Hi,
Some time ago, I configured an ubuntu intrepid as openldap server and I was able to use it as authentication server for AIX 6.1.
I tried the same with an ubuntu maverick server, but I can not get it working anymore. I can see all the user information on the AIX server. I can do 'su - <user>' to become the user. But I can not login so I think there is a problem with the password. When I change the password of a user on the AIX server, I get these errors in the logfile on the openldap server:
Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
Is this important?
The intrepid has version 2.4.11-0ubuntu6.2, the maverick has version 2.4.21-0ubuntu5.3.
I didn't note down what I did on the intrepid server, but I can remember that it asked a bunch of questions when I installed slapd. These initial steps are removed from the maverick version. I also remember using the ldapinit command.
How can I debug the difference between these 2 versions? Using slapcat, I can see some differences, but nothing that is important in my opinion.
How can I debug the openldap server to see what's going on?
I can use the openldap server on a linux ldap client without problems.
Stef
PS I also tried to post this message to openldap-software@openldap.org, but I got a 'Delivery status notification' saying that the user does not exist.
Stef Coene stef.coene@docum.org writes:
Hi,
Some time ago, I configured an ubuntu intrepid as openldap server and I was able to use it as authentication server for AIX 6.1.
I tried the same with an ubuntu maverick server, but I can not get it working anymore. I can see all the user information on the AIX server. I can do 'su - <user>' to become the user. But I can not login so I think there is a problem with the password. When I change the password of a user on the AIX server, I get these errors in the logfile on the openldap server:
Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
Is this important?
Yes, because either nis.schema or rfc2307bis.schema are missing.
-Dieter
Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
Is this important?
Yes, because either nis.schema or rfc2307bis.schema are missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with
objectClass: aixAuxAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
I can login to my test linux server with this user but not on the AIX server. When I do a telnet to the AIX server, I can enter the username, but before I can enter the password, I get the error 3004-007 You entered an invalid login name or password.
For the password, this is stored in plain text when I add the user. Before I can login to the linux server, I have to change it with passwd and after that, the password is encrypted with {crypt} and I can login to the linux client:
userPassword: {crypt}$1$.xxxxxxxxxxxxxxxxxxxxxxxx/
Can this be the problem? I don't know what encryption AIX expects.
Stef
try chuser SYSTEM=LDAP registry=LDAP [USER]
Kind regards, Howard ALLISON
Pensionsversicherungsanstalt Rechenzentrumsbetrieb A-1021 Wien, Friedrich-Hillegeist-Straße 1
E-Mail..: howard.allison@pva.sozvers.at Internet: www.pensionsversicherung.at
openldap-technical-bounces@openldap.org wrote on 27.10.2010 10:37:08:
From: Stef Coene stef.coene@docum.org (sent by: openldap-technical-bounces@openldap.org)
Date: 27.10.2010 10:43
To: openldap-technical@openldap.org
Cc:
Subject: Re: AIX as openldap client
Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
Is this important?
Yes, because either nis.schema or rfc2307bis.schema are missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with
objectClass: aixAuxAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
I can login to my test linux server with this user but not on the AIX server. When I do a telnet to the AIX server, I can enter the username, but before I can enter the password, I get the error 3004-007 You entered an invalid login name or password.
For the password, this is stored in plain text when I add the user. Before I can login to the linux server, I have to change it with passwd and after that, the password is encrypted with {crypt} and I can login to the linux client:
userPassword: {crypt}$1$.xxxxxxxxxxxxxxxxxxxxxxxx/
Can this be the problem? I don't know what encryption AIX expects.
Stef
Hi, on AIX you don't need to retrieve the password from the ldap server. You can configure AIX to hand the authentication process over to the ldap server.
In the secldapclntd configuration file (/etc/security/ldap/ldap.cfg) you have to configure these directives (lines taken from my deployment):
# Authentication type. Valid values are unix_auth and ldap_auth.
# Default is unix_auth.
# unix_auth - Retrieve user password and authenticate user locally.
# ldap_auth - Bind to LDAP server to authenticate user remotely through LDAP.
authtype:ldap_auth

# AIX-LDAP attribute map path.
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
#idattrmappath:/etc/security/ldap/aixid.map

# LDAP class definitions.
userclasses:posixaccount,shadowaccount
#userclasses:aixaccount,ibm-securityidentities
#groupclasses:aixaccessgroup

# Search mode. Valid values are ALL and OS.
# Default is ALL.
# ALL - Returns all attributes of an entry.
# OS - Returns only the OS required attributes of an entry.
#      Non-OS attributes like telephone number, binary images, etc.
#      will not be returned.
#
# Note: Use OS only when user entry has many non-OS required attributes
#       or attributes with large value, e.g. binary data, to reduce
#       sorting effort by the LDAP server.
searchmode:OS

# Default user attribute entry location. Valid values are LDAP and local.
# The default is LDAP.
# LDAP - Use the default entry in LDAP.
# local - Use the default entry from /etc/security/user.
defaultentrylocation:local
You also have to make sure that in the file /etc/security/user you have set these properties for the users that exist only locally on the system:
SYSTEM = "files"
registry = files
Hope this helps Marco
On Wed, Oct 27, 2010 at 10:37 AM, Stef Coene stef.coene@docum.org wrote:
Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
Is this important?
Yes, because either nis.schema or rfc2307bis.schema are missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with
objectClass: aixAuxAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
I can login to my test linux server with this user but not on the AIX server. When I do a telnet to the AIX server, I can enter the username, but before I can enter the password, I get the error 3004-007 You entered an invalid login name or password.
For the password, this is stored in plain text when I add the user. Before I can login to the linux server, I have to change it with passwd and after that, the password is encrypted with {crypt} and I can login to the linux client:
userPassword: {crypt}$1$.xxxxxxxxxxxxxxxxxxxxxxxx/
Can this be the problem? I don't know what encryption AIX expects.
Stef
Stef Coene stef.coene@docum.org writes:
Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
Is this important?
Yes, because either nis.schema or rfc2307bis.schema are missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with
You may load either nis.schema or rfc2307bis.schema, but not both. It depends on your PAM requirements which one to load.
objectClass: aixAuxAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
I can login to my test linux server with this user but not on the AIX server. When I do a telnet to the AIX server, I can enter the username, but before I can enter the password, I get the error 3004-007 You entered an invalid login name or password.
For the password, this is stored in plain text when I add the user. Before I can login to the linux server, I have to change it with passwd and after that, the password is encrypted with {crypt} and I can login to the linux client:
userPassword: {crypt}$1$.xxxxxxxxxxxxxxxxxxxxxxxx/
Can this be the problem? I don't know what encryption AIX expects.
With regard to crypt, see http://www.openldap.org/faq/data/cache/344.html For more hashing algos see password-hash in slapd.conf(5), and pam_password in /etc/ldap.conf.
-Dieter
On Wednesday 27 October 2010, Dieter Kluenter wrote:
Stef Coene stef.coene@docum.org writes:
Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
Is this important?
Yes, because either nis.schema or rfc2307bis.schema are missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with
You may load either nis.schema or rfc2307bis.schema, but not both. It depends on your PAM requirements which one to load.
I created a rfc2307bis.ldif from the rfc2307bis.schema file. If I load the rfc2307bis.ldif without nis.ldif, I get an error:
additional info: olcObjectClasses: AttributeType not found: "gecos"
So I think rfc2307bis depends on nis...
Stef
Stef Coene stef.coene@docum.org writes:
On Wednesday 27 October 2010, Dieter Kluenter wrote:
Stef Coene stef.coene@docum.org writes:
Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
Is this important?
Yes, because either nis.schema or rfc2307bis.schema are missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with
You may load either nis.schema or rfc2307bis.schema, but not both. It depends on your PAM requirements which one to load.
I created a rfc2307bis.ldif from the rfc2307bis.schema file. If I load the rfc2307bis.ldif without nis.ldif, I get an error:
additional info: olcObjectClasses: AttributeType not found: "gecos"
So I think rfc2307bis depends on nis...
No!
rfc2307bis.schema and nis.schema both provide attributetype gecos. The only difference, in fact, is objectClass posixGroup: nis.schema declares this objectClass as structural, while rfc2307bis.schema declares it as auxiliary.
-Dieter
Hi,
I finally had some time and I was able to solve my login problems on AIX. I tried the same procedure on a clean AIX installation and I was able to logon using my ldap server.
Thanks everybody for the response. Special thanks to Marco Pizzoli for the (off-topic) help.
Stef
Hello Stef,
Could you please point out what you did to solve your problems, as anybody else could be interested in that solution. Unfortunately, these machines are on my schedule, too. :)
Thank you.
On Mon, Nov 8, 2010 at 15:40, Stef Coene stef.coene@docum.org wrote:
Hi,
I finally had some time and I was able to solve my login problems on AIX. I tried the same procedure on a clean AIX installation and I was able to logon using my ldap server.
Thanks everybody for the response. Special thanks to Marco Pizzoli for the (off-topic) help.
Stef
On Monday 08 November 2010, you wrote:
Hello Stef,
Could you please point out what you did to solve your problems, as anybody else could be interested in that solution. Unfortunately, these machines are on my schedule, too. :)
I'm documenting the steps I do to get it working and the possible problems. When I'm done, I will post them somewhere. I also have to do this on the production servers.
I still have some problems with the passwords. I have to change the password from an AIX box before it works.
Stef
On Monday, 8 November 2010 16:07:25 Stef Coene wrote:
On Monday 08 November 2010, you wrote:
Hello Stef,
Could you please point out what you did to solve your problems, as anybody else could be interested in that solution. Unfortunately, these machines are on my schedule, too. :)
I'm documenting the steps I do to get it working and the possible problems. When I'm done, I will post them somewhere. I also have to do this on the production servers.
I still have some problems with the passwords. I have to change the password from an AIX box before it works.
What hash ends up in userPassword in this case? crypt? Real crypt(), with its 8-character limit?
This normally indicates a problem in the configuration. On a Linux host, this would typically indicate that nss_ldap was set up, but pam_ldap was not, and authentication was working via app->PAM->pam_unix->getspent(3)->nss->nss_ldap->LDAP, whereas you may prefer app->PAM->pam_ldap (otherwise some pam_ldap-based authorization features don't work, password hashes are limited to those that are supported by all your clients etc.).
I don't have any access to our AIX hosts though ...
Regards, Buchan
Hi,
I add the user with ldapscripts on my ubuntu server.
First line is from AIX (command "lsldap -a passwd <user>"). Second line is from ldap server (command "ldapmodifyuser <user>")
password entry with ldapadduser:
userPassword: {SSHA}n9+bpMYtHKOdKislrMXJQsI58JD/Dla3
userPassword:: e1NTSEF9bjkrYnBNWXRIS09kS2lzbHJNWEpRc0k1OEpEL0RsYTM=
-> does not work for linux and aix client

password changed on AIX:
userPassword: {crypt}9/Sm0z8ESZNY.
userPassword:: e2NyeXB0fTkvU20wejhFU1pOWS4=
-> works for AIX and linux client

password changed on ubuntu client:
userPassword: {crypt}$1$orSXgBl0$6QDpVJNmJbTQy9KaM0LhT0
userPassword:: e2NyeXB0fSQxJG9yU1hnQmwwJDZRRHBWSk5tSmJUUXk5S2FNMExoVDA=
-> works for linux, not for aix
So, for AIX, only the 'short' crypt works. For linux, any crypt password works.
For now, I only need authentication on AIX.
Stef
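As an added example (not code from the thread), the following Python decodes the base64 `userPassword::` values Stef posted, names the hash scheme of each, and verifies an {SSHA} value the way slapd does. The AIX flag only records what Stef observed above (a traditional 13-character crypt(3) hash worked with unix_auth, md5crypt and SSHA did not); it is not a general compatibility table.

```python
import base64
import hashlib
import os
import re

# The three userPassword lines Stef posted, in the base64 ("::") form ldapsearch prints.
LDIF_SAMPLES = {
    "ldapadduser (SSHA)": "userPassword:: e1NTSEF9bjkrYnBNWXRIS09kS2lzbHJNWEpRc0k1OEpEL0RsYTM=",
    "passwd on AIX": "userPassword:: e2NyeXB0fTkvU20wejhFU1pOWS4=",
    "passwd on ubuntu": "userPassword:: e2NyeXB0fSQxJG9yU1hnQmwwJDZRRHBWSk5tSmJUUXk5S2FNMExoVDA=",
}


def decode_ldif_attr(line):
    """Return (attribute, value) for one LDIF line; a '::' separator means base64."""
    attr, sep, rest = re.match(r"([^:]+)(::?)\s*(.*)", line).groups()
    value = base64.b64decode(rest).decode() if sep == "::" else rest
    return attr, value


def classify(value):
    """Name the password scheme and say whether it matches what Stef saw working on
    AIX with unix_auth: only a traditional 13-character crypt(3) hash did."""
    m = re.match(r"\{(\w+)\}(.*)", value)
    if not m:
        return "cleartext", False
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme, False             # {SSHA}, {SHA}, {MD5} ...: slapd-side schemes
    if payload.startswith("$1$"):
        return "crypt/md5crypt", False   # glibc extension; AIX rejected it in the thread
    if len(payload) == 13 and "$" not in payload:
        return "crypt/traditional-DES", True
    return "crypt/other", False


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, value):
    """Check a candidate password against a {SSHA} value (salt is the trailing bytes)."""
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def summarize(samples=LDIF_SAMPLES):
    """Map each posted line to (decoded value, scheme, worked-on-AIX-unix_auth)."""
    out = {}
    for label, line in samples.items():
        _, value = decode_ldif_attr(line)
        out[label] = (value,) + classify(value)
    return out


if __name__ == "__main__":
    for label, (value, scheme, aix_ok) in summarize().items():
        print(f"{label:20} {scheme:22} aix_unix_auth={aix_ok}  {value}")
```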
Hi,
I still have problems with AIX clients. On AIX, you can choose between ldap_auth and unix_auth.
When authtype=ldap_auth: AIX will send a bind request to the LDAP server using the user's login and password. If the LDAP bind is successful, then the user's password is considered valid.
When authtype=unix_auth: AIX will encrypt the password you entered and compare it with the encrypted password in the "userpassword" field that's stored in the user's entry on LDAP. So with unix_auth, AIX will send a search to the LDAP server to retrieve the user's entry. The password validation is done on the AIX client.
I don't want to use unix_auth. This limits the password to be encrypted with {crypt} and that is not compatible with non-AIX clients.
The problem is that unix_auth is working and ldap_auth is not. (unix_auth is working when I change the password from an AIX client.) I can 'see' the password in the ldap server output (debug mode -d 2) when I try to login to the AIX client with ldap_auth.
When I use the ldapsearch command on the AIX server, I also get an error:
ldapsearch -h 172.30.222.20 -p 389 -D "uid=test,ou=People,dc=test,dc=intra" -w secret -b "dc=test,dc=intra" objectclass=*
ldap_simple_bind: Invalid credentials
Is it possible that I can not do the bind as a regular user?
Stef
Hi,
I attached the output from running slapd with -d 255 when doing ldapsearch from the AIX client.
Stef
Hello,
I just wanted to point you to the official guides from IBM on how to configure your AIX ldap client, which worked fine for me, except for sudo-ldap, but that's another topic.
Section 7: http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
Bye, Benjamin.
On Mon, Nov 15, 2010 at 10:45, Stef Coene stef.coene@docum.org wrote:
Hi,
I still have problems with AIX clients. On AIX, you can choose between ldap_auth and unix_auth.
When authtype=ldap_auth: AIX will send a bind request to the LDAP server using the user's login and password. If the LDAP bind is successful, then the user's password is considered valid.
When authtype=unix_auth: AIX will encrypt the password you entered and compare it with the encrypted password in the "userpassword" field that's stored in the user's entry on LDAP. So with unix_auth, AIX will send a search to the LDAP server to retrieve the user's entry. The password validation is done on the AIX client.
I don't want to use unix_auth. This limits the password to be encrypted with {crypt} and that is not compatible with non-AIX clients.
The problem is that unix_auth is working and ldap_auth is not. (unix_auth is working when I change the password from an AIX client.)
I can 'see' the password in the ldap server output (debug mode -d 2) when I try to login to the AIX client with ldap_auth.
When I use the ldapsearch command on the AIX server, I also get an error:
ldapsearch -h 172.30.222.20 -p 389 -D "uid=test,ou=People,dc=test,dc=intra" -w secret -b "dc=test,dc=intra" objectclass=*
ldap_simple_bind: Invalid credentials
Is it possible that I can not do the bind as a regular user?
Stef
On Monday 15 November 2010, Benjamin Griese wrote:
Hello,
I just wanted to point you to the official guides from IBM on how to configure your AIX ldap client, which worked fine for me, except for sudo-ldap, but that's another topic.
Section 7: http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
I have read the redbook. What ldap server are you running? I'm using ubuntu server 10.04.
I think my problem is that I can not bind to the ldap server as a regular user with the ldapsearch command. I can only bind as the admin specified as olcRootDN with password olcRootPW.
I attached the 2 ldif files I use to configure the ldap server. I hope that someone can find an error in it ....
I also noted that the userPassword entry for cn=admin,dc=axi,dc=intra is not encrypted. How can I generate an encrypted password? Can this be a {SHA} or has it to be a {SSHA}?
Stef
Hi Stef,
olcAccess: to dn.subtree="ou=People,dc=test,dc=intra" attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * auth
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=test,dc=intra" write by anonymous auth by * none
- I can see here that you somehow changed the olcRootDN in the first ACL, which doesn't fit the baseDN defined.
- I wouldn't use the 2nd ACL, because everything necessary is done in the first one (as far as userPassword/shadow* is only used in the people subtree).
I'll show you one example from my tree:
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=ldapadm,dc=example,dc=de" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=ldapadm,dc=example,dc=de" write by * read
Please check if that is going to work for you.
Bye, Benjamin.
PS: I am doing anonymous binds for logins from the AIX LDAP clients to the OpenLDAP server. Right now I am fiddling around with SSL and the key databases.
On Mon, Nov 15, 2010 at 13:27, Stef Coene stef.coene@docum.org wrote:
On Monday 15 November 2010, Benjamin Griese wrote:
Hello,
I just wanted to point you to the official guides from IBM on how to configure your AIX ldap client, which worked fine for me, except for sudo-ldap, but that's another topic.
Section 7: http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
I have read the redbook. What ldap server are you running? I'm using ubuntu server 10.04.
I think my problem is that I can not bind to the ldap server as a regular user with the ldapsearch command. I can only bind as the admin specified as olcRootDN with password olcRootPW.
I attached the 2 ldif files I use to configure the ldap server. I hope that someone can find an error in it ....
I also noted that the userPassword entry for cn=admin,dc=axi,dc=intra is not encrypted. How can I generate an encrypted password? Can this be a {SHA} or has it to be a {SSHA}?
Stef
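To make Benjamin's two points concrete, here is an added example (not from the thread) that evaluates Stef's two olcAccess values and Benjamin's three the way slapd does: the first matching `to` selector is final, and inside it the first matching `by` clause decides. It only handles the selector forms used in this thread (dn.subtree, dn.base, attrs, `*`) and the who-forms dn=, anonymous, self and `*`; the rootdn bypasses ACLs entirely, which is why binding as olcRootDN worked for Stef regardless of these rules.

```python
import re

# Stef's two olcAccess values as quoted by Benjamin above (input constructed from the thread).
STEF_ACLS = [
    'to dn.subtree="ou=People,dc=test,dc=intra" attrs=userPassword,shadowLastChange '
    'by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * auth',
    'to attrs=userPassword,shadowLastChange '
    'by dn="cn=admin,dc=test,dc=intra" write by anonymous auth by * none',
]
# Benjamin's three rules from his own tree.
BENJAMIN_ACLS = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=ldapadm,dc=example,dc=de" write '
    'by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=ldapadm,dc=example,dc=de" write by * read',
]


def parse_acl(text):
    """Split one olcAccess value into a <what> selector and its ordered <by> clauses."""
    text = re.sub(r"^\{\d+\}", "", text.strip())        # drop the {n} ordering prefix
    what, *by_parts = re.split(r"\s+by\s+", text)
    what = what[len("to "):]
    selector = {"scope": None, "dn": None, "attrs": None}
    m = re.search(r'dn\.(subtree|base)="([^"]*)"', what)
    if m:
        selector["scope"], selector["dn"] = m.group(1), m.group(2).lower()
    m = re.search(r"attrs=(\S+)", what)
    if m:
        selector["attrs"] = {a.lower() for a in m.group(1).split(",")}
    by = [tuple(p.rsplit(" ", 1)) for p in by_parts]   # e.g. ('anonymous', 'auth')
    return selector, by


def dn_matches(selector, target_dn):
    if selector["dn"] is None:                          # no dn part: every entry
        return True
    target = target_dn.lower()
    if selector["scope"] == "base":
        return target == selector["dn"]
    return target == selector["dn"] or target.endswith("," + selector["dn"])


def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    m = re.match(r'dn="([^"]*)"', who)
    return bool(m) and bind_dn.lower() == m.group(1).lower()


def access(acls, bind_dn, target_dn, attr):
    """Access level granted to bind_dn on attr of target_dn: the first <what> that
    matches is final, and inside it the first matching <by> decides (no match: none).
    The rootdn is not subject to ACLs at all, so it is not modelled here."""
    for text in acls:
        selector, by = parse_acl(text)
        if not dn_matches(selector, target_dn):
            continue
        if selector["attrs"] is not None and attr.lower() not in selector["attrs"]:
            continue
        for who, level in by:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"        # no directive matched at all: denied


if __name__ == "__main__":
    user = "uid=test,ou=People,dc=test,dc=intra"
    for bind in ("", user, "cn=admin,dc=test,dc=intra"):
        print(f"{bind or 'anonymous':40} userPassword -> {access(STEF_ACLS, bind, user, 'userPassword')}")
```

Note that under Stef's first rule the real admin (cn=admin,dc=test,dc=intra) never matches the misspelt dn= clause and falls through to `by * auth`, exactly the mismatch Benjamin points out.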