LinuxQuestions.org
Old 08-20-2009, 03:35 AM   #1
pete83
AIX authenticate against Fedora DS


Hello,

I've setup a Fedora Directory Server, which is totally new for me. I was just trying it in search for a solution to centrally manage the users on our Linux and AIX systems.

But I cant find anything useful about AIX clients authenticating against a Fedora DS server. Is it even possible?

When I try the following command which I found in a document from IBM to connect AIX clients to the IBM directory server:

mksecldap -c -h fedora-ds -a ou="cn=Directory Manager",ou=UserPreferences,ou=domain.nl,o=Netscaperoot -p ###PASSWORD###

I get the following output:

Cannot find users from all base DN.
Client setup failed.

As I said fedora DS is new for me so I just followed a howto to install and configure it. What am I missing.
 
Old 08-20-2009, 04:58 AM   #2
rizhun
Hi Pete83,

I think there are a couple of things wrong with your 'mksecldap' command...
  1. I don't like the look of your admin DN (although I'm not familiar with Fedora DS, I use OpenLDAP). It seems excessively long and it doesn't end with a 'dc=domain'.
  2. You are not specifying the base DN (hence the error).

For example:
My base DN = 'dc=mydomain'
My admin DN = 'cn=Admin,dc=mydomain'

So my 'mksecldap' command would look like:

Code:
mksecldap -c -h "fedora-ds" -a "cn=Admin,dc=mydomain" -p <password> -d "dc=mydomain" -A ldap_auth
I think you should probably go back to your fedora DS setup and confirm your base and admin DN's, then try and fit them into my command.

You should also look at encrypting your LDAP connections, otherwise you'll be sending passwords over your network in clear-text.

If you created a self-signed SSL certificate, you could change the above command to:

Code:
mksecldap -c -h "fedora-ds" -a "cn=Admin,dc=mydomain" -p <password> -d "dc=mydomain" -k "/path/to/cert.kdb" -w cert_password -A ldap_auth
On your AIX box you'll probably need to edit the 'SYSTEM' and 'registry' entries in the default stanza in /etc/security/user to :-
Code:
SYSTEM = "files or compat or LDAP"
registry = compat
... Then restart the LDAP client:
Code:
restart-secldapclntd
Hope this is useful!
 
Old 08-20-2009, 05:03 AM   #3
pete83
Thank you rizhun, I will try it. Will let you know if I get it working.
 
Old 08-20-2009, 08:34 AM   #4
pete83
rizhun,

I've tried the command you suggested and at least it gives some other output.

Code:
mksecldap -c -h "fedora-ds" -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -p ###PASSWORD### -d "dc=domain,dc=nl" -A ldap_auth

Cannot find the group base DN from the ldap server.
Client setup failed.

Also changed the default stanza in /etc/security/user as you said.

Probably I'm missing something in the configuration on my fedora-ds server.
 
Old 08-20-2009, 08:50 AM   #5
rizhun
Pete83,

That's good news!
It means that AIX is talking to LDAP, but is not finding some things it expects (users & groups!).

Now all you should need to do is modify '/etc/security/ldap/ldap.cfg' (on your AIX box) to tell it where to look for these things in your directory.

Going back to my previous example, if my base DN is 'dc=mydomain' and under that I have my list of users in 'ou=users,dc=mydomain' and my groups in 'ou=groups,dc=mydomain', I'd have to change the following lines in ldap.cfg:

Code:
userbasedn:ou=users,dc=mydomain
groupbasedn:ou=groups,dc=mydomain
Set these values to whatever is appropriate for your directory server.

Then re-try your 'mksecldap' command.

Let me know how it goes.
 
Old 08-20-2009, 10:00 AM   #6
rizhun
Just thought...
This IBM RedBook might be useful:
Integrating AIX into Heterogeneous LDAP Environments
 
Old 08-25-2009, 09:02 AM   #7
pete83
Sorry Rizhun, for the late reaction.

I modified /etc/security/ldap/ldap.cfg as you said and added:

userbasedn:ou=People,dc=domain,dc=nl
groupbasedn:cn=test,cn=PD Managers,ou=groups,dc=domain,dc=nl

I had to add some other things to ldap.cfg like binddn, bindpwd and userattrmappath and groupattrmappath.

Then restarted LDAP with restart-secldapclntd.

And tried the mksecldap command and got the same message as before:

Cannot find the group base DN from the ldap server.
Client setup failed.

So what am I doing wrong?! Thank you for the RedBook, I will browse through it and see if it can help me.
 
Old 09-01-2009, 04:51 AM   #8
rizhun
Have you tried:

Code:
groupbasedn:ou=groups,dc=domain,dc=nl
... ?

 
Old 09-04-2009, 08:57 AM   #9
pete83
rizhun,

Sorry for the late response again.

I have managed to authenticate my AIX client to the Centos DS. I switched to Centos DS after switching to OpenLDAP, which taught me to understand LDAP a little bit more. In OpenLDAP I could authenticate after I executed the following command on the client:

Code:
sectoldif -d dc=domain,dc=nl -S RFC2307 > /tmp/RFC23071.ldif
Thank you for the redbook!!

Then I imported the *.ldif file in to the LDAP database which added some local users of the client in LDAP.

After that I executed the mksecldap command on the client side:

Code:
mksecldap -c -h "centos-ds" -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -p ###PASSWORD### -d "dc=domain,dc=nl" -A ldap_auth
And this authenticated the client with the LDAP server. I also added
Code:
SYSTEM = LDAP
registry = LDAP
to /etc/security/user default stanza. I know this is wrong but this is just for testing. After this I could log on with LDAP users.

With OpenLDAP I used the Apache Directory Studio to manage the users and this works well because you can copy user entries with the right object classes for AIX. And I can change the password.

But with CentOS DS I use the centos-idm-console to manage the users. And I can't add users with the right object classes like this:

Code:
dn: uid=test,ou=People,dc=domain,dc=nl
uid: test
objectClass: posixaccount
objectClass: shadowaccount
objectClass: account
cn: test
uidnumber: 101
gidnumber: 101
gecos: test user
homedirectory: /home/test
loginshell: /usr/bin/ksh
shadowwarning: 3
shadowexpire: 1
shadowmax: 13
shadowmin: 1
userpassword: {crypt}IwvD9cv/Mk6EE
shadowlastchange: 14491
And can't change the password. I don't like this. So I'm using Apache Directory Studio to add AIX users and change their passwords.

Is there someone out there with some experience with AIX users and Centos DS or Red Hat DS or Fedora DS? I don't get it anymore; it should be possible to do with the centos-idm-console, shouldn't it?

 
Old 09-09-2009, 06:41 AM   #10
pete83
On the client side add this to your /etc/security/ldap/ldap.cfg:

Code:
authtype:ldap_auth
instead of:

Code:
authtype:unix_auth
Now I can add users normally and change their passwords through the idm-console.

Now I can try to find out about home directories, passwordpolicies and profiles.

It would also be nice to automatically generate a UID.

At least I'm getting somewhere!!!
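The client-side settings that rizhun's reply (#2) and this post ended up touching (userbasedn/groupbasedn, authtype, SSL, the bind DN) can be checked before re-running mksecldap. This is an added example, not code from the thread: a POSIX shell script that reads an ldap.cfg-style file and flags the problems discussed above. The ldap.cfg content is constructed; useSSL is an AIX ldap.cfg key the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the thread: flag the ldap.cfg settings discussed
# above before re-running mksecldap. The config below is constructed.

# write_sample_cfg FILE : write a constructed ldap.cfg with known problems
write_sample_cfg() {
cat > "$1" <<'EOF'
# constructed /etc/security/ldap/ldap.cfg: groupbasedn is missing
ldapservers:fedora-ds
binddn:cn=Directory Manager
bindpwd:secret
userbasedn:ou=People,dc=domain,dc=nl
authtype:unix_auth
useSSL:no
EOF
}

# cfg_get FILE KEY : value of "KEY:value" (key case-insensitive), comments skipped
cfg_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $0 !~ /^[ \t]*#/ && index(tolower($0), k ":") == 1 {
            v = substr($0, length(k) + 2); sub(/^[ \t]+/, "", v); print v; exit }' "$1"
}

# check_ldap_cfg FILE : print one finding per line (nothing printed = nothing flagged)
check_ldap_cfg() {
    for key in userbasedn groupbasedn; do
        [ -n "$(cfg_get "$1" "$key")" ] ||
            echo "$key not set: mksecldap stops with 'Cannot find ... base DN'"
    done
    case "$(cfg_get "$1" authtype)" in
        ldap_auth) ;;
        *) echo "authtype is not ldap_auth: the client compares password hashes itself, so passwords set from the DS console will not work" ;;
    esac
    case "$(cfg_get "$1" useSSL | tr 'A-Z' 'a-z')" in
        yes) ;;
        *) echo "useSSL is not yes: bind and user passwords cross the network in clear text" ;;
    esac
    case "$(cfg_get "$1" binddn | tr 'A-Z' 'a-z')" in
        "cn=directory manager") echo "binddn is the Directory Manager: use a read-only proxy account instead" ;;
    esac
    return 0
}

# Demo on the constructed file: four findings are printed.
tmp=$(mktemp)
write_sample_cfg "$tmp"
check_ldap_cfg "$tmp"
rm -f "$tmp"
```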
 
Old 09-09-2009, 06:47 AM   #11
rizhun
You could always create a wrapper script for the 'mkuser' command that uses the next unused UID.
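The wrapper rizhun suggests, as an added example that is not code from the thread: a POSIX shell function that picks the lowest free UID from the "name id=N" output format of 'lsuser -a id ALL' and hands it to mkuser. It reads both the local (files) and LDAP registries so a new LDAP user never shares a UID with a local account that 'registry = compat' would resolve first. The listing is constructed sample data; the lsuser/mkuser calls with '-R files' and '-R LDAP' are assumed AIX usage and are not executed by the demo.

```shell
#!/bin/sh
# Added example, not from the thread: mkuser wrapper that allocates the next
# unused UID. SAMPLE_LISTING is constructed data in 'lsuser -a id ALL' format.

SAMPLE_LISTING='root id=0
daemon id=1
alice id=1001
bob id=1002
carol id=1004'

# next_uid MIN : lowest unused id >= MIN among the "name id=N" lines on stdin
next_uid() {
    awk -v min="$1" '
        { for (i = 2; i <= NF; i++) if ($i ~ /^id=[0-9]+$/) used[substr($i, 4)] = 1 }
        END { n = min + 0; while ((n "") in used) n++; print n }'
}

# mkuser_ldap NAME [attr=value ...] : create NAME in LDAP with the next free UID.
# Assumes AIX lsuser/mkuser with the files and LDAP load modules (-R); not run here.
mkuser_ldap() {
    name=$1; shift
    uid=$( { lsuser -R files -a id ALL; lsuser -R LDAP -a id ALL; } | next_uid 1000 ) || return 1
    mkuser -R LDAP id="$uid" home="/home/$name" shell=/usr/bin/ksh "$@" "$name"
}

# Demo on the constructed listing: 1000 is free, 1003 is the first gap above 1001.
printf '%s\n' "$SAMPLE_LISTING" | next_uid 1000    # prints 1000
printf '%s\n' "$SAMPLE_LISTING" | next_uid 1001    # prints 1003
```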
 
Old 09-10-2009, 09:46 AM   #12
pete83
Rizhun,

I'm not adding users from the command-line but from the centos-idm-console which is a GUI for the Centos Directory Server.

Like this:

https://help.ubuntu.com/community/Fe...pPosixUser.jpg

It would be nice if it automatically fills in a unique UID and GID.

Also I'm struggling with the auto creation of home dirs under AIX. I have a NFS share on the Directory Server which is exported to the AIX client. Tried to get pam_mkuserhome working but with no success. Grabbed some info from here: http://blog.maniac.nl/setting-up-lda...ients/#homedir

Maybe you have more experience with auto home dir creation??
 
  

