AIX LDAP client authenticate against Linux Openldap server over TLS/SSL

Hi folks,

How can I configure an AIX LDAP client to authenticate against a Linux OpenLDAP server over TLS/SSL?

It works like a charm without TLS/SSL.

I would like to have SSL-encrypted communication for LDAP (secldapclntd) and ldapsearch etc. while accepting every kind of certificate/CA.

Thanks in advance.

What exactly is the problem? I never did it with OpenLDAP, but did it with IBM Tivoli Directory Server and don't remember any problems with SSL.

On AIX side you must install crypto packages for LDAP and GSKit. Then you create a key file:

gsk7cmd -keydb -create -db /path/to/key.kdb -pw SOMEPASSWORD

and add your server certificate to the file:

gsk7cmd -cert -add -db /path/to/key.kdb -pw SOMEPASSWORD -label CertName -file /path/to/certificate.der -format binary

There are also extra filesets (client) if I recall correctly - for the SSL support.
No time to look into this this week - but if a hard answer stays outstanding I shall research in more detail.

Which client version, e.g., 6.2, 6.3, 6.3.1?

From my OpenLDAP server (Suse12) I have generated 3 files (.key, .csr, .crt) with the openssl command, files that I copy to the Linux client side. Then I just need to configure the /etc/ldap.conf file. No more.

Can I use the same 3 files from my OpenLDAP server (.key, .csr, .crt) and put them on the AIX client side?


Hi MichaelFelt,

oslevel of my AIX clients:
7100-03-04-1441

As agent.kgb says, the filesets are:

idsldap.clt_max_crypto32bit62.rte
idsldap.clt_max_crypto64bit62.rte

GSKit8.gskcrypt32.ppc.rte
GSKit8.gskcrypt64.ppc.rte
GSKit8.gskssl32.ppc.rte
GSKit8.gskssl64.ppc.rte

Read this article about GSKit - Managing certificates with IBM GSKit

You have to convert your OpenSSL certificate to a format which GSKit understands.

openssl pkcs12 -export -in host.mycompany.com.crt -inkey host.mycompany.com.key -out host.mycompany.com.p12 -name "CA signed"


gsk8capicmd -cert -import -db host.mycompany.com.p12 -pw abc -target server.kdb

The final command after creating the key.db and importing the ldap-server certificate should be:

mksecldap -c \
          -h <ldap-server>,<ldap-server-backup> \
          -a <admin-dn> \
          -p <admin-password> \
          -d <base-dn> \
          -M OS \
          -D LDAP \
          -A ldap_auth \
          -n 636 \
          -k </path/to/key.kdb> \
          -w <SOMEPASSWRD>

Regards
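Putting the steps from this thread together as one script, as an added example that is not code from any of the posters: create the GSKit key database, load the certificate the client should trust, run mksecldap for port 636, and verify with the IBM ldapsearch client. The assumptions are mine, not from the thread: the GSKit 8 64-bit command is gsk8capicmd_64, the OpenLDAP server's issuing CA certificate has been copied to the client in PEM form as /tmp/ldap-ca.pem, the key database lives under /etc/security/ldap/, and the host names and DNs are placeholders. Note that the client only needs the CA certificate (or the server's own certificate) as a trusted signer in the .kdb; the server's private .key file stays on the server and should never be copied to clients, and GSKit validates the server certificate against that trusted signer, so the certificate you load is what decides which servers the client will talk to.

```shell
#!/bin/sh
# Added example: AIX 7.1 LDAP client over ldaps (port 636) against OpenLDAP.
# Assumed (not from the thread): gsk8capicmd_64 is the GSKit 8 CLI, the CA
# cert is /tmp/ldap-ca.pem, the kdb is /etc/security/ldap/ldap.kdb, and the
# host names / DNs below are placeholders to be replaced.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them.
set -eu

DRY_RUN=${DRY_RUN:-1}
CA_PEM=${CA_PEM:-/tmp/ldap-ca.pem}
KDB=${KDB:-/etc/security/ldap/ldap.kdb}
KDB_PW=${KDB_PW:-ChangeThisKeyDbPassword}
LDAP_HOSTS=${LDAP_HOSTS:-ldap1.example.com,ldap2.example.com}
BIND_DN=${BIND_DN:-cn=aixproxy,dc=example,dc=com}
BIND_PW=${BIND_PW:-ChangeThisBindPassword}
BASE_DN=${BASE_DN:-dc=example,dc=com}
LDAPS_PORT=636

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: create a CMS key database. -stash writes ldap.sth next to the kdb so
# secldapclntd can open the database at boot without prompting for a password.
create_keydb() {
    run gsk8capicmd_64 -keydb -create -db "$KDB" -pw "$KDB_PW" -type cms -stash
}

# Step 2: add the CA certificate (PEM, hence -format ascii) as a trusted
# signer. No private key is imported on the client side.
add_ca_cert() {
    run gsk8capicmd_64 -cert -add -db "$KDB" -pw "$KDB_PW" \
        -label openldap-ca -file "$CA_PEM" -format ascii
}

# Step 3: configure the client: LDAP-side authentication, OS search mode,
# LDAP as default entry location, ldaps on 636 with the kdb just built.
configure_client() {
    run mksecldap -c -h "$LDAP_HOSTS" -a "$BIND_DN" -p "$BIND_PW" \
        -d "$BASE_DN" -M OS -D LDAP -A ldap_auth \
        -n "$LDAPS_PORT" -k "$KDB" -w "$KDB_PW"
}

# Step 4: prove the TLS path works independently of secldapclntd, using the
# IBM Tivoli ldapsearch client (-Z = use SSL, -K/-P = key database and its
# password). A base-scope search of the suffix is enough.
verify_tls() {
    first_host=${LDAP_HOSTS%%,*}
    run ldapsearch -Z -K "$KDB" -P "$KDB_PW" -h "$first_host" -p "$LDAPS_PORT" \
        -b "$BASE_DN" -s base "objectclass=*"
}

main() {
    create_keydb
    add_ca_cert
    configure_client
    verify_tls
}

main "$@"
```

Run it once as `sh ldaps-client.sh` to review the planned commands, then with `DRY_RUN=0` as root to apply them; afterwards `ls-secldapclntd` should report the SSL key path and port 636.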

I worked on a set of scripts to automate, read simplify, the installation of idsldap63 (i.e., version 6.3, NOT 6.3.1) filesets.

I never tested them with idsldap version 6.2 but I expect they should work.

FYI: version 6.3.0.X is the version that was supplied with AIX 7.1 on the initial expansion disk. About two years ago idsldap was moved to the IBM Security group (from Tivoli) and they started a new numbering scheme, and naming scheme. I was not able to get my scripts to work with the "Try and Buy" version they posted - then.

Anyway, if you want to look at my scripts you will need to "install" them. They include some scripts for generating keys for a client (as well as for a server).

See idsldap - AIXTOOLS for more info.

Not promising anything - but I hope it helps!