Differences

This shows you the differences between two versions of the page.

--- aix:user_ldapmaps [2021/09/29 13:25]
manu
+++ aix:user_ldapmaps [2022/10/25 10:57] (current)
manu
@@ Line 1: / Line 1: @@
 ====== LDAP map modification ======
-# cat /etc/security/ldap sfur2user.map
+===== LDAP map for AD connection =====
+My maps to connect to AD, I'm using LDAP RFC2107.
+AIX like every UNIX/Linux, works always with IDs for users as well for groups
+On AD for each user and group used for AIX, please set the following parameters (required). For info, these parameters are simulated throught sssd on linux.
+**User**
+^Parameter^Value^comment^
+|uid|user01|lowercase|
+|unixHomeDirectory|/home/user01|lowercase|
+|loginShell|/usr/bin/bash|shell: keep bash everywhere|
+|gidNumber|1200123456|primary group ID (always aix-group)|
+|uidNumber|1200789012|userID|
+**For info**: homedir can also have a different look : /home/user01@mydomain.lu
+**Group** ALL groups need a gidNumber
+^Parameter^Value^
+|name|aix-group|
+|gidNumber|1200123456|
+<cli prompt='#'>
+[root@aix01]/root# cat /etc/security/ldap/sfur2user.map
+username        SEC_CHAR        uid                     s       na      yes
+id              SEC_INT         uidNumber               s       na      yes
+pgrp            SEC_CHAR        gidNumber               s       na      yes
+home            SEC_CHAR        unixhomeDirectory       s       na      yes
+shell           SEC_CHAR        loginShell              s       na      yes
+gecos           SEC_CHAR        gecos                   s       na      yes
+spassword       SEC_CHAR        unicodePwd              s
+lastupdate      SEC_INT         pwdLastSet              s       UTC     no
+#time_last_login SEC_INT         lastLogon               s       UTC     no
+maxage          SEC_INT         codePage                s       na      yes
+minage          SEC_INT         shadowMin               s       na      yes
+maxexpired      SEC_INT         shadowExpire            s       na      yes
+pwdwarntime     SEC_INT         shadowWarning           s       na      yes
+pgid            SEC_INT         gidnumber               s       na      yes
+</cli>
+**time_last_login** is commented because it tries to update the field into AD, which is not allowed
+<cli prompt='#'>
+[root@aix01]/root# cat /etc/security/ldap/sfur2group.map
+groupname       SEC_CHAR        cn                      s       na      yes
+id              SEC_INT         gidNumber               s       na      yes
+users           SEC_LIST        member                  m       na      yes
+</cli>
 ===== username =====
@@ Line 35: / Line 82: @@
 lastupdate        SEC_INT pwdLastSet      s       UTC     yes
 </code>
+===== maxage =====
+If the value of shadowLastChange is found, interpret that value as days since Unix epoch.
+- maxage is mapped as follows
+<code>
+maxage        SEC_INT shadowMax      s       na      yes
+</code>
+AIX will attempt checking the LDAP user entry for a shadowMax attribute, and if found, will set the user's maxage to value 0 shadowMax.
+If shadowMax is not found, then AIX will attempt to look up the default value of maxage, which can be on LDAP or in the local /etc/security/user file.
+===== auth_name =====
+In some cases, your user’s AIX user name (AD UID) might not match their sAMAccountName in AD. If this is the case, add the following line to /etc/security/ldap/sfur2user.map to support users changing their password uring Kerberos.
+<code>
+auth_name  SEC_CHAR  sAMAccountName  s  na  yes
+</code>
+==== Mapping a local login to a different AD login ====
+First of all, add the kerberos authentication mode to the user using
+  chuser registry=KRB5files SYSTEM=KRB5files <user.name>
+It is possible to map a local login with an Active Directory account that is using another login name. For this, use the auth_name attribute of the local user like this :
+  chuser auth_name=<active.directory.login> <local.user.name>
+For example, to map the "joseph" local user to the remote "joseph.herlant" user, use the following (after the execution of the chuser registry=KRB5files SYSTEM=KRB5files <user.name> command explained in the previous step) :
+<code>
+chuser auth_name=joseph.herlant joseph
+</code>
+Then change the auth_name and auth_domain attribute to match the realm corresponding to you. For example:
+<code>
+chuser auth_domain=MYSECONDDOMAIN.MYFOREST auth_name=<active.directory.login> <local.user.name>
+</code>
+===== For info, AIX default map for AD =====
+Doesn't work by default, as some fields have changed into AD
+<cli prompt='#'>
+[root@aix01]/root# cat /etc/security/ldap/sfur2user.map
+username        SEC_CHAR        uid                     s       na      yes
+id              SEC_INT         uidNumber               s       na      yes
+pgrp            SEC_CHAR        gidNumber               s       na      yes
+home            SEC_CHAR        unixhomeDirectory       s       na      yes
+shell           SEC_CHAR        loginShell              s       na      yes
+gecos           SEC_CHAR        gecos                   s       na      yes
+spassword       SEC_CHAR        userPassword            s       na      yes
+lastupdate      SEC_INT         shadowLastChange        s       days    yes
+maxage          SEC_INT         shadowMax               s       na      yes
+minage          SEC_INT         shadowMin               s       na      yes
+maxexpired      SEC_INT         shadowExpire            s       na      yes
+pwdwarntime     SEC_INT         shadowWarning           s       na      yes
+pgid            SEC_INT         gidnumber               s       na      yes
+#spassword      SEC_CHAR        unicodePwd              s       na      yes
+#spassword      SEC_CHAR        unixuserPassword        s       na      yes
+</cli>
+<cli prompt='#'>
+[root@aix01]/root# cat /etc/security/ldap/sfur2group.map
+groupname       SEC_CHAR        cn                      s       na      yes
+id              SEC_INT         gidNumber               s       na      yes
+users           SEC_LIST        memberuid               m       na      yes
+</cli>

wiki

User Tools

Site Tools

Differences

Page Tools