AIX LDAP authentication on eDirectory

This is a tutorial on how to setup AIX local authentication through LDAP on eDirectory. The version eDirectory that is being used is 8.8.4 which is installed on a NetWare 6.5 SP8 server. This server is for testing purposes and installed according to this installation report only upgraded to SP 8. The AIX version being used is 5.3 TL 6 FP 7 (5300-06-07-0818). This server is also for testing purposes but (because it's a POWER architecture based OS) can't run inside VMware and is running as a LPAR inside the production network. To be able to use the LDAP from the NetWare server I had to use port forwarding inside vmware and add a static route in AIX.
NOTE: During testing I had to change the NetWare test server for a NetWare production server. I found out you need to LUM enable users which is not so easy on a NetWare only environment. In my production environment the schema was already extended with the correct schema.

See AIX Info for more information about static routes on AIX.
See VMware Tips for more information about port forwarding in VMware Server.

The steps taken are:

Extend the eDirectory schema to support the AIX NIS ldap schema.
Install the client software on AIX
Configure the LDAP client software
Enable users to authenticate through LDAP

If everything works successful we'll try these configurations to enhance our solution:

Automatically create home directory and profile for new users
Make sure users can su to root
Make sure users can use sudo

Extend the eDirectory schema

Although it's not installed by default, eDirectory supports LDAP extensions as defined in RFC 2307. The necessary schema extensions files are even created and supported by Novell. You can find the files in any eDirectory installation file/cdrom. I used the eDirectory 8.8.2 ISO for NetWare and I used 7zip to extract the schema files. You can find them in this directory:

netware iso name\nw\sys\system\schema\rfc2307-nis.sch
netware iso name\nw\sys\system\schema\rfc2307-usergroup.sch

The easiest way to extend the eDirectory schema is by using iManager. If possible, try to use the iManager installed on the local server, when using the portable edition of iManager you could run into this error. On NetWare and OES iManager can be accessed (by default) on https://<ip-address>/nps/iManager.html.

After logging in (you'll need admin or equivalent access) expand the schema option and select “Extend Schema”.
Now follow the wizard to extend the schema:

Note: This is a test environment which means I can use an unsecure connection to extend the schema. Be careful with what you do in a production environment!

The last screen gives you an option to check a log. In case everything went ok the log should look a bit like this:

Novell Import Convert Export utility for Novell eDirectory
version: 20215.04
Copyright 2000-2005 Novell, Inc.  All rights reserved.  U.S. Patent No. 6,915,287.
Source Handler: ICE SCH Data handler for Novell eDirectory (version: 20215.04 )
Destination Handler: ICE LDAP handler for Novell eDirectory (version: 20215.04 )
Getting source schema...done.

Summary :
    Total Records Parsed    = 24
    Attributes Parsed    = 15
    ObjectClasses Parsed    = 9

Getting destination schema...done.
Starting schema update...
Schema already updated.
Done.

Options Used:
 -b -lsys:\tomcat\5.0\webapps\nps\WEB-INF\temp\ice31348\ice.log -esys:\tomcat\5.0\webapps\nps\WEB-INF\temp\ice31348\error.ldf -v -C -a -SSCH -fsys:\tomcat\5.0\webapps\nps\WEB-INF\temp\ice31348\ice31366.tmp -DLDAP -s192.168.177.10 -p389 -dcn=admin,o=shift

Dont't forget you need to run the wizard twice! You have two schema files:

After extending the schema with both of the schema files you can check some attributes that should not have been there before:

Install AIX Client Software

Before you can decide which software you want to install there is something you need to know about some of the AIX LDAP components. The mksecldap script is only for 32 bits software, so even if you're on a 64 bits system, don't install the 64 bits LDAP client, only the 32 bits client. You also need to know which packages you need to install. There is no AIX 5.3 LDAP client. There is one for AIX 5.2 and one for AIX 6.1.
The one for AIX 5.2 is called ldap.client but it's impossible to get if you don't have the original CDs for AIX 5.2. This is however the module all IBM's documentation talks about.
Supplied on the AIX 5.3 Expansion Pack CD2 are the idsldap modules which will also work and they are the ones that I use, and luckily, most of IBM's documentation also applies to these modules.

Requisites

Before you can install them there are some requisites that you need to install:

bos.loc.iso.en_US

If you have a NIM server which can provide you with these modules please install them before you try to install the LDAP modules. See this page for the commands to use a NIM server to install additional software.
Another requisite is xlC to be installed at version 8.0.0.0 or greater. If you don't have that version you can download the latest version using the download link in Additional Sources .

Install the LDAP client

After you have installed the required modules you can install the ldap client from the Expansion Pack cd. You need to install:

idsldap.clt32bit61
+ 6.1.0.17  Directory Server - 32 bit Client

idsldap.cltbase61
+ 6.1.0.17  Directory Server - Base Client
+ 6.1.0.17  Directory Server - Base Client

When you have installed these packages you can check them like this:

root@ms-lpar04:/tmp/sft>lslpp -L | grep ldap
  idsldap.clt32bit61.rte    6.1.0.17    C     F    Directory Server - 32 bit
  idsldap.cltbase61.adt     6.1.0.17    C     F    Directory Server - Base Client
  idsldap.cltbase61.rte     6.1.0.17    C     F    Directory Server - Base Client

Note, on AIX 6.1 I used the versions listed below, and also note that the ldap software is being installed in /opt/IBM/ldap/V6.2.

root@ms-soe6:/tmp/sft>lslpp -L | grep ldap
  idsldap.clt32bit62.rte     6.2.0.3    C     F    Directory Server - 32 bit
  idsldap.cltbase62.adt      6.2.0.3    C     F    Directory Server - Base Client
  idsldap.cltbase62.rte      6.2.0.3    C     F    Directory Server - Base Client

To check if LDAP is actually working, you can

root@ms-lpar04:/opt/IBM/ldap/V6.1/bin>./ldapsearch -h 192.168.177.1 -D cn=admin,o=shift -w ? -b ou=SRV,o=shift cn=sjoerd
Enter password ==>
cn=shooft,ou=SRV,o=SHIFT
uid=shooft
Language=ENGLISH
sn=hooft
objectClass=inetOrgPerson
objectClass=organizationalPerson
objectClass=Person
objectClass=ndsLoginProperties
objectClass=Top
cn=shooft
ACL=2#subtree#cn=shooft,ou=SRV,o=SHIFT#[All Attributes Rights]
ACL=6#entry#cn=shooft,ou=SRV,o=SHIFT#loginScript
ACL=2#entry#[Public]#messageServer
ACL=2#entry#[Root]#groupMembership
ACL=6#entry#cn=shooft,ou=SRV,o=SHIFT#printJobConfiguration
ACL=2#entry#[Root]#networkAddress

NOTE: As you might notice, the user I searched for has no “objectClass=posixAccount” listed as attribute. This means the user is not LUM enabled yet which will be done in the Enable eDirectory Users

Configure the LDAP client software

As soon as the LDAP search works you can start to configure the AIX client to authenticate over LDAP. There is a command which can do this for you, however, my experience with this command is not so positive. What I usually do is use a basic version of the command, and then edit the config files manually to ensure everything is configured correctly.
This is the command I use:

/usr/sbin/mksecldap -c -h 192.168.177.1 -a cn=admin,o=shift -p beheer -d o=shift

This command will do the following steps for you:

It sets up the /etc/security/ldap/ldap.cfg config file for you
It sets up the /usr/lib/security/methods.cfg config file for you
It starts the /usr/sbin/secldapclntd daemon and adds it to inittab for you

ldap.cfg

Now, edit the ldap.cfg file so it suits your needs:

root@ms-lpar04:/tmp/sft>cat /etc/security/ldap/ldap.cfg | grep '^[a-z]'
ldapservers:192.168.177.1
binddn:cn=admin,o=shift
bindpwd:beheer
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:ou=SRV,o=SHIFT
groupbasedn:ou=SRV,o=SHIFT
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:rfc2307

The one thing I always adjust is the authtype attribute. By default this is set to unix_auth, but should be set to ldap_auth.

methods.cfg

Now check to see if the methods.cfg is extended with these lines:

root@ms-lpar04:/usr/sbin>cat /usr/lib/security/methods.cfg
...<cut>...
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

If these lines are not added to the end of the file add them manually.

Note: When installing the version 6.2 there is a typo in this file:
Replace:

program_64 =/usr/lib/security/LDAP64

with

program_64 = /usr/lib/security/LDAP64

secldapclntd daemon

Check if the secldapclntd daemon has been started and been added to the inittab:

root@ms-lpar04:/tmp/sft>ps -ef | grep ldap
    root 315488      1   5 11:23:02      -  0:00 /usr/sbin/secldapclntd

root@ms-lpar04:/home/root>cat /etc/inittab | grep ldap
ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd  > /dev/console 2>&1

If you made any changes to the LDAP configuration you'll need to restart the daemon. To do so, kill the daemon and start it again:

root@ms-lpar04:/tmp/sft>/usr/sbin/secldapclntd

Enable users to authenticate through LDAP

Since LDAP searches and compares etc. are working now on the AIX box we want to enable eDirectory users to log on to the AIX box. eDirectory users are not capable to log on to an unix or a linux box by default (from now on, when mentioned unix this could also mean linux). Users on unix boxes differ from eDirectory users in a few ways, for example, on unix boxes users have a uid number and a primary group. To enable eDirectory users for unix we have to create linux enabled users and groups in eDirectory. Linux enabled means they get extended with attributes necessary for a unix system. Unix boxes also have a different way for granting rights and roles to users. By making users members of a secondary group which is enabled to use the sudo command, users can issue commands normally reserved for the root user.

