I have been around and around with IBM on this.

Apparently its not so easily done. The official blurb is:

1. Make sure you have Support for unix installed on AD (done that -- with the identity management for unix role for AD / DS).
2. run mksecldap -- I do this but it complainst hat it cant find users in the context I supply.
3. Done.

My problem is -- how do I add a unix user to Ad? Tomorrow I am going to try an ldapmodify against a domain controller and try to setup the posixaccount objectclass.

If /anyone/ has done this successfully, please share. =)

Keep in mind:

The goal is NOT to use smit to manage Active Directory (which everyone at IBM seems to think is the objective). The objective is to have little Susie from accounting hit ctrl+alt+del, change her winders password, then open up securecrt to login to "the green screen" and then magically type in lsusie and then her new windows P@55w0rd and get in. On the back end, I just want AIX to authenticate to AD and then use the local /etc/passwd and group file for homedirs and group sets.

IBM said today I have to use "ldap A" in aix 6.1 TL4+ for this.

Ideas?

Many thanks to the folks at IBM and to the 50 different articles I had to read on the tubes to find a way to do this.

http://rattyboy.wordpress.com/2010/0...ad-and-aix-5l/

This worked for me — I was able to actually authenticate users against Active Directory and use local files to manage their rights.


Laissez-moi une message si cette vous aidez!

1. Install 2008 SP2 + patch (I tested with 8/26/10’s patches), add the Domain Server Role.
2. Under Server Manager/Active Directory Domain Service, add the Identity Management for Unix/Server for Network Information Services Role Service and the corresponding Administration Tools Service.
3. Add the Subsystem for Unix Based Applications feature
4. Add SSH services to your AIX server if you want them. I use AIX 5.3 TL9 SP4.
5. Download tds62-aix-ppc64-base from IBM (http://www14.software.ibm.com/webapp...=21&fp f=&fdt= select #6 IBM Tivoli Directory Server), IBM Tivoli Directory Server provides a powerful Lightweight Directory Access Protocol (LDAP) identity infrastructure, then download the IBM Tivoli Directory Server V 6.2 Client-Server for IBM AIX link.
6. From that download, now install:
a. idsldap.clt64bit62
b. idsldap.clt_max_crypto64bit62
c. idsldap.cltbase62
d. idsldap.clt_max_crypto32bit62
7. Go to step 8. =)
8. Test an ldapsearch against your AD server (these are all in /opt/IBM/ldap/V6.2/bin):
ldapsearch -h adtestserver -D administrator@yourtestserver -w $password -b cn=users,dc=yourtestserver,dc=com « (Objectclass=*) »
9. Comment out groupbasedn from ldap.cfg.
10. Edit the mksecldap file as follows (add groupbasedn to the top and remove the if statement on line 1447 and just manually specify rfc2307 as the type. The reason is that AD 2008 is 2307 compliant (according to IBM who said that Microsoft said that it would be on page 237 of some obscure document I had to pour over to get this to work).
55d54
< GROUPBASEDN= »cn=aixgroups,dc=aixtestserver,dc=com »
1448c1447,1450
< servertype= »rfc2307″
—
> get_servertype
> if [[ $? -ne 0 ]] then
> return 1
> else
1449a1452
> fi
11. Run:
mksecldap -c -h adtestserver.youraddomain.com -a cn=administrator,cn=users,dc=aixtest,dc=yourdomain,dc=com -p $password -d cn=users,dc=aixtest,dc=yourdomain,dc=com -A ldap_auth
12. Change the keyobjectclass from posixaccount to user in /etc/security/ldap/2307user.map.
13. Edit the /usr/lib/security/methods.cfg and add the LDAP stanzas below:
LDAPA:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
options=authonly

LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64

LDAPAfiles:
options= auth=LDAPA,db=BUILTIN

14. Start the ldap daemon with restart-secldapclntd.
15. Set the user’s NIS domain so that AD will allow them to Auth over Ldap.
16. Add this entry to the end of the /etc/security/user file on AIX to enable ldap based logins for a test account.
user:
admin = false
SYSTEM = LDAP
registry = LDAP

17. Add the above to the default section of the /etc/security/user file to enable this for everyone. If you try to make root ldap enabled, you are crazy.

18. Create a new regular user in AD and use that account for binding in /etc/security/ldap/ldap.cfg. You really don’t need administrator to do this. Grant read rights in asdi edit. After doing this if someone (ie. another admin) deletes an account, it wont remove it from AD.

How to do it without adding roles:

1. Install 2008 SP2 + patch (I tested with 8/26/10’s patches), add the Domain Server Role.
2. Download tds62-aix-ppc64-base from IBM (select #6 IBM Tivoli Directory Server), IBM Tivoli Directory Server provides a powerful Lightweight Directory Access Protocol (LDAP) identity infrastructure, then download the IBM Tivoli Directory Server V 6.2 Client-Server for IBM AIX link.
3. From that download, now install:
a. idsldap.clt64bit62
b. idsldap.clt_max_crypto64bit62
c. idsldap.cltbase62
d. idsldap.clt_max_crypto32bit62
4. Test an ldapsearch against your AD server (these are all in /opt/IBM/ldap/V6.2/bin):
ldapsearch -h adtestserver -D administrator@aixtest.acme.com -w $password -b cn=users,dc=aixtest,dc=acme,dc=com "(Objectclass=*)"
5. Edit the mksecldap file as follows (add groupbasedn to the top and remove the if statement on line 1447 and just manually specify rfc2307 as the type. The reason is that AD 2008 is 2307 compliant.
55d54
< GROUPBASEDN="cn=aixgroups,dc=aixtest,dc=acme,dc=com"
1448c1447,1450
< servertype="rfc2307"
---
> get_servertype
> if [[ $? -ne 0 ]] then
> return 1
> else
1449a1452
> fi
6. Run:
mksecldap -c -h adtestserver.acme.com -a cn=administrator,cn=users,dc=aixtest,dc=acme,dc=com -p $password -d cn=users,dc=aixtest,dc=acme,dc=com -A ldap_auth
7. Comment out groupbasedn from ldap.cfg.
8. Add user to the userclasses line in ldap.cfg.
8b. Don’t forget this step: add ?one to the end of the userbasedn line in ldap.cfg. The problem is that Active Directory will return a referral if you leave the default of search entire subtree. The AIX software doesn’t properly handle the referral. With ?one, it will only search the current container. It took tcpdumps and some old ibm files for me to catch this one.
9. Change the keyobjectclass from posixaccount to user in /etc/security/ldap/2307user.map.
10. Change the mapping for username to SAMAccountName from uid in the 2307user.map file.
11. Edit the /usr/lib/security/methods.cfg and add the LDAP stanza below:
LDAPA:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64
options=authonly


LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64

LDAPAfiles:
options= auth=LDAPA,db=BUILTIN

12. Start the ldap daemon with restart-secldapclntd.
13. Set the user’s NIS domain so that AD will allow them to Auth over Ldap.
14. Add this entry to the end of the /etc/security/user file on AIX to enable ldap based logins.
user:
admin = false
SYSTEM = LDAPAfiles
registry = LDAPAfiles
15. Add the SYSTEM and registry entries above to the default section of the user file to enable ldap across the board.
16. Create a new “regular” user in AD and change the ldap.cfg parameters to bind as that user. You don’t need admin to bind to LDAP and search for user accounts. Grant this user read rights to the users folder in asdi edit.