[Freeipa-users] Aix client configuration
Rob Crittenden
rcritten at redhat.com
Thu Jan 26 14:02:50 UTC 2012
Sylvain Angers wrote:
>
>
> 2012/1/25 Rob Crittenden <rcritten at redhat.com>
>
> Sylvain Angers wrote:
>
> Hello
> In our lab, we are testing latest ipa on redhat and we are now
> configuring/testing an IBM/AIX client 6.1
>
> Here is the ipa server command that we used
> ipa-server-install -a ipa123 --hostname=mtl-ipa01d.cnppd.lab -n cnppd.lab -p ldap123 -r CNPPD.LAB
>
>
> We are following your documentation for AIX client and have some
> issues getting through the step
>
> We had to install these filesets and we still fight modcrypt
>
> lslpp -L | grep idsldap
> idsldap.clt32bit61.rte     6.1.0.34  C  F  Directory Server - 32 bit
> idsldap.clt64bit61.rte     6.1.0.34  C  F  Directory Server - 64 bit
> idsldap.cltbase61.adt      6.1.0.34  C  F  Directory Server - Base Client
> idsldap.cltbase61.rte      6.1.0.34  C  F  Directory Server - Base Client
>
>
> lslpp -L | grep krb
> krb5.client.rte            1.5.0.2   C  F  Network Authentication Service
> krb5.client.samples        1.5.0.2   C  F  Network Authentication Service
> krb5.doc.en_US.html        1.5.0.2   C  F  Network Auth Service HTML
> krb5.doc.en_US.pdf         1.5.0.2   C  F  Network Auth Service PDF
> krb5.lic                   1.5.0.2   C  F  Network Authentication Service
> krb5.msg.en_US.client.rte  1.5.0.2   C  F  Network Auth Service Client
> krb5.server.rte            1.5.0.2   C  F  Network Authentication Service
>
> We did run the mksecldap command, as follows
>
> mksecldap -c -h mtl-ipa01d.cnppd.lab -d cn=accounts,dc=cnppd,dc=lab -a uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab -p abc123
>
>
> and we got: Invalid bind DN or bind passwd. Client presetup check failed.
>
> Do we need to customize this command further? If so, what are we
> missing?
> Also, as we have not yet succeeded in making modcrypt work on our
> AIX 6.1, we wonder if we will need (temporarily) to do some ldapmodify
> on the ipa server to disable ssl?
>
> Thank you for your assistance!
>
>
> Did you create the entry uid=nss,cn=sysaccounts,cn=etc,... ?
>
> You can test that the password is correct independently with
> ldapsearch and the 389-ds access log may have additional information
> on the bind failure.
>
> rob
>
> Hello Rob,
>
> All I see at the moment is
> uid=sudo,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab
> uid=kdc,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab
>
> Whenever I create new users, they get put under
>
> uid=nss,cn=users,cn=accounts,dc=cnppd,dc=lab
>
> How do we create uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab ?
>
> Is this something we have to do manually via ldapadd?
> About the nss password, will the ldapadd be part of the command?
>
> Thanks
>
> --
> Sylvain Angers
>
Use ldapmodify to create this entry:

# ldapmodify -D "cn=directory manager" -w secret -p 389 -h ipaserver.example.com -x -a
dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: nss
userPassword: secretpassword

This is documented at
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
rob
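
The earlier reply in this thread points to the 389-ds access log for details on the bind failure. As an added example (not part of the original message and not FreeIPA code), this script pairs each BIND with its RESULT line and prints the binds that failed; the log lines are constructed samples and the result-code names are the standard LDAP ones.

```shell
#!/bin/sh
# Added example (not from the thread): list failed BINDs in a 389-ds access log.

# Constructed sample lines in the access-log layout; DNs follow the reply above.
sample_log() {
cat <<'EOF'
[26/Jan/2012:09:01:10 -0500] conn=11 op=0 BIND dn="cn=directory manager" method=128 version=3
[26/Jan/2012:09:01:10 -0500] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[26/Jan/2012:09:02:50 -0500] conn=12 op=0 BIND dn="uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[26/Jan/2012:09:02:50 -0500] conn=12 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[26/Jan/2012:09:05:00 -0500] conn=13 op=0 BIND dn="uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[26/Jan/2012:09:05:00 -0500] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0
EOF
}

# Reads access-log lines on stdin; prints "bind DN <TAB> err <TAB> meaning"
# for every BIND whose RESULT carries a non-zero LDAP result code.
failed_binds() {
    awk '
    {   # conn= and op= together identify one operation
        conn = ""; op = ""
        for (i = 1; i <= NF; i++) {
            if (conn == "" && $i ~ /^conn=/) conn = $i
            if (op == "" && $i ~ /^op=/) op = $i
        }
        key = conn " " op
    }
    / BIND / {
        # the DN is quoted and may contain spaces, so pull it out by pattern
        if (match($0, /dn="[^"]*"/))
            dn[key] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    / RESULT / && (key in dn) {
        err = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^err=/) err = substr($i, 5)
        if (err != "0") {
            meaning = "other"
            if (err == "32") meaning = "noSuchObject"
            if (err == "49") meaning = "invalidCredentials"
            printf "%s\t%s\t%s\n", dn[key], err, meaning
        }
        delete dn[key]
    }'
}

sample_log | failed_binds
```

On the server, feed it the real log instead of the sample, e.g. `failed_binds < /var/log/dirsrv/slapd-INSTANCE/access`, where INSTANCE is a placeholder for the directory server instance name.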