Visit Our UNIX and Linux User Community


LDAP user authentication issue


 
Thread Tools Search this Thread
Operating Systems AIX LDAP user authentication issue
# 1  
Old 11-09-2009
LDAP user authentication issue

Hello everyone, hoping you can provide some incite with a little problem I'm having..

I have the LDAP client configured and running on my AIX 5.3 server, which is authenticating against an eDirectory LDAP server. I can login via LDAP no problems on the AIX server with newly created users, however I can't get existing local AIX users switched over and logged in via LDAP.

I issue the following: chuser SYSTEM=LDAP registry=LDAP username and try to login in with that user via putty and get a message stating "server unexpectedly closed network connection".

However, if I first login with a local user, then su to the user via LDAP it authenticates successfully, so it appears there is something not right with just the initial login, ideas?
# 2  
Old 11-10-2009
Is everything set for those users like loginshell, home directory etc?
Do those users have in /etc/security/user entries like
Code:
john:
    SYSTEM="LDAP"
    registry=LDAP

?
I don't know if the chuser adds the double quotes needed at the SYSTEM= variable. Iirc they are important.

I have set our server with the two variables up there in the default: stanza of the /etc/security/user so that only those accounts that should remain locally have something like
Code:
root:
     SYSTEM="files"
     registry=files

Also when changing local users to be LDAP users, you have to clear the following files of them:
Code:
/etc/passwd
/etc/group
/etc/security/passwd
/etc/security/group

And if uid and gid changes chown them accordingly in the filesystem.
Also remember to not mix local users and groups with ldap users and groups. SMIT will get problems else.
# 3  
Old 11-10-2009
Thanks for the reply!

Quote:
Is everything set for those users like loginshell, home directory etc?
Yes, we have this set in LDAP for the users, and they will be using their existing home directories. When we su over to the LDAP user it shows them as being in their home directory.

Quote:
Do those users have in /etc/security/user entries like
Code:
john:
    SYSTEM="LDAP"
    registry=LDAP

?
I don't know if the chuser adds the double quotes needed at the SYSTEM= variable. Iirc they are important.
Yes, once I switch the user via the chuser command those entries are made, including the double quotes.

Quote:
I have set our server with the two variables up there in the default: stanza of the /etc/security/user so that only those accounts that should remain locally have something like
Code:
root:
     SYSTEM="files"
     registry=files

Correct, ours is setup this way as well.

Quote:
Also when changing local users to be LDAP users, you have to clear the following files of them:
Code:
/etc/passwd
/etc/group
/etc/security/passwd
/etc/security/group

What do you mean by clear? Shouldn't AIX be able to maintain both accounts in the event LDAP fails? The idea is that their local accounts would be a backup means of authentication, so for example we may want to go with something like:
Code:
SYSTEM="LDAP or compat"

Quote:
And if uid and gid changes chown them accordingly in the filesystem.Also remember to not mix local users and groups with ldap users and groups. SMIT will get problems else.
This will be something we will have to address once we get the users authenticated, we aren't sure how the ownership and permissions will translate.
# 4  
Old 11-11-2009
You wrote that you switched with chuser the existing ones to SYSTEM="LDAP" and registry=LDAP. I am not sure what AIX does if it finds authentication data locally still of users that are supplied by LDAP.
If you want to keep them locally too, this should be possible with "LDAP or compat" I guess though I did not try it out, but it should be noted in the Redbook "Implementing AIX into heterogenous LDAP environments".

We have no backup users since the passwords will not be synchronized between LDAP and local users so that if something happens to our LDAP servers, they might have forgotten their old local passwords anyway.
Also some political thing does prevent us from keeping them locally anyway.

Maybe try it out with 1 user that is locally (save it's entries in /etc/passwd, /etc/group, /etc/security/user, /etc/security/passwd so you can put them back again), remove his other local entries etc., so that it will become a LDAP only user and see if this works. Else there will be something wrong with the "or" thingy to try LDAP 1st, then fall back to compat. Maybe you can try "LDAP or files" too.
# 5  
Old 11-11-2009
I was able to get the issue resolved after opening a PMR with IBM.

