LDAP user authentication issue

Hello everyone, hoping you can provide some insight into a little problem I'm having.

I have the LDAP client configured and running on my AIX 5.3 server, which is authenticating against an eDirectory LDAP server. I can login via LDAP no problems on the AIX server with newly created users, however I can't get existing local AIX users switched over and logged in via LDAP.

I issue the following: chuser SYSTEM=LDAP registry=LDAP username and try to login in with that user via putty and get a message stating "server unexpectedly closed network connection".

However, if I first login with a local user, then su to the user via LDAP it authenticates successfully, so it appears there is something not right with just the initial login, ideas?

Is everything set for those users like loginshell, home directory etc?
Do those users have in /etc/security/user entries like

john:
    SYSTEM="LDAP"
    registry=LDAP

?
I don't know if the chuser adds the double quotes needed at the SYSTEM= variable. Iirc they are important.

I have set our server with the two variables up there in the default: stanza of the /etc/security/user so that only those accounts that should remain locally have something like

root:
    SYSTEM="files"
    registry=files

Also when changing local users to be LDAP users, you have to clear the following files of them:

/etc/passwd
/etc/group
/etc/security/passwd
/etc/security/group

And if uid and gid changes chown them accordingly in the filesystem.
Also remember not to mix local users and groups with LDAP users and groups. SMIT will have problems otherwise.

Thanks for the reply!

Yes, we have this set in LDAP for the users, and they will be using their existing home directories. When we su over to the LDAP user it shows them as being in their home directory.

Yes, once I switch the user via the chuser command those entries are made, including the double quotes.

Correct, ours is set up this way as well.

What do you mean by clear? Shouldn't AIX be able to maintain both accounts in the event LDAP fails? The idea is that their local accounts would be a backup means of authentication, so for example we may want to go with something like:

SYSTEM="LDAP or compat"

This will be something we will have to address once we get the users authenticated, we aren't sure how the ownership and permissions will translate.

You wrote that you switched with chuser the existing ones to SYSTEM="LDAP" and registry=LDAP. I am not sure what AIX does if it finds authentication data locally still of users that are supplied by LDAP.
If you want to keep them locally too, this should be possible with "LDAP or compat" I guess, though I did not try it out, but it should be noted in the Redbook "Implementing AIX into heterogeneous LDAP environments".

We have no backup users since the passwords will not be synchronized between LDAP and local users so that if something happens to our LDAP servers, they might have forgotten their old local passwords anyway.
Also some political thing prevents us from keeping them locally anyway.

Maybe try it out with 1 user that is local (save its entries in /etc/passwd, /etc/group, /etc/security/user, /etc/security/passwd so you can put them back again), remove his other local entries etc., so that it will become an LDAP-only user and see if this works. Otherwise there will be something wrong with the "or" thingy to try LDAP first, then fall back to compat. Maybe you can try "LDAP or files" too.

I was able to get the issue resolved after opening a PMR with IBM.

What's not documented in the Redbook is that in order to log in via SSH, both local and LDAP UIDs/GIDs must match exactly. SSH will check both local and LDAP user attributes if they exist in both places, regardless of registry. So after I changed the local UID and GID for the user to match LDAP I could log in. This is very inconvenient, as I also had to find all the orphaned files and reassign them via:

find / -user ### -exec chown <username>:<groupname> {} \;

Thanks for the help!
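The UID/GID mismatch described in the resolution above is easy to catch before switching a user's registry. The following script is an added example (not posted in the thread and not an IBM tool): it compares local passwd-format lines against the numeric ids LDAP supplies and previews the files still owned by the old UID, staying on one filesystem so the fix-up does not wander into NFS or /proc. Both data sets are constructed sample values; on a real system the local side is /etc/passwd and the LDAP side would come from the LDAP registry (e.g. lsuser -R LDAP).

```shell
#!/bin/sh
# Added example, not from the original thread.
# Local /etc/passwd-style lines (constructed sample data).
LOCAL_PASSWD='john:!:205:20:John Doe:/home/john:/usr/bin/ksh
jane:!:206:20:Jane Roe:/home/jane:/usr/bin/ksh'

# user:uid:gid as returned by the LDAP registry (constructed sample data;
# john was given different numeric ids in eDirectory than he has locally).
LDAP_IDS='john:1205:1020
jane:206:20'

# report_mismatches prints one line per user whose local uid:gid differs
# from the LDAP uid:gid. Returns 0 if everything matches, 1 otherwise,
# so it can gate a migration script before chuser is run.
report_mismatches() {
    rc=0
    while IFS=: read -r user pw uid gid rest; do
        [ -z "$user" ] && continue
        ldap=$(printf '%s\n' "$LDAP_IDS" | awk -F: -v u="$user" '$1==u {print $2 ":" $3}')
        [ -z "$ldap" ] && continue          # not an LDAP user: nothing to compare
        if [ "$uid:$gid" != "$ldap" ]; then
            printf '%s local=%s ldap=%s\n' "$user" "$uid:$gid" "$ldap"
            rc=1
        fi
    done <<EOF
$LOCAL_PASSWD
EOF
    return $rc
}

# list_orphans prints files under directory $1 still owned by numeric uid $2.
# -xdev keeps find on a single filesystem; review the list before feeding it
# to chown rather than running a bare "find / -exec chown" over everything.
list_orphans() {
    find "$1" -xdev -user "$2" -print 2>/dev/null
}

# Stand-alone run: report mismatches, then preview orphans for john's old uid.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    report_mismatches
    echo "Files still owned by uid 205 under /home (preview only):"
    list_orphans /home 205
fi
```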