This is an old revision of the document!
Table of Contents
AIX with Active Directory authentification
Kerberos vs LDAP for authentification ?
Dans la mesure du possible, utilisez l'authentification Kerberos avant tout. Il a été construit pour fournir une authentification/autorisation et est le option la plus sécurisée . Le principe consiste à échanger des informations d'identification dans un environnement qui n'est pas approuvé.
LDAP peut être facilement mal configuré pour envoyer des informations d'identification en texte clair sur le réseau. Pour éviter cela, utilisez toujours LDAPS (TCP636) car il encapsule tout le trafic dans SSL. LDAP est souvent utilisé pour l'authentification/autorisation adhoc, en particulier les applications Web utilisant l'authentification par formulaire.
L'authentification LDAP est une authentification centralisée, ce qui signifie que vous devez vous connecter avec chaque service, mais si vous changez votre mot de passe, il change partout.
Kerberos est à authentification unique (SSO), ce qui signifie que vous vous connectez une fois et obtenez un jeton et n'avez pas besoin de vous connecter à d'autres services.
Il y a un compromis: LDAP est moins pratique mais plus simple. Kerberos est plus pratique mais plus complexe. Les choses sécurisées sont simples et pratiques.
Il n'y a pas de bonne réponse. Si vous avez besoin de l'authentification unique, utilisez Kerberos. Sinon LDAP. Vous pouvez également envisager YP/NIS (sur IPSEC) pour l'authn centralisé.
Le fait que les faucons de sécurité d'OpenBSD aient abandonné Kerberos mais aient créé leur propre serveur LDAP pourrait vous dire quelque chose …
Kerberos can be an addon but it 'll only be used for password authentification, not required as standard LDAP client will do it also.
Required components
- BFF packages : ldap client
IBM Security Directory Client/Server is no longer available on the AIX expansion pack media.
IBM Security Directory Client/Server Version 6.4 is available on the AIX 7 with 7200-03 base media.
Download base version from passport advantage IBM or value pack for partner
And updates from:
https://www.ibm.com/support/pages/recommended-fixes-ibm-security-directory-server-ldap#ver64
Configuring Windows Active Directory
A connection user for AD is required, with rights to read all
These are mandatory attributes to be able to connect from AIX to AD
Configure a group, and set in –> Properties –> Attribute Editor (available into AD advanced mode)
set a numeric value for the parameter **gidNumber** Ex: 20000 (must be uniq) optional parameter to add groups into AIX, on AD's groups, add into the field **MemberUid** user1;user2 --> uid
Create a user, user1, and set the attributes:
**uid** user1 **uidNumber** 200000 **gidNumber** 20000 **Loginshell** /bin/bash **unixHomeDirectory** /home/user1
User without shell will get a bad shell at connection, and the homedir won't be created. If no uidNumber and gidNumber is used, AIX won't see these users.
To list userID and groups (same for AIX and linux), configure a linux server with default Redhat procedure to connect to AD, and list the users and groups IDs
[root@linux01 ~]# su - user1 -c 'id'
Install LDAP client
Install packages from AIX base: idsldap client
First accept the license else packages won't be installed! Then install idsldap
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> echo "1" | ./license/idsLicense [root@aix001]/export/aix7200-03/aix7200-03-03_lpp> installp -d ./ -gaXY idsldap.clt32bit64.rte idsldap.clt64bit64.rte idsldap.clt_max_crypto32bit64.rte idsldap.clt_max_crypto64bit64.rte idsldap.cltbase64.adt idsldap.cltbase64.rte idsldap.license64.rte [root@aix001]/export/aix7200-03/aix7200-03-03_lpp> lslpp -Lc | grep idsl idsldap.clt32bit64:idsldap.clt32bit64.rte:6.4.0.15: : :C: :Directory Server - 32 bit Client: : : : : : :0:0:/: idsldap.clt64bit64:idsldap.clt64bit64.rte:6.4.0.15: : :C: :Directory Server - 64 bit Client: : : : : : :0:0:/: idsldap.clt_max_crypto32bit64:idsldap.clt_max_crypto32bit64.rte:6.4.0.15: : :C: :Directory Server - 32 bit Client (SSL): : : : : : :0:0:/: idsldap.clt_max_crypto64bit64:idsldap.clt_max_crypto64bit64.rte:6.4.0.15: : :C: :Directory Server - 64 bit Client (SSL): : : : : : :0:0:/: idsldap.cltbase64:idsldap.cltbase64.adt:6.4.0.15: : :C: :Directory Server - Base Client: : : : : : :0:0:/: idsldap.cltbase64:idsldap.cltbase64.rte:6.4.0.15: : :C: :Directory Server - Base Client: : : : : : :0:0:/: idsldap.license64:idsldap.license64.rte:6.4.0.15: : :C: :Directory Server - License: : : : : : :0:0:/:
Create the symbolic links to ldap packages
[root@aix001]/root> /opt/IBM/ldap/V6.4/bin/idslink -i -l 32 -g
Test:
[root@aix001]/root> ldapsearch -L -D "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -w xxxxxxxxxxxxxx -h ad.mydom.lu -b "OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory dn: CN=user123,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu ... ldap_search: Sizelimit exceeded
–> I have an error, to many entries to list !
New test:
[root@aix001]/root> ldapsearch -L -D "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -w xxxxxxxxxxxxxx -h ad.mydom.lu -b CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory dn: CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu uid: user1 uidNumber: 200000 gidNumber: 20000 unixHomeDirectory: /home/user1 loginShell: /bin/bash
Connection to Active Directory (unsecure)
Setup LDAP:
[root@aix001]/root> mksecldap -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxxxxx -h ad.mydom.lu -d "OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth Cannot find the group base DN from the ldap server. client setup failed. [root@aix001]/root> mksecldap -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -h ad.mydom.lu -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth
Now it's connected, no output!
[root@aix001]/root> /usr/sbin/ls\-secldapclntd ldapservers=ad.mydom.lu current ldapserver=ad.mydom.lu ldapport=389 active connections=1 ldapversion=3 usercachesize=1000 usercacheused=1 groupcachesize=100 groupcacheused=0 usercachetimeout=300 groupcachetimeout=300 heartbeat interval=300 numberofthread=10 connectionsperserver=10 authtype=LDAP_AUTH searchmode=ALL defaultentrylocation=LDAP ldaptimeout=60 serverschematype=SFUR2 userbasedn=OU=Service Accounts,OU=GRP-Admins,DC=ad,DC=myorg,DC=mydom,DC=lu groupbasedn=OU=Microsoft Exchange Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu userobjectclass=user,person,organizationalperson groupobjectclass=group
–> bad : userbasedn and groupbasedn !!!
If you need to add multiples OU for example userbasedn, add multiple lines like: userbasedn:OU=Service Accounts,OU=GRP-Admins,DC=ad,DC=myorg,DC=mydom,DC=lu userbasedn:OU=Users_specific,DC=ad,DC=myorg,DC=mydom,DC=lu
[root@aix001]/root> /usr/sbin/stop-secldapclntd [root@aix001]/root> vi /etc/security/ldap/ldap.cfg [root@aix001]/root> /usr/sbin/restart\-secldapclntd The secldapclntd daemon is not running. Starting the secldapclntd daemon. The secldapclntd daemon started successfully. [root@aix001]/root> /usr/sbin/ls\-secldapclntd ldapservers=ad.mydom.lu current ldapserver=ad.mydom.lu ldapport=389 active connections=1 ldapversion=3 usercachesize=1000 usercacheused=0 groupcachesize=100 groupcacheused=0 usercachetimeout=300 groupcachetimeout=300 heartbeat interval=300 numberofthread=10 connectionsperserver=10 authtype=LDAP_AUTH searchmode=ALL defaultentrylocation=LDAP ldaptimeout=60 serverschematype=SFUR2 userbasedn=OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu groupbasedn=OU=Grp-Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu userobjectclass=user,person,organizationalperson groupobjectclass=group
List users and groups
[root@aix001]/root> lsgroup -R LDAP ALL testaixgrp id=20000 users=user1 registry=LDAP [root@aix001]/root> lsuser -R LDAP ALL user1 id=200000 pgrp=testaixgrp groups=testaixgrp home=/home/user1 shell=/bin/bash login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=compat or LDAP logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=2 minloweralpha=1 minupperalpha=1 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=0 minlen=11 histexpire=13 histsize=8 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles= [root@aix001]/root> lsuser -R LDAP -f ALL user1: id=200000 pgrp=testaixgrp groups=testaixgrp home=/home/user1 shell=/bin/bash .....
