===== LDAP client configuration on AIX =====

==== Install LDAP client AIX packages ====

The latest AIX client package is called **IBM Security Verify Directory**, version 10.x.x. Search IBM Fix Central (https://www-945.ibm.com/support/fixcentral/) for the latest packages of "IBM Security Directory Server".

//Example packages//

<code>
6.4.0.10-ISS-ISDS-AIX-IF0010.tar.gz
8.0.50.67-ISS-GSKIT-AIX-FP0067.tar.gz
</code>

Untar the packages, then go into the directories and install ISS-GSKIT-AIX first. Then, in the ISS-ISDS-AIX folder, accept the license and install the 64-bit client filesets:

<code>
echo 1 | ./license/idsLicense
cd images
installp -agXY -d ./ idsldap.license64 idsldap.clt_max_crypto64bit64 idsldap.clt64bit64
</code>

The 32-bit LDAP client packages are also required:

<code>
installp -agXY -d ./ idsldap.clt32bit64 idsldap.clt_max_crypto32bit64
</code>

Check the installed filesets:

<code>
[root@ldapclt]/root# lslpp -Lc | egrep 'idsldap|GSK'
GSKit8:GSKit8.gskcrypt64.ppc.rte:8.0.50.67: : :C: :IBM GSKit Cryptography Runtime: : : : : : :0:0:/:
GSKit8:GSKit8.gskssl64.ppc.rte:8.0.50.67: : :C: :IBM GSKit SSL Runtime With Acme Toolkit: : : : : : :0:0:/:
idsldap.clt32bit64:idsldap.clt32bit64.rte:6.4.0.10: : :C: :Directory Server - 32 bit Client: : : : : : :0:0:/:
idsldap.clt64bit64:idsldap.clt64bit64.rte:6.4.0.10: : :C: :Directory Server - 64 bit Client: : : : : : :0:0:/:
idsldap.clt_max_crypto32bit64:idsldap.clt_max_crypto32bit64.rte:6.4.0.10: : :C: :Directory Server - 32 bit Client (SSL): : : : : : :0:0:/:
idsldap.clt_max_crypto64bit64:idsldap.clt_max_crypto64bit64.rte:6.4.0.10: : :C: :Directory Server - 64 bit Client (SSL): : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.adt:6.4.0.10: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.rte:6.4.0.10: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.license64:idsldap.license64.rte:6.4.0.10: : :C: :Directory Server - License: : : : : : :0:0:/:
</code>

==== Configure LDAP client AIX ====

As the following example shows, when the OpenLDAP server is set up with the rfc2307aix schema, this is reflected in the AIX client configuration as serverschematype=RFC2307AIX.

<code>
[root@ldapclt]/root# mksecldap -c -h rhldaph1.mydom.lu -A ldap_auth -D ldap -d "dc=myldapdom,dc=tst" -a "cn=Manager,dc=myldapdom,dc=tst" -p ldapp@ssword -S rfc2307aix -u NONE
[root@ldapclt]/root# ls-secldapclntd
ldapservers=rhldaph1.mydom.lu
current ldapserver=rhldaph1.mydom.lu
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=1
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=RFC2307AIX
userbasedn=ou=people,dc=myldapdom,dc=tst
groupbasedn=ou=groups,dc=myldapdom,dc=tst
userobjectclass=posixaccount,account,shadowaccount,aixauxaccount,ibm-securityIdentities
groupobjectclass=posixgroup,aixauxgroup
[root@ldapclt]/root# ps -ef | grep ldap
    root  5767328        1   0 10:40:18      -  0:00 /usr/sbin/secldapclntd
</code>

==== List all users on LDAP, create users and groups ====

**From now on, don't forget to add -R LDAP or -R files to your commands.**

<code>
[root@ldapclt]/root# lsuser -R LDAP ALL
ldapuser1 id=6001 pgrp=grouptest1 groups=grouptest1 home=/home/ldapuser1 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
[root@ldapclt]/root# mkgroup -R LDAP id=1 staff
[root@ldapclt]/root# mkuser -R LDAP id=6002 pgrp=staff ldapuser2
[root@ldapclt]/root# lsuser -R LDAP ALL
ldapuser1 id=6001 pgrp=grouptest1 groups=grouptest1 home=/home/ldapuser1 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
ldapuser2 id=6002 pgrp=staff groups=staff home=/home/ldapuser2 shell=/usr/bin/ksh93 auditclasses=general,SRC,cron,tcpip login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
</code>

Change the AIX default behaviour so that users authenticate against LDAP by default (except root), and create the home directory at first login:

<code>
[root@ldapclt]/root# chsec -f /etc/security/user -s default -a registry=LDAP
[root@ldapclt]/root# chsec -f /etc/security/user -s default -a SYSTEM=LDAP
[root@ldapclt]/root# chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
[root@ldapclt]/root# chdev -l sys0 -a max_logname=256
[root@ldapclt]/root# chdev -l sys0 -a ngroups_allowed=2048
</code>

The AIX LDAP configuration files and schema are stored in /etc/security/ldap/, /etc/security/login.cfg and /etc/security/user.

<code>
[root@ldapclt]/etc/security/ldap# cat ldap.cfg | grep -v '^#' | sed '/^$/d'
ldapservers:rhldaph1.mydom.lu
binddn:cn=Manager,dc=myldapdom,dc=tst
bindpwd:{DESv2}DA483A108C643477D2B2F1927C07C1AAE512FB8325B81B6
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/2307aixuser.map
groupattrmappath:/etc/security/ldap/2307aixgroup.map
userbasedn:ou=people,dc=myldapdom,dc=tst
groupbasedn:ou=groups,dc=myldapdom,dc=tst
userclasses:posixaccount,account,shadowaccount,aixauxaccount,ibm-securityIdentities
groupclasses:posixgroup,aixauxgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:rfc2307aix
[root@ldapclt]/etc/security/ldap# ll
total 396
  4 drwxr-xr-x    2 root     security       4096 Oct 20 10:58 .
  4 drwxr-x---   12 root     security       4096 Oct 19 00:17 ..
  4 -rw-r-----    1 root     security       2973 May 19 16:41 2307aixgroup.map
  8 -rw-r-----    1 root     security       7863 May 19 16:41 2307aixuser.map
  4 -rw-r-----    1 root     security       2598 Apr 18 2010  2307group.map
  4 -rw-r-----    1 root     security       3429 Aug 23 2010  2307user.map
120 -rw-r-----    1 root     security     122375 Jun 07 12:10 aixSchemaForAD.ldif
 52 -rw-r-----    1 root     security      50385 Jun 07 12:10 aixSchemaForNS5.ldif
  4 -rw-r-----    1 root     security       2852 May 19 16:41 aixgroup.map
  4 -rw-r-----    1 root     security       2837 May 25 2010  aixid.map
  8 -rw-r-----    1 root     security       7515 May 19 16:41 aixuser.map
 12 -rw-------    1 root     security      12102 Oct 20 10:58 ldap.cfg
  4 -rw-r--r--    1 root     system            1 Jun 21 2011  ldap.cfg.SS
 12 -rw-------    1 root     system        11573 Oct 20 10:58 ldap.cfg.save
 12 -rw-------    1 root     system        11573 Oct 20 10:58 ldap.cfg.save.orig
  4 -rw-r-----    1 root     security       1567 Sep 21 2009  ldapid.ldif.template
 28 -rw-r-----    1 root     security      25523 Feb 19 2008  nisSchema.ldif
  4 -rw-------    1 root     security       3893 Sep 21 2009  proxy.ldif.template
 52 -rw-r-----    1 root     security      52063 Jun 07 12:10 sec.ldif
  4 -rw-r-----    1 root     security       2294 Apr 23 2009  sectoldif.cfg
  4 -rw-r-----    1 root     security       2495 May 25 2010  sfu20group.map
  4 -rw-r-----    1 root     security       2933 May 25 2010  sfu20user.map
  4 -rw-r-----    1 root     security       2781 May 25 2010  sfu30aixgroup.map
  8 -rw-r-----    1 root     security       7634 May 17 2011  sfu30aixuser.map
  4 -rw-r-----    1 root     security       2503 Aug 23 2010  sfu30group.map
  4 -rw-r-----    1 root     security       3005 Aug 23 2010  sfu30user.map
  4 -rw-r-----    1 root     security       2739 May 25 2010  sfur2aixgroup.map
  8 -rw-r-----    1 root     security       7611 May 17 2011  sfur2aixuser.map
  4 -rw-r-----    1 root     security       2390 May 25 2010  sfur2group.map
  4 -rw-r-----    1 root     security       2853 May 25 2010  sfur2user.map
</code>

==== Error LDAP userpassword set to crypt ====

The password algorithm used to hash the user's password stored in LDAP is defined in the LDAP client configuration, not on the server. Changing the server-side password algorithm (parameter ibm-slapdPwEncryption in ibmslapd.conf) has no effect on the hashes the AIX client writes!

On the client, edit the file /etc/security/ldap/ldap.cfg and change the parameter pwdalgorithm:

<code>
pwdalgorithm:system
</code>

Then change the password algorithm used by the system to hash passwords (file /etc/security/login.cfg):

<code>
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512
</code>

Algorithms supported on AIX are: crypt (default), smd5, ssha1, ssha256, ssha512, sblowfish.

Now restart the LDAP client, and try to change the password:

<code>
/usr/sbin/restart-secldapclntd
[root@ldapclt]/root# ps -ef | grep sec
    root 12386516        1   0 10:58:40      -  0:00 /usr/sbin/secldapclntd
</code>

Before the change:

<code>
root@tstbcp - /etc/security > /usr/sbin/lsldap -a passwd testuser
uid: testuser
...
userpassword: {crypt}3pqRiHBWWjDNU
</code>

After:

<code>
root@tstbcp - /etc/security > echo "testuser:testuser" | chpasswd -R LDAP -c
root@tstbcp - /etc/security > /usr/sbin/lsldap -a passwd testuser
uid: testuser
...
{ssha512}06$hedp1Ro5Rcmx.Sbi$X5qt.m0f6vsztKA2HBS3q9e2K98fceb92gEiuuzh7TCYoAQMFbo6mPZHk/AwGNsh8RRQWmVhPXjoO1CLseZi..
</code>
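As an added example (not from the original page), a small POSIX shell check that parses ''lsldap -a passwd'' style output and lists the accounts whose userpassword is still stored with a scheme outside an allowed list, so that entries left with the weak {crypt} scheme can be found after pwd_algorithm has been changed. The sample output below is constructed; on a real client you would feed the functions the output of /usr/sbin/lsldap -a passwd instead, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: report the password hash
# scheme of each LDAP account and flag schemes that are not allowed.

# Constructed sample, mimicking "lsldap -a passwd" output for three users.
SAMPLE_LSLDAP='uid: testuser
userpassword: {crypt}3pqRiHBWWjDNU

uid: ldapuser1
userpassword: {ssha512}06$constructedsalt$constructedhash

uid: ldapuser2
userpassword: {smd5}constructedhash
'

# Print "uid scheme" per account; the scheme is the {...} prefix, lower-cased.
# $1 = lsldap output as a string.
hash_schemes() {
    printf '%s\n' "$1" | awk '
        /^uid: / { uid = $2 }
        /^userpassword: / {
            s = $2
            sub(/^\{/, "", s); sub(/\}.*/, "", s)
            print uid, tolower(s)
        }'
}

# Print the uids whose scheme is not in the allowed list.
# $1 = lsldap output, $2 = space-separated allowed schemes (e.g. "ssha512 ssha256").
weak_hash_users() {
    hash_schemes "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print $1 }'
}

# Exit status for scripting: 0 if every account uses an allowed scheme, 1 otherwise.
check_hash_policy() {
    [ -z "$(weak_hash_users "$1" "$2")" ]
}

# Demonstration on the constructed sample: prints testuser and ldapuser2.
weak_hash_users "$SAMPLE_LSLDAP" "ssha512 ssha256 sblowfish"
```

Note that switching pwd_algorithm only affects passwords changed afterwards; existing {crypt} values stay in the directory until each user's password is changed, which is what this check is meant to surface.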