired]
@@ Line 1: / Line 1: @@
 ====== AIX with Active Directory authentification ======
- {{:aix:logo-aix.png|}}
+Kerberos vs LDAP for authentification ?
-https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
+LDAP and Kerberos together make for a great combination. Kerberos is used to manage credentials securely (authentication) while LDAP is used for holding authoritative information about the accounts, such as what they're allowed to access (authorization), the user's full name and uid. You can also add in helpful things such as an external email address or a room number in a structured way.
-http://www.wmduszyk.com/?p=11663&langswitch_lang=pl&cpage=1#comment-50005
+Most other LDAP setups involve in storing passwords in the LDAP directory itself using the userPassword attribute. While this is ok for a basic setup, one can do much better with just a little effort.
+ {{:aix:logo-aix.png|}}
+Kerberos can be an addon but it 'll only be used for password authentification, not required as standard LDAP client will do it also.
 ===== Required components =====
@@ Line 19: / Line 23: @@
 ===== Configuring Windows Active Directory =====
+**A connection user for AD is required, with rights to read all**
 **These are mandatory attributes to be able to connect from AIX to AD**
@@ Line 89: / Line 96: @@
 </cli>
-===== Connection to Active Directory =====
+===== Connection to Active Directory (unsecure) =====
 Setup LDAP:
@@ Line 186: / Line 193: @@
 [root@aix001]/root>  chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
 </cli>
+Change authentification order (to prevent error: Error committing changes to “default”, disable authcontroldomain)
+<cli prompt='>'>
+[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=''
+[root@aix001]/root> chsec -f /etc/security/user -s default -a SYSTEM="files or LDAP"
+[root@aix001]/root> chsec -f /etc/security/user -s default -a registry=LDAP
+[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=LDAP
+</cli>
 Test a remote connection
 <cli prompt='>'>
@@ Line 200: / Line 215: @@
 </cli>
+===== Connection to Active Directory (secure SSL) =====
+Setup LDAP:
+Create the key DB
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -keydb -create -db /etc/security/ldap/ldap.kdb -pw "password" -type cms -stash
+[root@labo]/etc/security/ldap# ll
+...
+-rw-------    1 root     system           88 Nov  3 15:52 ldap.crl
+-rw-------    1 root     system           88 Nov  3 15:52 ldap.kdb
+-rw-------    1 root     system           88 Nov  3 15:52 ldap.rdb
+-rw-------    1 root     system          193 Nov  3 15:52 ldap.sth
+</cli>
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -keydb -list -db /etc/security/ldap/ldap.kdb -pw "password" -stash
+Currently supported key database types:
+  cms
+  pkcs11
+  pkcs12
+  csp
+  pkcs7
+KDB file format is CMS version 4
+hdmac:
+    ...
+dbmac:
+    ...
+KDB password does not expire.
+Record count 0, Record size 5000
+Expected KDB file size is 88 bytes
+Actual KDB file size is 88 bytes.
+File size is as expected, good.
+</cli>
+I add a CA certificate into the key DB
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -add -db /etc/security/ldap/ldap.kdb -pw "password" -type pem -file BA_certificate/ca2.ba.cer -label "BA_ca2.cer"
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -list -db /etc/security/ldap/ldap.kdb -pw "password"
+Certificates found
+* default, - personal, ! trusted, # secret key
+!       BA_ca2.cer
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -details -db /etc/security/ldap/ldap.kdb -pw "password" -label "BA_ca2.cer"
+Label : BA_ca2.cer
+Key Size : 2048
+Version : X509 V3
+Serial : 5a8xxxxxxxxxxxxxxxxxxf
+Issuer : CN=CA.BA.LU,DC=ba,DC=lu
+Subject : CA.BA.LU,DC=ba,DC=lu
+Not Before : February 5, 2012 5:54:02 PM GMT+01:00
+Not After : February 5, 2015 6:04:01 PM GMT+01:00
+Public Key
+    ...
+Trust Status : Enabled
+</cli>
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# ldapsearch -L -D "CN=ldap usr,OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu" -w "Mypasswd" -h ldap.ba.lu -p 636 -K /etc/security/ldap/ldap.kdb -b "OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu" '(objectClass=*)'  uid uidNumber gidNumber Loginshell unixHomeDirectory
+...
+dn: CN=My User1,OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu
+uid: myuser1
+unixHomeDirectory: /home/myuser1
+loginShell: /usr/bin/bash
+gidNumber: 1200xxxxx
+uidNumber: 12004yyyyy
+</cli>
+Configure LDAP client with SSL certificate
+<cli prompt='#'>
+[root@aix001]/root# mksecldap -c -h ldap_srv.xxx.lu -n 636 -k /etc/security/ldap/ldap.kdb -w "password" -j SSL -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -h ad.mydom.lu -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth -u NONE
+</cli>
 ===== Errors =====
+==== LDAP in debug mode ====
+Add rotation for the debug file
+<cli prompt='#'>
+# cat /etc/logrotate.d/system.conf
+/var/log/syslog/ldap.debug {
+    copytruncate
+    rotate 3
+    size=100M
+}
+</cli>
+Create the debug file
+<cli prompt='#'>
+# touch /var/log/syslog/ldap.debug
+</cli>
+Restart the LDAP daemon in debug mode
+<cli prompt='#'>
+[root@aix01]/root# export LDAP_DEBUG=65535
+[root@aix01]/root# export LDAP_DEBUG_FILE=/var/log/syslog/ldap.debug
+[root@aix01]/root# stop-secldapclntd
+The secldapclntd daemon is successfully terminated.
+[root@aix01]/root# start-secldapclntd
+Starting the secldapclntd daemon.
+The secldapclntd daemon started successfully.
+</cli>
 ==== User password is expired ====
@@ Line 311: / Line 429: @@
 </cli>
+===== Additionnal commands =====
+==== UNIX commands ====
+Check for password of **ldap-sds** user
+<cli prompt='#'>
+# ldapsearch -L -D ...  '(&(objectclass=*)(uid=userad01))' uid uidNumber gidNumber Loginshell unixHomeDirectory
+</cli>
+<cli prompt='#'>
+# ldapsearch -L -D ...  '(&(objectclass=*)(uid=userad01))'
+</cli>
+==== Windows commands ====
+Parameters extracted from Active Directory (using Powershell)
+<cli prompt='>'>
+PS C:\Windows\System32> Get-AdUser -Filter "givenName -eq 'userad01'" -Properties *
+</cli>
+You have 2 commands to list groups Get-ADGroup and Get-ADGroupMember
+<cli prompt='>'>
+PS C:\Windows\System32> Get-ADGroup -Identity 'groupad01' -Properties *
+</cli>
+===== References =====
+https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
+http://www.wmduszyk.com/?p=11663&langswitch_lang=pl&cpage=1#comment-50005
 https://aerostitch.github.io/linux_and_unix/AIX/AIX-Security-Kerberos_Authentication.html

wiki

User Tools

Site Tools

Differences

Page Tools