Ronald Wimmer via FreeIPA-users wrote:
> On 23.06.23 11:34, Ronald Wimmer via FreeIPA-users wrote:
>> On 23.06.23 10:26, Ronald Wimmer via FreeIPA-users wrote:
>>> On 21.06.23 17:29, Rob Crittenden via FreeIPA-users wrote:
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> On 20.06.23 16:08, Alexander Bokovoy wrote:
>>>>>> On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>> On 20.06.23 15:57, Alexander Bokovoy wrote:
>>>>>>>> On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>>> On 20.06.23 15:45, Rob Crittenden via FreeIPA-users wrote:
>>>>>>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>>>>> I can and use IPA users on an AIX client. As well as groups. But
>>>>>>>>>>> somehow
>>>>>>>>>>> group membership does not seem to be configured correctly...
>>>>>>>>>>>
>>>>>>>>>>> # id y179768
>>>>>>>>>>> uid=1246660005(y179768) gid=1246660005(y179768)
>>>>>>>>>>>
>>>>>>>>>>> # lsgroup -R LDAP ipa-aix-g
>>>>>>>>>>> ipa-aix-g id=1246690508 users= registry=LDAP
>>>>>>>>>>>
>>>>>>>>>>> Does anyone have a hint what could be misconfigured?
>>>>>>>>>>
>>>>>>>>>> There isn't enough information. How is LDAP configured, what
>>>>>>>>>> search bases?
>>>>>>>>>>
>>>>>>>>>> What is ipa-aix-g? What membership do you expect?
>>>>>>>>>>
>>>>>>>>>> How does the group relate to the user you id'd?
>>>>>>>>>
>>>>>>>>> I'll try to clarify.
>>>>>>>>>
>>>>>>>>> ipa-aix-g is the IPA group containing several members as y179768
>>>>>>>>> for example.
>>>>>>>>>
>>>>>>>>> /etc/security/ldap/ldap.cfg:
>>>>>>>>> userbasedn:cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at
>>>>>>>>> groupbasedn:cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at
>>>>>>>>
>>>>>>>> Which LDAP schema AIX configuration is expecting to use? RFC2307 or
>>>>>>>> RFC2307bis?
>>>>>>>>
>>>>>>>> The primary LDAP tree in FreeIPA is using RFC2307bis (e.g.
>>>>>>>> member/memberof, not memberuid attributes).
>>>>>>>
>>>>>>> I did not do the AIX client configuration by myself. I am just
>>>>>>> trying
>>>>>>> to assist my AIX colleagues to find the problem...
>>>>>>>
>>>>>>> What I saw were two map files in /etc/security/ldap named
>>>>>>> 2307user.map and 2307group.map. So I am suspecting that they are
>>>>>>> trying to use RFC2307. In order to use that we would need to use a
>>>>>>> different configuration? Is this where the compat tree comes into
>>>>>>> place?
>>>>>>
>>>>>> Correct. If your clients are using RFC2307, compat tree is what
>>>>>> could be
>>>>>> used to provide them the data in the format they expect. However, I'd
>>>>>> rather ask AIX admins to use RFC2307bis. For example,
>>>>>> https://www.ibm.com/support/pages/aix-how-configure-aix-ldap-or-krb5ldap-client
>>>>>> talks about other maps for AD (which is also using member/memberof, not
>>>>>> memberuid).
>>>>>
>>>>> Just to avoid any confusion. Is the link you provided an example for
>>>>> 2307bis configuration? I am asking because the term "2307bis" is not
>>>>> mentioned at all in the article...
>>>>
>>>> It isn't and the group configuration is rather subtle.
>>>>
>>>> Near as I can tell you want to look for:
>>>>
>>>> #users    SEC_LIST        memberUid        m    na    yes
>>>> users    SEC_LIST        member            m    na    yes
>>>>
>>>> memberUid is RFC 2307 and member is RFC 2307bis.
>>>>
>>>
>>> I tried to configure an AIX client the bis way. Now the IPA group
>>> shows its members. Perfect. However, the id command does not list the
>>> IPA group. As a result, sudo commands do not work because these
>>> rights were given to the IPA group.
>>>
>>> I've added
>>>
>>> groups          SEC_LIST        memberof                s       na      yes
>>>
>>> to the 2307bisuser.map file because I thought that might fit. But
>>> unfortunately it did not.
>>>
>>> What might I be missing?
>>
>> Forgot to mention that lsuser -R LDAP someuser also does not reveal
>> the IPA group.
> 
> Andrey Klyachkin from IBM answered my question on LinkedIn:
> Ronald, did you check LDAP client mappings on AIX? By default if you
> followed the article AIX will search for memberUid attribute in
> cn=groups. It is RFC2307, not RFC2307bis. You can update
> /etc/security/ldap/2307group.map (or create your own map) and define
> member attribute instead of memberUid. After restart secldapclntd should
> find the secondary groups.
> Another possible confusion place - AIX expects usernames in member or
> memberUid attribute. If your LDAP administrator wrote user's full CN in
> the attribute instead of just username, AIX will not identify it as a
> secondary group for the user. As far as I could test IPA doesn't allow
> to write just usernames into the attribute and wants to have full CNs.
> (https://www.linkedin.com/feed/update/urn:li:ugcPost:7059442334530207744?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7059442334530207744%2C7079018671796330496%29&replyUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7059442334530207744%2C7079041984954281984%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287079018671796330496%2Curn%3Ali%3AugcPost%3A7059442334530207744%29&dashReplyUrn=urn%3Ali%3Afsd_comment%3A%287079041984954281984%2Curn%3Ali%3AugcPost%3A7059442334530207744%29
> )
> 
> Could this be the issue?

It's hard to say because you keep referring to groups not showing up but
providing no details on what that means. Also, understand that the IPA
team has extremely limited and dated knowledge of AIX. This is about all
we have, written in probably 2010:
https://freeipa.org/page/ConfiguringAixClients.html

This goes back to the difference between the two RFCs and how they
configure membership. If AIX wants a login name then memberUid/RFC2307
is what you want (cn=compat).

Your best bet is to reach out to IBM directly and ask how to configure
authentication and nss services against an LDAP server. If the
instructions include member/memberof then you can use the main IPA
trees. If not use cn=compat.

Or search the archives of this list. There have been AIX questions before.

rob
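Added illustration (not from the thread, not FreeIPA or AIX code): the group `ipa-aix-g` as the main IPA tree stores it in RFC 2307bis form, the RFC 2307 shape the cn=compat tree presents instead, and how a client that compares a login name against the membership attribute behaves in each case. The second member `y123456` is a constructed sample user; the DNs follow the search bases quoted from ldap.cfg above.

```python
from typing import Dict, List, Optional

# Constructed RFC 2307bis group as the main FreeIPA tree stores it:
# 'member' carries full user DNs, not login names.
MAIN_TREE_GROUP: Dict[str, List[str]] = {
    "dn": ["cn=ipa-aix-g,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at"],
    "cn": ["ipa-aix-g"],
    "gidNumber": ["1246690508"],
    "member": [
        "uid=y179768,cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at",
        "uid=y123456,cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at",  # constructed
    ],
}


def rdn_uid(dn: str) -> Optional[str]:
    """Return the value of a leading uid= RDN, or None for any other DN shape."""
    first = dn.split(",", 1)[0].strip()
    attr, _, value = first.partition("=")
    return value if attr.lower() == "uid" and value else None


def compat_view(group: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Approximate what cn=compat exposes for the same group: an RFC 2307
    posixGroup whose memberUid holds login names derived from the member DNs."""
    logins = [u for u in (rdn_uid(dn) for dn in group.get("member", [])) if u]
    return {
        "dn": [f"cn={group['cn'][0]},cn=groups,cn=compat,dc=linux,dc=mydomain,dc=at"],
        "cn": group["cn"],
        "gidNumber": group["gidNumber"],
        "memberUid": logins,
    }


def groups_by_login_match(login: str, groups: List[Dict[str, List[str]]], attr: str) -> List[str]:
    """Client reading membership from `attr` and comparing each value with the
    login name (the RFC 2307 / memberUid way). Against 'member' the values are
    DNs, so the comparison never matches and the user shows no secondary groups."""
    return [g["cn"][0] for g in groups if login in g.get(attr, [])]


def groups_by_dn_match(login: str, groups: List[Dict[str, List[str]]]) -> List[str]:
    """Client that treats 'member' as DNs (the RFC 2307bis way) and resolves
    each DN to its uid before comparing with the login name."""
    return [g["cn"][0] for g in groups
            if login in {rdn_uid(dn) for dn in g.get("member", [])}]


if __name__ == "__main__":
    print("main tree, memberUid:", groups_by_login_match("y179768", [MAIN_TREE_GROUP], "memberUid"))
    print("main tree, member as name:", groups_by_login_match("y179768", [MAIN_TREE_GROUP], "member"))
    print("main tree, member as DN:", groups_by_dn_match("y179768", [MAIN_TREE_GROUP]))
    print("compat tree, memberUid:", groups_by_login_match("y179768", [compat_view(MAIN_TREE_GROUP)], "memberUid"))
```

Only the last two lookups return `['ipa-aix-g']`, which is the distinction Rob draws: a name-comparing client needs memberUid from cn=compat, a DN-resolving client can use member in the main tree.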
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue