Differences

This shows you the differences between two versions of the page.

--- aix:user_adldap [2021/01/01 21:24]
127.0.0.1 external edit
+++ aix:user_adldap [2022/08/22 09:24] (current)
manu [User password is expired]
@@ Line 1: / Line 1: @@
 ====== AIX with Active Directory authentification ======
- {{:aix:logo-aix.png|}}
+Kerberos vs LDAP for authentification ?
-https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
+LDAP and Kerberos together make for a great combination. Kerberos is used to manage credentials securely (authentication) while LDAP is used for holding authoritative information about the accounts, such as what they're allowed to access (authorization), the user's full name and uid. You can also add in helpful things such as an external email address or a room number in a structured way.
-http://www.wmduszyk.com/?p=11663&langswitch_lang=pl&cpage=1#comment-50005
+Most other LDAP setups involve in storing passwords in the LDAP directory itself using the userPassword attribute. While this is ok for a basic setup, one can do much better with just a little effort.
+ {{:aix:logo-aix.png|}}
+Kerberos can be an addon but it 'll only be used for password authentification, not required as standard LDAP client will do it also.
 ===== Required components =====
@@ Line 19: / Line 23: @@
 ===== Configuring Windows Active Directory =====
+**A connection user for AD is required, with rights to read all**
 **These are mandatory attributes to be able to connect from AIX to AD**
@@ Line 89: / Line 96: @@
 </cli>
-===== Connection to Active Directory =====
+===== Connection to Active Directory (unsecure) =====
 Setup LDAP:
@@ Line 186: / Line 193: @@
 [root@aix001]/root>  chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
 </cli>
+Change authentification order (to prevent error: Error committing changes to “default”, disable authcontroldomain)
+<cli prompt='>'>
+[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=''
+[root@aix001]/root> chsec -f /etc/security/user -s default -a SYSTEM="files or LDAP"
+[root@aix001]/root> chsec -f /etc/security/user -s default -a registry=LDAP
+[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=LDAP
+</cli>
 Test a remote connection
 <cli prompt='>'>
@@ Line 200: / Line 215: @@
 </cli>
+===== Connection to Active Directory (secure SSL) =====
+Setup LDAP:
+Create the key DB
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -keydb -create -db /etc/security/ldap/ldap.kdb -pw "password" -type cms -stash
+[root@labo]/etc/security/ldap# ll
+...
+-rw-------    1 root     system           88 Nov  3 15:52 ldap.crl
+-rw-------    1 root     system           88 Nov  3 15:52 ldap.kdb
+-rw-------    1 root     system           88 Nov  3 15:52 ldap.rdb
+-rw-------    1 root     system          193 Nov  3 15:52 ldap.sth
+</cli>
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -keydb -list -db /etc/security/ldap/ldap.kdb -pw "password" -stash
+Currently supported key database types:
+  cms
+  pkcs11
+  pkcs12
+  csp
+  pkcs7
+KDB file format is CMS version 4
+hdmac:
+    ...
+dbmac:
+    ...
+KDB password does not expire.
+Record count 0, Record size 5000
+Expected KDB file size is 88 bytes
+Actual KDB file size is 88 bytes.
+File size is as expected, good.
+</cli>
+I add a CA certificate into the key DB
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -add -db /etc/security/ldap/ldap.kdb -pw "password" -type pem -file BA_certificate/ca2.ba.cer -label "BA_ca2.cer"
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -list -db /etc/security/ldap/ldap.kdb -pw "password"
+Certificates found
+* default, - personal, ! trusted, # secret key
+!       BA_ca2.cer
+[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -details -db /etc/security/ldap/ldap.kdb -pw "password" -label "BA_ca2.cer"
+Label : BA_ca2.cer
+Key Size : 2048
+Version : X509 V3
+Serial : 5a8xxxxxxxxxxxxxxxxxxf
+Issuer : CN=CA.BA.LU,DC=ba,DC=lu
+Subject : CA.BA.LU,DC=ba,DC=lu
+Not Before : February 5, 2012 5:54:02 PM GMT+01:00
+Not After : February 5, 2015 6:04:01 PM GMT+01:00
+Public Key
+    ...
+Trust Status : Enabled
+</cli>
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# ldapsearch -L -D "CN=ldap usr,OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu" -w "Mypasswd" -h ldap.ba.lu -p 636 -K /etc/security/ldap/ldap.kdb -b "OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu" '(objectClass=*)'  uid uidNumber gidNumber Loginshell unixHomeDirectory
+...
+dn: CN=My User1,OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu
+uid: myuser1
+unixHomeDirectory: /home/myuser1
+loginShell: /usr/bin/bash
+gidNumber: 1200xxxxx
+uidNumber: 12004yyyyy
+</cli>
+Configure LDAP client with SSL certificate
+<cli prompt='#'>
+[root@aix001]/root# mksecldap -c -h ldap_srv.xxx.lu -n 636 -k /etc/security/ldap/ldap.kdb -w "password" -j SSL -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -h ad.mydom.lu -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth -u NONE
+</cli>
+===== Errors =====
+==== LDAP in debug mode ====
+Add rotation for the debug file
+<cli prompt='#'>
+# cat /etc/logrotate.d/system.conf
+/var/log/syslog/ldap.debug {
+    copytruncate
+    rotate 3
+    size=100M
+}
+</cli>
+Create the debug file
+<cli prompt='#'>
+# touch /var/log/syslog/ldap.debug
+</cli>
+Restart the LDAP daemon in debug mode
+<cli prompt='#'>
+[root@aix01]/root# export LDAP_DEBUG=65535
+[root@aix01]/root# export LDAP_DEBUG_FILE=/var/log/syslog/ldap.debug
+[root@aix01]/root# stop-secldapclntd
+The secldapclntd daemon is successfully terminated.
+[root@aix01]/root# start-secldapclntd
+Starting the secldapclntd daemon.
+The secldapclntd daemon started successfully.
+</cli>
+==== User password is expired ====
+Accounts seems to be expired on AIX, a work around is to set maxage to 0 (as default)
+Check to see if your LDAP server maintains an attribute such as **pwdLastSet** that serves the same function as shadowLastChange by keeping track of the last time a user's password was changed. Windows AD maintains pwdLastSet, for example. If so, change your attribute map file (designated by the userattrmappath attribute in ldap.cfg) to map lastupdate to this other attribute.
+One thing to note is that while shadowLastChange stores its value in 'days since epoch' -
+  shadowlastchange: 17971
+pwdLastSet stores its values as 100-nanosecond intervals since Jan 1, 1601 (UTC) -
+  pwdLastSet: 132076930680413464
+Because of that difference, when setting a mapping for lastupdate -> pwdLastSet, the unit used will need to be 'UTC':
+  lastupdate        SEC_INT pwdLastSet      s       UTC     yes
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# /usr/sbin/restart-secldapclntd
+[root@labo]/etc/security/ldap# pwdadm -R LDAP -q user1
+user1:
+        lastupdate = 1634548341
+</cli>
+(compare that to the 'days' unit that is used for shadowLastChange, shown above).
+**Also note:** any change made to the map files will require a 'restart-secldapclntd' for the change to be seen
+If making this change, the LDAP users will still have the local 'maxage' value applied when checking password aging, but it will work correctly and only say the user's password is expired if it truly is.
+**For info**
+Convert AD pwdlastset to date using shell
+<code>
+#!/bin/bash
+BIN_DATE=/opt/freeware/bin/date
+pwdlastset=132790219411425836   # nano seconds since jan 1st 1601
+adseconds=$(echo "scale=0;$pwdlastset/10000000" | bc) # seconds since jan 1st 1601
+diffepochsec=$(echo "scale=6;((1970-1601) * 365.242190) * 86400" | bc) # unix epoch - AD epoch * number of tropical days * seconds in a day
+diffsec=$(echo "scale=6;$adseconds-$diffepochsec" | bc) # unix Timestamp versus of AD timestamp
+$BIN_DATE --date="@$diffsec" +%Y/%m/%d-%T
+</code>
+==== User password is expired maxage ====
+Accounts seems to be expired on AIX, a work around is to set maxage to 0 (as default)
+Another workarround is to find a parameter unto AD param, that is set to **0**
+Ex:
+<cli prompt='#'>
+[root@labo]/etc/security/ldap# cat sfur2user.map
+maxage          SEC_INT         codePage                s       na      yes
+</cli>
+This is not the right parameter, but since shadowmax has disappear from AD, there is no substitution
+==== Autologin ====
+Current users in AD are automaticaly logged in with their user **without password** ???
+I use PAM as connection method and one line was missing into /etc/pam.conf, the second in the following file
+<cli>
+...
+sshd    auth    requisite       pam_permission file=/etc/auth.allow found=allow
+sshd    auth    required        pam_aix
+</cli>
+==== Unable to login ====
+If ssh connection is failing, and you password is OK, no lock...\\
+Check the config file **/etc/security/ldap/ldap.cfg**, maybe the groupbasedn has a bad definition !!!\\
+Too restrictive in the search, or bad OU
+<cli>
+userbasedn:OU=My Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu
+groupbasedn:OU=app,OU=users Groups,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu
+</cli>
 ===== Optional components =====
@@ Line 229: / Line 429: @@
 </cli>
+===== Additionnal commands =====
+==== UNIX commands ====
+Check for password of **ldap-sds** user
+<cli prompt='#'>
+# ldapsearch -L -D ...  '(&(objectclass=*)(uid=userad01))' uid uidNumber gidNumber Loginshell unixHomeDirectory
+</cli>
+<cli prompt='#'>
+# ldapsearch -L -D ...  '(&(objectclass=*)(uid=userad01))'
+</cli>
+==== Windows commands ====
+Parameters extracted from Active Directory (using Powershell)
+<cli prompt='>'>
+PS C:\Windows\System32> Get-AdUser -Filter "givenName -eq 'userad01'" -Properties *
+</cli>
+You have 2 commands to list groups Get-ADGroup and Get-ADGroupMember
+<cli prompt='>'>
+PS C:\Windows\System32> Get-ADGroup -Identity 'groupad01' -Properties *
+</cli>
+===== References =====
+https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
+http://www.wmduszyk.com/?p=11663&langswitch_lang=pl&cpage=1#comment-50005
 https://aerostitch.github.io/linux_and_unix/AIX/AIX-Security-Kerberos_Authentication.html

wiki

User Tools

Site Tools

Differences

Page Tools