Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: AD Group Policy Management and Kerberos / LDAP
Top Forums UNIX for Advanced & Expert Users AD Group Policy Management and Kerberos / LDAP Post 302968716 by Devyn on Monday 14th of March 2016 12:00:49 AM
Old 03-14-2016
I managed to get this going including HMC to AD (fully) without any local intervention required, however what remains now is how to get HBAC in. I have HBAC on users and SUDO in AD but that works allright in Linux, though it's far from production ready. I was looking for something specific for AIX to AD from IBM. No luck, even when asking our IBM representatives, they were not even aware that you can have HMC to AD fully integrated without having to create local accounts. So I think I scraped the barrel of that pot quite well.

I mean to get to this in time but Cloud stuff has my head spinning at the moment.

Cheers,
Tom
 

7 More Discussions You Might Find Interesting

1. HP-UX

LDAP/Kerberos Issue

I am getting the following error message when trying to login to the client: while verifying tgt If I move the /etc/krb5.keytab out of /etc, it works fine. This is HP-UX v23 Does anyone have any ideas? (1 Reply)
Discussion started by: dhernand
1 Replies

2. AIX

Kerberos and LDAP Auth

Good day I am trying to configure Kerberos and LDAP authentication on AIX 5.3 with Windows 2003 R2 but something is not quite right. When I ran kinit username I get a ticket and I can display it using klist. When the user login I can see the ticket request on Windows 2003, but the user... (1 Reply)
Discussion started by: mariusb
1 Replies

3. UNIX for Advanced & Expert Users

Compiling Samba from Source on AIX, Active Directory, LDAP, Kerberos

Hello, I asked this question in the AIX subforum but never received an answer, probably because the AIX forum is not that heavily trafficked. Anyway, here it is.. I have never had any issues like this when compiling applications from source. When I try to compile samba-3.5.0pre2, configure runs... (9 Replies)
Discussion started by: raidzero
9 Replies

4. Solaris

how to assign group policy to user in solaris

hi, how to assign group policy to user in solaris (1 Reply)
Discussion started by: meet2muneer
1 Replies

5. Windows & DOS: Issues & Discussions

QOS packet scheduler and group policy

hi, did anyone know how to configure a priority of dns ports (and other ports) on QOS on windows 2003? hard to understand the group policy "explain" tab on 'qos packet scheduler', no elaboration on how to use it. thanks for any comment you may add. ---------- Post updated at 05:03 PM... (0 Replies)
Discussion started by: itik
0 Replies

6. Solaris

LDAP Problem during Kerberos setting for Win server 03 Active Directory

Hi, FYI, I'm new in Solaris I'm trying to use Kerberos on authenticating LDAP Client with the Active Directory on Windows Server 2003 on both Solaris 10 5/08 and Solaris 10 9/10 by referring to the pdf file kerberos_s10.pdf available at sun official site. ... (0 Replies)
Discussion started by: chongzh
0 Replies

7. AIX

Trouble with Kerberos/LDAP and AIX 6.1

The KRB5ALDAP compound load module is giving me fits. Everything looks like it should be working, but no. Goal: Integrate AIX host with Active Directory using a KRB5ALDAP compound load module so that users can be created in AD and used in AIX, with unix attributes (registry values) being... (2 Replies)
Discussion started by: jgeiger
2 Replies

LEARN ABOUT OPENDARWIN

ldap_bind

LDAP_BIND(3)						     Library Functions Manual						      LDAP_BIND(3)

NAME

       ldap_bind,  ldap_bind_s,  ldap_simple_bind, ldap_simple_bind_s, ldap_kerberos_bind_s, ldap_kerberos_bind1, ldap_kerberos_bind1_s, ldap_ker-
       beros_bind2,   ldap_kerberos_bind2_s,   ldap_sasl_bind,	 ldap_sasl_bind_s,   ldap_sasl_interactive_bind_s,    ldap_parse_sasl_bind_result,
       ldap_unbind, ldap_unbind_s - LDAP bind routines

LIBRARY

       OpenLDAP LDAP (libldap, -lldap)

SYNOPSIS

       #include <ldap.h>

       int ldap_bind(LDAP *ld, const char *who, const char *cred,
	      int method);

       int ldap_bind_s(LDAP *ld, const char *who, const char *cred,
	      int method);

       int ldap_simple_bind(LDAP *ld, const char *who, const char *passwd);

       int ldap_simple_bind_s(LDAP *ld, const char *who, const char *passwd);

       int ldap_kerberos_bind_s(LDAP *ld, const char *who);

       int ldap_kerberos_bind1(LDAP *ld, const char *who);

       int ldap_kerberos_bind1_s(LDAP *ld, const char *who);

       int ldap_kerberos_bind2(LDAP *ld, const char *who);

       int ldap_kerberos_bind2_s(LDAP *ld, const char *who);

       int ldap_sasl_bind(LDAP *ld, const char *dn, const char *mechanism,
	      struct berval *cred, LDAPControl *sctrls[],
	      LDAPControl *cctrls[], int *msgidp);

       int ldap_sasl_bind_s(LDAP *ld, const char *dn, const char *mechanism,
	      struct berval *cred, LDAPControl *sctrls[],
	      LDAPControl *cctrls[], struct berval **servercredp);

       int ldap_parse_sasl_bind_result(LDAP *ld, LDAPMessage *res,
	      struct berval **servercredp, int freeit);

       int ldap_sasl_interactive_bind_s(LDAP *ld, const char *dn,
	      const char *mechs, struct berval *cred,
	      LDAPControl *sctrls[], LDAPControl *cctrls[],
	      unsigned flags, LDAP_SASL_INTERACT_PROC *interact,
	      void *defaults);

       int ldap_unbind(LDAP *ld);

       int ldap_unbind_s(LDAP *ld);

