
Configure LDAP AIX

Use the command line:

mksecldap -c -h ldapserver1,ldapserver2 -a cn=root -p password -S rfc2307aix

or edit the file /etc/security/ldap/ldap.cfg:

ldapservers:ldapserver1,ldapserver2
binddn:cn=proxyuser,dc=azienda,dc=local
bindpwd:secretpassword
authtype:ldap_auth
useSSL: yes
ldapsslkeyf:/etc/security/ldap/ldap.kdb
ldapsslkeypwd:password
serverschematype: rfc2307

userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map

userbasedn:ou=people,dc=azienda,dc=local
groupbasedn:ou=groups,dc=azienda,dc=local

Copy the file ldap.kdb to /etc/security/ldap: this key database contains the certificate (public key) of the certification authority that issued the LDAP server's certificate. Note that this file is generated with the gsk7ikm program.

Start the LDAP client daemon with:

start-secldapclntd

Test that the client works:

lsldap -a passwd

If the above procedure works, autostart the ldap client service using:

mkitab 'ldapclntd:2:once: /usr/sbin/secldapclntd > /dev/console 2>&1'

In the file /usr/lib/security/methods.cfg, enable the LDAP module with the following stanza:

  LDAP:
      program = /usr/lib/security/LDAP
      program_64 = /usr/lib/security/LDAP64

Set default authentication to LDAP:

  chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or files"
  chsec -f /etc/security/user -s default -a "registry=LDAP"

Enable automatic creation of the user's home directory at first login; with STD_AUTH (standard authentication) this is available since AIX 6.1 TL2. With PAM_AUTH, add the corresponding parameter to /etc/pam.conf instead.

chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true

To allow local users to log in against the local files (not via LDAP), specify the following in each local user stanza in /etc/security/user:

        SYSTEM = "files"
        registry = files
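As an added example (not part of the original wiki page), the script below audits the result of the procedure above offline: it parses the key:value lines of /etc/security/ldap/ldap.cfg and the stanza format of /etc/security/user and /usr/lib/security/methods.cfg, then checks that useSSL is on, that a CA key database is configured, that the file holding bindpwd is not readable by group or other, that the default stanza points at LDAP, and that local users are pinned to files. All file paths are parameters and the sample files are constructed inline, so it runs on any POSIX system, not only AIX; the function names and the check list are this example's own, not part of AIX.

```shell
#!/bin/sh
# Added example, not from the original page: offline audit of the AIX LDAP
# client settings described above. Paths are parameters so the constructed
# sample files at the bottom can be checked on any POSIX system.

# ldap_cfg_get FILE KEY: print the value of KEY (first match), skipping
# comment lines and trimming whitespace around the value.
ldap_cfg_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# stanza_get FILE STANZA KEY: print the value of "KEY = value" inside the
# "STANZA:" block of an AIX stanza file (comment lines start with "*").
stanza_get() {
    awk -v stanza="$2" -v key="$3" '
        /^[ \t]*[*]/ { next }
        /^[ \t]*[^ \t=]+:[ \t]*$/ {
            cur = $0; gsub(/^[ \t]+|:[ \t]*$/, "", cur); next
        }
        cur == stanza && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/"/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# local_user_ok USER_FILE NAME: 0 when NAME is pinned to the local files
local_user_ok() {
    [ "$(stanza_get "$1" "$2" SYSTEM)" = files ] &&
    [ "$(stanza_get "$1" "$2" registry)" = files ]
}

# audit_ldap_client LDAP_CFG USER_FILE METHODS_CFG: print one "FAIL:" line
# per finding; the return value is the number of findings (0 = all good).
audit_ldap_client() {
    audit_fails=0
    audit_fail() { echo "FAIL: $*"; audit_fails=$((audit_fails + 1)); }

    [ -n "$(ldap_cfg_get "$1" ldapservers)" ] || audit_fail "ldapservers is empty"
    [ "$(ldap_cfg_get "$1" authtype)" = ldap_auth ] || audit_fail "authtype is not ldap_auth"
    [ "$(ldap_cfg_get "$1" useSSL)" = yes ] || audit_fail "useSSL is not yes: bind password and lookups cross the network in clear"
    [ -n "$(ldap_cfg_get "$1" ldapsslkeyf)" ] || audit_fail "ldapsslkeyf (CA key database) is not set"
    # bindpwd and ldapsslkeypwd are stored in clear: group/other must have no access
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || audit_fail "$1 is readable by group/other but holds bindpwd"
    [ "$(stanza_get "$2" default registry)" = LDAP ] || audit_fail "default registry is not LDAP"
    case "$(stanza_get "$2" default SYSTEM)" in
        *LDAP*) ;;
        *) audit_fail "default SYSTEM does not mention LDAP" ;;
    esac
    [ -n "$(stanza_get "$3" LDAP program)" ] || audit_fail "no LDAP stanza in methods.cfg"
    return "$audit_fails"
}

# --- constructed sample files mirroring the page's configuration ----------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ldap.cfg" <<'EOF'
ldapservers:ldapserver1,ldapserver2
binddn:cn=proxyuser,dc=azienda,dc=local
bindpwd:secretpassword
authtype:ldap_auth
useSSL: yes
ldapsslkeyf:/etc/security/ldap/ldap.kdb
EOF
chmod 600 "$SAMPLE_DIR/ldap.cfg"
cat > "$SAMPLE_DIR/user" <<'EOF'
* constructed /etc/security/user after the chsec commands above
default:
        SYSTEM = "LDAP or files"
        registry = LDAP

root:
        SYSTEM = "files"
        registry = files
EOF
cat > "$SAMPLE_DIR/methods.cfg" <<'EOF'
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
EOF
# a weakened copy: TLS switched off and the file left world-readable
sed 's/^useSSL:.*/useSSL: no/' "$SAMPLE_DIR/ldap.cfg" > "$SAMPLE_DIR/ldap-weak.cfg"
chmod 644 "$SAMPLE_DIR/ldap-weak.cfg"

if audit_ldap_client "$SAMPLE_DIR/ldap.cfg" "$SAMPLE_DIR/user" "$SAMPLE_DIR/methods.cfg"; then
    echo "hardened sample: OK"
fi
audit_ldap_client "$SAMPLE_DIR/ldap-weak.cfg" "$SAMPLE_DIR/user" "$SAMPLE_DIR/methods.cfg" \
    || echo "weak sample: $? finding(s)"
```

On a real client, call audit_ldap_client with /etc/security/ldap/ldap.cfg, /etc/security/user and /usr/lib/security/methods.cfg; the weak sample shows the two findings that matter most in practice, a clear-text bind and a bind password readable by every local account.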

Before doing anything, install the following filesets. They are on the AIX media.

idsldap.clt32bit61.rte    6.1.0.17    C     F    Directory Server - 32 bit
idsldap.clt64bit61.rte    6.1.0.17    C     F    Directory Server - 64 bit
idsldap.clt_max_crypto32bit61.rte
idsldap.clt_max_crypto64bit61.rte
idsldap.cltbase61.adt     6.1.0.17    C     F    Directory Server - Base Client
idsldap.cltbase61.rte     6.1.0.17    C     F    Directory Server - Base Client

Then re-establish the links with the following command:

/opt/IBM/ldap/V6.1/bin/idslink -l 64

Start/Stop IBM LDAP

root@itds_server - /root >cat /etc/inittab | grep ldap
ldapd63:2:once: /opt/IBM/ldap/V6.3/sbin/ibmslapd -I ldapdb2 -f/home/ldapdb2/idsslapd-ldapdb2/etc/ibmslapd.conf > /dev/console 2>&1
ids0:2345:once:/opt/IBM/ldap/V6.3/sbin/ibmdiradm -I ldapdb2 > /dev/null 2>&1 #Autostart IBM LDAP Admin Daemon Instance
idsweb:2:once:/opt/IBM/ldap/V6.3/idstools/bin/startWebadminApp > /dev/null 2>&1
root@itds_server - /root >cat /etc/rc.shutdown
#!/bin/ksh
#CT_NODE_RUNSTATE_BEGIN: Do not modify this section manually
   if [[ -f /usr/sbin/rsct/bin/ct_node_runstate ]]
   then
        /usr/sbin/rsct/bin/ct_node_runstate -w SHUTDOWN
   fi
#CT_NODE_RUNSTATE_END:

main ()
{

/usr/bin/ibmslapd -k -I ldapdb2
su - ldapdb2 -c "/opt/IBM/ldap/V6.3/sbin/64/ibmdiradm -k"
su - ldapdb2 -c "/home/ldapdb2/sqllib/adm/db2stop"
/opt/IBM/tdsV6.3db2/bin/db2fmcd -k
/opt/IBM/ldap/V6.3/appsrv/profiles/TDSWebAdminProfile/bin/stopServer.sh server1
}
main > /etc/rc.shutdown.log 2>&1

# Exit 0 is required, else the server won't stop
exit 0
aix/aix_ldap.txt · Last modified: 2021/10/18 15:51 by manu