AIX Authentication Integration in to Active Directory via LDAP

3
2168

AIX can be integrated in to Active Directory in two ways: via Samba’s winbind directly as a Windows machine, and indirectly via LDAP.

The winbind configuration was already covered in a previous posting and worked rather well. However, because of GE’s requirements, it was not possible to utilize the winbind method for Active Directory integration. The alternative was to use LDAP to authenticate against Active Directory.

This approach is a bit more complex and has a few more parts to it, but it does provide additional user information directly from Active Directory.

Windows

First things first, on each of the Active Directory Domain Controllers, install the “Identity Management for UNIX”. This can be found under:

Control Panel -> Add / Remove Programs -> Add / Remove Windows Components -> Active Directory Services -> Identity Management for UNIX

This will extend the Active Directory LDAP schema to allow it to include UNIX attributes, such as the UID, GID, and Home Directory.

AIX

By default, AIX does not have the LDAP client package installed. Mount the first disc * from the pair of OS Install discs, and execute:

smit install

Navigate to the software install menus via:

Install and Update Software -> Install Software

Begin the software install via:

Enter /cdrom in to the field for “INPUT device / directory for software”

The window will refresh providing more options. The first item that is highlighted is “SOFTWARE to install” with the default of “_all_latest” entered in the field. Replace that entry with “ldap.client”.

Using the arrow keys and the tab key, make sure that the following options are set to “yes”:

  • COMMIT software updates?
  • AUTOMATICALLY install requisite software?
  • EXTEND file systems if space needed?
  • ACCEPT new license agreements?

Start the install by hitting “Enter”.

Once the package is installed, some minor configuration is necessary. While the client software is installed, the authentication mechanism still knows nothing about it. For this, we have to edit /usr/lib/security/methods.cfg to add the following lines:

LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64

Additionally, we need to tell the system that we want to authenticate against LDAP for all user accounts by default, but not for local accounts. For this to work, we need to edit /etc/security/user, find the stanza for “default” and then find the line that reads SYSTEM = “compat”. Replace that line with SYSTEM = “LDAP”. For all of the stanzas, which represent the local accounts, add the line SYSTEM = “compat”.

Rather than modifying the LDAP configuration file (/etc/security/ldap/ldap.cfg) directly, make use of mksecldap:

mksecldap -c -h ldapauth.chahq.local -a CN=Administrator,OU=IT\ Department,OU=Users,OU=My\ Business,DC=chahq,DC=local -p ourpassword

That will automatically set up the LDAP configuration file according to those command line arguments. As a security precaution, it encrypts the password in the configuration file. With LDAP now configured, start the LDAP authentication service:

start-secldapclntd

To confirm that the service is running properly:

lsuser -R LDAP ALL

ls-secldapclntd

To stop the service:

stop-secldapclntd

3 COMMENTS

  1. hi dear Emre Özkan
    Thank you
    I have configured AIX and AD. My created AD users can log in but I have problems.
    my problem: AD users after login have read-only permission and for example, they don’t run smit commands or ls commands. (they don’t have permission)
    IN an AD, how to define an admin user that it can log in as an admin on AIX?
    best regards

  2. merhaba , emre bey.
    red hat 8’de samba ile active directory kurulumu yapmaya çalışıyorum ama bir türlü olmuyor. internetteki dökümanlarda ;
    sudo yum -y install docbook-style-xsl gcc gdb gnutls-devel gpgme-devel jansson-devel keyutils-libs-devel krb5-workstation libacl-devel libaio-devel libarchive-devel libattr-devel libblkid-devel libtasn1 libtasn1-tools libxml2-devel libxslt lmdb-devel openldap-devel pam-devel perl perl-ExtUtils-MakeMaker perl-Parse-Yapp popt-devel python3-cryptography python3-dns python3-gpg python36-devel readline-devel rpcgen systemd-devel tar zlib-devel

    Komut var ama belirtilen komuttaki bazı uygulamalar kurulmuyor.
    Ayrıca ,
    yum config-manager –set-enabled PowerTools komutunun da aktif edilmesi gerekiyormuş.Ama bu komutta çalışmıyor.
    Kaç gündür uğraşıyorum kafayı yemek üzereyim.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.