I'm currently trying to mix local and LDAP users on an AIX 7.1.
I've triied many things.
My LDAP Server in on a CentOS - OpenLDAP (which works fine with linux).
I'm currently stuck on AIX at how to declare LDAP AND Local users.
Here's what i did :
Code:
/usr/sbin/mksecldap -c -h 'ldap03' -a 'cn=admin,o=other,c=fr' -p 'secret' -S 'RFC2307'
chsec -f /etc/security/user -s default -a SYSTEM='compat or LDAP'
I also triied
Code:
chsec -f /etc/security/user -s default -a SYSTEM='compat or LDAP'
chsec -f /etc/security/user -s default -a registry='LDAP'
But like this, i can't connect on my local users but i can connect to LDAP user with ssh and while connected to my AIX.
With the current configuration, i'm able to login to local and LDAP users BUT while trying throught ssh, i get "Permission denied, please try again." error
afaiu users are there, both local and LDAP, you can login using both types of users using standard AIX tools/procedures, such as "normal" login, telnet, ftp, but you receive some error trying to open ssh session. Am I right?
Do you have problems opening an SSH session with an LDAP user or with a local AIX user or with both types of users?
afaiu users are there, both local and LDAP, you can login using both types of users using standard AIX tools/procedures, such as "normal" login, telnet, ftp, but you receive some error trying to open ssh session. Am I right?
Do you have problems opening an SSH session with an LDAP user or with a local AIX user or with both types of users?
Currently here's whats going on :
Code:
Connection
su to local user Works
su to LDAP user Works but can't use chuser/rmuser and all user commands (like sudo -l with a LDAP user)
ssh to local user Works
ssh to LDAP user Permission denied, please try again. (Like when you type a wrong passwd)
What i would like to do :
Code:
Connection
su to local user Works
su to LDAP user Works
ssh to local user Works
ssh to LDAP user Works
mkuser Creates local user
rmuser Delete local user
chuser Changes local user
lsuser List local and LDAP user
mkuser/rmuser/chuser -R LDAP works but my LDAP server will block this
In fact i would like AIX users works like Linux users (at least it works like this on my Linux servers)
Last edited by AIX_user_324891; 11-25-2015 at 03:05 AM..
you have to specify for all local (already existing) users SYSTEM = "files" and registry = files - or e.g. the login process will search them on the LDAP-Server.
If LDAP is the default you need to specify that a user should create or exists locally:
Code:
mkuser [-R files] SYSTEM='files' registry='files' testuser
rmuser -R files testuser
passwd -R files testuser
lsuser -R files -a SYSTEM registry ALL
...
c) check your current defaults for SYSTEM and registry
Code:
michael@x071:[/home/michael]rity/user | egrep "SYSTEM|registry" <
* Possible values: SYSTEM,NONE,token;username.
* SYSTEM : Describes normal password authentication in
* an authentication grammar. See SYSTEM
* auth1 = SYSTEM,mylogin;mary
* SYSTEM Describes Version 4 authentication requirements. This
* SYSTEM grammar manual pages.
* SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"
* registry Describes where this user is administered. It is used
auth1 = SYSTEM
SYSTEM = "compat"
d) notice in the comments the example for SYSTEM way back when (1995ish) when DCE was more popular. I will rephrase this:
Code:
if (DCE authentication succeeds)
then authentication successful;
if (DCE not available AND compat authentication succeeds)
then authentication successful;
In other words, "compat" is only used when DCE is unavailable. Yours should substitute DCE with LDAP.
e) From memory (i.e., without additional testing) I cannot say exactly what registry = LDAP is doing. But I expect, not what you expect. Maybe if you have added the AIX schema into your CentOS LDAP server it might work. But since mkuser/chuser/etc -R LDAP is not working I expect the LDAP server is refusing because it does not have the AIX (LDIF) schema for all the attributes in /etc/security/user (to name just one of the registry 'files').
I suggest returning "registry = files" as the default setting.
Code:
chsec -f /etc/security/user -s default -a registry=files'
f) For users, rather account names, that must be local add at least "SYSTEM=compat" to the user, e.g., for michael
Code:
michael@x071:[/home/michael]chuser SYSTEM=compat michael
michael@x071:[/home/michael]grep -p michael: /etc/security/user | egrep "SYSTEM>
SYSTEM = "compat"
Other stuff) - back from 2000 when I designed the AIX security curriculum.
The key two attributes for Identification (aka username) and Authentication (aka password verification) are auth1 and SYSTEM. This is easy to delegate to an external I&A service, e.g., LDAP, DCE or kerberos server.
The third /etc/security/user attribute is registry - and, with no access to program code, design documents, etc. to verify it I have always understood this to be where to look for additional information about a user that is not uid/gid to username/groupnamelookup (and v.v.). In a literal sense I take this to mean - when registry=LDAP (as is your case) to not even look in /etc/passwd for my HOME directory or default shell (for the RFC2307 attributes that any UNIX oriented LDAP server should have).
You might be able to test this by changing the home directory of a user using both -R files and -R LDAP. If you do, please post results and expand my understanding!
you have to specify for all local (already existing) users SYSTEM = "files" and registry = files - or e.g. the login process will search them on the LDAP-Server.
If LDAP is the default you need to specify that a user should create or exists locally:
Code:
mkuser [-R files] SYSTEM='files' registry='files' testuser
rmuser -R files testuser
passwd -R files testuser
lsuser -R files -a SYSTEM registry ALL
...
