LDAP client configuration on AIX

Install LDAP client AIX packages

The latest AIX package is called IBM Security Verify Directory, version 10.x.x.

Search IBM Fix Central (https://www-945.ibm.com/support/fixcentral/) for the latest “IBM Security Directory Server” packages. Example packages:

6.4.0.10-ISS-ISDS-AIX-IF0010.tar.gz
8.0.50.67-ISS-GSKIT-AIX-FP0067.tar.gz

Untar the packages, then go into the extracted directories. First install

ISS-GSKIT-AIX

Then, in the folder ISS-ISDS-AIX, accept the license and install the 64-bit client filesets:

echo 1 | ./license/idsLicense
cd images
installp -agXY -d ./ idsldap.license64 idsldap.clt_max_crypto64bit64 idsldap.clt64bit64

The 32-bit LDAP client packages are also required:

installp -agXY -d ./ idsldap.clt32bit64 idsldap.clt_max_crypto32bit64
[root@ldapclt]/root# lslpp -Lc | egrep 'idsldap|GSK'
GSKit8:GSKit8.gskcrypt64.ppc.rte:8.0.50.67: : :C: :IBM GSKit Cryptography Runtime: : : : : : :0:0:/:
GSKit8:GSKit8.gskssl64.ppc.rte:8.0.50.67: : :C: :IBM GSKit SSL Runtime With Acme Toolkit: : : : : : :0:0:/:
idsldap.clt32bit64:idsldap.clt32bit64.rte:6.4.0.10: : :C: :Directory Server - 32 bit Client: : : : : : :0:0:/:
idsldap.clt64bit64:idsldap.clt64bit64.rte:6.4.0.10: : :C: :Directory Server - 64 bit Client: : : : : : :0:0:/:
idsldap.clt_max_crypto32bit64:idsldap.clt_max_crypto32bit64.rte:6.4.0.10: : :C: :Directory Server - 32 bit Client (SSL): : : : : : :0:0:/:
idsldap.clt_max_crypto64bit64:idsldap.clt_max_crypto64bit64.rte:6.4.0.10: : :C: :Directory Server - 64 bit Client (SSL): : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.adt:6.4.0.10: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.rte:6.4.0.10: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.license64:idsldap.license64.rte:6.4.0.10: : :C: :Directory Server - License: : : : : : :0:0:/:


Configure LDAP client AIX

As the following example shows, if the OpenLDAP server is set up with the rfc2307aix schema, this is reflected in the AIX client configuration: serverschematype=RFC2307AIX.

[root@ldapclt]/root# mksecldap -c -h rhldaph1.mydom.lu  -A ldap_auth -D ldap -d "dc=myldapdom,dc=tst" -a "cn=Manager,dc=myldapdom,dc=tst" -p ldapp@ssword  -S rfc2307aix  -u NONE

[root@ldapclt]/root# ls-secldapclntd
ldapservers=rhldaph1.mydom.lu 
current ldapserver=rhldaph1.mydom.lu 
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=1
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=RFC2307AIX
userbasedn=ou=people,dc=myldapdom,dc=tst
groupbasedn=ou=groups,dc=myldapdom,dc=tst
userobjectclass=posixaccount,account,shadowaccount,aixauxaccount,ibm-securityIdentities
groupobjectclass=posixgroup,aixauxgroup

[root@ldapclt]/root# ps -ef | grep ldap
    root 5767328       1   0 10:40:18      -  0:00 /usr/sbin/secldapclntd

List all users in LDAP, create users and groups. From now on, don't forget to add -R LDAP or -R files to your commands:

[root@ldapclt]/root# lsuser -R LDAP ALL
ldapuser1 id=6001 pgrp=grouptest1 groups=grouptest1 home=/home/ldapuser1 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

[root@ldapclt]/root# mkgroup -R LDAP  id=1 staff
[root@ldapclt]/root# mkuser -R LDAP id=6002 pgrp=staff ldapuser2
[root@ldapclt]/root# lsuser -R LDAP ALL
ldapuser1 id=6001 pgrp=grouptest1 groups=grouptest1 home=/home/ldapuser1 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
ldapuser2 id=6002 pgrp=staff groups=staff home=/home/ldapuser2 shell=/usr/bin/ksh93 auditclasses=general,SRC,cron,tcpip login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

Change the AIX default behaviour to use LDAP authentication by default (except for root), create the home directory at first login, etc.

[root@ldapclt]/root# chsec -f /etc/security/user -s default -a registry=LDAP
[root@ldapclt]/root# chsec -f /etc/security/user -s default -a SYSTEM=LDAP
[root@ldapclt]/root# chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
[root@ldapclt]/root# chdev -l sys0 -a max_logname=256
[root@ldapclt]/root# chdev -l sys0 -a ngroups_allowed=2048

AIX LDAP config files and schemas are stored in /etc/security/ldap/, /etc/security/login.cfg, and /etc/security/user.

[root@ldapclt]/etc/security/ldap# cat ldap.cfg | grep -v '^#' | sed '/^$/d'
ldapservers:rhldaph1.mydom.lu 
binddn:cn=Manager,dc=myldapdom,dc=tst
bindpwd:{DESv2}DA483A108C643477D2B2F192 7C07C1AAE512FB8325B81B6
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/2307aixuser.map
groupattrmappath:/etc/security/ldap/2307aixgroup.map
userbasedn:ou=people,dc=myldapdom,dc=tst
groupbasedn:ou=groups,dc=myldapdom,dc=tst
userclasses:posixaccount,account,shadowaccount,aixauxaccount,ibm-securityIdentities
groupclasses:posixgroup,aixauxgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:rfc2307aix

[root@ldapclt]/etc/security/ldap# ll
total 396
   4 drwxr-xr-x    2 root     security       4096 Oct 20 10:58 .
   4 drwxr-x---   12 root     security       4096 Oct 19 00:17 ..
   4 -rw-r-----    1 root     security       2973 May 19 16:41 2307aixgroup.map
   8 -rw-r-----    1 root     security       7863 May 19 16:41 2307aixuser.map
   4 -rw-r-----    1 root     security       2598 Apr 18 2010  2307group.map
   4 -rw-r-----    1 root     security       3429 Aug 23 2010  2307user.map
 120 -rw-r-----    1 root     security     122375 Jun 07 12:10 aixSchemaForAD.ldif
  52 -rw-r-----    1 root     security      50385 Jun 07 12:10 aixSchemaForNS5.ldif
   4 -rw-r-----    1 root     security       2852 May 19 16:41 aixgroup.map
   4 -rw-r-----    1 root     security       2837 May 25 2010  aixid.map
   8 -rw-r-----    1 root     security       7515 May 19 16:41 aixuser.map
  12 -rw-------    1 root     security      12102 Oct 20 10:58 ldap.cfg
   4 -rw-r--r--    1 root     system            1 Jun 21 2011  ldap.cfg.SS
  12 -rw-------    1 root     system        11573 Oct 20 10:58 ldap.cfg.save
  12 -rw-------    1 root     system        11573 Oct 20 10:58 ldap.cfg.save.orig
   4 -rw-r-----    1 root     security       1567 Sep 21 2009  ldapid.ldif.template
  28 -rw-r-----    1 root     security      25523 Feb 19 2008  nisSchema.ldif
   4 -rw-------    1 root     security       3893 Sep 21 2009  proxy.ldif.template
  52 -rw-r-----    1 root     security      52063 Jun 07 12:10 sec.ldif
   4 -rw-r-----    1 root     security       2294 Apr 23 2009  sectoldif.cfg
   4 -rw-r-----    1 root     security       2495 May 25 2010  sfu20group.map
   4 -rw-r-----    1 root     security       2933 May 25 2010  sfu20user.map
   4 -rw-r-----    1 root     security       2781 May 25 2010  sfu30aixgroup.map
   8 -rw-r-----    1 root     security       7634 May 17 2011  sfu30aixuser.map
   4 -rw-r-----    1 root     security       2503 Aug 23 2010  sfu30group.map
   4 -rw-r-----    1 root     security       3005 Aug 23 2010  sfu30user.map
   4 -rw-r-----    1 root     security       2739 May 25 2010  sfur2aixgroup.map
   8 -rw-r-----    1 root     security       7611 May 17 2011  sfur2aixuser.map
   4 -rw-r-----    1 root     security       2390 May 25 2010  sfur2group.map
   4 -rw-r-----    1 root     security       2853 May 25 2010  sfur2user.map

Error: LDAP userpassword set to crypt

The password algorithm used to hash a user's password in LDAP is defined in the LDAP client configuration: the AIX client hashes the password itself before writing it to the directory. Changing the server-side password algorithm (parameter ibm-slapdPwEncryption in ibmslapd.conf) therefore has no effect on the stored value.

On the client, edit the file /etc/security/ldap/ldap.cfg and set the parameter pwdalgorithm to system:

pwdalgorithm:system

Then change the system password algorithm with the following command (file: /etc/security/login.cfg):

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512

Algorithms supported on AIX are: crypt (default), smd5, ssha1, ssha256, ssha512, sblowfish.

Now restart the LDAP client and try to change a password:

/usr/sbin/restart-secldapclntd
[root@ldapclt]/root# ps -ef | grep sec
    root 12386516        1   0 10:58:40      -  0:00 /usr/sbin/secldapclntd

Before the change:

root@tstbcp - /etc/security > /usr/sbin/lsldap -a passwd testuser
uid: testuser
...
userpassword: {crypt}3pqRiHBWWjDNU

After:

root@tstbcp - /etc/security > echo "testuser:testuser" | chpasswd -R LDAP -c
root@tstbcp - /etc/security > /usr/sbin/lsldap -a passwd testuser
uid: testuser
...
{ssha512}06$hedp1Ro5Rcmx.Sbi$X5qt.m0f6vsztKA2HBS3q9e2K98fceb92gEiuuzh7TCYoAQMFbo6mPZHk/AwGNsh8RRQWmVhPXjoO1CLseZi..
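A shell check, added here as an example and not part of the original page, that audits the client settings covered above (ldap.cfg useSSL and pwdalgorithm, the usw stanza of login.cfg, and the hash scheme in lsldap userpassword output) for the weak choices this page describes. The configuration files it writes are constructed samples modelled on the page's output, not real configuration.

```shell
#!/bin/sh
# Added example, not from the original page: audit the AIX LDAP client settings
# this page changes (ldap.cfg, the usw stanza of login.cfg, lsldap userpassword
# values) for the weak choices it warns about. Sample files are constructed.

# Value of "key:value" in ldap.cfg; comments, blanks, trailing spaces ignored.
ldapcfg_get() {   # $1 = ldap.cfg path, $2 = key
    grep -v '^#' "$1" | sed -n "s/^$2:[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# pwd_algorithm from the usw stanza of login.cfg; AIX defaults to crypt if unset.
logincfg_pwd_algorithm() {   # $1 = login.cfg path
    v=$(sed -n '/^usw:/,/^[^[:space:]]/p' "$1" |
        sed -n 's/^[[:space:]]*pwd_algorithm[[:space:]]*=[[:space:]]*//p')
    printf '%s\n' "${v:-crypt}"
}

# Hash scheme of a userpassword value ({crypt}..., {ssha512}...), or "none".
pw_scheme() {   # $1 = lsldap userpassword line or bare value
    s=$(printf '%s\n' "$1" | sed -n 's/^[^{]*{\([^}]*\)}.*$/\1/p' | tr 'A-Z' 'a-z')
    printf '%s\n' "${s:-none}"
}

# Print one WARN line per weak setting; always exits 0 so callers count lines.
audit_client() {   # $1 = ldap.cfg path, $2 = login.cfg path
    [ "$(ldapcfg_get "$1" useSSL)" = "no" ] &&
        echo "WARN useSSL:no - bind password and hashes cross the network in clear"
    alg=$(ldapcfg_get "$1" pwdalgorithm)
    [ "$alg" != "system" ] &&
        echo "WARN pwdalgorithm:${alg:-unset} - LDAP users keep {crypt}; login.cfg pwd_algorithm ignored"
    sysalg=$(logincfg_pwd_algorithm "$2")
    case "$sysalg" in
        crypt|smd5) echo "WARN pwd_algorithm=$sysalg in login.cfg - weak hash" ;;
    esac
    return 0
}

# Constructed sample inputs modelled on the page (not real configuration).
TMP=$(mktemp -d)
cat > "$TMP/ldap.cfg" <<'EOF'
useSSL:no
pwdalgorithm:crypt
EOF
cat > "$TMP/login.cfg" <<'EOF'
usw:
        pwd_algorithm = ssha512
EOF
audit_client "$TMP/ldap.cfg" "$TMP/login.cfg"     # prints two WARN lines
pw_scheme 'userpassword: {crypt}3pqRiHBWWjDNU'    # prints "crypt"
```

Run it against the real /etc/security/ldap/ldap.cfg and /etc/security/login.cfg after the changes above; a clean client prints no WARN lines and lsldap shows an {ssha512} scheme for newly changed passwords.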
ldap/itds_installclientaix.txt · Last modified: 2024/08/19 18:41 by manu