Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


#Power


  • 1.  openldap for AIX User authentication

    Posted Tue October 25, 2022 02:21 AM

    Hi all, does anyone have a working setup to use AIX/openldap for AIX authentication?

    We use AIX 7.2 and openldap-2.4.58-3.

    At the moment we get this error starting secldapclntd:
    start-secldapclntd
    Starting the secldapclntd daemon.
    exec(): 0509-036 Cannot load program /usr/sbin/secldapclntd because of the following errors:
    0509-150 Dependent module libibmldap.a could not be loaded.
    0509-022 Cannot load module libibmldap.a.
    0509-026 System error: A file or directory in the path name does not exist.
    exec(): 0509-036 Cannot load program /usr/sbin/secldapclntd because of the following errors:
    0509-150 Dependent module libibmldap.a could not be loaded.
    0509-022 Cannot load module libibmldap.a.
    0509-026 System error: A file or directory in the path name does not exist.
    The secldapclntd daemon failed to start.

    Any feedback is highly appreciated. Lukas



    ------------------------------
    Lukas Schmid / Switzerland
    ------------------------------

    #AIXOpenSource


  • 2.  RE: openldap for AIX User authentication

    Posted Tue October 25, 2022 02:13 PM
    Do you have openldap installed from the AIX Toolbox?
    Looks like you have ibmldap and are trying to start that, and it does not have the ibmldap libraries.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 3.  RE: openldap for AIX User authentication

    Posted Wed October 26, 2022 04:18 AM
    Hi Lukas,

    Seems that there are missing links.
    Creation of the links is done by
    /opt/IBM/ldap/[VERSION]/bin/idslink -f -q -i -l 64
    /opt/IBM/ldap/[VERSION]/bin/idslink -f -q -i -l 32

    but sometimes the following two links are not added:
    ln -s /opt/IBM/ldap/V6.4/bin/idsldapadd /usr/bin/idsldapadd
    ln -s /opt/IBM/ldap/V6.4/lib/libidsldap.a /usr/lib/libibmldap.a

    From https://www.ibm.com/docs/en/aix/7.1?topic=module-setting-up-security-directory-server:
    ===SNIP===
    If the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) support is required, you must also install the Global Security Kit Version 8 (GSKitV8) package for the IBM Security Directory Server version 6.4. The system administrator must create a key database by using the GSKit key management command. You can use either the gsk8capicmd or gsk8capicmd_64 command that is available with the GSKitV8 package. For more information about configuring the LDAP server to use SSL, see the Secure Communication with SSL topic.
    ===SNAP===

    From the same page, for client packages you may ignore idsldap.srv*.
    Example:
    lslpp -l ids\*
    Fileset                            Level     State      Description
    ----------------------------------------------------------------------------
    Path: /usr/lib/objrepos
    idsldap.clt32bit64.rte             6.4.0.16  COMMITTED  Directory Server - 32 bit Client
    idsldap.clt64bit64.rte             6.4.0.16  COMMITTED  Directory Server - 64 bit Client
    idsldap.clt_max_crypto32bit64.rte  6.4.0.16  COMMITTED  Directory Server - 32 bit Client (SSL)
    idsldap.clt_max_crypto64bit64.rte  6.4.0.16  COMMITTED  Directory Server - 64 bit Client (SSL)
    idsldap.cltbase64.adt              6.4.0.16  COMMITTED  Directory Server - Base Client
    idsldap.cltbase64.rte              6.4.0.16  COMMITTED  Directory Server - Base Client
    idsldap.license64.rte              6.4.0.16  COMMITTED  Directory Server - License
    idsldap.msg64.en_US                6.4.0.16  COMMITTED  Directory Server - Messages - U.S. English (en)

    Path: /etc/objrepos
    idsldap.clt32bit64.rte             6.4.0.16  COMMITTED  Directory Server - 32 bit Client
    idsldap.clt64bit64.rte             6.4.0.16  COMMITTED  Directory Server - 64 bit Client
    idsldap.cltbase64.rte              6.4.0.16  COMMITTED  Directory Server - Base Client

    If you want to use TLS 1.2 you have to define

    export LDAP_OPT_SECURITY_PROTOCOL=TLS12
    export LDAP_OPT_SSL_CIPHER_EX=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    export LDAP_OPT_JAVA_SECURITY_PROTOCOL=TLSv1.2

    before using mksecldap, start-secldapclntd and restart-secldapclntd.

    For the last two commands we add this inside the script, and again every time after an update on top :-(

    regards





    ------------------------------
    Juergen Maehlmann
    ------------------------------



  • 4.  RE: openldap for AIX User authentication

    Posted Fri October 28, 2022 06:17 AM

    Hi Juergen,

    Thanks for your feedback. We do *not* use the IBM/AIX LDAP software at all. The goal is to use openldap only, without any other IBM-based software. Hence the question: does someone have such a configuration up and running?

    If yes, would it be possible to share the configuration?

    Many thanks in advance, Lukas



    ------------------------------
    Lukas Schmid
    ------------------------------



  • 5.  RE: openldap for AIX User authentication

    Posted Sun October 30, 2022 12:55 PM
    First you need to install openldap. From your output it looks like you have ibmldap.
    The configuration of openldap will be the same as on any other platform.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 6.  RE: openldap for AIX User authentication

    Posted Tue November 08, 2022 10:53 AM
    Hi Lukas,

    secldapclntd needs the IBM LDAP client (idsldap); this is a prerequisite. In our environment we use openldap, but only for sudo (getting sudo rules via LDAP).

    Note, about the library error you have: after installing the IBM LDAP client we had to link it to get it to work. See the example below (our Puppet code for deploying the LDAP config on AIX):
      # symlink the IBM Directory Server client library under the name secldapclntd loads
      file { '/usr/lib/libibmldap.a':
        ensure  => 'link',
        target  => '/opt/IBM/ldap/V6.4/lib/libidsldap.a',
      }


    ------------------------------
    Lionel Widmer
    ------------------------------
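An added example, not code from any of the posts above: a small sh script that turns the libibmldap.a link from Juergen's and Lionel's replies into an idempotent check (it refuses to overwrite anything else sitting at that path) and exports the TLS 1.2 variables from Juergen's post before restarting the daemon. The paths are the ones quoted in the thread; IDS_ROOT and LIB_DIR are assumed names used only to override them.

```shell
#!/bin/sh
# Added example (not from the thread). secldapclntd loads libibmldap.a, while the
# IBM Security Directory Server client ships the library as libidsldap.a, so this
# link is what the "0509-150 Dependent module libibmldap.a could not be loaded"
# error is missing. IDS_ROOT / LIB_DIR are assumed override names for testing.

# Exit codes: 0 link usable, 1 client library not installed, 2 something else
# already occupies the link path (left untouched for a human to inspect).
ensure_ibmldap_link() {
    target="${IDS_ROOT:-/opt/IBM/ldap/V6.4}/lib/libidsldap.a"
    link="${LIB_DIR:-/usr/lib}/libibmldap.a"
    if [ ! -f "$target" ]; then
        echo "missing $target: install the idsldap.clt*64.rte filesets first" >&2
        return 1
    fi
    if [ -L "$link" ] && [ "$link" -ef "$target" ]; then
        echo "ok: $link -> $target"
        return 0
    fi
    if [ -e "$link" ] || [ -L "$link" ]; then
        echo "conflict: $link exists but does not point at $target" >&2
        return 2
    fi
    ln -s "$target" "$link" && echo "created: $link -> $target"
}

# The TLS 1.2 environment from Juergen's post, which he says must be defined
# before running mksecldap, start-secldapclntd or restart-secldapclntd.
tls12_env() {
    LDAP_OPT_SECURITY_PROTOCOL=TLS12
    LDAP_OPT_SSL_CIPHER_EX=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    LDAP_OPT_JAVA_SECURITY_PROTOCOL=TLSv1.2
    export LDAP_OPT_SECURITY_PROTOCOL LDAP_OPT_SSL_CIPHER_EX LDAP_OPT_JAVA_SECURITY_PROTOCOL
}

# Wrapper to run after each AIX or idsldap update instead of editing the
# shipped restart-secldapclntd script.
restart_secldapclntd() {
    ensure_ibmldap_link || return $?
    tls12_env
    /usr/sbin/restart-secldapclntd
}

case "${1:-}" in
    check)   ensure_ibmldap_link ;;
    restart) restart_secldapclntd ;;
esac
```

Run it as `sh script.sh check` to report the link state without changing the daemon, or `sh script.sh restart` to fix the link, set the TLS variables and restart secldapclntd in one go.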