Enable automatic creation of home dir at first login
[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
Test a remote connection
[root@aix001] /root/scripts> ssh user1@aix001 user1@aix001's password: ********************************** * # # ### # # * * ## # # ## ## * * # ## # # # # * * # # ### # # * ********************************** [user1@aix001]/home/user1>
Connection to Active Directory (secure SSL)
Setup LDAP:
Create the key DB
[root@labo]/etc/security/ldap# gsk8capicmd_64 -keydb -create -db /etc/security/ldap/ldap.kdb -pw "password" -type cms -stash [root@labo]/etc/security/ldap# ll ... 4 -rw------- 1 root system 88 Nov 3 15:52 ldap.crl 4 -rw------- 1 root system 88 Nov 3 15:52 ldap.kdb 4 -rw------- 1 root system 88 Nov 3 15:52 ldap.rdb 4 -rw------- 1 root system 193 Nov 3 15:52 ldap.sth
[root@labo]/etc/security/ldap# gsk8capicmd_64 -keydb -list -db /etc/security/ldap/ldap.kdb -pw "password" -stash Currently supported key database types: cms pkcs11 pkcs12 csp pkcs7 KDB file format is CMS version 4 hdmac: ... dbmac: ... KDB password does not expire. Record count 0, Record size 5000 Expected KDB file size is 88 bytes Actual KDB file size is 88 bytes. File size is as expected, good.
I add a CA certificate into the key DB
[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -add -db /etc/security/ldap/ldap.kdb -pw "password" -type pem -file BA_certificate/ca2.ba.cer -label "BA_ca2.cer" [root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -list -db /etc/security/ldap/ldap.kdb -pw "password" Certificates found * default, - personal, ! trusted, # secret key ! BA_ca2.cer [root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -details -db /etc/security/ldap/ldap.kdb -pw "password" -label "BA_ca2.cer" Label : BA_ca2.cer Key Size : 2048 Version : X509 V3 Serial : 5a8xxxxxxxxxxxxxxxxxxf Issuer : CN=CA.BA.LU,DC=ba,DC=lu Subject : CA.BA.LU,DC=ba,DC=lu Not Before : February 5, 2012 5:54:02 PM GMT+01:00 Not After : February 5, 2015 6:04:01 PM GMT+01:00 Public Key ... Trust Status : Enabled
[root@labo]/etc/security/ldap# ldapsearch -L -D "CN=ldap usr,OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu" -w "Mypasswd" -h ldap.ba.lu -p 636 -K /etc/security/ldap/ldap.kdb -b "OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory ... dn: CN=My User1,OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu uid: myuser1 unixHomeDirectory: /home/myuser1 loginShell: /usr/bin/bash gidNumber: 1200xxxxx uidNumber: 12004yyyyy
Configure LDAP client with SSL certificate
[root@aix001]/root> mksecldap -c -h ldap_srv.xxx.lu -n 636 -k /etc/security/ldap/ldap.kdb -w "password" -j SSL -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -h ad.mydom.lu -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth -u NONE
Errors
User password is expired
Accounts seems to be expired on AIX, a work around is to set maxage to 0 (as default)
Check to see if your LDAP server maintains an attribute such as pwdLastSet that serves the same function as shadowLastChange by keeping track of the last time a user's password was changed. Windows AD maintains pwdLastSet, for example. If so, change your attribute map file (designated by the userattrmappath attribute in ldap.cfg) to map lastupdate to this other attribute.
