rseabra edited this page Oct 30, 2019 · 4 revisions

How to add an AIX 7.1 TL5SP4 server to a FreeIPA/Red Hat IDM domain.

Pre-requirements

You might want to check out our releases page in order to download the packages referenced below.

Certification Authorities

You need to add your required CAs in PEM encoding for the OpenLDAP-based components (like sudo; note that we couldn't get sudo_ids to work) and in DER encoding for GSKit and the other IBM components. Only add CAs whose fingerprint you have verified out of band: whatever you put here is trusted for every LDAPS connection the host makes.

mkdir -p /etc/tls/ca

cat <<EOF > /etc/tls/ca/your_ca_1.crt
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
EOF
openssl x509 -outform der < /etc/tls/ca/your_ca_1.crt > /etc/tls/ca/your_ca_1.der

cat <<EOF > /etc/tls/ca/your_ca_2.crt
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
EOF
openssl x509 -outform der < /etc/tls/ca/your_ca_2.crt > /etc/tls/ca/your_ca_2.der

And so on...
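The following helper is an added example and not part of the wiki page: it only installs a CA into /etc/tls/ca (both encodings) after the certificate's SHA-256 fingerprint matches a value you obtained separately, for instance from an IPA server you already trust. The function name, the destination directory argument and the expected-fingerprint argument are this example's own conventions.

```sh
#!/bin/sh
# Added example, not from the wiki: install a CA into /etc/tls/ca only after
# its SHA-256 fingerprint matches a value obtained out of band. Pasting a PEM
# block that arrived by e-mail or chat and converting it blindly trusts
# whoever sent it.
# Usage: install_ca NAME PEMFILE EXPECTED_SHA256_FINGERPRINT [DESTDIR]
# DESTDIR defaults to /etc/tls/ca (assumed layout from the page); the
# fingerprint may be given with or without colons, in either case.

# Strip colons/spaces and upper-case hex so two fingerprints compare equal.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# SHA-256 fingerprint of a PEM certificate, without the "Fingerprint=" prefix.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

install_ca() {
    name=$1 pem=$2 expect=$3 dest=${4:-/etc/tls/ca}
    # Refuse anything openssl cannot parse as a single X.509 certificate.
    openssl x509 -in "$pem" -noout 2>/dev/null || {
        echo "$pem: not a PEM certificate" >&2; return 1; }
    got=$(cert_sha256 "$pem")
    if [ "$(norm_fp "$got")" != "$(norm_fp "$expect")" ]; then
        echo "$pem: fingerprint $got does not match expected $expect" >&2
        return 1
    fi
    mkdir -p "$dest"
    # PEM for the OpenLDAP side (sudo, ldapsearch), DER for GSKit (gsk8capicmd).
    openssl x509 -in "$pem" -out "$dest/$name.crt" -outform PEM &&
    openssl x509 -in "$pem" -out "$dest/$name.der" -outform DER &&
    chmod 0644 "$dest/$name.crt" "$dest/$name.der"
}
```

Call it once per CA, e.g. `install_ca your_ca_1 /tmp/your_ca_1.pem 'AB:CD:...'`; a mismatch leaves /etc/tls/ca untouched and returns non-zero.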

DNS

You should now point name resolution at your IPA domain (or at caching name servers that are secondaries of the IPA DNS):

cat <<EOF > /etc/resolv.conf
domain your.doma.in
nameserver ip.of.ipa.1
nameserver ip.of.ipa.2
nameserver ip.of.ipa.3
options rotate timeout:1 attempts:3
EOF

HOSTS_CONFIG="hosts = local, bind4"

# replace the whole existing "hosts" line (not just the keyword), or append one
if grep -q ^hosts /etc/netsvc.conf ; then
        perl -pi -e "s/^hosts.*/$HOSTS_CONFIG/" /etc/netsvc.conf
else
        echo "$HOSTS_CONFIG" >> /etc/netsvc.conf
fi

NTP

You should now configure NTP to use the same time sources as your IPA servers:

cat <<EOF > /etc/ntp.conf
server ip.of.ntp.1 version 3 prefer iburst
server ip.of.ntp.2 version 3 iburst
server ip.of.ntp.3 version 3 iburst
slewalways yes
driftfile /etc/ntp.drift
tracefile /var/log/ntp.trace
logfile /var/log/xntpd
EOF
touch /etc/ntp.drift
chrctcp -a /usr/sbin/xntpd
startsrc -s xntpd

YUM

You should also have a working yum environment. Please note that IBM's tarball doesn't include everything needed for a safe, working yum setup; you should additionally install the following (the versions may vary):

rpm -Uvh \
   aixtoolbox/RPMS/ppc/libxml2/libxml2-python-2.9.9-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/expat/expat-2.2.6-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/libxml2/libxml2-2.9.9-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/zlib/zlib-1.2.11-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/xz/xz-libs-5.2.4-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/ncurses/ncurses-6.1-2.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/python/python-2.7.16-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/python/python-devel-2.7.16-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/python/python-tools-2.7.16-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/bzip2/bzip2-1.0.6-3.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/readline/readline-8.0-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/texinfo/info-6.4-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/bash/bash-5.0-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/sqlite/sqlite-3.28.0-1.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/libiconv/libiconv-1.14-22.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc/libffi/libffi-3.2.1-3.aix6.1.ppc.rpm \
   aixtoolbox/RPMS/ppc-7.1/gcc/libstdcplusplus-6.3.0-2.aix7.1.ppc.rpm \
   aixtoolbox/RPMS/ppc-7.1/gcc/libgcc-6.3.0-2.aix7.1.ppc.rpm

System configurations

AIX limits user and group names to 8 characters by default, and IPA names are usually longer, so raise the limit (a reboot is needed for it to take effect):

chdev -l sys0 -a max_logname=33

Then tell the system to create home directories at login and to use LDAP as the main source for users, falling back to the local (compat) database:

chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
chsec -f /etc/security/user -s default -a SYSTEM="LDAP or compat"

Joining the IPA domain with IDS LDAP

It's now time to join the domain; first you need to install and set up both GSKit and IDSLDAP. First we install GSKit 8:

installp -acXgYd gskit/8.0.55.9-ISS-GSKIT-AIX-FP009 all

Now we need to accept the license and install IDSLDAP:

cd 6.4.0.19-ISS-ISDS-AIX-IF0019/license ; ./idsLicense -q
installp -acXgYd 6.4.0.19-ISS-ISDS-AIX-IF0019/images \
       idsldap.clt32bit64.rte idsldap.clt64bit64.rte \
       idsldap.clt_max_crypto32bit64.rte idsldap.clt_max_crypto64bit64.rte \
       idsldap.cltbase64.adt idsldap.cltbase64.rte \
       idsldap.license64.rte idsldap.msg64.en_US
slibclean
/opt/IBM/ldap/V6.4/bin/idslink -g -i -l 32 -f
/opt/IBM/ldap/V6.4/bin/idslink -g -i -l 64 -f
updtvpkg

That last command, updtvpkg, is of utmost importance: it registers the installp-installed IDSLDAP libraries with RPM, so that packages depending on them resolve their dependencies.

Actually joining the LDAP domain

First, set up the key database (trust store) that IDSLDAP uses to verify the IPA servers' certificates, with your required CAs. Use a strong password, not the one shown below, and note that gsk8capicmd takes it on the command line, so it lands in your shell history and is briefly visible in process listings:

cd /etc/security/ldap
rm -f ldap.crl ldap.kdb ldap.rdb ldap.sth
gsk8capicmd -keydb -create -db ldap.kdb
gsk8capicmd -cert -add -db ldap.kdb \
        -file /etc/tls/ca/your_ca_1.der -label your_ca_1
gsk8capicmd -cert -add -db ldap.kdb \
        -file /etc/tls/ca/your_ca_2.der -label your_ca_2

export KDBPASSWORD='A_rea11y_insecure_passw0rd!'
gsk8capicmd -keydb -changepw -new_pw ${KDBPASSWORD} -db ldap.kdb
gsk8capicmd -keydb -stashpw -pw ${KDBPASSWORD} -db ldap.kdb

And now, let's configure the system for the LDAP domain. The bind user only needs read access; mksecldap -c stores its credentials in /etc/security/ldap/ldap.cfg, so keep that file readable by root only:

export DOMAIN="dc=your,dc=own,dc=domain"
export BINDDN="uid=aix.bind.user,cn=users,cn=accounts,$DOMAIN"
export LDAPPASS='Another_freaking1y_insecure_passw0rd?'
mksecldap -c \
        -h ipa1.your.own.domain,ipa2.your.own.domain,ipa3.your.own.domain \
        -a $BINDDN -p ${LDAPPASS} \
        -d $DOMAIN -k /etc/security/ldap/ldap.kdb -w ${KDBPASSWORD} \
        -j SSL \
        -A ldap_auth -D ldap

sudo

I know IBM might like it more if one used sudo_ids but, to be quite frank, after losing some patience and also having to support sudo on Solaris with a similar configuration, I'd rather support actually similar configurations than multiple ones, if I can avoid it.

So sudo with OpenLDAP it is...

SUDO_CONFIG="sudoers = files, ldap"

# replace the whole existing "sudoers" line (not just the keyword), or append one
if grep -q ^sudoers /etc/netsvc.conf ; then
        perl -pi -e "s/^sudoers.*/$SUDO_CONFIG/" /etc/netsvc.conf
else
        echo "$SUDO_CONFIG" >> /etc/netsvc.conf
fi
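Both the hosts entry in the DNS section and the sudoers entry above edit /etc/netsvc.conf the same way. The helper below is an added example, not code from the wiki, that does this idempotently for any "key = value" line: it replaces the whole matching line (the perl one-liners that substitute only the keyword would turn an existing "hosts = local, bind" into "hosts = local, bind4 = local, bind") and appends the line when the key is absent. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the wiki: idempotent "KEY = VALUE" editing for
# AIX-style configuration files such as /etc/netsvc.conf.
# Usage: set_kv FILE KEY VALUE    get_kv FILE KEY

set_kv() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # keep every other line (comments included); rewrite the matching one
        awk -v k="$key" -v v="$value" '
            $0 ~ "^[[:space:]]*" k "[[:space:]]*=" { print k " = " v; next }
            { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value currently set for KEY in FILE (nothing if unset).
get_kv() {
    awk -v k="$2" '
        $0 ~ "^[[:space:]]*" k "[[:space:]]*=" {
            sub("^[[:space:]]*" k "[[:space:]]*=[[:space:]]*", "")
            print; exit }' "$1"
}
```

With it the two snippets on this page collapse to `set_kv /etc/netsvc.conf hosts "local, bind4"` and `set_kv /etc/netsvc.conf sudoers "files, ldap"`; mv replaces the file, so re-check its ownership and mode if your umask is unusual.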

yum -y install sudo

cat <<EOF > /etc/sudo.conf
Plugin sudoers_policy /opt/freeware/libexec/sudo/sudoers.so ldap_conf=/etc/ldap.conf
#Debug sudo /var/log/sudo_debug all@debug,plugin@debug
EOF

perl -e 'print $ENV{LDAPPASS}; ' > /etc/ldap.secret
chgrp sshd /etc/ldap.secret
chmod 0440 /etc/ldap.secret

cat <<EOF > /etc/ldap.conf
BIND_TIMELIMIT    5
ROOTBINDDN      uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain

DEREF           never
URI             ldaps://ipa1.your.own.domain/ ldaps://ipa2.your.own.domain/ ldaps://ipa3.your.own.domain/
BASE            dc=your,dc=own,dc=domain
SUDOERS_BASE    ou=SUDOers,dc=your,dc=own,dc=domain
NETGROUP_BASE   cn=ng,cn=compat,dc=your,dc=own,dc=domain
#SUDOERS_DEBUG 1

TIMELIMIT       60

TLS_CACERT      /etc/tls/ca/your_ca_1.crt
EOF

SSH

Now configure AIX's OpenSSH to use PAM and to fetch users' SSH public keys from the IPA domain:

cat <<EOF >> /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/sbin/ssh-getkey-ldap
AuthorizedKeysCommandUser sshd
EOF

perl -pi -e 's,^UsePAM.*,UsePAM yes,' /etc/ssh/sshd_config

cat <<'EOF' > /usr/sbin/ssh-getkey-ldap
#!/bin/sh
#
# AuthorizedKeysCommand: print the ipaSshPubKey values of the login name
# that sshd passes as $1. That name comes from the SSH client and is
# untrusted, so it is checked against an allowlist before it reaches a filter.

export LDAPCONF='/etc/ldap.conf'

log() {
        /usr/bin/logger -i -t sshd -p "auth.$1" "$2"
}

uid="$1"

if [ ! -r "$LDAPCONF" ]; then
        log err "file $LDAPCONF does not exist or not readable"
        exit 1
fi

# Only these characters may reach the LDAP filter; parentheses, '*', '\'
# or spaces could alter the search.
if ! expr "$uid" : '[a-zA-Z0-9._-]*$' 1>/dev/null; then
        log err "bad characters in username: $uid"
        exit 2
fi

BINDDN=$( /usr/bin/awk '/^ROOTBINDDN/ {print $2}' "$LDAPCONF" )
BASE=$( /usr/bin/awk '/^BASE/ {print $2}' "$LDAPCONF" )
URI=$( /usr/bin/awk '/^URI/ {$1=""; print}' "$LDAPCONF" | sed -e 's/^ *//; s/  */ /g' )

#export DEBUG="-d 100 -v"

# -y reads the bind password from /etc/ldap.secret (written without a
# trailing newline); sshd runs this as AuthorizedKeysCommandUser, which is
# why that file is group-readable by sshd.
/opt/freeware/bin/ldapsearch $DEBUG -x -LLL -H "$URI" -D "$BINDDN" -y "/etc/ldap.secret" \
        -b "cn=users,cn=accounts,$BASE" -o ldif-wrap=no \
        "(&(uid=$uid)(ipaSshPubKey=*))" 'ipaSshPubKey' | \
         sed -n 's/^ipaSshPubKey: *\(.*\)$/\1/p;'
EOF
chmod 0755 /usr/sbin/ssh-getkey-ldap
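The login name that sshd hands to ssh-getkey-ldap is chosen by the SSH client, and the script splices it straight into an LDAP search filter, so the character allowlist is what stands between a remote user and a filter such as "(&(uid=*)(ipaSshPubKey=*))" that would return somebody else's keys. The block below is an added example, not code from the wiki: it isolates that check so it can be exercised offline, and adds RFC 4515 escaping for the case where a directory allows characters the allowlist rejects. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the wiki: input handling for an AuthorizedKeysCommand
# that builds an LDAP filter from the client-supplied login name.

# Allowlist check with the same character class the wiki script uses.
# Returns 0 when the name may be used verbatim in a filter, 1 otherwise.
valid_uid() {
    case "$1" in
        '') return 1 ;;
        *[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# RFC 4515 escaping for a value that must go into a filter anyway:
# each of \ * ( ) becomes \XX. Backslash first so it is not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter the wiki's ldapsearch uses, refusing names that fail the allowlist.
sshkey_filter() {
    valid_uid "$1" || return 1
    printf '(&(uid=%s)(ipaSshPubKey=*))' "$1"
}
```

The allowlist is the stronger control: with it in place the escaping is never needed, but if you relax the character class (for instance to allow spaces), route the name through ldap_filter_escape before building the filter.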

Setup pam_ipahbac

This example is for AIX's OpenSSH and ipahbac's own test program:

In /etc/pam.conf:

(...)
sshd    account required        pam_aix
sshd    account required        pam_ipahbac.so blameGetOpt -k /etc/security/ldap/ldap.kdb -U aix.bind.user -b dc=your,dc=own,dc=domain -P /etc/ldap.secret -l ipa1.your.own.domain,ipa2.your.own.domain,ipa3.your.own.domain -x /etc/hbac_exclude
(...)
# only for testing, not needed in production
ipahbac_test account    required     pam_ipahbac.so blameGetOpt -k /etc/security/ldap/ldap.kdb -U aix.bind.user -b dc=your,dc=own,dc=domain -P /etc/ldap.secret -l ipa1.your.own.domain,ipa2.your.own.domain,ipa3.your.own.domain -x /etc/hbac_exclude
  • NOTE: pam_ipahbac MUST come AFTER pam_aix; otherwise the user's attributes were, at random, not queried from the LDAP servers, for reasons unknown (see Known Issues below).
  • In /etc/hbac_exclude, place the users that should not be subject to HBAC, namely root and functional users that require login (e.g. via ssh). Keep that list short: every name in it bypasses the IPA access rules entirely.

I couldn't get pam_hbac to work; it should have been something like this but... meh... If you would really rather have pam_hbac (in a way, I'd prefer that too, even though I think my module is way simpler), suggest that they take a look at this code, especially the RPM spec, to learn how to compile for AIX.

ipahbac_test account    required     pam_hbac.so ignore_unknown_user ignore_authinfo_unavail

and then

cat <<EOF > /etc/pam_hbac.conf
URI = ldaps://ipa1.your.own.domain,ldaps://ipa2.your.own.domain,ldaps://ipa3.your.own.domain/
BASE = dc=your,dc=own,dc=domain
BIND_DN = uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain
BIND_PW = Another_freaking1y_insecure_passw0rd!
SSL_PATH = /etc/tls/ca/your_ca_1.crt
EOF

Known Issues

You entered an invalid login name or password

We saw the following intermittent error when pam_ipahbac was run before pam_aix for sshd:

[me@desktop ~]$ ssh me@aix-server
3004-300 You entered an invalid login name or password.

Connection closed by aix.server.ip.addr port 22

When this error happened, the AIX server never even tried to fetch the user's information from the LDAP server; when no error happened (most attempts were successful), it did.

Example of log when it fails

First, sshd looks up the user's key three times (OpenSSH runs AuthorizedKeysCommand once for each public key the client offers and again for the key whose signature it verifies, so several lookups per login are normal), then pam_ipahbac checks HBAC, then nothing follows.

[25/Oct/2019:13:23:31.587649150 +0100] conn=1456 op=2 SRCH base="cn=users,cn=compat,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=john.doe))" attrs=ALL
[25/Oct/2019:13:23:31.588132889 +0100] conn=1456 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000651205
[25/Oct/2019:13:23:31.622675597 +0100] conn=1457 fd=75 slot=75 SSL connection from aix.ser.ver to ipa1.your.own.domain
[25/Oct/2019:13:23:31.623160756 +0100] conn=1457 TLS1.2 256-bit AES-GCM
[25/Oct/2019:13:23:31.623269066 +0100] conn=1457 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:13:23:31.623664550 +0100] conn=1457 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000957326 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:13:23:31.624020141 +0100] conn=1457 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:23:31.624493686 +0100] conn=1457 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000519335
[25/Oct/2019:13:23:31.625034382 +0100] conn=1457 op=2 UNBIND
[25/Oct/2019:13:23:31.625044966 +0100] conn=1457 op=2 fd=75 closed - U1
[25/Oct/2019:13:23:31.669212952 +0100] conn=1458 fd=75 slot=75 SSL connection from aix.ser.ver to ipa1.your.own.domain
[25/Oct/2019:13:23:31.669632448 +0100] conn=1458 TLS1.2 256-bit AES-GCM
[25/Oct/2019:13:23:31.669724650 +0100] conn=1458 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:13:23:31.670042602 +0100] conn=1458 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000804540 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:13:23:31.670458742 +0100] conn=1458 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:23:31.670802386 +0100] conn=1458 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000394416
[25/Oct/2019:13:23:31.671315011 +0100] conn=1458 op=2 UNBIND
[25/Oct/2019:13:23:31.671325589 +0100] conn=1458 op=2 fd=75 closed - U1
[25/Oct/2019:13:23:32.603764524 +0100] conn=1459 fd=75 slot=75 SSL connection from aix.ser.ver to ipa1.your.own.domain
[25/Oct/2019:13:23:32.604289191 +0100] conn=1459 TLS1.2 256-bit AES-GCM
[25/Oct/2019:13:23:32.604427360 +0100] conn=1459 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:13:23:32.604789480 +0100] conn=1459 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000986106 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:13:23:32.605165140 +0100] conn=1459 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:23:32.605501608 +0100] conn=1459 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000393514
[25/Oct/2019:13:23:32.606018106 +0100] conn=1459 op=2 UNBIND
[25/Oct/2019:13:23:32.606029546 +0100] conn=1459 op=2 fd=75 closed - U1
[25/Oct/2019:13:23:32.700992871 +0100] conn=1460 fd=75 slot=75 SSL connection from aix.ser.ver to ipa1.your.own.domain
[25/Oct/2019:13:23:32.701499401 +0100] conn=1460 TLS1.2 256-bit AES-GCM
[25/Oct/2019:13:23:32.701635249 +0100] conn=1460 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:13:23:32.701980949 +0100] conn=1460 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000951962 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:13:23:32.702457972 +0100] conn=1460 op=1 SRCH base="cn=hbac,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=ipahbacrule)(ipaEnabledFlag=true)(accessRuleType=allow))" attrs="memberUser memberHost memberService userCategory hostCategory serviceCategory"
[25/Oct/2019:13:23:32.702781634 +0100] conn=1460 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000405412
[25/Oct/2019:13:23:32.703229402 +0100] conn=1460 op=2 SRCH base="cn=groups,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixgroup)(cn=group1)(member=uid=john.doe,cn=users,cn=accounts,dc=your,dc=own,dc=domain))" attrs="member"
[25/Oct/2019:13:23:32.703847405 +0100] conn=1460 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000666738
[25/Oct/2019:13:23:32.704342778 +0100] conn=1460 op=-1 fd=75 closed - B1

Example of when it succeeds

First, sshd looks up the user's key three times (normal, as explained above), then pam_ipahbac checks HBAC, then finally idsldap requests the user's information from the compat tree (this is what is missing when it fails).

[25/Oct/2019:13:24:30.702898139 +0100] conn=1461 fd=77 slot=77 SSL connection from aix.ser.ver to ipa1.your.own.domain
[25/Oct/2019:13:24:30.703476275 +0100] conn=1461 TLS1.2 256-bit AES-GCM
[25/Oct/2019:13:24:30.703606748 +0100] conn=1461 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:13:24:30.703976036 +0100] conn=1461 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001029909 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:13:24:30.704354335 +0100] conn=1461 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:24:30.704794846 +0100] conn=1461 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000498607
[25/Oct/2019:13:24:30.705373406 +0100] conn=1461 op=2 UNBIND
[25/Oct/2019:13:24:30.705385463 +0100] conn=1461 op=2 fd=77 closed - U1
[25/Oct/2019:13:24:30.732912477 +0100] conn=1462 fd=77 slot=77 SSL connection from aix.ser.ver to ipa1.your.own.domain
[25/Oct/2019:13:24:30.733563106 +0100] conn=1462 TLS1.2 256-bit AES-GCM
[25/Oct/2019:13:24:30.733723989 +0100] conn=1462 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:13:24:30.734243560 +0100] conn=1462 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001278818 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:13:24:30.734677960 +0100] conn=1462 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:24:30.735185792 +0100] conn=1462 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000600715
[25/Oct/2019:13:24:30.735751636 +0100] conn=1462 op=2 UNBIND
[25/Oct/2019:13:24:30.735770823 +0100] conn=1462 op=2 fd=77 closed - U1
[25/Oct/2019:13:24:31.591240285 +0100] conn=1456 op=-1 fd=74 closed - B1
[25/Oct/2019:13:24:31.681862055 +0100] conn=1463 fd=74 slot=74 SSL connection from aix.ser.ver to ipa1.your.own.domain
[25/Oct/2019:13:24:31.682379187 +0100] conn=1463 TLS1.2 256-bit AES-GCM
[25/Oct/2019:13:24:31.682518688 +0100] conn=1463 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:13:24:31.682928027 +0100] conn=1463 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001018791 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:13:24:31.683289835 +0100] conn=1463 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:24:31.683625638 +0100] conn=1463 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000396366
[25/Oct/2019:13:24:31.684162065 +0100] conn=1463 op=2 UNBIND
[25/Oct/2019:13:24:31.684173734 +0100] conn=1463 op=2 fd=74 closed - U1
[25/Oct/2019:13:24:31.779024451 +0100] conn=1464 fd=74 slot=74 SSL connection from aix.ser.ver to ipa1.your.own.domain
[25/Oct/2019:13:24:31.779772097 +0100] conn=1464 TLS1.2 256-bit AES-GCM
[25/Oct/2019:13:24:31.779989168 +0100] conn=1464 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:13:24:31.780629548 +0100] conn=1464 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001542955 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:13:24:31.781081812 +0100] conn=1464 op=1 SRCH base="cn=hbac,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=ipahbacrule)(ipaEnabledFlag=true)(accessRuleType=allow))" attrs="memberUser memberHost memberService userCategory hostCategory serviceCategory"
[25/Oct/2019:13:24:31.781455885 +0100] conn=1464 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000475100
[25/Oct/2019:13:24:31.781963320 +0100] conn=1464 op=2 SRCH base="cn=groups,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixgroup)(cn=group1)(member=uid=john.doe,cn=users,cn=accounts,dc=your,dc=own,dc=domain))" attrs="member"
[25/Oct/2019:13:24:31.782620812 +0100] conn=1464 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000736214
[25/Oct/2019:13:24:31.783114730 +0100] conn=1464 op=-1 fd=74 closed - B1
[25/Oct/2019:13:24:32.368064861 +0100] conn=1465 fd=74 slot=74 SSL connection from aix.ser.ver to ipa1.your.own.domain
[25/Oct/2019:13:24:32.368669829 +0100] conn=1465 TLS1.2 256-bit AES-GCM
[25/Oct/2019:13:24:32.368783513 +0100] conn=1465 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:13:24:32.369132112 +0100] conn=1465 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001032554 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:13:24:32.369674822 +0100] conn=1465 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="vendorName objectClass isglobalcatalogready"
[25/Oct/2019:13:24:32.370684636 +0100] conn=1465 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001062621
[25/Oct/2019:13:24:32.790839922 +0100] conn=1465 op=2 SRCH base="cn=users,cn=compat,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=default))" attrs=ALL
[25/Oct/2019:13:24:32.790953948 +0100] conn=1465 op=2 RESULT err=0 tag=101 nentries=0 etime=0.0000240758
[25/Oct/2019:13:24:32.804068949 +0100] conn=1465 op=3 SRCH base="cn=groups,cn=compat,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixgroup)(memberUid=john.doe))" attrs="gidNumber"
[25/Oct/2019:13:24:32.804445567 +0100] conn=1465 op=3 RESULT err=0 tag=101 nentries=2 etime=0.0000448661
[25/Oct/2019:13:24:32.808140219 +0100] conn=1465 op=4 SRCH base="cn=groups,cn=compat,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixgroup)(gidNumber=1345000005))" attrs="cn gidNumber"
[25/Oct/2019:13:24:32.808358991 +0100] conn=1465 op=4 RESULT err=0 tag=101 nentries=1 etime=0.0000273536
[25/Oct/2019:13:24:32.813506694 +0100] conn=1465 op=5 SRCH base="cn=groups,cn=compat,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixgroup)(gidNumber=1345000005))" attrs="cn gidNumber"
[25/Oct/2019:13:24:32.813624139 +0100] conn=1465 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0000184252
[25/Oct/2019:13:24:32.816112415 +0100] conn=1465 op=6 SRCH base="cn=groups,cn=compat,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixgroup)(cn=john.doe))" attrs=ALL
[25/Oct/2019:13:24:32.816309150 +0100] conn=1465 op=6 RESULT err=0 tag=101 nentries=1 etime=0.0000256788
[25/Oct/2019:13:24:32.825098552 +0100] conn=1465 op=7 SRCH base="cn=groups,cn=compat,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixgroup)(cn=tty))" attrs=ALL
[25/Oct/2019:13:24:32.825160526 +0100] conn=1465 op=7 RESULT err=0 tag=101 nentries=0 etime=0.0000133359

This was solved by running pam_aix before pam_ipahbac.

Since the actual cause was not identified, nothing prevents this bug from recurring; maybe a future AIX update will provide better diagnostics.
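The diagnosis above was done by reading the 389-ds access log by eye. The script below is an added example, not part of the wiki, that applies the same reading automatically: for one login attempt it counts the AuthorizedKeysCommand lookups, records whether the HBAC rule search happened, and whether any compat-tree query followed it (the step that is absent when the login fails). The two embedded log excerpts are constructed, shortened copies of the entries shown above; the function name is this example's own.

```sh
#!/bin/sh
# Added example, not from the wiki: summarise one sshd login attempt from a
# 389-ds access log. Usage: login_trace LOGFILE UID   ("-" reads stdin)
# Prints "keys=N hbac=yes|no compat=yes|no".

login_trace() {
    awk -v uid="$2" '
        / SRCH / {
            if (index($0, "filter=\"(&(uid=" uid ")(ipaSshPubKey=*))\"")) keys++
            else if (index($0, "base=\"cn=hbac,")) hbac = 1
            # only compat lookups AFTER the HBAC check count: that is the
            # user/group resolution the failing attempts never reach
            else if (hbac && index($0, ",cn=compat,")) compat = 1
        }
        END { printf "keys=%d hbac=%s compat=%s\n", keys + 0,
                     (hbac ? "yes" : "no"), (compat ? "yes" : "no") }' "$1"
}

# Constructed sample: the failing attempt (abbreviated from the log above).
fail_log() {
cat <<'EOF'
[25/Oct/2019:13:23:31 +0100] conn=1456 op=2 SRCH base="cn=users,cn=compat,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixaccount)(uid=john.doe))" attrs=ALL
[25/Oct/2019:13:23:31 +0100] conn=1457 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:23:31 +0100] conn=1458 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:23:32 +0100] conn=1459 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:23:32 +0100] conn=1460 op=1 SRCH base="cn=hbac,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=ipahbacrule)(ipaEnabledFlag=true)(accessRuleType=allow))" attrs="memberUser memberHost"
[25/Oct/2019:13:23:32 +0100] conn=1460 op=2 SRCH base="cn=groups,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixgroup)(cn=group1)(member=uid=john.doe,cn=users,cn=accounts,dc=your,dc=own,dc=domain))" attrs="member"
EOF
}

# Constructed sample: the successful attempt (abbreviated from the log above).
ok_log() {
cat <<'EOF'
[25/Oct/2019:13:24:30 +0100] conn=1461 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:24:30 +0100] conn=1462 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:24:31 +0100] conn=1463 op=1 SRCH base="cn=users,cn=accounts,dc=your,dc=own,dc=domain" scope=2 filter="(&(uid=john.doe)(ipaSshPubKey=*))" attrs="ipaSshPubKey"
[25/Oct/2019:13:24:31 +0100] conn=1464 op=1 SRCH base="cn=hbac,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=ipahbacrule)(ipaEnabledFlag=true)(accessRuleType=allow))" attrs="memberUser memberHost"
[25/Oct/2019:13:24:32 +0100] conn=1465 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="vendorName objectClass isglobalcatalogready"
[25/Oct/2019:13:24:32 +0100] conn=1465 op=3 SRCH base="cn=groups,cn=compat,dc=your,dc=own,dc=domain" scope=2 filter="(&(objectClass=posixgroup)(memberUid=john.doe))" attrs="gidNumber"
EOF
}
```

Run it against a real log with `login_trace /var/log/dirsrv/slapd-INSTANCE/access john.doe` after filtering the file down to one attempt's time window; "hbac=yes compat=no" is the signature of the failure described above.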

Failed to search (objectclass=*) from the LDAP server in syslog

idsldap shows an error in syslog periodically:

Oct 25 14:02:57 aix-server daemon:warn|warning secldapclntd: 3001-718 Failed to search (objectclass=*) from the LDAP server.

At IPA server's LDAP log one can see that the query returned success with one entry:

[25/Oct/2019:14:02:57.710436160 +0100] conn=1622 fd=75 slot=75 SSL connection from aix.server.ip.addr to ipa1.your.own.domain
[25/Oct/2019:14:02:57.711125662 +0100] conn=1622 TLS1.2 256-bit AES-GCM
[25/Oct/2019:14:02:57.711265541 +0100] conn=1622 op=0 BIND dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain" method=128 version=3
[25/Oct/2019:14:02:57.711700358 +0100] conn=1622 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001214822 dn="uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain"
[25/Oct/2019:14:02:57.712233660 +0100] conn=1622 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="vendorName objectClass isglobalcatalogready"
[25/Oct/2019:14:02:57.713412277 +0100] conn=1622 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001270685

With OpenLDAP's ldapsearch it was verified that the query indeed returns an entry with two of the three requested attributes (isglobalcatalogready is absent, as 389-ds does not define it):

[root@ipa1.your.own.domain ~]# ldapsearch -y aixPasswordFile -D uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain -s base -b "" '(objectClass=*)' vendorName objectClass isglobalcatalogready
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: vendorName objectClass isglobalcatalogready
#

#
dn:
vendorName: 389 Project
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The same with IDSLDAP's ldapsearch:

[ root@aix-server ] /root # ldapsearch -v -w $( cat /etc/ldap.secret ) -P 'A_rea11y_insecure_passw0rd!' -K /etc/security/ldap/ldap.kdb -Z -h ipa1.your.own.domain -s base -D uid=aix.bind.user,cn=users,cn=accounts,dc=your,dc=own,dc=domain -b "" '(objectClass=*)' vendorName objectClass isglobalcatalogready
ldap_ssl_client_init( /etc/security/ldap/ldap.kdb, tol_MeysdoofdoircIs3, 0, &failureReasonCode )
ldap_ssl_init( ipa1.your.own.domain, 636, NULL )
filter pattern: (objectClass=*)
returning: vendorName objectClass isglobalcatalogready
filter is: ((objectClass=*))

vendorName=389 Project
objectClass=top
1 matches

The current theory is that this is a bug in IDSLDAP, triggered by the missing isglobalcatalogready attribute, which it then reports incorrectly as a search failure.

No issue derived from this situation was detected.