Regards
Thanks for your reply,
I've already triied this, it's not a suitable solution as we may create local and LDAP users anytime. What could be perfect is something like :
Code:
/etc/security/user
default:
admin = false
login = true
...
SYSTEM = "compat or LDAP" <-- this work
registry = files or LDAP <-- Will not work of course, registry can only accept 1 parameter
I really want to stay with the default behavior:
all user operations will be local and if they can't be performed locally, they will try the LDAP.
Example
Code:
if i loggin to test user, my AIX should search locally, if it doesn't find anything, it'll try on LDAP
---------- Post updated at 07:13 AM ---------- Previous update was at 07:01 AM ----------
Thanks for your reply,
a) b) I'm root
Code:
# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp),229(idsldap),15(dbsysadm)
# lsuser -a registry SYSTEM root
root registry=files SYSTEM=compat
c) My defaults
Code:
# lssec -f /etc/security/user -s default -a registry
default registry=LDAP
# lssec -f /etc/security/user -s default -a SYSTEM
default SYSTEM="compat or LDAP"
e) registry = LDAP
This does not really do what i want as when you mkuser a new user, his registry will be on LDAP by default, and i want it to be files by default.
f) For users, rather account names, that must be local add at least "SYSTEM=compat" to the user, e.g., for michael
It's not something that i would like to as as we have a large number of accounts and they are not all the same depending on the server. It would be a big work to declare the registry and SYSTEM parameters of our local users.
Other stuff) I understood that registry is where to look for user informations and security files.
If you declare registry to LDAP, AIX will look for the user's files (passwd, group, shadow) on the LDAP, even if the user has SYSTEM = compat.
Here's an example:
Conditions : SYSTEM = compat, registry = LDAP
Code:
mkuser test
passwd test
Changing password for "test"
User "test" does not exist.
Error changing password for "test".
grep test /etc/passwd
test:*:210:1::/home/test:/usr/bin/ksh
---------- Post updated at 07:34 AM ---------- Previous update was at 07:13 AM ----------
I'm trying to exactly do what i said earlier
Code:
Connection
su to local user Works
su to LDAP user Works
ssh to local user Works
ssh to LDAP user Works
mkuser Creates local user
rmuser Delete local user
chuser Changes local user
lsuser List local and LDAP user (or just the local users)
mkuser/rmuser/chuser -R LDAP works but my LDAP server will block this <-- this is the wanted behavior
If i put registry to LDAP, all user will be searched on the LDAP.
I think i need the SYSTEM = 'compat or LDAP' to login to local and LDAP users.
Last edited by AIX_user_324891; 11-25-2015 at 08:41 AM..
Location: on the road for work; home is private time
Posts: 456
Thanks Given: 10
Thanked 108 Times in 100 Posts
Quote:
all user operations will be local and if they can't be performed locally, they will try the LDAP.
Normally, for user authentication admins want only one or the other, not both being checked.
I have never tried SYSTEM = compat OR compat[UNAVAIL] AND LDAP as I expect compat to always be available. Assuming compat[UNAVAIL] does not work then I think SYSTEM = compat OR LDAP comes closest to your authentication needs.
For accounts that must be local, like root - the solution has been to add specific
Code:
SYSTEM=compat
entries.
If your goal is to be as close to default as possible, set registry=files
I'd like to add some x/linux-based servers to my current AIX-based TDS/SDS server community. Reading the Fine Install Guide (rtfig ?) I believe this may be covered by the section "Upgrade an instance of a previous version to a different computer" i.e. I'm going to install latest/greatest SDS on a... (4 Replies)
Hello,
i configured rhel linux 6 with AD directory to authorize windows users to connect on the system and it works.
i have accounts with high privileges (oracle for example) if an account is created on the AD server i would to block him.
I looked for how to do, for the moment all the... (3 Replies)
Hi,
I need to switch from local user to root user in a shell script.
I need to make it automated so that it doesn't prompt for the root password.
I heard the su command will do that work but it prompt for the password.
and also can someone tell me whether su command spawns a new shell or... (1 Reply)
Hi,
I have been asked to create a ksh script that will search against an LDAP directory from various HP-UX, SUSE, and AIX 5.3 and 6.1 machines. The objective is to verify the boxes are successfully authenticating users from the LDAP store. This is something I've never done, and I could use... (0 Replies)
Hi Gurus,
I have a script that requires me to switch from local user to root. Anyone who has an idea on this since when i switch user to root it requires me to input root password.
It seems that i need to use expect module here, but i don't know how to create the object for this.
... (1 Reply)
If I create a new user id test:
mkuser id=400 test
then I want it to LDAP user:
chuser -R LDAP SYSTEM=LDAP registry=LDAP test
It shows:
3004-687 User "test" does not exist.
How to do? (4 Replies)
Hi Friends,
I have this script for ftping files from AIX server to local windows xp.
#!/bin/sh
HOST='localsystem.net'
USER='myid_onlocal'
PASSWD='mypwd_onlocal'
FILE='file.txt' ##This is a file on server(AIX)
ftp -n $HOST <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
put $FILE... (1 Reply)
Besides doing some shell-script which loops through /etc/passwd, I was wondering if there was some command that would tell me, like an enhanced version of getent.
The Operating system is Solaris 10 (recent-ish revision) using Sun DS for LDAP. (5 Replies)
I am implementing LDAP on Linux based system using openldap.
My management objects to the idea that all individual users will authenticate against an LDAP server because “what if it is not available”
Their suggestion is that we run in parallel a set of local configured users and a set of LDAP... (1 Reply)
11-24-2015
