AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system
  • 1.  LDAP Config issues

    Posted 20 days ago

    We have our AIX fleet configured for ldap and it is working.  The issue I am running into is there is another OU I need to add in order to access other groups.  I am trying to figure out how to add this into the ldap.cfg to get it working.  Below is our config:

    ##

    ldapservers:unixldap.test.com
    binddn:cn=LDAPUNIX,ou=UNIX,ou=DATA,o=AUTH
    bindpwd:XXxxXXxx
    authtype:ldap_auth
    useSSL: yes
    ldapsslkeyf:/etc/security/ldap/clientkey.kdb
    userattrmappath:/etc/security/ldap/2307user.map
    groupattrmappath:/etc/security/ldap/2307group.map
    userbasedn:ou=USERS,ou=USERS,o=AUTH??(|(groupmembership=cn= RPAU_N_UT_Unix-Servers,ou=Resource,ou=Groups,ou=UNIX,ou=DATA,o=AUTH)(groupmembership=cn=RPAU_N_UT_Unix-Server-srvtest1195,ou=Resource,ou=Groups,ou=UNIX,ou=DATA,o=hnbauth))
    userbasedn:ou=Accounts,ou=UNIX,ou=data,o=AUTH??(|(groupmembership=cn= RPAU_N_UT_Unix-Servers,ou=Resource,ou=Groups,ou=UNIX,ou=DATA,o=AUTH)(groupmembership=cn=RPAU_N_UT_Unix-Server-srvtest1195,ou=Resource,ou=Groups,ou=UNIX,ou=DATA,o=auth))
    groupbasedn:ou=UNIX,ou=DATA,o=AUTH??(gidnumber<=20000)
    userclasses:posixAccount
    groupclasses:posixGroup
    ldapversion:3
    ldapport:389
    ldapsslport:636
    defaultentrylocation:local
    ldaptimeout:90
    memberfulldn: no
    host    unixldap.test.com
    base    ou=USERS,ou=USERS,o=AUTH
    binddn  cn=LDAPUNIX,ou=UNIX,ou=data,o=auth
    bindpw  XXxxXXxx
    SUDOERS_SEARCH_FILTER (sudoHost=srvtest1195)
    SUDOERS_BASE ou=sudoers,ou=UNIX,ou=DATA,o=AUTH

    ##

    OU to add

    ou=GROUPS,o=AUTH

    Not sure what else is needed to look at it.



    ------------------------------
    Joshua Krause
    ------------------------------


  • 2.  RE: LDAP Config issues

    Posted 19 days ago

    Joshua,

    you can have up to 10 base DNs for users:

    Detailed information
    Multiple base DNs
        All the base DN attributes accept multiple values, with each <basedn>: <value> pair on a separate line. For example, to allow users in the ou=dept1users,cn=aixdata base DNs and the ou=dept2users,cn=aixdata base DNs to log in to the system, you can specify the userbasedn attribute as follows:

        userbasedn: ou=dept1users,cn=aixdata
        userbasedn: ou=dept2users,cn=aixdata

        You can specify up to 10 base DNs for each entity in the /etc/security/ldap/ldap.cfg file. The base DNs are prioritized in the order that they appear in the /etc/security/ldap/ldap.cfg file. The following list describes the system behaviors with regards to multiple base DNs:
        * Query operations, such as the lsuser command, are done according to the base DN order that is specified until a matching account is found. A failure is returned only if all the base DNs are searched without finding a match.
        * Modification operations, such as the chuser command, are done to the first matching account.
        * Deletion operations, such as the rmuser command, are done to the first matching account.
        * Creation operations, such as the mkuser command, are done only to the first base DN.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------
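A small linter for the multiple-base-DN rules quoted in the reply, added here as an example (it is not code from either post or from IBM): it parses ldap.cfg-style `attribute:value` lines, splits the `dn?scope?filter` form used in the first post (treating the empty field in `dn??(filter)` as the scope is an assumption), lists the search order of each base DN, warns when an entity exceeds 10 entries, and flags DNs inside a filter whose suffix differs from the base DN's suffix. The sample config is constructed, modelled on the first post with the group OU from the question appended as a second groupbasedn line, since the quoted documentation says all base DN attributes accept multiple values.

```python
import re

MAX_BASEDNS = 10  # AIX accepts at most 10 base DNs per entity in ldap.cfg

# Constructed sample modelled on the first post, plus the extra group OU from the question.
SAMPLE_CFG = """\
binddn:cn=LDAPUNIX,ou=UNIX,ou=DATA,o=AUTH
userbasedn:ou=USERS,ou=USERS,o=AUTH??(|(groupmembership=cn=Unix-Servers,ou=Groups,o=AUTH)(groupmembership=cn=srvtest1195,ou=Groups,o=hnbauth))
userbasedn:ou=Accounts,ou=UNIX,ou=data,o=AUTH??(gidnumber<=20000)
groupbasedn:ou=UNIX,ou=DATA,o=AUTH??(gidnumber<=20000)
groupbasedn:ou=GROUPS,o=AUTH
host    unixldap.test.com
"""

def parse_ldap_cfg(text):
    """Map attribute -> values in file order; '#' comments and colon-less lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg

def split_basedn(value):
    """Split 'dn?scope?filter' into (dn, scope, filter); assumes '??' means an empty scope."""
    parts = value.split("?", 2) + ["", ""]
    return parts[0], parts[1], parts[2]

def suffix(dn):
    """Last RDN of a DN, lower-cased so o=AUTH and o=auth compare equal."""
    return dn.rsplit(",", 1)[-1].strip().lower()

def lint_basedns(cfg):
    """Report search order, the 10-entry limit, and filter DNs that sit on a foreign suffix."""
    findings = []
    for entity in ("userbasedn", "groupbasedn"):
        values = cfg.get(entity, [])
        if len(values) > MAX_BASEDNS:
            findings.append(f"{entity}: {len(values)} entries exceed the limit of {MAX_BASEDNS}")
        for rank, value in enumerate(values, 1):
            dn, _scope, flt = split_basedn(value)
            findings.append(f"{entity}: search order {rank}: {dn}")
            # any cn=... DN embedded in the filter should share the base DN's suffix
            for embedded in re.findall(r"=\s*(cn=[^)]+)", flt):
                if suffix(embedded) != suffix(dn):
                    findings.append(f"{entity}: order {rank}: filter DN on {suffix(embedded)!r}, base on {suffix(dn)!r}")
    return findings
```

Run it with `print("\n".join(lint_basedns(parse_ldap_cfg(SAMPLE_CFG))))`; on a real host, read /etc/security/ldap/ldap.cfg into `parse_ldap_cfg` instead of the sample.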