AIX LDAP on AD
Install LDAP Client on AIX
- Requisites
- Install LDAP
  - Test LDAP Client
Configure LDAP Authentication
Additional resources

AIX LDAP on AD

As a counterfeit on AIX LDAP authentication on eDirectory this article will explain everything if you don't want to authenticate on eDirectory but on Active Directory. The AIX level will be the same, the AD will be a Windows 2008 AD and is installed as described in here.

Install LDAP Client on AIX

Requisites

The LDAP client has a few requisites which you need to install:

bos.loc.iso.en_US
xlC.rte at level 8

This is how you install them through AIX NIM

root@lpar1:/home/root>lslpp -L | grep bos.loc
root@lpar1:/home/root>lslpp -L | grep xlC
  xlC.aix50.rte              8.0.0.0    C     F    C Set ++ Runtime for AIX 5.0
  xlC.cpp                    6.0.0.0    C     F    C for AIX Preprocessor
  xlC.rte                    8.0.0.0    C     F    C Set ++ Runtime
root@lpar1:/home/root>nimclient -o allocate -a lpp_source=lpp_5300_06_07
root@lpar1:/home/root>nimclient -o cust -a lpp_source=lpp_5300_06_07 -a filesets=bos.loc.iso.en_US

+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

SUCCESSES
---------
  Filesets listed in this section passed pre-installation verification
  and will be installed.

  Selected Filesets
  -----------------
  bos.loc.iso.en_US 5.3.0.0                   # Base System Locale ISO Code ...

...<cut>...

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
bos.loc.iso.en_US           5.3.0.0         USR         APPLY       SUCCESS

Install LDAP

The LDAP client is not installed by default, so you have to install the files from the CD set you get with AIX. If you have a LDAP client it's probably the client for AIX 5.2, while I the idsldap client prefer which was originally created for AIX 6.1. Below you'll see the version I installed:

SUCCESSES
---------
  Filesets listed in this section passed pre-installation verification
  and will be installed.

  Selected Filesets
  -----------------
  idsldap.clt32bit61.rte 6.1.0.17             # Directory Server - 32 bit Cl...
  idsldap.cltbase61.adt 6.1.0.17              # Directory Server - Base Client
  idsldap.cltbase61.rte 6.1.0.17              # Directory Server - Base Client

  << End of Success Section >>

root@lpar1:/tmp/sft/ldap>lslpp -L | grep ldap
  idsldap.clt32bit61.rte    6.1.0.17    C     F    Directory Server - 32 bit
  idsldap.cltbase61.adt     6.1.0.17    C     F    Directory Server - Base Client
  idsldap.cltbase61.rte     6.1.0.17    C     F    Directory Server - Base Client

Test LDAP Client

You can do a ldapsearch to check ldap connectivity:

root@lpar1:/opt/IBM/ldap/V6.1/bin>./ldapsearch -h 10.10.10.101 -D sa_ldap@adldaptest.local -w ? -b OU=Internet,DC=adldaptest,DC=local uid=sjoerd
Enter password ==>
CN=Sjoerd Hooft,OU=Internet,DC=adldaptest,DC=local
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=Sjoerd Hooft
sn=Hooft
givenName=Sjoerd
distinguishedName=CN=Sjoerd Hooft,OU=Internet,DC=adldaptest,DC=local
instanceType=4
whenCreated=20100817120919.0Z
whenChanged=20100823135928.0Z
displayName=Sjoerd Hooft
uSNCreated=16616
uSNChanged=20878
name=Sjoerd Hooft
objectGUID=NOT ASCII
userAccountControl=66048
badPwdCount=0
codePage=0
countryCode=0
badPasswordTime=129272986076195000
lastLogoff=0
lastLogon=129272986101820000
pwdLastSet=129265205592977500
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=9223372036854775807
logonCount=44
sAMAccountName=sjoerd
sAMAccountType=805306368
userPrincipalName=sjoerd@adldaptest.local
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=adldaptest,DC=local
dSCorePropagationData=16010101000000.0Z
lastLogonTimestamp=129265962121415000
uid=sjoerd
msSFU30Name=sjoerd
msSFU30NisDomain=adldaptest
msSFU30PosixMemberOf=CN=autoyast-sudo,OU=Internet,DC=adldaptest,DC=local
msSFU30PosixMemberOf=CN=autoyast,OU=Internet,DC=adldaptest,DC=local
msSFU30PosixMemberOf=CN=LDAPUsers,OU=Internet,DC=adldaptest,DC=local
uidNumber=10000
gidNumber=10000
unixHomeDirectory=/home/sjoerd
loginShell=/bin/bash

Configure LDAP Authentication

ldap.cfg

LDAP is really easy to configure through a special command:

root@lpar1:/home/root>/usr/sbin/mksecldap -c -h 10.10.10.101 -a sa_ldap@adldaptest.local -p LD4Paccess -d OU=Internet,DC=adldaptest,DC=local

This command however does not change everything what is required for successful authentication, you need to at least change the authtype, and check the user and groupbasedns. They tend to be lower in the LDAP hierarchy than expected:

root@lpar1:/home/root>cat /etc/security/ldap/ldap.cfg | grep '^[a-z]'
ldapservers:10.10.10.101
binddn:sa_ldap@adldaptest.local
bindpwd:LD4Paccess
authtype:ldap_auth
useSSL:no
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=Internet,DC=adldaptest,DC=local
groupbasedn:OU=Internet,DC=adldaptest,DC=local
userclasses:user,person,organizationalperson
groupclasses:group
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP
serverschematype:sfur2

methods.cfg

The mksecldap command also changes the logon methods as defined in the methods.cfg. It does so however, with a typo (it missed a space after one of the = symbols). Set the LDAP methods exactly like stated here:

root@lpar1:/home/root>cat /usr/lib/security/methods.cfg | grep -p LDAP
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

User

Now you can view the LDAP users by querying for them:

root@lpar1:/home/root>lsuser -R LDAP sjoerd
sjoerd id=10000 pgrp=LDAPUsers groups=LDAPUsers,autoyast,autoyast-sudo home=/home/sjoerd shell=/bin/bash login=false su=false rlogin=true daemon=true admin=false sugroups= admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=compat logintimes= loginretries=3 pwdwarntime=7 account_locked=false minage=1 maxage=26 maxexpired=-1 minalpha=5 minother=2 mindiff=1 maxrepeats=2 minlen=8 histexpire=26 histsize=4 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

You need to change the authentication method for these users:

root@lpar1:/home/root>chuser SYSTEM=LDAP registry=LDAP sjoerd
root@lpar1:/home/root>lsuser -R LDAP sjoerd
sjoerd id=10000 pgrp=LDAPUsers groups=LDAPUsers,autoyast,autoyast-sudo home=/home/sjoerd shell=/bin/bash login=false su=false rlogin=true daemon=true admin=false sugroups= admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=3 pwdwarntime=7 account_locked=false minage=1 maxage=26 maxexpired=-1 minalpha=5 minother=2 mindiff=1 maxrepeats=2 minlen=8 histexpire=26 histsize=4 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

Now you can login with this user.

Default LDAP User

You can make it the default for users to logon through LDAP. It is not my preference, but it is possible. To do so, follow these steps:

Edit /etc/security/user
Go to the 'default' section and find the line that says SYSTEM = 'compat'
Replace 'compat' for 'LDAP'

Now, to make sure all local accounts can still authenticate, in the same file do this:

Add the line SYSTEM = 'compat' to all sections in the file

Restart the service

Now restart the ldap client service:

root@lpar1:/home/root>stop-secldapclntd
The secldapclntd daemon is successfully terminated.
root@lpar1:/home/root>start-secldapclntd
Starting the secldapclntd daemon.
The secldapclntd daemon started successfully.

Now it's possible to log on!