Monday, November 8, 2010


Home Directories
I have not been able to have home directories automagically created when logging in with LDAP, I have added many of the user home dir's to the default AIX build but you may run into some that don't exist, you can easily make you home directory using sudo.
If you are adding LDAP to a AIX box with local accounts already established it is best practice to remove the account for LDAP users. Before you run this command you must MAKE SURE THAT SECLDAPCLNTD IS NOT RUNNING, if it is still running you will remove all of the admin accounts from LDAP!:
stop-secldapclntd && for i in ; do rmuser -p $i ; done

Here are two one liners to create all the current Unix, App, and DB admins home folders:

for i in ; do
 mkdir /home/$i;
 chown -R $i. /home/$i;

for i in ; do
 mkdir /home/$i;
 chown -R $i.IRM /home/$i;

AIX 5.3 and 6.1

# Installing and configuring LDAP client service on AIX 5.3/6.1
All packages are available on the /media/software nfs share, instructions reference that location for installation.

# Install Java
If java is not currently installed you can install Java5 64 bit, this version is for AIX 5.3 AND 6.1:

 installp -acgXYd /media/software/AIX/java/ Java5_64.sdk

Once java is installed you may need to add it to your path, the following command will do this temporarily:

 export PATH=/usr/java5_64/bin:$PATH

# Install gskit

 installp -acgXd /media/software/AIX/GSKIT/ gsksa.rte gskta.rte

# Install ITDS packages
Remove any previous version of ldap that are installed, if the following command returns with filesets they need to be removed through smit:

  lslpp -aL *ldap* # will list installed ldap packages

6.2 packages

 installp -acgXd /media/software/AIX/ITDS/ idsldap.clt32bit62 \
 idsldap.clt64bit62 idsldap.cltbase62 idsldap.msg62.en_US idsldap.clt_max_crypto32bit62 \

Once those filesets are installed run 'lslpp -aL idsldap.*' to verify, output should be similar to this:

 lslpp -aL idsldap.*
  Fileset                      Level  State  Type  Description (Uninstaller)
  idsldap.clt32bit62.rte     6.2.0.n    C     F    Directory Server - 32 bit
  idsldap.clt64bit62.rte     6.2.0.n    C     F    Directory Server - 64 bit
                             6.2.0.n    C     F    Directory Server - 32 bit
                                                   Client (SSL)
                             6.2.0.n    C     F    Directory Server - 64 bit
                                                   Client (SSL)
  idsldap.cltbase62.adt      6.2.0.n    C     F    Directory Server - Base Client
  idsldap.cltbase62.rte      6.2.0.n    C     F    Directory Server - Base Client
  idsldap.msg62.en_US        6.2.0.n    C     F    Directory Server - Messages -
                                                   U.S. English (en)

# Configuration
Paste the following into a root cli: (this assumes that you use TSM for backups and that the client is configured)

 if [ $(grep -c LDAP /usr/lib/security/methods.cfg) -eq "0" ];
   echo "Backing up current methods.cfg, please wait"
   dsmc i /usr/lib/security/methods.cfg
   cat <>/usr/lib/security/methods.cfg

        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
   echo "Found LDAP stanza in /usr/lib/security/methods.cfg, assuming that it is correct."

CA Certs
Get certs from the repos

 cd /etc/security/ldap/ && wget .crt && wget .crt

Create and list key database for ssl, if you run into java errors check that your version of java is at least 1.4.2

 gsk7cmd -keydb -create -db /etc/security/ldap/key.kdb -pw -type cms
 gsk7cmd -cert -list CA -db /etc/security/ldap/key.kdb -pw

Add CA cert from to key database

gsk7cmd -cert -add -db /etc/security/ldap/key.kdb -file /etc/security/ldap/.crt -format ascii -label " CA cert" -pw -trust enable

# mksecldap command / ldap.cfg file
Run the mksecldap command to tie the system into LDAP, this may take a minute or more.
The mkseclsap command cannot be used to setup anonymous bind configurations, instead of using that command create the /etc/security/ldap/ldap.cfg using the following command:

cat </etc/security/ldap/ldap.cfg

# IDS links
IDS needs certain libraries and binaries linked from /opt/IBM/ldap//... to /usr/lib, etc.
First step is to remove any current links

 /opt/IBM/ldap/V6.2/bin/idsrmlink -i -l 64 -s fullsrv
 /opt/IBM/ldap/V6.2/bin/idsrmlink -i -l 32 -s fullsrv

Second step is to create new links to the 32 bit binaries

 /opt/IBM/ldap/V6.2/bin/idslink -i -l 32 -s base

# Start secldap at reboot
Remove existing inittab entries

rmitab ldapclntd

Create new inittab entry

 mkitab 'ldapclntd:23456789:wait:/usr/sbin/start-secldapclntd  > /dev/console  > 2&>1

# /etc/security/user
Add ldap compatability to /etc/security/user, without this ldap login will not work

 chsec -f /etc/security/user -s default -a "SYSTEM=LDAP or compat"

# sudo
Add your sudo config, I haven't had success with the AIX Linux Toolbox sudo rpm, try the sudo-noldap package (also on AIX Linux Toolbox)

# Start secldap client
Run the following command to start the ldap client


# Syslog

AIX pulls its logging configuration from /etc/syslog.conf, the standard AIX build as of May 2009 writes most messages to /var/adm/SYSLOG and does not include rotation. I like the logging to be more Linux-like so I append this to the end of the /etc/syslog.conf file, consider commenting out the existing logging if you don't want to write to /var/adm/SYSLOG:

 # Linux-ify the AIX logging setup and enable automagic rotation
 # Everything but mail and auth to messages
 *.info;mail.none;auth.none      /var/log/messages       rotate size 10m files 10 compress
 # Auth to secure
 auth.debug                      /var/log/secure         rotate size 10m files 10 compress
 # Mail to maillog
 mail.debug                      /var/log/maillog        rotate size 10m files 10 compress
 # Emergency messages to all users
 *.emerg         *ss
 *.info;mail.none                @

This will send:
All messages except mail and authentication to /var/log/messages.
All authentication messages to /var/log/secure.
All mail messages to /var/log/maillog.
All emergency messages to all users.
All messages except mail to

If you don't like seeing the "Message forwarded from hostname:" message all over splunk you need to run the following command line as root:
 chssys -s syslogd -a "-n"
All the files need to exist prior to syslog writing to them, it will not create them on its own:
 sudo touch /var/log/messages /var/log/secure /var/log/maillog
You must then restart syslog
 stopsrc -s syslogd && startsrc -s syslogd

No comments: