AIX and Linux Interoperability - IBM Redbooks

More documents

Recommendations

Info

platforms and supported by many LDAP server and client implementations. Now, if we want to use an LDAP directory service for various operating systems, identifying the common denominator sounds reasonable. The following object classes are included in RFC2307 (there are more, but these are featured in this text): ► posixAccount ► posixGroup ► shadowAccount The posixAccount and posixGroup classes describe fields present in the /etc/passwd file. The shadowAccount consists of attributes that correspond to the fields in /etc/shadow. In Example 2-1, we show the relevant excerpt from RFC2307. The object class definitions may be intimidating at first sight, but we refer you to the MAY and MUST sentences, which contain a list of optional and mandatory attributes. The uid and userPassword attributes are used for user authentication. In Example 2-2 on page 19, we show a typical user entry in the LDIF format. Incidentally, even though we write object names in mixed case, it does not matter, not even in attribute values, which obviously has some effect on authentication (note the user name given): $ telnet r-linux Trying... Connected to r-linux. Escape character is '^]'. Red Hat Linux Version 8.0 (Psyche) Kernel 2.4.18-14 on an i686 login: Joe Password: Last login: Tue Nov 5 10:54:21 from 9.3.5.25 [joe@localhost joe]$ Of course, the case is significant for passwords, because they are stored as hashes. Example 2-1 Object class definitions 18 AIX and Linux Interoperabilty ( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) ) ( nisSchema.2.1 NAME 'shadowAccount' SUP top AUXILIARY DESC 'Additional attributes for shadow passwords' MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin shadowMax $ shadowWarning $ shadowInactive $
shadowExpire $ shadowFlag $ description ) ) ( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts' MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) Example 2-2 User LDIF entry dn: uid=joe,ou=People,dc=weeorg,dc=com uid: joe cn: Joe R. User objectClass: posixAccount objectClass: shadowAccount objectClass: top userPassword: {crypt}h/WA58b9dz5nI loginShell: /bin/ksh uidNumber: 1000 gidNumber: 100 homeDirectory: /home/users/joe gecos: Joe R. User shadowLastChange: 11627 shadowMax: 99999 shadowWarning: 7 2.2 Planning for LDAP authentication We suppose that everybody is already used to vendors implementing services in their own way even though the service itself may be described by a standard endorsed by everybody in the industry. It is important to check out all the options available and see how they relate to each other. Deploying LDAP is not an exception. Therefore, we examine many solutions for LDAP authentication on both AIX and Linux. We need an LDAP server to offer access to the identification and authentication data and to keep it in good shape. We also need an LDAP client that will be sufficiently integrated into the operating system to be able to take over the identification and authentication tasks. We need a thing or two more, such as implementing the security policy and encrypting the communication (we discuss these matters later in this chapter). AIX 5L Version 5.2 is delivered with both an LDAP server (IBM Directory Server) and an LDAP client. Of course, coming from the same vendor, these two cooperate nicely. If you are running an AIX-only shop and you plan to stick to it, this is probably the optimal solution. With the recently included support for PAM, Chapter 2. Centralized user management 19
Page 1: AIX and Linux Interoperability Effe
Page 4 and 5: Note: Before using this information
Page 6 and 7: 2.6.2 AIX LDAP client setup. . . .
Page 8 and 9: vi AIX and Linux Interoperability 7
Page 10 and 11: viii AIX and Linux Interoperability
Page 12 and 13: 10-12 Webmin welcome Page for Linux
Page 14 and 15: Trademarks The following terms are
Page 16 and 17: Abhijit Chavan is a Systems Enginee
