Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: UNIX authentication strategy - LDAP or AD
Operating Systems AIX UNIX authentication strategy - LDAP or AD Post 302779485 by MichaelFelt on Tuesday 12th of March 2013 05:39:54 PM
Old 03-12-2013
AIX has ldif additions to add into an AD server what it needs for full AIX support. However, I hear AD support may "stop" when you add any "foreign" ldif files. I also hear it is very difficult (read impossible) to back out a ldif extension.

The AIX client does not really care what LDAP server is supplying the answers to queries. But it does need much more than simple rfc2307 (basically that only supports the 7 user administration entries in /etc/passwd and /etc/group (with the encrypted password "shadowed" away).

So, the key thing to test/verify - does the LDAP server support multiple DIT domains (some shops use different domains for production and server to support different specifications of the authentications and privileges assigned to roles under RBAC. In other words, the role name is the same on all systems, but the "power" differs.

IMHO: is it very much worth the time and effort to get AIX system configuration configured behind LDAP services.

From /etc/security/ldap/ldap.cfg (client side)
Code:
# Base DN where the user and group data are stored in the LDAP server.
# e.g., if user foo's DN is: uid=foo,ou=people,cn=aixdata
# then the user base DN is: ou=people,cn=aixdata
#userbasedn:ou=people,cn=aixdata
#groupbasedn:ou=groups,cn=aixdata
#idbasedn:cn=aixid,ou=system,cn=aixdata
#hostbasedn:ou=hosts,cn=aixdata
#servicebasedn:ou=services,cn=aixdata
#protocolbasedn:ou=protocols,cn=aixdata
#networkbasedn:ou=networks,cn=aixdata
#netgroupbasedn:ou=netgroup,cn=aixdata
#rpcbasedn:ou=rpc,cn=aixdata
#automountbasedn:ou=automount,cn=aixdata
#aliasbasedn:ou=aliases,cn=aixdata
#bootparambasedn:ou=ethers,cn=aixdata
#etherbasedn:ou=ethers,cn=aixdata
#authbasedn:ou=authorizations,cn=aixdata
#rolebasedn:ou=roles,cn=aixdata
#privcmdbasedn:ou=privcmds,cn=aixdata
#privdevbasedn:ou=privdevs,cn=aixdata
#privfilebasedn:ou=privfiles,cn=aixdata
#domainbasedn:ou=domains,cn=aixdata
#domobjbasedn:ou=domobjs,cn=aixdata

The first two are what most people are thinking of initially, while AIX preferes the first three (the third brings the file /etc/security/.ids into LDAP simplyfying/ensuring unique userid generation).
In short, if your choice for an LDAP server is not going to support, or is difficult about supporting these many different domains - it is not suitable as an LDAP server for AIX.

Hope this helps!

p.s. regarding the Tivoli Directory Servers - they permit multiple versions installed and operating on a single AIX system (obviously using different ports).
AIX v4 client only knows about the AIX-only schema, so you will need a separate LDAP server for that - regardless of your choice. When you get to the point that you have everything bu AIXv4 under LDAP - try and contact me and I'll ask my LDAP SSO colleagues if they have suggestions.
This User Gave Thanks to MichaelFelt For This Post:
vs1
 

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Module for LDAP Authentication

Hello Everyone, I have enabled LDAP authentication on my Web script by adding the list of valid users in /etc/apach2/default-server.conf. However, I now want to retrieve the username of the person that logs in. How can I do that? Is there any such module? Regards, Harsha (0 Replies)
Discussion started by: garric
0 Replies

2. UNIX and Linux Applications

LDAP authentication question

Hello, I have a Linux box with RHEL4 running on it. The box is meant to be on the DMZ. There is a directory on the box that will be remotely from time to time and I want a form of authentication on it. Presently, I have configured Basic authentication with apache but the security is not tight. I... (1 Reply)
Discussion started by: bptronics
1 Replies

3. Linux

LDAP authentication question

Hello, I have a Linux box with RHEL4 running on it. The box is meant to be on the DMZ. There is a directory on the box that will be remotely from time to time and I want a form of authentication on it. Presently, I have configured Basic authentication with apache but the security is not tight. I... (1 Reply)
Discussion started by: bptronics
1 Replies

4. Cybersecurity

LDAP authentication question

Hello, I have a Linux box with RHEL4 running on it. The box is meant to be on the DMZ. There is a directory on the box that will be remotely from time to time and I want a form of authentication on it. Presently, I have configured Basic authentication with apache but the security is not tight. I... (1 Reply)
Discussion started by: bptronics
1 Replies

