LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   AIX (http://www.linuxquestions.org/questions/aix-43/)
-   -   AIX authenticate against Fedora DS (http://www.linuxquestions.org/questions/aix-43/aix-authenticate-against-fedora-ds-748954/)

pete83 08-20-2009 03:35 AM

AIX authenticate against Fedora DS
 
Hello,

I've setup a Fedora Directory Server, which is totally new for me. I was just trying it in search for a solution to centrally manage the users on our Linux and AIX systems.

But I cant find anything useful about AIX clients authenticating against a Fedora DS server. Is it even possible?

When I try the following command which I found in a document from IBM to connect AIX clients to the IBM directory server:

mksecldap -c -h fedora-ds -a ou="cn=Directory Manager",ou=UserPreferences,ou=domain.nl,o=Netscaperoot -p ###PASSWORD###

I get the following output:

Cannot find users from all base DN.
Client setup failed.

As I said fedora DS is new for me so I just followed a howto to install and configure it. What am I missing.

rizhun 08-20-2009 04:58 AM

Hi Pete83,

I think there's a couple of things wrong with your 'mksecldap' command...
  1. I don't like the look of your admin DN (although I'm not familiar with Fedora DS, I use OpenLDAP). It seems excessively long and it doesn't end with a 'dn=domain'.
  2. You are not specifying the base DN (hence the error).

For example:
My base DN = 'dc=mydomain'
My admin DN = 'cn=Admin,dc=mydomain'

So my 'mksecldap' command would look like:

Code:

mksecldap -c -h "fedora-ds" -a "cn=Admin,dc=mydomain" -p <password> -d "dc=mydomain" -A ldap_auth
I think you should probably go back to your fedora DS setup and confirm your base and admin DN's, then try and fit them into my command.

You should also look at encrypting your LDAP connections, otherwise you'll be sending passwords over your network in clear-text.

If you created a self-signed SSL certificate, you could change the above command to:

Code:

mksecldap -c -h "fedora-ds" -a "cn=Admin,dc=mydomain" -p <password> -d "dc=mydomain" -k "/path/to/cert.kdb" -w cert_password -A ldap_auth
On your AIX box you'll probably need to edit the 'SYSTEM' and 'registry' entries in the default stanza in /etc/security/user to :-
Code:

SYSTEM = "files or compat or LDAP"
registry = compat

... Then restart the LDAP client:
Code:

restart-secldapclntd
Hope this is useful!

pete83 08-20-2009 05:03 AM

Thank you rizhun, I will try it. Will let you know if I get it wworking.

pete83 08-20-2009 08:34 AM

rizhun,

I've tried the command you suggested and at least it gives some other output.

<code>
mksecldap -c -h "fedora-ds" -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -p ###PASSWORD### -d "dc=domain,dc=nl" -A ldap_auth

Cannot find the group base DN from the ldap server.
Client setup failed.
</code>

Also changed the default stanza in /etc/security/user as you said.

Probably I'm missing something in the configuration on my fedora-ds server.

rizhun 08-20-2009 08:50 AM

Pete83,

That's good news!
It means that AIX is talking to LDAP, but is not finding some things it expects (users & groups!).

Now all you should need to do is modify '/etc/security/ldap/ldap.cfg' (on your AIX box) to tell it where to look for these things in your directory.

Going back to my previous example, if my base DN is 'dc=mydomain' and under that I have my list of users in 'ou=users,dc=mydomain' and my groups in 'ou=groups,dc=mydomain', I'd have to change the following lines in ldap.cfg:

Code:

userbasedn:ou=users,dc=mydomain
groupbasedn:ou=groups,dc=mydomain

Set these values to whatever is appropriate for your directory server.

Then re-try your 'mksecldap' command.

Let me know how it goes.

rizhun 08-20-2009 10:00 AM

Just thought...
This IBM RedBook might be useful:
Integrating AIX into Heterogeneous LDAP Environments

pete83 08-25-2009 09:02 AM

Sorry Rizhun, for the late reaction.

