Old 10-23-2015, 11:33 AM   #1
gnu699
LQ Newbie
 
Registered: Jun 2012
Posts: 12

AIX LDAP client authenticate against Linux OpenLDAP server over TLS/SSL


Hi folks,

How can I configure an AIX LDAP client to authenticate against a Linux OpenLDAP server over TLS/SSL?

It works like a charm without TLS/SSL.

I would like to have SSL-encrypted communication for LDAP (secldapclntd), ldapsearch, etc., while accepting every kind of certificate/CA.

Thanks in advance.
 
Old 10-23-2015, 12:45 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Quote:
Originally Posted by gnu699
Hi folks,
How can I configure an AIX LDAP client to authenticate against a Linux OpenLDAP server over TLS/SSL?

It works like a charm without TLS/SSL. I would like to have SSL-encrypted communication for LDAP (secldapclntd), ldapsearch, etc., while accepting every kind of certificate/CA.

Thanks in advance.
The OpenLDAP documentation is a good place to start:
http://www.openldap.org/faq/data/cache/185.html

You don't say what you've done/tried, if you've read that, or what version/distro of Linux and openldap you're using, so it's hard to be specific.
 
Old 10-26-2015, 01:23 PM   #3
gnu699
LQ Newbie
 
Registered: Jun 2012
Posts: 12

Original Poster
Yes, I already read it. And precisely, my question is: how can I apply this same configuration (which is for Linux clients) to AIX clients?

Thanks in advance.
 
Old 10-27-2015, 07:40 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Quote:
Originally Posted by gnu699
Yes, I already read it. And precisely, my question is: how can I apply this same configuration (which is for Linux clients) to AIX clients?
Well, if you read that documentation, you'd know that LDAP is LDAP...it DOES NOT MATTER what connects to it, as long as it obeys the protocol standard, same as with SSH, FTP, Telnet, IMAP, or anything else you can think of.

You configure the AIX LDAP client however you see fit, and point it to the LDAP server...and it doesn't matter if that server is Linux, Solaris, Windows, or any other operating system. If the LDAP server is functional, and your client is configured, you're done. IBM has much documentation on client configuration. Again, you still don't say what you've done/tried of your own, or tell us what version/distro of Linux.
https://www.ibm.com/developerworks/c..._dirty?lang=en
http://www.ibm.com/developerworks/ai.../au-ldapconfg/
http://www.openldap.org/lists/openld.../msg00188.html

AIX is a purchased, supported OS. If you're having problems with LDAP, you can always contact IBM tech support.
 
Old 01-16-2016, 07:04 AM   #5
Michael AM
Member
 
Registered: May 2006
Distribution: AIX 5.3, AIX 6.1, AIX 7.1
Posts: 123


The main thing is to realize that additional filesets are needed to support SSL.

I have not experimented with the most recent AIX LDAP, so the fileset names may not be accurate, but besides the base you need a combination something like this (notably the *crypto* filesets):

Code:
[[ $1 == "-c" ]] && installp -d ${IDSDIR}/tdsfiles -agXc \
        idsldap.cltbase63 \
        idsldap.clt32bit63 idsldap.clt_max_crypto32bit63 \
        idsldap.clt64bit63 idsldap.clt_max_crypto64bit63 \
        idsldap.msg63.en_US
Further, you will need to exchange keys, and GSKit is preferred for that:

Code:
installp -d ${IDSDIR}/gskit -agXc \
        GSKit8.gskcrypt64.ppc GSKit8.gskssl64.ppc \
        GSKit8.gskcrypt32.ppc GSKit8.gskssl32.ppc
This is a script I used to 'automate' the key creation for the client (roughly 50 lines):
Code:
#!/usr/bin/ksh
# Copyright 2013 Michael Felt, aixtools.net

PATH=/opt/IBM/ldap/V6.3/bin:/opt/idsldap/bin:${PATH}
# take mksecldap arguments to set environment variables
# -c # just required to be sure!
# -h # set hostname
# -p # LDAP admin password
# -P # client keyring password


# if environment file not existing - call IDSinit.ksh
# client.env should define CLI_DIR, CLI_PW, KEY_DIR, LDAP_SERVER and GSK, which are used below
if [[ ! -e /var/idsldap/client.env ]]
then
        echo "$0: please run idsInit.ksh to setup environment variables"
        exit 1
else
        . /var/idsldap/client.env
fi

mkdir -p ${CLI_DIR}
rm -f ${CLI_DIR}/clientkey.*

# fetch the server's (self-signed) certificate if it is not here yet
if [[ ! -e ${CLI_DIR}/serverkey.arm ]]
then
        print "copying server key $LDAP_SERVER:${KEY_DIR}/serverkey.arm to ${CLI_DIR}"
        print "please enter password after next prompt!"
        scp $LDAP_SERVER:${KEY_DIR}/serverkey.arm ${CLI_DIR}
        [[ $? -ne 0 ]] && print "please copy key and then rerun command" && exit 1
fi
# create client certificate database (CMS format, password kept in a stash file)
### print - creating new client keys
${GSK} -keydb -create -db ${CLI_DIR}/clientkey.kdb \
        -pw ${CLI_PW} -type cms -stash

#import the server (self-signed) certificate into key database
#hostname ${LDAP_SERVER} as name of CA (Certificate Authority) -label
#### print - import server certificate into key database, ${LDAP_SERVER} is used as CA
${GSK} -cert -add -db ${CLI_DIR}/clientkey.kdb \
        -pw ${CLI_PW} -label ${LDAP_SERVER} \
        -file ${CLI_DIR}/serverkey.arm

print - list client key database
${GSK} -cert -list -db ${CLI_DIR}/clientkey.kdb -pw ${CLI_PW}

print - verify IDS can communicate with LDAP_SERVER - if successful, all okay!
# -Z asks for SSL; -K/-P point idsldapsearch at the client key database just built
idsldapsearch -h ${LDAP_SERVER} -Z -K ${CLI_DIR}/clientkey.kdb -P ${CLI_PW} \
        -b "" -s base "objectclass=*" > /dev/null
[[ $? -ne 0 ]] && print "cannot communicate with IDSldap on ${LDAP_SERVER} using SSL keys, sigh" && exit 1

exit 0
Hope this helps!
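The question at the top of the thread wants encryption "while accepting every kind of certificate/CA", whereas the script above does the opposite: it imports the server certificate into a GSKit key database so the client can check which server it is binding to. The script below is an added example, not code from the thread or from IBM. It audits an AIX-style ldap.cfg for the settings that make secldapclntd bind over SSL/TLS against a private key database, and reports a config that would fall back to a cleartext bind or leaves the key store or the password-bearing config readable by other users. The key names useSSL, ldapsslport, ldapsslkeyf and ldapsslkeypwd are assumed from IBM's /etc/security/ldap/ldap.cfg as this example's author knows them, and the two sample configs built at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an AIX-style ldap.cfg for the
# settings that make secldapclntd bind over SSL/TLS with a trusted key database.
# Key names (useSSL, ldapsslport, ldapsslkeyf, ldapsslkeypwd) are assumed from
# IBM's /etc/security/ldap/ldap.cfg; the sample files at the bottom are constructed.

# cfg_get FILE KEY: print the value of the last "KEY:value" line, trimmed
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# readable_by_others FILE: true if the group or world read bit is set
readable_by_others() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# audit_ldap_cfg FILE: print one line per finding; return 0 only when the
# config enforces SSL/TLS with a private key database, 1 otherwise
audit_ldap_cfg() {
    cfg=$1
    rc=0
    usessl=$(cfg_get "$cfg" useSSL)
    keyf=$(cfg_get "$cfg" ldapsslkeyf)
    keypw=$(cfg_get "$cfg" ldapsslkeypwd)

    case "$usessl" in
        [Yy][Ee][Ss]) ;;
        *)  echo "useSSL=${usessl:-unset}: binds would reach the server in cleartext"
            rc=1 ;;
    esac

    if [ -z "$keyf" ]; then
        echo "ldapsslkeyf unset: no key database, so the server certificate cannot be checked"
        rc=1
    elif [ ! -f "$keyf" ]; then
        echo "ldapsslkeyf=$keyf: key database does not exist"
        rc=1
    else
        # the .kdb and its .sth stash file together unlock the client key store
        for f in "$keyf" "${keyf%.kdb}.sth"; do
            if [ -e "$f" ] && readable_by_others "$f"; then
                echo "$f: key store is readable by group/world"
                rc=1
            fi
        done
    fi

    # ldap.cfg carries the key database password (and the bind password)
    if [ -n "$keypw" ] && readable_by_others "$cfg"; then
        echo "$cfg: holds ldapsslkeypwd but is readable by group/world"
        rc=1
    fi
    return $rc
}

# --- constructed demonstration: one weak and one hardened config ---
demo_dir=$(mktemp -d) || exit 1
umask 077
: > "$demo_dir/clientkey.kdb"
: > "$demo_dir/clientkey.sth"

cat > "$demo_dir/ldap.cfg.weak" <<EOF
ldapservers:ldap.example.com
binddn:cn=proxyuser,o=example
useSSL:no
ldapport:389
EOF

cat > "$demo_dir/ldap.cfg.good" <<EOF
ldapservers:ldap.example.com
binddn:cn=proxyuser,o=example
useSSL:yes
ldapsslport:636
ldapsslkeyf:$demo_dir/clientkey.kdb
ldapsslkeypwd:changeme
EOF
chmod 600 "$demo_dir"/ldap.cfg.*

for c in weak good; do
    if audit_ldap_cfg "$demo_dir/ldap.cfg.$c"; then
        echo "$c: OK"
    else
        echo "$c: needs attention"
    fi
done
rm -rf "$demo_dir"
```

On a real client, point audit_ldap_cfg at /etc/security/ldap/ldap.cfg after mksecldap has been run, and run it again whenever the key database is replaced; a useSSL setting other than yes or a missing key file means the daemon will either bind in the clear or have no trust anchor for the server it talks to.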
 
Tags
ldap openldap filter, ssl authentication, tls