3

We have a need to authenticate local users on an AIX server against OID using LDAP. We have a branch within OID where we've placed and synchronized Active Directory users. We've also configured external authentication on OID so that it verifies username/passwords against AD.

Has anyone configured authentication for AIX in this type of environment? We believe we need to populate unix specific attributes on the user's directory entry in OID, but are unsure which attributes are needed.

Additionally, we are looking to authenticate Oracle database users against OID but because of external authentication we are unable to populate the ORCLPASSWORD attribute on the user's directory entry on OID (which is the attribute Oracle is looking for password in).

Help with either or both are welcome.

mwilkes
  • 131
  • 2
  • 3

3 Answers

1

Oracle Authentication Services for Operating Systems makes this pretty easy. It generates a script that does most of the configuration on the AIX server for you.

0

You can start with this redbook but it won't be quick or easy...

Ewan Leith
  • 1,695
  • 8
  • 7
0

Generally, implementing just about any LDAP with AIX is a cumbersome task. It looks like this is by design. However, there is a good redbook, named something like "Integrating AIX with Heterogeneous LDAP servers". It is huge, but this is because the topic is complicated. It does not specifically cover OID, but it gives plenty of useful info.

In particular, in AIX you can choose between several layouts of LDAP attributes used. Take a look at /etc/security/ldap/aixuser.map (traditional proprietary AIX scheme), rfc2307user.map (very close to RFC2307), sfu30user.map (Services For Unix 3 = add-on to Windows AD). You can customize your own .map file.

One of the few nice things is the authtype=ldap_auth. It's the possibility to authenticate in AIX via LDAP binds (i.e. if the credentials provided are sufficient to bind to LDAP, they are considered sufficient to log in to AIX - in this simple mode AIX does not read/compare any password field from LDAP).

kubanczyk
  • 13,502
  • 5
  • 40
  • 55
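As an added illustration of the last answer (example code, not from the answerer, AIX or OID): the first part checks a directory entry for the RFC 2307 posixAccount attributes that an rfc2307user.map-style layout maps AIX user fields onto (the MUST list is taken from RFC 2307 itself; which of them a given .map file actually uses must be read from that file). The second part shows the authtype=ldap_auth decision path, where the only test is whether a bind with the supplied credentials succeeds, so no password attribute (userPassword, orclpassword) ever has to be stored in the entry. The LDIF entry, DN and credential are constructed for the demo, and `constructed_bind` stands in for the real directory bind.

```python
"""Check posixAccount attributes on an entry and model the ldap_auth decision.

Added example, not AIX or OID code. The LDIF entry and bind stand-in below are
constructed for the demo.
"""
from typing import Callable, Dict, List

# posixAccount MUST attributes as defined by RFC 2307.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
# MAY attributes in RFC 2307 that a login shell/user-info lookup usually wants.
POSIX_ACCOUNT_USEFUL = ("loginShell", "gecos")

# Constructed entry: has the MUST attributes, lacks loginShell and gecos.
CONSTRUCTED_LDIF = """\
dn: cn=jdoe,cn=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
cn: jdoe
uid: jdoe
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/jdoe
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Handles LDIF line folding (continuation lines start with a space) and
    ignores blank lines; base64 (::) values are out of scope for this demo.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def check_posix_account(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Report which posixAccount attributes (and the object class) are missing."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    missing_must = [a for a in POSIX_ACCOUNT_MUST if a not in entry]
    missing_useful = [a for a in POSIX_ACCOUNT_USEFUL if a not in entry]
    if "posixaccount" not in classes:
        missing_must.insert(0, "objectClass: posixAccount")
    return {"must": missing_must, "useful": missing_useful}


def ldap_auth_login(bind: Callable[[str, str], bool], dn: str, password: str) -> bool:
    """authtype=ldap_auth model: a successful simple bind is the whole test.

    No password attribute is read from the entry, which is why the entry
    above carries none. An empty password is rejected before binding, because
    an LDAP simple bind with a DN and empty password is treated as anonymous
    by many servers and would otherwise "succeed" for any user.
    """
    if not password:
        return False
    return bind(dn, password)


def constructed_bind(dn: str, password: str) -> bool:
    """Stand-in for the directory's bind (in the question's setup OID would
    forward it to AD). Constructed credential for the demo only."""
    return dn == "cn=jdoe,cn=Users,dc=example,dc=com" and password == "demo-only-secret"


def demo() -> Dict[str, object]:
    """Run both checks on the constructed data and return the results."""
    entry = parse_ldif_entry(CONSTRUCTED_LDIF)
    dn = entry["dn"][0]
    return {
        "attributes": check_posix_account(entry),
        "login_ok": ldap_auth_login(constructed_bind, dn, "demo-only-secret"),
        "login_bad_password": ldap_auth_login(constructed_bind, dn, "wrong"),
        "login_empty_password": ldap_auth_login(constructed_bind, dn, ""),
    }


if __name__ == "__main__":
    print(demo())
```

The attribute check is the part to run against real entries exported with ldapsearch before pointing AIX at them; the bind model is only there to make the ldap_auth point concrete, and the empty-password guard is the caveat to verify on the actual server, since AIX and the directory decide how an empty password is handled, not this script.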