====== aix_ldap ======
===== Register a new AD user =====
If the user (**-it** account) already exists, check its UID on a Linux server joined to Active Directory (the sssd process converts the Windows SID into a UNIX UID); otherwise create it in Active Directory first.
[root@LINUX ~]# id user01
uid=1200123421(emmiff4-it@test.lu) gid=12001222222(domain users@test.lu) ......,12004111111(storage-admin@test.lu),1200123456(aix-users@test.lu)
We need the UID 1200123421 (user01@test.lu) and the group ID 1200123456 (aix-users@test.lu).
**For AIX users, the following fields must be filled in Active Directory**
^Parameter^Value^comment^
|uid|user01|lowercase|
|unixHomeDirectory|/home/user01|lowercase|
|loginShell|/bin/bash|shell: keep bash everywhere|
|gidNumber|1200123456|primary group ID (always aix-users)|
|uidNumber|1200123421|userID|
**For AIX groups, the following field must be filled in Active Directory (for the group aix-users)**
^Parameter^Value^
|gidNumber|1200123456|
===== LDAP configuration =====
[root@aixsrv]/etc/security/ldap# cat sfur2user.map
username SEC_CHAR uid s na yes
id SEC_INT uidNumber s na yes
pgrp SEC_CHAR gidNumber s na yes
home SEC_CHAR unixhomeDirectory s na yes
shell SEC_CHAR loginShell s na yes
gecos SEC_CHAR gecos s na yes
spassword SEC_CHAR unicodePwd s
lastupdate SEC_INT pwdLastSet s UTC no
time_last_login SEC_INT lastLogon s UTC no
maxage SEC_INT codePage s na yes
minage SEC_INT shadowMin s na yes
maxexpired SEC_INT shadowExpire s na yes
pwdwarntime SEC_INT shadowWarning s na yes
pgid SEC_INT gidnumber s na yes
[root@aixsrv]/etc/security/ldap# cat sfur2group.map
groupname SEC_CHAR cn s na yes
id SEC_INT gidNumber s na yes
users SEC_LIST member m na yes
AD registration in secure mode (LDAPS on port 636), using the CA certificate. In the commands below `$pwd1` is the key database password and `$pwd2` the bind DN password; both are passed on the command line, so they are visible in the shell history and in `ps` while the command runs.
gsk8capicmd_64 -keydb -create -db /etc/security/ldap/ldap.kdb -pw $pwd1 -type cms -stash
gsk8capicmd_64 -keydb -list -db /etc/security/ldap/ldap.kdb -pw $pwd1 -stash
gsk8capicmd_64 -cert -add -db /etc/security/ldap/ldap.kdb -pw $pwd1 -type pem -file /tmp/ca2.ad.cer -label 'AD_LU_ca2.cer'
gsk8capicmd_64 -cert -list -db /etc/security/ldap/ldap.kdb -pw $pwd1
gsk8capicmd_64 -cert -details -db /etc/security/ldap/ldap.kdb -pw $pwd1 -label 'AD_LU_ca2.cer'
mksecldap -c -h ldap_srv.test.lu -n 636 -k /etc/security/ldap/ldap.kdb -w $pwd1 -j SSL -a 'CN=ldapuser,OU=Users Misc,OU=Users,OU=....,DC=aaa,DC=test,DC=lu' -p $pwd2 -d 'OU=Users,OU=Users & Groups,DC=aaa,DC=test,DC=lu' -A ldap_auth -u NONE
If the mksecldap command fails, you may be pointing at the wrong tree in AD: change the OU in the base DN given with `-d`.
[root@aixsrv]/etc/security/ldap# grep -v '^#' /etc/security/ldap/ldap.cfg | sed '/^$/d'
serverschematype:sfur2
ldapservers:ldap_srv.test.lu
binddn:CN=ldapuser,OU=Users Misc,OU=Users,OU=....,DC=aaa,DC=test,DC=lu
bindpwd:{DESv2}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authtype:ldap_auth
searchmode:ALL
defaultentrylocation:LDAP
ldapport:636
useSSL:SSL
pwdalgorithm:system
ldapsslkeyf:/etc/security/ldap/ldap.kdb
ldapsslkeypwd:{DESv2}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
userclasses:user,person,organizationalperson
groupclasses:group
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=Users,OU=Users & Groups,DC=aaa,DC=test,DC=lu
groupbasedn:OU=xxx,OU=Groups,OU=Users & Groups,DC=aaa,DC=test,DC=lu
Check that the LDAP stanza is present; otherwise add the following three lines (normally added by the mksecldap command).
[root@aixsrv]/etc# cat /etc/methods.cfg
...
LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
...
Change the default user authentication to "files or LDAP" (both the registry and the SYSTEM attribute are required):
chsec -f /etc/security/user -s default -a registry=files
chsec -f /etc/security/user -s default -a "SYSTEM=files or LDAP"
chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
Check the result in the files /etc/security/user and /etc/security/login.cfg:
[root@aixsrv]/etc# cat /etc/security/user
...
default:
...
SYSTEM = "files or LDAP"
registry = "files"
...
===== Enable PAM on AIX =====
PAM gives more flexible, per-service control over who may authenticate than the standard AIX authentication.
You can comment out the services you do not use.
To use PAM with access control for users and groups:
[root@aixsrv]/etc # cat /etc/pam.conf
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos720 src/bos/etc/pam/pam.conf 1.8.1.1
#
# Licensed Materials - Property of IBM
#
# COPYRIGHT International Business Machines Corp. 2003,2012
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
# PAM Configuration File
#
# This file controls the PAM stacks for PAM enabled services.
# The format of each entry is as follows:
#
# <service_name> <module_type> <control_flag> <module_path> [module_options]
#
# Where:
# <service_name> is:
# The name of the PAM enabled service.
#
# <module_type> is one of:
# auth, account, password, session
#
# <control_flag> is one of:
# required, requisite, sufficient, optional
#
# <module_path> is:
# The path to the module. If the field does not begin with '/'
# then /usr/lib/security/ is prefixed for 32-bit services,
# /usr/lib/security/64/ is prefixed for 64-bit services.
# If the module path is specified as a full path, then it
# is used directly for 32-bit services; for 64-bit services
# the module path is derived as <dirname>/64/<basename>.
#
# [module_options] is:
# An optional field. Consult the specified modules documentation
# for valid options.
#
# The service name OTHER controls the behavior of services that are PAM
# enabled but do not have an explicit entry in this file.
#
#
# Authentication
#
authexec auth required pam_aix
dtaction auth required pam_aix
dtsession auth required pam_aix
dtlogin auth required pam_aix
ftp auth required pam_aix
imap auth required pam_aix
login auth required pam_aix
rexec auth required pam_aix
rlogin auth sufficient pam_rhosts_auth
rlogin auth required pam_aix
rsh auth required pam_rhosts_auth
snapp auth required pam_aix
sshd auth requisite pam_permission file=/etc/auth.allow found=allow
sshd auth required pam_aix
su auth sufficient pam_allowroot
su auth required pam_aix
swrole auth required pam_aix
telnet auth required pam_aix
xdm auth required pam_aix
OTHER auth required pam_prohibit
#
# Account Management
#
authexec account required pam_aix
dtlogin account required pam_aix
ftp account required pam_aix
login account required pam_aix
rexec account required pam_aix
rlogin account required pam_aix
rsh account required pam_aix
sshd account required pam_aix
su account sufficient pam_allowroot
su account required pam_aix
sudo account sufficient pam_allowroot
sudo account required pam_aix
swrole account required pam_aix
telnet account required pam_aix
xdm account required pam_aix
OTHER account required pam_prohibit
#
# Password Management
#
authexec password required pam_aix
dtlogin password required pam_aix
login password required pam_aix
passwd password required pam_aix
rlogin password required pam_aix
sshd password required pam_aix
su password required pam_aix
sudo password required pam_aix
telnet password required pam_aix
xdm password required pam_aix
OTHER password required pam_prohibit
#
# Session Management
#
dtlogin session required pam_aix
ftp session required pam_aix
imap session required pam_aix
login session required pam_aix
rexec session required pam_aix
rlogin session required pam_aix
rsh session required pam_aix
snapp session required pam_aix
sshd session required pam_aix
sshd session optional pam_mkuserhome
su session required pam_aix
sudo session required pam_aix
sudo session optional pam_mkuserhome
swrole session required pam_aix
telnet session required pam_aix
xdm session required pam_aix
OTHER session required pam_prohibit
#Support for IBM MQ
ibmmq auth required pam_aix
ibmmq account required pam_aix
Create the access control file referenced by the sshd `pam_permission` line (one user or @group per line):
[root@aixsrv]/etc # cat /etc/auth.allow
root
@users
@dba_group
user01
Enable PAM in SSH, then restart sshd:
[root@aixsrv]/etc # cat /etc/ssh/sshd_config | grep '^UsePAM'
UsePAM yes
[root@aixsrv]/etc # stopsrc -s sshd
[root@aixsrv]/etc # startsrc -s sshd
Change the default authentication mechanism from STD_AUTH to PAM_AUTH:
[root@aixsrv]/etc # lssec -f /etc/security/login.cfg -s usw -a auth_type
usw auth_type=STD_AUTH
[root@aixsrv]/etc # chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH
The script check_nimclient.sh:
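#!/usr/bin/ksh
#set -x
##################################################
#@(#) Check NIM CPUID
##################################################
# version: 1.0 2023-02 emmiff4
##################################################
# Compare the CPUID (machine id) recorded on this NIM master, the one each
# standalone NIM client reports, and the NIM_MASTERID stored in the client's
# /etc/niminfo, and repair the mismatches (see reset_cpuid). With
# "-c reset -l <lpar>" it only prints the commands to recreate a client.
#
# A .env file next to the script is sourced as shell code: it runs with the
# privileges of whoever runs this script, so it must not be writable by
# anyone else. It is expected to set $logname, the log file used by the
# tee at the bottom -- confirm against .env.
dir=$(dirname "$0")
. "$dir/.env"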
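###########################################################################
# usage ()
#
# Print the usage message on stdout and exit 0 (reached through the
# -h/help argument of main; main's output is tee'd to the log file).
#
# Parameters:
# - none
###########################################################################
usage()
{
  cat <<'EOF'
Usage:
no parameter: check the CPUID on master and client, and change it if not OK
-c reset -l <lpar>: print the commands to delete the nim client <lpar> and recreate it
-h: this message
EOF
  exit 0
}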
#------------------------------------------------
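# _safe_id <value>
#
# Succeeds when <value> is non-empty and made only of letters and digits.
# Every id that reaches the remote sed expression goes through this check,
# so an unexpected /etc/niminfo line or uname output cannot carry sed or
# shell syntax into the command run on the client.
_safe_id () {
  case "$1" in
    "" | *[!0-9A-Za-z]*) return 1 ;;
    *) return 0 ;;
  esac
}

# _fix_niminfo <lpar> <cpuid> <old_id> <new_id>
#
# On client <lpar>, replace <old_id> by <new_id> in /etc/niminfo (a copy is
# kept as /etc/niminfo.old) and restart nimsh so the new NIM_MASTERID is used.
# <cpuid> only appears in the message. The edited file is moved into place
# only if cp and sed succeeded, so a failed edit cannot leave an empty
# /etc/niminfo behind; startsrc runs regardless so nimsh is never left stopped.
_fix_niminfo () {
  typeset lpar=$1 cpuid=$2 old_id=$3 new_id=$4
  echo "$lpar: client $cpuid /etc/niminfo ERROR"
  echo "$lpar: changed"
  ssh -o ConnectTimeout=10 "$lpar" "cp /etc/niminfo /etc/niminfo.old && sed 's/${old_id}/${new_id}/' /etc/niminfo > /etc/niminfo.new && mv /etc/niminfo.new /etc/niminfo && stopsrc -s nimsh ; startsrc -s nimsh"
}

# reset_cpuid
#
# For every standalone NIM client (lsnim -t standalone; names containing
# "vio" are skipped -- presumably the VIO servers), compare three values:
#   cpuid      what the client itself reports with 'uname -m'
#   nim_id     the cpuid recorded for that client on this NIM master
#   client_id  the NIM_MASTERID stored in the client's /etc/niminfo
# and fix the master record (nim -o change) and/or the client's /etc/niminfo
# so that they agree. One line per client is printed on stdout, prefixed
# with the client name. Clients that do not answer on ssh (or answer with
# something that is not a 12-character id) are reported and skipped.
# Returns 1 without touching any client when this master's own id is
# unusable, since that value would otherwise be written into every client.
reset_cpuid () {
  typeset master_id lpar cpuid nim_id client_id
  master_id=$(uname -m)
  if ! _safe_id "$master_id"
  then
    echo "reset_cpuid: unexpected master CPUID '$master_id', nothing done" >&2
    return 1
  fi
  for lpar in $(lsnim -t standalone | awk '{print $1}' | grep -v vio)
  do
    cpuid=$(ssh -o ConnectTimeout=10 "$lpar" 'uname -m' 2>/dev/null)
    if [ "${#cpuid}" -ne 12 ]
    then
      echo "$lpar: no CPUID $cpuid ${#cpuid}"
      continue
    fi
    # last field of the 'cpuid = ...' line printed by lsnim -l
    nim_id=$(lsnim -l "$lpar" | awk '/cpuid/ {print $NF}')
    # value after '=' on the NIM_MASTERID line of the client's /etc/niminfo
    client_id=$(ssh -o ConnectTimeout=10 "$lpar" "grep NIM_MASTERID /etc/niminfo" | sed 's/=/ /g' | awk '{print $NF}')
    if [ "$nim_id" != "$cpuid" ]
    then
      echo "$lpar: nimserver $cpuid $nim_id ERROR"
      nim -o change -a cpuid="${cpuid}" "$lpar"
    fi
    if [ "$master_id" = "$client_id" ]
    then
      # "OK" is only reported when the master-side record was right as well
      [ "$nim_id" = "$cpuid" ] && echo "$lpar: MASTERCPUID OK"
    elif _safe_id "$client_id"
    then
      _fix_niminfo "$lpar" "$cpuid" "$client_id" "$master_id"
    else
      echo "$lpar: unexpected NIM_MASTERID '$client_id' in /etc/niminfo, not changed" >&2
    fi
  done
}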
#------------------------------------------------
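# recreate_client
#
# Print (but do not run) the commands needed to remove the NIM client $lpar
# from the master and register it again with niminit. Globals read: lpar,
# COMMAND and master (all set by main); COMMAND is echoed but not
# interpreted. pif_name=en0 is hard-coded -- assumed to be the client's NIM
# interface, check it before running the printed commands.
# Returns 1 without printing anything when $lpar is empty, since every
# command needs it.
recreate_client () {
  if [ -z "$lpar" ]
  then
    echo "recreate_client: no lpar given (-l <lpar>)" >&2
    return 1
  fi
  printf '%s %s\n' "$lpar" "$COMMAND"
  printf 'nim -o remove %s\n' "$lpar"
  printf "ssh %s 'rm /etc/niminfo'\n" "$lpar"
  printf "ssh %s 'stopsrc -s nimsh'\n" "$lpar"
  printf "ssh %s 'niminit -a name=%s -a pif_name=en0 -a master=%s -a platform=chrp -a connect=nimsh -a cable_type=\"N/A\"'\n" "$lpar" "$lpar" "$master"
}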
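#############################################
# main
#############################################
# main [-h | help] | [-c <command> -l <lpar>]
#
# Without argument: print "OK" and run reset_cpuid over all NIM clients.
# With arguments: -c stores <command> in COMMAND, -l stores <lpar> in lpar
# and immediately calls recreate_client (so -c must precede -l; COMMAND is
# only echoed by recreate_client, not interpreted). -h/help prints usage.
# An unknown argument or a flag without value is reported on stderr and
# returns 2 instead of being silently ignored.
# Globals written: master (short hostname of this NIM master), COMMAND, lpar.
main()
{
  master=$(hostname -s)
  if [ $# -eq 0 ]
  then
    echo "OK"
    reset_cpuid
    return
  fi
  while [ $# -gt 0 ]; do
    case "$1" in
      help|-h|-help)
        usage ;;
      -c)
        [ $# -ge 2 ] || { echo "main: -c needs a value" >&2; return 2; }
        COMMAND=$2
        shift ;;
      -l)
        [ $# -ge 2 ] || { echo "main: -l needs a value" >&2; return 2; }
        lpar=$2
        shift
        recreate_client ;;
      *)
        echo "main: unknown argument '$1' (use -h)" >&2
        return 2 ;;
    esac
    shift
  done
}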
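# Run main through tee so both the console and the log file get stdout and
# stderr: the '2>&1' has to sit before the pipe, otherwise only tee's own
# errors are redirected and main's stderr bypasses the log. $logname is
# expected from .env; when it is unset the log goes to /dev/null rather than
# making tee fail on an empty file name.
main "$@" 2>&1 | tee "${logname:-/dev/null}"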