I need to have Solaris and AIX systems obtain authentication and name services to AD. I have had some success with Solaris using OpenLDAP as a proxy for user authentication. I have also successfully configured AIX to use AD kerberos authentication and AD LDAP naming services. However, for both platforms, I have two serious issues I need help on:

  1. AD users/groups may be upper or lower-case, or any combination thereof, but for a consistent end-user experience and for utilities to work as expected in UNIX, they should be lower-case. Renaming IDs en masse in AD is hard to sell. Linux sssd can do the lower-casing, but AIX/Solaris cannot.
  2. AIX and Solaris expect an rfc2307 'memberUid' attribute (eg memberUid=user1) for group members, while AD uses the rfc2307bis 'member' attribute (eg member=cn=user1,dc=foo,dc=com). Is there a way with OpenLDAP, or otherwise, to rewrite memberUid from member for Solaris/AIX clients? slapo-rwm can rewrite DNs, but a transformation like this doesn't seem to be there.
  • Why is renaming... well, re-casing, really... a hard sell? Are your users that attached to capitalization, or is there some belief that this will make a bit of difference to your AD/Windows machines? (It won't.) – HopelessN00b Mar 03 '15 at 22:03
  • [Centrify](https://www.centrify.com/products/server-suite/active-directory-bridge/) is a major player in this space. Solaris and AIX are both on their supported platforms list. I realize this is a product recommendation which is why I'm posting as a comment instead of an answer. – Ryan Bolger Mar 03 '15 at 22:27

2 Answers

1

You can use Kerberos to map AIX logins to AD names/domains. This IBM page is a good reference for the AD and server config. Then you just do:

chuser auth_name=ADUSER auth_domain=example.com registry=KRB5Afiles SYSTEM=KRB5Afiles login

(note this is a bit different on AIX7.1 but works well on 6.1 and 5.3.)

This is how we authenticate to AD at my workplace, and it's pretty easy to maintain, no LDAP tie-in needed.

0

Given my requirements, the solution we ended up using was the OpenLDAP contrib module (overlay) adremap, which is in every source distro of OpenLDAP, see this link. We contracted with Symas for them to develop it and put it into upstream OpenLDAP. This overlay will lowercase usernames and dynamically convert rfc2307bis member attributes to memberUid. If compiled, a man page provides the documentation to use it: man slapo-adremap.

I have OpenLDAP configured as a proxy to AD using the adremap overlay (lowercase, group conversion) and rwm (man slapo-rwm) to map the LDAP attributes that old Solaris/AIX LDAP clients want to their AD equivalents.

adremap config in use:

overlay adremap
adremap-downcase uid
adremap-downcase cn
adremap-downcase memberUid
adremap-downcase member
adremap-downcase samaccountname
adremap-dnmap member cn memberUid group posixGroup person dc=example,dc=com

Partial rwm overlay config:

rwm-map attribute       gecos           displayName
rwm-map attribute       uid             samAccountName
rwm-map attribute       homedirectory   unixHomeDirectory
rwm-map objectclass     posixGroup      group
rwm-map objectclass     posixAccount    user

Configuring OpenLDAP as a proxy is covered in man slapd-ldap, and is beyond what I could usefully provide here.

After chewing on this issue a while, I have found that there is no perfect solution out there, but this one works for us. Note that this solution is also working well for older RHEL (pre-EL6) LDAP clients, as they are unable to lowercase usernames.
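To make the transformation the answer above describes concrete, here is an added illustration (not code from the page, from OpenLDAP, or from the adremap overlay) of the rewrite an adremap-style proxy applies to AD entries before rfc2307 clients such as Solaris/AIX see them: the attributes listed under adremap-downcase are lowercased, and a group's rfc2307bis member DNs are resolved to the referenced person entries, whose cn (the attribute the answer's config names) becomes memberUid. The AD directory is a constructed in-memory dictionary, the user entries are simplified so that cn doubles as the login name, and one member DN deliberately points at an entry that no longer exists to show how a dangling reference is handled.

```python
# Added illustration (not OpenLDAP's adremap code): the rewrite an adremap-style
# proxy applies to AD entries before rfc2307 clients such as Solaris/AIX see them.
# A constructed in-memory dictionary stands in for the AD directory.
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Attributes downcased, matching the answer's adremap-downcase lines.
DOWNCASE = {"uid", "cn", "memberuid", "member", "samaccountname"}

# Constructed sample AD data: two users (cn doubles as the login name here) and
# one group whose third member DN points at an entry that no longer exists.
AD: Dict[str, Entry] = {
    "CN=John.Smith,OU=People,DC=example,DC=com": {
        "objectClass": ["person", "user"], "cn": ["John.Smith"],
        "sAMAccountName": ["John.Smith"], "uidNumber": ["10001"]},
    "CN=MARY.JONES,OU=People,DC=example,DC=com": {
        "objectClass": ["person", "user"], "cn": ["MARY.JONES"],
        "sAMAccountName": ["MARY.JONES"], "uidNumber": ["10002"]},
    "CN=UnixAdmins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["UnixAdmins"], "gidNumber": ["5000"],
        "member": ["CN=John.Smith,OU=People,DC=example,DC=com",
                   "cn=mary.jones, ou=People, dc=example, dc=com",
                   "CN=Ghost,OU=People,DC=example,DC=com"]},
}

def normalize_dn(dn: str) -> str:
    """DN comparison in LDAP is case-insensitive and ignores space after commas."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()

def find_by_dn(dn: str, directory: Dict[str, Entry]) -> Optional[Entry]:
    wanted = normalize_dn(dn)
    return next((e for d, e in directory.items() if normalize_dn(d) == wanted), None)

def remap_entry(entry: Entry, directory: Dict[str, Entry], lookup_attr: str = "cn") -> Entry:
    """Downcase the configured attributes; for AD groups, resolve each member DN to a
    person entry and emit its lookup_attr (cn, as in the answer's config) as memberUid."""
    out: Entry = {a: [v.lower() for v in vals] if a.lower() in DOWNCASE else list(vals)
                  for a, vals in entry.items()}
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    if "group" in classes and "member" in entry:
        uids: List[str] = []
        for dn in entry["member"]:
            target = find_by_dn(dn, directory)
            # Dangling DN or non-person target: skip rather than invent a login name.
            if target is None or "person" not in {oc.lower() for oc in target.get("objectClass", [])}:
                continue
            uids.extend(v.lower() for v in target.get(lookup_attr, []))
        out["memberUid"] = uids
        out["objectClass"] = out["objectClass"] + ["posixGroup"]
    return out
```

Real AD user entries usually carry a display name in cn, so in practice the attribute resolved from each member entry (and the rwm mapping of uid to sAMAccountName) needs to agree with what the UNIX clients treat as the login name.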