5. HP-UX

HpUx and ldap Authentication

Hi to all, i try to configure an HpUx 11.23 to use a Sun Directory Server to authenticate in system. In my ldap the users is posixAccount. I read in www that there is a sotware called LDAPUX but it use a profile, and it requires a change that i can't execute in my ldap because it is used also... (0 Replies)
Discussion started by: suuuper
0 Replies

6. Red Hat

CVS ldap authentication

I am trying to convert all my redhat servers over to ldap. I have solved almost all the probems but am having trouble getting cvs pserver to authenticate. I'm running redhat 4. Just patched everything the other day. cvs is cvs-1.11.17-9.1.el4_7.1. Any suggestions would be welcome. Obviously... (1 Reply)
Discussion started by: jhtrice
1 Replies

7. Solaris

LDAP authentication

Hi folks, i have opends 1.2 manually installed subversion 1.4.3 and apache2 updated by package manager. i want to access svn using LDAP authentication its giving an error: ldap_simple_bind_s() failed. what could be the problem. i wrote some text at the end of httpd.conf fpr ldap... (2 Replies)
Discussion started by: visu_buri
2 Replies

8. Solaris

Authentication with LDAP in opensolaris

Hi all, I have two virtual machines, one with Suse and another with opensolaris 2009.06. The ldap server is in the Suse machine. From my opensolaris, with command ldalist i can see the information about the ldap configuration, i mean, the dn: ou:.... if i type id <ldapuser> i can see the user... (0 Replies)
Discussion started by: checoturco
0 Replies

9. AIX

LDAP authentication

Hi, We are trying to use LDAP to authenticate the login from our application. Our application is installed on AIX 6.1 and LDAP server is on active directory windows 2003. We are getting the below error when we try to login. We have the required lib file in the path it is looking for. Any idea... (3 Replies)
Discussion started by: Nand1010_MA
3 Replies

10. Emergency UNIX and Linux Support

LDAP and AD Authentication Query

Hi Friends, I have below scenarios . dom1.test.com - LDAP dom2.test.com - AD Requirement is establish a trust relation between LDAP and AD server in such a way that if any user login on LDAP managed authentication server with dom1\username -> get authenticated by LDAP host ... (2 Replies)
Discussion started by: Shirishlnx
2 Replies

LEARN ABOUT MOJAVE

net::ldap::extra::ad

Net::LDAP::Extra::AD(3) 				User Contributed Perl Documentation				   Net::LDAP::Extra::AD(3)

NAME

       Net::LDAP::Extra::AD -- AD convenience methods

SYNOPSIS

	 use Net::LDAP::Extra qw(AD);

	 $ldap = Net::LDAP->new( ... );

	 ...

	 if ($ldap->is_AD || $ldap->is_ADAM) {
	   $ldap->change_ADpassword($dn, $old_password, $new_password);
	 }

DESCRIPTION

       Net::LDAP::Extra::AD tries to spare users the necessity to reinvent the wheel again and again in order to correctly encode password strings
       so that they can be used in AD password change operations.

       To do so, it provides the following methods:

METHODS

       is_AD ( )
	   Tell if the LDAP server queried is an Active Directory Domain Controller.

	   As the check is done by querying the root DSE of the directory, it works without being bound to the directory.

       is_ADAM ( )
	   Tell if the LDAP server queried is running AD LDS (Active Directory Lightweight Directory Services), previously known as ADAM (Active
	   Directoy Application Mode).

	   As the check is done by querying the root DSE of the directory, it works without being bound to the directory.

       change_ADpassword ( DN, OLD_PASSWORD, NEW_PASSWORD )
	   Change the password of the account given by DN from its old value OLD_PASSWORD to the new value NEW_PASSWORD.

	   This method requires encrypted connections.

       reset_ADpassword ( DN, NEW_PASSWORD, OPTIONS )
	   Reset the password of the account given by DN to the value given in NEW_PASSWORD.  OPTIONS is a list of key/value pairs. The following
	   keys are recognized:

	   force_change
	       If TRUE, the affected user is required to change the password at next login.

	   For this method to work, the caller needs to be bound to AD with sufficient permissions, and the connection needs to be encrypted.

AUTHOR

       Peter Marschall <peter@adpm.de<gt>

COPYRIGHT

       Copyright (c) 2012 Peter Marschall. All rights reserved. This program is free software; you can redistribute it and/or modify it under the
       same terms as Perl itself.

perl v5.18.2							    2013-12-23						   Net::LDAP::Extra::AD(3)
All times are GMT -4. The time now is 07:49 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy