Mix LDAP and LOCAL user on AIX


 
Thread Tools Search this Thread
Operating Systems AIX Mix LDAP and LOCAL user on AIX
# 8  
Old 11-25-2015
The thing is that on CentOS, redhat servers we have, we can login to local users and LDAP users, and when performing actions on users, it only affects local users.
If it's not possible to do it on AIX well... I'll have to find a workaround.
# 9  
Old 11-25-2015
Maybe I do not understand the question. But, let's say michael exists in both LDAP and AIX domains.

To change the account michael 'locally' I would use:

# chuser -R files .... michael

And the same, or a different change on LDAP would be:

# chuser -R LDAP .... michael

However, I expect most changes using chuser -R LDAP ... michael will fail if your server only supports the RFC2307 DIT or LDIF specification (basically, what is found in /etc/passwd and /etc/group and the shadowed encryption of the password).

Basics:
when you ran the mksecldap command you configured the file /etc/security/ldap.cfg and arranged for the daemons to start.

Look at this section on your server - I do not have LDAP configured so all are commented out - you should have a few uncommented.

Line numbers are approximate!
unix_auth is default, and preferred
Code:
   +30  # Authentication type. Valid values are unix_auth and ldap_auth.
   +31  # Default is unix_auth.
   +32  # unix_auth - Retrieve user password and authenticate user locally.
   +33  # ldap_auth - Bind to LDAP server to authenticate user remotely through LDAP.
   +34  #authtype:unix_auth

Preferred is "system" and update /etc/security/login.cfg to use sssh256
Code:
   +60  # Default is "crypt".
   +61  #  crypt      - Specifies the legacy crypt() (DES) algorithm.
   +62  #  system     - Specifies the syste-wide password algorithm that is
   +63  #               defined in /etc/security/login.cfg. Using syste-wide
   +64  #               password algorithm may require that LDAP server's
   +65  #               password encryption be disabled to avoid double
   +66  #               encryption, which can make the password unusable.
   +67  #pwdalgorithm:crypt

These are the user attributes defining the schema used. Are these uncommented? What do they point too?

Code:
   +69  # AIX-LDAP attribute map path.
   +70  #userattrmappath:/etc/security/ldap/aixuser.map
   +71  #groupattrmappath:/etc/security/ldap/aixgroup.map
   +72  #idattrmappath:/etc/security/ldap/aixid.map

Code:
michael@x071:[/etc/security/ldap]ls /etc/security/ldap/*.map
/etc/security/ldap/2307aixgroup.map  /etc/security/ldap/aixuser.map        /etc/security/ldap/sfu30user.map
/etc/security/ldap/2307aixuser.map   /etc/security/ldap/sfu20group.map     /etc/security/ldap/sfur2aixgroup.map
/etc/security/ldap/2307group.map     /etc/security/ldap/sfu20user.map      /etc/security/ldap/sfur2aixuser.map
/etc/security/ldap/2307user.map      /etc/security/ldap/sfu30aixgroup.map  /etc/security/ldap/sfur2group.map
/etc/security/ldap/aixgroup.map      /etc/security/ldap/sfu30aixuser.map   /etc/security/ldap/sfur2user.map
/etc/security/ldap/aixid.map         /etc/security/ldap/sfu30group.map

And finally, for the basics: what is active/inactive here?

Code:
   +74  # Base DN where the user and group data are stored in the LDAP server.
   +75  # e.g., if user foo's DN is: uid=foo,ou=people,cn=aixdata
   +76  # then the user base DN is: ou=people,cn=aixdata
   +77  #userbasedn:ou=people,cn=aixdata
   +78  #groupbasedn:ou=groups,cn=aixdata
   +79  #idbasedn:cn=aixid,ou=system,cn=aixdata
   +80  #hostbasedn:ou=hosts,cn=aixdata
   +81  #servicebasedn:ou=services,cn=aixdata
   +82  #protocolbasedn:ou=protocols,cn=aixdata
   +83  #networkbasedn:ou=networks,cn=aixdata
   +84  #netgroupbasedn:ou=netgroup,cn=aixdata
   +85  #rpcbasedn:ou=rpc,cn=aixdata
   +86  #automountbasedn:ou=automount,cn=aixdata
   +87  #aliasbasedn:ou=aliases,cn=aixdata
   +88  #bootparambasedn:ou=ethers,cn=aixdata
   +89  #etherbasedn:ou=ethers,cn=aixdata
   +90  #authbasedn:ou=authorizations,cn=aixdata
   +91  #rolebasedn:ou=roles,cn=aixdata
   +92  #privcmdbasedn:ou=privcmds,cn=aixdata
   +93  #privdevbasedn:ou=privdevs,cn=aixdata
   +94  #privfilebasedn:ou=privfiles,cn=aixdata
   +95  #domainbasedn:ou=domains,cn=aixdata
   +96  #domobjbasedn:ou=domobjs,cn=aixdata

---------- Post updated at 02:17 PM ---------- Previous update was at 02:14 PM ----------

Quote:
Originally Posted by AIX_user_324891
The thing is that on CentOS, redhat servers we have, we can login to local users and LDAP users, and when performing actions on users, it only affects local users.
If it's not possible to do it on AIX well... I'll have to find a workaround.
I expect it is using, by default, the same schema (attribute mapping) in LDAP and it does in it's local files.

AIX includes an LDAP server at no additional charge for AIX user admin. Maybe using that will get you 90% of the way. You can still configure AIX to go to a 'foreign' LDAP server for "login" verification.

Last edited by MichaelFelt; 11-25-2015 at 09:18 AM.. Reason: typo
# 10  
Old 11-25-2015
Okay,

i found a solution that seems to work (in my setup):

Security authentication mechanism in AIX

authcontroldomain attribute

AIX introduced a new alternative authentication control attribute "authcontroldomain" from AIX 6.1 Tl07 and 71 Tl01 releases. When this attribute is set, SYSTEM and registry attributes are stored or retrieved from that database. For local users, SYSTEM and registry attribute are stored in /etc/security/user file irrespective of the authcontroldomain value.

The authcontroldomain attribute needs to be defined with a loadmodule name which is defined in the /etc/methods.cfg or /usr/lib/security/methods.cfg file. This attribute needs to be defined in the /etc/security/login.cfg file under the usw stanza.

authcontroldomain attribute can be set for a system as using the chsec command. For example:

Code:
chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=LDAP

Code:
/etc/security/user
default:
        SYSTEM = "files"
        registry = files

Quick Test: LDAP and local User Login works fine without further specifying SYSTEM or registry.


Regards

Edit:
IBM Systems Magazine - AIX Authentication Mechanism Simplifies System Security | AIX | IBM Systems Magazine | System p, System p5, Power System | security, Uma M. Chandolu, LDAP, Kerberos, PAM, NIS, authentication mechanism

Security load modules are defined in /usr/lib/security/methods.cfg file. User identification is done based on order in, which load modules are defined in methods.cfg file. Local load module information is not defined in the /usr/lib/security/methods.cfg file. However, the user information will be verified first in local module; then the order that is defined in methods.cfg file will follow.
These 2 Users Gave Thanks to -=XrAy=- For This Post:
# 11  
Old 11-25-2015
Thanks -=XrAy=-, for reminding me that sometimes developerworks has new information, not just rehashed.

AIX_user_324891 - lots of feedback in both directions. I am still not sure exactly what you want to achieve. If I was at your location I would ask for a demonstration of what you do on your linux servers - and then think about how I would approach that on AIX. Security is Managing Detail - without control of the details security is not - imho. So, describing, in definitive terms helps an old fool like myself (fool because I play blind (I prefer saying I try to not assume) to things everyone else sees as self-evident).
This User Gave Thanks to MichaelFelt For This Post:
# 12  
Old 11-25-2015
Quote:
Originally Posted by -=XrAy=-
Okay,

i found a solution that seems to work (in my setup):

authcontroldomain attribute

AIX introduced a new alternative authentication control attribute "authcontroldomain" from AIX 6.1 Tl07 and 71 Tl01 releases. When this attribute is set, SYSTEM and registry attributes are stored or retrieved from that database. For local users, SYSTEM and registry attribute are stored in /etc/security/user file irrespective of the authcontroldomain value.

The authcontroldomain attribute needs to be defined with a loadmodule name which is defined in the /etc/methods.cfg or /usr/lib/security/methods.cfg file. This attribute needs to be defined in the /etc/security/login.cfg file under the usw stanza.

authcontroldomain attribute can be set for a system as using the chsec command. For example:

Code:
chsec -f /etc/security/login.cfg -s usw -a authcontroldomain=LDAP

Code:
/etc/security/user
default:
        SYSTEM = "files"
        registry = files

Quick Test: LDAP and local User Login works fine without further specifying SYSTEM or registry.


