AIX can be integrated into Active Directory in two ways: directly, via Samba’s winbind, as if it were a Windows machine, or indirectly via LDAP.
The winbind configuration was already covered in a previous posting and worked rather well. However, because of GE’s requirements, it was not possible to use the winbind method for Active Directory integration. The alternative was to authenticate against Active Directory over LDAP.
This approach is a bit more complex and has a few more parts to it, but it does provide additional user information directly from Active Directory.
Windows
First things first: on each of the Active Directory Domain Controllers, install “Identity Management for UNIX”. It can be found under:
Control Panel -> Add / Remove Programs -> Add / Remove Windows Components -> Active Directory Services -> Identity Management for UNIX
This will extend the Active Directory LDAP schema to allow it to include UNIX attributes, such as the UID, GID, and Home Directory.
AIX
By default, AIX does not have the LDAP client package installed. Mount the first disc of the pair of OS install discs, and execute:
smit install
Navigate to the software install menus via:
Install and Update Software -> Install Software
Begin the software install via:
Enter /cdrom into the field for “INPUT device / directory for software”.
The window will refresh and show more options. The first highlighted item is “SOFTWARE to install”, with the default of “_all_latest” in its field. Replace that entry with “ldap.client”.
Using the arrow keys and the tab key, make sure that the following options are set to “yes”:
- COMMIT software updates?
- AUTOMATICALLY install requisite software?
- EXTEND file systems if space needed?
- ACCEPT new license agreements?
Start the install by pressing Enter.
Once the package is installed, some minor configuration is necessary: although the client software is now present, the authentication mechanism still knows nothing about it. Edit /usr/lib/security/methods.cfg and add the following stanza:
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
Additionally, we need to tell the system to authenticate against LDAP for all user accounts by default, but not for local accounts. Edit /etc/security/user, find the “default” stanza, and within it find the line that reads SYSTEM = "compat". Replace that line with SYSTEM = "LDAP". In every other stanza, each of which represents a local account, add the line SYSTEM = "compat".
Rather than modifying the LDAP configuration file (/etc/security/ldap/ldap.cfg) directly, make use of mksecldap:
mksecldap -c -h ldapauth.chahq.local -a CN=Administrator,OU=IT\ Department,OU=Users,OU=My\ Business,DC=chahq,DC=local -p ourpassword
That automatically sets up the LDAP configuration file from those command-line arguments. As a security precaution, the password is stored in the configuration file in encrypted form. With LDAP now configured, start the LDAP authentication service:
start-secldapclntd
To confirm that the service is running properly, list the users seen through the LDAP registry and query the daemon’s status:
lsuser -R LDAP ALL
ls-secldapclntd
To stop the service:
stop-secldapclntd
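The /etc/security/user edit above is tedious and easy to get wrong by hand on a file with many stanzas. The following is an added example, not code from the original post: it applies that step with a script, giving the default stanza SYSTEM = "LDAP" and every explicit local stanza SYSTEM = "compat", and writes to stdout so the result can be diffed before it replaces the real file. It assumes only the standard stanza layout of that file (a "name:" header, tab-indented "attr = value" lines, "*" comments); the sample file it builds is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): set the SYSTEM attribute in an
# AIX /etc/security/user stanza file as the post describes: "default" gets
# SYSTEM = "LDAP", every explicit (local) stanza gets SYSTEM = "compat".
# Output goes to stdout so a copy can be diffed before replacing the real file.

set_user_system() {                         # usage: set_user_system FILE
    awk '
    function target() { return stanza == "default" ? "LDAP" : "compat" }
    function flush(  i) {                   # print buffered stanza, adding SYSTEM if absent
        for (i = 1; i <= n; i++) {
            print buf[i]
            if (i == 1 && !seen) print "\tSYSTEM = \"" target() "\""
        }
        n = 0
    }
    /^[A-Za-z0-9_.-]+:[ \t]*$/ {            # "name:" starts a new stanza
        flush()
        stanza = $0; sub(/:.*$/, "", stanza)
        seen = 0; buf[++n] = $0; next
    }
    stanza == "" { print; next }            # comment preamble before the first stanza
    /^[ \t]*SYSTEM[ \t]*=/ {                # replace an existing SYSTEM line in place
        seen = 1; buf[++n] = "\tSYSTEM = \"" target() "\""; next
    }
    { buf[++n] = $0 }
    END { flush() }
    ' "$1"
}

stanza_system() {                           # usage: stanza_system FILE STANZA -> SYSTEM value
    awk -v want="$2" '
    /^[A-Za-z0-9_.-]+:[ \t]*$/ { cur = $0; sub(/:.*$/, "", cur); next }
    cur == want && /^[ \t]*SYSTEM[ \t]*=/ { sub(/^[ \t]*SYSTEM[ \t]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Constructed sample resembling a stock file: "default" still says compat,
# "root" has an explicit SYSTEM line and "daemon" has none.
write_sample_user_file() {                  # usage: write_sample_user_file FILE
    printf '* constructed sample, not a real /etc/security/user\n' > "$1"
    printf 'default:\n\tadmin = false\n\tSYSTEM = "compat"\n\tlogin = true\n\n' >> "$1"
    printf 'root:\n\tadmin = true\n\tSYSTEM = "compat"\n\n' >> "$1"
    printf 'daemon:\n\tadmin = true\n\tlogin = false\n' >> "$1"
}
```

Running the script a second time over its own output changes nothing, so it is safe to re-run after adding a new local account stanza.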
Hi dear Emre Özkan,
Thank you.
I have configured AIX and AD. The AD users I created can log in, but I have problems.
My problem: after login, AD users have read-only permission; for example, they cannot run smit commands or ls commands (they don’t have permission).
In AD, how do I define an admin user so that it can log in as an admin on AIX?
Best regards
Hello, Mr. Emre.
I am trying to set up Active Directory with Samba on Red Hat 8, but I cannot get it to work at all. The documents on the internet give this command:
sudo yum -y install docbook-style-xsl gcc gdb gnutls-devel gpgme-devel jansson-devel keyutils-libs-devel krb5-workstation libacl-devel libaio-devel libarchive-devel libattr-devel libblkid-devel libtasn1 libtasn1-tools libxml2-devel libxslt lmdb-devel openldap-devel pam-devel perl perl-ExtUtils-MakeMaker perl-Parse-Yapp popt-devel python3-cryptography python3-dns python3-gpg python36-devel readline-devel rpcgen systemd-devel tar zlib-devel
The command is there, but some of the packages in that command do not install.
Also,
apparently the command yum config-manager --set-enabled PowerTools has to be run as well, but that command does not work either.
I have been struggling with this for days and I am about to lose my mind.
Is there a link to the Winbind method you discussed? I can’t find it by searching