AIX Authentication Integration into Active Directory via LDAP


AIX can be integrated into Active Directory in two ways: directly, as a domain member in the Windows sense via Samba’s winbind, or indirectly, by using Active Directory as an LDAP directory.

The winbind configuration was covered in a previous posting and worked rather well. However, GE’s requirements ruled out the winbind method for Active Directory integration, so the alternative was to authenticate against Active Directory over LDAP.

This approach is more complex and has more moving parts, but it also pulls the additional user information AIX needs (UID, GID, home directory, shell) directly from Active Directory.

Windows

First things first: on each Active Directory domain controller, install “Identity Management for UNIX”. It is found under:

Control Panel -> Add / Remove Programs -> Add / Remove Windows Components -> Active Directory Services -> Identity Management for UNIX

This makes the RFC 2307 UNIX attributes available on user and group objects, such as the UID (uidNumber), GID (gidNumber), home directory (unixHomeDirectory) and login shell (loginShell), and adds a “UNIX Attributes” tab to Active Directory Users and Computers for filling them in. Every account that is to log in to AIX needs these attributes populated, with UIDs and GIDs that do not collide with local accounts on the AIX systems; an account without them is not a UNIX user as far as AIX is concerned.

AIX

By default, AIX does not have the LDAP client package installed. Mount the first of the pair of OS installation discs and run:

smit install

Navigate to the software install menus via:

Install and Update Software -> Install Software

Begin the software install via:

Enter /cdrom into the field for “INPUT device / directory for software”.

The window refreshes with more options. The first, highlighted item is “SOFTWARE to install”, with the default “_all_latest” in the field. Replace that entry with “ldap.client”.

Using the arrow keys and the tab key, make sure that the following options are set to “yes”:

  • COMMIT software updates?
  • AUTOMATICALLY install requisite software?
  • EXTEND file systems if space needed?
  • ACCEPT new license agreements?

Start the install by hitting “Enter”.

Once the package is installed, a little configuration remains. The client software is present, but the authentication subsystem does not yet know about it. Edit /usr/lib/security/methods.cfg and add the following stanza:

LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64

Next, tell the system to authenticate against LDAP for user accounts by default while keeping the local accounts local. Edit /etc/security/user, find the “default” stanza, and change the line SYSTEM = “compat” to SYSTEM = “LDAP” (or to SYSTEM = “LDAP or compat”, which lets AIX fall back to the local files when the LDAP server cannot be reached). Then add the line SYSTEM = “compat” to every named stanza, since those are the local accounts. root in particular must stay on compat: it does not exist in the directory, and a root stanza that inherits SYSTEM = “LDAP” makes the machine unreachable whenever the directory is. Keep a root session open until an LDAP login has been verified from a second session.
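The stanza edits above are tedious and error-prone by hand on a file with dozens of local accounts, so here is an added example (not from the original post) that performs them with awk on a copy of the file. It uses SYSTEM = "LDAP or compat" for the default stanza rather than the bare "LDAP" the post uses, so local logins keep working if the LDAP server is unreachable; pass a different value as the second argument of configure_user_file to reproduce the post’s setting exactly. The sample stanza file is constructed and heavily shortened; a real /etc/security/user carries many more attributes.

```shell
#!/bin/sh
# Added example: automate the /etc/security/user edit described above.
# Always work on a copy first; the live file is /etc/security/user.

# Print the names of all stanzas ("default", "root", "daemon", ...).
# A stanza header is an unindented line of the form "name:".
list_stanzas() {
    awk '/^[^ \t#][^ \t]*:[ \t]*$/ { sub(/:.*$/, ""); print }' "$1"
}

# Print the SYSTEM value of one stanza without the surrounding quotes,
# or nothing if the stanza has no SYSTEM line.
get_system_attr() {
    awk -v stanza="$2" '
        /^[^ \t#][^ \t]*:[ \t]*$/ { cur = $0; sub(/:.*$/, "", cur); next }
        cur == stanza && $1 == "SYSTEM" {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v); print v
        }
    ' "$1"
}

# Set SYSTEM for one stanza: drop any SYSTEM lines already in that stanza
# and write a single SYSTEM line directly under the stanza header.
set_system_attr() {
    file=$1; stanza=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v stanza="$stanza" -v value="$value" '
        /^[^ \t#][^ \t]*:[ \t]*$/ {
            cur = $0; sub(/:.*$/, "", cur)
            print
            if (cur == stanza) printf "\tSYSTEM = \"%s\"\n", value
            next
        }
        cur == stanza && $1 == "SYSTEM" { next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply the rule from the post to every stanza: "default" goes to LDAP
# (with a compat fallback unless told otherwise), every named stanza is a
# local account and is pinned to "compat".
configure_user_file() {
    file=$1; default_value=${2:-"LDAP or compat"}
    for s in $(list_stanzas "$file"); do
        if [ "$s" = "default" ]; then
            set_system_attr "$file" "$s" "$default_value"
        else
            set_system_attr "$file" "$s" "compat"
        fi
    done
}

# Sanity check before logging out: root must still resolve locally.
root_is_local() {
    case "$(get_system_attr "$1" root)" in
        compat|*"or compat"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in the /etc/security/user layout (not a real system file).
make_sample_user_file() {
    cat > "$1" <<'EOF'
default:
	admin = false
	login = true
	SYSTEM = "compat"

root:
	admin = true
	SYSTEM = "compat"
	registry = files

daemon:
	admin = true

guest:
	admin = false
	SYSTEM = "compat"
EOF
}

# Demo on a scratch copy.
sample=/tmp/security-user.sample.$$
make_sample_user_file "$sample"
configure_user_file "$sample"
root_is_local "$sample" || echo "WARNING: root would not fall back to local authentication" >&2
cat "$sample"
rm -f "$sample"
```

Run it as root against a copy (cp /etc/security/user /tmp/user.new, then configure_user_file /tmp/user.new), diff the result against the original, and only then move it into place; root_is_local is the check to run before closing your last shell.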

Rather than editing the LDAP client configuration file (/etc/security/ldap/ldap.cfg) by hand, let mksecldap generate it:

mksecldap -c -h ldapauth.chahq.local -a CN=Administrator,OU=IT\ Department,OU=Users,OU=My\ Business,DC=chahq,DC=local -p ourpassword

That writes the server, bind DN and bind password into the configuration file according to the command line arguments. The bind password is not stored in clear text: mksecldap writes it in an encrypted ({DES}) form. Since the client daemon has to recover it to bind, so can anyone who can read the file, so ldap.cfg must stay readable by root only. Two further points matter in production. Binding as the domain Administrator is far more privilege than the client needs; a dedicated account with read access to the user and group containers is sufficient. And because Active Directory does not expose password hashes over LDAP, the client has to authenticate users by binding as them (authtype ldap_auth, set with mksecldap -A ldap_auth); without SSL/TLS (mksecldap -k keyfile -w keypassword, which sets useSSL in ldap.cfg) every user’s password then crosses the network to the domain controller in clear text. Note also that a password passed with -p is visible in the process list while the command runs and ends up in the shell history. With LDAP configured, start the LDAP authentication service:

start-secldapclntd

To confirm that the daemon is running and can actually enumerate directory accounts (lsuser should list the AD users with UID, GID and home directory taken from their UNIX attributes; ls-secldapclntd reports the daemon’s status and the server it is bound to):

lsuser -R LDAP ALL

ls-secldapclntd

To stop the service:

stop-secldapclntd
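Before trusting the new configuration, it is worth checking ldap.cfg for the Active Directory pitfalls mentioned with the mksecldap step. The following is an added example, not part of the original post or of AIX: a small audit that reads the key:value layout of /etc/security/ldap/ldap.cfg and flags unix_auth, SSL turned off, an Administrator bind DN, a clear-text bind password, and an attribute map that is not one of the Services for UNIX / Identity Management for UNIX maps AIX ships (sfur2user.map, sfu30user.map). Both sample configurations are constructed; the service account CN=aixldapbind, the key database path and the {DES} blob are placeholders, not real values.

```shell
#!/bin/sh
# Added example: preflight audit of an AIX ldap.cfg that points at Active
# Directory. Works on any file in the "key:value" layout of
# /etc/security/ldap/ldap.cfg; the two samples below are constructed.

# Print the value of one ldap.cfg key (first uncommented match).
ldapcfg_get() {
    awk -F: -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }
    ' "$1"
}

# Report the settings that matter when the LDAP server is a domain
# controller. Prints one line per finding; the return code is the count.
audit_ad_ldapcfg() {
    cfg=$1; findings=0

    # AD does not return a userPassword hash, so the client must bind as the
    # user (ldap_auth) instead of comparing a crypt hash (unix_auth).
    if [ "$(ldapcfg_get "$cfg" authtype)" != "ldap_auth" ]; then
        echo "authtype must be ldap_auth for Active Directory"; findings=$((findings+1))
    fi
    # ldap_auth sends every user's password to the DC; without SSL/TLS it
    # crosses the network in clear text.
    case "$(ldapcfg_get "$cfg" useSSL)" in
        yes|TLS) ;;
        *) echo "useSSL is off: user passwords would cross the network in clear text"; findings=$((findings+1)) ;;
    esac
    # The bind identity only needs to read UNIX attributes; never bind as a
    # privileged account.
    case "$(ldapcfg_get "$cfg" binddn)" in
        CN=Administrator,*|*,CN=Administrator,*) echo "binddn is the domain Administrator; use a dedicated read-only account"; findings=$((findings+1)) ;;
    esac
    # mksecldap stores the bind password as {DES}...; a bare value means the
    # file was hand-edited and the password is readable as is.
    case "$(ldapcfg_get "$cfg" bindpwd)" in
        "{DES}"*) ;;
        "") echo "bindpwd is empty"; findings=$((findings+1)) ;;
        *) echo "bindpwd is stored in clear text; regenerate the file with mksecldap"; findings=$((findings+1)) ;;
    esac
    # AD with Identity Management for UNIX needs the SFU attribute maps, not
    # the generic RFC 2307 ones.
    case "$(ldapcfg_get "$cfg" userattrmappath)" in
        */sfu*) ;;
        *) echo "userattrmappath is not an SFU/IdMU map (sfur2user.map or sfu30user.map)"; findings=$((findings+1)) ;;
    esac
    return $findings
}

# Constructed samples: the weak one mirrors the post's mksecldap call with
# no SSL and unix_auth; the hardened one is what the audit expects.
make_sample_ldapcfg() {
    mode=$1; out=$2
    if [ "$mode" = "weak" ]; then
        cat > "$out" <<'EOF'
# constructed sample, not a real configuration
ldapservers:ldapauth.chahq.local
binddn:CN=Administrator,OU=IT Department,OU=Users,OU=My Business,DC=chahq,DC=local
bindpwd:ourpassword
authtype:unix_auth
useSSL:no
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
EOF
    else
        cat > "$out" <<'EOF'
# constructed sample; account name, key path and {DES} value are placeholders
ldapservers:ldapauth.chahq.local
binddn:CN=aixldapbind,OU=Service Accounts,DC=chahq,DC=local
bindpwd:{DES}0123456789abcdef
authtype:ldap_auth
useSSL:yes
ldapsslkeyf:/etc/security/ldap/key.kdb
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
userbasedn:OU=Users,OU=My Business,DC=chahq,DC=local
groupbasedn:OU=Groups,OU=My Business,DC=chahq,DC=local
EOF
    fi
}

# Demo: audit both samples.
for mode in weak hardened; do
    f=/tmp/ldap.cfg.$mode.$$
    make_sample_ldapcfg "$mode" "$f"
    echo "== $mode =="
    audit_ad_ldapcfg "$f" || echo "$? finding(s)"
    rm -f "$f"
done
```

On a real system run audit_ad_ldapcfg /etc/security/ldap/ldap.cfg as root before start-secldapclntd; a non-zero return means at least one of the settings above needs attention.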

3 COMMENTS

  1. Hi dear Emre Özkan,
    Thank you.
    I have configured AIX and AD. The AD users I created can log in, but I have problems.
    My problem: after login, AD users have read-only permission; for example, they cannot run smit commands or ls commands (they don’t have permission).
    In AD, how do I define an admin user so that it can log in as an admin on AIX?
    Best regards

  2. Hello, Mr. Emre.
    I am trying to set up Active Directory with Samba on Red Hat 8, but it just won’t work. The documents on the internet give this command:
    sudo yum -y install docbook-style-xsl gcc gdb gnutls-devel gpgme-devel jansson-devel keyutils-libs-devel krb5-workstation libacl-devel libaio-devel libarchive-devel libattr-devel libblkid-devel libtasn1 libtasn1-tools libxml2-devel libxslt lmdb-devel openldap-devel pam-devel perl perl-ExtUtils-MakeMaker perl-Parse-Yapp popt-devel python3-cryptography python3-dns python3-gpg python36-devel readline-devel rpcgen systemd-devel tar zlib-devel

    but some of the packages in that command do not install.
    Also,
    the command yum config-manager --set-enabled PowerTools apparently has to be run as well, but that command does not work either.
    I have been struggling with this for days and I am about to lose my mind.
