AIX Authentication Integration into Active Directory via LDAP

AIX can be integrated into Active Directory in two ways: directly, as a Windows machine via Samba’s winbind, or indirectly via LDAP.

The winbind configuration was already covered in a previous posting and worked rather well. However, because of GE’s requirements, it was not possible to use the winbind method for Active Directory integration. The alternative was to use LDAP to authenticate against Active Directory.

This approach is a bit more complex and has a few more parts to it, but it does provide additional user information directly from Active Directory.

Windows

First things first, on each of the Active Directory Domain Controllers, install the “Identity Management for UNIX”. This can be found under:

Control Panel -> Add / Remove Programs -> Add / Remove Windows Components -> Active Directory Services -> Identity Management for UNIX

This will extend the Active Directory LDAP schema to allow it to include UNIX attributes, such as the UID, GID, and Home Directory.

AIX

By default, AIX does not have the LDAP client package installed. Mount the first disc from the pair of OS install discs, and execute:

smit install

Navigate to the software install menus via:

Install and Update Software -> Install Software

Begin the software install via:

Enter /cdrom into the field for “INPUT device / directory for software”.

The window will refresh providing more options. The first item that is highlighted is “SOFTWARE to install” with the default of “_all_latest” entered in the field. Replace that entry with “ldap.client”.

Using the arrow keys and the tab key, make sure that the following options are set to “yes”:

  • COMMIT software updates?
  • AUTOMATICALLY install requisite software?
  • EXTEND file systems if space needed?
  • ACCEPT new license agreements?

Start the install by hitting “Enter”.

Once the package is installed, some minor configuration is necessary. Although the client software is now installed, the authentication subsystem still knows nothing about it. To register it, edit /usr/lib/security/methods.cfg and add the following stanza:

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

Additionally, we need to tell the system that we want to authenticate against LDAP for all user accounts by default, but not for local accounts. For this to work, edit /etc/security/user, find the “default” stanza, and then find the line that reads SYSTEM = "compat". Replace that line with SYSTEM = "LDAP". For all of the other stanzas, which represent the local accounts, add the line SYSTEM = "compat" so that those accounts continue to authenticate locally.

Rather than modifying the LDAP configuration file (/etc/security/ldap/ldap.cfg) directly, make use of mksecldap:

mksecldap -c -h ldapauth.chahq.local -a CN=Administrator,OU=IT\ Department,OU=Users,OU=My\ Business,DC=chahq,DC=local -p ourpassword

That will automatically set up the LDAP configuration file according to those command line arguments. As a security precaution, it stores the bind password in the configuration file in encrypted form rather than in clear text. With LDAP now configured, start the LDAP client authentication service:

start-secldapclntd

To confirm that the service is running properly, list the users visible through the LDAP registry and check the client daemon status:

lsuser -R LDAP ALL

ls-secldapclntd

To stop the service:

stop-secldapclntd
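The /etc/security/user edit above is easy to get wrong: any local stanza that is not pinned to SYSTEM = "compat" silently inherits LDAP from the default stanza. As an added example (not part of the original post), the POSIX sh script below parses an AIX stanza file, resolves the effective SYSTEM value per stanza, and flags local stanzas that were left to inherit; the stanza file it reads is constructed inline, and the functions can be pointed at the real /etc/security/user instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit the per-stanza SYSTEM attribute
# of an AIX /etc/security/user-style file after the edit described above.

# stanza_system FILE STANZA: print the effective SYSTEM value for STANZA, i.e. its
# own line if present, otherwise the value inherited from the default stanza.
stanza_system() {
  awk -v want="$2" '
    /^[^ \t*][^:]*:[ \t]*$/ { sub(/:.*/, ""); cur = $0; next }   # stanza header
    /^[ \t]+SYSTEM[ \t]*=/ {                                     # attribute line
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
      sys[cur] = val
    }
    END {
      if (want in sys) print sys[want]
      else if ("default" in sys) print sys["default"]
    }' "$1"
}

# audit_user_file FILE: list every local stanza (all but default) with no SYSTEM
# line of its own, which therefore inherits LDAP; exit status 1 if any is found.
audit_user_file() {
  awk '
    /^[^ \t*][^:]*:[ \t]*$/ { sub(/:.*/, ""); cur = $0; seen[cur] = 1; next }
    /^[ \t]+SYSTEM[ \t]*=/ { has[cur] = 1 }
    END { rc = 0; for (s in seen) if (s != "default" && !(s in has)) { print s; rc = 1 }; exit rc }' "$1"
}

# write_sample PATH: write a constructed stanza file (not a real system file) to PATH.
write_sample() {
  cat > "$1" <<'EOF'
* constructed sample, not a real /etc/security/user
default:
        admin = false
        SYSTEM = "LDAP"
root:
        admin = true
        SYSTEM = "compat"
daemon:
        admin = true
EOF
}

f=${TMPDIR:-/tmp}/secuser.$$
write_sample "$f"
printf 'root -> %s\n' "$(stanza_system "$f" root)"    # compat
printf 'jdoe -> %s\n' "$(stanza_system "$f" jdoe)"    # LDAP (no stanza, inherits default)
audit_user_file "$f" || echo "stanza(s) above still inherit SYSTEM from default"
rm -f "$f"
```

Run it against the real file with `audit_user_file /etc/security/user` before starting secldapclntd; a non-zero exit status means a local account would be sent to the directory for authentication.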

AIX Username Length

By default, AIX 5.3 limits user names to 8 characters, regardless of the back-end authentication mechanism, so longer Active Directory user names will not resolve until the limit is raised.

To confirm this, run:

getconf LOGIN_NAME_MAX

or

lsattr -El sys0 -a max_logname

To raise the limit to a new value, run the following (where # is the new maximum user name length):

chdev -l sys0 -a max_logname=#

Removing Windows Search 4.0 Without It Showing Up in the Add / Remove Programs Control Panel

With Microsoft’s recent release of Windows Search 4.0 for Windows XP, a number of users who had it installed complained about their system becoming rather slow and wanted the old search functionality returned. In most cases, a simple uninstall via Add/Remove Programs restored the search functionality to its previous incarnation, but in one particularly stubborn case, “Windows Search 4.0” did not show up in Add/Remove Programs even though Windows Search 4.0 was clearly installed (the toolbar and the taskbar icon were present, as were the individual processes). Unfortunately, C:\Windows\$NtUninstallKB940157$ was not present either, so a manual uninstall could not be performed.
The solution was to forcefully remove the following registry entries via regedit:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB940157
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB940157

Once those were removed, manually installing Windows Search 4.0 from Microsoft got the add-on to install properly, complete with an entry in Add/Remove Programs. Finally, selecting “Remove” for “Windows Search 4.0” in the Add/Remove Programs control panel did the deed and removed it from the system.