I modified /etc/security/ldap/ldap.cfg as you said and added:

userbasedn:ou=People,dc=domain,dc=nl
groupbasedn:cn=test,cn=PD Managers,ou=groups,dc=domain,dc=nl

I had to add some other things to ldap.cfg like binddn, bindpwd and userattrmappath and groupattrmappath.

then restarted ldap restart-secldapclntd.

And tried the mksecldap command and got the same message as before:

Cannot find the group base DN from the ldap server.
Client setup failed.

So what am I doing wrong?! Thank you for the RedBook I will browse trough it and see if it can help me.

rizhun 09-01-2009 04:51 AM

Have you tried:

Code:

groupbasedn:ou=groups,dc=domain,dc=nl
... ?

pete83 09-04-2009 08:57 AM

rizhun,

Sorry for the late response again.

I have managed to authenticate my AIX client to the Centos DS. I switched to Centos DS after switching to OpenLDAP which learned me to understand LDAP a little bit more. In OpenLDAP I could authenticate after I executed the following command on the client:

Code:

sectoldif -d dc=domain,dc=nl -S RFC2307 > /tmp/RFC23071.ldif
Thank you for the redbook!!

Then I imported the *.ldif file in to the LDAP database which added some local users of the client in LDAP.

After that I executed the mksecldap command on the client side:

Code:

mksecldap -c -h "centos-ds" -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -p ###PASSWORD### -d "dc=domain,dc=nl" -A ldap_auth
And this authenticated the client with the LDAP server. I also added
Code:

SYSTEM = LDAP
registry = LDAP

to /etc/security/user default stanza. I know this is wrong but this is just for testing. After this I could log on with LDAP users.

With OpenLDAP I used the Apache Directory Studio to manage the users and this works well because you can copy user entries with the right object classes for AIX. And I can change the password.

But with CentOS DS I use the centos-idm-console to manage the users. And I can't add users with the right object classes like this:

Code:

dn: uid=test,ou=People,dc=domain,dc=nl
uid: test
objectClass: posixaccount
objectClass: shadowaccount
objectClass: account
cn: test
uidnumber: 101
gidnumber: 101
gecos: test user
homedirectory: /home/test
loginshell: /usr/bin/ksh
shadowwarning: 3
shadowexpire: 1
shadowmax: 13
shadowmin: 1
userpassword: {crypt}IwvD9cv/Mk6EE
shadowlastchange: 14491

And can't change the password. I don't like this. So I'm using Apache Directory Studio to add AIX users and change their passwords.

Is there someone out there with some experience with AIX users and Centos DS or Red Hat DS or Fedora DS? I don't get it anymore it should be possible to do with the centos-idm-console isn't it.

pete83 09-09-2009 06:41 AM

On the client side add this to your /etc/security/ldap/ldap.cfg:

Code:

authtype:ldap_auth
instead of:

Code:

authtype:unix_auth
Now I can add users normally and change their passwords through the idm-console.

Now I can try to find out about home directories, passwordpolicies and profiles.

What also would be nice is to automatically generate a UID.

At least I'm getting somewhere!!!

rizhun 09-09-2009 06:47 AM

You could always create a wrapper script for the 'mkuser' command that uses the next unused UID.

pete83 09-10-2009 09:46 AM

Rizhun,

I'm not adding users from the command-line but from the centos-idm-console which is a GUI for the Centos Directory Server.

Like this:

https://help.ubuntu.com/community/Fe...pPosixUser.jpg

It would be nice if it automatically fills in a unique UID and GID.

Also I'm struggling with the auto creation of home dirs under AIX. I have a NFS share on the Directory Server which is exported to the AIX client. Tried to get pam_mkuserhome working but with no success. Grabbed some info from here: http://blog.maniac.nl/setting-up-lda...ients/#homedir

Maybe you have more experience with auto home dir creation??


All times are GMT -5. The time now is 08:00 PM.