What's not documented in the Redbook is that in order to login via SSH, both local and LDAP UID's/GID's must match exactly. SSH will check both local and LDAP user attributes if they exist in both places, regardless of registry. So after I changed the local UID and GID for the user to match LDAP I could login, this is very inconvenient as I also had to find all the orphaned files and reassign them via:
Code:
find / -user ### -exec chown <username>:<groupname> {} \;

Thanks for the help!

Previous Thread | Next Thread
Test Your Knowledge in Computers #504
Difficulty: Medium
Typically, programs operate in a reverse-linear flow of control.
True or False?

10 More Discussions You Might Find Interesting

1. Emergency UNIX and Linux Support

LDAP and AD Authentication Query

Hi Friends, I have below scenarios . dom1.test.com - LDAP dom2.test.com - AD Requirement is establish a trust relation between LDAP and AD server in such a way that if any user login on LDAP managed authentication server with dom1\username -> get authenticated by LDAP host ... (2 Replies)
Discussion started by: Shirishlnx
2 Replies

2. AIX

LDAP authentication client issue

Hi, I am trying to authenticate AIX server against a IDS LDAP instance. The AIX version is 6.1 and TDS client is 6.1. I configured the secldapclntd using ldap.cfg file and changed /etc/security/user to set SYSTEM=LDAP, registry=LDAP for one user. Below are the ldap.cfg configurations - ... (5 Replies)
Discussion started by: vs1
5 Replies

3. AIX

LDAP authentication

Hi, We are trying to use LDAP to authenticate the login from our application. Our application is installed on AIX 6.1 and LDAP server is on active directory windows 2003. We are getting the below error when we try to login. We have the required lib file in the path it is looking for. Any idea... (3 Replies)
Discussion started by: Nand1010_MA
3 Replies

4. Debian

webdav share per user ldap authentication

hi all, i have configured Apache with WEBDAV & my aim is sharing outlook calendars because we don't use M$ ExChange. From outlook i did a simple test & am able to share a calendar. I want to create share for each user & then authenticate against LDAP before they can publish their... (0 Replies)
Discussion started by: coolatt
0 Replies

5. Solaris

Iplanet LDAP User Authentication on Solaris

Dear Friends, I have recently installed iplanet directory server on my Solaris 10 machine.I was able to successfully install and configure ldap on my system.Furthermore, was also able to add user entries to the LDAP database server.But now I am finding it difficult to authenticate LDAP users... (1 Reply)
Discussion started by: raunaqnilekani
1 Replies

6. Solaris

LDAP authentication

Hi folks, i have opends 1.2 manually installed subversion 1.4.3 and apache2 updated by package manager. i want to access svn using LDAP authentication its giving an error: ldap_simple_bind_s() failed. what could be the problem. i wrote some text at the end of httpd.conf fpr ldap... (2 Replies)
Discussion started by: visu_buri
2 Replies

7. UNIX for Advanced & Expert Users

LDAP Authentication AND Authorization

I see a lot of thread on LDAP Authentication but I want to enable LDAP Authentication with Authorization. Meaning, removing the user ID's and groups from the local servers and move them to an LDAP server. When a user logs in (via LDAP) they will be given their group memberships and access to the... (3 Replies)
Discussion started by: scottsl
3 Replies

8. Cybersecurity

LDAP authentication question

Hello, I have a Linux box with RHEL4 running on it. The box is meant to be on the DMZ. There is a directory on the box that will be remotely from time to time and I want a form of authentication on it. Presently, I have configured Basic authentication with apache but the security is not tight. I... (1 Reply)
Discussion started by: bptronics
1 Replies

9. Linux

LDAP authentication question

Hello, I have a Linux box with RHEL4 running on it. The box is meant to be on the DMZ. There is a directory on the box that will be remotely from time to time and I want a form of authentication on it. Presently, I have configured Basic authentication with apache but the security is not tight. I... (1 Reply)
Discussion started by: bptronics
1 Replies

10. Shell Programming and Scripting

Module for LDAP Authentication

Hello Everyone, I have enabled LDAP authentication on my Web script by adding the list of valid users in /etc/apach2/default-server.conf. However, I now want to retrieve the username of the person that logs in. How can I do that? Is there any such module? Regards, Harsha (0 Replies)
Discussion started by: garric
0 Replies

Featured Tech Videos