AIX 5.2 LDAP-based user management

Source: 岁月联盟  Editor: zhu  Date: 2008-02-14

[AIX tutorial] Step 1: Initial installation on AIX 5.2

  All of the code needed to set up user authentication is on the AIX system installation CD; the bos.rte.security fileset must be at version AIX 5.2.0.2 or later. First install LDAP from the AIX operating system CD, which also installs DB2. The filesets that need to be installed are listed below:

  # lslpp -l | grep ldap
  cifs.base.ldap 3.1.2.0 COMMITTED Fast Connect Ldap Client
  http_server.modules.ldap 1.3.19.3 COMMITTED HTTP Server LDAP Module
  http_server.modules.ldap.128
  ldap.client.adt 4.1.0.0 COMMITTED IBM Directory Client SDK
  ldap.client.dmt 4.1.0.0 COMMITTED IBM Directory Client DMT
  ldap.client.java 4.1.0.0 COMMITTED IBM Directory Client Java
  ldap.client.rte 4.1.0.0 COMMITTED IBM Directory Client Runtime
  ldap.html.en_US.config 4.1.0.0 COMMITTED IBM Directory Install/Config
  ldap.html.en_US.man 4.1.0.0 COMMITTED IBM Directory Man Pages - U.S.
  ldap.max_crypto_client.adt
  ldap.max_crypto_client.java
  ldap.max_crypto_client.rte
  ldap.max_crypto_server.admin
  ldap.max_crypto_server.com
  ldap.msg.en_US 4.1.0.0 COMMITTED IBM Directory Messages - U.S.
  ldap.server.admin 4.1.0.0 COMMITTED IBM Directory Server
  ldap.server.cfg 4.1.0.0 COMMITTED IBM Directory Server Config
  ldap.server.com 4.1.0.0 COMMITTED IBM Directory Server Framework
  ldap.server.rte 4.1.0.0 COMMITTED IBM Directory Server Runtime
  ldap.client.rte 4.1.0.0 COMMITTED IBM Directory Client Runtime
  ldap.server.admin 4.1.0.0 COMMITTED IBM Directory Server
  ldap.server.cfg 4.1.0.0 COMMITTED IBM Directory Server Config
  ldap.server.com 4.1.0.0 COMMITTED IBM Directory Server Framework
  #
  # lslpp -l | grep db2
  db2_07_01.client 7.1.0.40 COMMITTED Client Application Enabler
  db2_07_01.cnvucs 7.1.0.40 COMMITTED Code Page Conversion Tables -
  db2_07_01.conn 7.1.0.40 COMMITTED Connect
  db2_07_01.conv.jp 7.1.0.40 COMMITTED Code Page Conversion Tables -
  db2_07_01.conv.kr 7.1.0.40 COMMITTED Code Page Conversion Tables -
  db2_07_01.conv.sch 7.1.0.40 COMMITTED Code Page Conversion Tables -
  db2_07_01.conv.tch 7.1.0.40 COMMITTED Code Page Conversion Tables -
  db2_07_01.cs.drda 7.1.0.40 COMMITTED Communication Support - DRDA
  db2_07_01.cs.ipx 7.1.0.40 COMMITTED Communication Support - IPX
  db2_07_01.cs.rte 7.1.0.40 COMMITTED Communication Support - TCP/IP
  db2_07_01.cs.sna 7.1.0.40 COMMITTED Communication Support - SNA
  db2_07_01.das 7.1.0.40 COMMITTED Administration Server
  db2_07_01.db2.engn 7.1.0.40 COMMITTED Engine
  db2_07_01.db2.rte 7.1.0.40 COMMITTED Run-time Environment
  db2_07_01.db2.samples 7.1.0.40 COMMITTED Sample Database Source
  db2_07_01.elic 7.1.0.40 COMMITTED Product Signature for UDB
  db2_07_01.jdbc 7.1.0.40 COMMITTED Java Support
  db2_07_01.tspf 7.1.0.40 COMMITTED Transformer Stored Procedure
  From August 2003 code:
  # lslpp -l bos.rte.security
  Fileset Level State Description
  ----------------------------------------------------------------------------
  Path: /usr/lib/objrepos
  bos.rte.security 5.2.0.10 COMMITTED Base Security Function
  Path: /etc/objrepos
  bos.rte.security 5.2.0.0 COMMITTED Base Security Function

  Step 2: Configure the server on AIX 5.2

  Note:
  1. The LANG environment variable is important; using a LANG other than en_US can cause many problems, so it is recommended to run the following command:
  # export LANG=en_US
  2. Make sure the /home file system has at least 35 MB of free space.
  Follow the steps below to configure the server and the client.

  1. Run the mksecldap command to set up the server

  This assigns a password to the LDAP directory tree, starts the slapd subsystem and loads the AIX users from the local /etc/security/passwd file; these users can also be added manually later. In the example below we choose the RFC2307 (rfc2307aix) schema.
  root@regatta01
  [/tmp]# mksecldap -s -a cn=admin -p just4ldap -S rfc2307aix
  File System size changed to 262144
  Creating the directory DB2 default database.
  This operation may take a few minutes.
  Cannot open message catalog file ldapadm.cat.
  Configuring the database.
  Creating database instance: ldapdb2.
  Created database instance: ldapdb2.
  Starting database manager for instance: ldapdb2.
  Started database manager for instance: ldapdb2.
  Creating database: ldapdb2.
  Created database: ldapdb2.
  Updating configuration for database: ldapdb2.
  Updated configuration for database: ldapdb2.
  Completed configuration of the database.
  IBM Directory Server Configuration complete.
  Password for administrator DN cn=admin has been set.
  IBM Directory Server Configuration complete.
  Cannot open message catalog file slapd.cat.
  Plugin of type EXTENDEDOP is successfully loaded from libevent.a.
  Plugin of type EXTENDEDOP is successfully loaded from libtranext.a.
  Plugin of type PREOPERATION is successfully loaded from libDSP.a.
  Plugin of type EXTENDEDOP is successfully loaded from libevent.a.
  Plugin of type EXTENDEDOP is successfully loaded from libtranext.a.
  Plugin of type AUDIT is successfully loaded from /lib/libldapaudit.a.
  Plugin of type AUDIT is successfully loaded from /usr/ccs/lib/libsecldapaudit.a(
  shr.o).
  Plugin of type EXTENDEDOP is successfully loaded from libevent.a.
  Plugin of type EXTENDEDOP is successfully loaded from libtranext.a.
  Plugin of type DATABASE is successfully loaded from /lib/libback-rdbm.a.
  modifying entry cn=schema
  modifying entry cn=schema
  migrating users/groups to LDAP server.

  2. Run the mksecldap -c command to set up the client
  On the same host use the "-h localhost" parameter; if the client is on a different host, point this parameter at the LDAP server.
  # mksecldap -c -a cn=admin -p just4ldap -h localhost -S rfc2307aix

  3. Use the lsuser command to check whether the database was loaded
  # lsuser -R LDAP ALL
  daemon id=1 pgrp=staff groups=staff,daemon home=/etc login=true ...
  ...
  4. Add a new LDAP user
  # mkuser -R LDAP testu1
  # chuser registry=LDAP SYSTEM=LDAP testu1
  # passwd -R LDAP testu1
  Changing password for "testu1"
  testu1's New password:
  Enter the new password again:
  # lsuser testu1
  testu1 id=219 pgrp=staff groups=staff home=/home/testu1...
  registry=LDAP SYSTEM=LDAP
  # lsuser -R LDAP testu1
  testu1 id=219 pgrp=staff groups=staff home=/home/testu1 ...
  registry=LDAP SYSTEM=LDAP
  # grep testu1 /etc/security/*
  /etc/security/user:
  testu1:
  SYSTEM = "LDAP"
  registry = LDAP
  Note: there is no /etc/security/passwd entry for this user
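  As an added example (not part of the original article), the POSIX shell script below audits what step 4 produces: it parses lsuser-style "attr=value" output and a stanza file in /etc/security/passwd format, both constructed inline so it runs offline, and reports users whose registry and SYSTEM disagree, plus LDAP-registry users that still carry a local password stanza. On a real AIX host the inputs would be the output of lsuser -a registry SYSTEM ALL and the contents of /etc/security/passwd.

```shell
#!/bin/sh
# Audit AIX user registry settings. Constructed sample of
# `lsuser -a registry SYSTEM ALL` output (assumption: embedded here so the
# checks run offline; on a real host pipe the command's output in instead).
LSUSER_OUT='root registry=files SYSTEM=compat
daemon registry=files SYSTEM=compat
testu1 registry=LDAP SYSTEM=LDAP
testu2 registry=LDAP SYSTEM=compat
testu3 registry=files SYSTEM=LDAP'

# Constructed stanza text in /etc/security/passwd format (hashes are placeholders).
PASSWD_STANZAS='root:
        password = PLACEHOLDER_HASH
        lastupdate = 1060208483

testu2:
        password = PLACEHOLDER_HASH
        lastupdate = 1060208483
'

# Print "user registry SYSTEM" for every user where exactly one of the two
# attributes says LDAP (e.g. registry=LDAP but SYSTEM=compat). Reads lsuser
# lines on stdin; field order after the user name does not matter.
registry_mismatches() {
    awk '{
        reg = ""; sys = ""
        for (i = 2; i <= NF; i++) {
            n = index($i, "="); k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "registry") reg = v; else if (k == "SYSTEM") sys = v
        }
        if ((reg == "LDAP") != (sys == "LDAP")) print $1, reg, sys
    }'
}

# Print LDAP-registry users that still have a "user:" stanza in the local
# password file, i.e. stale local credentials. $1 = stanza text, lsuser
# lines on stdin.
ldap_users_with_local_stanza() {
    stanzas=$1
    awk '{ for (i = 2; i <= NF; i++) if ($i == "registry=LDAP") print $1 }' |
    while read -r u; do
        if printf '%s\n' "$stanzas" | grep -q "^$u:\$"; then
            printf '%s\n' "$u"
        fi
    done
}

printf '%s\n' "$LSUSER_OUT" | registry_mismatches
printf '%s\n' "$LSUSER_OUT" | ldap_users_with_local_stanza "$PASSWD_STANZAS"
```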

  5. Log in to the system as the new user
  AIX Version 5
  (C) Copyrights by IBM and by others 1982, 2002.
  login: testu1
  testu1's Password:
  You are required to change your password. Please choose a new one.
  testu1's New password:
  Re-enter testu1's new password:
  The following shows the communication on port 389 (the LDAP port) traced while user testu1 logs in:

  Packet Number 1 to port 389 - request user defaults
  Packet Number 2 from port 389 - returns user defaults
  Packet Number 3 from ldap port
  Packet Number 4 to ldap port
  Packet Number 5 from ldap port
  Packet Number 6 to ldap port - requests testu1 info
  Packet Number 8 - from ldap server - ?
  Packet Number 9 - to ldap server - request testu1 groupid
  Packet Number 10 - from ldap port - returns gidnumber
  Packet Number 11 - from ldap port
  Packet Number 12 - to ldap port
  Packet Number 13 - from ldap
  Packet Number 14 - to ldap port
  Packet Number 15 - from ldap port
  Packet Number 16 - from ldap port
  Packet Number 17 - to ldap port ACK.