This is a discussion on LDAP client on 5.2 within the AIX Operating System forums, part of the Unix Operating Systems category.
Hi. Always me!

It's been months trying to use AIX as a client of our OpenLDAP servers without any luck. Let me explain how my infrastructure works:

We have kerberos 5 on linux for authentication, openldap on linux for user information (gecos, home dir, login shell...), openafs as a distributed file system (don't bother about it).

Under linux, I just use openldap client and nss_ldap mapping uid, gid, homedir and so on. Works like a charm on all 5 distros we use. It also works under macosx, flawlessly. LDAP does NOT contain passwords, since I use kerberos. And everything just works on these platforms.

AIX is the bad guy.

Note this:

- I can kinit, kadmin in AIX, so krb5.conf and keytab are ok.
- I can do ldapsearch -h HOST, *not* ldapsearch alone, since it still contacts *localhost*! even if in /etc/security/ldap/ldap.cfg I set the correct names.
- In /etc/security/user:

      SYSTEM = "KRB5LDAP"
      registry = "KRB5LDAP"    (tried with LDAP also, but it doesn't work)

- In /lib/security/methods.cfg:

      LDAP:
          program = /lib/security/LDAP
      KRB5LDAP:
          program = /lib/security/KRB5A
          options = authonly,db=LDAP,kadmind=no

Has anyone got aix working as a client of openldap? If so how? If I can't use aix ldap, has anyone got openldap work as a client on aix? And how to use an nsswitch in aix?

--
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB>

The difference between stupidity and genius is that genius has its limits.
Albert Einstein
Sensei wrote:

> Hi. Always me!
>
> It's been months trying to use AIX as a client of our OpenLDAP servers
> without any luck. Let me explain how my infrastructure works:
>
> We have kerberos 5 on linux for authentication, openldap on linux for
> user information (gecos, home dir, login shell...), openafs as a
> distributed file system (don't bother about it).
>
> Under linux, I just use openldap client and nss_ldap mapping uid, gid,
> homedir and so on. Works like a charm on all 5 distros we use. It also
> works under macosx, flawlessly. LDAP does NOT contain passwords, since I
> use kerberos. And everything just works on these platforms.
>
> AIX is the bad guy.
>
> Note this:
> - I can kinit, kadmin in AIX, so krb5.conf and keytab are ok.
> - I can do ldapsearch -h HOST, *not* ldapsearch alone, since it still
>   contacts *localhost*! even if in /etc/security/ldap/ldap.cfg I set the
>   correct names.
> - In /etc/security/user:
>       SYSTEM = "KRB5LDAP"
>       registry = "KRB5LDAP" (tried with LDAP also, but it doesn't work)
> - In /lib/security/methods.cfg:
>       LDAP:
>           program = /lib/security/LDAP
>       KRB5LDAP:
>           program = /lib/security/KRB5A
>           options = authonly,db=LDAP,kadmind=no
>
> Has anyone got aix working as a client of openldap? If so how? If I
> can't use aix ldap, has anyone got openldap work as a client on aix? And
> how to use an nsswitch in aix?

I don't have access to an AIX environment, so if the below are incorrect please treat them as rubbish.

Some time back I had tried Kerberos (pw) and LDAP (uid) with success on Solaris and RedHat; nowadays I have given up using Kerberos as I think simple bind+TLS is good and simple enough. Another reason is Kerberos pw is not in CRYPT format, so migration of pw is not possible.
The OpenLDAP LDAP Server should have been compiled with SASL/GSSAPI support and its slapd.conf should have lines something like:

    sasl-secprops noanonymous,noplain,noactive
    saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=People,dc=example,dc=com
    access to *
        by dn="uid=[^/]+/admin,cn=GSSAPI,cn=auth" write
        by * read

The above are taken from: http://ofb.net/~jheiss/krbldap/howto.html

I also suggest you do not use the IBM native ldap client, i.e. forget about the /etc/security/... and /lib/security/... config files; use PADL's library and config files (/etc/ldap.conf and /etc/pam.conf) instead. Download and compile nss_ldap and pam_ldap (use AIX 5L 5.2 as it has full PAM support). Configure nss_ldap and pam_ldap, something like:

    CC=gcc MAKE=gmake LDFLAGS="-L/opt/freeware/lib" LIBS=-lc \
    CPPFLAGS="-I/opt/freeware/include -D_LINUX_SOURCE_COMPAT -DPAM_EXTERN=" \
    ../configure --with-ldap-lib=openldap \
        --with-ldap-conf-file=/etc/ldap.conf \
        --enable-configurable-krb5-ccname-env \
        --enable-configurable-krb5-ccname-gssapi

After the Makefile is generated, modify it:

- Add -L/opt/freeware/lib to the definition of pam_ldap_so_LDFLAGS
- Change all occurrences of -g root to -g system
- Copy exports.linux to exports.aix

The above are taken from: http://www.redbooks.ibm.com/redbooks/pdfs/sg246622.pdf

You must modify the OpenLDAP slapd start script to pass the "ldap" service Kerberos keytab file, prior to running slapd.

===
# IMPORTANT: if you intend to use Kerberos for password authentication
# and LDAP for user id name service lookup, pls customize next line
KRB5_KTNAME="/etc/openldap/ldap.keytab"; export KRB5_KTNAME
===

The ldap service must be defined in the KDC (assuming the LDAP Server and Kerberos Server are on the same host):

    kadmin:
    * addprinc -randkey ldap/hostname
    * ktadd -k /etc/openldap/ldap.keytab ldap/hostname

If you use OpenSSH, a "host/hostname" service principal is needed; I think AFS may also need one such, "afs/hostname"?
Read: http://www.bayour.com/LDAPv3-HOWTO.html (Kerberos+LDAP+OpenAFS)

Assuming krb5.conf on the client is set, you must compile a Kerberized version of OpenSSH so that you could test a simple login like:

    $ ssh -v gtay@sshclient
    $ klist -e

(id taken from /etc/nsswitch.conf and /etc/ldap.conf, pw taken from Kerberos)

Sample OpenSSH config step:

    # ./configure --with-pam \
        --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-kerberos5=/usr/local

Sample sshd_config:

    KerberosAuthentication yes
    UsePAM yes

Sample /etc/pam.conf:

    login    auth      sufficient  pam_krb5.so.1
    login    auth      required    pam_unix.so.1 try_first_pass
    other    auth      sufficient  pam_krb5.so.1
    other    auth      required    pam_unix.so.1 try_first_pass
    other    account   sufficient  pam_krb5.so.1
    other    account   required    pam_unix.so.1
    other    session   sufficient  pam_krb5.so.1
    other    session   required    pam_unix.so.1
    other    password  sufficient  pam_krb5.so.1
    other    password  required    pam_unix.so.1 try_first_pass

Gary
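The two slapd.conf lines Gary quotes (the saslRegexp mapping and the `access to *` rule) work together: the `[^/]*` in the mapping means only a plain principal is rewritten to an ou=People entry, while a principal with an instance such as `gtay/admin` is left as its SASL authentication DN, which is exactly what the `by dn="uid=[^/]+/admin,..."` clause grants write access to. The following Python simulation is added here to show that interaction; it is not OpenLDAP code and was not posted in the thread. It assumes the realm has already been stripped from the principal, that both expressions are matched against the whole identity string, and that the `by dn=` clause is matched as a regular expression.

```python
import re

# Constructed for this thread from the two slapd.conf lines quoted in the
# reply; a simulation of how the rules interact, not slapd's own code.
SASL_REGEXPS = [
    # saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth  uid=$1,ou=People,dc=example,dc=com
    (re.compile(r"uid=([^/]*),cn=GSSAPI,cn=auth"),
     r"uid=\1,ou=People,dc=example,dc=com"),
]
# access to *  by dn="uid=[^/]+/admin,cn=GSSAPI,cn=auth" write  by * read
ACL_WRITE_DN = re.compile(r"uid=[^/]+/admin,cn=GSSAPI,cn=auth")


def authc_dn(principal: str) -> str:
    """Authentication DN slapd derives from a GSSAPI bind (realm assumed stripped)."""
    if "@" in principal:
        principal = principal.split("@", 1)[0]
    return f"uid={principal},cn=GSSAPI,cn=auth"


def authz_dn(dn: str) -> str:
    """Apply the saslRegexp rules; first full match wins, otherwise the DN is kept."""
    for pattern, replacement in SASL_REGEXPS:
        m = pattern.fullmatch(dn)
        if m:
            return m.expand(replacement)
    return dn


def access_for(bound_dn: str) -> str:
    """Which `by` clause of `access to *` applies to this bound DN."""
    if ACL_WRITE_DN.fullmatch(bound_dn):
        return "write"
    return "read"          # `by * read` is the catch-all


def bind(principal: str) -> tuple:
    """(authorization DN, access level) for a Kerberos principal."""
    dn = authz_dn(authc_dn(principal))
    return dn, access_for(dn)


if __name__ == "__main__":
    for p in ("gtay@EXAMPLE.COM", "gtay/admin@EXAMPLE.COM",
              "ldap/ldap.example.com@EXAMPLE.COM"):
        print(p, "->", bind(p))
```

Note the third case: the `ldap/hostname` service principal contains a slash, so it is neither mapped to a People entry nor matched by the admin clause, and ends up read-only.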
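The sample /etc/pam.conf above relies on the order of the `sufficient` and `required` lines and on the `other` service as a fallback. The Python below is an added example (not PAM code, not from the thread) that parses that Solaris/AIX-style layout and evaluates a stack under the classic control-flag semantics, so you can check what a given configuration decides before putting it on a box. The sample configuration is the one Gary posted, embedded inline; the module results are constructed inputs.

```python
# Constructed for this thread: parser and evaluator for the
# "service type control module [options]" layout of /etc/pam.conf.
# Models the four classic control flags and the fallback to "other".

SAMPLE_PAM_CONF = """\
login auth sufficient pam_krb5.so.1
login auth required pam_unix.so.1 try_first_pass
other auth sufficient pam_krb5.so.1
other auth required pam_unix.so.1 try_first_pass
other account sufficient pam_krb5.so.1
other account required pam_unix.so.1
other session sufficient pam_krb5.so.1
other session required pam_unix.so.1
other password sufficient pam_krb5.so.1
other password required pam_unix.so.1 try_first_pass
"""

CONTROLS = {"required", "requisite", "sufficient", "optional"}


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options), ...]} in file order."""
    stacks = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 'service type control module'")
        service, mtype, control, module = fields[:4]
        control = control.lower()
        if control not in CONTROLS:
            raise ValueError(f"line {lineno}: unknown control flag {control!r}")
        stacks.setdefault((service, mtype), []).append((control, module, fields[4:]))
    return stacks


def stack_for(stacks, service, mtype):
    """Service-specific stack if present, else the 'other' stack, else empty."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype)) or []


def evaluate(stacks, service, mtype, results):
    """Walk the stack with the classic control-flag semantics.

    results maps module name -> True (success) / False. A module with no
    entry counts as failed, as PAM does for a module it cannot load.
    Returns True if the service/type would be granted.
    """
    stack = stack_for(stacks, service, mtype)
    if not stack:
        return False                  # nothing configured: deny
    failed = False
    for control, module, _opts in stack:
        ok = results.get(module, False)
        if control == "required":     # failure remembered, stack continues
            failed = failed or not ok
        elif control == "requisite":  # failure ends the stack at once
            if not ok:
                return False
        elif control == "sufficient": # success ends the stack, unless a
            if ok and not failed:     # required module already failed
                return True
        elif control == "optional":   # decisive only when it is the whole stack
            if len(stack) == 1:
                return ok
    return not failed


if __name__ == "__main__":
    s = parse_pam_conf(SAMPLE_PAM_CONF)
    print("krb5 ok, unix fails ->", evaluate(s, "login", "auth",
          {"pam_krb5.so.1": True, "pam_unix.so.1": False}))
    print("both fail          ->", evaluate(s, "login", "auth",
          {"pam_krb5.so.1": False, "pam_unix.so.1": False}))
```

With Gary's ordering, a Kerberos success short-circuits the stack and a Kerberos failure falls through to pam_unix; if the two lines were swapped, a pam_unix failure would already be recorded when pam_krb5 succeeds and the `sufficient` line could no longer rescue the login.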