How to integrate an AIX client LPAR to make use of an existing MS AD LDAP?

Hi All,

It's regarding LDAP in AIX.

We already have a Microsoft Active Directory (LDAP) server and would like to integrate my client AIX LPAR with this LDAP server, so that we can directly use Active Directory credentials to log in (instead of creating users on AIX).

From my AIX LPAR:

lslpp -L | grep -i ldap
  idsldap.clt32bit62.rte    6.2.0.16    C     F    Directory Server - 32 bit
  idsldap.clt64bit62.rte    6.2.0.16    C     F    Directory Server - 64 bit
  idsldap.cltbase62.adt     6.2.0.16    C     F    Directory Server - Base Client
  idsldap.cltbase62.rte     6.2.0.16    C     F    Directory Server - Base Client
  idsldap.cltjava62.rte     6.2.0.16    C     F    Directory Server - Java Client
  idsldap.ent62.rte          6.2.0.3    C     F    Directory Server - Entitlement
  idsldap.msg62.en_US       6.2.0.16    C     F    Directory Server - Messages -
  idsldap.srvbase64bit62.rte
  idsldap.srvproxy64bit62.rte
  idsldap.webadmin62.rte    6.2.0.16    C     F    Directory Server - Web


Under /usr/lib/security:
ls -ltr LDAP*
-r--r--r--    1 root     security     116702 Sep 16 2013  LDAP64
-r--r--r--    1 root     security     109810 Sep 16 2013  LDAP

Could you help me understand, or give me some quick and dirty steps, how to implement LDAP in AIX?

Please provide your response.

You need to install Kerberos (actually Kerberos 5), because the much-touted "Active Directory" is simply a kerberized LDAP server (dumbed down to the same level of usefulness you know from other M$ products).

Notice that several user properties you might need are missing in AD and you are likely not able to get these: because there is no "home directory" property and no "default shell" (Windows users are homeless and suffer from shell-lessness), you might still need to create the users on your system using AIX methods and can only use the LDAP domain for authentication (read: password checks). Use the "krb5" security method in the user definition for this.

I hope this helps.

bakunin

1 Like
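As an added illustration of the split bakunin describes (users defined locally on AIX, password checks delegated to the Kerberos KDC in AD), here is a small POSIX shell helper. It is not from the thread and not from IBM; the methods.cfg and /etc/security/user stanzas follow the shape the IBM AIX documentation uses for the KRB5A module (the loadable module for non-IBM KDCs such as Active Directory), and the lsuser output it audits is constructed sample data. Check the stanza details against the documentation for your AIX level before applying them with chuser.

```sh
#!/bin/sh
# Added example, not part of the original thread. Realm, KDC and user
# names are placeholders; the lsuser output below is constructed.

# Stanzas for /usr/lib/security/methods.cfg: KRB5A does Kerberos-only
# authentication ("authonly") against a non-IBM KDC, and KRB5Afiles
# pairs it with the local user database (db=BUILTIN).
# Caveat: tgt_verify=no skips verifying the TGT against a host keytab,
# so a spoofed KDC could accept any password. Set tgt_verify=yes once
# the LPAR has a host principal and keytab.
krb5a_methods_stanza() {
    cat <<'EOF'
KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
EOF
}

# Per-user stanza for /etc/security/user. The account itself stays in
# files (registry = files, so home/shell come from AIX); only the
# password check goes to Kerberos. With fallback=yes a local password
# is still accepted when the KDC is unreachable (SYSTEM = "KRB5A OR compat").
user_stanza() {
    user=$1
    fallback=${2:-no}
    if [ "$fallback" = yes ]; then
        sys='KRB5A OR compat'
    else
        sys='KRB5A'
    fi
    printf '%s:\n\tSYSTEM = "%s"\n\tregistry = files\n' "$user" "$sys"
}

# Audit: read `lsuser -f -a SYSTEM ALL` stanza output on stdin and print
# every user whose SYSTEM attribute does not include KRB5A, i.e. who is
# still authenticated against a local /etc/security/passwd entry.
users_without_krb5() {
    awk '
        /^[^ \t#].*:$/          { sub(/:$/, ""); u = $0; next }
        /^[ \t]+SYSTEM=/        { sub(/^[ \t]+SYSTEM=/, "")
                                  if ($0 !~ /KRB5A/) print u }
    '
}

# Constructed sample of `lsuser -f -a SYSTEM ALL` (not real output).
SAMPLE_LSUSER='root:
        SYSTEM=compat

jdoe:
        SYSTEM=KRB5A OR compat

asmith:
        SYSTEM=KRB5A

svc_backup:
        SYSTEM=compat
'

if [ "${0##*/}" = "krb5a_example.sh" ]; then
    krb5a_methods_stanza
    echo
    user_stanza jdoe yes
    echo
    echo "Users still on local passwords (sample data):"
    printf '%s\n' "$SAMPLE_LSUSER" | users_without_krb5
fi
```

After applying the stanzas on a real LPAR, `lsuser -a SYSTEM registry jdoe` should show the new SYSTEM value, and `kinit jdoe@YOUR.REALM` (placeholder realm) against the AD KDC confirms the Kerberos path works before you remove the `OR compat` fallback. Leave root on `compat` so you can still log in at the console if the KDC is down.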

@bakunin

Thanks for your response and valuable input. I'm going to install Kerberos 5 on a test LPAR. Do you have any quick steps handy for setting this up (LDAP on AIX)?

Anyway, I will try to search for online books/PDFs about this.

Thank you.

I found this one very helpful:
IBM Redbooks | Integrating AIX into Heterogeneous LDAP Environments

1 Like

Notice that there was a Kerberos problem recently which was fixed by an efix. See this link and similar links for more detail, and make sure you update to the latest level.

You might want to forgo the efix if you operate on an internal network. Denial-of-service type attacks are typically massively parallel and therefore unlikely to take place inside the LAN, so you could wait for a regular update. Deploying efixes is a nasty thing to do, and you have to undeploy them before you can resume normal update routines.

I hope this helps.

bakunin

1 Like