March 12, 2011 11:39 pm
Question: How does AIX determine primary and secondary group membership for LDAP users?
Answer: How AIX Determines Group Membership for LDAP Users
This document will explain how AIX determines primary and secondary group membership for LDAP users. Specific examples will be shown as well as debug and testcase collection information.
1) LDAP users must belong to LDAP groups
AIX has a requirement that LDAP users MUST belong to LDAP groups. In other words, all the possible groups that an LDAP user is a member of must be defined on LDAP. An LDAP user cannot be a member of a local group.
This LDAP group requirement is by design, as a quote from development explains:
"AIX has strict checks to maintain user/group integrity. It is designed that each domain works as a separate entity and there is no mix between users/groups from multiple domains."
2) Configuration files that affect group membership lookup
There are three files that control how AIX determines group membership:
- /etc/security/ldap/ldap.cfg
- user map
- group map
To determine the exact user and group map file name, look at the userattrmappath and groupattrmappath options in the ldap.cfg file.
ldap.cfg file
The ldap.cfg file provides the following information:
- groupbasedn - specifies where group entries reside on the LDAP server
- userattrmappath - user map file
- groupattrmappath - group map file
- groupclasses - objectclass(es) associated with group entry
user map file
The user map file provides the primary group mapping.
In the 2307aixuser.map file, this entry is present:
pgrp            SEC_CHAR        gidnumber ...
A similar entry is present in the sfur2user.map file:
pgrp            SEC_CHAR        gidNumber ...
For both schemas, AIX reads the gidnumber attribute of the LDAP user entry and maps it to the user's primary group attribute (pgrp). The value is the numeric ID of the primary group, not its name; the name is resolved from the matching group entry as described in section 3.
group map file
The group map file provides the following default mapping:
groupname       SEC_CHAR        cn ...
id              SEC_INT         gidnumber ...
users           SEC_LIST        memberuid ...
3) How primary group membership is determined
Primary group membership for an LDAP user is obtained as follows (based on the above configuration files):
- Get the user's gidnumber from the LDAP user entry
- Search under groupbasedn for a posixgroup entry that has a matching gidnumber
- The value of the "cn" attribute in the found group entry is displayed as the primary group name for the LDAP user
Note: The specific group objectclass to search for depends on the schema in use. "posixgroup" is typical for an rfc2307 schema, while "group" is common in a Windows SFU R2 environment. The ldap.cfg and map files determine which group objectclass is searched for.
An example:
Here's a partial LDAP user entry (from ldapsearch output):
uid=marie,ou=People,cn=aixdata
uid=marie
cn=marie
gidnumber=100
uidnumber=237
homedirectory=/home/marie
objectclass=posixaccount
â¦
Here are two sample LDAP group entries:
cn=group1,ou=Groups,cn=aixdata
gidnumber=100
isadministrator=false
memberuid=tuvo
memberuid=dave
cn=group1
objectclass=posixgroup
â¦
cn=group2,ou=Groups,cn=aixdata
gidnumber=101
isadministrator=false
memberuid=jack
memberuid=marie
cn=group2
objectclass=posixgroup
â¦
ldap.cfg file contains the following:
groupbasedn: ou=groups,cn=aixdata
groupclasses: posixgroup
Given the above configuration and LDAP entries, here is the primary group membership for the "marie" user:
# lsuser -a pgrp marie
marie pgrp=group1
4) How secondary group membership is determined
Secondary group membership for an LDAP user is obtained as follows (based on the above configuration files):
- Search under groupbasedn for all posixgroup entries that have "memberuid=<userDN>" or "memberuid=<username>", where <userDN> is the DN of the LDAP user entry and <username> is the AIX login name
- The value of the "cn" attribute of each group found makes up the secondary group list for the LDAP user
An example:
Using configuration and sample user and group entries above, the secondary group search filter would look like this:
(|(memberuid=uid=marie,ou=People,cn=aixdata)(memberuid=marie))
The search finds the "group2" entry, with "cn=group2".
And "lsuser" shows the following group membership:
# lsuser -a pgrp groups marie
marie pgrp=group1 groups=group1,group2
Note: The "groups" list is actually a concatenation of the primary and secondary groups.
5) Debugging group membership problems
Here are items to consider:
- Review and understand the explanation above
- Review the relevant parameters in the ldap.cfg, user and group map files mentioned above
- Ensure that the LDAP user and group entries match the configuration and map files (the group entries must lie under groupbasedn and carry an objectclass listed in groupclasses, or they are never searched)
- Check for known defects, specifically check later levels of the bos.rte.security fileset
The two most common issues regarding LDAP group membership are:
1) Customer wants LDAP users to belong to local groups. This is not possible and is addressed in section 1 of this document.
2) Secondary group membership is not working. Check the LDAP group entry that corresponds to the secondary group of the user. Make sure that the memberuid attribute -- or whatever attribute the group map maps the "users" attribute to -- is defined correctly in the group entry.
6) Collecting and submitting a testcase
Use the instructions below to collect and submit an initial testcase.
- Create a testcase directory, e.g.:
# mkdir /tmp/tc
- Get a snap
# snap -gtnfkSLNd /tmp/tc/snap
- Get lsuser and lsldap data
Note: Replace <username> with LDAP user name
# cd /tmp/tc
# lsuser <username> > lsuser.out
# lsldap -a passwd <username> > lsldap.user.out
# lsldap -a group > lsldap.group.out
- Package testcase
# cd /tmp/tc
Note: If your PMR number is 12345,700,000, then <pmr.branch.country> would be 12345.700.000 (country is always 000 for USA)
# tar -cvf ./<pmr.branch.country>.tar *
# gzip <pmr.branch.country>.tar
- Upload the /tmp/tc/<pmr.branch.country>.tar.gz file to IBM via the URL below: http://www.ecurep.ibm.com/app/upload
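The following is an added example, not part of the original technote and not IBM's code: a small Python model of the resolution described in sections 3 and 4, run over in-memory entries that stand in for the LDAP server. The "marie", "group1" and "group2" entries mirror the ones shown above; the "orphan" user and the "dnmembers", "elsewhere" and "notagroup" groups are hypothetical additions that exercise the failure modes from section 5 (a gidnumber with no matching group, membership by DN rather than login name, a group outside groupbasedn, and an entry whose objectclass is not in groupclasses). DN comparison is a simplified case-folding, not a full RFC 4517 match.

```python
"""Model of how AIX resolves an LDAP user's primary and secondary groups from
ldap.cfg and the user/group map files.  Added example; in-memory dicts stand
in for the LDAP server, so no AIX or LDAP library is required."""

# Constructed ldap.cfg values and map-file entries (subset of the page's files).
LDAP_CFG = {"groupbasedn": "ou=groups,cn=aixdata", "groupclasses": {"posixgroup"}}
USER_MAP = {"pgrp": "gidnumber"}                                  # 2307aixuser.map
GROUP_MAP = {"groupname": "cn", "id": "gidnumber", "users": "memberuid"}

# Constructed user entries keyed by DN; values are lists, as in LDAP.
USERS = {
    "uid=marie,ou=People,cn=aixdata": {
        "uid": ["marie"], "gidnumber": ["100"], "uidnumber": ["237"],
        "objectclass": ["posixaccount"]},
    # Hypothetical user whose gidnumber matches no group under groupbasedn.
    "uid=orphan,ou=People,cn=aixdata": {
        "uid": ["orphan"], "gidnumber": ["999"], "uidnumber": ["238"],
        "objectclass": ["posixaccount"]},
}

# Constructed group entries; group1 and group2 mirror the page, the rest are
# hypothetical additions that show which entries AIX ignores.
GROUPS = {
    "cn=group1,ou=Groups,cn=aixdata": {
        "cn": ["group1"], "gidnumber": ["100"], "memberuid": ["tuvo", "dave"],
        "objectclass": ["posixgroup"]},
    "cn=group2,ou=Groups,cn=aixdata": {
        "cn": ["group2"], "gidnumber": ["101"], "memberuid": ["jack", "marie"],
        "objectclass": ["posixgroup"]},
    # Lists the member by full DN instead of login name (section 4 accepts both).
    "cn=dnmembers,ou=Groups,cn=aixdata": {
        "cn": ["dnmembers"], "gidnumber": ["102"],
        "memberuid": ["uid=marie,ou=People,cn=aixdata"],
        "objectclass": ["posixgroup"]},
    # Outside groupbasedn: never searched, so it grants nothing even with gid 100.
    "cn=elsewhere,ou=Other,cn=aixdata": {
        "cn": ["elsewhere"], "gidnumber": ["100"], "memberuid": ["marie"],
        "objectclass": ["posixgroup"]},
    # Objectclass not listed in groupclasses: also ignored.
    "cn=notagroup,ou=Groups,cn=aixdata": {
        "cn": ["notagroup"], "gidnumber": ["103"], "memberuid": ["marie"],
        "objectclass": ["groupofnames"]},
}


def norm_dn(dn):
    """Simplified DN normalisation: case-fold and strip spaces around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn):
    """True if dn is under groupbasedn and has an objectclass in groupclasses."""
    base = norm_dn(LDAP_CFG["groupbasedn"])
    classes = {c.lower() for c in GROUPS[dn].get("objectclass", [])}
    return norm_dn(dn).endswith("," + base) and bool(classes & LDAP_CFG["groupclasses"])


def candidate_groups():
    """The entries a subtree search under groupbasedn for groupclasses returns."""
    return {dn: e for dn, e in GROUPS.items() if in_scope(dn)}


def primary_group(user_dn):
    """Section 3: user's gidnumber -> group whose id attribute matches -> cn."""
    gid = USERS[user_dn][USER_MAP["pgrp"]][0]
    for entry in candidate_groups().values():
        if gid in entry.get(GROUP_MAP["id"], []):
            return entry[GROUP_MAP["groupname"]][0]
    return None  # no LDAP group under groupbasedn carries this gidnumber


def secondary_group_filter(user_dn, username):
    """The search filter AIX builds for the secondary-group lookup (section 4)."""
    attr = GROUP_MAP["users"]
    return "(|(%s=%s)(%s=%s))" % (attr, user_dn, attr, username)


def secondary_groups(user_dn):
    """Section 4: groups whose users attribute names the user by DN or login."""
    username = USERS[user_dn]["uid"][0]
    found = []
    for entry in candidate_groups().values():
        members = entry.get(GROUP_MAP["users"], [])
        if any(m == username or norm_dn(m) == norm_dn(user_dn) for m in members):
            found.append(entry[GROUP_MAP["groupname"]][0])
    return found


def lsuser(user_dn):
    """Emulates 'lsuser -a pgrp groups': groups = primary + secondary, no dups."""
    pgrp = primary_group(user_dn)
    groups = [] if pgrp is None else [pgrp]
    for g in secondary_groups(user_dn):
        if g not in groups:
            groups.append(g)
    return {"pgrp": pgrp, "groups": groups}


if __name__ == "__main__":
    for dn in USERS:
        print(USERS[dn]["uid"][0], lsuser(dn))
```

For "marie" the model returns pgrp=group1 and groups=group1,group2,dnmembers: group2 by login name, dnmembers by DN, while "elsewhere" (wrong subtree) and "notagroup" (wrong objectclass) never enter the candidate set. That scoping is the mechanical form of the "no mixing across domains" rule in section 1, and it is why the two checks in section 5 (is the group under groupbasedn with the right objectclass, and is the users attribute populated) resolve most membership complaints. The "orphan" user shows the other common symptom: a gidnumber with no matching group entry yields no primary group at all.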
January 12, 2011 6:11 pm
Question: Can LDAP users use the 'newgrp' command to switch to a different primary group?
Answer: Yes, newgrp will work for an LDAP user if both conditions below are met:
- the group you are switching to must be an LDAP group
- the user must belong to the LDAP group that you are attempting to switch to
November 18, 2010 11:01 pm
Question: AIX is configured to use LDAP integrated login against a Windows ADS server. ldap.cfg has authtype=unix_auth. After the user changes his password on the Windows side, the LDAP user fails authentication on AIX. Switching to authtype=ldap_auth resolves the problem. Why?
Answer: ADS typically supports two types of password attributes, unicodePwd and msSFU30Password.
msSFU30Password is a Unix-style crypt'ed password, which is what unix_auth reads and compares against.
But when users change their passwords on Windows, only unicodePwd is updated (and AIX cannot read that attribute over LDAP), so msSFU30Password and unicodePwd are no longer in sync.
By using ldap_auth, AIX authenticates by binding to the directory with the password the user typed, so you don't rely on msSFU30Password and don't have to worry about keeping the two password attributes in sync.