[Freeipa-users] AIX client integration
David Beck
frozen3 at aol.com
Thu Mar 26 19:44:06 UTC 2015
All,
This is for anyone using AIX clients with FreeIPA. I have the client up and running just fine (no KRB5, AIX bug); however, I cannot seem to get the client to load the groups attribute properly. The user's primary group shows up in the groups attribute from lsuser, but not any of the other groups the user is a member of in IPA. In the outputs below, I do a lookup for IPA user 0016751 and I would expect the groups= attribute to match those that are listed in "Member of groups" from FreeIPA.
I experimented with the groups attribute and mapping it to the memberOf LDAP attribute in the IPAuser.map file, but that hasn't changed the outcome. If anyone has any pointers or advice it would be greatly appreciated!
AIX Client:
6100-09-04-1441
LDAP Client version:
idsldap.clt32bit61.rte 6.1.0.57 COMMITTED Directory Server - 32 bit
idsldap.clt_max_crypto32bit61.rte
idsldap.cltbase61.adt 6.1.0.57 COMMITTED Directory Server - Base Client
idsldap.cltbase61.rte 6.1.0.57 COMMITTED Directory Server - Base Client
idsldap.ent61.rte 6.1.0.26 COMMITTED Directory Server - Entitlement
idsldap.clt32bit61.rte 6.1.0.57 COMMITTED Directory Server - 32 bit
idsldap.cltbase61.rte 6.1.0.57 COMMITTED Directory Server - Base Client
IDM Server:
RHEL 6.6 x64
ipa-server-3.0.0-42
AIX Client LDAP Config:
ldapservers:idm1-corp-p1.idm.abc.com,idm2-corp-p1.idm.abc.com
binddn:uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com
bindpwd:password
authtype:ldap_auth
userattrmappath:/etc/security/ldap/IPAuser.map
groupattrmappath:/etc/security/ldap/IPAgroup.map
userbasedn:cn=users,cn=accounts,dc=idm,dc=abc,dc=com
groupbasedn:cn=groups,cn=accounts,dc=idm,dc=abc,dc=com
#IPAuser.map file
keyobjectclass SEC_CHAR posixaccount s na
username SEC_CHAR uid s na
id SEC_INT idnumber s na
pgrp SEC_CHAR gidnumber s na
#groups SEC_LIST memberOf m na
home SEC_CHAR homedirectory s na
shell SEC_CHAR loginshell s na
gecos SEC_CHAR gecos s na
spassword SEC_CHAR userpassword s na
lastupdate SEC_INT shadowlastchange s days
#IPAgroup.map file
groupname SEC_CHAR cn s na
id SEC_INT gidNumber s na
users SEC_LIST member m na
LDAP User lookup
root@aix:/home/root > lsuser -f -R LDAP 0016751
0016751:
id=1329001106
pgrp=0016751
groups=0016751
home=/home/0016751
shell=/bin/bash
gecos=David Beck
login=true
su=true
rlogin=true
daemon=true
admin=false
sugroups=ALL
admgroups=
tpath=nosak
ttys=ALL
expires=0
auth1=SYSTEM
auth2=NONE
umask=77
registry=LDAP
SYSTEM=compat or LDAP
logintimes=
loginretries=3
pwdwarntime=14
account_locked=false
LDAP Group lookup
root@aix:/home/root > lsgroup -R LDAP aix-admins
aix-admins id=1329004961 users=0016066,0016751,0002885,0016896,0016304,0014269,0015513,0015611,0016721 registry=LDAP
User Group lookup
root@aix:/home/root > groups 0016751
0016751 : 0016751
From the IDM server:
[root@idm1-corp-p1 ~]# ipa user-show 0016751
User login: 0016751
First name: David
Last name: Beck
Home directory: /home/0016751
Login shell: /bin/bash
Email address: David.Beck at abc.com
UID: 1329001106
GID: 1329001106
Telephone Number: 555-555-5555
Job Title:
Account disabled: False
Password: True
Member of groups: unixss, linux-admins, aix-admins, smb-linfs-linadm, tam-admins
Roles: IPA Administration
Member of Sudo rule: nmap-intaudit
Member of HBAC rule: aix-sshd-test
Indirect Member of group: smb-linfs
Indirect Member of Sudo rule: serverAdmin
Indirect Member of HBAC rule: ssh_all, cvs_access
Kerberos keys available: True
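Added example (not from the original post or from FreeIPA/AIX): a small parser for the AIX attribute-map format used in IPAuser.map, plus a helper that reduces a user's memberOf DNs to the group names lsuser would be expected to show. The map text and the memberOf values are constructed from the thread above; it assumes IPA also records role, sudo-rule and HBAC-rule membership in memberOf, so those DNs have to be filtered out by container before comparing with groups=.

```python
import re

GROUP_BASE = "cn=groups,cn=accounts,dc=idm,dc=abc,dc=com"  # groupbasedn from the ldap.cfg above

# Constructed map text patterned on IPAuser.map above, with the groups line enabled.
USER_MAP = """\
username SEC_CHAR uid s na
pgrp SEC_CHAR gidnumber s na
groups SEC_LIST memberOf m na
home SEC_CHAR homedirectory s na
"""
# Constructed memberOf values for 0016751, built from the ipa user-show output:
# direct groups, the indirect group, plus a role and a sudo rule (also stored in memberOf).
SAMPLE_MEMBER_OF = [
    "cn=unixss,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com",
    "cn=aix-admins,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com",
    "cn=tam-admins,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com",
    "cn=smb-linfs,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com",
    "cn=IPA Administration,cn=roles,cn=accounts,dc=idm,dc=abc,dc=com",
    "ipaUniqueID=PLACEHOLDER-ID,cn=sudorules,cn=sudo,dc=idm,dc=abc,dc=com",
]

def parse_map(text):
    """Parse 'aix_attr TYPE ldap_attr s|m conversion' lines into {aix_attr: tuple}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank, or commented out like the groups line above
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        aix_attr, aix_type, ldap_attr, card, conv = fields
        if aix_type == "SEC_LIST" and card != "m":
            raise ValueError(f"line {lineno}: SEC_LIST attributes must be multi-valued (m)")
        entries[aix_attr] = (aix_type, ldap_attr.lower(), card, conv)
    return entries

def group_names_from_member_of(member_of, group_base=GROUP_BASE):
    """Return the cn of each memberOf DN directly under group_base (comparable with lsuser's
    groups= list); roles and sudo/HBAC rules are dropped. Escaped commas in RDNs not handled."""
    names = []
    for dn in member_of:
        rdn, _, parent = dn.partition(",")
        if parent.lower() != group_base.lower():
            continue
        m = re.fullmatch(r"cn=(.+)", rdn, re.IGNORECASE)
        if m:
            names.append(m.group(1))
    return names
```

Running parse_map over the real IPAuser.map and group_names_from_member_of over the memberOf values returned by an ldapsearch as the bind DN gives a quick check of whether the gap is in the map file or in what the server actually hands back.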