Page 18 and 19: xvi AIX and Linux Interoperability
Page 20 and 21: 1.1 User security mechanisms 1.1.1
Page 22 and 23: 1.1.2 Linux security Linux keeps sh
Page 24 and 25: 1.2.2 PAM keywords 6 AIX and Linux
Page 26 and 27: 8 AIX and Linux Interoperabilty Her
Page 28 and 29: It is also possible to install new
Page 30 and 31: Configuring a PAM module The PAM LD
Page 32 and 33: 14 AIX and Linux Interoperabilty
Page 34 and 35: 2.1 Lightweight Directory Access Pr
Page 38 and 39: 2.3 LDAP servers the AIX LDAP authe
Page 40 and 41: 2.3.1 IBM Directory Server IBM Dire
Page 42 and 43: Example 2-4 IBM Directory Server in
Page 44 and 45: Choosing the suffix All DNs adminis
Page 46 and 47: krb5-devel-1.2.5-6.i386.rpm openlda
Page 48 and 49: 30 AIX and Linux Interoperabilty ad
Page 50 and 51: Figure 2-4 Creating the key databas
Page 52 and 53: 2.5 LDAP authentication clients 34
Page 54 and 55: Figure 2-6 Linux security subsystem
Page 56 and 57: Example 2-8 Alternative LDAP identi
Page 58 and 59: If you enter '.', the field will be
Page 60 and 61: Example 2-10 OpenLDAP /etc/openldap
Page 62 and 63: objectClass: posixAccount objectCla
Page 64 and 65: Though authconfig does a good job,
Page 66 and 67: ut values may be only host names or
Page 68 and 69: 50 AIX and Linux Interoperabilty si
Page 70 and 71: standard authentication methods to
Page 72 and 73: The kinit program obtains the TGT.
Page 74 and 75: weeorg.com = WEEORG.COM The krb5.co
Page 76 and 77: the kadmind administration server i
Page 78 and 79: For example, ordinary users have ju
Page 80 and 81: minclasses Minimum number of charac
Page 82 and 83: server and loaded into the target d
Page 84 and 85: There exists, however, an LDAP back
Page 86 and 87:
68 AIX and Linux Interoperabilty Ve
Page 88 and 89:
ACL restrictions. Enter password fo
Page 90 and 91:
Note that version numbers may chang
Page 92 and 93:
Example 3-7 The DNS zone with suppo
Page 94 and 95:
principals that are running on a pa
Page 96 and 97:
You should find other Kerberos serv
Page 98 and 99:
The -A option will instruct the scr
Page 100 and 101:
3.9 Security considerations Kerbero
Page 102 and 103:
On AIX 5L Version 5.2, the EIM APIs
Page 104 and 105:
4.1 Protocols Protocols define how
Page 106 and 107:
Configuring the master name server
Page 108 and 109:
90 AIX and Linux Interoperabilty c.
Page 110 and 111:
92 AIX and Linux Interoperabilty d.
Page 112 and 113:
Address: 192.168.5.10 94 AIX and Li
Page 114 and 115:
96 AIX and Linux Interoperabilty }
Page 116 and 117:
Route Tree for Protocol Family 2 (I
Page 118 and 119:
100 AIX and Linux Interoperabilty I
Page 120 and 121:
4.2 Data transfers 4.2.1 rsync On t
Page 122 and 123:
For more information on the rsync.c
Page 124 and 125:
Running the rdist command In AIX, g
Page 126 and 127:
The IBM Tivoli Netview supports AIX
Page 128 and 129:
If you want to install and compile
Page 130 and 131:
4.3.4 UNIX network performance mana
Page 132 and 133:
- Mail aliases file - Mail queue -
Page 134 and 135:
5.1.2 Configuration file: sendmail.
Page 136 and 137:
This creates a dbm version of the a
Page 138 and 139:
The MASQUERADE_AS macro removes all
Page 140 and 141:
macro files, which are generally in
Page 142 and 143:
6.1 Installing Samba on AIX You can
Page 144 and 145:
126 AIX and Linux Interoperabilty C
Page 146 and 147:
Figure 6-3 Creating homes share thr
Page 148 and 149:
Figure 6-5 Configuring print shares
Page 150 and 151:
Example 6-2 Verifying the shares av
Page 152 and 153:
# server and service. # For example
Page 154 and 155:
136 AIX and Linux Interoperabilty W
Page 156 and 157:
[homes] 138 AIX and Linux Interoper
Page 158 and 159:
140 AIX and Linux Interoperabilty T
Page 160 and 161:
142 AIX and Linux Interoperabilty
Page 162 and 163:
7.1 What NFS is NFS was designed by
Page 164 and 165:
Example 7-3 Installing NFS server f
Page 166 and 167:
Example 7-5 NFS options from SMIT 1
Page 168 and 169:
Use SECURE option? no + Public file
Page 170 and 171:
