LinuxQuestions.org


gnu699 10-23-2015 11:33 AM

AIX LDAP client authenticate against Linux Openldap server over TLS/SSL
 
Hi folks,

How can I configure an AIX LDAP client to authenticate against a Linux OpenLDAP server over TLS/SSL?

It works like a charm without TLS/SSL.

I would like to have SSL-encrypted communication for ldap (secldapclntd) and ldapsearch etc. while accepting every kind of certificate/CA.

Thanks in advance.

TB0ne 10-23-2015 12:45 PM

Quote:

Originally Posted by gnu699 (Post 5439102)
Hi folks,
How can I configure an AIX LDAP client to authenticate against a Linux OpenLDAP server over TLS/SSL?

It works like a charm without TLS/SSL. I would like to have SSL-encrypted communication for ldap (secldapclntd) and ldapsearch etc. while accepting every kind of certificate/CA.

Thanks in advance.

The OpenLDAP documentation is a good place to start:
http://www.openldap.org/faq/data/cache/185.html

You don't say what you've done/tried, if you've read that, or what version/distro of Linux and openldap you're using, so it's hard to be specific.

gnu699 10-26-2015 01:23 PM

Yes, I already read it. And justly, my question is: how can I apply this same configuration (which is for Linux clients) for AIX clients?

Thanks in advance.

TB0ne 10-27-2015 07:40 AM

Quote:

Originally Posted by gnu699 (Post 5440532)
Yes, I already read it. And justly, my question is: how can I apply this same configuration (which is for Linux clients) for AIX clients?

Well, if you read that documentation, you'd know that LDAP is LDAP...it DOES NOT MATTER what connects to it, as long as it obeys the protocol standard, same as with SSH, FTP, Telnet, IMAP, or anything else you can think of.

You configure the AIX LDAP client however you see fit, and point it to the LDAP server...and it doesn't matter if that server is Linux, Solaris, Windows, or any other operating system. If the LDAP server is functional, and your client is configured, you're done. IBM has much documentation on client configuration. Again, you still don't say what you've done/tried of your own, or tell us what version/distro of Linux.
https://www.ibm.com/developerworks/c..._dirty?lang=en
http://www.ibm.com/developerworks/ai.../au-ldapconfg/
http://www.openldap.org/lists/openld.../msg00188.html

AIX is a purchased, supported OS. If you're having problems with LDAP, you can always contact IBM tech support.

Michael AM 01-16-2016 07:04 AM

The main thing is to realize that additional filesets are needed to support SSL.

I have not experimented with the most recent AIX LDAP, so the fileset names may not be accurate, but besides the base you need a combination something like this (notably the *crypto* filesets):

Code:

[[ $1 == "-c" ]] && installp -d ${IDSDIR}/tdsfiles -agXc \
        idsldap.cltbase63 \
        idsldap.clt32bit63 idsldap.clt_max_crypto32bit63 \
        idsldap.clt64bit63 idsldap.clt_max_crypto64bit63 \
        idsldap.msg63.en_US

Further, you will need to exchange keys - and GSKit is preferred for that:

Code:

installp -d ${IDSDIR}/gskit -agXc \
        GSKit8.gskcrypt64.ppc GSKit8.gskssl64.ppc \
        GSKit8.gskcrypt32.ppc GSKit8.gskssl32.ppc

This is a script I used to 'automate' the key creation for the client - roughly 50 lines:
Code:

#!/usr/bin/ksh
# Copyright 2013 Michael Felt, aixtools.net

PATH=/opt/IBM/ldap/V6.3/bin:/opt/idsldap/bin:${PATH}
# take mksecldap arguments to set environment variables
# -c # just required to be sure!
# -h # set hostname
# -p # LDAP admin password
# -P # client keyring password


# if environment file not existing - call IDSinit.ksh
# (client.env is presumed to define CLI_DIR, CLI_PW, GSK, LDAP_SERVER and KEY_DIR)
if [[ ! -e /var/idsldap/client.env ]]
then
        echo $0: please run idsInit.ksh to setup environment variables
        exit -1
else
        . /var/idsldap/client.env
fi

mkdir -p ${CLI_DIR}
# remove any previous client key database, stash and request files
rm -f ${CLI_DIR}/clientkey.*

# fetch the server's (self-signed) certificate if it is not here yet
if [[ ! -e ${CLI_DIR}/serverkey.arm ]]
then
        print copying server key $LDAP_SERVER:${KEY_DIR}/serverkey.arm to ${CLI_DIR}
        print please enter password after next prompt!
        scp $LDAP_SERVER:${KEY_DIR}/serverkey.arm ${CLI_DIR}
        [[ $? -ne 0 ]] && print please copy key and then rerun command && exit -1
fi
# create client certificate database (CMS format; -stash writes the password to clientkey.sth)
### print - creating new client keys
${GSK} -keydb -create -db ${CLI_DIR}/clientkey.kdb \
        -pw ${CLI_PW} -type cms -stash

#import the server (self-signed) certificate into key database
#hostname ${LDAP_SERVER} as name of CA (Certificate Authority) -label
#### print - import server certificate into key database, ${LDAP_SERVER} is used as CA
${GSK} -cert -add -db ${CLI_DIR}/clientkey.kdb \
        -pw ${CLI_PW} -label ${LDAP_SERVER} \
        -file ${CLI_DIR}/serverkey.arm

print - list client key database
${GSK} -cert -list -db ${CLI_DIR}/clientkey.kdb -pw ${CLI_PW}

print - verify IDS can communicate with LDAP_SERVER - if successful, all okay!
# -Z requests SSL; -K and -P name the key database and its password
# (filter quoted so the shell cannot expand the '*' against files in the cwd)
idsldapsearch -h ${LDAP_SERVER} -Z -K ${CLI_DIR}/clientkey.kdb -P ${CLI_PW} \
        -b "" -s base "objectclass=*" > /dev/null
[[ $? -ne 0 ]] && print cannot communicate with IDSldap on ${LDAP_SERVER} using SSL keys, sigh && exit -1

exit 0

Hope this helps!
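Two things a practitioner would want around the procedure above, added here as an example and not part of the thread or of Michael AM's script. First, the script imports the server's own certificate as the trusted CA, so the client ends up trusting exactly that server's certificate rather than "every kind of certificate", which is the safer outcome; the files that make this work (client.env with CLI_PW, clientkey.kdb, and the clientkey.sth stash written by -stash) all hold or protect the keyring secret and must not be group/world readable. Second, the script never touches the secldapclntd side; the snippet below renders the SSL lines for /etc/security/ldap/ldap.cfg. Assumptions: the ldap.cfg key names useSSL, ldapsslkeyf, ldapsslkeypwd and ldapport are the stock ones as I recall them from the AIX documentation (not from this thread), ldap.example.com and the paths used by demo are constructed samples, and all function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: permission checks for the files that
# hold the keyring secret, plus a renderer for the SSL lines of
# /etc/security/ldap/ldap.cfg. ASSUMPTION: the ldap.cfg key names below are the
# stock ones (useSSL, ldapsslkeyf, ldapsslkeypwd, ldapport); the file names
# client.env / clientkey.kdb / clientkey.sth follow the script in the thread.

# Return 0 when $1 exists and no group/other permission bit is set.
# Parses `ls -ld` output (portable across AIX and Linux, unlike stat).
is_private_file() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c1-10)
    # columns 5-10 are the group and other rwx bits; all must be '-'
    case "$perm" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each argument that is missing or too open; returns the problem count.
check_secrets() {
    n=0
    for f in "$@"; do
        if ! is_private_file "$f"; then
            echo "WARN: $f is missing or readable by group/other (chmod 600 it)"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Emit the SSL-related ldap.cfg lines: server, key database, keyring password, port.
# mksecldap normally writes ldapsslkeypwd for you; clear text is accepted, so the
# file must be root-only, which check_secrets verifies.
render_ldap_cfg() {
    printf 'ldapservers:%s\n' "$1"
    printf 'useSSL:yes\n'
    printf 'ldapsslkeyf:%s\n' "$2"
    printf 'ldapsslkeypwd:%s\n' "$3"
    printf 'ldapport:%s\n' "$4"
}

# Demonstration on constructed files in a temporary directory; the stash file
# is deliberately left world-readable so the warning fires. Runs in a subshell
# so the umask change does not leak. Exit status is the number of findings (1).
demo() (
    d=$(mktemp -d) || exit 1
    umask 077
    : > "$d/client.env"          # stand-in for /var/idsldap/client.env (holds CLI_PW)
    : > "$d/clientkey.kdb"       # stand-in for the CMS key database
    : > "$d/clientkey.sth"       # stash written by "-stash"; holds the kdb password
    chmod 644 "$d/clientkey.sth"
    check_secrets "$d/client.env" "$d/clientkey.kdb" "$d/clientkey.sth"
    rc=$?
    render_ldap_cfg ldap.example.com /etc/security/ldap/clientkey.kdb '<kdb-password>' 636
    rm -rf "$d"
    exit "$rc"
)

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it as `sh check_ldap_ssl.sh --demo` to see the warning for the open stash file followed by the rendered ldap.cfg lines; on a real client, point check_secrets at the actual client.env, .kdb and .sth paths before switching useSSL on.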

