====== AIX with Active Directory authentication ======
Kerberos vs LDAP for authentication?
LDAP and Kerberos together make for a great combination. Kerberos is used to manage credentials securely (authentication), while LDAP holds the authoritative information about the accounts, such as what they are allowed to access (authorization), the user's full name and uid. You can also add helpful things such as an external email address or a room number in a structured way.
Most other LDAP setups involve storing the passwords in the LDAP directory itself, using the userPassword attribute. While this is fine for a basic setup, one can do much better with just a little effort.
{{:aix:logo-aix.png|}}
Kerberos can be added on top, but it would only be used for password authentication; it is not required, since a standard LDAP client handles that as well.
===== Required components =====
* BFF packages: LDAP client
IBM Security Directory Client/Server is no longer available on the AIX expansion pack media. \\
IBM Security Directory Client/Server Version 6.4 is available on the AIX 7 with 7200-03 base media.
Download the base version from IBM Passport Advantage (or from the Value Pack for partners)
and the updates from:\\
https://www.ibm.com/support/pages/recommended-fixes-ibm-security-directory-server-ldap#ver64
===== Configuring Windows Active Directory =====
**A connection (bind) user for AD is required, with rights to read all objects.**
**The attributes below are mandatory to be able to connect from AIX to AD.**
Configure a group, then in --> Properties --> Attribute Editor (available in AD advanced view)
set a numeric value for the attribute **gidNumber**, e.g. 20000 (must be unique).
Optional, to bring the group membership into AIX: on the AD group, fill the field **memberUid** with user1;user2 (the values are matched against the users' uid).
Create a user, **user1**, and set the attributes:
**uid** user1
**uidNumber** 200000
**gidNumber** 20000
**loginShell** /bin/bash
**unixHomeDirectory** /home/user1
:-o A user without a shell gets a bad shell at connection, and the home directory is not created. If uidNumber and gidNumber are not set, AIX will not see these users at all.
To list user and group IDs (the same for AIX and Linux), configure a Linux server with the default Red Hat procedure to join AD, then list the users' and groups' IDs:
[root@linux01 ~]# su - user1 -c 'id'
===== Install LDAP client =====
https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
Install the packages from the AIX base media: idsldap client.
First accept the license, otherwise the packages will not install!
Then install idsldap:
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> echo "1" | ./license/idsLicense
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> installp -d ./ -gaXY idsldap.clt32bit64.rte idsldap.clt64bit64.rte idsldap.clt_max_crypto32bit64.rte idsldap.clt_max_crypto64bit64.rte idsldap.cltbase64.adt idsldap.cltbase64.rte idsldap.license64.rte
[root@aix001]/export/aix7200-03/aix7200-03-03_lpp> lslpp -Lc | grep idsl
idsldap.clt32bit64:idsldap.clt32bit64.rte:6.4.0.15: : :C: :Directory Server - 32 bit Client: : : : : : :0:0:/:
idsldap.clt64bit64:idsldap.clt64bit64.rte:6.4.0.15: : :C: :Directory Server - 64 bit Client: : : : : : :0:0:/:
idsldap.clt_max_crypto32bit64:idsldap.clt_max_crypto32bit64.rte:6.4.0.15: : :C: :Directory Server - 32 bit Client (SSL): : : : : : :0:0:/:
idsldap.clt_max_crypto64bit64:idsldap.clt_max_crypto64bit64.rte:6.4.0.15: : :C: :Directory Server - 64 bit Client (SSL): : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.adt:6.4.0.15: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.rte:6.4.0.15: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.license64:idsldap.license64.rte:6.4.0.15: : :C: :Directory Server - License: : : : : : :0:0:/:
Create the symbolic links to the LDAP client binaries and libraries:
[root@aix001]/root> /opt/IBM/ldap/V6.4/bin/idslink -i -l 32 -g
Test:
[root@aix001]/root> ldapsearch -L -D "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -w xxxxxxxxxxxxxx -h ad.mydom.lu -b "OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory
dn: CN=user123,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
...
ldap_search: Sizelimit exceeded
--> Error: too many entries to list (the server's size limit was exceeded)!
New test, restricted to a single entry:
[root@aix001]/root> ldapsearch -L -D "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -w xxxxxxxxxxxxxx -h ad.mydom.lu -b "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory
dn: CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
uid: user1
uidNumber: 200000
gidNumber: 20000
unixHomeDirectory: /home/user1
loginShell: /bin/bash
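A pre-flight check over LDIF output like the one above, added here as an example (it is not part of the original page): it flags entries missing any of the five attributes the AD section calls mandatory, and uidNumber values reused by two entries, so problem accounts are found before AIX is pointed at the directory. The LDIF sample is constructed; pipe real ldapsearch -L output into check_ldif instead.

```shell
#!/bin/sh
# Added example: pre-flight check of AD accounts before pointing AIX at them.
# Input: LDIF as printed by "ldapsearch -L ... uid uidNumber gidNumber loginShell unixHomeDirectory".
# Output: one line per entry, "OK <dn>" or "BAD <dn>: <problems>".
# Constructed sample, not real directory data: user2 lacks three attributes, user3 reuses the uidNumber of user1.
SAMPLE_LDIF='dn: CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
uid: user1
uidNumber: 200000
gidNumber: 20000
unixHomeDirectory: /home/user1
loginShell: /bin/bash

dn: CN=user2,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
uid: user2
uidNumber: 200001

dn: CN=user3,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
uid: user3
uidNumber: 200000
gidNumber: 20000
unixHomeDirectory: /home/user3
loginShell: /bin/bash'

check_ldif() {
  awk '
    # Report the entry collected so far, then reset for the next one.
    function flush(   i, n, req, problems, k) {
      if (dn == "") return
      n = split("uid uidNumber gidNumber loginShell unixHomeDirectory", req, " ")
      problems = ""
      for (i = 1; i <= n; i++)                    # attribute names compare case-insensitively
        if (!(tolower(req[i]) in a)) problems = problems " " req[i]
      if ("uidnumber" in a) {                     # the same uidNumber twice means two accounts share one UID
        if (a["uidnumber"] in seen) problems = problems " uidNumber-duplicate-of " seen[a["uidnumber"]]
        else seen[a["uidnumber"]] = dn
      }
      if (problems == "") { print "OK " dn } else { print "BAD " dn ":" problems }
      for (k in a) delete a[k]
      dn = ""
    }
    /^dn: /        { flush(); dn = substr($0, 5); next }
    /^$/           { flush(); next }
    /^[A-Za-z]+: / { k = $1; sub(/:$/, "", k); a[tolower(k)] = substr($0, length(k) + 3) }
    END            { flush() }
  '
}
run_sample() { printf '%s\n' "$SAMPLE_LDIF" | check_ldif; }
run_sample
```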
===== Connection to Active Directory (insecure, no SSL) =====
Setup LDAP:
[root@aix001]/root> mksecldap -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxxxxx -h ad.mydom.lu -d "OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth
Cannot find the group base DN from the ldap server.
client setup failed.
[root@aix001]/root> mksecldap -c -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -h ad.mydom.lu -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth
Now it is connected (no output on success).
[root@aix001]/root> /usr/sbin/ls-secldapclntd
ldapservers=ad.mydom.lu
current ldapserver=ad.mydom.lu
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=1
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userbasedn=OU=Service Accounts,OU=GRP-Admins,DC=ad,DC=myorg,DC=mydom,DC=lu
groupbasedn=OU=Microsoft Exchange Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu
userobjectclass=user,person,organizationalperson
groupobjectclass=group
--> wrong: userbasedn and groupbasedn were detected incorrectly (wrong OUs), so set them by hand in /etc/security/ldap/ldap.cfg.
If you need multiple OUs, for example for userbasedn, add multiple lines like:
userbasedn:OU=Service Accounts,OU=GRP-Admins,DC=ad,DC=myorg,DC=mydom,DC=lu
userbasedn:OU=Users_specific,DC=ad,DC=myorg,DC=mydom,DC=lu
[root@aix001]/root> /usr/sbin/stop-secldapclntd
[root@aix001]/root> vi /etc/security/ldap/ldap.cfg
[root@aix001]/root> /usr/sbin/restart-secldapclntd
The secldapclntd daemon is not running.
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.
[root@aix001]/root> /usr/sbin/ls-secldapclntd
ldapservers=ad.mydom.lu
current ldapserver=ad.mydom.lu
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=0
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=SFUR2
userbasedn=OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu
groupbasedn=OU=Grp-Security Groups,DC=ad,DC=myorg,DC=mydom,DC=lu
userobjectclass=user,person,organizationalperson
groupobjectclass=group
List users and groups
[root@aix001]/root> lsgroup -R LDAP ALL
testaixgrp id=20000 users=user1 registry=LDAP
[root@aix001]/root> lsuser -R LDAP ALL
user1 id=200000 pgrp=testaixgrp groups=testaixgrp home=/home/user1 shell=/bin/bash login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=compat or LDAP logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=2 minloweralpha=1 minupperalpha=1 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=0 minlen=11 histexpire=13 histsize=8 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
[root@aix001]/root> lsuser -R LDAP -f ALL
user1:
id=200000
pgrp=testaixgrp
groups=testaixgrp
home=/home/user1
shell=/bin/bash
.....
Enable automatic creation of the home directory at first login:
[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
Change the authentication order (to avoid the error: Error committing changes to “default”, clear authcontroldomain first and set it back to LDAP at the end):
[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=''
[root@aix001]/root> chsec -f /etc/security/user -s default -a SYSTEM="files or LDAP"
[root@aix001]/root> chsec -f /etc/security/user -s default -a registry=LDAP
[root@aix001]/root> chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=LDAP
Test a remote connection
[root@aix001] /root/scripts> ssh user1@aix001
user1@aix001's password:
**********************************
* # # ### # # *
* ## # # ## ## *
* # ## # # # # *
* # # ### # # *
**********************************
[user1@aix001]/home/user1>
===== Connection to Active Directory (secure SSL) =====
Setup LDAP:
Create the key DB
[root@labo]/etc/security/ldap# gsk8capicmd_64 -keydb -create -db /etc/security/ldap/ldap.kdb -pw "password" -type cms -stash
[root@labo]/etc/security/ldap# ll
...
4 -rw------- 1 root system 88 Nov 3 15:52 ldap.crl
4 -rw------- 1 root system 88 Nov 3 15:52 ldap.kdb
4 -rw------- 1 root system 88 Nov 3 15:52 ldap.rdb
4 -rw------- 1 root system 193 Nov 3 15:52 ldap.sth
[root@labo]/etc/security/ldap# gsk8capicmd_64 -keydb -list -db /etc/security/ldap/ldap.kdb -pw "password" -stash
Currently supported key database types:
cms
pkcs11
pkcs12
csp
pkcs7
KDB file format is CMS version 4
hdmac:
...
dbmac:
...
KDB password does not expire.
Record count 0, Record size 5000
Expected KDB file size is 88 bytes
Actual KDB file size is 88 bytes.
File size is as expected, good.
Add the CA certificate into the key DB:
[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -add -db /etc/security/ldap/ldap.kdb -pw "password" -type pem -file BA_certificate/ca2.ba.cer -label "BA_ca2.cer"
[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -list -db /etc/security/ldap/ldap.kdb -pw "password"
Certificates found
* default, - personal, ! trusted, # secret key
! BA_ca2.cer
[root@labo]/etc/security/ldap# gsk8capicmd_64 -cert -details -db /etc/security/ldap/ldap.kdb -pw "password" -label "BA_ca2.cer"
Label : BA_ca2.cer
Key Size : 2048
Version : X509 V3
Serial : 5a8xxxxxxxxxxxxxxxxxxf
Issuer : CN=CA.BA.LU,DC=ba,DC=lu
Subject : CA.BA.LU,DC=ba,DC=lu
Not Before : February 5, 2012 5:54:02 PM GMT+01:00
Not After : February 5, 2015 6:04:01 PM GMT+01:00
Public Key
...
Trust Status : Enabled
[root@labo]/etc/security/ldap# ldapsearch -L -D "CN=ldap usr,OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu" -w "Mypasswd" -h ldap.ba.lu -p 636 -K /etc/security/ldap/ldap.kdb -b "OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu" '(objectClass=*)' uid uidNumber gidNumber Loginshell unixHomeDirectory
...
dn: CN=My User1,OU=ALL Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu
uid: myuser1
unixHomeDirectory: /home/myuser1
loginShell: /usr/bin/bash
gidNumber: 1200xxxxx
uidNumber: 12004yyyyy
Configure the LDAP client with the SSL key DB:
[root@aix001]/root# mksecldap -c -h ad.mydom.lu -n 636 -k /etc/security/ldap/ldap.kdb -w "password" -j SSL -a "CN=user1,OU=Grp-Users,DC=ad,DC=myorg,DC=mydom,DC=lu" -p xxxxxxxxxx -d "DC=ad,DC=myorg,DC=mydom,DC=lu" -A ldap_auth -u NONE
===== Errors =====
==== LDAP in debug mode ====
Add rotation for the debug file
# cat /etc/logrotate.d/system.conf
/var/log/syslog/ldap.debug {
copytruncate
rotate 3
size=100M
}
Create the debug file
# touch /var/log/syslog/ldap.debug
Restart the LDAP daemon in debug mode
[root@aix01]/root# export LDAP_DEBUG=65535
[root@aix01]/root# export LDAP_DEBUG_FILE=/var/log/syslog/ldap.debug
[root@aix01]/root# stop-secldapclntd
The secldapclntd daemon is successfully terminated.
[root@aix01]/root# start-secldapclntd
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.
==== User password is expired ====
Accounts appear to be expired on AIX; a workaround is to set maxage to 0 (the default).
Check whether your LDAP server maintains an attribute such as **pwdLastSet** that serves the same function as shadowLastChange, i.e. records the last time a user's password was changed. Windows AD maintains pwdLastSet, for example. If so, change your attribute map file (designated by the userattrmappath attribute in ldap.cfg) to map lastupdate to that attribute.
One thing to note is that while shadowLastChange stores its value in 'days since epoch' -
shadowlastchange: 17971
pwdLastSet stores its values as 100-nanosecond intervals since Jan 1, 1601 (UTC) -
pwdLastSet: 132076930680413464
Because of that difference, when setting a mapping for lastupdate -> pwdLastSet, the unit used will need to be 'UTC':
lastupdate SEC_INT pwdLastSet s UTC yes
[root@labo]/etc/security/ldap# /usr/sbin/restart-secldapclntd
[root@labo]/etc/security/ldap# pwdadm -R LDAP -q user1
user1:
lastupdate = 1634548341
(compare that to the 'days' unit that is used for shadowLastChange, shown above).
**Also note:** any change to the map files requires a 'restart-secldapclntd' before it is seen.
If you make this change, the LDAP users still have the local 'maxage' value applied when password aging is checked, but it works correctly and only reports the user's password as expired if it truly is.
**For info**
Convert an AD pwdLastSet value to a date using the shell (GNU date from the AIX Toolbox is needed for --date="@seconds"). With the sample value below the result is 1634548341, the same lastupdate value pwdadm shows above:
#!/bin/bash
BIN_DATE=/opt/freeware/bin/date    # GNU date from the AIX Toolbox, supports --date="@seconds"
pwdlastset=132790219411425836      # 100-nanosecond intervals since 1601-01-01 00:00:00 UTC
adseconds=$(echo "$pwdlastset/10000000" | bc)    # whole seconds since 1601-01-01 (bc scale defaults to 0)
diffepochsec=11644473600                         # exact offset between 1601-01-01 and 1970-01-01: 134774 days * 86400 s
unixsec=$(echo "$adseconds-$diffepochsec" | bc)  # Unix timestamp (seconds since 1970-01-01)
$BIN_DATE --date="@$unixsec" +%Y/%m/%d-%T
==== User password is expired maxage ====
As in the previous section, accounts appear to be expired on AIX; a workaround is to set maxage to 0 (the default).
Another workaround is to map maxage to an AD attribute that is always set to **0**.
Ex:
[root@labo]/etc/security/ldap# cat sfur2user.map
maxage SEC_INT codePage s na yes
This is not the right attribute, but since shadowMax has disappeared from AD, there is no proper substitute.
==== Autologin ====
Users present in AD were automatically logged in **without a password**?!
I use PAM as the connection method, and one line was missing from /etc/pam.conf: the second one in the following extract.
...
sshd auth requisite pam_permission file=/etc/auth.allow found=allow
sshd auth required pam_aix
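The check behind the fix above, as an added example that is not part of the original page: it audits the auth stacks in /etc/pam.conf and reports every service, like an sshd entry carrying only the pam_permission line, where no password-checking module is configured. Treating pam_aix and pam_ldap as the password checkers is this check's assumption; the pam.conf sample is constructed.

```shell
#!/bin/sh
# Added example: audit the "auth" stacks in an AIX-style /etc/pam.conf and flag every
# service whose stack contains no password-checking module. Treating pam_aix and
# pam_ldap as the password checkers is an assumption of this check, not an AIX rule.
# Constructed sample, not a real pam.conf: sshd has only the pam_permission line,
# login has both lines from the extract above, telnet relies on pam_aix alone.
SAMPLE_PAM='# constructed sample
sshd    auth    requisite   pam_permission  file=/etc/auth.allow found=allow
sshd    account required    pam_aix
login   auth    requisite   pam_permission  file=/etc/auth.allow found=allow
login   auth    required    pam_aix
telnet  auth    sufficient  pam_aix'

audit_pam_auth() {
  awk '
    $1 ~ /^#/ || NF < 4 { next }        # skip comments and malformed lines
    $2 == "auth" {
      svc[$1] = 1
      # The password is only verified when the checker sits in the auth stack with a
      # control flag that counts: required/requisite, or sufficient on its own.
      if ($3 ~ /^(required|requisite|sufficient)$/ && $4 ~ /pam_(aix|ldap)$/)
        ok[$1] = 1
    }
    END { for (s in svc) print ((s in ok) ? "OK " : "NO-PASSWORD-CHECK ") s }
  ' | LC_ALL=C sort
}
run_pam_sample() { printf '%s\n' "$SAMPLE_PAM" | audit_pam_auth; }
run_pam_sample
```

Run it as audit_pam_auth < /etc/pam.conf on a real system; any NO-PASSWORD-CHECK line is a service that accepts logins without verifying a password.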
==== Unable to login ====
If the ssh connection fails although the password is correct and the account is not locked...\\
Check the config file **/etc/security/ldap/ldap.cfg**: maybe the groupbasedn has a bad definition!\\
Either the search base is too restrictive, or the OU is wrong:
userbasedn:OU=My Users,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu
groupbasedn:OU=app,OU=users Groups,OU=ALL Users & Groups,DC=ba,DC=bc,DC=lu
===== Optional components =====
* RPM packages: sudo
https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/sudo/
RPM package:
sudo_ids
To integrate sudo with LDAP:
https://www.djouxtech.net/posts/aix-ldap-configuration/
To consult LDAP first, followed by the local sudoers file (if it exists), set in **/etc/netsvc.conf**:
sudoers = ldap, files
The local sudoers file can be ignored completely with:
sudoers = ldap
To treat LDAP as authoritative and only use the local sudoers file if the user is not present in LDAP, use:
sudoers = ldap = auth, files
# cat /etc/netsvc.conf
hosts=local,bind4
sudoers=ldap,files
===== Additional commands =====
==== UNIX commands ====
Check the bind password of the **ldap-sds** user (the search returns the entry only if the bind succeeds):
# ldapsearch -L -D ... '(&(objectclass=*)(uid=userad01))' uid uidNumber gidNumber Loginshell unixHomeDirectory
# ldapsearch -L -D ... '(&(objectclass=*)(uid=userad01))'
==== Windows commands ====
Parameters extracted from Active Directory (using PowerShell):
PS C:\Windows\System32> Get-AdUser -Filter "givenName -eq 'userad01'" -Properties *
Two commands list groups: Get-ADGroup and Get-ADGroupMember.
PS C:\Windows\System32> Get-ADGroup -Identity 'groupad01' -Properties *
===== References =====
https://www.ibm.com/support/pages/active-directory-ad-aix-step-step-instructions-integrate-active-directory-2016-aix-ldap-protocol
http://www.wmduszyk.com/?p=11663&langswitch_lang=pl&cpage=1#comment-50005
https://aerostitch.github.io/linux_and_unix/AIX/AIX-Security-Kerberos_Authentication.html
https://www.djouxtech.net/posts/aix-ldap-configuration/
http://kb.ictbanking.net/article.php?id=279
https://www.identitycosmos.com/http:/www.identitycosmos.com/strategie/microsoft-annonce-la-suppression-du-support-de-identity-management-for-unix-idmu-nis-server-role-dans-windows-server-2016-technical-preview-et-aprs
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
https://wiki.samba.org/index.php/Installing_RSAT#Missing_Unix_Attributes_tab_in_ADUC_on_Windows_10_and_Windows_Server_2016
https://banck.net/2014/02/preparing-windows-2012-r2-active-directory-for-linux/