Why Kerberos and LDAP?
LDAP is very effective for storing and retrieving user attributes for AIX users, but using LDAP alone for authentication still requires the user to keep both an AIX password and an AD password. Kerberos lets AIX authenticate users against AD's native protocol, so they log in with their Microsoft Windows passwords.
Active Directory attributes used
The following AD attributes can be used by AIX to obtain user information.
Before you start: prerequisites
The following items need to be configured before starting the process.
The Domain Name System (DNS) records (A and PTR) of the AIX hosts in your Windows DNS server.
The computer object in Active Directory that matches the AIX host name.
The organizational unit (OU) that contains the AIX object.
The target OU contains at least one user who supports UNIX.
An AD service account that can be used to bind LDAP to AD. The service account should have full Read permissions on any OU that will contain UNIX-enabled users.
Ensure that the hostname command returns the fully qualified domain name (FQDN) of the AIX server. The /etc/hosts entry for the host should be {IP} {FQDN} {short name}.
Make sure that the AIX host uses the domain controller as its DNS server.
Configure Network Time Protocol (NTP) on the AIX server. (Kerberos will fail if the clock skew exceeds 5 minutes.)
Configure syslog, or verify that it is running as expected.
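The host-side items in the list above (FQDN hostname, /etc/hosts order, DNS A/PTR records, clock skew) can be checked before touching Kerberos. The script below is an added example, not from the original article; the host names, addresses and the domain controller argument are constructed sample values, and the live check assumes `host` and `ntpdate -q` are available on the AIX box.

```sh
#!/bin/sh
# Pre-flight checks for the AIX-to-AD prerequisites (added example, not from the article).
# Sample values below (192.0.2.x, example.com) are constructed, not taken from the page.

# True if $1 is a fully qualified name: contains a dot and does not end in one.
is_fqdn() {
    case "$1" in
        *.)  return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# True if FILE has an entry for IP in the required order "{IP} {FQDN} {short}".
# Comments are stripped first; only the first line for that IP is examined.
hosts_entry_ok() {
    file=$1; ip=$2; fqdn=$3; short=$4
    line=$(sed 's/#.*//' "$file" | awk -v ip="$ip" '$1 == ip { print; exit }')
    [ -n "$line" ] || return 1
    set -- $line
    [ "$2" = "$fqdn" ] && [ "$3" = "$short" ]
}

# True if the absolute clock offset in seconds (may be fractional) is within
# the 5-minute (300 s) window that Kerberos tolerates.
skew_ok() {
    [ -n "$1" ] || return 1
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit !(o <= 300) }'
}

# Write a constructed /etc/hosts to $1: one correct entry and one with the
# short name before the FQDN, which the order check must reject.
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1   loopback localhost      # loopback (lo0) name/address
192.0.2.10  aixhost.example.com aixhost
192.0.2.11  aixhost2 aixhost2.example.com
EOF
}

# Run the checks against the live host: live_checks DC-NAME HOST-IP [SHORT-NAME].
# "ntpdate -q" only queries the DC's time; it does not step the local clock.
live_checks() {
    dc=$1; ip=$2; fqdn=$(hostname); short=${3:-${fqdn%%.*}}
    is_fqdn "$fqdn" || { echo "hostname is not an FQDN: $fqdn"; return 1; }
    hosts_entry_ok /etc/hosts "$ip" "$fqdn" "$short" || { echo "/etc/hosts entry is not '$ip $fqdn $short'"; return 1; }
    host "$fqdn" >/dev/null && host "$ip" >/dev/null || { echo "DNS A/PTR lookup failed for $fqdn / $ip"; return 1; }
    offset=$(ntpdate -q "$dc" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -n 1)
    skew_ok "$offset" || { echo "clock offset to $dc is '${offset:-unknown}' s (limit 300)"; return 1; }
    echo "all prerequisite checks passed"
}
```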
Sample Environment
The sample scenario was tested using AIX 6.1 TL 6 and TL 8 and AIX 7.1 TL 1, with Active Directory on Windows Server 2008 R2 domain controllers running at the 2003 functional level. It is important to emphasize that the domain controller must be Windows Server 2003 R2 or later to include the out-of-the-box UNIX LDAP attributes. If you have a Windows Server 2003 domain controller, you can use the Microsoft Windows Services for UNIX add-on to extend the LDAP schema with the UNIX attributes. (That scenario is outside the scope of this article.)