LinuxQuestions.org
AIX This forum is for the discussion of IBM AIX.
08-25-2010, 05:00 PM   #1
DennisC31
Any luck getting AIX (5.3 / TL9 / SP2) or higher to authenticate users to AD 2k8?


I have been around and around with IBM on this.

Apparently it's not so easily done. The official blurb is:

1. Make sure you have Support for Unix installed on AD (done that -- with the Identity Management for Unix role for AD / DS).
2. Run mksecldap -- I do this but it complains that it can't find users in the context I supply.
3. Done.

My problem is -- how do I add a Unix user to AD? Tomorrow I am going to try an ldapmodify against a domain controller and try to set up the posixaccount objectclass.

If /anyone/ has done this successfully, please share. =)

Keep in mind:

The goal is NOT to use smit to manage Active Directory (which everyone at IBM seems to think is the objective). The objective is to have little Susie from accounting hit ctrl+alt+del, change her winders password, then open up securecrt to login to "the green screen" and then magically type in lsusie and then her new windows P@55w0rd and get in. On the back end, I just want AIX to authenticate to AD and then use the local /etc/passwd and group file for homedirs and group sets.

IBM said today I have to use "ldap A" in aix 6.1 TL4+ for this.

Ideas?

Last edited by DennisC31; 04-11-2012 at 06:22 PM.
 
08-31-2010, 03:17 PM   #2
DennisC31 (Original Poster)
Found a way!

Many thanks to the folks at IBM and to the 50 different articles I had to read on the tubes to find a way to do this.

http://rattyboy.wordpress.com/2010/0...ad-and-aix-5l/

This worked for me — I was able to actually authenticate users against Active Directory and use local files to manage their rights.


Leave me a message if this helps you!

1. Install 2008 SP2 + patch (I tested with 8/26/10’s patches), add the Domain Server Role.
2. Under Server Manager/Active Directory Domain Service, add the Identity Management for Unix/Server for Network Information Services Role Service and the corresponding Administration Tools Service.
3. Add the Subsystem for Unix Based Applications feature
4. Add SSH services to your AIX server if you want them. I use AIX 5.3 TL9 SP4.
5. Download tds62-aix-ppc64-base from IBM (http://www14.software.ibm.com/webapp...=21&fp f=&fdt= ; select #6, IBM Tivoli Directory Server: "IBM Tivoli Directory Server provides a powerful Lightweight Directory Access Protocol (LDAP) identity infrastructure"), then download the IBM Tivoli Directory Server V 6.2 Client-Server for IBM AIX link.
6. From that download, now install:
a. idsldap.clt64bit62
b. idsldap.clt_max_crypto64bit62
c. idsldap.cltbase62
d. idsldap.clt_max_crypto32bit62
7. Go to step 8. =)
8. Test an ldapsearch against your AD server (these are all in /opt/IBM/ldap/V6.2/bin):
ldapsearch -h adtestserver -D administrator@yourtestserver -w $password -b cn=users,dc=yourtestserver,dc=com "(Objectclass=*)"
9. Comment out groupbasedn from ldap.cfg.
10. Edit the mksecldap file as follows (add groupbasedn to the top, remove the if statement on line 1447, and just manually specify rfc2307 as the type). The reason is that AD 2008 is 2307-compliant (according to IBM, who said that Microsoft said that it would be, on page 237 of some obscure document I had to pore over to get this to work).
55d54
< GROUPBASEDN= »cn=aixgroups,dc=aixtestserver,dc=com »
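Review bot: the `»` characters in `< GROUPBASEDN= »cn=aixgroups,dc=aixtestserver,dc=com »` are typographic quotes, not the ASCII `"` that ksh needs, so the line will not parse if pasted as shown (the `servertype= »rfc2307″` line below has the same problem); post #3 carries the intended form, `GROUPBASEDN="cn=aixgroups,dc=aixtest,dc=acme,dc=com"`. The value is also a site-specific DN hard-coded into a vendor script, and it has to be kept consistent with the groupbasedn line in ldap.cfg that step 9 comments out, so a comment in the script saying why it is there would help the next admin.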
1448c1447,1450
< servertype= »rfc2307″

> get_servertype
> if [[ $? -ne 0 ]] then
> return 1
> else
1449a1452
> fi
11. Run:
mksecldap -c -h adtestserver.youraddomain.com -a cn=administrator,cn=users,dc=aixtest,dc=yourdomain,dc=com -p $password -d cn=users,dc=aixtest,dc=yourdomain,dc=com -A ldap_auth
12. Change the keyobjectclass from posixaccount to user in /etc/security/ldap/2307user.map.
13. Edit the /usr/lib/security/methods.cfg and add the LDAP stanzas below:
LDAPA:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
options=authonly

LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64

LDAPAfiles:
options= auth=LDAPA,db=BUILTIN

14. Start the ldap daemon with restart-secldapclntd.
15. Set the user's NIS domain so that AD will allow them to authenticate over LDAP.
16. Add this entry to the end of the /etc/security/user file on AIX to enable LDAP-based logins for a test account.
user:
admin = false
SYSTEM = LDAP
registry = LDAP

17. Add the above to the default section of the /etc/security/user file to enable this for everyone. If you try to make root LDAP-enabled, you are crazy.

18. Create a new regular user in AD and use that account for binding in /etc/security/ldap/ldap.cfg. You really don't need administrator to do this. Grant read rights in ADSI Edit. After doing this, if someone (i.e. another admin) deletes an account, it won't remove it from AD.

Last edited by DennisC31; 04-11-2012 at 06:25 PM. Reason: added #18 + link to dld page.
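Steps 16 and 17 put SYSTEM and registry under the default stanza while warning against an LDAP-enabled root; the two interact because AIX resolves any attribute missing from a user's own stanza from default. The checker below is an added example, not code from the post or from IBM: it parses /etc/security/user text with that inheritance rule and reports whether root ends up on an LDAP method. The stanza samples are constructed to mirror step 17.

```python
"""Audit an AIX /etc/security/user file for an LDAP-enabled root account.
Added example, not from the post or from IBM. It models the stanza semantics
behind step 17: an attribute missing from a user's stanza comes from "default:"."""
import re

STANZA_RE = re.compile(r"^(\S+):\s*$")

def parse_stanzas(text):
    """Parse 'name:' headers followed by 'attr = value' lines ('*' starts a comment)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip().strip('"')
    return stanzas

def effective(stanzas, user, attr):
    """Resolve attr for user the way AIX does: the user's own stanza, then default."""
    return stanzas.get(user, {}).get(attr, stanzas.get("default", {}).get(attr))

def ldap_enabled_root(text):
    """True if root's effective SYSTEM or registry routes through any LDAP method."""
    stanzas = parse_stanzas(text)
    return any("LDAP" in (effective(stanzas, "root", a) or "").upper()
               for a in ("SYSTEM", "registry"))

# Constructed sample: step 17 applied to default without touching root.
RISKY = """\
default:
        admin = false
        SYSTEM = LDAPAfiles
        registry = LDAPAfiles

root:
        admin = true
"""

# Constructed sample: the same default, but root pinned to local authentication.
SAFE = RISKY + """\
        SYSTEM = "compat"
        registry = files
"""
```

`ldap_enabled_root(RISKY)` returns True because root inherits SYSTEM and registry from default; `ldap_enabled_root(SAFE)` returns False once root carries its own local values.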
 
09-01-2010, 03:02 PM   #3
DennisC31 (Original Poster)
How to do it without adding roles:

1. Install 2008 SP2 + patch (I tested with 8/26/10’s patches), add the Domain Server Role.
2. Download tds62-aix-ppc64-base from IBM (select #6, IBM Tivoli Directory Server: "IBM Tivoli Directory Server provides a powerful Lightweight Directory Access Protocol (LDAP) identity infrastructure"), then download the IBM Tivoli Directory Server V 6.2 Client-Server for IBM AIX link.
3. From that download, now install:
a. idsldap.clt64bit62
b. idsldap.clt_max_crypto64bit62
c. idsldap.cltbase62
d. idsldap.clt_max_crypto32bit62
4. Test an ldapsearch against your AD server (these are all in /opt/IBM/ldap/V6.2/bin):
ldapsearch -h adtestserver -D administrator@aixtest.acme.com -w $password -b cn=users,dc=aixtest,dc=acme,dc=com "(Objectclass=*)"
5. Edit the mksecldap file as follows (add groupbasedn to the top, remove the if statement on line 1447, and just manually specify rfc2307 as the type). The reason is that AD 2008 is 2307-compliant.
55d54
< GROUPBASEDN="cn=aixgroups,dc=aixtest,dc=acme,dc=com"
1448c1447,1450
< servertype="rfc2307"
---
> get_servertype
> if [[ $? -ne 0 ]] then
> return 1
> else
1449a1452
> fi
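Review bot: replacing `get_servertype` with a fixed `servertype="rfc2307"` also deletes the `return 1` branch, so the function can no longer fail on a server it does not recognise, and every server this edited mksecldap is run against is treated as RFC 2307. If the underlying problem is that `get_servertype` fails against AD (the post does not say whether it fails or mis-detects), a narrower edit keeps the detection and overrides only on failure: `get_servertype` followed by `if [[ $? -ne 0 ]]; then servertype="rfc2307"; fi`. Whichever form is used, a comment at the edit site is warranted, since this silently changes vendor-supplied logic.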
6. Run:
mksecldap -c -h adtestserver.acme.com -a cn=administrator,cn=users,dc=aixtest,dc=acme,dc=com -p $password -d cn=users,dc=aixtest,dc=acme,dc=com -A ldap_auth
7. Comment out groupbasedn from ldap.cfg.
8. Add user to the userclasses line in ldap.cfg.
8b. Don't forget this step: add ?one to the end of the userbasedn line in ldap.cfg. The problem is that Active Directory will return a referral if you leave the default of searching the entire subtree. The AIX software doesn't properly handle the referral. With ?one, it will only search the current container. It took tcpdumps and some old IBM files for me to catch this one.
9. Change the keyobjectclass from posixaccount to user in /etc/security/ldap/2307user.map.
10. Change the mapping for username to SAMAccountName from uid in the 2307user.map file.
11. Edit the /usr/lib/security/methods.cfg and add the LDAP stanza below:
LDAPA:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
options=authonly


LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64

LDAPAfiles:
options= auth=LDAPA,db=BUILTIN

12. Start the ldap daemon with restart-secldapclntd.
13. Set the user's NIS domain so that AD will allow them to authenticate over LDAP.
14. Add this entry to the end of the /etc/security/user file on AIX to enable LDAP-based logins.
user:
admin = false
SYSTEM = LDAPAfiles
registry = LDAPAfiles
15. Add the SYSTEM and registry entries above to the default section of the user file to enable ldap across the board.
16. Create a new "regular" user in AD and change the ldap.cfg parameters to bind as that user. You don't need admin to bind to LDAP and search for user accounts. Grant this user read rights to the users folder in ADSI Edit.

Last edited by DennisC31; 04-11-2012 at 06:25 PM.
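The working ldap.cfg in this post differs from the generated one in four places: groupbasedn commented out (step 7), `user` added to userclasses (step 8), `?one` on userbasedn to avoid the referral (step 8b), and a non-administrator bind account (step 16). The audit below is an added example, not code from the post or from IBM; it assumes the AIX client's `key:value` line format, and both sample files and the `cn=aixbind` account name are constructed.

```python
"""Check an AIX /etc/security/ldap/ldap.cfg for the settings the post found necessary
against AD 2008 (steps 7, 8, 8b, 16). Added example, not from the post or IBM; samples are constructed."""

def parse_ldap_cfg(text):
    """Return {key: value} for active 'key:value' lines; '#' lines are ignored."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, val = line.partition(":")
        active[key.strip()] = val.strip()
    return active

def audit_ldap_cfg(text):
    """Return findings as strings; an empty list means the cfg matches the post's setup."""
    cfg = parse_ldap_cfg(text)
    findings = []
    if not cfg.get("userbasedn", "").lower().endswith("?one"):
        findings.append("userbasedn lacks ?one: subtree search draws AD referrals the client mishandles (step 8b)")
    if "groupbasedn" in cfg:
        findings.append("groupbasedn is active; the post comments it out (step 7)")
    classes = {c.strip().lower() for c in cfg.get("userclasses", "").split(",")}
    if "user" not in classes:
        findings.append("userclasses omits user, the AD account object class (step 8)")
    binddn = cfg.get("binddn", "").lower()
    if binddn.startswith(("cn=administrator,", "administrator@")):
        findings.append("binddn is the domain Administrator; bind with a read-only service account (step 16)")
    return findings

# Constructed sample of a pre-tuning ldap.cfg (not actual mksecldap output).
AS_GENERATED = """\
ldapservers:adtestserver.acme.com
binddn:cn=administrator,cn=users,dc=aixtest,dc=acme,dc=com
bindpwd:{PLACEHOLDER-NOT-A-REAL-VALUE}
userbasedn:cn=users,dc=aixtest,dc=acme,dc=com
groupbasedn:cn=users,dc=aixtest,dc=acme,dc=com
userclasses:posixaccount,account
"""

# Constructed sample: the same file after the post's edits (aixbind is a made-up account).
TUNED = """\
ldapservers:adtestserver.acme.com
binddn:cn=aixbind,cn=users,dc=aixtest,dc=acme,dc=com
bindpwd:{PLACEHOLDER-NOT-A-REAL-VALUE}
userbasedn:cn=users,dc=aixtest,dc=acme,dc=com?one
#groupbasedn:cn=users,dc=aixtest,dc=acme,dc=com
userclasses:posixaccount,account,user
"""
```

`audit_ldap_cfg(AS_GENERATED)` returns all four findings and `audit_ldap_cfg(TUNED)` returns an empty list.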
 
  

