Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


#Power


#Power

 View Only
  • 1.  LDAP Config issues

    Posted Thu May 29, 2025 11:24 AM

    We have our AIX fleet configured for LDAP and it is working. The issue I am running into is there is another OU I need to add in order to access other groups. I am trying to figure out how to add this into the ldap.cfg to get it working. Below is our config:

    ##


    ldapservers:unixldap.test.com
    binddn:cn=LDAPUNIX,ou=UNIX,ou=DATA,o=AUTH
    bindpwd:XXxxXXxx
    authtype:ldap_auth
    useSSL: yes
    ldapsslkeyf:/etc/security/ldap/clientkey.kdb
    userattrmappath:/etc/security/ldap/2307user.map
    groupattrmappath:/etc/security/ldap/2307group.map
    userbasedn:ou=USERS,ou=USERS,o=AUTH??(|(groupmembership=cn= RPAU_N_UT_Unix-Servers,ou=Resource,ou=Groups,ou=UNIX,ou=DATA,o=AUTH)(groupmembership=cn=RPAU_N_UT_Unix-Server-srvtest1195,ou=Resource,ou=Groups,ou=UNIX,ou=DATA,o=hnbauth))
    userbasedn:ou=Accounts,ou=UNIX,ou=data,o=AUTH??(|(groupmembership=cn= RPAU_N_UT_Unix-Servers,ou=Resource,ou=Groups,ou=UNIX,ou=DATA,o=AUTH)(groupmembership=cn=RPAU_N_UT_Unix-Server-srvtest1195,ou=Resource,ou=Groups,ou=UNIX,ou=DATA,o=auth))
    groupbasedn:ou=UNIX,ou=DATA,o=AUTH??(gidnumber<=20000)
    userclasses:posixAccount
    groupclasses:posixGroup
    ldapversion:3
    ldapport:389
    ldapsslport:636
    defaultentrylocation:local
    ldaptimeout:90
    memberfulldn: no
    host    unixldap.test.com
    base    ou=USERS,ou=USERS,o=AUTH
    binddn  cn=LDAPUNIX,ou=UNIX,ou=data,o=auth
    bindpw  XXxxXXxx
    SUDOERS_SEARCH_FILTER (sudoHost=srvtest1195)
    SUDOERS_BASE ou=sudoers,ou=UNIX,ou=DATA,o=AUTH

    ##

    OU to add

    ou=GROUPS,o=AUTH

    Not sure what else is needed to look at it.



    ------------------------------
    Joshua Krause
    ------------------------------

    #AIXOpenSource


  • 2.  RE: LDAP Config issues

    Posted Fri May 30, 2025 09:11 AM

    Joshua,

    You can have up to 10 base DNs for users:

    Detailed information
    Multiple base DNs

    All the base DN attributes accept multiple values, with each <basedn>: <value> pair on a separate line. For example, to allow users in the ou=dept1users,cn=aixdata base DNs and the ou=dept2users,cn=aixdata base DNs to log in to the system, you can specify the userbasedn attribute as follows:

        userbasedn: ou=dept1users,cn=aixdata
        userbasedn: ou=dept2users,cn=aixdata

    You can specify up to 10 base DNs for each entity in the /etc/security/ldap/ldap.cfg file. The base DNs are prioritized in the order that they appear in the /etc/security/ldap/ldap.cfg file. The following list describes the system behaviors with regards to multiple base DNs:

      * Query operations, such as the lsuser command, are done according to the base DN order that is specified until a matching account is found. A failure is returned only if all the base DNs are searched without finding a match.
      * Modification operations, such as the chuser command, are done to the first matching account.
      * Deletion operations, such as the rmuser command, are done to the first matching account.
      * Creation operations, such as the mkuser command, are done only to the first base DN.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------
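An added example, written for this thread and not taken from either post or from IBM's documentation, that applies Andrey's multiple-base-DN rules to Joshua's request to add ou=GROUPS,o=AUTH: a small POSIX shell script that appends a base DN line to an ldap.cfg as the lowest-priority entry (so the existing lookup order, and therefore "first matching account" behaviour, is unchanged), refuses to exceed the 10-entries-per-attribute limit, compares only the DN part of a line so an existing "??filter" suffix does not cause a false mismatch, and checks that the file is not group- or world-readable because bindpwd is stored in cleartext. It assumes the attr:value layout shown in the thread; the host/base/bindpw/SUDOERS_* lines at the end of Joshua's file are a different format and are skipped. The file path and all sample values are constructed placeholders, and whether the new OU belongs under groupbasedn (as "access other groups" suggests) or userbasedn is for Joshua to decide.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): manage base DN lines in
# an AIX-style ldap.cfg. Only "attr:value" lines are considered; lines
# without a colon (host, base, SUDOERS_*) are ignored. Placeholder values.

# count_basedn FILE ATTR -> number of active (uncommented) ATTR lines
count_basedn() {
    awk -v attr="$2" '
        /^[[:space:]]*#/ { next }
        {
            i = index($0, ":"); if (i == 0) next      # not an attr:value line
            a = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", a)
            if (a == attr) n++
        }
        END { print n + 0 }' "$1"
}

# has_basedn FILE ATTR DN -> exit 0 if DN is already configured for ATTR.
# Only the DN part is compared; an optional "??filter" suffix is ignored.
# (awk -v interprets backslash escapes; DNs here contain none.)
has_basedn() {
    awk -v attr="$2" -v dn="$3" '
        /^[[:space:]]*#/ { next }
        {
            i = index($0, ":"); if (i == 0) next
            a = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", a)
            if (a != attr) next
            v = substr($0, i + 1); sub(/^[[:space:]]+/, "", v)
            f = index(v, "??"); if (f > 0) v = substr(v, 1, f - 1)
            sub(/[[:space:]]+$/, "", v)
            if (v == dn) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# add_basedn FILE ATTR DN -> appends "ATTR: DN" as the lowest-priority entry.
# Exit status: 0 added, 2 already present, 3 ATTR already has 10 entries.
add_basedn() {
    if has_basedn "$1" "$2" "$3"; then
        echo "$2 already contains $3" >&2
        return 2
    fi
    if [ "$(count_basedn "$1" "$2")" -ge 10 ]; then
        echo "$2 already has 10 entries, the AIX limit" >&2
        return 3
    fi
    printf '%s: %s\n' "$2" "$3" >> "$1"
}

# check_cfg_perms FILE -> exit 0 when neither group nor other can read FILE.
# ldap.cfg carries bindpwd in cleartext, so anything wider is a finding.
check_cfg_perms() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????-??-??) return 0 ;;   # chars 5 and 8 are the group/other read bits
        *)          return 1 ;;
    esac
}

# Demo on a constructed file mirroring the poster's layout (placeholder values).
demo() {
    cfg=${TMPDIR:-/tmp}/ldap.cfg.example.$$
    umask 077
    cat > "$cfg" <<'EOF'
ldapservers:unixldap.example.com
binddn:cn=LDAPUNIX,ou=UNIX,ou=DATA,o=AUTH
bindpwd:PLACEHOLDER
# existing entries keep their priority; new ones are appended after them
userbasedn:ou=Accounts,ou=UNIX,ou=data,o=AUTH??(gidnumber<=20000)
groupbasedn:ou=UNIX,ou=DATA,o=AUTH??(gidnumber<=20000)
host    unixldap.example.com
EOF
    add_basedn "$cfg" groupbasedn "ou=GROUPS,o=AUTH"
    add_basedn "$cfg" groupbasedn "ou=GROUPS,o=AUTH" || echo "second add skipped (status $?)"
    echo "groupbasedn entries now: $(count_basedn "$cfg" groupbasedn)"
    check_cfg_perms "$cfg" && echo "permissions ok"
    rm -f "$cfg"
}
# On a real AIX host, after editing /etc/security/ldap/ldap.cfg as root:
# restart-secldapclntd, then lsgroup -R LDAP ALL to confirm the new groups resolve.
demo
```

Run it against a copy of the file first. Note that the existing groupbasedn line in Joshua's config carries a ??(gidnumber<=20000) filter while the appended line has none, so every posixGroup under ou=GROUPS,o=AUTH becomes visible to the client; if that is too broad, pass the DN with the same "??filter" suffix and the script stores it as given.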