
LDAP map modification

LDAP map for AD connection

These are my maps to connect to AD; I'm using LDAP RFC2107.

AIX, like every UNIX/Linux system, always works with numeric IDs for users as well as for groups.

On AD, for each user and group used by AIX, set the following parameters (required). For info, on Linux these parameters are simulated through sssd.

User

Parameter          Value          Comment
uid                user01         lowercase
unixHomeDirectory  /home/user01   lowercase
loginShell         /usr/bin/bash  shell: keep bash everywhere
gidNumber          1200123456     primary group ID (always aix-group)
uidNumber          1200789012     user ID

For info: the home directory can also take a different form, e.g. /home/user01@mydomain.lu

Group

ALL groups need a gidNumber.

Parameter   Value
name        aix-group
gidNumber   1200123456

[root@aix01]/root# cat /etc/security/ldap/sfur2user.map
username        SEC_CHAR        uid                     s       na      yes
id              SEC_INT         uidNumber               s       na      yes
pgrp            SEC_CHAR        gidNumber               s       na      yes
home            SEC_CHAR        unixhomeDirectory       s       na      yes
shell           SEC_CHAR        loginShell              s       na      yes
gecos           SEC_CHAR        gecos                   s       na      yes
spassword       SEC_CHAR        unicodePwd              s
lastupdate      SEC_INT         pwdLastSet              s       UTC     no
#time_last_login SEC_INT         lastLogon               s       UTC     no
maxage          SEC_INT         codePage                s       na      yes
minage          SEC_INT         shadowMin               s       na      yes
maxexpired      SEC_INT         shadowExpire            s       na      yes
pwdwarntime     SEC_INT         shadowWarning           s       na      yes
pgid            SEC_INT         gidnumber               s       na      yes

time_last_login is commented out because AIX tries to write that field back into AD, which is not allowed.

[root@aix01]/root# cat /etc/security/ldap/sfur2group.map
groupname       SEC_CHAR        cn                      s       na      yes
id              SEC_INT         gidNumber               s       na      yes
users           SEC_LIST        member                  m       na      yes

username

LDAPA will only use the user map file, but the group map file also needs to be specified in ldap.cfg, otherwise secldapclntd won't start.

Look at the user map file and note the “username” entry. For the sfur2user.map file, the username entry may look like this:

username        SEC_CHAR        uid                     s       na      yes

This specifies that AIX will look for a "uid" attribute on the LDAP server to map to the AIX username. From Steps 3 and 4 above, this will need to change from "uid" to "sAMAccountName".

Edit the custom user map file – which is myuser.map in this example – and change the username entry to this:

username        SEC_CHAR        sAMAccountName          s       na      yes

lastupdate

One thing to note is that shadowLastChange stores its value as days since the Unix epoch:

shadowlastchange: 17971

whereas pwdLastSet stores its value as 100-nanosecond intervals since Jan 1, 1601 (UTC):

pwdLastSet: 132076930680413464

Because of that difference, when setting a mapping for lastupdate → pwdLastSet, the unit used needs to be 'UTC':

lastupdate        SEC_INT pwdLastSet      s       UTC     yes
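To make the unit difference concrete, here is an added Python helper (not part of this page and not AIX code) that converts both representations to Unix seconds, the form in which AIX keeps lastupdate; the sample values are the two attribute values quoted above.

```python
from datetime import datetime, timezone
from typing import Optional

# Seconds between 1601-01-01 (Windows FILETIME epoch) and 1970-01-01 (Unix epoch)
WINDOWS_TO_UNIX_EPOCH_SECONDS = 11_644_473_600
# pwdLastSet counts 100-nanosecond intervals
HUNDRED_NS_PER_SECOND = 10_000_000
SECONDS_PER_DAY = 86_400


def pwdlastset_to_epoch_seconds(value: int) -> Optional[int]:
    """Convert an AD pwdLastSet value to Unix seconds.

    pwdLastSet == 0 means 'password must be changed at next logon' and
    carries no real timestamp, so None is returned for it."""
    if value == 0:
        return None
    return value // HUNDRED_NS_PER_SECOND - WINDOWS_TO_UNIX_EPOCH_SECONDS


def shadowlastchange_to_epoch_seconds(days: int) -> int:
    """Convert an RFC2307 shadowLastChange value (days since Unix epoch)."""
    return days * SECONDS_PER_DAY


def epoch_seconds_to_pwdlastset(seconds: int) -> int:
    """Inverse conversion, useful to compare a local lastupdate with AD."""
    return (seconds + WINDOWS_TO_UNIX_EPOCH_SECONDS) * HUNDRED_NS_PER_SECOND


def utc_date(seconds: int) -> str:
    """Render Unix seconds as a YYYY-MM-DD date in UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d")


def password_age_days(lastupdate_seconds: int, now_seconds: int) -> int:
    """Whole days elapsed since the last password change."""
    return (now_seconds - lastupdate_seconds) // SECONDS_PER_DAY


if __name__ == "__main__":
    # Sample values: the two LDAP attribute values quoted in the text above
    ad = pwdlastset_to_epoch_seconds(132076930680413464)
    nis = shadowlastchange_to_epoch_seconds(17971)
    print("pwdLastSet       ->", ad, utc_date(ad))
    print("shadowLastChange ->", nis, utc_date(nis))
```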

maxage

If a shadowLastChange value is found, it is interpreted as days since the Unix epoch.

- maxage is mapped as follows

maxage        SEC_INT shadowMax      s       na      yes

AIX will check the LDAP user entry for a shadowMax attribute and, if found, will set the user's maxage to the value of shadowMax.

If shadowMax is not found, then AIX will attempt to look up the default value of maxage, which can be on LDAP or in the local /etc/security/user file.

auth_name

In some cases, your user's AIX user name (AD UID) might not match their sAMAccountName in AD. If this is the case, add the following line to /etc/security/ldap/sfur2user.map to support users changing their password using Kerberos.

auth_name  SEC_CHAR  sAMAccountName  s  na  yes

Mapping a local login to a different AD login

First of all, add the Kerberos authentication mode to the user using:

chuser registry=KRB5files SYSTEM=KRB5files <user.name>

It is possible to map a local login to an Active Directory account that uses another login name. For this, use the auth_name attribute of the local user like this:

chuser auth_name=<active.directory.login> <local.user.name>

For example, to map the "joseph" local user to the remote "joseph.herlant" user, use the following (after executing the chuser registry=KRB5files SYSTEM=KRB5files <user.name> command explained in the previous step):

chuser auth_name=joseph.herlant joseph

Then change the auth_name and auth_domain attributes to match your realm. For example:

chuser auth_domain=MYSECONDDOMAIN.MYFOREST auth_name=<active.directory.login> <local.user.name>

For info, AIX default map for AD

This does not work by default, as some fields are different in AD.

[root@aix01]/root# cat /etc/security/ldap/sfur2user.map
username        SEC_CHAR        uid                     s       na      yes
id              SEC_INT         uidNumber               s       na      yes
pgrp            SEC_CHAR        gidNumber               s       na      yes
home            SEC_CHAR        unixhomeDirectory       s       na      yes
shell           SEC_CHAR        loginShell              s       na      yes
gecos           SEC_CHAR        gecos                   s       na      yes
spassword       SEC_CHAR        userPassword            s       na      yes
lastupdate      SEC_INT         shadowLastChange        s       days    yes
maxage          SEC_INT         shadowMax               s       na      yes
minage          SEC_INT         shadowMin               s       na      yes
maxexpired      SEC_INT         shadowExpire            s       na      yes
pwdwarntime     SEC_INT         shadowWarning           s       na      yes
pgid            SEC_INT         gidnumber               s       na      yes

#spassword      SEC_CHAR        unicodePwd              s       na      yes
#spassword      SEC_CHAR        unixuserPassword        s       na      yes
[root@aix01]/root# cat /etc/security/ldap/sfur2group.map
groupname       SEC_CHAR        cn                      s       na      yes
id              SEC_INT         gidNumber               s       na      yes
users           SEC_LIST        memberuid               m       na      yes
aix/user_ldapmaps.txt · Last modified: 2022/10/25 10:57 by manu