This is a discussion on "AIX authentication against Sun ONE/Java Directory Server?" within the AIX Operating System forums, part of the Unix Operating Systems category.
I will have to state flat out that I am not an AIX expert by any means. I've been a Solaris admin for 10 years and recently got thrust into the role of maintaining two AIX servers as well. So please be nice to the newbie, unlike the Linux crowd. *cough*

We just deployed Sun ONE/Java Directory Server for our Sun systems. The ONLY purpose is for user authentication so that we could get rid of NIS entirely. We've now been tasked (thank you, Sarbanes-Oxley) with tying our two AIX production systems into LDAP.

From what I've been reading, the LDAP/LDIF structure is standardized, but how each operating system authenticates against LDAP differs. Throw into the mix that netgroups will be used. Additionally, we are using a proxy agent to add at least a modicum of security to Directory Server. We also have password policies in place for expiration and locking out of failed logins. We also have a three-way, multimaster configuration for load balancing and redundancy.

On top of that, these two AIX systems are *production* systems. We do not have any test AIX systems. So, if this can be done, it has to be done right the first time.

I've downloaded and read Yantian Tom Lu's "Configuring an AIX Client System for User Authentication and Management through LDAP", but it still doesn't completely explain how to do this to my satisfaction. I'm still probably going to open a case with IBM, but I fear the "IBM: 'It's Sun's problem'" / "Sun: 'It's IBM's problem'" will come into play, particularly since Sun and IBM are acting like children in the sandbox right now.

Is there anyone who has AIX systems authenticating users against a Sun ONE/Java Directory Server who can give me some assistance or guidance on this? Anyone? Anyone? Bueller?

-- John
John_B <spam.blows.and@spammers.suck.com> wrote in news:POqdnbaXj7hAw8DfRVn-jw@giganews.com:

> I'm still probably going to open a case with IBM, but I fear the
> "IBM:'It's Sun's problem'"/"Sun: 'It's IBM's problem'" will come into
> play, particularly since Sun and IBM are acting like children in the
> sandbox right now.

LDAP is LDAP. Unless IBM can point to a reference of something broken in SUN's LDAP, they'll have to tell you:

1. How to configure the AIX as an LDAP client.
2. What LDIF to load.

Note that you can keep operating the whole system with standalone authentication and test the LDAP functions on new users until you have confidence that you'll get it right.

Things to look for:

1. Install the latest LDAP fixes and the latest ML.
2. 5.2 has an LDIF different from 5.1.
3. Create a test user with "mkuser -R LDAP username".
4. Back up /etc/security before you do the switch so that a restore is quick.
5. Test TWO mksysbs before the switch. (Test that you can read the whole tape (i.e. the 4 files) and test that you can boot from it).

--
Doing AIX support was the most monty-pythonesque activity available at the time.
Eagerly awaiting my thin chocolate mint.
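Item 4 of the checklist above (back up /etc/security so a restore is quick) and the spirit of item 5 (prove the backup can actually be read back before you rely on it), as an added Python example that is not code from the thread: it snapshots a directory into a tarball, records a SHA-256 per file while doing so, then re-reads every member of the finished archive and compares it against that manifest. Paths are parameters; `run_demo()` builds a constructed miniature of /etc/security in a temporary directory rather than touching the real one, and the stanza contents it writes are made up for the example.

```python
"""Snapshot a directory (e.g. /etc/security before switching AIX to LDAP
authentication) into a tar archive and prove the archive can be read back.

A backup is only worth having if it restores, so after writing the tarball
the routine re-reads every member and compares its SHA-256 with the digest
taken from the live tree.  Added example; not code from the thread.
"""
import hashlib
import os
import tarfile
import tempfile
import time


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_dir(src_dir, dest_dir, label="security"):
    """Create <dest_dir>/<label>-<timestamp>.tar.gz from src_dir.

    Returns (archive_path, manifest); manifest maps each regular file's path
    relative to src_dir to its SHA-256 digest taken from the live file.
    """
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(dest_dir, f"{label}-{stamp}.tar.gz")
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for fn in files:
                full = os.path.join(root, fn)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = _sha256_file(full)
                tar.add(full, arcname=rel)
    # A copy of the credential store must not be readable by other users.
    os.chmod(archive, 0o600)
    return archive, manifest


def verify_snapshot(archive, manifest):
    """Re-read every member of the archive and compare with the manifest.

    Returns a list of problems; an empty list means the archive restores cleanly.
    """
    problems = []
    seen = set()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            expected = manifest.get(member.name)
            if expected is None:
                problems.append(f"unexpected member {member.name}")
                continue
            data = tar.extractfile(member).read()
            if hashlib.sha256(data).hexdigest() != expected:
                problems.append(f"digest mismatch for {member.name}")
    for rel in manifest:
        if rel not in seen:
            problems.append(f"missing member {rel}")
    return problems


def run_demo():
    """Build a constructed miniature of /etc/security in a temp dir, snapshot
    and verify it, then show that a mismatching manifest entry is detected.

    Returns (sorted manifest keys, problems for the clean check,
    problems for the tampered check).
    """
    work = tempfile.mkdtemp(prefix="secbak-")
    src = os.path.join(work, "security")
    os.makedirs(os.path.join(src, "sub"))
    # Constructed stanza-file contents in AIX /etc/security style (not real data).
    with open(os.path.join(src, "passwd"), "w") as f:
        f.write("root:\n\tpassword = !\n")
    with open(os.path.join(src, "sub", "user"), "w") as f:
        f.write("default:\n\tadmin = false\n")
    dest = os.path.join(work, "backups")
    os.makedirs(dest)
    archive, manifest = snapshot_dir(src, dest)
    clean = verify_snapshot(archive, manifest)
    tampered = dict(manifest)
    tampered["passwd"] = "0" * 64      # simulate a file that changed after backup
    return sorted(manifest), clean, verify_snapshot(archive, tampered)


if __name__ == "__main__":
    keys, clean, tampered = run_demo()
    print("files:", keys)
    print("clean check:", clean or "OK")
    print("tampered check:", tampered)
```

The verification step is the part worth keeping: on a real system you would run `snapshot_dir("/etc/security", "/var/backups")` and refuse to proceed with `mksecldap` until `verify_snapshot` returns an empty list, which is the same discipline as reading the mksysb tape back before trusting it.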
Jose Pina Coelho <eresquigal@netcabo.pt> wrote:

> John_B <spam.blows.and@spammers.suck.com> wrote in
> news:POqdnbaXj7hAw8DfRVn-jw@giganews.com:

[snip] getting AIX client to authenticate against SunONE/Java Directory Server

Yes, I have a 4-way multi-master config of SunONE Directory Server 5.2 with Solaris 8, 9, 10 (still issues) and AIX 4.3 and 5.2 authenticating against them. I've already answered quite a few questions on this group and comp.unix.solaris and comp.sys.sun.admin. Please send Google Groups' search engine into these groups with "authenticate LDAP" and you'll find some posts. Feel free to mail me if you have any additional questions!

HTH,
Erik
Hi,

You can configure the AIX LDAP client (secldapclntd) with the mksecldap -c command. mksecldap automatically recognizes the schema used by the LDAP server. The supported schemas are aix (AIX account, supported in AIX 4.3/5.1), rfc2307 (posix account) and rfc2307aix (rfc2307 compliant with full AIX support, AIX 5.2/5.3). AIX 4.3/5.1 LDAP clients do not talk to servers using rfc2307/rfc2307aix schemas. Manual changes need to be made to the schema map files in /usr/security/ldap/*.map if your LDAP server is using a schema different from those shipped with AIX.

The mksecldap script is surprisingly buggy (IMHO); AFAIK at least one bug is still not fixed in AIX 5.3 ML01, but it works well for client config.

FYI: there are also some problems with lsuser (surprise!) and pwdadm on AIX 5.2/5.3: lsuser (-R LDAP) does not show some attributes (account_locked, unsuccessful_login_count, and some others) under a non-root account that is a member of the security group, and pwdadm does not work at all with the LDAP load module. IBM is working on it; the workaround is sudo so far.

The above is tested with ITDS 5.2, so I can not tell you much about the SUN/ONE side so far, but probably I will in the next couple of months :-)

Useful links:
http://www-1.ibm.com/servers/aix/whi...dap_server.pdf
http://publib16.boulder.ibm.com/doc_...ploitation.htm
http://publib-b.boulder.ibm.com/Redb...0123.html?Open
http://publib16.boulder.ibm.com/doc_.../mksecldap.htm
http://www-1.ibm.com/support/docview...1pTechnote1204

regards,
Alex
Thanks to everyone who replied. I'll see what I can do based on what you've told me, but I'm still really wary about doing anything like this on production systems.

Is AIX proprietary to IBM hardware? Can it be run on regular x86 hardware or is there a separate x86 version, like with Solaris? We have plenty of spare PCs around. We just don't have any IBM servers available to play with.

-- John
John_B wrote:

> Thanks to everyone who replied. I'll see what I can do based on what
> you've told me, but I'm still really wary about doing anything like
> this on production systems.
>
> Is AIX proprietary to IBM hardware? Can it be run on regular x86
> hardware or is there a separate x86 version, like with Solaris? We
> have plenty of spare PCs around. We just don't have any IBM servers
> available to play with.

If you can, try to procure at least 1 or 2 AIX systems for testing and development. 43P models are fairly cheap, and easy to get ahold of from EBAY. Even though they may not do LPARs (not sure), it's easy to just load a fresh OS on a non-production server if needed.
Greg Beeker wrote:

> If you can, try to procure at least 1 or 2 AIX systems for testing and
> development. 43P models are fairly cheap, and easy to get ahold of from
> EBAY. Even though they may not do LPARs (not sure), it's easy to just
> load a fresh OS on a non-production server if needed.

Actually, I thought about that after I had posted (and after I had read that the only version of AIX for Intel was version 1.something). Our parent company has a lot of IBM hardware, so we should be able to get something from them. I don't need anything special - just a box that can run AIX 5.1.
John_B <spam.blows.and@spammers.suck.com> wrote:

> Greg Beeker wrote:
>
>> If you can, try to procure at least 1 or 2 AIX systems for testing and
>> development. 43P models are fairly cheap, and easy to get ahold of from
>> EBAY. Even though they may not do LPARs (not sure), it's easy to just
>> load a fresh OS on a non-production server if needed.
>
> Actually, I thought about that after I had posted (and after I had read
> that the only version of AIX for Intel was version 1.something). Our
> parent company has a lot of IBM hardware, so we should be able to get
> something from them. I don't need anything special - just a box that
> can run AIX 5.1.

Ouch, AIX 5.1 does not have CSSM (Configurable S? Schema Management), so it is not rfc2307bis compliant. We have AIX 4.3 and AIX 5.2 connected to SunONE Directory Server 5.2, but not 5.1. It's not standard in our datacentre, and the few 5.1 systems will be migrated to 5.2 soon.

In 5.2 you can choose between the "traditional AIX schema", rfc2307b or "rfc2307b + aix extensions". Below that you're restricted to the traditional AIX schema IBM invented. At least with the native LDAP client you are. With PADL's or so it's a different story. But we use the native LDAP client. It has some peculiarities that cost us several months of digging to get it working.

How to get it working with IBM's Directory Server is quite well documented in white-papers on IBM's site. Their directory server however does certain things in a different way than SunONE Directory Server, like always using lowercase for the attribute names (not values), while SunONE Directory Server spells the attribute name the way you have spelled it in your LDAPsearch request (if available), or the way it's spelled in the schema definition. Alas, the AIX 4.3 native LDAP client depends on this, and thus does not recognize userPassword={CRYPT}xxxxyyyxzz as a valid password attribute, while it does recognize userpassword={CRYPT}xxxxyyyxzz. Just change the schema definition of SunONE Directory Server to lowercase and AIX 4.3 works. We haven't tested this on 5.1 though because they will be migrated anyway.

Also you cannot update the password from AIX 4.3 to SunONE Directory Server because AIX 4.3 CRYPT's the password, but does _not_ prefix it with {CRYPT}, causing SunONE Directory Server to encrypt it again with its default encryption algorithm..... ;-(

Also AIX 4.3 is not flexible in its tree layout. We solved this by making a separate tree-part for AIX 4.3, and syncing the users' attributes (including userpassword) from our ou=People container to the ou=aixuser,cn=aixsecdb,ou=... container with SunONE Directory Server's Class of Service feature. Works like a charm!

If you need more info, please don't hesitate to contact me.

HTH,
Erik
news@elaan.dds.nl wrote:

> Ouch, AIX 5.1 does not have CSSM (Configurable S? Schema Management) so
> it is not rfc2307bis compliant.

Whoops. That was fat-fingering on my part. I meant 5.2. That's what our other AIX servers run.

> Also you cannot update the password from AIX 4.3 to SunONE Directory
> Server because AIX 4.3 CRYPT's the password, but does _not_ prefix
> it with {CRYPT}, causing SunONE Directory Server to encrypt it again
> with it's default encryption algorithm..... ;-(.

Actually, we use a custom Perl script that does that already for a user maintenance tool that I created for our help desk. It creates the encrypted password, prepends {crypt} to it, and throws it into the user's Directory Server entry. I don't see any reason why it wouldn't work on AIX. Just create a symlink from passwd to such a script. The user wouldn't know any better.

> If you need more info, please don't hesitate to contact me.

Won't be doing anything until those in higher authority than me manage to get a test system from the parent company.
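The two pitfalls Erik describes (the AIX 4.3 client only matching the lowercase attribute name `userpassword`, and a bare crypt(3) hash being re-hashed by the server because it carries no `{CRYPT}` tag) and the prepend-the-tag step John's Perl script performs, as an added Python example that is not code from the thread or from either vendor. It parses LDIF, lowercases attribute names, tags untagged values that look like traditional DES crypt hashes with `{CRYPT}`, and flags values it cannot classify so they are not silently stored as cleartext and hashed again. `get_attr` shows the difference between a strict case-sensitive lookup (the AIX 4.3 behaviour described above) and a case-insensitive one. The sample LDIF, DN suffix and hash strings are constructed placeholders; the scheme-tag regex accepts any case of tag (`{CRYPT}` or `{crypt}`).

```python
"""Normalise LDIF user entries before loading them into a directory that
AIX clients will authenticate against.  Added example, not thread code.

  * attribute names are lowercased (the AIX 4.3 native client matched
    'userpassword' but not 'userPassword');
  * bare crypt(3) hashes in userPassword get a {CRYPT} prefix so the server
    stores them verbatim instead of hashing the hash again.
"""
import base64
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from this alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Any RFC 2307 style storage-scheme tag such as {CRYPT}, {crypt}, {SSHA}.
SCHEME_PREFIX_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, [(attr, value), ...]).

    Handles folded lines (leading space), comments, and base64 values
    written as 'attr:: <base64>'.
    """
    entries, lines = [], []
    for raw in text.splitlines() + [""]:          # trailing "" flushes last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # continuation of previous line
        elif raw.strip() == "":
            if lines:
                entries.append(_entry_from_lines(lines))
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries


def _entry_from_lines(lines):
    dn, attrs = None, []
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return dn, attrs


def normalize_entry(dn, attrs):
    """Return (normalized_attrs, warnings) for one entry."""
    out, warnings = [], []
    for name, value in attrs:
        lname = name.lower()                      # what the AIX 4.3 client expects
        if lname == "userpassword":
            if SCHEME_PREFIX_RE.match(value):
                pass                              # already tagged with a scheme
            elif DES_CRYPT_RE.match(value):
                value = "{CRYPT}" + value         # bare hash: tag so it is stored as-is
            else:
                warnings.append(f"{dn}: userPassword is neither tagged nor a "
                                "crypt(3) hash; server would treat it as cleartext")
        out.append((lname, value))
    return out, warnings


def normalize_ldif(text):
    """Normalise every entry in the LDIF text; returns (entries, warnings)."""
    entries, warnings = [], []
    for dn, attrs in parse_ldif(text):
        new_attrs, w = normalize_entry(dn, attrs)
        entries.append((dn, new_attrs))
        warnings.extend(w)
    return entries, warnings


def to_ldif(entries):
    """Serialise entries back to LDIF text."""
    lines = []
    for dn, attrs in entries:
        lines.append(f"dn: {dn}")
        lines.extend(f"{n}: {v}" for n, v in attrs)
        lines.append("")
    return "\n".join(lines)


def get_attr(attrs, name, case_sensitive=False):
    """Look up an attribute the way a strict (case-sensitive) client or a
    protocol-correct (case-insensitive) client would."""
    for n, v in attrs:
        if (n == name) if case_sensitive else (n.lower() == name.lower()):
            return v
    return None


# Constructed sample: mixed-case attribute names, one bare DES crypt hash and
# one already-tagged value.  The hash strings are placeholders, not credentials.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jdoe
userPassword: abJnggxhB/yWI

dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: asmith
userPassword: {SSHA}placeholderNotARealHash==
"""

if __name__ == "__main__":
    entries, warnings = normalize_ldif(SAMPLE_LDIF)
    print(to_ldif(entries))
    for w in warnings:
        print("WARNING:", w)
```

The warning branch is the defensive part: a value that is neither tagged nor shaped like a crypt hash is exactly what the server would happily accept as a cleartext password and hash with its default scheme, which is the silent failure Erik ran into; surfacing it before the load is cheaper than debugging logins that fail only from AIX.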