When I wrote my newsletter last week, I expected no feedback. I was surprised because I got feedback from you. The feedback was 100% positive. Nobody unsubscribed from the newsletter and I got about 20 more subscribers.
Thank you!
You showed me that there is a need for AIX and IBM Power-related technical information. Feel free to tell me your thoughts and wishes and I will do my best to provide answers.
Today I decided to start with the question people asked me several times during the last month.
How can I connect AIX to Active Directory?
Is there any documentation about using LDAP on AIX and connecting it to an LDAP server?
The documentation you are searching for exists. You can find it in the IBM AIX documentation:
Lightweight Directory Access Protocol in IBM AIX Security guide.
AIX Runtime Expert and LDAP in IBM AIX Operating system management guide.
Migrating from NIS to LDAP services in IBM AIX Networking guide.
Remote Trusted Execution Database access in IBM AIX Security guide.
LDAP-based administrative database in IBM AIX Security guide for EAL4+ systems.
Remote RBAC Database support in IBM AIX Security guide.
Remote access to Encrypted Filesystem keystore in IBM AIX Security guide.
Configuring Kerberos server with LDAP storage in IBM AIX Security guide.
Distributing security policy through LDAP in IBM AIX Security guide.
Directory-enabled (LDAP) System V print on AIX in IBM AIX Printing guide.
Hosted accounting policies in IBM AIX Advanced System Management guide.
I am pretty sure I missed something, but as you can see there are many LDAP-related topics in the IBM AIX documentation. The topics are spread across the whole AIX documentation and placed next to the related parts of the documentation.
This makes it difficult to get an overview of what can be done with LDAP on AIX. Many years ago IBM published a very good Redbook called “Integrating AIX into heterogeneous LDAP environments”. Because it was published in 2007 and is based on AIX 5.3, it is already outdated. I still recommend reading it! As we all know, AIX does not change its interfaces the way some other operating systems do, and you can be sure that the commands you will use to configure your most modern AIX 7.3 are the same ones I used on AIX 5.3. After 17 years we still talk about Microsoft Active Directory and IBM Security Directory Server (ex-IBM Tivoli Directory Server). OpenLDAP is still out there. The only difference is that there is no Sun ONE LDAP Server anymore. I don’t know if it was completely integrated into Oracle Directory Server or dropped after Oracle bought Sun. Another product which did not exist in 2007 but is very popular now is FreeIPA, also known as Red Hat Identity Management.
Another point I want to make before going deeper into the LDAP rabbit hole is that
you can’t manage whole AIX configuration in Microsoft Active Directory
or any other LDAP server except IBM Security Directory Server. Let’s say you want to manage RBAC or TE in LDAP. In order to manage them you must apply a special schema to your LDAP server. IBM delivers the schema for IBM Security Directory Server, Microsoft Active Directory and Netscape-compatible LDAP servers. As you may imagine, the schema works with IBM Security Directory Server without any issues. Applying the schema to Microsoft Active Directory is a tough decision. My Active Directory colleagues explained to me that they could lose Microsoft support if they applied the schema. Of course, only under some circumstances. But I heard it more than once. I heard it from many, many customers and many Active Directory administrators in the last 20 years when they declined to implement the schema on their installations.
What about OpenLDAP and FreeIPA? Neither is a 100% Netscape-compatible LDAP server, so there is no AIX schema for them. You can google and find some AIX schema for OpenLDAP on the Internet. I even saw companies working with it. You can develop your own schema for OpenLDAP. Anyway, you don’t expect support for an open-source project, do you? ;-)
The situation with FreeIPA is similar. There is no schema for it and you can try to develop your own based on the IBM-provided schema. When I talked to the FreeIPA guys, they were open to accepting the schema if someone were ready to support it.
Now you have the most important information to start with your architectural decision. Yes, I know. The majority of the readers just got the task from their manager:
connect this legacy AIX system to Windows Active Directory!
Without any further information - why?
This is the most important question!
Why do you want to connect AIX to Microsoft Active Directory and
what do you want to achieve by doing it?
When you configure a new LPAR on IBM Power, you always specify three values - minimum, desired and maximum. When the LPAR starts, the system tries to allocate the desired amount of resources to it. If it doesn’t have that many resources, it tries to allocate fewer, but if it has less than the minimum amount of resources, it doesn’t start the LPAR. On the other hand, if the LPAR is running and needs more resources, you can always add resources up to the maximum value. A very well-known concept.
Similarly, you must define your architecture. What is the desired outcome of the action? There are usually two answers:
we want to manage passwords and password policies in Active Directory
we have all our users in Active Directory manageable by <some team, some software, some process>. AIX must also be managed by the <same team, same software, same process>.
In the first case you don’t need LDAP at all. It is better to use Kerberos. Active Directory supports Kerberos natively and you don’t need any changes on the Active Directory side. On the AIX side you must install the Kerberos filesets (IBM Network Authentication Service) and prepare the configuration file for Kerberos. The problem is solved! If the user is locked in Active Directory, they can’t access AIX. If the user changed their password in Active Directory, the new password must be used to log in to AIX. Even better - you can configure Single Sign-on, and if the user is logged in on a Windows box, they can log in to AIX without entering any password.
In the second case, your company uses Active Directory as a dumb user directory. You have user accounts there, with their first and last names, departments and phone numbers. Everything is nice and good, but
do you have UIDs in Active Directory?
As a UNIX specialist you know that users and groups on UNIX are only numbers. Windows administrators know nothing about this. When they start with UIDs and GIDs, you usually get a mix of accounts with UIDs and accounts without UIDs at first. Some groups have GIDs, some don’t.
Who makes sure that every user in Active Directory has a unique numerical UID?
The same goes for groups - who makes sure that every group in Active Directory has a unique numerical GID?
Related to UIDs and GIDs, but of less importance, is the question of ID ranges. As an administrator you usually know that every user with a UID less than 200 is a system user. Some organizations introduce other ID ranges too - for technical users, for application users, for batch users and for personal users. Whether you need them, and if so how many, always depends on your environment.
Once we have clarified the question of UIDs and GIDs, we must clarify the next question: shells. Think about it! You have a centralized solution. It means you have everything centralized. The shell (the same goes for the home directory, but it is usually of less importance) is the same for all systems you have in your IT infrastructure. Your Linux colleagues have only /bin/bash. OK, they can have /bin/csh and /bin/zsh and some other fancy or not-so-fancy shells. But by default they have /bin/bash. You on your AIX system have /bin/ksh. If you already have AIX 7.3, you may have /bin/bash too. If you have AIX 7.2 and installed bash from the AIX Toolbox, you have it in /opt/freeware/bin/bash. Before you connect your AIX to Active Directory, you must go through all your servers and be sure that you have /bin/bash. Or you agree with your Linux and Active Directory fellows to change the default shell to /bin/ksh.
After you have agreed on all attributes you are almost done with the preparation. You only have to keep in mind that
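As an added example that is not part of the newsletter, here is a small audit that runs over an LDIF export of Active Directory (for instance the output of ldapsearch or ldifde) and reports exactly the preparation problems described above: users without a uidNumber, duplicate UIDs or GIDs, UIDs in the system range and login shells that were not agreed on. It assumes the RFC 2307 attributes uidNumber, gidNumber and loginShell are populated in Active Directory, that attribute values are plain text (base64 "::" values are not decoded), and the SAMPLE entries are constructed.

```python
# Added example, not the newsletter's code. Assumes an LDIF export of AD carrying the
# RFC 2307 attributes uidNumber/gidNumber/loginShell; SAMPLE below is constructed data.
from collections import defaultdict

SYSTEM_UID_MAX = 200                        # UIDs below this belong to system users
AGREED_SHELLS = {"/bin/ksh", "/bin/bash"}   # shells agreed with the Linux and AD teams

def parse_ldif(text):  # -> one {lowercased attribute: [values]} dict per LDIF entry
    entries = []
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def audit(text):  # -> list of (dn, problem) findings
    findings, seen = [], defaultdict(list)
    for e in parse_ldif(text):
        dn, classes = e["dn"][0], {c.lower() for c in e["objectclass"]}
        attr = "uidnumber" if "user" in classes else "gidnumber"   # non-users are groups
        if attr not in e:
            findings.append((dn, f"missing {attr}"))
            continue
        num = int(e[attr][0])
        seen[(attr, num)].append(dn)                                # collect for duplicates
        if attr == "uidnumber" and num < SYSTEM_UID_MAX:
            findings.append((dn, f"uidnumber {num} is in the system range"))
        if attr == "uidnumber" and e.get("loginshell", [""])[0] not in AGREED_SHELLS:
            findings.append((dn, "loginshell not agreed for AIX"))
    for (attr, num), dns in seen.items():
        if len(dns) > 1:
            findings.append((";".join(dns), f"duplicate {attr} {num}"))
    return findings

SAMPLE = """dn: CN=root,OU=Users,DC=example,DC=com
objectClass: user
uidNumber: 0

dn: CN=bob,OU=Users,DC=example,DC=com
objectClass: user

dn: CN=aixadm,OU=Groups,DC=example,DC=com
objectClass: group
gidNumber: 10000

dn: CN=linuxadm,OU=Groups,DC=example,DC=com
objectClass: group
gidNumber: 10000"""
```

Running `audit(SAMPLE)` flags the root lookalike twice (system-range UID, no agreed shell), bob for the missing uidNumber, and the two groups for sharing GID 10000.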
you can’t save all additional AIX attributes like fsize, core_dump, rlogin, su, and so on in Active Directory.
This means that even if your AIX box is connected to Active Directory, you still have to do some work locally on each AIX box. Forget about centralized RBAC roles, the Trusted Execution database or security policies. They don’t exist in the Active Directory world. The same goes for the FreeIPA and OpenLDAP worlds.
Don’t even try to put AIX system users like root into Active Directory!
I had a chance to see a funny situation which was not very funny for all participants. Active Directory had a user called root with UID 0, because someone from IT Security wanted to have it there. They had their reasons. IT Security scanned servers and tried to connect to them as root to check that root access was disabled. According to the policies of the shop, an account is locked after three unsuccessful logins. Because everything was centralized, after scanning just three servers the root account in Active Directory was locked. Nobody could work with the root account anymore.
These are the reasons why I suggest you use IBM Security Directory Server.
The solution with IBM Security Directory Server has many advantages.
You can manage your AIX users centrally in an LDAP directory with all the AIX features you need.
You can connect it to your Active Directory server and authenticate users through Active Directory while storing their data in the Directory Server.
It is free for use with AIX and you don’t have to pay any license fees if you manage only AIX servers.
Yeah, I already hear it - “I am an AIX administrator and not an LDAP administrator! Why should I learn it?” If you are one of those who think so, we are on different sides of the barricades. I had a colleague who told me - I am a Lotus administrator, not a developer, to develop scripts! Fortunately for him, he is a project manager now.
Be open to new knowledge! There is nothing better than learning something new if it helps you to succeed in your job. IBM Security Directory Server is part of the IBM AIX distribution, and if you are an AIX administrator, you must have at least some basic knowledge of how to work with it. You don’t need more than basic knowledge to install, configure and use it. Everything else I will show you.
The only REAL disadvantage of IBM Security Directory Server is that you may work in a highly regulated environment. In this case you may have a requirement that all work related to user accounts be done by dedicated people and be monitored. If you’ve heard the word GDPR (the European regulation on privacy), you should understand that working with user accounts is a type of work with personal data. In a “normal” environment it doesn’t cause any problems. But in highly regulated environments like banks, insurance companies or big manufacturers you may have special requirements for the hardware and software you use to maintain personal data. You may be subject to special audits. In this case it is of course understandable to move the job to the Active Directory team even if it is technically not the best solution.
I think you already understand that I prefer to use IBM Security Directory Server. That’s why we will start with it first. Our final architecture will be a highly available instance of IBM Security Directory Server acting as a proxy to Microsoft Active Directory. In this setup you manage all AIX-specific data in IBM Security Directory Server, but user authentication and password policies go through Active Directory.
In the next newsletter we will start with the installation of IBM Security Directory Server. Meanwhile:
Have fun with user management on AIX!
Andrey