AIX: This forum is for the discussion of IBM AIX. eserver and other IBM-related questions are also on topic.
I've set up a Fedora Directory Server, which is totally new to me. I was just trying it out in search of a solution to centrally manage the users on our Linux and AIX systems.
But I can't find anything useful about AIX clients authenticating against a Fedora DS server. Is it even possible?
When I try the following command, which I found in a document from IBM about connecting AIX clients to the IBM directory server:
Code:
mksecldap -c -h fedora-ds -a ou="cn=Directory Manager",ou=UserPreferences,ou=domain.nl,o=Netscaperoot -p ###PASSWORD###
I get the following output:
Code:
Cannot find users from all base DN.
Client setup failed.
As I said, Fedora DS is new to me, so I just followed a howto to install and configure it. What am I missing?
I think there are a couple of things wrong with your 'mksecldap' command...
I don't like the look of your admin DN (although I'm not familiar with Fedora DS, I use OpenLDAP). It seems excessively long and it doesn't end with a 'dc=domain'.
You are not specifying the base DN (hence the error).
For example:
My base DN = 'dc=mydomain'
My admin DN = 'cn=Admin,dc=mydomain'
So my 'mksecldap' command would look like:
Code:
mksecldap -c -h "fedora-ds" -a "cn=Admin,dc=mydomain" -p <password> -d "dc=mydomain" -A ldap_auth
I think you should probably go back to your Fedora DS setup and confirm your base and admin DNs, then try to fit them into my command.
You should also look at encrypting your LDAP connections; otherwise you'll be sending passwords over your network in clear text.
If you created a self-signed SSL certificate, you could change the above command to:
Code:
mksecldap -c -h "fedora-ds" -a "cn=Admin,dc=mydomain" -p <password> -d "dc=mydomain" -k "/path/to/cert.kdb" -w cert_password -A ldap_auth
On your AIX box you'll probably need to edit the 'SYSTEM' and 'registry' entries in the default stanza in /etc/security/user to:
Code:
SYSTEM = "files or compat or LDAP"
registry = compat
That's good news!
It means that AIX is talking to LDAP, but is not finding some things it expects (users & groups!).
Now all you should need to do is modify '/etc/security/ldap/ldap.cfg' (on your AIX box) to tell it where to look for these things in your directory.
Going back to my previous example: if my base DN is 'dc=mydomain' and under that I have my list of users in 'ou=users,dc=mydomain' and my groups in 'ou=groups,dc=mydomain', I'd have to change the following lines in ldap.cfg:
I have managed to authenticate my AIX client to the CentOS DS. I switched to CentOS DS after first switching to OpenLDAP, which taught me to understand LDAP a little better. In OpenLDAP I could authenticate after I executed the following command on the client:
Then I imported the *.ldif file into the LDAP database, which added some local users of the client to LDAP.
After that I executed the mksecldap command on the client side:
Code:
mksecldap -c -h "centos-ds" -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -p ###PASSWORD### -d "dc=domain,dc=nl" -A ldap_auth
And this authenticated the client with the LDAP server. I also added
Code:
SYSTEM = LDAP
registry = LDAP
to the /etc/security/user default stanza. I know this is wrong, but this is just for testing. After this I could log on with LDAP users.
With OpenLDAP I used Apache Directory Studio to manage the users, and this works well because you can copy user entries with the right object classes for AIX, and I can change the password.
But with CentOS DS I use the centos-idm-console to manage the users, and I can't add users with the right object classes, like this:
Code:
dn: uid=test,ou=People,dc=domain,dc=nl
uid: test
objectClass: posixaccount
objectClass: shadowaccount
objectClass: account
cn: test
uidnumber: 101
gidnumber: 101
gecos: test user
homedirectory: /home/test
loginshell: /usr/bin/ksh
shadowwarning: 3
shadowexpire: 1
shadowmax: 13
shadowmin: 1
userpassword: {crypt}IwvD9cv/Mk6EE
shadowlastchange: 14491
And I can't change the password. I don't like this, so I'm using Apache Directory Studio to add AIX users and change their passwords.
Is there someone out there with some experience with AIX users and CentOS DS, Red Hat DS or Fedora DS? I don't get it any more; it should be possible to do with the centos-idm-console, shouldn't it?
It would be nice if it automatically filled in a unique UID and GID.
Also I'm struggling with the auto-creation of home dirs under AIX. I have an NFS share on the directory server which is exported to the AIX client. I tried to get pam_mkuserhome working, but with no success. I grabbed some info from here: http://blog.maniac.nl/setting-up-lda...ients/#homedir
Maybe you have more experience with auto home dir creation?
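The two practical problems in the post above (entries that lack the object classes AIX needs, and hand-picked uidNumber/gidNumber values) can be handled outside the console. What follows is an added example written for this page, not code from the thread and not part of 389/Fedora/CentOS DS or AIX: a small LDIF reader that checks an entry against the posixAccount/shadowAccount/account classes and the posixAccount MUST attributes (cn, uid, uidNumber, gidNumber, homeDirectory), allocates the next free uidNumber and gidNumber across the existing entries, and emits a new entry with an {SSHA} userPassword. The base DN ou=People,dc=domain,dc=nl is taken from the poster's LDIF; the sample LDIF and the user names are constructed. One caveat that matters for the password format: {SSHA} is checked by the directory server, so it only works when AIX binds as the user (mksecldap -A ldap_auth, as in the post); with -A unix_auth AIX fetches userPassword and compares it locally, and then a {crypt} value like the poster's is needed.

```python
"""Added example for the thread above; not the poster's code and not 389 DS tooling.
Validates AIX-style posixAccount entries in LDIF and allocates unique UID/GID values.
Assumes the base DN ou=People,dc=domain,dc=nl from the thread; sample data is constructed."""
import base64
import hashlib
import os

# Object classes the poster's working entry carries (account is the STRUCTURAL
# class; posixAccount and shadowAccount are AUXILIARY) and the posixAccount
# MUST attributes from RFC 2307.  Names are lowercased: LDAP attribute and
# class names are case-insensitive.
REQUIRED_CLASSES = {"posixaccount", "shadowaccount", "account"}
REQUIRED_ATTRS = {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}

# Constructed sample: one good AIX entry, one console-created entry without
# the POSIX classes (the failure mode described in the post).
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=domain,dc=nl
uid: test
objectClass: posixaccount
objectClass: shadowaccount
objectClass: account
cn: test
uidNumber: 101
gidNumber: 101
homeDirectory: /home/test
loginShell: /usr/bin/ksh

dn: uid=broken,ou=People,dc=domain,dc=nl
uid: broken
objectClass: inetOrgPerson
cn: broken
sn: broken
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, lowercased attribute names,
    list of values; handles folded lines (leading space) and base64 (attr::)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def check_aix_user(entry):
    """List what is missing or malformed for an AIX posixAccount-style entry."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems += ["missing objectClass %s" % c for c in sorted(REQUIRED_CLASSES - classes)]
    problems += ["missing attribute %s" % a for a in sorted(REQUIRED_ATTRS - set(entry))]
    for attr in ("uidnumber", "gidnumber"):
        for value in entry.get(attr, []):
            if not value.isdigit():
                problems.append("%s is not numeric: %r" % (attr, value))
    return problems


def next_free_id(entries, attr, start=1000):
    """Lowest integer >= start that no entry already uses for `attr`."""
    used = {int(v) for e in entries for v in e.get(attr, []) if v.isdigit()}
    candidate = start
    while candidate in used:
        candidate += 1
    return candidate


def ssha_hash(password, salt=None):
    """{SSHA} userPassword value: base64(sha1(password + salt) + salt).
    Server-side format, so usable only with mksecldap -A ldap_auth."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Check a password against an {SSHA} value (what the server does on bind)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def make_user_ldif(entries, uid, cn, password, base="ou=People,dc=domain,dc=nl"):
    """Build an LDIF entry for a new AIX user with fresh uidNumber/gidNumber."""
    uidnum = next_free_id(entries, "uidnumber")
    gidnum = next_free_id(entries, "gidnumber")
    return "\n".join([
        "dn: uid=%s,%s" % (uid, base),
        "uid: " + uid,
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "objectClass: account",
        "cn: " + cn,
        "uidNumber: %d" % uidnum,
        "gidNumber: %d" % gidnum,
        "homeDirectory: /home/" + uid,
        "loginShell: /usr/bin/ksh",
        "userPassword: " + ssha_hash(password),
        "",
    ])


if __name__ == "__main__":
    existing = parse_ldif(SAMPLE_LDIF)
    for entry in existing:
        print(entry["dn"][0], check_aix_user(entry) or "ok")
    print(make_user_ldif(existing, "alice", "Alice Example", "change-me"))
```

The generated entry can be fed to ldapadd (or ldapmodify -a) against the server as the admin DN; re-running parse_ldif over an ldapsearch export of ou=People before each add is what keeps the allocated numbers unique. The {SSHA} value is the poster's ldap_auth setup; for unix_auth replace ssha_hash with a {crypt} generator.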