DESCRIPTION

       These routines provide various interfaces to the LDAP bind operation.  After an association with an LDAP server is made using ldap_init(3),
       an LDAP bind operation should be performed before other operations are attempted over the connection.  An LDAP bind is required when  using
       Version 2 of the LDAP protocol; it is optional for Version 3 but is usually needed due to security considerations.

       There  are  many types of bind calls, providing simple authentication, Kerberos version 4 authentication, and general routines to do either
       one, as well as calls using SASL (Simple Authentication and Security Layer) that can negotiate one of many different kinds  of  authentica-
       tion.   Both  synchronous  and  asynchronous  versions  of each variant of the bind call are provided.  All routines take ld as their first
       parameter, as returned from ldap_init(3).

       Kerberos version 4 has been superseded by Kerberos version 5, and the Kerberos version 4 support is only provided for backward  compatibil-
       ity.  The  SASL	interfaces  should be used for new applications. SASL provides a general interface for using Kerberos versions 4 and 5 and
       many other security systems.

SIMPLE AUTHENTICATION

       The simplest form of the bind call is ldap_simple_bind_s().  It takes the DN to bind as in who, and the userPassword  associated  with  the
       entry  in  passwd.   It returns an LDAP error indication (see ldap_error(3)).  The ldap_simple_bind() call is asynchronous, taking the same
       parameters but only initiating the bind operation and returning the message id of the request it sent.  The result of the operation can	be
       obtained by a subsequent call to ldap_result(3).

KERBEROS AUTHENTICATION

       If  the LDAP library and LDAP server being contacted have been compiled with the KERBEROS option defined, Kerberos version 4 authentication
       can be performed. As mentioned above, these Kerberos routines are provided only for backward compatibility.

       These routines assume the user already has obtained a ticket granting ticket.  The routines take who, the DN of the entry to bind as.   The
       ldap_kerberos_bind_s()  routine	does  both steps of the Kerberos binding process synchronously.  The ldap_kerberos_bind1_s() and ldap_ker-
       beros_bind2_s() routines allow synchronous access to the individual steps, authenticating to the LDAP server and X.500  DSA,  respectively.
       The ldap_kerberos_bind1() and ldap_kerberos_bind2() routines provide equivalent asynchronous access.

       The  ldap_kerberos_bind_s()  routine  is  used  to perform both authentication steps when contacting an LDAP server that is a gateway to an
       X.500 DSA.  This kind of server configuration is only supported in the (very old) University of Michigan LDAP release.  The OpenLDAP  pack-
       age  no longer provides this gateway server.  The standalone LDAP server provided in OpenLDAP may still be configured with Kerberos version
       4 support, but it only requires one authentication step, and will return an error if the second step is	attempted.   Therefore,  only  the
       ldap_kerberos_bind1() routine or its synchronous equivalent may be used when contacting an OpenLDAP server.

GENERAL AUTHENTICATION

       The  ldap_bind()  and  ldap_bind_s() routines can be used when the authentication method to use needs to be selected at runtime.  They both
       take an extra method parameter selecting the authentication method to use.  It should be set to one of LDAP_AUTH_SIMPLE,  LDAP_AUTH_KRBV41,
       or  LDAP_AUTH_KRBV42,  to select simple authentication, Kerberos authentication to the LDAP server, or Kerberos authentication to the X.500
       DSA, respectively.  ldap_bind() returns the message id of the request it initiates.  ldap_bind_s() returns an LDAP error indication.

SASL AUTHENTICATION

       Description still under construction...

UNBINDING

       The ldap_unbind() call is used to unbind from the directory, terminate the current association, and free the resources contained in the	ld
       structure.   Once  it is called, the connection to the LDAP server is closed, and the ld structure is invalid.  The ldap_unbind_s() call is
       just another name for ldap_unbind(); both of these calls are synchronous in nature.

ERRORS

       Asynchronous routines will return -1 in case of error, setting the ld_errno parameter of the ld	structure.   Synchronous  routines  return
       whatever ld_errno is set to.  See ldap_error(3) for more information.

SEE ALSO

       ldap(3), ldap_error(3), ldap_open(3), RFC 2222 (http://www.ietf.org), Cyrus SASL (http://asg.web.cmu.edu/sasl/)

ACKNOWLEDGEMENTS

       OpenLDAP  is  developed and maintained by The OpenLDAP Project (http://www.openldap.org/).  OpenLDAP is derived from University of Michigan
       LDAP 3.3 Release.

OpenLDAP 2.1.X							    RELEASEDATE 						      LDAP_BIND(3)
All times are GMT -4. The time now is 09:28 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy