Saturday, October 24, 2009

LDAP in AIX

LDAP can be implemented on AIX using the IBM Directory Server software, which is available on the AIX installation CDs.

Required File Sets:
ldap.server - Fileset for IBM Directory Server software.
ldap.client - Fileset for IBM Directory client library, header files, utilities.
ldap.max_crypto_server - Fileset for IBM Directory server software, encryption version; Required for SSL setup.
ldap.max_crypto_client - Fileset for IBM Directory client software, encryption version; Required for SSL setup.
gskkm.rte - Fileset for IBM GSKit software; Required for IDS v4 SSL setup.
gskak.rte - Fileset for IBM GSKit software; Required for IDS v6 SSL setup.

DB2:
DB2 database is installed by default along with the ldap.server fileset.

The mksecldap command creates the default DB2 instance and database while setting up the LDAP server.

Default DB2 instance created, managed by LDAP: ldapdb2
Default DB2 database created, managed by LDAP: ldapdb2

LDAP Daemons in AIX :

slapd - Server Daemon:
It runs on the LDAP server and processes the requests forwarded by secldapclntd.

secldapclntd - Client Daemon:
It accepts requests from the LDAP load module, forwards them to the LDAP Security Information Server, and passes the result from the server back to the LDAP load module.
This daemon reads the configuration information defined in the /etc/security/ldap/ldap.cfg file during its startup, authenticates to the LDAP Security Information Server using the server administrator's distinguished name and password, and establishes a connection between the local host and the server.

LDAP Configuration Files:

/etc/slapd32.conf
- Server config file.

/etc/security/ldap/ldap.cfg
- Client config file. Contains the LDAP server names, port numbers, admin DN, admin DN password, SSL key path, user/group/id attribute map paths, user/group cache sizes, cache TTL, heartbeat interval and number of threads.

/usr/lib/security/methods.cfg
- Loadable module config file; contains the LDAP stanza.

LDAP module entry in /usr/lib/security/methods.cfg :

LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64
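Because ldap.cfg holds the administrator DN password and decides whether the client binds over SSL, its permission bits and SSL settings are worth checking on every client. The script below is an added example, not part of the original post or of AIX: it parses the key:value lines of an ldap.cfg-style file and reports the weak settings next to a corrected file. The key names it reads (ldapservers, binddn, bindpwd, useSSL, ldapsslkeyf) are those of the AIX ldap.cfg format, the two sample files it audits are constructed, and the host names and password in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ldap.cfg-style
# secldapclntd configuration for the settings a security reviewer checks.
# Key names follow the AIX ldap.cfg "key:value" format (assumption: verify
# against your release). The sample files written below are constructed.

# Print the value of KEY from FILE. Lines starting with '#' are comments,
# so a commented-out default such as "#useSSL:no" does not count as set.
ldapcfg_get() {
    file=$1
    key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" "$file" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Audit FILE: echo one finding code per line, return the number of findings.
#   NO_SERVERS                  ldapservers is empty; the daemon cannot bind
#   BINDPWD_READABLE_BY_OTHERS  admin bind password present and the file has
#                               group/other permission bits set
#   SSL_OFF                     useSSL is not "yes": bind DN and password
#                               travel to the server in cleartext
#   SSL_KEY_MISSING             useSSL is yes but no key database (ldapsslkeyf)
audit_ldap_cfg() {
    file=$1
    n=0
    if [ -z "$(ldapcfg_get "$file" ldapservers)" ]; then
        echo NO_SERVERS; n=$((n + 1))
    fi
    # ls -ld instead of stat(1): AIX has no GNU stat.
    perms=$(ls -ld "$file" | cut -c5-10)   # group+other bits; "------" is 0600/0700
    if [ -n "$(ldapcfg_get "$file" bindpwd)" ] && [ "$perms" != "------" ]; then
        echo BINDPWD_READABLE_BY_OTHERS; n=$((n + 1))
    fi
    if [ "$(ldapcfg_get "$file" useSSL)" != "yes" ]; then
        echo SSL_OFF; n=$((n + 1))
    elif [ -z "$(ldapcfg_get "$file" ldapsslkeyf)" ]; then
        echo SSL_KEY_MISSING; n=$((n + 1))
    fi
    return $n
}

# Write constructed config lines to a temp file with MODE, audit it and print
# the findings on one line (an empty line means clean).
run_sample() {
    mode=$1; shift
    f=$(mktemp) || return 1
    printf '%s\n' "$@" > "$f"
    chmod "$mode" "$f"
    findings=$(audit_ldap_cfg "$f" || true)
    rm -f "$f"
    echo $findings   # unquoted on purpose: joins the finding lines with spaces
}

# Weak client: world-readable file holding the admin password, SSL off.
weak_sample() {
    run_sample 644 \
        '# constructed sample ldap.cfg, not from a real host' \
        'ldapservers:ldap1.example.internal' \
        'binddn:cn=admin' \
        'bindpwd:placeholder-password' \
        'useSSL:no'
}

# Corrected client: 0600 file, SSL on, key database path set.
hardened_sample() {
    run_sample 600 \
        '# constructed sample ldap.cfg, not from a real host' \
        'ldapservers:ldap1.example.internal,ldap2.example.internal' \
        'binddn:cn=admin' \
        'bindpwd:placeholder-password' \
        'useSSL:yes' \
        'ldapsslkeyf:/usr/ldap/etc/mykey.kdb'
}

echo "weak:     $(weak_sample)"
echo "hardened: $(hardened_sample)"
```

On a real client, source the script and run `audit_ldap_cfg /etc/security/ldap/ldap.cfg`; a non-zero return status is the number of findings, so it drops straight into a compliance check loop.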

Attribute Map Files:
These map files are used by the /usr/lib/security/LDAP module and the secldapclntd daemon to translate between AIX attribute names and LDAP attribute names. Each entry in a mapping file represents the translation for one attribute.

For example, the "accountlocked" user attribute in AIX is mapped to the "isaccountenabled" LDAP attribute.

# /etc/security/ldap/2307aixuser.map
# /etc/security/ldap/2307aixgroup.map
# /etc/security/ldap/idmap.map

User Attributes related to LDAP:
1. hostsallowedlogin - List of hosts from which the user may log in
2. hostsdeniedlogin - List of hosts from which the user may not log in
3. SYSTEM = LDAP
4. registry = LDAP

Management of secldapclntd daemon:

start-secldapclntd - Starts the daemon
stop-secldapclntd - Stops the daemon
restart-secldapclntd - Restarts the daemon
ls-secldapclntd - Lists the daemon status including current server,
port number, caching status, etc.
flush-secldapclntd - Clears the cache of the daemon

Note: The secldapclntd daemon is started by the "mksecldap -c" command, and it is started at boot time through an /etc/inittab entry.

LDAP Server Commands:

To setup the server,
# mksecldap -s -a cn=admin -p pwd -S rfc2307aix

where
cn=admin is the administrator DN
pwd is the password
rfc2307aix is the schema. Other available schemas are aix and rfc2307.

This will export the locally defined users and groups to the LDAP server with RFC2307AIX schema.

To do the above task without migrating local users and groups,
# mksecldap -s -a cn=admin -p pwd -S rfc2307aix -u NONE

To undo a previous server setup,
# mksecldap -s -U

To generate/import SSL certificate,
# gsk5ikm

To export all locally defined users and groups to an LDIF file,
# sectoldif -d cn=aixsecdb,cn=aixdata -S rfc2307aix > /tmp/ldapusers.ldif

To import users and groups from an LDIF file into the LDAP server, use the ldif2db or ldapadd command.

LDAP Client Commands:
To set up an LDAP client without SSL,
# mksecldap -c -h servername -a adminDN -p passwd

To set up an LDAP client using SSL (-k gives the key database, -w its password),
# mksecldap -c -h servername -a adminDN -p passwd -k /usr/ldap/etc/mykey.kdb -w keypwd

To undo a previous client setup,
# mksecldap -c -U

DB2 commands for managing LDAP database:

To drop (delete) the ldapdb2 database:
# su - ldapdb2
$ db2 drop database ldapdb2
$ exit

To drop the ldapdb2 instance:
# /usr/lpp/db2_07_01/instance/db2idrop ldapdb2

User/Group Related Commands:

To create an LDAP user from a client:
# mkuser -R LDAP joe

To change the authentication method of the existing user user1 to LDAP:
# chuser SYSTEM=LDAP registry=LDAP user1

To lock an LDAP user:
# chuser -R LDAP account_locked=true user2

To allow user1 to log in from host1 and host2:
# chuser -R LDAP hostsallowedlogin=host1,host2 user1

To deny user1 login from host2:
# chuser -R LDAP hostsdeniedlogin=host2 user1

To allow user1 to log in from the machine with IP 192.9.200.1:
# chuser -R LDAP hostsallowedlogin=192.9.200.1 user1

Please post your comments and questions.

Friday, October 23, 2009

My Notes on NIM - Network Installation Manager

Required Filesets:

For Server - bos.sysmgt.nim.master and bos.sysmgt.nim.spot
For Client - bos.sysmgt.nim.client

Few Resource Definitions:

SPOT - Shared Product Object Tree is a directory containing files required to boot a machine and the boot image

LPP_SOURCE - Licensed Program Product source is a directory containing images/filesets that AIX uses to load software

MKSYSB - Mksysb resource used to build a machine

Requirements for NIM Server:

Disk Space :
1. 3 GB per base lpp_source resource
2. 500 MB or more per mksysb resource
3. 500 MB per SPOT resource
4. Additional buffer space for future growth

Other Requirements:
1. Minimum 512 MB real memory
2. 10 or 100 Mbps Ethernet adapter


My Recommendations for NIM VG and Filesystems:

1. Create a separate VG called 'nimvg' with enough space.

2. Create the following filesystems in nimvg based upon your requirement:
 a. /tftpboot - To hold boot images
 b. /export/nim - To hold the resources like SPOT, LPP, Mksysb

Directory Structure:
/export/nim/lpp_source - To hold lpp_source resources
/export/nim/spot - To hold SPOT resources
/export/nim/mksysb - To hold the mksysb backups for clients

Naming Schemes:

Follow the schemes below to easily identify resources during regular operations:

spot530TL6 - SPOT for AIX V 5.3 TL 6
spot530TL9 - SPOT for AIX V 5.3 TL 9
lpp_source530TL6 - LPP_SOURCE for AIX V 5.3 TL 6
lpp_source530TL9 - LPP_SOURCE for AIX V 5.3 TL 9
client_server1 - Mksysb image of the host server1
client_server2 - Mksysb image of the host server2


How to setup the NIM Master:

0. Create the /tftpboot and /export/nim file systems as per your requirement.

1. Initial setup of the NIM Master:
  a. ODM database
  b. Boot Area: the /tftpboot directory, used to store boot files (images)
  c. /etc/niminfo - The key configuration file; it exists on both master and clients
  d. nimesis daemon - The daemon used to communicate with the NIM clients

2. Insert the AIX CD into the master server's CD drive.

3. Create LPP_SOURCE and SPOT resources.

Commands to manage NIM master and clients:


To setup NIM Server:
# nim_master_setup -B -a device=/dev/cd0 -a file_system=/nim -a volume_group=nimvg


To setup NIM installation in a client:
# smitty nim_bosinst


To view the status of NIM installation in a NIM client:
# lsnim -l client_hostname


To define a lpp_source resource:
# nim -o define -t lpp_source -a source=/dev/cd0 -a server=master -a location=/nim/lpp_source/AIX_5_3_4 AIX_5_3_4

To define a spot resource:
# nim -o define -t spot -a server=master -a location=/export/nim/spot -a source=lpp_source530 spot530

To remove a resource:
# nim -o remove AIX_5_3_4


To initialize a NIM client for diag operation:
# nim -o diag client_hostname


To initialize a NIM client for maintenance operation:
# nim -o maint client_hostname


To unconfigure a NIM server:
# nim -o unconfig master_server


To allocate a SPOT to a NIM client:
# nim -o allocate -a spot=AIX_5_3 client_hostname


To deallocate a SPOT from a NIM client:
# nim -o deallocate -a spot=AIX_5_3 client_hostname


To remove a NIM client after deallocating all its resources:
# nim -o remove client_hostname


To reboot a client:
# nim -o reboot client_hostname


To list all the NIM resources:
# lsnim


To list detailed information about a nim client:
# lsnim -l client_hostname


To list the resources allocated to a NIM client:
# lsnim -c resources client_hostname
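The post gives the pieces of a client teardown separately (list the allocated resources with lsnim -c resources, deallocate each one, then remove the client). The script below is an added example, not part of the original post or of NIM: it turns the lsnim output into the exact deallocate/remove sequence, so the remove is never attempted while a resource is still allocated. It assumes that lsnim -c resources prints one allocated resource per line as "name class type" (the column layout of plain lsnim output); the sample output embedded in it is constructed, and its resource names follow the naming scheme from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build a safe NIM client
# removal plan from "lsnim -c resources <client>" output.
# Assumption: lsnim prints one resource per line as "name class type".

# Read lsnim output on stdin; print "name type" for each allocated resource.
# The class column must be "resources" so header or unrelated lines are skipped.
allocated_resources() {
    awk 'NF >= 3 && $2 == "resources" { print $1, $3 }'
}

# Print the nim command sequence that releases every allocated resource of
# CLIENT and then removes the client. The NIM attribute used with -a is the
# resource type (spot=, lpp_source=, mksysb=), as in the post's examples.
# Nothing is executed here: review the plan, then pipe it into sh.
removal_plan() {
    client=$1
    allocated_resources | while read -r name type; do
        echo "nim -o deallocate -a ${type}=${name} ${client}"
    done
    echo "nim -o remove ${client}"
}

# Constructed sample of "lsnim -c resources server2" output.
SAMPLE_LSNIM='spot530TL9          resources       spot
lpp_source530TL9    resources       lpp_source
client_server2      resources       mksysb'

# Run the sample through the planner (stand-alone demo, no NIM master needed).
demo_plan() {
    printf '%s\n' "$SAMPLE_LSNIM" | removal_plan server2
}

demo_plan
```

On a live master the same functions are used against real output: `lsnim -c resources server2 | removal_plan server2` prints the plan, and appending `| sh` runs it once you have read it.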



This post is under construction. Please visit later for the upgraded version.