AIX

  • 1.  nss_ldap on aix 5.3

    Posted Thu November 15, 2007 11:12 AM

    Originally posted by: SystemAdmin


    Hi, I'm trying the module nss_ldap (http://www.padl.com/OSS/nss_ldap.html) on my AIX 5.3.
    In the past (with AIX 4.3) it worked perfectly, but with 5.3 it does not work.

    My problem is with telnet; for example, if I try to log in with an LDAP user I obtain the following error:

    3004-008 Failed setting credentials.
    Connection closed by foreign host.

    However, I see the LDAP user with the command "id":

    AIX:/# id ldapuser
    uid=1000(ldapuser) gid=1000(ldapgroup)

    My config:

    /etc/ldap.conf

    HOST 192.168.1.100
    BASE o=rootldap
    URI ldap://192.168.1.100

    nss_base_passwd o=rootldap?sub
    nss_base_shadow o=rootldap?sub
    nss_base_group o=rootldap?sub

    /usr/lib/security/methods.cfg (module compiled successfully)

    LDAP:
    program = /usr/lib/security/NSS_LDAP

    perms of module:

    AIX:/# ls -l /usr/lib/security/NSS_LDAP
    -rwxr-xr-x 1 root root 1541242 Oct 23 16:21 /usr/lib/security/NSS_LDAP

    /etc/security/user

    SYSTEM = "compat or LDAP"

    also tried

    SYSTEM = "LDAP or compat"
    The previous configuration works with AIX 4.3.

    Can anyone help me?

    Thanks


  • 2.  Re: nss_ldap on aix 5.3

    Posted Thu November 15, 2007 11:18 AM

    Originally posted by: SystemAdmin


    Why not use the IBM AIX supported LDAP authentication?
    Don't expect the PADL stuff to work in AIX unless you do some things that require quite a bit of extra effort or you change the system authorization to PAM_AUTH and then IBM won't support you in getting it to work.

    Install the LDAP client and use mksecldap -c to configure the AIX LDAP client which is fully supported and documented in the Security Guide and the Redbook.


  • 3.  Re: nss_ldap on aix 5.3

    Posted Thu November 15, 2007 11:27 AM

    Originally posted by: SystemAdmin


    Hi,

    Is the AIX LDAP client compatible with an OpenLDAP server?
    The server is OpenLDAP on Linux.

    Thanks


  • 4.  Re: nss_ldap on aix 5.3

    Posted Thu November 15, 2007 11:32 AM

    Originally posted by: SystemAdmin


    Yes, the AIX client is compatible with OpenLDAP supporting RFC2307.


  • 5.  Re: nss_ldap on aix 5.3

    Posted Thu November 15, 2007 12:48 PM

    Originally posted by: SystemAdmin


    Hi,

    I read the documentation of secldap.

    My config:

    # mksecldap -c -a cn=Manager,o=rootldap -p mypass -d o=rootldap -h 192.168.1.100 -A ldap_auth

    bind correctly

    # ls-secldapclntd
    ldapservers=192.168.1.100
    ldapport=389
    ldapversion=3
    userbasedn=o=rootldap
    groupbasedn=o=rootldap
    idbasedn=
    usercachesize=1000
    usercacheused=0
    groupcachesize=100
    groupcacheused=0
    usercachetimeout=300
    groupcachetimeout=300
    heartbeatT=300
    numberofthread=10
    connectionsperserver=10
    alwaysmaster=no
    authtype=LDAP_AUTH
    searchmode=ALL
    defaultentrylocation=LDAP
    ldaptimeout=60
    userobjectclass=posixaccount,account,shadowaccount
    groupobjectclass=posixgroup

    but telnet doesn't work

    (AIX) Usuario: ldapuser
    ldapuser's Password:
    3004-007 You entered an invalid login name or password.


  • 6.  Re: nss_ldap on aix 5.3

    Posted Thu November 15, 2007 03:44 PM

    Originally posted by: SystemAdmin


    Running mksecldap enables the AIX client to use the LDAP server and you should be able to see the users with 'lsldap passwd' and also with lsuser -R LDAP, but it does not enable the user for authentication. You really need to read the white paper and Redbook.
    The user (or default user) in /etc/security/user needs to have the SYSTEM parameter set to LDAP.

    lsuser username

    This should show SYSTEM=LDAP
    # chuser registry=LDAP SYSTEM=LDAP olduser
    and
    # chuser -R LDAP registry=LDAP SYSTEM=LDAP olduser

    Then olduser should be able to log in.


  • 7.  Re: nss_ldap on aix 5.3

    Posted Fri November 16, 2007 05:57 AM

    Originally posted by: grukrz1


    It is very well described in IBM's books, e.g.

    http://www.redbooks.ibm.com/abstracts/sg247165.html

    http://www-1.ibm.com/servers/aix/whitepapers/ldap_client.pdf


  • 8.  Re: nss_ldap on aix 5.3

    Posted Fri November 16, 2007 08:52 AM

    Originally posted by: SystemAdmin


    OK, thanks.
    Now I can do telnet with an LDAP user, but not with ssh.
    I'm using OpenSSH in AIX.

    Can I authenticate LDAP users through ssh?

    thanks


  • 9.  Re: nss_ldap on aix 5.3

    Posted Fri November 16, 2007 09:34 AM

    Originally posted by: SystemAdmin


    Although you don't have to change to PAM authentication, if my memory serves me right you need to change the sshd configuration file to set
    UsePAM yes

    If my memory serves me right the file is
    /etc/ssh/sshd_config
    Make sure this is the sshd_config file for your running sshd daemon.

    You will also need to refresh/recycle the sshd daemon.
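An added example, not code from this thread or from IBM: a POSIX sh audit of the two settings that posts 6 and 9 turn out to need before an LDAP user can log in over ssh on the AIX client, namely the user's SYSTEM and registry attributes in /etc/security/user (post 6) and UsePAM yes in /etc/ssh/sshd_config (post 9). The sample files it parses are constructed inline for the demonstration; the function names, and the exact stanza and keyword layout the parsers accept, are my assumptions. On a real host you would point the functions at the live files instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit what posts 6 and 9 say an LDAP user
# needs before ssh logins work on the AIX client: SYSTEM/registry attributes in
# /etc/security/user, and UsePAM in sshd_config. The sample files below are
# constructed for the demonstration, not copied from any real host.

# Effective UsePAM value from an sshd_config: the first uncommented occurrence of
# a keyword wins (OpenSSH semantics), and the compiled-in default is "no".
sshd_use_pam() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            gsub(/=/, " ", line)          # sshd also accepts "UsePAM=yes"
            n = split(line, f)
            if (n >= 2 && tolower(f[1]) == "usepam") { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Value of one attribute for one user from an AIX stanza file such as
# /etc/security/user: the user's own stanza wins, otherwise the "default" stanza.
# Usage: user_auth_attr FILE USER ATTRIBUTE
user_auth_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[[:space:]]*\*/ { next }                                   # comments start with *
        /^[^[:space:]].*:[[:space:]]*$/ { stanza = $0; sub(/:.*/, "", stanza); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/"/, "", v)                                          # SYSTEM = "LDAP" is quoted
            if (k != attr) next
            if (stanza == user) { val = v; found = 1 }
            else if (stanza == "default") def = v
        }
        END { print (found ? val : def) }
    ' "$1"
}

# Returns 0 when USER is set up the way the thread ends up: SYSTEM includes LDAP,
# registry is LDAP, and sshd has UsePAM yes. Each missing piece is reported on stderr.
# Usage: ldap_ssh_login_ready SSHD_CONFIG SECURITY_USER_FILE USER
ldap_ssh_login_ready() {
    sys=$(user_auth_attr "$2" "$3" SYSTEM)
    reg=$(user_auth_attr "$2" "$3" registry)
    pam=$(sshd_use_pam "$1")
    ok=0
    case "$sys" in
        *LDAP*) ;;
        *) echo "$3: SYSTEM=\"$sys\" does not include LDAP" >&2; ok=1 ;;
    esac
    [ "$reg" = LDAP ] || { echo "$3: registry=$reg, expected LDAP" >&2; ok=1; }
    [ "$pam" = yes ] || { echo "sshd: UsePAM=$pam, LDAP logins over ssh need UsePAM yes" >&2; ok=1; }
    return $ok
}

# --- constructed sample input (removed again when the script exits) -----------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sshd_config: the commented-out line must not count
Port 22
#UsePAM no
UsePAM yes
Subsystem sftp /usr/sbin/sftp-server
EOF
cat > "$SAMPLE_DIR/sshd_config.nopam" <<'EOF'
Port 22
#UsePAM yes
EOF
cat > "$SAMPLE_DIR/user" <<'EOF'
* constructed /etc/security/user: ldapuser was switched with
* chuser registry=LDAP SYSTEM=LDAP, olduser still inherits the defaults
default:
        admin = false
        login = true
        SYSTEM = "compat"
        registry = files

ldapuser:
        SYSTEM = "LDAP"
        registry = LDAP

olduser:
        login = true
EOF

for u in ldapuser olduser; do
    if ldap_ssh_login_ready "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/user" "$u"; then
        echo "$u: ready for LDAP login over ssh"
    fi
done
```

Run the functions against the live files before refreshing sshd: an account that lsuser -R LDAP can see but whose SYSTEM attribute still inherits "compat" from the default stanza is exactly the situation post 6 describes, and this check reports it without attempting a login.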


  • 10.  Re: nss_ldap on aix 5.3

    Posted Fri November 16, 2007 10:54 AM

    Originally posted by: SystemAdmin


    Thanks, works perfectly.