
Re: AIX as openldap client



Hi,
on AIX you don't need to retrieve the password from the LDAP server. You can configure AIX to hand the authentication process over to the LDAP server.

In the secldapclntd configuration file (/etc/security/ldap/ldap.cfg) you have to configure these directives (lines taken from my deployment):

# Authentication type. Valid values are unix_auth and ldap_auth.
# Default is unix_auth.
# unix_auth - Retrieve user password and authenticate user locally.
# ldap_auth - Bind to LDAP server to authenticate user remotely through LDAP.
authtype:ldap_auth

# AIX-LDAP attribute map path.
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
#idattrmappath:/etc/security/ldap/aixid.map

# LDAP class definitions.
userclasses:posixaccount,shadowaccount
#userclasses:aixaccount,ibm-securityidentities
#groupclasses:aixaccessgroup

# Search mode. Valid values are ALL and OS.
# Default is ALL.
# ALL - Returns all attributes of an entry.
# OS  - Returns only the OS required attributes of an entry.
#       Non-OS attributes like telephone number, binary images, etc.
#       will not be returned.
#
# Note: Use OS only when user entry has many non-OS required attributes
#       or attributes with large value, e.g. binary data, to reduce
#       sorting effort by the LDAP server.
searchmode:OS

# Default user attribute entry location.  Valid values are LDAP and local.
# The default is LDAP.
# LDAP  - Use the default entry in LDAP.
# local - Use the default entry from /etc/security/user.
defaultentrylocation:local


You also have to make sure that in the file /etc/security/user you have set these properties for the users that exist only locally on the system:
SYSTEM = "files"
registry = files

Hope this helps
Marco

On Wed, Oct 27, 2010 at 10:37 AM, Stef Coene <stef.coene@docum.org> wrote:
> > Oct 26 20:44:12 ldap1 slapd[28664]: Entry
> > (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not
> > allowed
> > Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute
> > 'shadowLastChange' not allowed
> >
> > Is this important?
>
> Yes, because either nis.schema or rfc2307bis.schema is missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are
loaded.  I created a test user with
objectClass: aixAuxAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson

I can log in to my test linux server with this user but not on the AIX server.
When I do a telnet to the AIX server, I can enter the username, but before I
can enter the password, I get the error
3004-007 You entered an invalid login name or password.

For the password, this is stored in plain text when I add the user.  Before I
can log in to the linux server, I have to change it with passwd and after that,
the password is encrypted with {crypt} and I can log in to the linux client:
userPassword: {crypt}$1$.xxxxxxxxxxxxxxxxxxxxxxxx/
Can this be the problem?  I don't know what encryption AIX expects.


Stef




--
_________________________________________
It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get back up.
                    Jim Morrison
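The two settings Marco describes (authtype:ldap_auth in ldap.cfg, and SYSTEM = "files" / registry = files for local-only users in /etc/security/user) are easy to get half right, and a user whose registry still points at LDAP will silently fall back to remote lookups. The script below is an added example, not code from the thread or from IBM: it parses both files and reports which local-only accounts are missing either attribute. The ldap.cfg directives are key:value lines with '#' comments as shown above; the /etc/security/user layout (a "name:" line followed by indented "attr = value" lines, '*' comments) is AIX's stanza format. Both sample files, the user list and the check_local_users_only helper name are constructed for the example.

```python
"""Audit an AIX LDAP client configuration for the two settings discussed
in the thread: delegated authentication (authtype:ldap_auth) and
local-only users pinned to the files registry in /etc/security/user."""

from typing import Dict, List

# Constructed sample of /etc/security/ldap/ldap.cfg (key:value directives).
LDAP_CFG = """\
# Authentication type. Valid values are unix_auth and ldap_auth.
authtype:ldap_auth
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userclasses:posixaccount,shadowaccount
searchmode:OS
defaultentrylocation:local
"""

# Constructed sample of /etc/security/user in AIX stanza format.
# 'opsadmin' is deliberately missing 'registry = files' so the audit has a finding.
USER_STANZAS = """\
* system-wide defaults
default:
        admin = false
        login = true
        SYSTEM = "compat"

root:
        admin = true
        SYSTEM = "files"
        registry = files

opsadmin:
        SYSTEM = "files"

appuser:
        SYSTEM = "LDAP"
        registry = LDAP
"""

# Constructed: accounts that must never be resolved through LDAP.
LOCAL_ONLY_USERS = ["root", "opsadmin"]


def parse_ldap_cfg(text: str) -> Dict[str, str]:
    """Parse secldapclntd directives; keys are lower-cased, comments skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an AIX stanza file into {stanza_name: {attr: value}}.
    A stanza starts with an unindented 'name:' line; attributes are indented
    'attr = value' lines; lines starting with '*' are comments."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("*"):
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = raw.strip()[:-1]
            stanzas[current] = {}
            continue
        if current is None:
            continue
        key, sep, value = raw.partition("=")
        if sep:
            # Values may be quoted, e.g. SYSTEM = "files"; compare them unquoted.
            stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas


def check_local_users_only(cfg: Dict[str, str],
                           stanzas: Dict[str, Dict[str, str]],
                           local_only: List[str]) -> List[str]:
    """Return one finding per misconfiguration; an empty list means all good."""
    findings: List[str] = []
    if cfg.get("authtype") != "ldap_auth":
        findings.append(
            "ldap.cfg: authtype should be ldap_auth so passwords are never "
            "fetched from the directory (found %s)" % (cfg.get("authtype") or "default"))
    for user in local_only:
        attrs = stanzas.get(user, {})
        for attr in ("SYSTEM", "registry"):
            if attrs.get(attr) != "files":
                findings.append("%s: %s should be files (found %s)"
                                % (user, attr, attrs.get(attr) or "default"))
    return findings


def run_audit() -> List[str]:
    """Run the audit over the embedded sample files."""
    return check_local_users_only(parse_ldap_cfg(LDAP_CFG),
                                  parse_stanzas(USER_STANZAS),
                                  LOCAL_ONLY_USERS)


if __name__ == "__main__":
    for finding in run_audit() or ["no findings"]:
        print(finding)
```

On a real host the two constants would be replaced by the contents of /etc/security/ldap/ldap.cfg and /etc/security/user; the 'default' value in a finding means the attribute is inherited from the default stanza rather than set on the user, which is exactly the case the thread warns about.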