All,
This is for anyone using AIX clients with FreeIPA. I have the client up and
running just fine (no KRB5, AIX bug); however, I cannot seem to get the client
to load the groups attribute properly. The user's primary group shows up in
the groups attribute from lsuser, but not any subsequent groups the user is a
member of in IPA. In the outputs below, I do a lookup for IPA user 0016751 and
I would expect the groups= attribute to match those that are listed in the
"Member of Groups" from FreeIPA.
I experimented with the groups attribute and mapping to the memberOf LDAP
attribute in the IPAuser.map file, but that hasn't changed the outcome. If
anyone has any pointers or advice, it would be greatly appreciated!
AIX Client:
6100-09-04-1441
LDAP Client version:
idsldap.clt32bit61.rte 6.1.0.57 COMMITTED Directory Server - 32 bit
idsldap.clt_max_crypto32bit61.rte
idsldap.cltbase61.adt 6.1.0.57 COMMITTED Directory Server - Base Client
idsldap.cltbase61.rte 6.1.0.57 COMMITTED Directory Server - Base Client
idsldap.ent61.rte 6.1.0.26 COMMITTED Directory Server - Entitlement
idsldap.clt32bit61.rte 6.1.0.57 COMMITTED Directory Server - 32 bit
idsldap.cltbase61.rte 6.1.0.57 COMMITTED Directory Server - Base Client
IDM Server:
RHEL 6.6 x64
ipa-server-3.0.0-42
AIX Client LDAP Config:
ldapservers:idm1-corp-p1.idm.abc.com,idm2-corp-p1.idm.abc.com
binddn:uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com
bindpwd:password
authtype:ldap_auth
userattrmappath:/etc/security/ldap/IPAuser.map
groupattrmappath:/etc/security/ldap/IPAgroup.map
userbasedn:cn=users,cn=accounts,dc=idm,dc=abc,dc=com
groupbasedn:cn=groups,cn=accounts,dc=idm,dc=abc,dc=com
#IPAuser.map file
keyobjectclass SEC_CHAR posixaccount s na
username SEC_CHAR uid s na
id SEC_INT uidnumber s na
pgrp SEC_CHAR gidnumber s na
#groups SEC_LIST memberOf m na
home SEC_CHAR homedirectory s na
shell SEC_CHAR loginshell s na
gecos SEC_CHAR gecos s na
spassword SEC_CHAR userpassword s na
lastupdate SEC_INT shadowlastchange s days
#IPAgroup.map file
groupname SEC_CHAR cn s na
id SEC_INT gidNumber s na
users SEC_LIST member m na
LDAP User lookup
root@aix:/home/root > lsuser -f -R LDAP 0016751
0016751:
id=1329001106
pgrp=0016751
groups=0016751
home=/home/0016751
shell=/bin/bash
gecos=David Beck
login=true
su=true
rlogin=true
daemon=true
admin=false
sugroups=ALL
admgroups=
tpath=nosak
ttys=ALL
expires=0
auth1=SYSTEM
auth2=NONE
umask=77
registry=LDAP
SYSTEM=compat or LDAP
logintimes=
loginretries=3
pwdwarntime=14
account_locked=false
LDAP Group lookup
root@aix:/home/root > lsgroup -R LDAP aix-admins
aix-admins id=1329004961 users=0016066,0016751,0002885,0016896,0016304,0014269,0015513,0015611,0016721 registry=LDAP
User Group lookup
root@aix:/home/root > groups 0016751
0016751 : 0016751
From the IDM server:
[root@idm1-corp-p1 ~]# ipa user-show 0016751
User login: 0016751
First name: David
Last name: Beck
Home directory: /home/0016751
Login shell: /bin/bash
Email address: [email protected]
UID: 1329001106
GID: 1329001106
Telephone Number: 555-555-5555
Job Title:
Account disabled: False
Password: True
Member of groups: unixss, linux-admins, aix-admins, smb-linfs-linadm, tam-admins
Roles: IPA Administration
Member of Sudo rule: nmap-intaudit
Member of HBAC rule: aix-sshd-test
Indirect Member of group: smb-linfs
Indirect Member of Sudo rule: serverAdmin
Indirect Member of HBAC rule: ssh_all, cvs_access
Kerberos keys available: True
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
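A diagnostic to go with the post above, added here as an example and not code from the original message, from FreeIPA or from IBM: AIX builds a user's secondary groups from the group entries (the attribute mapped to `users` in the group map), while `ipa user-show` reports them from the user's `memberOf` values, so the first thing worth checking is whether the two views of membership actually agree, and whether every group involved carries a `gidNumber` (a FreeIPA group without one is not a POSIX group and cannot be represented by the `id SEC_INT gidNumber` mapping). The script below parses an LDIF dump and reconciles the two sides. The LDIF is constructed from the DNs and group names in the post, including a deliberately non-POSIX `unixss` entry to show what the check reports; the gidNumber for linux-admins and the membership of 0016066 are likewise made up for the sample.

```python
"""Reconcile group membership seen from the user entry (memberOf) against
membership seen from the group entries (member / memberUid), and flag groups
that have no gidNumber. Example code written for the freeipa-users post above;
it is not part of FreeIPA or AIX. The LDIF is a constructed sample."""
import re
from collections import defaultdict

# Base DNs taken from the post's ldap.cfg; the user DN is the post's bind DN.
GROUP_BASE = "cn=groups,cn=accounts,dc=idm,dc=abc,dc=com"
USER_DN = "uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com"

# Constructed LDIF modelled on the post (not a real dump). The unixss group is
# deliberately written without gidNumber to exercise the non-POSIX check.
SAMPLE_LDIF = """\
dn: uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com
objectClass: posixaccount
uid: 0016751
uidNumber: 1329001106
gidNumber: 1329001106
memberOf: cn=aix-admins,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com
memberOf: cn=linux-admins,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com
memberOf: cn=unixss,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com

dn: cn=aix-admins,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com
objectClass: posixgroup
cn: aix-admins
gidNumber: 1329004961
member: uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com
member: uid=0016066,cn=users,cn=accounts,dc=idm,dc=abc,dc=com

dn: cn=linux-admins,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com
objectClass: posixgroup
cn: linux-admins
gidNumber: 1329004962
member: uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com

dn: cn=unixss,cn=groups,cn=accounts,dc=idm,dc=abc,dc=com
objectClass: groupofnames
cn: unixss
member: uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$")


def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def rdn_value(dn):
    """Value of the leading RDN, e.g. 'aix-admins' from 'cn=aix-admins,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def parse_ldif(text):
    """Minimal LDIF parser -> {normalised dn: {attr_lower: [values]}}.
    Unfolds continuation lines, skips comments and base64 (::) values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None
            continue
        match = ATTR_LINE.match(line)
        if line.startswith("#") or not match or match.group(2) == ":":
            continue
        attr, value = match.group(1).lower(), match.group(3).strip()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), defaultdict(list))
        if current is not None:
            current[attr].append(value)
    return entries


def groups_via_memberof(entries, user_dn):
    """Groups as the user entry reports them (what ipa user-show lists)."""
    base = norm_dn(GROUP_BASE)
    user = entries[norm_dn(user_dn)]
    return {rdn_value(g) for g in user.get("memberof", [])
            if norm_dn(g).endswith("," + base)}


def groups_via_member(entries, user_dn):
    """Groups whose own entry names the user, by DN (member) or by login
    name (memberUid); this is the side an LDAP client resolving groups sees."""
    base, udn, uid = norm_dn(GROUP_BASE), norm_dn(user_dn), rdn_value(user_dn)
    found = set()
    for dn, attrs in entries.items():
        if not dn.endswith("," + base):
            continue
        members = {norm_dn(m) for m in attrs.get("member", [])}
        if udn in members or uid in attrs.get("memberuid", []):
            found.add(attrs["cn"][0])
    return found


def posix_groups(entries):
    """Groups under the group base that carry a gidNumber."""
    base = norm_dn(GROUP_BASE)
    return {attrs["cn"][0] for dn, attrs in entries.items()
            if dn.endswith("," + base) and attrs.get("gidnumber")}


def reconcile(entries, user_dn):
    via_user, via_groups = groups_via_memberof(entries, user_dn), groups_via_member(entries, user_dn)
    posix = posix_groups(entries)
    return {
        "memberof": via_user,
        "member_side": via_groups,
        "only_in_memberof": via_user - via_groups,
        "only_on_groups": via_groups - via_user,
        "non_posix": (via_user | via_groups) - posix,
        "expected_aix_groups": via_user & via_groups & posix,
    }


if __name__ == "__main__":
    for key, value in reconcile(parse_ldif(SAMPLE_LDIF), USER_DN).items():
        print(f"{key:22} {', '.join(sorted(value)) or '-'}")
```

To run this against a real deployment, replace SAMPLE_LDIF with a dump such as `ldapsearch -x -LLL -H ldap://idm1-corp-p1.idm.abc.com -D "uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com" -W -b cn=accounts,dc=idm,dc=abc,dc=com "(|(uid=0016751)(member=uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com))" cn uid gidNumber member memberUid memberOf` (OpenLDAP client syntax; the IBM ldapsearch shipped with the AIX client uses -h/-p for host and port and -w for the password). Any group that appears in `only_in_memberof` or `non_posix` cannot be delivered to lsuser by the posted IPAgroup.map, whatever the user map says. Unrelated to the group problem but visible in the posted ldap.cfg: the bind identity is the same account that holds the IPA Administration role, with its password in clear text in the client config; a dedicated read-only bind account limits what a compromised AIX host can do with that file.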