Differences

This shows you the differences between two versions of the page.

--- aix:user_adldap [2021/11/10 17:56]
manu
+++ aix:user_adldap [2022/08/22 09:24] (current)
manu [User password is expired]
@@ Line 1: / Line 1: @@
 ====== AIX with Active Directory authentification ======
- {{:aix:logo-aix.png|}}
+Kerberos vs LDAP for authentification ?
-https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
+LDAP and Kerberos together make for a great combination. Kerberos is used to manage credentials securely (authentication) while LDAP is used for holding authoritative information about the accounts, such as what they're allowed to access (authorization), the user's full name and uid. You can also add in helpful things such as an external email address or a room number in a structured way.
-http://www.wmduszyk.com/?p=11663&langswitch_lang=pl&cpage=1#comment-50005
+Most other LDAP setups involve in storing passwords in the LDAP directory itself using the userPassword attribute. While this is ok for a basic setup, one can do much better with just a little effort.
+ {{:aix:logo-aix.png|}}
-http://aerostitch.github.io/linux_and_unix/AIX/AIX-Security-Kerberos_Authentication.html
+Kerberos can be an addon but it 'll only be used for password authentification, not required as standard LDAP client will do it also.
 ===== Required components =====
@@ Line 191: / Line 193: @@
 [root@aix001]/root>  chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
 </cli>
+Change authentification order (to prevent error: Error committing changes to “default”, disable authcontroldomain)
+<cli prompt='>'>
+[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=''
+[root@aix001]/root> chsec -f /etc/security/user -s default -a SYSTEM="files or LDAP"
+[root@aix001]/root> chsec -f /etc/security/user -s default -a registry=LDAP
+[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=LDAP
+</cli>
 Test a remote connection
 <cli prompt='>'>
@@ Line 280: / Line 290: @@
 Configure LDAP client with SSL certificate
 <cli prompt='#'>
-[root@aix001]/root> mksecldap -c -h ldap_srv.xxx.lu -n 636 -k /etc/security/ldap/ldap.kdb -w "password" -j SSL -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -h ad.mydom.lu -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth -u NONE
+[root@aix001]/root# mksecldap -c -h ldap_srv.xxx.lu -n 636 -k /etc/security/ldap/ldap.kdb -w "password" -j SSL -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -h ad.mydom.lu -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth -u NONE
 </cli>
 ===== Errors =====
+==== LDAP in debug mode ====
+Add rotation for the debug file
+<cli prompt='#'>
+# cat /etc/logrotate.d/system.conf
+/var/log/syslog/ldap.debug {
+    copytruncate
+    rotate 3
+    size=100M
+}
+</cli>
+Create the debug file
+<cli prompt='#'>
+# touch /var/log/syslog/ldap.debug
+</cli>
+Restart the LDAP daemon in debug mode
+<cli prompt='#'>
+[root@aix01]/root# export LDAP_DEBUG=65535
+[root@aix01]/root# export LDAP_DEBUG_FILE=/var/log/syslog/ldap.debug
+[root@aix01]/root# stop-secldapclntd
+The secldapclntd daemon is successfully terminated.
+[root@aix01]/root# start-secldapclntd
+Starting the secldapclntd daemon.
+The secldapclntd daemon started successfully.
+</cli>
 ==== User password is expired ====
@@ Line 415: / Line 453: @@
 </cli>
+===== References =====
+https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
+http://www.wmduszyk.com/?p=11663&langswitch_lang=pl&cpage=1#comment-50005
 https://aerostitch.github.io/linux_and_unix/AIX/AIX-Security-Kerberos_Authentication.html

wiki

User Tools

Site Tools

Differences

Page Tools