====== OpenLDAP server installation ======
The installation is done on CentOS 7.2 ppcLE
http://www.zytrax.com/books/ldap/
https://www.vincentliefooghe.net/content/gestion-des-mots-passe-avec-openldap
http://www.flagword.net/2013/02/openldap-with-tls-ppolicy-and-master-master-replication-on-rhel6-3/comment-page-1/
http://itdavid.blogspot.lu/2012/05/howto-centos-6.html
===== Reset config from scratch =====
//Optional//\\
As root, clean up the /etc/openldap/slapd.d and /var/lib/ldap folders, then run the following (this is the post-install script from the openldap-servers package):
Create the LDAP config directory and set its ownership:
# mkdir /etc/openldap/slapd.d
# chown -R ldap. /etc/openldap/slapd.d
Then generate LDAP config:
# /usr/libexec/openldap/convert-config.sh -f /usr/share/openldap-servers/slapd.ldif &>/dev/null
Or:
# /sbin/runuser --shell /bin/sh --session-command "/usr/sbin/slapadd -F /etc/openldap/slapd.d -n 0 -l /usr/share/openldap-servers/slapd.ldif" ldap
__For info:__ If you plan to use the password policy overlay (ppolicy), uncomment the following in /usr/share/openldap-servers/slapd.ldif before generating the config:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: ppolicy.la
===== Install LDAP server =====
LDAP server version 2.4.40
[root@rhldaph1 ~]# yum update && yum install openldap openldap-clients openldap-servers nss-pam-ldapd samba sudo
For LDAP client:
[root@rhldaph1 ~]# yum update && yum install openldap openldap-clients nss-pam-ldapd
===== LDAP Initialization =====
Starting LDAP server
[root@rhldaph1 ~]# mkdir /var/lib/ldap
[root@rhldaph1 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@rhldaph1 ~]# chown -R ldap. /var/lib/ldap
Manual start (for information, you can add //-d 255// for debug):
[root@rhldaph1 ~]# /usr/sbin/slapd -u ldap -d 3 -F /etc/openldap/slapd.d -h "ldapi:// ldaps://0.0.0.0:636 ldap://127.0.0.1:389"
Or
systemctl start slapd
Verify access to LDAP server
[root@rhldaph1 openldap]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=mydom,dc=tst
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
===== Base config =====
**Suffix and RootDN:**
[root@rhldapr1 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <
[root@rhldapr1 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <
**Generate an LDAP password hash**
The test password is: **ld@pssw0rd**
[root@rhldaph1 Packages]# slappasswd
New password:
Re-enter new password:
{SSHA}vGIzlcCnP35Tt/HkTtjZuakgOkiBg7Rs
[root@rhldapr1 ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <
**View the changes:**
[root@rhldapr1 ~]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
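The bodies of the three ldapmodify heredocs above are not reproduced on this page. The following Python is an added example (not the page's own commands): it builds the equivalent modify LDIF for suffix, rootDN and rootPW, and shows what the slappasswd output is, SHA-1 over password plus a 4-byte salt, base64-encoded with the salt appended, so a stored {SSHA} value can be verified without keeping the cleartext. The database DN olcDatabase={2}hdb,cn=config is an assumption (the stock CentOS 7 slapd.ldif creates it, and the page refers to that file later); confirm it with ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix before applying.

```python
import base64
import hashlib
import hmac
import os

# Constructed example values, matching the names used on this page.
SUFFIX = "dc=mydom,dc=tst"
ROOT_DN = "cn=Manager,dc=mydom,dc=tst"
# Assumption: the database entry created by the stock CentOS 7 slapd.ldif.
DB_DN = "olcDatabase={2}hdb,cn=config"


def ssha_hash(password, salt=None):
    """Return an {SSHA} value in the form slappasswd produces:
    base64(SHA1(password || salt) || salt).  slappasswd picks a random
    4-byte salt; a fixed salt is only for reproducible tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value (constant-time compare)."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def base_config_ldif(suffix, root_dn, root_pw_hash, db_dn=DB_DN):
    """Build ldapmodify input that sets olcSuffix, olcRootDN and olcRootPW
    on one database entry, with the '-' separator between operations."""
    if not root_pw_hash.startswith("{"):
        raise ValueError("olcRootPW must be a hashed value such as {SSHA}..., not cleartext")
    changes = [("olcSuffix", suffix), ("olcRootDN", root_dn), ("olcRootPW", root_pw_hash)]
    lines = ["dn: " + db_dn, "changetype: modify"]
    for i, (attr, value) in enumerate(changes):
        if i:
            lines.append("-")
        lines.append("replace: " + attr)
        lines.append(attr + ": " + value)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hashed = ssha_hash("ld@pssw0rd")
    print(base_config_ldif(SUFFIX, ROOT_DN, hashed))
    print("# apply with: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f base.ldif")
```

Write the output to a file and apply it with ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f base.ldif. The generator refuses a cleartext olcRootPW on purpose: cn=config is readable by whoever can bind as root over ldapi, so only a hash should ever be stored there.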
==== Organization, Users, Groups ====
Create an organization tree and add a user. This is required to get started; later you'll see how to create an LDAP user from a host.
[root@rhldaph1 cn=config]# vi user_init.ldif
dn: dc=mydom,dc=tst
objectClass: dcObject
objectClass: organizationalUnit
dc: mydom
ou: Mydom Dot Tst
dn: cn=Manager,dc=mydom,dc=tst
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
description: LDAP administrator
userPassword: {SSHA}vGIzlcCnP35Tt/HkTtjZuakgOkiBg7Rs
dn: ou=people,dc=mydom,dc=tst
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=mydom,dc=tst
objectClass: organizationalUnit
ou: groups
dn: uid=userldap1,ou=people,dc=mydom,dc=tst
homeDirectory: /home/ldapuser3
isAdministrator: false
loginShell: /usr/bin/ksh
uidNumber: 6001
gidNumber: 20000
passwordChar: *
uid: userldap1
cn: userldap1
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
objectClass: aixAuxAccount
objectClass: ibm-SecurityIdentities
dn: cn=grouptest1,ou=groups,dc=mydom,dc=tst
objectClass: top
objectClass: aixAuxGroup
objectClass: posixGroup
isAdministrator: false
gidNumber: 20000
cn: grouptest1
memberUid: userldap1
The following two commands are identical; only the first one (SASL EXTERNAL over ldapi://) does not ask for a password.
ldapadd -Y EXTERNAL -H ldapi:/// -f user_init.ldif
Or
ldapadd -x -W -c -D "cn=Manager,dc=mydom,dc=tst" -f user_init.ldif
[root@rhldaph1 cn=config]# ldapadd -x -W -c -D "cn=Manager,dc=mydom,dc=tst" -f user_init.ldif
[root@rhldaph1 cn=config]# ldapsearch -x -D cn=Manager,dc=mydom,dc=tst -H ldap:// -b dc=mydom,dc=tst -w ld@pssw0rd
[root@rhldaph1 cn=config]# ldapsearch -x -b "dc=mydom,dc=tst" -H ldaps://localhost
# extended LDIF
#
# LDAPv3
# base <dc=mydom,dc=tst> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# mydom.tst
dn: dc=mydom,dc=tst
objectClass: dcObject
objectClass: organizationalUnit
dc: mydom
ou: Mydom Dot Tst
# Manager, mydom.tst
dn: cn=Manager,dc=mydom,dc=tst
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Manager
description: LDAP administrator
===== Start options =====
If secure LDAP (ldaps) is required, change the **SLAPD_URLS** parameter in /etc/sysconfig/slapd:
[root@rhldaph1 sysconfig]# cat /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information
# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
# (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap:///"
# Any custom options
#SLAPD_OPTIONS=""
# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
==== Enable / Start / Stop /Status LDAP as service ====
[root@rhldaph1 ~]# systemctl start slapd.service
[root@rhldaph1 ~]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2016-06-01 17:38:01 CEST; 1s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 23142 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 23126 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 23143 (slapd)
CGroup: /system.slice/slapd.service
└─23143 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Jun 01 17:38:01 rhldaph1 systemd[1]: Starting OpenLDAP Server Daemon...
Jun 01 17:38:01 rhldaph1 runuser[23129]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 01 17:38:01 rhldaph1 runuser[23129]: pam_unix(runuser:session): session closed for user ldap
Jun 01 17:38:01 rhldaph1 slapd[23142]: @(#) $OpenLDAP: slapd 2.4.40 (Nov 22 2015 13:57:05) $
mockbuild@p8levm3.lon1.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/servers/slapd
Jun 01 17:38:01 rhldaph1 slapd[23143]: hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=mydom,dc=tst".
Jun 01 17:38:01 rhldaph1 slapd[23143]: slapd starting
Jun 01 17:38:01 rhldaph1 systemd[1]: Started OpenLDAP Server Daemon.
Manually start LDAP:
[root@rhldaph1 ~]# /usr/sbin/slapd -u ldap -F /etc/openldap/slapd.d -h "ldapi:// ldaps://0.0.0.0:636 ldap://127.0.0.1:389"
===== Add new schema to LDAP =====
==== List and update the LDAP config ====
[root@rhldaph1 cn=config]# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif
==== Other method to configure base parameters ====
Remove old HDB file
[root@rhldaph1 ~]# cd /etc/openldap/slapd.d/cn=config
[root@rhldaph1 cn=config]# mv /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif /tmp
Write the new database definition to an LDIF file:
[root@rhldaph1 ~]# cat newhdb.ldif
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=ldapdom,dc=tst
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=ldapdom,dc=tst
olcRootPW: {SSHA}a23yJUEn9OqA2E6JXVBzfvaaw88IUy3t
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: objectClass eq
olcDbCacheSize: 20000
olcDbCheckpoint: 512 30
olcDbIDLcacheSize: 320000
olcDbConfig: set_lg_bsize 2097512
olcDbConfig: set_flags DB_LOG_AUTOREMOVE
olcAccess: to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=ldapdom,dc=tst" write
by * none
olcAccess: to *
by self write
by dn.base="cn=Manager,dc=ldapdom,dc=tst" write
by * read
Apply parameters
[root@rhldaph1 ~]# slapd -F /etc/openldap/slapd.d -h "ldapi://"
[root@rhldaph1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f newhdb.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=hdb,cn=config"
[root@rhldaph1 ~]# cd /etc/openldap/slapd.d/cn=config
[root@rhldaph1 ~]# chown ldap.ldap *.ldif
Start LDAP
[root@rhldaph1 ~]# systemctl start slapd
**Error**
[root@rhldaph1 ldap]# systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2016-06-02 15:58:38 CEST; 11s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 29380 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
Process: 29349 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Jun 02 15:58:38 rhldaph1 runuser[29376]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jun 02 15:58:38 rhldaph1 runuser[29376]: pam_unix(runuser:session): session closed for user ldap
Jun 02 15:58:38 rhldaph1 slapd[29380]: @(#) $OpenLDAP: slapd 2.4.40 (Nov 22 2015 13:57:05) $
mockbuild@p8levm3.lon1.centos.org:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/servers/slapd
Jun 02 15:58:38 rhldaph1 slapd[29380]: ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
Jun 02 15:58:38 rhldaph1 slapd[29380]: slapd stopped.
.......
==== List and add schema ====
List all schema installed
[root@rhldaph1 cn=config]# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(objectClass=olcSchemaConfig)" dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
**The minimum schemas should be:**
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
https://wiki.debian.org/LDAP/OpenLDAPSetup
All available schema are located in /etc/openldap/schema
[root@rhldaph1 cn=schema]# ls /etc/openldap/schema/
collective.ldif corba.ldif core.ldif cosine.ldif duaconf.ldif dyngroup.ldif inetorgperson.ldif java.ldif misc.ldif nis.ldif openldap.ldif pmi.ldif ppolicy.ldif collective.schema corba.schema core.schema cosine.schema duaconf.schema dyngroup.schema inetorgperson.schema java.schema misc.schema nis.schema openldap.schema pmi.schema ppolicy.schema
For AIX, copy the rfc2307aix.schema file from the appendix http://emmanuel.iffly.free.fr/doku.php?id=ldap:openldap_2.4#rfc2307aix.schema into /etc/openldap/schema/
Prepare a slapd.conf-style file listing the schemas to convert to LDIF:
# cat /tmp/schema.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/rfc2307aix.schema
# mkdir /tmp/slapd.d
# slaptest -f /tmp/schema.conf -F /tmp/slapd.d/
config file testing succeeded
Copy LDIF files and restart:
# cd /tmp/slapd.d/cn=config/cn=schema
# cp /etc/openldap/slapd.d/cn=config/cn=schema/cn={0\}core.ldif /tmp
# cp *.ldif /etc/openldap/slapd.d/cn=config/cn=schema/
# cd /etc/openldap/slapd.d/cn=config/cn=schema/
# chown -R ldap.ldap /etc/openldap/slapd.d/cn=config/cn=schema/*.ldif
# systemctl restart slapd
=== Validate the full config ===
[root@rhldaph1 slapd.d]# slaptest -u
config file testing succeeded
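slaptest stops at the first duplicate OID or NAME it meets in a hand-edited .schema file such as rfc2307aix.schema (reproduced at the end of this page). The following Python is an added example, not part of the page or of OpenLDAP: a small parser for the attributetype/objectclass syntax that reports duplicates with their line numbers before the slaptest run. The sample input is constructed in the style of the AIX schema; the objectclass OID in it is made up.

```python
import re

HEAD_RE = re.compile(r"\s*(attributetype|objectclass)\b(.*)", re.IGNORECASE)
NAME_RE = re.compile(r"\bNAME\s+(\([^)]*\)|'[^']*')")

# Constructed excerpt in the style of rfc2307aix.schema.
SAMPLE_SCHEMA = """\
# two real AIX attribute definitions, one made-up objectclass
attributetype ( 1.3.18.0.2.4.810 NAME 'adminGroupNames'
    DESC 'list of groups a user administrates'
    EQUALITY 2.5.13.5
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE
    USAGE userApplications )

attributetype ( 1.3.18.0.2.4.728 NAME 'isAdministrator'
    DESC 'indicates whether an account has administrative authority'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

# The objectclass OID below is invented for this example.
objectclass ( 1.3.18.0.2.6.999 NAME 'exampleAuxAccount' SUP top AUXILIARY
    DESC 'constructed example class (not an AIX class)'
    MAY ( adminGroupNames $ isAdministrator ) )
"""


def parse_schema(text):
    """Return [(kind, oid, [names], first_line)] for every definition.
    Parentheses inside quoted strings are ignored when balancing."""
    defs, buf, depth, kind, start = [], [], 0, None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue                      # comment line
        line = raw
        if kind is None:
            m = HEAD_RE.match(line)
            if not m:
                continue                  # text between definitions
            kind, start, line = m.group(1).lower(), lineno, m.group(2)
        buf.append(line)
        bare = re.sub(r"'[^']*'", "''", line)   # drop DESC text before counting
        depth += bare.count("(") - bare.count(")")
        if depth <= 0:
            body = " ".join(buf)
            m_oid = re.search(r"\(\s*(\S+)", body)
            oid = m_oid.group(1) if m_oid else "?"
            nm = NAME_RE.search(body)
            names = re.findall(r"'([^']*)'", nm.group(1)) if nm else []
            defs.append((kind, oid, names, start))
            buf, depth, kind = [], 0, None
    return defs


def lint_schema(text):
    """Report OIDs and NAMEs defined twice inside one file (slaptest rejects both).
    Clashes with schema already loaded, e.g. core.schema, are not seen here."""
    findings, seen_oid, seen_name = [], {}, {}
    for kind, oid, names, line in parse_schema(text):
        if oid in seen_oid:
            findings.append("line %d: %s OID %s already defined at line %d"
                            % (line, kind, oid, seen_oid[oid]))
        else:
            seen_oid[oid] = line
        for name in names:
            key = name.lower()            # schema names are case-insensitive
            if key in seen_name:
                findings.append("line %d: NAME '%s' already defined at line %d"
                                % (line, name, seen_name[key]))
            else:
                seen_name[key] = line
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SCHEMA
    for f in lint_schema(text) or ["no duplicate OID or NAME found"]:
        print(f)
```

Run it as python3 lint_schema.py /etc/openldap/schema/rfc2307aix.schema; without an argument it lints the embedded sample. It is a pre-check only: slaptest -f /tmp/schema.conf -F /tmp/slapd.d/ remains the authority, since it also resolves SUP and syntax references across all included files.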
===== Tuning =====
==== syslog ====
Add the following lines to /etc/rsyslog.conf, then restart rsyslog and slapd:
[root@rhldaph1 ldap]# cat /etc/rsyslog.conf
......
# Log Openldap
local4.* /var/log/slapd.log
[root@rhldaph1 ldap]# touch /var/log/slapd.log
[root@rhldaph1 ldap]# systemctl restart rsyslog
[root@rhldaph1 ldap]# systemctl restart slapd
Rotate the slapd.log
[root@rhldaph1 logrotate.d]# cat /etc/logrotate.d/openldap
# OpenLDAP
/var/log/slapd.log {
copytruncate
missingok
notifempty
compress
weekly
rotate 10
size=50M
sharedscripts
postrotate
# OpenLDAP logs via syslog, restart syslog if running
systemctl restart rsyslog
endscript
}
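Once slapd logs to /var/log/slapd.log as set up above, the file is the place to watch for password guessing and for credentials sent in the clear. The following Python is an added example, not part of the page: it correlates the conn=/op= lines that slapd writes at the stats loglevel (the default, an assumption for your server) and reports failed simple binds per peer and DN, plus simple binds with a DN on connections that never negotiated TLS. The log lines are constructed in slapd's syslog format; the host and PID echo the ones on this page.

```python
import re
from collections import defaultdict

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from (\S+)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
SIMPLE_BIND = "128"   # LDAP_AUTH_SIMPLE; SASL binds (EXTERNAL over ldapi) log method=163

# Constructed sample: three bad Manager passwords over plain ldap://, one good
# user bind over ldaps://, and a local SASL EXTERNAL bind over ldapi://.
SAMPLE_LOG = """\
Jun  1 17:40:02 rhldaph1 slapd[23143]: conn=1001 fd=12 ACCEPT from IP=10.1.2.3:41234 (IP=0.0.0.0:389)
Jun  1 17:40:02 rhldaph1 slapd[23143]: conn=1001 op=0 BIND dn="cn=Manager,dc=mydom,dc=tst" method=128
Jun  1 17:40:02 rhldaph1 slapd[23143]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jun  1 17:40:03 rhldaph1 slapd[23143]: conn=1001 op=1 BIND dn="cn=Manager,dc=mydom,dc=tst" method=128
Jun  1 17:40:03 rhldaph1 slapd[23143]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jun  1 17:40:04 rhldaph1 slapd[23143]: conn=1001 op=2 BIND dn="cn=Manager,dc=mydom,dc=tst" method=128
Jun  1 17:40:04 rhldaph1 slapd[23143]: conn=1001 op=2 RESULT tag=97 err=49 text=
Jun  1 17:40:05 rhldaph1 slapd[23143]: conn=1001 fd=12 closed
Jun  1 17:41:00 rhldaph1 slapd[23143]: conn=1002 fd=13 ACCEPT from IP=10.1.2.9:50001 (IP=0.0.0.0:636)
Jun  1 17:41:00 rhldaph1 slapd[23143]: conn=1002 fd=13 TLS established tls_ssf=256 ssf=256
Jun  1 17:41:00 rhldaph1 slapd[23143]: conn=1002 op=0 BIND dn="uid=userldap1,ou=people,dc=mydom,dc=tst" method=128
Jun  1 17:41:00 rhldaph1 slapd[23143]: conn=1002 op=0 BIND dn="uid=userldap1,ou=people,dc=mydom,dc=tst" mech=SIMPLE ssf=0
Jun  1 17:41:00 rhldaph1 slapd[23143]: conn=1002 op=0 RESULT tag=97 err=0 text=
Jun  1 17:42:00 rhldaph1 slapd[23143]: conn=1003 fd=14 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Jun  1 17:42:00 rhldaph1 slapd[23143]: conn=1003 op=0 BIND dn="" method=163
Jun  1 17:42:00 rhldaph1 slapd[23143]: conn=1003 op=0 RESULT tag=97 err=0 text=
"""


def _peer(accept_field):
    """'IP=10.1.2.3:41234' -> '10.1.2.3', 'PATH=/var/run/ldapi' -> 'local'."""
    if accept_field.startswith("IP="):
        return accept_field[3:].rsplit(":", 1)[0]
    return "local"


def analyse(lines):
    """Walk the log once and return (failed, cleartext):
    failed    {(peer, dn): count} of binds answered err=49 (invalidCredentials)
    cleartext [(peer, dn)] simple binds with a DN on a network connection that
              never negotiated TLS, i.e. the password crossed the wire unencrypted."""
    peer, tls, pending = {}, set(), {}
    failed, cleartext = defaultdict(int), []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            peer[m.group(1)] = _peer(m.group(2))
            continue
        m = TLS_RE.search(line)
        if m:
            tls.add(m.group(1))
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = dn
            if method == SIMPLE_BIND and dn and conn not in tls and peer.get(conn) != "local":
                cleartext.append((peer.get(conn, "?"), dn))
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) == "49":
            conn, op = m.group(1), m.group(2)
            failed[(peer.get(conn, "?"), pending.pop((conn, op), ""))] += 1
    return dict(failed), cleartext


def bruteforce_candidates(lines, threshold=3):
    """Peers with at least `threshold` failed binds across all DNs."""
    per_peer = defaultdict(int)
    for (p, _dn), n in analyse(lines)[0].items():
        per_peer[p] += n
    return sorted(p for p, n in per_peer.items() if n >= threshold)


if __name__ == "__main__":
    failed, clear = analyse(SAMPLE_LOG.splitlines())
    print("failed binds:", failed)
    print("cleartext binds:", clear)
    print("peers over threshold:", bruteforce_candidates(SAMPLE_LOG.splitlines()))
```

Point it at the real file with analyse(open("/var/log/slapd.log")). The cleartext list is the server-side view of the client setting ssl no with uri ldap:// shown later on this page: every such bind exposes the user's password to anyone on the path, which is the reason to serve ldaps:// (or STARTTLS) and make clients use it.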
==== Indexes ====
For better performance, index more attributes than the default.
Create an LDIF file **olcDbIndex.ldif**:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq
Use ldapmodify to add these settings to the LDAP config:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif
Don't forget the - separator between the operations! After the command runs, slapd launches an internal task to build the indexes; don't stop slapd while this indexing is in progress.
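The missing - between two add: operations is the usual reason such a file is refused. As an added example (not the page's own tooling), the following Python generates the olcDbIndex modify LDIF from a list of (attribute list, index types) pairs, validates the index types against the set slapd-hdb(5) documents, and counts operations in a hand-written file that lack the separator. The PAGE_INDEXES list mirrors the olcDbIndex.ldif shown above; the database DN is the one from that file.

```python
# Index types olcDbIndex accepts (slapd-hdb(5)); the page uses 'subinitial'
# for the substring-prefix variant.
INDEX_TYPES = {"pres", "eq", "approx", "sub", "subinitial", "subany", "subfinal"}
MOD_OPS = ("add: ", "replace: ", "delete: ")

# Constructed from the olcDbIndex.ldif shown on this page.
PAGE_INDEXES = [
    ("cn", "pres,sub,eq"), ("sn", "pres,sub,eq"), ("uid", "pres,sub,eq"),
    ("displayName", "pres,sub,eq"), ("default", "sub"), ("uidNumber", "eq"),
    ("gidNumber", "eq"), ("mail,givenName", "eq,subinitial"), ("dc", "eq"),
]


def index_ldif(db_dn, indexes):
    """Emit one 'add: olcDbIndex' operation per (attrlist, types) pair,
    separated by '-' lines, after validating the index types."""
    lines = ["dn: " + db_dn, "changetype: modify"]
    for i, (attrs, types) in enumerate(indexes):
        bad = [t for t in types.split(",") if t not in INDEX_TYPES]
        if bad:
            raise ValueError("unknown index type(s) for %s: %s" % (attrs, ",".join(bad)))
        if i:
            lines.append("-")             # the separator the page warns about
        lines.append("add: olcDbIndex")
        lines.append("olcDbIndex: %s %s" % (attrs, types))
    return "\n".join(lines) + "\n"


def missing_separators(ldif_text):
    """Count modify operations in a hand-written LDIF that are not preceded by
    the '-' separator; ldapmodify rejects such a file instead of applying it."""
    count, need_sep = 0, False
    for line in ldif_text.splitlines():
        if line == "-":
            need_sep = False
        elif line.startswith(MOD_OPS):
            if need_sep:
                count += 1
            need_sep = True
    return count


if __name__ == "__main__":
    text = index_ldif("olcDatabase={1}hdb,cn=config", PAGE_INDEXES)
    print(text)
    print("# operations without separator:", missing_separators(text))
```

Write the output to olcDbIndex.ldif and apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif as above; run missing_separators() on any file you wrote by hand before that.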
==== Access control ====
Configuring 'chsh' and 'chfn' to work with LDAP
Create an LDIF file **olcAccess.ldif** granting the user and the admin write access to the loginShell and gecos attributes (replace cn=admin,dc=example,dc=com with your own rootDN, here cn=Manager,dc=mydom,dc=tst):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=loginShell,gecos
by dn="cn=admin,dc=example,dc=com" write
by self write
by * read
Apply these new permissions immediately with:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccess.ldif
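slapd evaluates olcAccess rules in order and stops at the first rule whose to clause matches, so a {n} prefix that puts a rule after to * makes it unreachable, and a userPassword rule that lets anonymous read would hand out the hashes. The following Python is an added example, not part of the page: it unfolds the olcAccess values from an LDIF, parses the to/by clauses and reports the ordering and password-exposure problems a reviewer would look for. The two LDIF samples are constructed from the rules shown earlier on this page; note that a continuation line in LDIF starts with one space that is removed, so the by lines need two leading spaces to stay separate words.

```python
import re

# Constructed LDIF in the style of this page's access rules (rootDN as used here).
SAMPLE_GOOD = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=mydom,dc=tst" write
  by * none
olcAccess: {1}to *
  by self write
  by dn.base="cn=Manager,dc=mydom,dc=tst" write
  by * read
"""

# Same rules with the catch-all first and anonymous allowed to read hashes.
SAMPLE_BAD = """\
dn: olcDatabase={2}hdb,cn=config
olcAccess: {0}to *
  by self write
  by * read
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous read
  by * none
"""


def ldif_values(ldif_text, attr):
    """Return the values of attr, unfolding LDIF continuation lines."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # one leading space is the fold marker
        else:
            unfolded.append(line)
    prefix = attr.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in unfolded if line.lower().startswith(prefix)]


def parse_access(value):
    """Split 'to <what> by <who> <access> ...' into (what, [(who, access), ...])."""
    value = re.sub(r"^\{\d+\}", "", value.strip())   # drop the {n} ordering prefix
    parts = re.split(r"\s+by\s+", value)
    if not parts[0].startswith("to "):
        raise ValueError("olcAccess value must start with 'to': " + value)
    clauses = []
    for part in parts[1:]:
        tokens = part.split()
        if len(tokens) < 2:
            raise ValueError("'by' clause needs <who> and <access>: " + part)
        clauses.append((tokens[0], tokens[1]))   # control words after <access> are ignored
    return parts[0][3:].strip(), clauses


def review_acls(ldif_text):
    """Return a list of findings; an empty list means the rules pass these checks."""
    findings = []
    rules = [parse_access(v) for v in ldif_values(ldif_text, "olcAccess")]
    pw_rules = [i for i, (what, _) in enumerate(rules) if "userpassword" in what.lower()]
    catch_all = [i for i, (what, _) in enumerate(rules) if what == "*"]
    if not pw_rules:
        findings.append("no rule restricts userPassword; hashes fall under the catch-all")
    elif catch_all and catch_all[0] < pw_rules[0]:
        findings.append("userPassword rule comes after 'to *': slapd uses the first matching "
                        "'to' clause, so it is never reached")
    for i in pw_rules:
        for who, access in rules[i][1]:
            if who in ("*", "anonymous", "users") and access not in ("none", "auth"):
                findings.append("userPassword: '%s' gets '%s', expected 'auth' or 'none'"
                                % (who, access))
    for what, clauses in rules:
        for who, access in clauses:
            if who == "*" and access in ("write", "manage"):
                findings.append("rule 'to %s' grants %s to everyone" % (what, access))
    return findings


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, review_acls(text) or ["ok"])
```

To review the live configuration, feed it the output of ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess; the same unfolding applies to what ldapsearch prints.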
===== Client authentication =====
==== Local Linux authentication ====
Local authentication
[root@rhldaph1 ~]# slapd -u ldap -d127 -h "ldap:/// ldaps:/// ldapi:///"
[root@rhldaph1 openldap]# ldapsearch -x -D "cn=Manager,dc=mydom,dc=tst" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
[root@rhldaph1 openldap]# openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 CN = rhldaph1
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = rhldaph1
verify return:1
---
........
SSL handshake has read 839 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
==== Linux clients ====
[root@rhlabh1 ~]# yum -y install openldap-clients nss-pam-ldapd
[root@rhlabh1 ~]# authconfig --enableldap --enableldapauth --ldapserver=rhldaph1 --ldapbasedn="dc=mydom,dc=tst" --enablemkhomedir --update
[root@rhlabh1 openldap]# cat ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON on
URI ldap://rhldaph1/
BASE dc=mydom,dc=tst
[root@rhlabh1 home]# cat /etc/nslcd.conf | grep -v '^#'
uid nslcd
gid ldap
uri ldap://rhldaph1/
base dc=mydom,dc=tst
ssl no
tls_cacertdir /etc/openldap/cacerts
[root@rhlabh1 home]# cat /etc/nsswitch.conf
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
...
[root@rhlabh1 openldap]# su - ldapuser1
Creating directory '/home/ldapuser1'.
==== AIX clients ====
http://www-01.ibm.com/support/docview.wss?uid=swg2700977
=== Install LDAP client AIX packages ===
Search on IBM Fix Central https://www-945.ibm.com/support/fixcentral/ the latest packages for "IBM Security Directory Server"
//Example packages//
6.4.0.10-ISS-ISDS-AIX-IF0010.tar.gz
8.0.50.67-ISS-GSKIT-AIX-FP0067.tar.gz
Untar the packages, then go into the directories. First install ISS-GSKIT-AIX, then in the ISS-ISDS-AIX folder accept the license:
echo 1 | ./license/idsLicense
cd images
installp -agXY -d ./ idsldap.license64 idsldap.clt_max_crypto64bit64 idsldap.clt64bit64
The 32-bit LDAP client packages are also required:
installp -agXY -d ./ idsldap.clt32bit64 idsldap.clt_max_crypto32bit64
[root@aixsrv]/root# lslpp -Lc | egrep 'idsldap|GSK'
GSKit8:GSKit8.gskcrypt64.ppc.rte:8.0.50.67: : :C: :IBM GSKit Cryptography Runtime: : : : : : :0:0:/:
GSKit8:GSKit8.gskssl64.ppc.rte:8.0.50.67: : :C: :IBM GSKit SSL Runtime With Acme Toolkit: : : : : : :0:0:/:
idsldap.clt32bit64:idsldap.clt32bit64.rte:6.4.0.10: : :C: :Directory Server - 32 bit Client: : : : : : :0:0:/:
idsldap.clt64bit64:idsldap.clt64bit64.rte:6.4.0.10: : :C: :Directory Server - 64 bit Client: : : : : : :0:0:/:
idsldap.clt_max_crypto32bit64:idsldap.clt_max_crypto32bit64.rte:6.4.0.10: : :C: :Directory Server - 32 bit Client (SSL): : : : : : :0:0:/:
idsldap.clt_max_crypto64bit64:idsldap.clt_max_crypto64bit64.rte:6.4.0.10: : :C: :Directory Server - 64 bit Client (SSL): : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.adt:6.4.0.10: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.cltbase64:idsldap.cltbase64.rte:6.4.0.10: : :C: :Directory Server - Base Client: : : : : : :0:0:/:
idsldap.license64:idsldap.license64.rte:6.4.0.10: : :C: :Directory Server - License: : : : : : :0:0:/:
=== Configure LDAP client AIX ===
As the following example shows, when OpenLDAP is set up for the rfc2307aix schema, the AIX client configuration must match it: serverschematype=RFC2307AIX
[root@aixsrv]/root# mksecldap -c -h rhldaph1 -A ldap_auth -D ldap -d "dc=mydom,dc=tst" -a "cn=Manager,dc=mydom,dc=tst" -p ld@pssw0rd -S rfc2307aix -u NONE
[root@aixsrv]/root# ls-secldapclntd
ldapservers=rhldaph1
current ldapserver=rhldaph1
ldapport=389
active connections=1
ldapversion=3
usercachesize=1000
usercacheused=0
groupcachesize=100
groupcacheused=0
usercachetimeout=300
groupcachetimeout=300
heartbeat interval=300
numberofthread=10
connectionsperserver=10
authtype=LDAP_AUTH
searchmode=ALL
defaultentrylocation=LDAP
ldaptimeout=60
serverschematype=RFC2307
userbasedn=ou=people,dc=mydom,dc=tst
groupbasedn=ou=groups,dc=mydom,dc=tst
userobjectclass=posixaccount,account,shadowaccount
groupobjectclass=posixgroup
[root@aixsrv]/root# ps -ef | grep ldap
root 5767328 1 0 10:40:18 - 0:00 /usr/sbin/secldapclntd
List all LDAP users, then create users and groups. **From now on, don't forget to add -R LDAP or -R files to your commands.**
[root@aixsrv]/root# lsuser -R LDAP ALL
ldapuser1 id=6001 pgrp=grouptest1 groups=grouptest1 home=/home/ldapuser1 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
[root@aixsrv]/root# mkgroup -R LDAP id=1 staff
[root@aixsrv]/root# mkuser -R LDAP id=6002 pgrp=staff ldapuser2
[root@aixsrv]/root# lsuser -R LDAP ALL
ldapuser1 id=6001 pgrp=grouptest1 groups=grouptest1 home=/home/ldapuser1 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
ldapuser2 id=6002 pgrp=staff groups=staff home=/home/ldapuser2 shell=/usr/bin/ksh93 auditclasses=general,SRC,cron,tcpip login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=5 account_locked=false minage=1 maxage=6 maxexpired=13 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=0 minspecialchar=0 mindiff=2 maxrepeats=4 minlen=12 histexpire=13 histsize=24 pwdchecks= dictionlist= core_compress=on core_path=on core_pathname=/var/core core_naming=on default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
Change the AIX default behaviour (for information, root will never be defined in LDAP):
[root@aixsrv]/root# chsec -f /etc/security/user -s default -a registry=LDAP
[root@aixsrv]/root# chsec -f /etc/security/user -s default -a SYSTEM=LDAP
[root@aixsrv]/root# chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
[root@aixsrv]/root# chdev -l sys0 -a max_logname=256
[root@aixsrv]/root# chdev -l sys0 -a ngroups_allowed=2048
The AIX LDAP config files and schema maps are stored in /etc/security/ldap/; the related settings live in /etc/security/login.cfg and /etc/security/user.
[root@aixsrv]/etc/security/ldap# cat ldap.cfg | grep -v '^#' | sed '/^$/d'
ldapservers:rhldaph1.mydom.lu
binddn:cn=Manager,dc=mydom,dc=tst
bindpwd:{DESv2}DB483D108C643477D2B2F192 7C07C1FFE513FB8325B81B6
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/2307aixuser.map
groupattrmappath:/etc/security/ldap/2307aixgroup.map
userbasedn:ou=people,dc=mydom,dc=tst
groupbasedn:ou=groups,dc=mydom,dc=tst
userclasses:posixaccount,account,shadowaccount,aixauxaccount,ibm-securityIdentities
groupclasses:posixgroup,aixauxgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:rfc2307aix
[root@aixsrv]/etc/security/ldap# ll
total 396
4 drwxr-xr-x 2 root security 4096 Oct 20 10:58 .
4 drwxr-x--- 12 root security 4096 Oct 19 00:17 ..
4 -rw-r----- 1 root security 2973 May 19 16:41 2307aixgroup.map
8 -rw-r----- 1 root security 7863 May 19 16:41 2307aixuser.map
4 -rw-r----- 1 root security 2598 Apr 18 2010 2307group.map
4 -rw-r----- 1 root security 3429 Aug 23 2010 2307user.map
120 -rw-r----- 1 root security 122375 Jun 07 12:10 aixSchemaForAD.ldif
52 -rw-r----- 1 root security 50385 Jun 07 12:10 aixSchemaForNS5.ldif
4 -rw-r----- 1 root security 2852 May 19 16:41 aixgroup.map
4 -rw-r----- 1 root security 2837 May 25 2010 aixid.map
8 -rw-r----- 1 root security 7515 May 19 16:41 aixuser.map
12 -rw------- 1 root security 12102 Oct 20 10:58 ldap.cfg
4 -rw-r----- 1 root security 1567 Sep 21 2009 ldapid.ldif.template
28 -rw-r----- 1 root security 25523 Feb 19 2008 nisSchema.ldif
4 -rw------- 1 root security 3893 Sep 21 2009 proxy.ldif.template
52 -rw-r----- 1 root security 52063 Jun 07 12:10 sec.ldif
4 -rw-r----- 1 root security 2294 Apr 23 2009 sectoldif.cfg
4 -rw-r----- 1 root security 2495 May 25 2010 sfu20group.map
4 -rw-r----- 1 root security 2933 May 25 2010 sfu20user.map
4 -rw-r----- 1 root security 2781 May 25 2010 sfu30aixgroup.map
8 -rw-r----- 1 root security 7634 May 17 2011 sfu30aixuser.map
4 -rw-r----- 1 root security 2503 Aug 23 2010 sfu30group.map
4 -rw-r----- 1 root security 3005 Aug 23 2010 sfu30user.map
4 -rw-r----- 1 root security 2739 May 25 2010 sfur2aixgroup.map
8 -rw-r----- 1 root security 7611 May 17 2011 sfur2aixuser.map
4 -rw-r----- 1 root security 2390 May 25 2010 sfur2group.map
4 -rw-r----- 1 root security 2853 May 25 2010 sfur2user.map
Change a user's password from AIX LDAP client:
[root@aixsrv]/root# echo "testuser:testuser" | chpasswd -R LDAP -c
[root@aixsrv]/root# lsldap -a passwd testuser
===== APPENDIX =====
==== rfc2307aix.schema ====
**/etc/openldap/schema/rfc2307aix.schema**
# Definitions from RFC2307AIX (Experimental)
# An Approach for Using LDAP as a Network Information Service for AIX
#
# Author: Patrick Vaughan
#
# Depends upon core.schema, cosine.schema, and nis.schema
#
# Note: The definitions in RFC2307aix are not entirely known,
# and this information is taken from the work of others.
# This schema may contain extra information not necessarily needed by AIX,
# but used by IBM with other products. Some modifications had to be made to
# work with OpenLDAP, mainly that boolean types were changed to text because
# of an incompatibility with some of the attributes and OpenLDAP. This seems
# to work with AIX, until a better solution is found.
# Attribute Type Definitions
attributetype ( 1.3.18.0.2.4.810 NAME 'adminGroupNames'
DESC 'list of groups a user adminstrates'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.793 NAME 'AIXDefaultMACLevel'
DESC 'AIX default level mac'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.766 NAME 'AIXFuncMode'
DESC 'AIX smit acl function modes'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.797 NAME 'AIXisDCEExport'
DESC 'DCE integration flag'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.778 NAME 'AIXLowMACLevel'
DESC 'AIX low level mac'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.777 NAME 'AIXPromptMAC'
DESC 'prompt MAC, Mandatory Access Control, or not'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.752 NAME 'AIXScreens'
DESC 'AIX SMIT screen access list'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.746 NAME 'AIXUpperMACLevel'
DESC 'AIX upper level mac'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.812 NAME 'auditClasses'
DESC 'classes, events, a user will be audited on'
EQUALITY 2.5.13.5
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.762 NAME 'authMethod1'
DESC 'the primary method for authenticating a user'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.780 NAME 'authMethod2'
DESC 'secondary method for authenticating a user'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.483 NAME 'caption'
DESC 'CIM-derived attribute to provide short description of the directory object entry for display purposes.'
EQUALITY 2.5.13.2
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.751 NAME 'coreSizeLimit'
DESC 'core file size limit'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.798 NAME 'coreSizeLimitHard'
DESC 'hard core file size limit'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.805 NAME 'cpuSize'
DESC 'limit of system units a process can use'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.789 NAME 'cpuSizeHard'
DESC 'largest amount of system time process can use'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.763 NAME 'dataSegSize'
DESC 'size for data segment'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.758 NAME 'dataSegSizeHard'
DESC 'largest size of data segment'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.757 NAME 'filePermMask'
DESC 'mask to set file permission'
EQUALITY 2.5.13.8
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.785 NAME 'fileSizeLimit'
DESC 'file size limit'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.779 NAME 'fileSizeLimitHard'
DESC 'file size limit'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.803 NAME 'groupList'
DESC 'list of groups a user or role can belong to'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.538 NAME 'groupid'
DESC 'Required attribute for eDominoGroup'
EQUALITY 2.5.13.2
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.773 NAME 'groupSwitchUserAllowed'
DESC 'list of groups that can switch user to this user'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.787 NAME 'hostLastLogin'
DESC 'host name of the last successful login'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.748 NAME 'hostLastUnsuccessfulLogin'
DESC 'host name of last unsuccessful login'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.726 NAME 'isAccountEnabled'
DESC 'indicates whether users are allowed to login using an account (true) or not (false)'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.728 NAME 'isAdministrator'
DESC 'indicates whether an account has administrative authority'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.761 NAME 'isDaemon'
DESC 'AIX indicator whether a user can run programs under cron or src'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.743 NAME 'isLoginAllowed'
DESC 'indicate wheter a user can login'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.799 NAME 'isRemoteAccessAllowed'
DESC 'permits access from a remote system'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.808 NAME 'isSwitchUserAllowed'
DESC 'indicate whether a user can switch to this users account'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.760 NAME 'ixLastUpdate'
DESC 'time of last update'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.771 NAME 'ixTimeLastLogin'
DESC 'time of users last login'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.749 NAME 'ixTimeLastUnsuccessfulLogin'
DESC 'user time of last unsuccessful'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.801 NAME 'loginTimes'
DESC 'valid times a user is allowed to login'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.710 NAME 'maxFailedLogins'
DESC 'Maximum number of failed logins before the account is locked'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.807 NAME 'maxLogin'
DESC 'maximum number of logins'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.464 NAME 'numberWarnDays'
DESC ' '
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.781 NAME 'openFileLimit'
DESC 'limit for number of open files'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.784 NAME 'openFileLimitHard'
DESC 'maximum number of open files'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.458 NAME 'passwordCheckMethods'
DESC 'Methods for checking passwords.'
EQUALITY 2.5.13.5
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.463 NAME 'passwordDictFiles'
DESC 'Password dictionary files.'
EQUALITY 2.5.13.5
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.788 NAME 'passwordExpiredWeeks'
DESC 'number of weeks a user passwd history expired'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.485 NAME 'passwordExpireTime'
DESC 'Defines, in YYYYMMDDHHMMSS format, the date and time when a user password expires.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.753 NAME 'passwordFlags'
DESC 'password flags'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.772 NAME 'passwordHistSize'
DESC 'number of previous passwords that can be stored in password history'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 2.16.840.1.113730.3.1.97 NAME 'passwordMaxAge'
DESC 'Specifies, in seconds, the period of time passwords can be used before they expire.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.802 NAME 'passwordChar'
DESC 'password existence character'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.454 NAME 'passwordMaxRepeatedChars'
DESC ' '
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.473 NAME 'passwordMinAlphaChars'
DESC 'Specifies the minimum number of characters required for a users password.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.499 NAME 'passwordMinDiffChars'
DESC 'Specifies the minimum number of different (unique) characters required for a users password.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE userApplications )
attributetype ( 2.16.840.1.113730.3.1.99 NAME 'passwordMinLength'
DESC 'Specifies the minimum number of characters required for a user\27s password.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.469 NAME 'passwordMinOtherChars'
DESC ' '
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.790 NAME 'physicalMemLimit'
DESC 'limit for the amount of physical memory that can be allocated'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.744 NAME 'physicalMemLimitHard'
DESC 'largest amount of physical memory that can be allocated'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.319 NAME 'principalPtr'
DESC 'DN pointer to a principal object (e.g. person, user, service, etc.)'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.786 NAME 'roleList'
DESC 'list of roles a user or role may belong to'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE USAGE userApplications )
attributetype ( 1.3.18.0.2.4.759 NAME 'stackSizeLimit'
DESC 'size limit for process stack'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE USAGE userApplications )
attributetype ( 1.3.18.0.2.4.754 NAME 'stackSizeLimitHard'
DESC 'largest stack segment for a process'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE USAGE userApplications )
attributetype ( 1.3.18.0.2.4.804 NAME 'systemEnvironment'
DESC 'protect environment'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE USAGE userApplications )
attributetype ( 1.3.18.0.2.4.809 NAME 'terminalAccess'
DESC 'list of terminals that can access users account'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE USAGE userApplications )
attributetype ( 1.3.18.0.2.4.767 NAME 'terminalLastLogin'
DESC 'terminal of the last successful login'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE USAGE userApplications )
attributetype ( 1.3.18.0.2.4.769 NAME 'terminalLastUnsuccessfulLogin'
DESC 'terminal of the last unsuccessful login'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.806 NAME 'timeExpiredLogout'
DESC 'inactivity time out'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.474 NAME 'timeExpireLockout'
DESC ' '
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.800 NAME 'trustedPathStatus'
DESC 'indicates the users trusted path status'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.811 NAME 'unsuccessfulLoginCount'
DESC 'count of unsuccessful logins'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.795 NAME 'userEnvironment'
DESC 'user public environment'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.783 NAME 'userName'
DESC 'user name'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.1101 NAME 'passwordHistList'
DESC 'list of user passwords'
EQUALITY 2.5.13.5
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.2321 NAME 'hostsAllowedLogin'
DESC 'The names or addresses of computer systems or networks to which a user is allowed to login.'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications)
attributetype ( 1.3.18.0.2.4.2322 NAME 'hostsDeniedLogin'
DESC 'The names or addresses of a computer systems or networks to which a user is not allowed to login.'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications)
attributetype ( 1.3.18.0.2.4.2504 NAME 'passwordHistExpire'
DESC 'number of weeks a user passwd history expired'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.145 NAME 'capability'
DESC 'Indicates the capabilities this GSO Target Service Type allows.'
EQUALITY 2.5.13.2
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.814 NAME 'GroupName'
DESC 'Name of DCE group'
EQUALITY 2.5.13.5
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.768 NAME 'AIXGroupAdminList'
DESC 'list of administrators'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.765 NAME 'groupPassword'
DESC 'Group Password'
EQUALITY 2.5.13.5
ORDERING 2.5.13.6
SUBSTR 2.5.13.7
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.2.840.113556.1.4.867 NAME 'altSecurityIdentities'
DESC 'Alternate security identities. A Kerberos identity must be defined in the format kerberos:@; for example, kerberos:alice@austin.ibm.com. This attribute is defined on Active Directory.'
EQUALITY 2.5.13.2
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName'
DESC 'Primary security identity in the form @; for example, alice@austin.ibm.com. This attribute is defined on Active Directory.'
EQUALITY 2.5.13.5
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.813 NAME 'gid'
DESC 'integer ID of the group name. Used for access control of resources.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3396 NAME 'passwordMaxConsecutiveRepeatedChars'
DESC 'Attribute used to impose the maximum number of consecutive repeated characters in the password field.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3107 NAME 'rcmds'
DESC 'allow, deny, hostlogincontrol. Specifies whether a user is allowed to run remote commands.'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.756 NAME 'AIXAdminGroupId'
DESC 'AIX new admin group id storage'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.776 NAME 'AIXAdminUserId'
DESC 'AIX new admin user id storage'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.782 NAME 'AIXGroupID'
DESC 'AIX new group id storage'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.770 NAME 'AIXUserID'
DESC 'Aix new user id storage attribute'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3237 NAME 'ibm-aixProjectNameList'
DESC 'Advanced accounting, list of project names'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3349 NAME 'ibm-defaultRoles'
DESC 'List of default roles'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3337 NAME 'ibm-coreNamingPolicy'
DESC 'Specifies core file naming policy'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3336 NAME 'ibm-coreCompressionEnable'
DESC 'Enable or disable corefile compression'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3338 NAME 'ibm-corePathEnable'
DESC 'Enable or disable core file path specification.'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3339 NAME 'ibm-corePathName'
DESC 'Specifies a location for core files'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3233 NAME 'ibm-aixAdminPolicyEntry'
DESC 'Advanced accounting, admin policy rule'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3234 NAME 'ibm-aixAdminPolicyName'
DESC 'Advanced accounting, name of admin policy'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3235 NAME 'ibm-aixProjectDefinition'
DESC 'Advanced accounting, project definition entry'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3236 NAME 'ibm-aixProjectName'
DESC 'Advanced accounting, name of project definition file'
EQUALITY caseExactMatch
ORDERING caseExactOrderingMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3340 NAME 'ibm-aixpertLabel'
DESC 'A unique label for an XML file'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3341 NAME 'ibm-aixpertXmlConfigFile'
DESC 'Aixpert XML configuration file'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
SINGLE-VALUE
USAGE userApplications )
# EQUALITY octetStringMatch
attributetype ( 1.3.18.0.2.4.3363 NAME 'ibm-authorizationID'
DESC 'authorization numeric ID'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.332 NAME 'msgFileName'
DESC 'This attribute is used to indicate a message file name which contains displayable/translatable strings for those attributes which are displayable.'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.774 NAME 'msgNumber'
DESC 'index into a message catalog'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3364 NAME 'ibm-msgSet'
DESC 'Message set'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3359 NAME 'ibm-accessAuths'
DESC 'Access authorizations'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3354 NAME 'ibm-authPrivs'
DESC 'Authorized privileges'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3361 NAME 'ibm-egid'
DESC 'The effective group id'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3362 NAME 'ibm-euid'
DESC 'The effective user id'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3358 NAME 'ibm-innatePrivs'
DESC 'Innate privileges'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3365 NAME 'ibm-inheritPrivs'
DESC 'Inheritable privileges'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3357 NAME 'ibm-secFlags'
DESC 'Security flags'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3356 NAME 'ibm-readPrivs'
DESC 'Privileges required to read an object'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3355 NAME 'ibm-writePrivs'
DESC 'Privileges required to write to an object'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3353 NAME 'ibm-readAuths'
DESC 'Authorizations required to read an object'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
attributetype ( 1.3.18.0.2.4.3352 NAME 'ibm-writeAuths'
DESC 'Authorizations required to write to an object'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
USAGE userApplications )
# No OID
#attributetype ( NAME 'IBM-ENTRYUUID' DESC 'A Unique Entry UUID from TDS' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
#attributetype ( NAME 'control' DESC 'Some IBM Control attribute from TDS' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
# Invalid Name 'userCertificate;binary'
#attributetype ( 2.5.4.36 NAME ( 'userCertificate' 'userCertificate;binary' ) DESC 'Used to represent certificates from one or more Certification Authorities representing a user.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 USAGE userApplications )
# Attributes already in the core.schema
#attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' ) DESC 'This attribute contains the name of a locality, such as a city, county or other geographic region (localityName).' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
#attributetype ( 2.5.4.31 NAME 'member' DESC 'Identifies the distinguished names for each member of the group.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE userApplications )
#attributetype ( 2.5.4.10 NAME ( 'o' 'organizationName' 'organization' ) DESC 'This attribute contains the name of an organization (organizationName).' SUP 2.5.4.11 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
objectclass ( 1.3.18.0.2.6.78 NAME 'eAccount'
DESC 'Account information as used and maintained by the system.'
SUP 'account'
STRUCTURAL
MAY ( caption $ userPassword $ userCertificate $ principalPtr ) )
objectclass ( 1.3.18.0.2.6.167 NAME 'AIXAccount'
DESC 'AIX user information object class'
SUP 'eAccount'
STRUCTURAL
MUST ( gid $ passwordChar $ userName )
MAY ( adminGroupNames $ AIXDefaultMACLevel $ AIXFuncMode $ AIXisDCEExport $ AIXLowMACLevel $ AIXPromptMAC $ AIXScreens $ AIXUpperMACLevel $ auditClasses $ authMethod1 $ authMethod2 $ coreSizeLimit $ coreSizeLimitHard $ cpuSize $ cpuSizeHard $ dataSegSize $ dataSegSizeHard $ filePermMask $ fileSizeLimit $ fileSizeLimitHard $ gecos $ groupList $ groupSwitchUserAllowed $ homeDirectory $ hostLastLogin $ hostLastUnsuccessfulLogin $ isAccountEnabled $ isadministrator $ isDaemon $ isLoginAllowed $ isRemoteAccessAllowed $ isSwitchUserAllowed $ ixLastUpdate $ ixTimeLastLogin $ ixTimeLastUnsuccessfulLogin $ loginShell $ loginTimes $ maxFailedLogins $ maxLogin $ numberWarnDays $ openFileLimit $ openFileLimitHard $ passwordCheckMethods $ passwordDictFiles $ passwordExpiredWeeks $ passwordExpireTime $ passwordFlags $ passwordHistSize $ passwordMaxAge $ passwordMaxRepeatedChars $ passwordMinAlphaChars $ passwordMinDiffChars $ passwordMinLength $ passwordMinOtherChars $ physicalMemLimit $ physicalMemLimitHard $ roleList $ stackSizeLimit $ stackSizeLimitHard $ systemEnvironment $ terminalAccess $ terminalLastLogin $ terminalLastUnsuccessfulLogin $ timeExpiredLogout $ timeExpireLockout $ trustedPathStatus $ unsuccessfulLoginCount $ userEnvironment $ passwordHistList $ passwordHistExpire $ hostsAllowedLogin $ hostsDeniedLogin ) )
objectclass ( 1.3.18.0.2.6.170 NAME 'AIXaccessGroup'
DESC 'AIX group information'
SUP 'top'
STRUCTURAL
MUST ( gid $ GroupName )
MAY ( AIXGroupAdminList $ AIXisDCEExport $ AIXScreens $ groupPassword $ isadministrator $ member ) )
objectclass ( 1.3.18.0.2.6.28 NAME 'container'
DESC 'An object that can contain other objects.'
SUP 'top'
STRUCTURAL
MUST ( cn ) )
objectclass ( 1.3.18.0.2.6.169 NAME 'AIXAdmin'
DESC 'AIX class to store user/group administration attributes'
SUP top
STRUCTURAL
MAY ( AIXAdminGroupId $ AIXAdminUserId $ AIXGroupID $ AIXUserID $ cn ) )
objectclass ( 1.3.18.0.2.6.473 NAME 'aixAuxGroup'
DESC 'Auxiliary AIX group information objectclass, for use with the posixgroup objectclass.'
SUP top
AUXILIARY
MAY ( aIXGroupAdminList $ aIXisDCEExport $ aIXScreens $ groupPassword $ isadministrator $ ibm-aixProjectNameList ) )
objectclass ( 1.3.18.0.2.6.620 NAME 'ibm-aixAccountingAdminPolicy'
DESC 'Advanced Accounting admin policy object'
SUP top
STRUCTURAL
MUST ( ibm-aixAdminPolicyEntry $ ibm-aixAdminPolicyName ) )
objectclass ( 1.3.18.0.2.6.621 NAME 'ibm-aixAccountingProject'
DESC 'Advanced Accounting project definition object'
SUP top
STRUCTURAL
MUST ( ibm-aixProjectDefinition $ ibm-aixProjectName ) )
objectclass ( 1.3.18.0.2.6.637 NAME 'ibm-aixAixpert'
DESC 'For storing Aixpert specific data'
SUP top
STRUCTURAL
MUST ( ibm-aixpertLabel $ ibm-aixpertXmlConfigFile ) )
objectclass ( 1.3.18.0.2.6.640 NAME 'ibm-authorization'
DESC 'Contains authorization definition'
SUP top
STRUCTURAL
MUST ( cn $ ibm-authorizationID )
MAY ( msgFileName $ msgNumber $ ibm-msgSet $ description ) )
objectclass ( 1.3.18.0.2.6.642 NAME 'ibm-privcmd'
DESC 'Contains privileged command definition'
SUP top
STRUCTURAL
MUST cn
MAY ( ibm-accessAuths $ ibm-authPrivs $ ibm-egid $ ibm-euid $ ibm-innatePrivs $ ibm-inheritPrivs $ ibm-secFlags $ description ) )
objectclass ( 1.3.18.0.2.6.641 NAME 'ibm-privdev'
DESC 'Contains privileged device definition'
SUP top
STRUCTURAL
MUST cn
MAY ( ibm-readPrivs $ ibm-writePrivs $ description ) )
objectclass ( 1.3.18.0.2.6.639 NAME 'ibm-privfile'
DESC 'Trusted configuration files'
SUP top
STRUCTURAL
MUST cn
MAY ( ibm-readAuths $ ibm-writeAuths $ description ) )
objectclass ( 1.3.18.0.2.6.241 NAME 'ibm-SecurityIdentities'
DESC 'Defines the security identities of a user. The user could be a person or a service.'
SUP top
AUXILIARY
MAY ( altSecurityIdentities $ userPrincipalName ) )
objectclass ( 1.3.18.0.2.6.472 NAME 'aixAuxAccount'
DESC 'Auxiliary AIX user information objectclass, for use with posixaccount and shadowaccount objectclasses'
SUP top
AUXILIARY
MAY ( passwordChar $ adminGroupNames $ aIXDefaultMACLevel $ aIXFuncMode $ aIXisDCEExport $ aIXLowMACLevel $ aIXPromptMAC $ aIXScreens $ aIXUpperMACLevel $ auditClasses $ authMethod1 $ authMethod2 $ coreSizeLimit $ coreSizeLimitHard $ cPuSize $ cPuSizeHard $ dataSegSize $ dataSegSizeHard $ filePermMask $ fileSizeLimit $ fileSizeLimitHard $ groupList $ groupSwitchUserAllowed $ hostLastLogin $ hostLastUnsuccessfulLogin $ hostsAllowedLogin $ hostsDeniedLogin $ isAdministrator $ isAccountEnabled $ isDaemon $ isLoginAllowed $ isRemoteAccessAllowed $ isSwitchUserAllowed $ ixTimeLastLogin $ ixTimeLastUnsuccessfulLogin $ loginTimes $ maxFailedLogins $ maxLogin $ openFileLimit $ openFileLimitHard $ passwordCheckMethods $ passwordDictFiles $ passwordExpireTime $ passwordHistSize $ passwordMaxRepeatedChars $ passwordMinAlphaChars $ passwordMinDiffChars $ passwordMinLength $ passwordMinOtherChars $ physicalMemLimit $ physicalMemLimitHard $ roleList $ StackSizeLimit $ StackSizeLimitHard $ SystemEnvironment $ terminalAccess $ terminalLastLogin $ terminalLastUnsuccessfulLogin $ timeExpiredLogout $ timeExpireLockout $ trustedPathStatus $ unsuccessfulLoginCount $ userEnvironment $ passwordFlags $ capability $ passwordHistExpire $ passwordHistList $ rcmds $ ibm-aixProjectNameList $ ibm-defaultRoles $ ibm-coreNamingPolicy $ ibm-coreCompressionEnable $ ibm-corePathEnable $ ibm-corePathName $ passwordMaxConsecutiveRepeatedChars ) )
==== Schemas ====
Schema files shipped with openldap-servers (in /etc/openldap/schema):
core.schema - Standard schema defined by the core LDAP RFCs 2252 and 2256, now RFC 4512/4519 (required)
cosine.schema - COSINE and Internet X.500 (recommended)
inetorgperson.schema - inetOrgPerson as defined in RFC 2798 (recommended)
java.schema - Java objects as defined by RFC 2713
corba.schema - CORBA objects as defined by RFC 2714
krb5-kdc.schema - Kerberos v5 key distribution center
misc.schema - Assorted definitions
openldap.schema - OpenLDAP Project
nadf.schema - North American Directory Forum (obsolete)
nis.schema - Network Information Services
dyngroup.schema - Dynamic Group (experimental)
ppolicy.schema - Password Policy schema (work in progress), required by the ppolicy overlay
==== Configure redhat as LDAP client ====
# authconfig --enableldap --enableldapauth --ldapserver=rhel7.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --enablemkhomedir --update
As written this binds over plain ''ldap://'' on port 389, so every password that PAM sends for authentication crosses the network in cleartext. Add ''--enableldaptls'' (together with ''--ldaploadcacert=<URL of the server certificate>'' so that nslcd can verify the server), or point ''--ldapserver'' at ''ldaps://rhel7.mydomain.com'', and keep ''tls_reqcert demand'' in /etc/nslcd.conf rather than downgrading it to ''never''.
==== Change loglevel ====
To change the slapd log level, add (bitwise OR) the values from the table below until you reach the combination you need; for example trace (1) plus conns (8) gives 9. ''olcLogLevel'' also accepts the names instead of the numbers (e.g. ''stats'' or ''sync''). One caution: ''packets'' (2) and ''BER'' (16) dump the raw bytes of every PDU, so a simple bind writes its password into the log; enable them only for a short debugging session and reset the level afterwards. Check the value currently in effect with ''ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel''.
# ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 9
^number^hex-value^log-name^Logging description^
|-1|0xFFFF|any|enable all logging|
|0|0x0000 |none|logging inhibited - no logging occurs including critical errors. Not recommended.|
|1|0x1|trace|trace function calls|
|2|0x2|packets|debug packet handling|
|4|0x4|args|heavy trace debugging|
|8|0x8|conns|connection management|
|16|0x10|BER|print out packets sent and received|
|32|0x20|filter|search filter processing|
|64|0x40|config|configuration file processing|
|128|0x80|ACL|access control list processing|
|256|0x100|stats|stats log connections/operations/results (default)|
|512|0x200|stats2|stats log entries sent|
|1024|0x400|shell|print communication with shell backends|
|2048|0x800|parse|entry parsing debugging|
|4096|0x1000|cache|caching (unused)|
|8192|0x2000|index|indexing (unused)|
|16384|0x4000|sync|print syncrepl (replica) logging|
|32768|0x8000|none|A misnomer - it will log messages that are not categorized - specifically including critical messages|
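As an added example (not from this page or the OpenLDAP project), the POSIX shell helpers below encode a list of log names into the integer slapd expects, decode an integer found in cn=config back into names, flag the two packet-dumping levels, and print the ldapmodify change record. The level table is the one above; the function names and the "leaks credentials" classification are this example's own.

```shell
#!/bin/sh
# Added example for this page (not from the page author or the OpenLDAP
# project): encode, decode and audit olcLogLevel values. The numeric levels
# are those of slapd-config(5) and of the table above; which levels count
# as credential-leaking is this example's own assessment.
set -eu

# name:value pairs, one per log level, in ascending bit order
LOG_LEVEL_TABLE="trace:1 packets:2 args:4 conns:8 BER:16 filter:32 config:64 ACL:128 stats:256 stats2:512 shell:1024 parse:2048 cache:4096 index:8192 sync:16384 none:32768"

# Print the bit for one log-level name; fail on an unknown name.
loglevel_bit() {
    for pair in $LOG_LEVEL_TABLE; do
        [ "${pair%%:*}" = "$1" ] && { echo "${pair##*:}"; return 0; }
    done
    echo "unknown log level name: $1" >&2
    return 1
}

# OR the bits of the given names into the integer slapd expects
# (e.g. "trace conns" -> 9); 'any' means everything, i.e. -1.
loglevel_value() {
    total=0
    for name in "$@"; do
        [ "$name" = any ] && { echo -1; return 0; }
        bit=$(loglevel_bit "$name") || return 1
        total=$((total | bit))
    done
    echo "$total"
}

# Decode an integer back into names, e.g. 9 -> "trace conns", 0 -> "".
loglevel_names() {
    level=$1
    [ "$level" -eq -1 ] && { echo any; return 0; }
    out=""
    for pair in $LOG_LEVEL_TABLE; do
        [ $((level & ${pair##*:})) -ne 0 ] && out="$out ${pair%%:*}"
    done
    echo "${out# }"
}

# Exit 0 if the level dumps raw PDUs: 'packets' (2) and 'BER' (16) log the
# bytes on the wire, and a simple bind carries its password in them.
loglevel_leaks_credentials() {
    level=$1
    [ "$level" -eq -1 ] || [ $((level & 18)) -ne 0 ]
}

# Change record for:  ldapmodify -Y EXTERNAL -H ldapi:///
loglevel_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: %s\n' "$1"
}

# Explain a value as returned by
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcGlobal)' olcLogLevel
# and fail loudly if it is one that must not stay enabled in production.
loglevel_audit() {
    level=$1
    printf 'olcLogLevel %s = %s\n' "$level" "$(loglevel_names "$level")"
    if loglevel_leaks_credentials "$level"; then
        echo "WARNING: packets/BER enabled; simple-bind passwords will appear in the log" >&2
        return 1
    fi
    return 0
}

# Demo: the page's value, one that leaks, and a record for a sane level.
loglevel_audit 9
loglevel_audit 18 || true
loglevel_ldif "$(loglevel_value stats sync)"
```

Pipe the output of ''loglevel_ldif'' into ''ldapmodify -Y EXTERNAL -H ldapi:///'' to apply it; ''loglevel_audit'' is the check to run on any server whose log level was raised for troubleshooting.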
===== Under construction =====
==== Test secure connection ====
From the AIX node (the future LDAP client). The ''Verify return code: 18 (self signed certificate)'' at the end means s_client had no CA to check against, so this output only proves that slapd answers TLS on port 636, not that the client is talking to the right server; rerun with ''-CAfile'' pointing at a copy of the server certificate and expect ''Verify return code: 0 (ok)''. Note also that this capture reports a 1024-bit server key, not the 2048-bit one generated in the next section; 1024-bit RSA is below current minimums and must not stay in service.
[root@aixsrv]/root# openssl s_client -host rhldaph1 -port 636
CONNECTED(00000004)
depth=0 CN = rhldaph1
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = rhldaph1
verify return:1
---
Certificate chain
0 s:/CN=rhldaph1
i:/CN=rhldaph1
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/CN=rhldaph1
issuer=/CN=rhldaph1
---
No client certificate CA names sent
---
SSL handshake has read 839 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 0E0B9DDB007ACF1EA6FC7B42122C0BBED0CDB91A83182B7C5001CBCD7CDE9D
Session-ID-ctx:
Master-Key: AFF74402BAEBFC5C846F179413FAA8683E412533ECFD9DA91488A1D7E45D8F4E9FC3CC90325200D4FB5C3163
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1465401511
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
=== Generate openssl certificates on server ===
[root@rhldaph1 certs]# openssl req -newkey rsa:2048 -x509 -nodes -out /etc/pki/tls/certs/rhldaph1_pubkey.pem -keyout /etc/pki/tls/certs/rhldaph1_privkey.pem -days 3650
Generating a 2048 bit RSA private key
.....+++
...................................................................+++
writing new private key to '/etc/pki/tls/certs/rhldaph1_privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:LU
State or Province Name (full name) []:Luxembourg
Locality Name (eg, city) [Default City]:Luxembourg
Organization Name (eg, company) [Default Company Ltd]:mydom
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:rhldaph1
Email Address []:rhldaph1@mydomain.com
[root@rhldaph1 certs]# chown ldap. rhldaph*pem
[root@rhldaph1 certs]# ll
total 20
lrwxrwxrwx. 1 root root 49 Jun 1 14:24 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Jun 1 14:24 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root 610 Oct 10 2015 make-dummy-cert
-rw-r--r--. 1 root root 2388 Oct 10 2015 Makefile
-rwxr-xr-x. 1 root root 829 Oct 10 2015 renew-dummy-cert
-rw-r--r-- 1 ldap ldap 1704 Jun 8 18:17 rhldaph1_privkey.pem
-rw-r--r-- 1 ldap ldap 1472 Jun 8 18:17 rhldaph1_pubkey.pem
The listing shows the private key as ''-rw-r--r--'': every local account can read it and, with it, impersonate the LDAP server to any client. Restrict it to the ldap user (''chmod 600 rhldaph1_privkey.pem'') before slapd is pointed at it. The other file, rhldaph1_pubkey.pem, is the X.509 certificate rather than a bare public key; it can stay world-readable, since clients need a copy of it to verify the server.
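The ''openssl req'' run above is interactive and leaves the key world-readable. The script below is an added example (not from this page or the OpenLDAP project) that does the same job non-interactively: it creates the key under ''umask 077'', adds the host name as a subjectAltName through a temporary OpenSSL config (the ''-addext'' switch does not exist in the OpenSSL 1.0.x shipped with CentOS 7), refuses to continue if the key is not 0600, and prints the cn=config change that points slapd at the files. The host name, directory and subject fields are the page's; the ''gen_selfsigned'', ''key_is_private'' and ''tls_ldif'' helpers and the ''generate'' argument are this example's own.

```shell
#!/bin/sh
# Added example for this page (not from the page author or the OpenLDAP
# project). Non-interactive replacement for the `openssl req` run above:
# the key is created 0600, the certificate carries a subjectAltName, and
# the cn=config change that makes slapd use the files is printed.
# Usage (as root):  sh tls-setup.sh generate | ldapmodify -Y EXTERNAL -H ldapi:///
set -eu

HOST="${HOST:-rhldaph1}"                    # the page's server name
CERT_DIR="${CERT_DIR:-/etc/pki/tls/certs}"  # the page's certificate directory

# Create a 2048-bit key and a 10-year self-signed certificate. A temporary
# OpenSSL config supplies the subject and the SAN because CentOS 7's
# OpenSSL 1.0.x has no -addext switch. -nodes: slapd cannot type a passphrase.
gen_selfsigned() {
    dir="$1"; host="$2"
    cnf="$(mktemp)"
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_srv
[dn]
C  = LU
ST = Luxembourg
L  = Luxembourg
O  = mydom
OU = IT
CN = ${host}
[v3_srv]
subjectAltName = DNS:${host}
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    umask 077   # the key file is born 0600 instead of 0644
    openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -config "$cnf" \
        -keyout "${dir}/${host}_privkey.pem" -out "${dir}/${host}_cert.pem"
    rm -f "$cnf"
    umask 022
    chmod 0644 "${dir}/${host}_cert.pem"   # clients must be able to read the certificate
    chown ldap: "${dir}/${host}_privkey.pem" "${dir}/${host}_cert.pem"
}

# Exit 0 only if the file's mode is 0600 or 0400; the listing on this page
# shows the key as -rw-r--r--, readable by every local account.
key_is_private() {
    mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null || echo missing)"
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Change record for `ldapmodify -Y EXTERNAL -H ldapi:///`. All three
# attributes go into one operation: slapd checks the key against the
# certificate as soon as the key file is set.
tls_ldif() {
    dir="$1"; host="$2"
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: ${dir}/${host}_cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: ${dir}/${host}_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: ${dir}/${host}_privkey.pem
EOF
}

main() {
    gen_selfsigned "$CERT_DIR" "$HOST"
    key_is_private "${CERT_DIR}/${HOST}_privkey.pem" ||
        { echo "refusing to continue: private key is not 0600" >&2; exit 1; }
    tls_ldif "$CERT_DIR" "$HOST"
}

# Generation writes under /etc/pki and needs root, so it only runs on
# request; sourcing the file merely defines the helpers.
case "${1:-}" in
    generate) main ;;
esac
```

After applying the change record, repeat the ''openssl s_client'' test from the previous section with ''-CAfile /etc/pki/tls/certs/rhldaph1_cert.pem'' and confirm ''Verify return code: 0 (ok)'' together with a 2048-bit server key.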
==== Install PHP LDAP Admin ====
[root@rhldaph1 ldap]# yum -y install php php-ldap
# the phpldapadmin package comes from EPEL
[root@rhldaph1 ldap]# rpm -Uhv phpldapadmin-1.2.3-5.el7.noarch.rpm
[root@rhldaph1 ldap]# vi /etc/phpldapadmin/config.php
# line 397: uncomment (users log in with their full DN), line 398: comment out
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
[root@rhldaph1 ldap]# vi /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
# Apache 2.4
# line 12: restrict who may reach the interface
Require local
Require ip 10.0.0.0/24
[root@rhldaph1 ldap]# systemctl restart httpd
http://10.10.10.120/ldapadmin
The interface posts the bind DN and password with every login, so publish it over HTTPS only (mod_ssl, with port 80 redirected) and keep the ''Require'' restrictions above; the plain-http URL is acceptable for a first test on the LAN, not for day-to-day administration.
=== References ===
http://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=4