aix:user_adldap

Differences

aix:user_adldap [2021/11/10 17:59]
manu
aix:user_adldap [2022/08/22 09:24] (current)
manu [User password is expired]
Line 1: Line 1:
 ====== AIX with Active Directory authentification ====== ====== AIX with Active Directory authentification ======
 +
 +Kerberos vs LDAP for authentification ?
 +
 +LDAP and Kerberos together make for a great combination. Kerberos is used to manage credentials securely (authentication) while LDAP is used for holding authoritative information about the accounts, such as what they'​re allowed to access (authorization),​ the user's full name and uid. You can also add in helpful things such as an external email address or a room number in a structured way.
 +
 +Most other LDAP setups involve in storing passwords in the LDAP directory itself using the userPassword attribute. While this is ok for a basic setup, one can do much better with just a little effort. ​
  
  ​{{:​aix:​logo-aix.png|}}  ​{{:​aix:​logo-aix.png|}}
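Review bot: the heading and the new question line spell "authentification"; the English term is "authentication" (applies to the existing heading text as well as the added line). The added paragraph describes the Kerberos (authentication) plus LDAP (authorization) split but never says which model this page actually configures; the mksecldap command later in the page uses -A ldap_auth with a bind DN and password, i.e. LDAP-bind authentication against Active Directory rather than Kerberos, so one sentence stating that would stop the intro from implying a Kerberos setup. Minor grammar: "involve in storing passwords" should read "involve storing passwords".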
Line 187: Line 193:
 [root@aix001]/​root> ​ chsec -f /​etc/​security/​login.cfg -s usw -a mkhomeatlogin=true [root@aix001]/​root> ​ chsec -f /​etc/​security/​login.cfg -s usw -a mkhomeatlogin=true
 </​cli>​ </​cli>​
- + 
 +Change authentification order (to prevent error: Error committing changes to “default”,​ disable authcontroldomain)  
 +<cli prompt='>'>​ 
 +[root@aix001]/​root>​ chsec -f /​etc/​security/​login.cfg -s usw -a authcontroldomain=''​ 
 +[root@aix001]/​root>​ chsec -f /​etc/​security/​user -s default -a SYSTEM="​files or LDAP"​ 
 +[root@aix001]/​root>​ chsec -f /​etc/​security/​user -s default -a registry=LDAP 
 +[root@aix001]/​root>​ chsec -f /​etc/​security/​login.cfg -s usw -a authcontroldomain=LDAP 
 +</​cli>​ 
 Test a remote connection Test a remote connection
 <cli prompt='>'>​ <cli prompt='>'>​
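Review bot: the four chsec lines set registry=LDAP and SYSTEM="files or LDAP" on the default stanza of /etc/security/user, which is inherited by every account without explicit values of its own; before the final authcontroldomain=LDAP line it is worth checking that root keeps local resolution (lsuser -a SYSTEM registry root) and, if it does not, pinning it with `chsec -f /etc/security/user -s root -a SYSTEM=compat -a registry=files`, so root can still log in when the LDAP server is unreachable. The lead sentence should also say why authcontroldomain is cleared first and then set back to LDAP (it currently only names the error being avoided), and "authentification" should be "authentication".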
Line 276: Line 290:
 Configure LDAP client with SSL certificate Configure LDAP client with SSL certificate
 <cli prompt='#'>​ <cli prompt='#'>​
-[root@aix001]/​rootmksecldap -c -h ldap_srv.xxx.lu -n 636 -k /​etc/​security/​ldap/​ldap.kdb -w "​password"​ -j SSL -c -a "​CN=user1,​OU=Grp-Users,​DC=ad,​DC=myorg,​DC=mydom,​DC=lu"​ -p xxxxxxxxxx -h ad.mydom.lu -d "​DC=ad,​DC=myorg,​DC=mydom,​DC=lu"​ -A ldap_auth -u NONE+[root@aix001]/​rootmksecldap -c -h ldap_srv.xxx.lu -n 636 -k /​etc/​security/​ldap/​ldap.kdb -w "​password"​ -j SSL -c -a "​CN=user1,​OU=Grp-Users,​DC=ad,​DC=myorg,​DC=mydom,​DC=lu"​ -p xxxxxxxxxx -h ad.mydom.lu -d "​DC=ad,​DC=myorg,​DC=mydom,​DC=lu"​ -A ldap_auth -u NONE
 </​cli>​ </​cli>​
 ===== Errors ===== ===== Errors =====
 +
 +==== LDAP in debug mode ====
 +
 +Add rotation for the debug file
 +<cli prompt='#'>​
 +# cat /​etc/​logrotate.d/​system.conf
 +/​var/​log/​syslog/​ldap.debug {
 +    copytruncate
 +    rotate 3
 +    size=100M
 +}
 +</​cli>​
 +
 +Create the debug file
 +<cli prompt='#'>​
 +# touch /​var/​log/​syslog/​ldap.debug
 +</​cli>​
 +
 +Restart the LDAP daemon in debug mode
 +<cli prompt='#'>​
 +[root@aix01]/​root#​ export LDAP_DEBUG=65535
 +[root@aix01]/​root#​ export LDAP_DEBUG_FILE=/​var/​log/​syslog/​ldap.debug
 +[root@aix01]/​root#​ stop-secldapclntd
 +The secldapclntd daemon is successfully terminated.
 +[root@aix01]/​root#​ start-secldapclntd
 +Starting the secldapclntd daemon.
 +The secldapclntd daemon started successfully.
 +</​cli>​
  
 ==== User password is expired ==== ==== User password is expired ====
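Review bot: LDAP_DEBUG=65535 enables full client tracing, and the trace in /var/log/syslog/ldap.debug can contain bind DNs, search filters and directory data; the `touch` creates the file with the default umask and the logrotate stanza has no create/mode line, so the section should create the file root-only (`chmod 600 /var/log/syslog/ldap.debug`) and end with unsetting LDAP_DEBUG and LDAP_DEBUG_FILE and restarting secldapclntd once the problem is found, otherwise the daemon keeps tracing indefinitely. Two smaller points: the heading says "LDAP daemon" while the commands restart secldapclntd, the AIX LDAP client daemon, and the prompts switch from aix001 to aix01. In the same hunk, the unchanged mksecldap line passes both -c and -h twice and supplies the bind password with -p on the command line, where it is visible in ps output and shell history.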
aix/user_adldap.1636563546.txt.gz · Last modified: 2021/11/10 17:59 by manu