This means that /usr/home from aix_
Page 172 and 173:
► lockd ► statd The first servi
Page 174 and 175:
3. To verify the mounted directory,
Page 176 and 177:
On Linux, automount is started by r
Page 178 and 179:
7.6.4 NFS locking An RPC program ha
Page 180 and 181:
Page 182 and 183:
8.1 Journaled File System (JFS) The
Page 184 and 185:
Reboot the system. Now we have JFS
Page 186 and 187:
dev/fd0 /mnt/floppy auto noauto,own
Page 188 and 189:
which will be available in future r
Page 190 and 191:
udfcheck. The command names are sel
Page 192 and 193:
Where /dev/cd0 is the DVD-RAM drive
Page 194 and 195:
Since the export rules allow the wr
Page 196 and 197:
Another popular archiver is cpio. I
Page 198 and 199:
9.1 IPSec In this topic, we are goi
Page 200 and 201:
9.1.2 Tunnels and key management To
Page 202 and 203:
9.1.3 Installing IPSec on Linux The
Page 204 and 205:
In Figure 9-2, we suggest a test sc
Page 206 and 207:
9.1.4 Installing IPSec on AIX The I
Page 208 and 209:
6. Click OK. The Password Prompt wi
Page 210 and 211:
Expand the Network icon, on the lef
Page 212 and 213:
configuration to the corresponding
Page 214 and 215:
We can also check the logs files. I
Page 216 and 217:
9.2 Security tools 9.2.1 OpenSSL In
Page 218 and 219:
openssl ###########################
Page 220 and 221:
# so this is commented out by defau
Page 222 and 223:
# This goes against PKIX guidelines
Page 224 and 225:
Using OpenSSL Now we will cover som
Page 226 and 227:
To encrypt a file using a symmetric
Page 228 and 229:
In Example 9-17, we generate a set
Page 230 and 231:
In Example 9-21 we compute the publ
Page 232 and 233:
Example 9-24 Generating a RSA publi
Page 234 and 235:
organizationalUnitName = Internatio
Page 236 and 237:
Verifying password - Enter PEM pass
Page 238 and 239:
ea:c2:f7:e0:67:50:34:5d:ab:a9:89:83
Page 240 and 241:
9.2.2 OpenSSH 9.2.3 tcp_wrapper To
Page 242 and 243:
Page 244 and 245:
10.1 Web-based System Manager Web-b
Page 246 and 247:
If Web-based System Manager is not
Page 248 and 249:
Figure 10-2 Web-based System Manage
Page 250 and 251:
To install Web-based System Manager
Page 252 and 253:
Figure 10-5 Installation of Web-bas
Page 254 and 255:
We have a network that consists of
Page 256 and 257:
238 AIX and Linux Interoperability
Page 258 and 259:
10.On the Linux command line, run t
Page 260 and 261:
10.3 Webmin To view the CA certific
Page 262 and 263:
Config file directory [/etc/webmin]
Page 264 and 265:
Figure 10-11 Webmin welcome page fo
Page 266 and 267:
administer. An example Web page of
Page 268 and 269:
Figure 10-15 Servers category Other
Page 270 and 271:
252 AIX and Linux Interoperability
Page 272 and 273:
11.1 Printing from Linux to a print
Page 274 and 275:
Example 11-2 Adding a queue for pri
Page 276 and 277:
Example 11-5 Adding print access fo
Page 278 and 279:
11.2 Printing from AIX to a printer
Page 280 and 281:
4. Figure 11-4 shows that Red Hat a
Page 282 and 283:
Figure 11-7 A properly configured p
Page 284 and 285:
To configure a remote printer using
Page 286 and 287:
Example 11-10 Selecting the remote
Page 288 and 289:
2. Configure the IBM Directory to s
Page 290 and 291:
12.1 Linux on a logical partition (
Page 292 and 293:
Figure 12-2 Workload Management thr
Page 294 and 295:
Other related information and links
Page 296 and 297:
System applications Samba client, G
Page 298 and 299:
► Linux Applications on pSeries,
Page 300 and 301:
NS Name Server NSS Name Service Swi
Page 302 and 303:
284 AIX and Linux Interoperabilty A
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
► rsync Web site 290 AIX and Linu
Page 310 and 311:
Page 312 and 313:
allow-query 88 allow-transfer 88 Ap
Page 314 and 315:
LDAP directory schema 66 logging 56
Page 316 and 317:
AIX PAM module 9 applications on AI
Page 318 and 319:
udfcreate 171, 174 udflabel 171, 17
Page 322:
AIX and Linux Interoperability Effe
show all

AIX and Linux Interoperability - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?