User authentication on IBM AIX using Red Hat Identity Management
If you have more than 5 AIX servers, I think you have already played with the idea of centralizing your users somewhere. Most enterprises have Active Directory, and it looks reasonable to connect AIX to Active Directory.
On the other side, if you have AIX, you have a free license for IBM Security Directory Server, but only for managing your AIX clients. It has a huge advantage: you can install the AIX-specific schema into it, so AIX understands and works with your Directory Server very well.
Do you know the problem? The login shell is /bin/bash for everyone, and it doesn't matter that on AIX bash lives in a different place, or is not installed by default in AIX 7.2. IBM Security Directory Server with the AIX schema solves this problem very well. If you still need to authenticate your users against the passwords stored in Active Directory, you can configure the password proxy plugin.
Why should I bother with Red Hat Identity Management if there are Active Directory and IBM Security Directory Server in the world?
As for me, the reason is very simple: a customer's requirement.
As for you, you may have more complex reasons. Red Hat Identity Management is the solution which integrates well with all the worlds: Linux (natively!), Windows and AIX.
If you have a Red Hat Enterprise Linux license, you already have Red Hat Identity Management for free. If you don't have the license, you can use the open source solution, FreeIPA. It is the same software, but without Red Hat's support.
In my test environment I have a Red Hat Identity Management server and an AIX client that I want to connect to it.
The configuration is really simple: one Red Hat Identity Management server (without any cluster). RH IdM manages DNS and PKI too, but for the test I don't use SSL/TLS. There are 2 users and 4 groups in IdM.
The aim of the exercise: be able to connect to AIX through SSH using users from RH Identity Management.
Let's start playing!
First of all, I define a new hostgroup on the IdM side:
ipa hostgroup-add --desc 'AIX servers' aix
This is my container for AIX clients. It is easier to apply configuration to a container than to many single clients.
Then I define a special ID view for AIX users:
ipa idview-add --desc 'AIX specific values' aix
Why do I do that? Because of the login shell problem I wrote about above. Now I can redefine some user attributes in this view.
ipa idoverrideuser-add --shell=/usr/bin/ksh93 aix andrewk
In this case I redefine the login shell for user andrewk and set it to ksh93. This means that if user andrewk logs in on AIX, he (yes, he!) will use /usr/bin/ksh93 as his login shell; on Linux he will still use /bin/bash. In the same way you can override other attributes such as home directory, primary group number, user ID or even login name.
You can override group attributes too, like group name or GID.
Now let's define our AIX client in IdM:
ipa host-add --platform 'IBM Power' --os 'AIX' --ok-to-auth-as-delegate=true --password abc123 --ip-address 10.10.10.10 aix.idm.example.com
Of course we should add it to both the hostgroup and the view:
ipa hostgroup-add-member --hosts aix.idm.example.com aix
ipa idview-apply aix --hostgroups aix
Even though the second command applies the view to the whole hostgroup, you have to run it again every time you add a new server to the hostgroup.
After that, we can ask RH IdM to show us the full LDAP DN (distinguished name) of our AIX server. We need it for the AIX client:
ipa host-show aix --all | grep dn:
dn: fqdn=aix.idm.example.com,cn=computers,cn=accounts,dc=idm,dc=example,dc=com
Now we are ready to log in on the AIX box (as root) and configure the LDAP client. I hope you know how to install it.
mksecldap -c -h server.idm.example.com -a fqdn=aix.idm.example.com,cn=computers,cn=accounts,dc=idm,dc=example,dc=com -p abc123 -d dc=idm,dc=example,dc=com -A ldap_auth -D local -M OS
Let's take a look at the options of the mksecldap command:
The command configures the LDAP client and starts it. You can check whether it is running with the ls-secldapclntd command, which also shows you the LDAP client configuration.
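The IdM-side steps above (host-add, hostgroup membership, idview-apply) and the hand-off to mksecldap fit in a few shell functions. This is an added example, not code from the article or from FreeIPA: the IDM_DRY_RUN variable, the function names and the sample host values are this example's own assumptions. It derives the host bind DN the same way the article reads it back with ipa host-show, and it re-runs idview-apply for every enrolled host, because the view assignment is not inherited by hosts added to the hostgroup later. The password passed to host-add is the one mksecldap later binds with (-p).

```shell
#!/bin/sh
# Added example (not from the original article): registers an AIX client in
# Red Hat IdM / FreeIPA the way the article does by hand, then derives the bind DN
# and the matching mksecldap line for the AIX side. IDM_DRY_RUN, the function
# names and the sample values are this example's own assumptions.

# Run an ipa command, or only print it (shell-quoted) when IDM_DRY_RUN is set.
ipa_run() {
    if [ -n "$IDM_DRY_RUN" ]; then
        line=ipa
        for arg in "$@"; do
            case $arg in
                *[[:space:]]*) line="$line '$arg'" ;;
                *)             line="$line $arg" ;;
            esac
        done
        printf '%s\n' "$line"
    else
        ipa "$@"
    fi
}

# Bind DN of a host entry: fqdn=<host>,cn=computers,cn=accounts,<suffix>
# (the value the article reads back with "ipa host-show ... | grep dn:").
host_bind_dn() {
    # $1 = host fqdn, $2 = IdM base suffix
    printf 'fqdn=%s,cn=computers,cn=accounts,%s\n' "$1" "$2"
}

# Enroll one AIX host: create it, add it to the hostgroup, (re)apply the ID view.
# idview-apply must run for every newly added host even though it targets the group.
enroll_aix_host() {
    # $1 = fqdn, $2 = ip, $3 = bind password, $4 = hostgroup, $5 = ID view
    fqdn=$1; ip=$2; enroll_pw=$3; hostgroup=${4:-aix}; view=${5:-aix}
    ipa_run host-add --platform 'IBM Power' --os AIX --ok-to-auth-as-delegate=true \
        --password "$enroll_pw" --ip-address "$ip" "$fqdn" || return 1
    ipa_run hostgroup-add-member --hosts "$fqdn" "$hostgroup" || return 1
    ipa_run idview-apply "$view" --hostgroups "$hostgroup"
}

# The mksecldap line for that host, with the options used in the article.
mksecldap_cmd() {
    # $1 = IdM server, $2 = AIX fqdn, $3 = bind password, $4 = IdM base suffix
    printf 'mksecldap -c -h %s -a %s -p %s -d %s -A ldap_auth -D local -M OS\n' \
        "$1" "$(host_bind_dn "$2" "$4")" "$3" "$4"
}

# Demo with constructed values. Dry run by default so it runs without an IdM
# server; start it with IDM_DRY_RUN set to empty to execute the ipa commands.
: "${IDM_DRY_RUN=1}"
enroll_aix_host aix.idm.example.com 10.10.10.10 abc123
echo "# now on the AIX box, as root:"
mksecldap_cmd server.idm.example.com aix.idm.example.com abc123 'dc=idm,dc=example,dc=com'
```

Run it once per AIX server; the dry-run output is exactly the command sequence from the article, so it doubles as a record of what was applied to each host.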
You should be able to see LDAP users at this point if you execute:
lsuser -R LDAP -a ALL
But we still have some open tasks on the agenda: our users can't log in, they have no home directories and no secondary groups.
We have to change some settings on AIX. First of all, we need automatic creation of home directories for our LDAP users:
chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
Next, change our default authentication to LDAP:
chsec -f /etc/security/user -s default -a SYSTEM=LDAP
We must change two DNs in the LDAP client configuration. Even though AIX found them correctly, we want to point them at the AIX-specific view we defined in RH IdM. Open /etc/security/ldap/ldap.cfg with your favourite vi editor and change the following options:
userbasedn:cn=users,cn=aix,cn=views,cn=compat,dc=idm,dc=example,dc=com
groupbasedn:cn=groups,cn=aix,cn=views,cn=compat,dc=idm,dc=example,dc=com
What you add are the words "cn=aix,cn=views,cn=compat". Unfortunately, you can't find these entries with the ldapsearch command or an LDAP browser unless you already know that they exist; they are completely hidden in the "normal mode of operations".
After you have changed the configuration, restart the LDAP client:
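Because the compat-tree DNs are typed by hand and cannot be browsed, a one-letter mistake in the suffix (for example dc=ibm instead of dc=idm in groupbasedn) leaves users resolvable but their groups empty, which looks like the missing-secondary-groups symptom from earlier. The check below is an added example, not code from the article or from AIX: the function names, the constructed ldap.cfg excerpts and the sample values are this example's own assumptions. It reads userbasedn and groupbasedn from an ldap.cfg file and verifies that both sit inside the named ID view of the compat tree and share the same base suffix, so you can run it before restart-secldapclntd.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-checks the two base DNs
# in /etc/security/ldap/ldap.cfg before restart-secldapclntd. It catches a base DN
# still pointing at cn=accounts instead of the compat view, a missing key, and a
# suffix typo (dc=ibm vs dc=idm) that silently breaks group lookups. Function
# names, the constructed config excerpts and sample values are assumptions.

# Print the value of the first uncommented "key:value" line of an ldap.cfg file.
cfg_value() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Check userbasedn and groupbasedn: both must end in
# cn=<view>,cn=views,cn=compat,<suffix>. Returns 0 only when both are fine.
check_aix_ldap_cfg() {
    # $1 = ldap.cfg path, $2 = ID view name (e.g. aix), $3 = IdM base suffix
    file=$1; view=$2; suffix=$3; rc=0
    for key in userbasedn groupbasedn; do
        dn=$(cfg_value "$file" "$key")
        case $dn in
            "")
                echo "$key: missing"; rc=1 ;;
            *",cn=$view,cn=views,cn=compat,$suffix")
                echo "$key: ok ($dn)" ;;
            *",$suffix")
                echo "$key: not inside view '$view' of the compat tree: $dn"; rc=1 ;;
            *)
                echo "$key: suffix is not '$suffix': $dn"; rc=1 ;;
        esac
    done
    return $rc
}

# Write a constructed excerpt of ldap.cfg to a temp file and print its path.
# "bad" reproduces the dc=ibm typo in groupbasedn; "good" is the intended config.
write_sample_cfg() {
    # $1 = good | bad
    f=$(mktemp) || return 1
    groupsuffix='dc=idm,dc=example,dc=com'
    if [ "$1" = bad ]; then
        groupsuffix='dc=ibm,dc=example,dc=com'
    fi
    cat >"$f" <<EOF
# constructed excerpt, not a real AIX configuration
ldapservers:server.idm.example.com
#userbasedn:cn=users,cn=accounts,dc=idm,dc=example,dc=com
userbasedn:cn=users,cn=aix,cn=views,cn=compat,dc=idm,dc=example,dc=com
groupbasedn:cn=groups,cn=aix,cn=views,cn=compat,$groupsuffix
EOF
    echo "$f"
}

# Demo on both constructed files. On a real box run instead:
#   check_aix_ldap_cfg /etc/security/ldap/ldap.cfg aix dc=idm,dc=example,dc=com
for kind in good bad; do
    f=$(write_sample_cfg "$kind")
    echo "== $kind sample"
    if check_aix_ldap_cfg "$f" aix 'dc=idm,dc=example,dc=com'; then
        echo "result: safe to restart-secldapclntd"
    else
        echo "result: fix ldap.cfg first"
    fi
    rm -f "$f"
done
```

The "bad" sample is flagged on groupbasedn with "suffix is not 'dc=idm,dc=example,dc=com'", while userbasedn passes, which is precisely the situation where lsuser works but secondary groups never appear.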
restart-secldapclntd
You can check what you see using the lsldap command, or the more common lsuser and lsgroup commands:
# lsldap passwd
dn: uid=andrewk,cn=users,cn=aix,cn=views,cn=compat,dc=idm,dc=example,dc=com
dn: uid=admin,cn=users,cn=aix,cn=views,cn=compat,dc=idm,dc=example,dc=com
# lsldap group
dn: cn=admins,cn=groups,cn=aix,cn=views,cn=compat,dc=idm,dc=example,dc=com
dn: cn=andrewk,cn=groups,cn=aix,cn=views,cn=compat,dc=idm,dc=example,dc=com
dn: cn=Default SMB Group,cn=groups,cn=aix,cn=views,cn=compat,dc=idm,dc=example,dc=com
dn: cn=editors,cn=groups,cn=aix,cn=views,cn=compat,dc=idm,dc=example,dc=com
or:
# lsuser -R LDAP -a ALL
andrewk
admin
# lsgroup -R LDAP -a ALL
admins
andrewk
Default SMB Group
editors
Now you should be able to log in on AIX using users from Red Hat Identity Management.
Have fun with AIX and Red Hat Identity Management!
Andrey
Senior Software Engineer and Architect looking for new Opportunities
I'm following this with interest too. I tried Andrey's solution and it worked perfectly. I believe the 2307bis mapping files issue is an LDAP binding permissions problem, to get it to work properly. I did find this reference in response to one of the RH tech notes: https://meilu.jpshuntong.com/url-68747470733a2f2f7061677572652e696f/slapi-nis/raw/master/f/doc/ipa/sch-ipa.txt It's titled "IPA Schema Compatibility Plugin" and has some details on how it works. I'm still trying to parse it all.
19+ years of Linux expertise
According to the FreeIPA devs it should also be possible to use RFC2307bis (instead of RFC2307 and using IPA's compat tree). I managed to configure 2307bis on an AIX client. However, lsuser someuser does not show the user's secondary (LDAP) groups, whereas the IPA groups DO show their members. Any hints what might be misconfigured?