IBM Security Directory Client/Server is no longer available on the AIX expansion pack media.
IBM Security Directory Client/Server Version 6.4 is available on the AIX 7 with 7200-03 base media.
Download the base version from IBM Passport Advantage (or from the Value Pack if you are a partner), and the fix packs from:
https://www.ibm.com/support/pages/recommended-fixes-ibm-security-directory-server-ldap#ver64
The following attributes are mandatory for AIX to be able to resolve users and groups from AD.
Create a group and, in Active Directory Users and Computers, open Properties –> Attribute Editor (the tab is only shown when Advanced Features is enabled in the View menu).
Set a numeric value for **gidNumber**, e.g. 20000 (it must be unique). Optionally, to make the group membership visible on AIX, add the users' uid values to the group's **memberUid** attribute (user1;user2 --> one value per uid).
Create a user, user1, and set the attributes:
**uid** user1
**uidNumber** 200000
**gidNumber** 20000
**loginShell** /bin/bash
**unixHomeDirectory** /home/user1
A user without loginShell gets a bad shell at login, and without unixHomeDirectory the home directory is not created. If uidNumber and gidNumber are missing, AIX does not see the user at all.
To check which UID and GIDs a user gets (they are the same on AIX and Linux, since both read the same attributes), join a Linux server to AD with the standard Red Hat procedure and list them:
[root@linux01 ~]# su - user1 -c 'id'
Install the idsldap client filesets from the AIX base media.
Accept the license first, otherwise the filesets will not install. Then install idsldap:
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> echo "1" | ./license/idsLicense
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> installp -d ./ -gaXY idsldap.clt32bit64.rte idsldap.clt64bit64.rte idsldap.clt_max_crypto32bit64.rte idsldap.clt_max_crypto64bit64.rte idsldap.cltbase64.adt idsldap.cltbase64.rte idsldap.license64.rte
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> lslpp -Lc | grep idsl
idsldap.clt32bit64:idsldap.clt32bit64.rte:6.4.0.15: : :C: :Directory Server - 32 bit Client: : : : : : :0:0:/:
idsldap.clt64bit64:idsldap.clt64bit64.rte:6.4.0.15: : :C: :Directory Server - 64 bit Client: : : : : : :0:0:/:
idsldap.clt_max_crypto32bit64:idsldap.clt_max_crypto32bit64.rte:6.4.0.15: : :C: :Directory Server - 32 bit Client (SSL): : : : : : :0:0:/:
idsldap.clt_max_crypto64bit64:idsldap.clt_max_crypto64bit64.rte:6.4.0.15: : :C: :Directory Server - 64 bit Client (SSL): : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.adt:6.4.0.15: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.rte:6.4.0.15: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.license64:idsldap.license64.rte:6.4.0.15: : :C: :Directory Server - License: : : : : : :0:0:/:
Create the symbolic links to ldap packages
[root@aix001]/root> /opt/IBM/ldap/V6.4/bin/idslink -i -l 32 -g
Test the bind and the search with ldapsearch:
[root@aix001]/root> ldapsearch -L -D "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -w xxxxxxxxxxxxxx -h ad.mydom.lu -b "OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory
dn: CN=user123,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
...
ldap_search: Sizelimit exceeded
–> The search returns an error: there are too many entries under this base to list them all.
New test, with the user's own DN as search base:
[root@aix001]/root> ldapsearch -L -D "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -w xxxxxxxxxxxxxx -h ad.mydom.lu -b "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory
dn: CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
uid: user1
uidNumber: 200000
gidNumber: 20000
unixHomeDirectory: /home/user1
loginShell: /bin/bash
Set up the LDAP client with mksecldap:
[root@aix001]/root> mksecldap -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxxxxx -h ad.mydom.lu -d "OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth
Cannot find the group base DN from the ldap server.
client setup failed.
[root@aix001]/root> mksecldap -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -h ad.mydom.lu -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth
With the domain root as base DN the client setup succeeds; mksecldap prints nothing on success. Check what the daemon is using:
[root@aix001]/root> /usr/sbin/ls-secldapclntd
ldapservers=ad.mydom.lu
current ldapserver=ad.mydom.lu
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=1
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userbasedn=OU=Service Accounts,OU=GRP-Admins,DC=ad,DC=myorg,DC=mydom,DC=lu
groupbasedn=OU=Microsoft Exchange Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu
userobjectclass=user,person,organizationalperson
groupobjectclass=group
–> Wrong: the userbasedn and groupbasedn that mksecldap detected are not the OUs our users and groups live in. They must be corrected in /etc/security/ldap/ldap.cfg.
If you need several OUs for one setting, for example userbasedn, add one line per OU in ldap.cfg:
userbasedn:OU=Service Accounts,OU=GRP-Admins,DC=ad,DC=myorg,DC=mydom,DC=lu
userbasedn:OU=Users_specific,DC=ad,DC=myorg,DC=mydom,DC=lu
Stop the daemon, edit the configuration, restart it and check again:
[root@aix001]/root> /usr/sbin/stop-secldapclntd
[root@aix001]/root> vi /etc/security/ldap/ldap.cfg
[root@aix001]/root> /usr/sbin/restart-secldapclntd
The secldapclntd daemon is not running.
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.
[root@aix001]/root> /usr/sbin/ls-secldapclntd
ldapservers=ad.mydom.lu
current ldapserver=ad.mydom.lu
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=0
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userbasedn=OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
groupbasedn=OU=Grp-Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu
userobjectclass=user,person,organizationalperson
groupobjectclass=group
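Because mksecldap guesses the base DNs and, as shown above, can guess wrong without failing, it is worth checking the running daemon's settings against the OUs the users and groups really live in, for example from a post-install check or a monitoring job. The script below is an added example and not part of the original page: it parses the key=value lines that ls-secldapclntd prints and reports any mismatch against the expected base DNs, a missing LDAP_AUTH authtype, and the use of port 389. The expected DNs and the two embedded status samples are taken from this page; the samples are constructed copies of the output shown above, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original page: compare the base DNs that
# secldapclntd actually uses (as printed by /usr/sbin/ls-secldapclntd)
# with the OUs the AIX users and groups really live under.

# Expected values for the directory on this page; adapt them to yours.
EXPECTED_USERBASEDN='OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu'
EXPECTED_GROUPBASEDN='OU=Grp-Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu'

# Constructed copy of the ls-secldapclntd output right after mksecldap,
# with the base DNs mksecldap guessed on its own.
BAD_STATUS='ldapservers=ad.mydom.lu
current ldapserver=ad.mydom.lu
ldapport=389
active connections=1
authtype=LDAP_AUTH
serverschematype=SFUR2
userbasedn=OU=Service Accounts,OU=GRP-Admins,DC=ad,DC=myorg,DC=mydom,DC=lu
groupbasedn=OU=Microsoft Exchange Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu
userobjectclass=user,person,organizationalperson
groupobjectclass=group'

# Constructed copy of the output after ldap.cfg was corrected and the
# daemon restarted.
GOOD_STATUS='ldapservers=ad.mydom.lu
current ldapserver=ad.mydom.lu
ldapport=389
active connections=1
authtype=LDAP_AUTH
serverschematype=SFUR2
userbasedn=OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
groupbasedn=OU=Grp-Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu
userobjectclass=user,person,organizationalperson
groupobjectclass=group'

# check_secldap EXPECTED_USERBASEDN EXPECTED_GROUPBASEDN
# Reads ls-secldapclntd output on stdin and prints one finding per line;
# prints nothing when everything matches.
check_secldap() {
  awk -v ub="$1" -v gb="$2" '
    {
      p = index($0, "=")                    # split "key=value" on the first "="
      if (p == 0) next
      cfg[substr($0, 1, p - 1)] = substr($0, p + 1)
    }
    END {
      if (cfg["userbasedn"] != ub)
        print "userbasedn is \"" cfg["userbasedn"] "\" but users live under \"" ub "\""
      if (cfg["groupbasedn"] != gb)
        print "groupbasedn is \"" cfg["groupbasedn"] "\" but groups live under \"" gb "\""
      if (cfg["authtype"] != "LDAP_AUTH")
        print "authtype is \"" cfg["authtype"] "\", expected LDAP_AUTH (mksecldap -A ldap_auth)"
      # Plain LDAP on 389: the bind password and every lookup cross the
      # network unencrypted, which is what this page'"'"'s setup does.
      if (cfg["ldapport"] == "389")
        print "ldapport=389: bind password and lookups are sent as cleartext LDAP"
    }'
}

# Finding counts for the two constructed samples: the bad status yields
# three findings (both base DNs and the port), the good one only the port.
bad_finding_count() {
  printf '%s\n' "$BAD_STATUS" | check_secldap "$EXPECTED_USERBASEDN" "$EXPECTED_GROUPBASEDN" | wc -l | tr -d ' '
}
good_finding_count() {
  printf '%s\n' "$GOOD_STATUS" | check_secldap "$EXPECTED_USERBASEDN" "$EXPECTED_GROUPBASEDN" | wc -l | tr -d ' '
}

# Show the findings for the uncorrected status when run directly.
printf '%s\n' "$BAD_STATUS" | check_secldap "$EXPECTED_USERBASEDN" "$EXPECTED_GROUPBASEDN"
```

On the AIX client itself the check is `/usr/sbin/ls-secldapclntd | check_secldap "$EXPECTED_USERBASEDN" "$EXPECTED_GROUPBASEDN"`; a non-empty result after mksecldap means ldap.cfg needs the same correction as above.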
List the users and groups from the LDAP registry:
[root@aix001]/root> lsgroup -R LDAP ALL
testaixgrp id=20000 users=user1 registry=LDAP
[root@aix001]/root> lsuser -R LDAP ALL
user1 id=200000 pgrp=testaixgrp groups=testaixgrp home=/home/user1 shell=/bin/bash login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=compat or LDAP logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=2 minloweralpha=1 minupperalpha=1 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=0 minlen=11 histexpire=13 histsize=8 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
[root@aix001]/root> lsuser -R LDAP -f ALL
user1:
        id=200000
        pgrp=testaixgrp
        groups=testaixgrp
        home=/home/user1
        shell=/bin/bash
        .....
Enable automatic creation of the home directory at first login:
[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
Test a remote connection:
[root@aix001] /root/scripts> ssh user1@aix001
user1@aix001's password:
(login banner)
[user1@aix001]/home/user1>
For sudo, use the sudo_ids RPM package from the AIX Toolbox, which is the build used here for the LDAP integration:
https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/
To integrate sudo with LDAP, see:
https://www.djouxtech.net/posts/aix-ldap-configuration/
The lookup order for sudoers is set in /etc/netsvc.conf. To consult LDAP first, followed by the local sudoers file (if it exists), use:
sudoers = ldap, files
The local sudoers file can be ignored completely with:
sudoers = ldap
To treat LDAP as authoritative and only fall back to the local sudoers file when the user is not present in LDAP, use:
sudoers = ldap = auth, files
# cat /etc/netsvc.conf
hosts=local,bind4
sudoers=ldap,files
https://aerostitch.github.io/linux_and_unix/AIX/AIX-Security-Kerberos_Authentication.html
https://www.djouxtech.net/posts/aix-ldap-configuration/
http://kb.ictbanking.net/article.php?id=279
https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
https://banck.net/2014/02/preparing-windows-2012-r2-active-directory-for-linux/