So, to conclude, to enable users for an unix box we need to have or to do the following steps:

Create a linux enabled primary group for the linux enabled users
Linux enable eDirectory users
Create secondary groups for eDirectory users
Setup the AIX box

Enable eDirectory Users

Before you can use an eDirectory user account you'll have to LUM the user, and while doing so you can also directly create the primary group. LUM stands for Linux User Management and after LUMming the userobject will have the needed objectclasses and attributes it needs on a linux/unix system. For more information about LUM see the link in the Additional Sources section.

To LUM an user log into iManager, expand the Linux User Management section and click on “Enable Users for Linux”. A wizard is started:

As you can see, when you linux enable an user you get the possibility to create a linux enabled group as well. This will be set as the primary group for the user.

Note that the workstation object selected is not of an AIX system. To LUM-enable a user the wizard just requires a linux box to give access rights to.

Create secondary groups

Before it's useful to work with secondary groups you'll have to enable the system with sudo usage so the members of the secondary group can indeed issue the sudo command. To combine these items you'll have to do the following steps:

Create the secondary group
Setup the AIX box for the new users
Configure sudo

Group Config

Create linux enabled group

If you have an existing group it's almost the same procedure to linux enable a group as to linux enable an user. To LUM a group log into iManager, expand the Linux User Management section and click on “Enable Groups for Linux”. A wizard is started:

Select the group, but uncheck the checkmark for linux enabling all users in the group. Not only are all users already linux enabled, it could mess up the primary group membership.

Note that the workstation object selected is not of an AIX system. To LUM-enable a user the wizard just requires a linux box to give access rights to.

Check the group

The group added in the eDirectory is also a LDAP group which you can see with this command:

SHooft@ms-lpar04:/home/SHooft>sudo lsgroup ssh-ms-lpar04
ssh-ms-lpar04 id=607 users=sjoerd registry=LDAP

Add the members

Note that it's not the primary group of the user you're looking at, and that provides one extra step. When adding members to the group you'll have to add those members on two different attribute fields, to make sure unix boxes can see the membership as well.

First, like you'd normally do, add the (lum-enabled) user to the group:

After you've done so, go into the “other” tab, expand the “memberUid” attribute and click on “Add”. Now manually add the unique id of the user you're trying to add:

You're done now with adding the members to the secondary group. Unfortunately, it's not working yet. When you've added users to the group the aix group doesn't see the membership. It's probably a time-out, but I don't know how long it takes (approx 30 minutes). You can also restart the ldap client on the AIX box and you'll be fine.

Setup the AIX box

Enable long login names

By default you can only have a maximum of 8 characters for login names. You probably have longer login names defined in your LDAP environment. To change this setting use smitty:
smitty:

System Environments
- Change / Show Characteristics of Operating System
  - Maximum login name length at boot time

Change the value to suit your environment.

After setting this you have to reboot the box.

Setup LDAP authentication

The linux enabled user is now almost ready to login to the AIX system using his eDirectory credentials. You can check so by issuing this command:

root@ms-lpar04:/home/root>lsuser -R LDAP sjoerd
sjoerd id=610 pgrp=DIA-linux groups=DIA-linux home=/home/sjoerd shell=/bin/bash login=false su=false rlogin=true daemon=true admin=false
sugroups= admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=3
pwdwarntime=7 account_locked=false minage=1 maxage=13 maxexpired=-1 minalpha=5 minother=3 mindiff=1 maxrepeats=2 minlen=8 histexpire=26
histsize=4 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

Before you can login you'll have to issue this command:

root@ms-lpar04:/home/root>chuser SYSTEM=LDAP registry=LDAP sjoerd

NOTE: The username in the last command is case sensitive and is off course the uniqueid as displayed in the other tab in ConsoleOne. If you've created your eDirectory users with capitals you'll have to adjust this in this command.

Sudo

Always remember to change the sudo config as last, if you've messed anything up or forgot one of the steps before you disable sudo access for your accounts, which means you can't change anything anymore.

Sudo Config

This is the configuration of the sudo implementation. You'll have to edit the /etc/sudoers file with the special command:

visudo

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
%ssh-ms-lpar04 ALL=(ALL) NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

As you can see I added the group ssh-ms-lpar04 to be able to use sudo without the need for a password. This is just an example to just have a LDAP group for sudo. If you want more security or more configuration options please refer to the Sudo article.