I can and use IPA users on an AIX client. As well as groups. But somehow group membership does not seem to be configured correctly...
# id y179768
uid=1246660005(y179768) gid=1246660005(y179768)
# lsgroup -R LDAP ipa-aix-g
ipa-aix-g id=1246690508 users= registry=LDAP
Does anyone have a hint what could be misconfigured?
Ronald Wimmer via FreeIPA-users wrote:
There isn't enough information. How is LDAP configured, what search bases?
What is ipa-aix-g? What membership do you expect?
How does the group relate to the user you id'd?
rob
On 20.06.23 15:45, Rob Crittenden via FreeIPA-users wrote:
I'll try to clarify.
ipa-aix-g is the IPA group containing several members, y179768 for example.
/etc/security/ldap/ldap.cfg:
userbasedn:cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at
groupbasedn:cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at
On 20.06.23 15:51, Ronald Wimmer via FreeIPA-users wrote:
I would expect the id command to list the IPA group and the lsgroup command to list the user's UID.
On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote:
Which LDAP schema is the AIX configuration expecting to use? RFC2307 or RFC2307bis?
The primary LDAP tree in FreeIPA is using RFC2307bis (e.g. member/memberof, not memberuid attributes).
On 20.06.23 15:57, Alexander Bokovoy wrote:
I did not do the AIX client configuration myself. I am just trying to assist my AIX colleagues in finding the problem...
What I saw were two map files in /etc/security/ldap named 2307user.map and 2307group.map. So I am suspecting that they are trying to use RFC2307. In order to use that we would need to use a different configuration? Is this where the compat tree comes into place?
On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote:
Correct. If your clients are using RFC2307, the compat tree is what could be used to provide them the data in the format they expect. However, I'd rather ask AIX admins to use RFC2307bis. For example, https://www.ibm.com/support/pages/aix-how-configure-aix-ldap-or-krb5ldap-cli... talks about other maps for AD (which is also using member/memberof, not memberuid).
On 20.06.23 16:08, Alexander Bokovoy wrote:
Thanks for your input Alexander & Rob!
In my opinion RFC2307bis would also be the way to go. Thanks for the link. I'll have some time for that on Friday. I'll get back to this thread with how it worked out.
On 20.06.23 16:08, Alexander Bokovoy wrote:
Just to avoid any confusion. Is the link you provided an example for 2307bis configuration? I am asking because the term "2307bis" is not mentioned at all in the article...
Ronald Wimmer via FreeIPA-users wrote:
It isn't and the group configuration is rather subtle.
Near as I can tell you want to look for:
#users SEC_LIST memberUid m na yes
users SEC_LIST member m na yes
memberUid is RFC 2307 and member is RFC 2307bis.
It's tough for us to provide user-support for non-Linux installs because we don't have access to all versions, hardware, etc. (we tried and failed early on). Your best bet is always to ask the vendor for support, but we do what we can when possible.
rob
On 21.06.23 17:29, Rob Crittenden via FreeIPA-users wrote:
I tried to configure an AIX client the bis way. Now the IPA group shows its members. Perfect. However, the id command does not list the IPA group. As a result, sudo commands do not work because these rights were given to the IPA group.
I've added
groups SEC_LIST memberof s na yes
to the 2307bisuser.map file because I thought that might fit. But unfortunately it did not.
What might I be missing?
On 23.06.23 10:26, Ronald Wimmer via FreeIPA-users wrote:
Forgot to mention that lsuser -R LDAP someuser also does not reveal the IPA group.
On 23.06.23 11:34, Ronald Wimmer via FreeIPA-users wrote:
Andrey Klyachkin from IBM answered my question on LinkedIn:
> Ronald, did you check LDAP client mappings on AIX? By default if you followed the article AIX will search for memberUid attribute in cn=groups. It is RFC2307, not RFC2307bis. You can update /etc/security/ldap/2307group.map (or create your own map) and define member attribute instead of memberUid. After restart secldapclntd should find the secondary groups.
> Another possible confusion place - AIX expects usernames in member or memberUid attribute. If your LDAP administrator wrote user's full CN in the attribute instead of just username, AIX will not identify it as a secondary group for the user. As far as I could test IPA doesn't allow to write just usernames into the attribute and wants to have full CNs.
(https://www.linkedin.com/feed/update/urn:li:ugcPost:7059442334530207744?comm... )
Could this be the issue?
Ronald Wimmer via FreeIPA-users wrote:
It's hard to say because you keep referring to groups not showing up but providing no details on what that means. Also, understand that the IPA team has extremely limited and dated knowledge of AIX. This is about all we have, written in probably 2010: https://freeipa.org/page/ConfiguringAixClients.html
This goes back to the difference between the two RFCs and how they configure membership. If AIX wants a login name then memberUid/RFC2307 is what you want (cn=compat).
Your best bet is to reach out to IBM directly and ask how to configure authentication and nss services against an LDAP server. If the instructions include member/memberof then you can use the main IPA trees. If not use cn=compat.
Or search the archives of this list. There have been AIX questions before.
rob
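As an added illustration (not code from this thread, from FreeIPA or from AIX), the Python model below reproduces the mismatch Rob and Alexander describe: it resolves group membership once with a memberUid (RFC 2307) map and once with a member (RFC 2307bis) map, against constructed copies of the ipa-aix-g entry in the primary tree and in cn=compat. The base DNs are taken from Ronald's ldap.cfg; the cn=compat group base, the second member and all entry contents are assumptions made for the example.

```python
"""Model of how an LDAP client resolves a user's secondary groups under the
RFC 2307 (memberUid = login name) and RFC 2307bis (member = user DN)
mappings.  Every directory entry below is constructed sample data."""

# Base DNs as given in Ronald's /etc/security/ldap/ldap.cfg; the compat base
# is an assumption following FreeIPA's usual cn=compat layout.
USER_BASE = "cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at"
GROUP_BASE = "cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at"
COMPAT_GROUP_BASE = "cn=groups,cn=compat,dc=linux,dc=mydomain,dc=at"

# Constructed entries: the primary tree carries RFC 2307bis 'member' DNs,
# the compat view of the same group carries RFC 2307 'memberUid' names.
DIRECTORY = {
    f"cn=ipa-aix-g,{GROUP_BASE}": {
        "gidNumber": ["1246690508"],
        "member": [f"uid=y179768,{USER_BASE}", f"uid=otheruser,{USER_BASE}"],
    },
    f"cn=ipa-aix-g,{COMPAT_GROUP_BASE}": {
        "gidNumber": ["1246690508"],
        "memberUid": ["y179768", "otheruser"],
    },
}


def parse_map_line(line):
    """Parse one AIX attribute-map line such as
    'users SEC_LIST member m na yes' into (aix_attribute, ldap_attribute).
    Returns None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed map line: {line!r}")
    return fields[0], fields[2]


def login_from_value(value, member_attr, user_base):
    """Turn one membership value into a login name, or None if it cannot be
    matched.  memberUid values are login names already; member values are
    DNs and must sit directly under the user base to be resolved."""
    if member_attr.lower() == "memberuid":
        return value
    rdn, sep, parent = value.partition(",")
    if sep and parent.lower() == user_base.lower() and rdn.lower().startswith("uid="):
        return rdn[4:]
    return None  # a DN from elsewhere (or a non-DN value) is not resolvable


def secondary_groups(username, group_base, member_attr, user_base=USER_BASE):
    """Names of groups under group_base whose member_attr lists username,
    i.e. what 'id' would show as the user's secondary groups."""
    suffix = "," + group_base.lower()
    groups = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(suffix):
            continue
        logins = {login_from_value(v, member_attr, user_base)
                  for v in attrs.get(member_attr, [])}
        if username in logins:
            groups.append(dn.split(",", 1)[0][3:])  # strip the leading 'cn='
    return sorted(groups)


def members_of(group_name, group_base, member_attr, user_base=USER_BASE):
    """Login names listed in the group, i.e. what 'lsgroup' shows as users=.
    Unresolvable values are dropped, which is exactly why a memberUid map
    against the member-based primary tree comes back empty."""
    attrs = DIRECTORY.get(f"cn={group_name},{group_base}", {})
    names = [login_from_value(v, member_attr, user_base)
             for v in attrs.get(member_attr, [])]
    return sorted(n for n in names if n)


if __name__ == "__main__":
    for label, base, line in [
        ("2307 map, primary tree:   ", GROUP_BASE, "users SEC_LIST memberUid m na yes"),
        ("2307bis map, primary tree:", GROUP_BASE, "users SEC_LIST member m na yes"),
        ("2307 map, compat tree:    ", COMPAT_GROUP_BASE, "users SEC_LIST memberUid m na yes"),
    ]:
        _, attr = parse_map_line(line)
        print(label, "users=", members_of("ipa-aix-g", base, attr),
              "groups of y179768:", secondary_groups("y179768", base, attr))
```

The first combination reproduces the empty users= from the opening post; the other two are the two fixes discussed (switch the map to member, or point the client at cn=compat).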
I just tried the approach above from Linkedin and it worked perfectly for me.
I'm curious, are there any other OSes with compatibility views? I'll look for documentation, but I'm expecting I'll have to read through the schema.
I also found this reference, and I'm wondering if anyone can comment on its accuracy. I'm still trying to digest it:
https://pagure.io/slapi-nis/raw/master/f/doc/ipa/sch-ipa.txt
Chris Cowan via FreeIPA-users wrote:
> I just tried the approach above from Linkedin and it worked perfectly for me.
> I'm curious, are there any other OSes with compatibility views?
Solaris also uses RFC2307 IIRC.
> I'll look for documentation, but I'm expecting I'll have to read through the schema.
> I also found this reference, and I'm wondering if anyone can comment on its accuracy. I'm still trying to digest it:
> https://pagure.io/slapi-nis/raw/master/f/doc/ipa/sch-ipa.txt
I'm not aware of any issues with it.
rob