We already have a Microsoft Active Directory (LDAP) server and would like to integrate my client AIX LPAR with this LDAP server, so that we can directly use Active Directory credentials to log in (instead of creating users on AIX).
From my AIX LPAR:
lslpp -L | grep -i ldap
idsldap.clt32bit62.rte 6.2.0.16 C F Directory Server - 32 bit
idsldap.clt64bit62.rte 6.2.0.16 C F Directory Server - 64 bit
idsldap.cltbase62.adt 6.2.0.16 C F Directory Server - Base Client
idsldap.cltbase62.rte 6.2.0.16 C F Directory Server - Base Client
idsldap.cltjava62.rte 6.2.0.16 C F Directory Server - Java Client
idsldap.ent62.rte 6.2.0.3 C F Directory Server - Entitlement
idsldap.msg62.en_US 6.2.0.16 C F Directory Server - Messages -
idsldap.srvbase64bit62.rte
idsldap.srvproxy64bit62.rte
idsldap.webadmin62.rte 6.2.0.16 C F Directory Server - Web
Under /usr/lib/security:
ls -ltr LDAP*
-r--r--r-- 1 root security 116702 Sep 16 2013 LDAP64
-r--r--r-- 1 root security 109810 Sep 16 2013 LDAP
Could you help me understand, or give some quick and dirty steps, how to implement LDAP on AIX?
You need to install Kerberos (actually Kerberos 5), because the much-touted "Active Directory" is simply a kerberized LDAP server (dumbed down to the same level of usefulness you know from other M$ products).
Notice that several user properties you might need are missing in an AD and you are likely not able to get these: because there is no "home directory" property and no "default shell" (Windows users are homeless and suffer shelllessness), you might need to still create the users on your system using AIX methods and can only use the LDAP domain for the authentication (read: password checks). Use the "krb5" security method in the user definition for this.
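The "local user plus Kerberos password check" pattern described in the reply above, written out as an added example (not code from the thread): the /etc/security/user stanza that binds a locally created user to the KRB5files method, a check that catches a stanza which would still fall back to the local password hash, and the commands an admin would run on the LPAR. The KDC name, realm, DNS domain and user name are placeholders; the mkkrb5clnt option letters follow IBM's documented syntax but should be verified against the man page of your AIX level.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholder values below.
KDC="dc01.example.corp"      # placeholder: AD domain controller acting as KDC
REALM="EXAMPLE.CORP"         # placeholder: Kerberos realm (AD domain, upper case)
DNSDOMAIN="example.corp"     # placeholder: DNS domain of the AD forest

# Render the /etc/security/user stanza for a user whose identity (uid, home,
# shell) lives in local files but whose password is checked against Kerberos.
render_user_stanza() {
    printf '%s:\n\tSYSTEM = "KRB5files"\n\tregistry = KRB5files\n' "$1"
}

# A stanza passes only if it names the KRB5files method; anything else (for
# example SYSTEM = "compat") means AIX keeps checking /etc/security/passwd.
stanza_uses_krb5() {
    printf '%s\n' "$1" | grep -q 'SYSTEM = "KRB5files"'
}

# Commands as they would be run on the LPAR; echoed here, not executed.
configure_client() {
    # -K makes Kerberos the default auth scheme, -i files keeps user attributes
    # in local files so no AD schema extension is needed.
    echo "/usr/sbin/mkkrb5clnt -c $KDC -r $REALM -s $KDC -d $DNSDOMAIN -K -i files"
    # Create the local account in the KRB5files registry (home and shell stay local).
    echo "mkuser -R KRB5files home=/home/$1 shell=/usr/bin/ksh $1"
    # Confirm the ticket flow works before switching real logins over.
    echo "/usr/krb5/bin/kinit $1@$REALM && /usr/krb5/bin/klist"
}

# Stand-alone run: show the stanza and the command sequence for one user.
render_user_stanza adtestuser
configure_client adtestuser
```

After mkkrb5clnt has run, the stanza can be appended to /etc/security/user (or set with chuser -R KRB5files) for each user; a first login test with klist confirms that the TGT is issued by the domain controller and not satisfied locally.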
Thanks for your response and valuable input. I'm going to install Kerberos 5 on a test LPAR. Do you have any quick steps handy for setting this up? (LDAP on AIX)
Anyway, I will try to search for online books/PDFs about this.
Notice that there was a Kerberos problem lately which was fixed by an efix. See this link and similar links for more detail and make sure you update to the latest level.
You might want to forego the efix if you operate from an internal network. Denial-of-Service type attacks are typically massively parallel and therefore unlikely to take place inside the LAN, so you could wait for a regular update. Deploying efixes is a nasty thing to do and you have to undeploy them before you can resume normal update routines.
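A small check that goes with "make sure you update to the latest level": the lslpp -L listing from the first post, embedded below as sample input, is scanned for filesets under a given prefix whose level is below a chosen minimum, with filesets that show no level column reported as unknown rather than skipped. This is an added example, not code from the thread; the minimum level is a placeholder, since which level counts as current comes from IBM's fix information, not from this page.

```shell
#!/bin/sh
# Added example, not from the original thread. Sample input is the lslpp -L
# output quoted in the first post; the two srv* lines carry no level column.
SAMPLE_LSLPP='idsldap.clt32bit62.rte 6.2.0.16 C F Directory Server - 32 bit
idsldap.clt64bit62.rte 6.2.0.16 C F Directory Server - 64 bit
idsldap.cltbase62.adt 6.2.0.16 C F Directory Server - Base Client
idsldap.cltbase62.rte 6.2.0.16 C F Directory Server - Base Client
idsldap.cltjava62.rte 6.2.0.16 C F Directory Server - Java Client
idsldap.ent62.rte 6.2.0.3 C F Directory Server - Entitlement
idsldap.msg62.en_US 6.2.0.16 C F Directory Server - Messages -
idsldap.srvbase64bit62.rte
idsldap.srvproxy64bit62.rte
idsldap.webadmin62.rte 6.2.0.16 C F Directory Server - Web'

# Numeric comparison of dotted fileset levels: returns 0 when $1 >= $2.
# Missing trailing components count as 0, so 6.2 equals 6.2.0.0.
level_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# Read lslpp -L style lines on stdin; print "fileset level" for every fileset
# starting with $1 that is below level $2, and "fileset unknown" when the
# level column is missing, so nothing is silently passed.
filesets_below() {
    prefix="$1"; min="$2"
    while read -r fileset level rest; do
        case "$fileset" in "$prefix"*) ;; *) continue ;; esac
        case "$level" in
            [0-9]*) level_ge "$level" "$min" || echo "$fileset $level" ;;
            *) echo "$fileset unknown" ;;
        esac
    done
}

# Convenience wrapper over the embedded sample: number of findings for a minimum.
count_below() {
    printf '%s\n' "$SAMPLE_LSLPP" | filesets_below idsldap. "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the sample with a placeholder minimum level.
printf '%s\n' "$SAMPLE_LSLPP" | filesets_below idsldap. 6.2.0.16
```

On a real LPAR the sample would be replaced by lslpp -L piped into filesets_below with the prefix of interest (krb5. for the Kerberos client filesets, for instance); efixes themselves do not show up in lslpp and are listed with emgr -l.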