LDAP server on AIX 5.3
- From: "Menno Willemse" <flexor@xxxxxxxxxx>
- Date: 13 Jun 2006 09:34:28 -0700
Hello World,
So I'm building an LDAP server on AIX 5.3 ML 4, that can be used to
authenticate users both on AIX and on Linux. I found the documentation
to be somewhat... optimistic about the capabilities of the mksecldap
script, so I thought I'd share with you how I got it to run.
I started out with a freshly-installed AIX 5.3 LPAR - nice and clean.
We have working DNS, we have working network. We have a NIM server. We
have an AIX 5.3 LPPsource in /data/lppsource. The first thing to do,
then, is to install the requisite software:
# installp -acgXYd /data/lppsource \
    db2_08_01.ca db2_08_01.cc db2_08_01.ch.en_US.iso88591 \
    db2_08_01.cj db2_08_01.client db2_08_01.cnvucs db2_08_01.conn \
    db2_08_01.conv db2_08_01.cs.rte db2_08_01.das db2_08_01.db2.engn \
    db2_08_01.db2.rte db2_08_01.db2.samples db2_08_01.essg \
    db2_08_01.icuc db2_08_01.icut db2_08_01.jdbc db2_08_01.jhlp.en_US.iso88591 \
    db2_08_01.ldap db2_08_01.msg.en_US.iso88591 db2_08_01.pext \
    db2_08_01.repl db2_08_01.sqlproc ldap.client.adt ldap.client.rte \
    ldap.server.cfg ldap.server.com ldap.server.java ldap.server.rte
This will pull in a number of additional filesets to support the Java
config client, which I don't use here. The docs will tell you that just
installing ldap.server will pull in all the necessary filesets. Don't
rely on that - give installp the complete list of filesets. Another
thing it does not do, is LICENSE the database server. This shows itself
when you run mksecldap. It says "The database failed to start", and
then breaks down all the things it did. To avoid this, type the
following command:
# /usr/opt/db2_08_01/adm/db2licm -a \
    /usr/ldap/etc/ldap-custom-db2ese.lic
Something in there requires a reboot, so you do that now. Then, you can
run your mksecldap command:
# mksecldap -s \
-a 'cn=root,dc=example,dc=com' \
-p 'P@ssw0rd' \
-S RFC2307AIX \
-d 'dc=example,dc=com' \
-u ALL
This does a number of things: First, it checks if your /home directory
is a local file system (D'oh!). Then, it creates a user called ldapdb2
with a random user ID (D'oh!), a DB2 instance with the database in
/home/ldapdb2/... and converts all your local users to the LDAP
database, including ldapdb2. (Can you see the problem with that yet?)
The -a flag is the administrative user for LDAP, and the -p flag is the
password. The -S flag determines the LDAP schemas to use. You can also
choose RFC2307, which loses the AIX specific extensions, so things like
host-of-last-unsuccessful-login don't work anymore. Whatever you do,
don't use "AIX" here unless you have to. You have to if you have to
serve AIX 5.1 or 4.3.x LDAP clients, in which case it may be better
just to shoot yourself now. I don't plan on supporting anything here
below 5.2, so I use RFC2307AIX - Standard NIS schema with all the
extras. The -d flag gives your domain's LDAP "home directory". Finally,
the -u flag makes it convert all the users. You need to do this,
because otherwise mksecldap won't create the "People" and "Group"
containers. You could probably create those yourself, but I haven't
really got the hang of ldif files, ldapadd and ldapsearch yet.
Then, it's time to have the server use its own LDAP services to
authenticate users. You do this with the following command:
# mksecldap -c \
-h localhost \
-a 'cn=root,dc=example,dc=com' \
-p 'P@ssw0rd' \
-d 'dc=example,dc=com' \
-u ALL
This configures AIX to use the LDAP server you just created for user
authentication. However, I have found it necessary to modify the
/etc/security/user file as follows: In the "default:" stanza, you find
the line that says:
SYSTEM = "compat"
Change it to:
SYSTEM = "LDAP"
registry = LDAP
This will make AIX look for user authentication data in LDAP by
default. On my system, the root user is still authenticated locally,
because the "SYSTEM" and "registry" attribute in root's stanza are set
to "compat" and "files" respectively.
And then, you have a running LDAP server. However, I'm assuming that
you want this to work even AFTER a reboot, so there are a few more
things to do. First, mksecldap has at some point changed the ldapdb2
user to be authenticated using LDAP. This leads to a nice
chicken-and-egg problem when rebooting, because LDAP isn't up yet, but
we need the LDAP user to start it. So we set ldapdb2 back to local
files, thus:
# chuser SYSTEM="compat" registry=files ldapdb2
And then, we have an LDAP server that will work even after a reboot.
The next step is to configure another AIX machine to authenticate with
the new LDAP server. In this case, all you need on the client is the
fileset ldap.client. This time, it *will* pull in all that you need,
which is nice. Use this command:
# installp -acgXYd /data/lppsource ldap.client
This, again, requires a reboot, so you do that. Then, you configure the
client as follows:
# mksecldap -c \
-h ldapserver.example.com \
-S RFC2307AIX \
-a 'cn=root,dc=example,dc=com' \
-p 'Z@rquon' \
-d 'dc=example,dc=com' \
-u ALL
This should say nothing. Then, modify /etc/security/user in the same
way you did on the server above or It Won't Work. I have found that you
may need to restart a process called /usr/sbin/secldapclntd on
occasion.
And that, my friends, is that.
There are a few problems remaining with this setup, of course. I mount
my home directories from an NFS server, so putting a database there is
clearly inappropriate. So I'll have to find a way of moving the
database. I also don't like it that mksecldap creates the ldapdb2 user
with no way to influence the userid or the groupid. Also, I haven't yet
"armored" this LDAP server - apparently passwords fly over the wire in
plaintext. For this server I don't care because I can physically see
the network switch this happens on, but for production I want something
more cryptographically sound.
If and when I solve these problems, I'll post again.
Cheers,
Menno
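As an added example (not part of the post above), a small POSIX shell script that makes the /etc/security/user change the post describes on a copy of the file and checks the ldapdb2 boot-time condition behind the chuser step. The stanza file it works on is constructed for the demo, the function names are this example's own, it writes under $TMPDIR, and it assumes the default stanza already carries a SYSTEM line.

```shell
#!/bin/sh
# Added example, not from the original post. Rewrites the "default:" stanza
# of an /etc/security/user-style file to SYSTEM = "LDAP" / registry = LDAP,
# leaves the other stanzas (root, ldapdb2, ...) untouched, and checks whether
# a service account still authenticates from local files. Constructed sample.

write_sample() {   # write a constructed /etc/security/user fragment to $1
    printf 'default:\n\tadmin = false\n\tSYSTEM = "compat"\n\n' > "$1"
    printf 'root:\n\tadmin = true\n\tSYSTEM = "compat"\n\tregistry = files\n\n' >> "$1"
    printf 'ldapdb2:\n\tSYSTEM = "LDAP"\n\tregistry = LDAP\n' >> "$1"
}

# Print one attribute of one stanza, quotes stripped (empty if absent).
stanza_attr() {   # stanza_attr FILE STANZA ATTR
    awk -v want="$2" -v attr="$3" '
        /^[^ \t#]+:[ \t]*$/ { s = $1; sub(/:.*$/, "", s); next }
        s == want && $1 == attr && $2 == "=" { v = $3; gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# Point the default stanza at LDAP; adds registry = LDAP when it is missing.
# Assumes the default stanza already has a SYSTEM line, as in the post.
set_default_ldap() {   # set_default_ldap FILE
    awk '
        /^[^ \t#]+:[ \t]*$/ { s = $1; sub(/:.*$/, "", s) }
        s == "default" && /^[ \t]*SYSTEM[ \t]*=/ {
            print "\tSYSTEM = \"LDAP\""
            if (!reg) { print "\tregistry = LDAP"; reg = 1 }
            next
        }
        s == "default" && /^[ \t]*registry[ \t]*=/ {
            if (!reg) { print "\tregistry = LDAP"; reg = 1 }
            next
        }
        { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# True when USER is authenticated from local files (what ldapdb2 needs at boot).
local_auth_ok() {   # local_auth_ok FILE USER
    [ "$(stanza_attr "$1" "$2" SYSTEM)" = "compat" ] &&
    [ "$(stanza_attr "$1" "$2" registry)" = "files" ]
}

f="${TMPDIR:-/tmp}/user.sample.$$"
write_sample "$f"
set_default_ldap "$f"
local_auth_ok "$f" ldapdb2 ||
    echo 'ldapdb2 is LDAP-only: chuser SYSTEM="compat" registry=files ldapdb2'
```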