https://www.ibm.com/developerworks/mydeveloperworks/blogs/paixperiences/entry/aix_ldap_quick_n_dirty?lang=en

Configure LDAP on AIX (from the Security e-Book)

AIX 5.3

Modify the LDAP client configuration in one of two ways.

Using the command line:

mksecldap -c -h ldapserver1,ldapserver2 -a cn=root -p password -S rfc2307aix

or

or by editing the file /etc/security/ldap/ldap.cfg:

ldapservers:ldapserver1,ldapserver2
binddn:cn=proxyuser,dc=azienda,dc=local
bindpwd:secretpassword
authtype:ldap_auth
useSSL: yes
ldapsslkeyf:/etc/security/ldap/ldap.kdb
ldapsslkeypwd:password
serverschematype: rfc2307

userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map

userbasedn:ou=people,dc=azienda,dc=local
groupbasedn:ou=groups,dc=azienda,dc=local

Copy the file ldap.kdb into /etc/security/ldap: this key database contains the public key of the certification authority that issued the LDAP server certificate. Note that this file is generated with the gsk7ikm program.
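The ldap.cfg stanza above stores the proxy bind password and the key-database password in clear text, and its SSL settings decide whether that bind password crosses the network protected. The following audit script is an added example, not from the page or from IBM's tooling: it parses a constructed ldap.cfg (path and values are assumptions, modelled on the stanza above) and reports the settings a defender would verify before starting the client.

```shell
#!/bin/sh
# Added example: audit an AIX secldapclntd ldap.cfg for the settings
# discussed above. Lines are "key:value"; whitespace around ":" is tolerated.

# Print the value of key $2 from file $1 (first match, trailing blanks stripped).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Audit the file: one finding per line on stdout, return value = finding count.
audit_ldap_cfg() {
    f="$1"; n=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # bindpwd/ldapsslkeypwd are clear text, so group/other must have no access.
    mode=$(ls -ld "$f" | cut -c5-10)
    case "$mode" in
        ------) ;;
        *) echo "permissions: $f is group/world accessible ($mode)"; n=$((n+1)) ;;
    esac
    [ -n "$(cfg_get "$f" ldapservers)" ] || { echo "ldapservers: not set"; n=$((n+1)); }
    [ "$(cfg_get "$f" useSSL)" = yes ] || { echo "useSSL: not yes, bind password would travel in clear"; n=$((n+1)); }
    [ -n "$(cfg_get "$f" ldapsslkeyf)" ] || { echo "ldapsslkeyf: no key database configured"; n=$((n+1)); }
    [ "$(cfg_get "$f" authtype)" = ldap_auth ] || { echo "authtype: not ldap_auth"; n=$((n+1)); }
    return $n
}

# Constructed sample (not a real deployment), deliberately left world-readable
# so the audit reports it.
sample=${TMPDIR:-/tmp}/ldap.cfg.sample.$$
cat > "$sample" <<'EOF'
ldapservers:ldapserver1,ldapserver2
binddn:cn=proxyuser,dc=azienda,dc=local
bindpwd:secretpassword
authtype:ldap_auth
useSSL: yes
ldapsslkeyf:/etc/security/ldap/ldap.kdb
EOF
chmod 644 "$sample"
audit_ldap_cfg "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a real system run it as root against /etc/security/ldap/ldap.cfg; a clean file returns 0.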

Start the LDAP client daemon with:

start-secldapclntd

Test that the client works:

lsldap -a passwd

If the above procedure works, autostart the ldap client service using:

mkitab 'ldapclntd:2:once: /usr/sbin/secldapclntd > /dev/console 2>&1'

In /usr/lib/security/methods.cfg, enable the LDAP module with:

LDAP:
    program = /usr/lib/security/LDAP
    program_64 = /usr/lib/security/LDAP64

Set default authentication to LDAP:

chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or files"
chsec -f /etc/security/user -s default -a "registry=LDAP"

Starting with AIX 6.1 TL2, standard authentication (STD_AUTH) can create the user's home directory automatically at first login. With PAM authentication (PAM_AUTH), set the corresponding parameter in /etc/pam.conf instead.

chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true

To allow local login, for each local user stanza in /etc/security/user specify the following:

      SYSTEM = "files"
      registry = files

AIX 6.1

Before doing anything, install the following packages. You can find them on the AIX media.

idsldap.clt32bit61.rte    6.1.0.17    C     F    Directory Server - 32 bit
idsldap.clt64bit61.rte    6.1.0.17    C     F    Directory Server - 64 bit
idsldap.clt_max_crypto32bit61.rte
idsldap.clt_max_crypto64bit61.rte
idsldap.cltbase61.adt     6.1.0.17    C     F    Directory Server - Base Client
idsldap.cltbase61.rte     6.1.0.17    C     F    Directory Server - Base Client

Then re-establish the links with the following command:

/opt/IBM/ldap/V6.1/bin/idslink -l 64

From here on, proceed as for AIX 5.3.

Start/Stop IBM LDAP

root@itds_server - /root >cat /etc/inittab | grep ldap
ldapd63:2:once: /opt/IBM/ldap/V6.3/sbin/ibmslapd -I ldapdb2 -f/home/ldapdb2/idsslapd-ldapdb2/etc/ibmslapd.conf > /dev/console 2>&1
ids0:2345:once:/opt/IBM/ldap/V6.3/sbin/ibmdiradm -I ldapdb2 > /dev/null 2>&1 #Autostart IBM LDAP Admin Daemon Instance
idsweb:2:once:/opt/IBM/ldap/V6.3/idstools/bin/startWebadminApp > /dev/null 2>&1
root@itds_server - /root >cat /etc/rc.shutdown
#!/bin/ksh
#CT_NODE_RUNSTATE_BEGIN: Do not modify this section manually
   if [[ -f /usr/sbin/rsct/bin/ct_node_runstate ]]
   then
        /usr/sbin/rsct/bin/ct_node_runstate -w SHUTDOWN
   fi
#CT_NODE_RUNSTATE_END:

main ()
{

/usr/bin/ibmslapd -k -I ldapdb2
su - ldapdb2 -c "/opt/IBM/ldap/V6.3/sbin/64/ibmdiradm -k"
su - ldapdb2 -c "/home/ldapdb2/sqllib/adm/db2stop"
/opt/IBM/tdsV6.3db2/bin/db2fmcd -k
/opt/IBM/ldap/V6.3/appsrv/profiles/TDSWebAdminProfile/bin/stopServer.sh server1
}
main > /etc/rc.shutdown.log 2>&1

# Exit 0 is required, else server won't stop
exit 0
aix/aix_ldap.1632912521.txt.gz · Last modified: 2021/09/29 12:48 by manu