AIX authenticate against Fedora DS
 

Hello,

I've setup a Fedora Directory Server, which is totally new for me. I was just trying it in search for a solution to centrally manage the users on our Linux and AIX systems.

But I cant find anything useful about AIX clients authenticating against a Fedora DS server. Is it even possible?

When I try the following command which I found in a document from IBM to connect AIX clients to the IBM directory server:

mksecldap -c -h fedora-ds -a ou="cn=Directory Manager",ou=UserPreferences,ou=domain.nl,o=Netscaperoot -p ###PASSWORD###

I get the following output:

Cannot find users from all base DN.
Client setup failed.

As I said fedora DS is new for me so I just followed a howto to install and configure it. What am I missing.

Hi Pete83,

I think there's a couple of things wrong with your 'mksecldap' command...

1. I don't like the look of your admin DN (although I'm not familiar with Fedora DS, I use OpenLDAP). It seems excessively long and it doesn't end with a 'dn=domain'.
2. You are not specifying the base DN (hence the error).

For example:
My base DN = 'dc=mydomain'
My admin DN = 'cn=Admin,dc=mydomain'

So my 'mksecldap' command would look like:

I think you should probably go back to your fedora DS setup and confirm your base and admin DN's, then try and fit them into my command.

You should also look at encrypting your LDAP connections, otherwise you'll be sending passwords over your network in clear-text.

If you created a self-signed SSL certificate, you could change the above command to:

On your AIX box you'll probably need to edit the 'SYSTEM' and 'registry' entries in the default stanza in /etc/security/user to :-
... Then restart the LDAP client:
Hope this is useful!

Thank you rizhun, I will try it. Will let you know if I get it wworking.

rizhun,

I've tried the command you suggested and at least it gives some other output.

<code>
mksecldap -c -h "fedora-ds" -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -p ###PASSWORD### -d "dc=domain,dc=nl" -A ldap_auth

Cannot find the group base DN from the ldap server.
Client setup failed.
</code>

Also changed the default stanza in /etc/security/user as you said.

Probably I'm missing something in the configuration on my fedora-ds server.

Pete83,

That's good news!
It means that AIX is talking to LDAP, but is not finding some things it expects (users & groups!).

Now all you should need to do is modify '/etc/security/ldap/ldap.cfg' (on your AIX box) to tell it where to look for these things in your directory.

Going back to my previous example, if my base DN is 'dc=mydomain' and under that I have my list of users in 'ou=users,dc=mydomain' and my groups in 'ou=groups,dc=mydomain', I'd have to change the following lines in ldap.cfg:

Set these values to whatever is appropriate for your directory server.

Then re-try your 'mksecldap' command.

Let me know how it goes.

Just thought...
This IBM RedBook might be useful:
Integrating AIX into Heterogeneous LDAP Environments

Sorry Rizhun, for the late reaction.

I modified /etc/security/ldap/ldap.cfg as you said and added:

userbasedn:ou=People,dc=domain,dc=nl
groupbasedn:cn=test,cn=PD Managers,ou=groups,dc=domain,dc=nl

I had to add some other things to ldap.cfg like binddn, bindpwd and userattrmappath and groupattrmappath.

then restarted ldap restart-secldapclntd.

And tried the mksecldap command and got the same message as before:

Cannot find the group base DN from the ldap server.
Client setup failed.

So what am I doing wrong?! Thank you for the RedBook I will browse trough it and see if it can help me.

Have you tried:

... ?

rizhun,

Sorry for the late response again.

I have managed to authenticate my AIX client to the Centos DS. I switched to Centos DS after switching to OpenLDAP which learned me to understand LDAP a little bit more. In OpenLDAP I could authenticate after I executed the following command on the client:

Thank you for the redbook!!

Then I imported the *.ldif file in to the LDAP database which added some local users of the client in LDAP.

After that I executed the mksecldap command on the client side:

And this authenticated the client with the LDAP server. I also added to /etc/security/user default stanza. I know this is wrong but this is just for testing. After this I could log on with LDAP users.

With OpenLDAP I used the Apache Directory Studio to manage the users and this works well because you can copy user entries with the right object classes for AIX. And I can change the password.

But with CentOS DS I use the centos-idm-console to manage the users. And I can't add users with the right object classes like this:

And can't change the password. I don't like this. So I'm using Apache Directory Studio to add AIX users and change their passwords.

Is there someone out there with some experience with AIX users and Centos DS or Red Hat DS or Fedora DS? I don't get it anymore it should be possible to do with the centos-idm-console isn't it.

On the client side add this to your /etc/security/ldap/ldap.cfg:

instead of:

Now I can add users normally and change their passwords through the idm-console.

Now I can try to find out about home directories, passwordpolicies and profiles.

What also would be nice is to automatically generate a UID.

At least I'm getting somewhere!!!

You could always create a wrapper script for the 'mkuser' command that uses the next unused UID.

Rizhun,

I'm not adding users from the command-line but from the centos-idm-console which is a GUI for the Centos Directory Server.

Like this:

https://help.ubuntu.com/community/Fe...pPosixUser.jpg

It would be nice if it automatically fills in a unique UID and GID.

Also I'm struggling with the auto creation of home dirs under AIX. I have a NFS share on the Directory Server which is exported to the AIX client. Tried to get pam_mkuserhome working but with no success. Grabbed some info from here: http://blog.maniac.nl/setting-up-lda...ients/#homedir

Maybe you have more experience with auto home dir creation??