I have not been able to get home directories created automatically when logging in via LDAP. I have added many of the user home directories to the default AIX build, but you may run into some that don't exist; you can easily create your own home directory using sudo.
If you are adding LDAP to an AIX box with local accounts already established, it is best practice to remove the local accounts of users who exist in LDAP. Before you run this command you must MAKE SURE THAT SECLDAPCLNTD IS NOT RUNNING; if it is still running you will remove all of the admin accounts from LDAP!:
stop-secldapclntd && for i in
Here are two one-liners to create the home folders of all the current Unix, App, and DB admins:
start-secldapclntd
for i in
do
  mkdir /home/$i
  chown -R $i. /home/$i
done
for i in
do
  mkdir /home/$i
  chown -R $i.IRM /home/$i
done
# Installing and configuring LDAP client service on AIX 5.3/6.1
Installation
All packages are available on the /media/software NFS share; the instructions below reference that location for installation.
# Install Java
If Java is not currently installed you can install Java5 64-bit; this version is for both AIX 5.3 and 6.1:
installp -acgXYd /media/software/AIX/java/ Java5_64.sdk
# Install gskit
Source: https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt&S_PKG
installp -acgXd /media/software/AIX/GSKIT/ gsksa.rte gskta.rte
# Install ITDS packages
Remove any previously installed versions of LDAP. If the following command returns any filesets, they need to be removed through smit:
lslpp -aL '*ldap*'   # lists installed ldap packages (quote the pattern so the shell does not expand it)
Source http://www-01.ibm.com/support/docview.wss?rs=767&context=SSPREK&uid=swg27009778#ver62
6.2 packages
installp -acgXd /media/software/AIX/ITDS/6.2.0.2-TIV-ITDS-AIX-IF0002/images/ idsldap.clt32bit62 \
idsldap.clt64bit62 idsldap.cltbase62 idsldap.msg62.en_US idsldap.clt_max_crypto32bit62 \
idsldap.clt_max_crypto64bit62
lslpp -aL idsldap.*
Fileset                             Level    State  Type  Description (Uninstaller)
----------------------------------------------------------------------------
idsldap.clt32bit62.rte              6.2.0.n  C      F     Directory Server - 32 bit Client
idsldap.clt64bit62.rte              6.2.0.n  C      F     Directory Server - 64 bit Client
idsldap.clt_max_crypto32bit62.rte   6.2.0.n  C      F     Directory Server - 32 bit Client (SSL)
idsldap.clt_max_crypto64bit62.rte   6.2.0.n  C      F     Directory Server - 64 bit Client (SSL)
idsldap.cltbase62.adt               6.2.0.n  C      F     Directory Server - Base Client
idsldap.cltbase62.rte               6.2.0.n  C      F     Directory Server - Base Client
idsldap.msg62.en_US                 6.2.0.n  C      F     Directory Server - Messages - U.S. English (en)
# Configuration
methods.cfg
Paste the following into a root CLI (this assumes that you use TSM for backups and that the TSM client is configured). It only appends the LDAP stanza if one is not already present:
# An LDAP stanza always starts at column 0, so match only that (a bare "LDAP" would also match comments)
if [ "$(grep -c '^LDAP:' /usr/lib/security/methods.cfg)" -eq 0 ]; then
    echo "Backing up current methods.cfg, please wait"
    dsmc i /usr/lib/security/methods.cfg
    cat <<EOF >>/usr/lib/security/methods.cfg
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
EOF
else
    echo "Found LDAP stanza in /usr/lib/security/methods.cfg, assuming that it is correct."
fi
CA Certs
Get the CA certificates from the repos:
cd /etc/security/ldap/ && wget .crt && wget .crt
gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw
# mksecldap command / ldap.cfg file
The mksecldap command cannot be used to set up an anonymous-bind configuration, so instead of using that command, create /etc/security/ldap/ldap.cfg with the following command:
cat <<EOF >/etc/security/ldap/ldap.cfg
ldapservers:
authtype:ldap_auth
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:
groupbasedn:
useSSL:yes
ldapsslkeyf:/etc/security/ldap/key.kdb
ldapsslkeypwd:
EOF
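Because an empty ldapservers or basedn line, or useSSL left off, will only show up as a failed login later, here is a small pre-flight check for the ldap.cfg written above. This is an added example, not part of the original notes; it assumes the key:value layout shown above and the sample values (example.com hosts and DNs) are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check an AIX
# /etc/security/ldap/ldap.cfg (key:value stanza layout) before starting
# secldapclntd, so blank server/basedn lines or a clear-text bind are
# caught before the first LDAP login attempt.

# cfg_get FILE KEY: print KEY's value (first non-comment match), empty if unset.
cfg_get() {
    awk -F: -v k="$2" '
        /^[ \t]*#/ { next }
        $1 == k { v = $2; sub(/^[ \t]*/, "", v); sub(/[ \t]*$/, "", v); print v; exit }
    ' "$1"
}

# check_ldap_cfg FILE: returns 0 if usable; each problem is printed on its own line.
check_ldap_cfg() {
    f=$1; rc=0
    for k in ldapservers userbasedn groupbasedn; do
        [ -n "$(cfg_get "$f" "$k")" ] || { echo "$k is empty"; rc=1; }
    done
    [ "$(cfg_get "$f" authtype)" = "ldap_auth" ] || { echo "authtype must be ldap_auth"; rc=1; }
    if [ "$(cfg_get "$f" useSSL)" = "yes" ]; then
        [ -n "$(cfg_get "$f" ldapsslkeyf)" ] || { echo "useSSL:yes but ldapsslkeyf is empty"; rc=1; }
    else
        echo "useSSL is not yes: binds and passwords would cross the network in clear text"; rc=1
    fi
    return $rc
}

# Constructed sample (example.com values, not a real site) showing a config that passes.
sample_cfg() {
    t=$(mktemp) && cat >"$t" <<'EOF'
ldapservers:ldap1.example.com,ldap2.example.com
authtype:ldap_auth
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:ou=People,dc=example,dc=com
groupbasedn:ou=Groups,dc=example,dc=com
useSSL:yes
ldapsslkeyf:/etc/security/ldap/key.kdb
ldapsslkeypwd:changeme
EOF
    echo "$t"
}

# Usage on a real box: check_ldap_cfg /etc/security/ldap/ldap.cfg
check_ldap_cfg "$(sample_cfg)" && echo "sample ldap.cfg: OK"
```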
# IDS links
IDS needs certain libraries and binaries linked from /opt/IBM/ldap/
The first step is to remove any current links:
/opt/IBM/ldap/V6.2/bin/idsrmlink -i -l 32 -s fullsrv
# Start secldap at reboot
Remove existing inittab entries
# /etc/security/user
Add LDAP compatibility to /etc/security/user; without this, LDAP login will not work:
chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or compat"
# sudo
Add your sudo config. I haven't had success with the AIX Linux Toolbox sudo rpm; try the sudo-noldap package instead (also on the AIX Linux Toolbox).
# Start secldap client
Run the following command to start the ldap client
# Syslog
AIX pulls its logging configuration from /etc/syslog.conf. The standard AIX build as of May 2009 writes most messages to /var/adm/SYSLOG and does not rotate it. I like the logging to be more Linux-like, so I append the following to the end of /etc/syslog.conf; consider commenting out the existing entries if you don't want to keep writing to /var/adm/SYSLOG as well:
# Linux-ify the AIX logging setup and enable automagic rotation
# Everything but mail and auth to messages
*.info;mail.none;auth.none   /var/log/messages   rotate size 10m files 10 compress
# Auth to secure
auth.debug                   /var/log/secure     rotate size 10m files 10 compress
# Mail to maillog
mail.debug                   /var/log/maillog    rotate size 10m files 10 compress
# Emergency messages to all users
*.emerg                      *
# Everything but mail to the remote syslog host
*.info;mail.none             @
This will send:
All messages except mail and authentication to /var/log/messages.
All authentication messages to /var/log/secure.
All mail messages to /var/log/maillog.
All emergency messages to all users.
All messages except mail to
If you don't like seeing the "Message forwarded from hostname:" prefix all over Splunk, run the following command as root so syslogd stops adding it:
chssys -s syslogd -a "-n"
All the files need to exist prior to syslog writing to them, it will not create them on its own:
sudo touch /var/log/messages /var/log/secure /var/log/maillog
You must then restart syslogd:
stopsrc -s syslogd && startsrc -s syslogd