
AIX with Active Directory authentication

Required components

  • BFF packages: LDAP client

IBM Security Directory Client/Server is no longer available on the AIX expansion pack media.
IBM Security Directory Client/Server Version 6.4 is available on the AIX 7 with 7200-03 base media.

Download the base version from IBM Passport Advantage, or from the Value Pack for partners.

And updates from:
https://www.ibm.com/support/pages/recommended-fixes-ibm-security-directory-server-ldap#ver64

Configuring Windows Active Directory

These attributes are mandatory for AIX to be able to connect to AD.

Configure a group, then open Properties –> Attribute Editor (available in AD advanced mode) and set:

a numeric value for the attribute **gidNumber**, e.g. 20000 (must be unique)
optional, to populate the group's membership on AIX: add the users' **uid** values to the AD group's **memberUid** attribute, e.g. user1;user2

Create a user, user1, and set the attributes:

  **uid** user1
  **uidNumber** 200000
  **gidNumber** 20000
  **loginShell** /bin/bash
  **unixHomeDirectory** /home/user1

A user without a loginShell gets a bad shell at connection time, and the home directory is not created. If uidNumber and gidNumber are not set, AIX does not see the user at all.

To check the user and group IDs (they are the same for AIX and Linux), configure a Linux server with the default Red Hat procedure to join AD, then list the user's and groups' IDs:

[root@linux01 ~]# su - user1 -c 'id'

Install LDAP client

https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol

Install the idsldap client packages from the AIX base media.

First accept the license, otherwise the packages will not install.
Then install idsldap:
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> echo "1" | ./license/idsLicense
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> installp -d ./ -gaXY idsldap.clt32bit64.rte idsldap.clt64bit64.rte idsldap.clt_max_crypto32bit64.rte idsldap.clt_max_crypto64bit64.rte idsldap.cltbase64.adt idsldap.cltbase64.rte idsldap.license64.rte
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> lslpp -Lc | grep idsl
idsldap.clt32bit64:idsldap.clt32bit64.rte:6.4.0.15: : :C: :Directory Server - 32 bit Client: : : : : : :0:0:/:
idsldap.clt64bit64:idsldap.clt64bit64.rte:6.4.0.15: : :C: :Directory Server - 64 bit Client: : : : : : :0:0:/:
idsldap.clt_max_crypto32bit64:idsldap.clt_max_crypto32bit64.rte:6.4.0.15: : :C: :Directory Server - 32 bit Client (SSL): : : : : : :0:0:/:
idsldap.clt_max_crypto64bit64:idsldap.clt_max_crypto64bit64.rte:6.4.0.15: : :C: :Directory Server - 64 bit Client (SSL): : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.adt:6.4.0.15: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.rte:6.4.0.15: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.license64:idsldap.license64.rte:6.4.0.15: : :C: :Directory Server - License: : : : : : :0:0:/:

Create the symbolic links for the LDAP client binaries and libraries (idslink):

[root@aix001]/root> /opt/IBM/ldap/V6.4/bin/idslink -i -l 32 -g

Test:

[root@aix001]/root> ldapsearch -L -D "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -w xxxxxxxxxxxxxx -h ad.mydom.lu -b "OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory
 
dn: CN=user123,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
... 
ldap_search: Sizelimit exceeded

–> Error: too many entries to list, the server's search size limit was exceeded.

New test:

[root@aix001]/root> ldapsearch -L -D "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -w xxxxxxxxxxxxxx -h ad.mydom.lu -b "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory
dn: CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
uid: user1
uidNumber: 200000
gidNumber: 20000
unixHomeDirectory: /home/user1
loginShell: /bin/bash
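To check a whole OU at once for the attributes listed under Configuring Windows Active Directory, the LDIF produced by the ldapsearch above can be piped through the following script. This is an added example, not part of the original page; the sample LDIF is constructed data using the page's DN layout, and check_posix_attrs is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original page): validate ldapsearch LDIF output against
# the attributes AIX needs (uidNumber, gidNumber, loginShell, unixHomeDirectory) and
# flag duplicate uidNumber values. Real use: pipe "ldapsearch -L ..." into check_posix_attrs.

check_posix_attrs() {
    awk '
    function flush(   k) {
        if (dn == "") return
        if (!("uidnumber" in a) || !("gidnumber" in a)) {
            print "INVISIBLE to AIX (missing uidNumber or gidNumber): " dn
        } else {
            if (a["uidnumber"] in seen)
                print "DUPLICATE uidNumber " a["uidnumber"] " (also " seen[a["uidnumber"]] "): " dn
            seen[a["uidnumber"]] = dn
            if (!("loginshell" in a))
                print "NO SHELL (bad shell at login, homedir not created): " dn
            if (!("unixhomedirectory" in a))
                print "NO HOME (unixHomeDirectory missing): " dn
        }
        for (k in a) delete a[k]
        dn = ""
    }
    /^dn: / { flush(); dn = substr($0, 5); next }
    /^[A-Za-z]+: / {                  # LDAP attribute names are case-insensitive
        i = index($0, ": ")
        a[tolower(substr($0, 1, i - 1))] = substr($0, i + 2)
    }
    END { flush() }
    '
}

# Constructed sample LDIF using the page's DN layout (not real AD data):
# user1 is complete, user2 has no uidNumber, user3 reuses user1's uidNumber and has no shell.
SAMPLE_LDIF='dn: CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
uid: user1
uidNumber: 200000
gidNumber: 20000
unixHomeDirectory: /home/user1
loginShell: /bin/bash
dn: CN=user2,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
uid: user2
gidNumber: 20000
dn: CN=user3,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
uid: user3
uidNumber: 200000
gidNumber: 20000
unixHomeDirectory: /home/user3'

printf '%s\n' "$SAMPLE_LDIF" | check_posix_attrs
```

Each reported line names the affected DN after "): ", so the output can be fed to a ticket or a fix-up loop directly.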

Connection to Active Directory

Setup LDAP:

[root@aix001]/root> mksecldap -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxxxxx -h ad.mydom.lu -d "OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth
Cannot find the group base DN from the ldap server.
client setup failed.
[root@aix001]/root> mksecldap -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -h ad.mydom.lu -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth

Now the client is configured; mksecldap prints nothing on success.

[root@aix001]/root> /usr/sbin/ls-secldapclntd
ldapservers=ad.mydom.lu
current ldapserver=ad.mydom.lu
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=1
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userbasedn=OU=Service Accounts,OU=GRP-Admins,DC=ad,DC=myorg,DC=mydom,DC=lu
groupbasedn=OU=Microsoft Exchange Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu
userobjectclass=user,person,organizationalperson
groupobjectclass=group

–> Wrong: mksecldap auto-detected userbasedn and groupbasedn as the wrong OUs; they must be corrected in /etc/security/ldap/ldap.cfg.

If you need several OUs for one setting, for example userbasedn, add one line per OU:
userbasedn:OU=Service Accounts,OU=GRP-Admins,DC=ad,DC=myorg,DC=mydom,DC=lu
userbasedn:OU=Users_specific,DC=ad,DC=myorg,DC=mydom,DC=lu
[root@aix001]/root> /usr/sbin/stop-secldapclntd
[root@aix001]/root> vi /etc/security/ldap/ldap.cfg
[root@aix001]/root> /usr/sbin/restart-secldapclntd
The secldapclntd daemon is not running.
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.
[root@aix001]/root> /usr/sbin/ls-secldapclntd
ldapservers=ad.mydom.lu
current ldapserver=ad.mydom.lu
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=0
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userbasedn=OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
groupbasedn=OU=Grp-Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu
userobjectclass=user,person,organizationalperson
groupobjectclass=group

List users and groups

[root@aix001]/root> lsgroup -R LDAP ALL
testaixgrp id=20000 users=user1 registry=LDAP
[root@aix001]/root> lsuser -R LDAP ALL
user1 id=200000 pgrp=testaixgrp groups=testaixgrp home=/home/user1 shell=/bin/bash login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=compat or LDAP logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=2 minloweralpha=1 minupperalpha=1 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=0 minlen=11 histexpire=13 histsize=8 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
[root@aix001]/root> lsuser -R LDAP -f ALL
user1:
        id=200000
        pgrp=testaixgrp
        groups=testaixgrp
        home=/home/user1
        shell=/bin/bash
.....

Enable automatic creation of the home directory at first login

[root@aix001]/root>  chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true

Test a remote connection

[root@aix001] /root/scripts> ssh user1@aix001
user1@aix001's password:
**********************************
*  #  # ### #   #                *
*  ## #  #  ## ##                *
*  # ##  #  # # #                *
*  #  # ### #   #                *
**********************************
[user1@aix001]/home/user1>

Errors

User password is expired

Accounts appear to be expired on AIX; a workaround is to set maxage to 0 (the default).

Check to see if your LDAP server maintains an attribute such as pwdLastSet that serves the same function as shadowLastChange by keeping track of the last time a user's password was changed. Windows AD maintains pwdLastSet, for example. If so, change your attribute map file (designated by the userattrmappath attribute in ldap.cfg) to map lastupdate to this other attribute.

One thing to note is that while shadowLastChange stores its value in 'days since epoch' -

shadowlastchange: 17971

pwdLastSet stores its values as 100-nanosecond intervals since Jan 1, 1601 (UTC) -

pwdLastSet: 132076930680413464

Because of that difference, when setting a mapping for lastupdate → pwdLastSet, the unit used will need to be 'UTC':

lastupdate        SEC_INT pwdLastSet      s       UTC     yes

(compare that to the 'days' unit that is used for shadowLastChange, shown above).

Also note: any change made to the map files requires a 'restart-secldapclntd' for the change to be seen.

If making this change, the LDAP users will still have the local 'maxage' value applied when checking password aging, but it will work correctly and only say the user's password is expired if it truly is.

For info

Convert an AD pwdLastSet value to a date using the shell

#!/bin/bash
BIN_DATE=/opt/freeware/bin/date   # GNU date from the AIX Toolbox, needed for --date=@epoch

pwdlastset=132790219411425836   # 100-nanosecond intervals since Jan 1st 1601 (UTC)

# Exact offset between the AD epoch (1601-01-01) and the Unix epoch (1970-01-01):
# 134774 days * 86400 seconds = 11644473600 seconds (a 365.2422-day tropical-year
# approximation drifts by several hours, so use the exact value)
adepochoffset=11644473600

adseconds=$(echo "$pwdlastset/10000000" | bc)      # seconds since Jan 1st 1601 (integer division)
unixsec=$(echo "$adseconds-$adepochoffset" | bc)   # seconds since Jan 1st 1970 (Unix timestamp)

$BIN_DATE --date="@$unixsec" +%Y/%m/%d-%T

Optional components

aix/user_adldap.1635846982.txt.gz · Last modified: 2021/11/02 10:56 by manu