One thing to note is that while shadowLastChange stores its value in 'days since epoch' -
shadowlastchange: 17971
pwdLastSet stores its values as 100-nanosecond intervals since Jan 1, 1601 (UTC) -
pwdLastSet: 132076930680413464
Because of that difference, when setting a mapping for lastupdate → pwdLastSet, the unit used will need to be 'UTC':
lastupdate SEC_INT pwdLastSet s UTC yes
[root@labo]/etc/security/ldap# /usr/sbin/restart-secldapclntd [root@labo]/etc/security/ldap# pwdadm -R LDAP -q user1 user1: lastupdate = 1634548341
(compare that to the 'days' unit that is used for shadowLastChange, shown above).
Also note: any change made to the map files will require a 'restart-secldapclntd' for the change to be seen
If making this change, the LDAP users will still have the local 'maxage' value applied when checking password aging, but it will work correctly and only say the user's password is expired if it truly is.
For info
Convert AD pwdlastset to date using shell
#!/bin/bash BIN_DATE=/opt/freeware/bin/date pwdlastset=132790219411425836 # nano seconds since jan 1st 1601 adseconds=$(echo "scale=0;$pwdlastset/10000000" | bc) # seconds since jan 1st 1601 diffepochsec=$(echo "scale=6;((1970-1601) * 365.242190) * 86400" | bc) # unix epoch - AD epoch * number of tropical days * seconds in a day diffsec=$(echo "scale=6;$adseconds-$diffepochsec" | bc) # unix Timestamp versus of AD timestamp $BIN_DATE --date="@$diffsec" +%Y/%m/%d-%T
User password is expired maxage
Accounts seems to be expired on AIX, a work around is to set maxage to 0 (as default)
Another workarround is to find a parameter unto AD param, that is set to 0 Ex:
[root@labo]/etc/security/ldap# cat sfur2user.map maxage SEC_INT codePage s na yes
This is not the right parameter, but since shadowmax has disappear from AD, there is no substitution
Autologin
Current users in AD are automaticaly logged in with their user without password ???
I use PAM as connection method and one line was missing into /etc/pam.conf, the second in the following file
... sshd auth requisite pam_permission file=/etc/auth.allow found=allow sshd auth required pam_aix
Unable to login
If ssh connection is failing, and you password is OK, no lock…
Check the config file /etc/security/ldap/ldap.cfg, maybe the groupbasedn has a bad definition !!!
Too restrictive in the search, or bad OU
userbasedn:OU=My Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu groupbasedn:OU=app,OU=users Groups,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu
Optional components
- RPM packages : sudo
https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/
RPM packages:
sudo_ids
To integrate sudo with LDAP
https://www.djouxtech.net/posts/aix-ldap-configuration/
To consult /etc/netsvc.conf LDAP first followed by the local sudoers file (if it exists), use:
sudoers = ldap, files
The local sudoers file can be ignored completely by using:
sudoers = ldap
To treat LDAP as authoritative and only use the local sudoers file if the user is not present in LDAP, use:
sudoers = ldap = auth, files
# cat /etc/netsvc.conf hosts=local,bind4 sudoers=ldap,files
Additionnal commands
UNIX commands
Check for password of ldap-sds user
# ldapsearch -L -D ... '(&(objectclass=*)(uid=userad01))' uid uidNumber gidNumber Loginshell unixHomeDirectory
# ldapsearch -L -D ... '(&(objectclass=*)(uid=userad01))'
Windows commands
Parameters extracted from Active Directory (using Powershell)
PS C:\Windows\System32> Get-AdUser -Filter "givenName -eq 'userad01'" -Properties *
You have 2 commands to list groups Get-ADGroup and Get-ADGroupMember
PS C:\Windows\System32> Get-ADGroup -Identity 'groupad01' -Properties *
References
http://www.wmduszyk.com/?p=11663&langswitch_lang=pl&cpage=1#comment-50005
https://aerostitch.github.io/linux_and_unix/AIX/AIX-Security-Kerberos_Authentication.html
https://www.djouxtech.net/posts/aix-ldap-configuration/
http://kb.ictbanking.net/article.php?id=279
https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
https://banck.net/2014/02/preparing-windows-2012-r2-active-directory-for-linux/