Regards

Security load modules are defined in /usr/lib/security/methods.cfg file. User identification is done based on order in, which load modules are defined in methods.cfg file. Local load module information is not defined in the /usr/lib/security/methods.cfg file. However, the user information will be verified first in local module; then the order that is defined in methods.cfg file will follow.
Thanks for you reply,

Its almost what i need, your solution looks good but now i think i've got a configuration problem Smilie, when i login to my ldap user via root (su ldap_user) it works, but when i try to login with a normal user i got an error message.

Code:
root@vsqft01:/ # lsuser ldap_user
ldap_user id=15000 pgrp=admin_system groups=admin_system 
home=/home/ldap_user shell=/usr/bin/bash login=true su=true 
rlogin=true daemon=true admin=false sugroups=ALL admgroups= 
tpath=nosak ttys=ALL expires=0 auth1=SYSTEM umask=22 
registry=files SYSTEM=compat logintimes= loginretries=0 
pwdwarntime=0 account_locked=false minage=0 maxage=0 
maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 
minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 
minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= 
fsize=-1 cpu=-1 data=-1 stack=-1 core=0 rss=-1 nofiles=-1 
unsuccessful_login_count=5 roles=
root@vsqft01:/ # su ldap_user

ldap_user@vsqft01:/ # lsuser ldap_user
ldap_user id=15000 pgrp=admin_system groups=admin_system home=/home/ldap_user shell=/usr/bin/bash registry=LDAP SYSTEM= roles=
ldap_user@vsqft01:/ # su ldap_user
ldap_user's Password:
Cannot su to "ldap_user" : Authentication is denied.

---------- Post updated at 09:15 AM ---------- Previous update was at 08:50 AM ----------

Quote:
Originally Posted by MichaelFelt
Thanks -=XrAy=-, for reminding me that sometimes developerworks has new information, not just rehashed.

AIX_user_324891 - lots of feedback in both directions. I am still not sure exactly what you want to achieve. If I was at your location I would ask for a demonstration of what you do on your linux servers - and then think about how I would approach that on AIX. Security is Managing Detail - without control of the details security is not - imho. So, describing, in definitive terms helps an old fool like myself (fool because I play blind (I prefer saying I try to not assume) to things everyone else sees as self-evident).
Here's a demonstation of what i can do on my linux servers :
First i've got a linux user in my LDAP server like this :
uid=ldap_user,ou=linux_users,ou=other,o=other
When connecting to our CentOS server, i just do this :
Code:
ssh ldap_user@vhzva03
[ldap_user] $ id
uid=9999(ldap_user) gid=16000(network_admin) groupes=16000(network_admin)

Now on that vhzva03 if i grep /etc/passwd, i don't find the ldap_user (as expected)
Code:
[root] # grep ldap_user /etc/passwd

When looking with a ldapsearch command
ldapsearch -b "o=other" -x "(cn=ldap_user)"
Code:
dn: uid=ldap_user,ou=linux_users,ou=other,o=other
cn: ldap_user
gidNumber: 16000
homeDirectory: /home/ldap_user
loginShell: /bin/bash
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
uid: ldap_user
uidNumber: 9999
userPassword::

Now with a useradd :
Code:
[root] # useradd test
[root] # grep test /etc/passwd
test:x:501:501::/home/test:/bin/bash

Now userdel:
Code:
[root] # userdel test
[root] # grep test /etc/passwd

[root] # userdel ldap_user
userdel : user ldap_user does not exist

As you can see, i can login via ssh, su to my ldap_user.
When performing account commands, only local users are affected.
# 13  
Old 11-25-2015
Quote:
Originally Posted by AIX_user_324891
ldap_user's Password:
Cannot su to "ldap_user" : Authentication is denied.
[/CODE]
Changing the default stanza to
Code:
/etc/security/user
SYSTEM = "compat or LDAP"

seems to be a workaround. Now i can SU from an LDAP user to another LDAP user. If i try to delete a ldap user (as root), i get an error: 3004-698 Error committing changes to "ldap_user".

BUT: I noticed that the chsec command throw the same error.
Code:
# chsec -f /etc/security/user -s default -a SYSTEM="compat or LDAP"
3004-698 Error committing changes to "default".

So the use of authcontroldomain seems to be buggy. You/I will need do further tests.

Regards
This User Gave Thanks to -=XrAy=- For This Post:
# 14  
Old 11-26-2015
Quote:
Originally Posted by -=XrAy=-
Changing the default stanza to
Code:
/etc/security/user
SYSTEM = "compat or LDAP"

seems to be a workaround. Now i can SU from an LDAP user to another LDAP user. If i try to delete a ldap user (as root), i get an error: 3004-698 Error committing changes to "ldap_user".

BUT: I noticed that the chsec command throw the same error.
Code:
# chsec -f /etc/security/user -s default -a SYSTEM="compat or LDAP"
3004-698 Error committing changes to "default".

So the use of authcontroldomain seems to be buggy. You/I will need do further tests.

Regards
Ok, i triied this, it looks like it work, hope the
Code:
# chsec -f /etc/security/user -s default -a SYSTEM="compat or LDAP"
3004-698 Error committing changes to "default".

Does not make some bugs anywhere
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. AIX

IBM TDS/SDS (LDAP) - can I mix endianness among servers in an instance ?

I'd like to add some x/linux-based servers to my current AIX-based TDS/SDS server community. Reading the Fine Install Guide (rtfig ?) I believe this may be covered by the section "Upgrade an instance of a previous version to a different computer" i.e. I'm going to install latest/greatest SDS on a... (4 Replies)
Discussion started by: maraixadm
4 Replies

2. UNIX for Advanced & Expert Users

Pam.d and make difference between AD User and local user on Linux

Hello, i configured rhel linux 6 with AD directory to authorize windows users to connect on the system and it works. i have accounts with high privileges (oracle for example) if an account is created on the AD server i would to block him. I looked for how to do, for the moment all the... (3 Replies)
Discussion started by: vincenzo
3 Replies

3. Shell Programming and Scripting

How to Switch from Local user to root user from a shell script?

Hi, I need to switch from local user to root user in a shell script. I need to make it automated so that it doesn't prompt for the root password. I heard the su command will do that work but it prompt for the password. and also can someone tell me whether su command spawns a new shell or... (1 Reply)
Discussion started by: Little
1 Replies

4. Shell Programming and Scripting

Hp-UX, SUSE, and AIX LDAP User Script Help

Hi, I have been asked to create a ksh script that will search against an LDAP directory from various HP-UX, SUSE, and AIX 5.3 and 6.1 machines. The objective is to verify the boxes are successfully authenticating users from the LDAP store. This is something I've never done, and I could use... (0 Replies)
Discussion started by: tekster2
0 Replies

5. Shell Programming and Scripting

switch user from local user to root in perl

Hi Gurus, I have a script that requires me to switch from local user to root. Anyone who has an idea on this since when i switch user to root it requires me to input root password. It seems that i need to use expect module here, but i don't know how to create the object for this. ... (1 Reply)
Discussion started by: linuxgeek
1 Replies

6. AIX

How to change normal user id to LDAP user id?

If I create a new user id test: mkuser id=400 test then I want it to LDAP user: chuser -R LDAP SYSTEM=LDAP registry=LDAP test It shows: 3004-687 User "test" does not exist. How to do? (4 Replies)
Discussion started by: rainbow_bean
4 Replies

7. AIX

Do I need to configure my local windows to FTP files from local windows to a UNIX AIX server?

Hi Friends, I have this script for ftping files from AIX server to local windows xp. #!/bin/sh HOST='localsystem.net' USER='myid_onlocal' PASSWD='mypwd_onlocal' FILE='file.txt' ##This is a file on server(AIX) ftp -n $HOST <<END_SCRIPT quote USER $USER quote PASS $PASSWD put $FILE... (1 Reply)
Discussion started by: rajsharma
1 Replies

8. UNIX for Advanced & Expert Users

Determining if user is local-user in /etc/passwd or LDAP user

Besides doing some shell-script which loops through /etc/passwd, I was wondering if there was some command that would tell me, like an enhanced version of getent. The Operating system is Solaris 10 (recent-ish revision) using Sun DS for LDAP. (5 Replies)
Discussion started by: ckmehta
5 Replies

9. SuSE

user management - LDAP and local files

I am implementing LDAP on Linux based system using openldap. My management objects to the idea that all individual users will authenticate against an LDAP server because “what if it is not available” Their suggestion is that we run in parallel a set of local configured users and a set of LDAP... (1 Reply)
Discussion started by: scampi
1 Replies

10. AIX

ldap for aix

hello i look for a ldap for Aix, do know it ? thank you (0 Replies)
Discussion started by: pascalbout
0 Replies
Login or Register to Ask a Question