aix:user_ldapmaps

Differences

aix:user_ldapmaps [2021/09/29 13:21]
manu created
aix:user_ldapmaps [2022/10/25 10:57] (current)
manu
Line 1: Line 1:
 ====== LDAP map modification ====== ====== LDAP map modification ======
  
-# cat /​etc/​security/​ldap sfur2user.map+===== LDAP map for AD connection =====
  
 +My maps to connect to AD, I'm using LDAP RFC2107.
  
 +AIX like every UNIX/Linux, works always with IDs for users as well for groups
 +
 +On AD for each user and group used for AIX, please set the following parameters (required). For info, these parameters are simulated throught sssd on linux.
 +
 +**User** ​
 +^Parameter^Value^comment^
 +|uid|user01|lowercase|
 +|unixHomeDirectory|/​home/​user01|lowercase|
 +|loginShell|/​usr/​bin/​bash|shell:​ keep bash everywhere|
 +|gidNumber|1200123456|primary group ID (always aix-group)|
 +|uidNumber|1200789012|userID|
 +
 +**For info**: homedir can also have a different look : /​home/​user01@mydomain.lu
 +
 +**Group** ALL groups need a gidNumber
 +^Parameter^Value^
 +|name|aix-group|
 +|gidNumber|1200123456|
 +
 +<cli prompt='#'>​
 +[root@aix01]/​root#​ cat /​etc/​security/​ldap/​sfur2user.map
 +username ​       SEC_CHAR ​       uid                     ​s ​      ​na ​     yes
 +id              SEC_INT ​        ​uidNumber ​              ​s ​      ​na ​     yes
 +pgrp            SEC_CHAR ​       gidNumber ​              ​s ​      ​na ​     yes
 +home            SEC_CHAR ​       unixhomeDirectory ​      ​s ​      ​na ​     yes
 +shell           ​SEC_CHAR ​       loginShell ​             s       ​na ​     yes
 +gecos           ​SEC_CHAR ​       gecos                   ​s ​      ​na ​     yes
 +spassword ​      ​SEC_CHAR ​       unicodePwd ​             s
 +lastupdate ​     SEC_INT ​        ​pwdLastSet ​             s       ​UTC ​    no
 +#​time_last_login SEC_INT ​        ​lastLogon ​              ​s ​      ​UTC ​    no
 +maxage ​         SEC_INT ​        ​codePage ​               s       ​na ​     yes
 +minage ​         SEC_INT ​        ​shadowMin ​              ​s ​      ​na ​     yes
 +maxexpired ​     SEC_INT ​        ​shadowExpire ​           s       ​na ​     yes
 +pwdwarntime ​    ​SEC_INT ​        ​shadowWarning ​          ​s ​      ​na ​     yes
 +pgid            SEC_INT ​        ​gidnumber ​              ​s ​      ​na ​     yes
 +</​cli>​
 +**time_last_login** is commented because it tries to update the field into AD, which is not allowed
 +
 +<cli prompt='#'>​
 +[root@aix01]/​root#​ cat /​etc/​security/​ldap/​sfur2group.map
 +groupname ​      ​SEC_CHAR ​       cn                      s       ​na ​     yes
 +id              SEC_INT ​        ​gidNumber ​              ​s ​      ​na ​     yes
 +users           ​SEC_LIST ​       member ​                 m       ​na ​     yes
 +</​cli>​
 +
 +===== username =====
  
 LDAPA will only use the user map file, but the group map file also needs to be specified in ldap.cfg otherwise secldapclntd won’t start. LDAPA will only use the user map file, but the group map file also needs to be specified in ldap.cfg otherwise secldapclntd won’t start.
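Review bot: the `spassword SEC_CHAR unicodePwd s` row in the new sfur2user.map is the only entry without the trailing unit and update columns that every other row carries (the commented default further down the page writes the same mapping as `unicodePwd s na yes`); either complete the row or state that the two columns are intentionally left off for the password attribute. Two further points worth a sentence in the section: `maxage` is mapped to `codePage` here while the AIX default map shown later uses `shadowMax`, and `codePage` is not a password-aging attribute, so the choice should be documented; and `lastupdate ... pwdLastSet s UTC no` in this map disagrees with the `lastupdate` section below, which gives the same mapping with `yes` in the last column, so one of the two should be corrected or the difference explained.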
Line 19: Line 66:
 username ​       SEC_CHAR ​       sAMAccountName ​                    ​s ​      ​na ​     yes username ​       SEC_CHAR ​       sAMAccountName ​                    ​s ​      ​na ​     yes
 </​code>​ </​code>​
 +
 +
 +===== lastupdate =====
 +
 +One thing to note is that while shadowLastChange stores its value in 'days since epoch' -
 +  shadowlastchange:​ 17971
 +
 +
 +pwdLastSet stores its values as 100-nanosecond intervals since Jan 1, 1601 (UTC) -
 +  pwdLastSet: 132076930680413464
 +
 +
 +Because of that difference, when setting a mapping for lastupdate -> pwdLastSet, the unit used will need to be '​UTC':​
 +<​code>​
 +lastupdate ​       SEC_INT pwdLastSet ​     s       ​UTC ​    yes
 +</​code>​
 +
 +===== maxage =====
 +
 +If the value of shadowLastChange is found, interpret that value as days since Unix epoch.
 +
 +- maxage is mapped as follows
 +<​code>​
 +maxage ​       SEC_INT shadowMax ​     s       ​na ​     yes
 +</​code>​
 +AIX will attempt checking the LDAP user entry for a shadowMax attribute, and if found, will set the user's maxage to value 0 shadowMax.
 +
 +If shadowMax is not found, then AIX will attempt to look up the default value of maxage, which can be on LDAP or in the local /​etc/​security/​user file.
 +===== auth_name =====
 +
 +In some cases, your user’s AIX user name (AD UID) might not match their sAMAccountName in AD. If this is the case, add the following line to /​etc/​security/​ldap/​sfur2user.map to support users changing their password uring Kerberos.
 +<​code>​
 +auth_name ​ SEC_CHAR ​ sAMAccountName ​ s  na  yes
 +</​code>​
 +
 +==== Mapping a local login to a different AD login ====
 +
 +First of all, add the kerberos authentication mode to the user using 
 +  chuser registry=KRB5files SYSTEM=KRB5files <​user.name>​
 +
 +It is possible to map a local login with an Active Directory account that is using another login name. For this, use the auth_name attribute of the local user like this :
 +  chuser auth_name=<​active.directory.login>​ <​local.user.name>​
 +
 +For example, to map the "​joseph"​ local user to the remote "​joseph.herlant"​ user, use the following (after the execution of the chuser registry=KRB5files SYSTEM=KRB5files <​user.name>​ command explained in the previous step) :
 +<​code>​
 +chuser auth_name=joseph.herlant joseph
 +</​code>​
 +Then change the auth_name and auth_domain attribute to match the realm corresponding to you. For example:
 +<​code>​
 +chuser auth_domain=MYSECONDDOMAIN.MYFOREST auth_name=<​active.directory.login>​ <​local.user.name>​
 +</​code>​
 +
 +===== For info, AIX default map for AD =====
 +
 +Doesn'​t work by default, as some fields have changed into AD
 +<cli prompt='#'>​
 +[root@aix01]/​root#​ cat /​etc/​security/​ldap/​sfur2user.map
 +username ​       SEC_CHAR ​       uid                     ​s ​      ​na ​     yes
 +id              SEC_INT ​        ​uidNumber ​              ​s ​      ​na ​     yes
 +pgrp            SEC_CHAR ​       gidNumber ​              ​s ​      ​na ​     yes
 +home            SEC_CHAR ​       unixhomeDirectory ​      ​s ​      ​na ​     yes
 +shell           ​SEC_CHAR ​       loginShell ​             s       ​na ​     yes
 +gecos           ​SEC_CHAR ​       gecos                   ​s ​      ​na ​     yes
 +spassword ​      ​SEC_CHAR ​       userPassword ​           s       ​na ​     yes
 +lastupdate ​     SEC_INT ​        ​shadowLastChange ​       s       ​days ​   yes
 +maxage ​         SEC_INT ​        ​shadowMax ​              ​s ​      ​na ​     yes
 +minage ​         SEC_INT ​        ​shadowMin ​              ​s ​      ​na ​     yes
 +maxexpired ​     SEC_INT ​        ​shadowExpire ​           s       ​na ​     yes
 +pwdwarntime ​    ​SEC_INT ​        ​shadowWarning ​          ​s ​      ​na ​     yes
 +pgid            SEC_INT ​        ​gidnumber ​              ​s ​      ​na ​     yes
 +
 +#​spassword ​     SEC_CHAR ​       unicodePwd ​             s       ​na ​     yes
 +#​spassword ​     SEC_CHAR ​       unixuserPassword ​       s       ​na ​     yes
 +</​cli>​
 +
 +<cli prompt='#'>​
 +[root@aix01]/​root#​ cat /​etc/​security/​ldap/​sfur2group.map
 +groupname ​      ​SEC_CHAR ​       cn                      s       ​na ​     yes
 +id              SEC_INT ​        ​gidNumber ​              ​s ​      ​na ​     yes
 +users           ​SEC_LIST ​       memberuid ​              ​m ​      ​na ​     yes
 +</​cli>​
 +
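Review bot: "Doesn't work by default, as some fields have changed into AD" is too vague to act on; the two maps on this page already show the differences, so list them: `spassword` userPassword vs unicodePwd, `lastupdate` shadowLastChange in days vs pwdLastSet in UTC, group `users` memberuid vs member, and `maxage` shadowMax vs codePage. In the same hunk, the maxage paragraph "will set the user's maxage to value 0 shadowMax" reads as garbled and should say what value AIX assigns; the auth_name section has "uring Kerberos" for "using Kerberos"; and the final "Then change the auth_name and auth_domain attribute" example still shows the `<active.directory.login>` placeholder after the concrete `joseph.herlant` example, which may confuse readers following the steps in order.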
aix/user_ldapmaps.1632914473.txt.gz · Last modified: 2021/09/29 13:21 by manu