ldap authentication, adhering to ppolicy overlay issue

exsnafu
Technical User, Apr 25, 2008
I have an AIX 6.1 server that I'm using as a testbed for LDAP authentication. I've configured the idsldap client successfully and the world is at peace..

However, per security policies I need AIX to follow certain attributes in the ppolicy overlay on my LDAP server.

Specifically, when an admin changes an account's LDAP password it sets pwdMustChange:TRUE, which should be telling AIX to force a password change on login, but AIX is not abiding by this... the user is able to happily log in.

In Linux this is accomplished through a modification to PAM to follow extended operations.. in AIX I'm having a really hard time finding the equivalent...

Anyone have experience with this?
 
I am also using idsldapclient. Please let me know how to reproduce the issue with password change you report.

# grep userldap /etc/passwd
#
# passwd userldap
Changing password for "userldap"
userldap's Old password: <--- left blank (pressed enter)
userldap's New password: <--- typed new password
Enter the new password again:
# passwd userldap
# ssh hostattachedtoldap -l userldap
userldap@hostattachedtoldap's password:
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for "userldap"
userldap's Old password:

So the user is forced to change password in next login.

The same effect when the password is changed using the chpasswd command, e.g.

echo userldap:newpassword|chpasswd
 
Thanks for the response ogniemi,

pretty much what you did is how you reproduce it. I've been working with IBM LDAP/AIX support on this for a week now without success...

Out of curiosity, is your LDAP server SunONE? Did you have to load the aixauxaccount schema? Specify any pwdpolicydn entries in ldap.cfg?

Like I say, with one account I can log into Linux and be prompted for a change, log into an AIX server with the same account and no prompting for change. The ID has the aixauxaccount, ibm-securityidentities, posixaccount etc. objectclasses.. the IBM password policy schema has been loaded into SunONE... everything but pwdMustChange seems to be adhered to.
 
Hi, my LDAP server is run on IBM TDS v6.... maybe that's why it works better with AIX :( ...

I had nothing special to do with ldap.cfg configuring the ITDS client. The entries in the ldap.cfg file on a client are:

# grep -v -e ^$ -e ^\# /etc/security/ldap/ldap.cfg
ldapservers:ldapmaster.localdomain,ldapreplica.localdomain
ldapadmin:cn=root
ldapadmpwd:password
useSSL:yes
ldapsslkeyf:/etc/security/ldap/client03.kdb
ldapsslkeypwd:keydbpassword
userattrmappath:/etc/security/ldap/2307aixuser.map
groupattrmappath:/etc/security/ldap/2307aixgroup.map
idattrmappath:/etc/security/ldap/aixid.map
userbasedn:ou=aixuser,ou=prod,o=xxx,c=yy
groupbasedn:ou=aixgroup,ou=prod,o=xxx,c=yy
idbasedn:cn=aixid,ou=system,ou=prod,o=xxx,c=yy
userclasses:account,posixaccount,shadowaccount,aixauxaccount
groupclasses:posixgroup,aixauxgroup
ldapsslport:636
cachetimeout: 300
heartbeatinterval: 300
numberofthread: 5
connectionsperserver: 5
sockidletimeout: 0
 
BTW, if you are using ssh to connect to AIX, also check the version of the ssh server running on AIX. The problem described below is fixed in newer OpenSSH versions.

"Multi-platform Password Expiry
Note: a subset of the functionality in these patches is included in OpenSSH 3.8 and 3.8p1 and up. In most cases, users requiring handling of expired passwords will no longer need these patches. The differences are documented in this post to openssh-unix-dev.

This is a series of patches against 3.6.1p2 and 3.7.1p2 that add password expiry support to OpenSSH. Currently the patch (#26) supports AIX, platform using /etc/shadow (which includes Solaris and Linux when openssh is configured without PAM, and SCO UnixWare), and PAM Platforms (including Solaris, Linux and HP-UX).
"

 
Just as a follow up to this in the event anyone else comes searching: after weeks of sending traces back and forth from IBM support and reviewing tcpdumps from the SunONE server, IBM is now reporting that they've discovered a bug in the 6.1 version of the ITDS client causing it to ignore the password policy control.... now waiting for a fix.
 
Yes, it can take some time and effort sometimes to get the IBM machine in motion... ;-)

p5wizard
 
Hello
I work on AIX 5.3 against an OpenLDAP server.
After many (days of) configuration, an LDAP user can connect to an AIX host without problem.
To make this work, I installed the ldap.client package and I configured /etc/security/ldap/ldap.cfg (in 5.3 pam_ldap is not installed and I gave up trying to install it).
A user is linked with a ppolicy, to ensure passwords, but the AIX host doesn't take care of them.
ex 1: I can connect when the password has expired :(
ex 2: when I try to change the password too early, I got the message: incorrect value, whereas in the LDAP logs I see the explicit message: password is too young to change.
For information, in Redhat hosts, I put the line pam_lookup_policy yes in /etc/ldap.conf.

Anyway, it seems there is no way to have any password policy support in AIX 5.3 hosts.
Is there any?
If not, is there any workaround (installing another LDAP client)?

Thanks
 
kev911,

It's quite possible you're experiencing the same issue I have spent 8+ weeks battling with IBM India 3rd-level support. However, the ppolicy overlay now seems to be working with a few ifixes for both AIX 6.1 and 5.3.

A couple of things:

1. You'll need to use the Tivoli Directory Server Client 6.1, fixpack 5 (6.1.0.27) with AIX 5.3 or 6.1 for adequate support. FP5 is brand new and contains a necessary ifix (IO10449 - LDAP does not recognize ppolicy response control) that resolves several issues.

On AIX 5.3 the ITDS client I think is on CD#4; this supersedes ldap.client.rte, which is no longer supported, I'm told. You need to make sure you install both the 64- and 32-bit versions of the ITDS client, as mksecldap is 32-bit. You can get FP005 from the Tivoli download site.

2. Upgrade to AIX 5.3 TL9 or later (TL2 on AIX 6.1). This I believe is to resolve IZ24374 - Support LDAP SERVER Password Policy.

3. I've just received a separate combo ifix from 3rd-level support that resolves a final issue with pwdreset=true, which honors pwdreset properly..

Basically, I recommend you update to TL9/10, upgrade to ITDS client FP5, test, and then open a PMR with TDS LDAP support and they should be able to direct you further. It seems to me anyway that LDAP client interoperability has not been a big priority for IBM until the mess of PMRs I opened; it's been rather frustrating to be honest..

Some URLs worth mentioning:
IO10449 -
ITDS FP5 -
AIX LDAP integration redbook(covers ITDS client install):
APARs:
IO10449 - ITDS fix
IZ52744 and IZ51782 - combo ifix I just received.
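The bug discussed in this thread (IO10449: the ITDS client not recognizing the ppolicy response control) and kev911's "password is too young" symptom both come down to whether the LDAP client parses the password-policy response control the server attaches to a bind or modify response. The following decoder is an added illustration, not code from the thread, IBM or OpenLDAP; it implements the PasswordPolicyResponseValue BER structure from draft-behera-ldap-password-policy (control OID 1.3.6.1.4.1.42.2.27.8.5.1) over constructed sample control values, and shows what a conforming client should conclude from each.

```python
# Decoder for the LDAP password-policy response control value
# (draft-behera-ldap-password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1).
# Added illustration; the sample bytes below are constructed, not captured.

PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

def _tlv(buf, pos):
    """Read one BER TLV (short-form length only; control values are tiny)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in ppolicy control")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_ppolicy_response(value: bytes) -> dict:
    """Return {'warning': (kind, n) or None, 'error': name or None}."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a single SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:   # warning [0] CHOICE: explicit tag wrapping [0]/[1] INTEGER
            wtag, wval, _ = _tlv(inner, 0)
            kind = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            result["warning"] = (kind, int.from_bytes(wval, "big"))
        elif tag == 0x81:  # error [1] ENUMERATED, implicit tag
            result["error"] = PPOLICY_ERRORS[int.from_bytes(inner, "big")]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return result

def must_change_password(value: bytes) -> bool:
    """What a conforming login client should derive: force a change at login
    when the server reports changeAfterReset (pwdReset/pwdMustChange) or expiry."""
    return decode_ppolicy_response(value)["error"] in ("changeAfterReset", "passwordExpired")

# Constructed sample control values (not from the thread's servers):
AFTER_RESET  = bytes([0x30, 0x03, 0x81, 0x01, 0x02])                    # error=changeAfterReset
TOO_YOUNG    = bytes([0x30, 0x03, 0x81, 0x01, 0x07])                    # error=passwordTooYoung
EXPIRES_SOON = bytes([0x30, 0x06, 0xA0, 0x04, 0x80, 0x02, 0x0E, 0x10])  # warning: 3600 s left
```

A client that drops this control, as the pre-IO10449 ITDS client did, sees only "success" on the bind and never learns that pwdReset was set, which is exactly the silent login exsnafu observed.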
 