Thank you.
So you know if you work a lot of the green screens,
so after some time you cannot distinguish between green and yellow.
So it's what happens to me and we are talking about IBM RX,
and it's usually green screen.
So we are here in the deaf room and the first, I'm not a developer.
I'm a classical system administrator.
So yeah, you can say to me I'm a DevOps engineer because I can quote,
I can quote and see and Google Go and Rust in Python and Ruby,
so I used everything.
And I ported a lot of tools to IBM IX and to Linux on IBM Power,
and on OpenPower.
I'm not an IBMer.
Usually IBM has talks about IBM Power.
I'm not.
I'm an IBM champion.
So if you know what is AWS Hero, Microsoft, most valued professional,
so this is the similar program from IBM.
I'm not a red-hitter.
I don't have a red-hitter.
So as you see, I'm a red-hitter certified engineer and I'm a red-hitter instructor.
So that's why some of these talk may sound for you like a training material,
so it is not.
And we're here at FOSDEM, beer, open source hackers.
What does it do?
What has it to do with IX?
IX is a series of proprietary, Unix operating systems called sourceWare.
So this is my attitude to it.
Real hackers don't need source code.
I was born in another time in another country and we didn't have access to source code mostly.
And the real hackers, or real hacker, is someone who can understand how the program works
without looking into the source code and who can change it without looking into the source code.
So, who are some of the men who use it today?
Who uses IX?
Nobody?
You are all wrong.
Do you have a banking account?
You're a bank user, so do you have insurance?
Your insurance user, so how did you came here by car, by train, by flight?
Everyone uses IX.
So retailers, manufacturers, if you bought something, it was done on IX.
So do you have this thing?
No, you don't have an onix on it.
But in the back end, it is IX database, or database on IX,
who processes all your orders and sign-ons and so on.
So I added some, yeah, I added some marketing sheet
because nobody knows what IBM power is.
Sheet with long e, not with short.
I just want to say that this is my favorite guy, IBM Power 8 and AC.
So it has 1,920 logical CPUs and 64 terabytes of memory.
So you can have it everything in one position, so in one virtual machine.
So I did once with six, first time I did with 640 CPUs, virtual machines.
So I wanted to look what are my CPUs are doing.
And you know, even if you have, let's say, 40 lines in your terminal, 640 CPUs,
it is how many? 16 pages of CPUs.
So it takes some time to get them.
But there are some funny facts about power which are not very well known.
So fun fact number one, zero successful data breaches.
So it is 2022.
I don't think it is about that IX is so secure. IX is not so secure.
So it is like any other operating systems.
And most of the guys, system administrators, cannot use it correctly.
So but the other side of the story, nobody knows about it.
So it's difficult to breach into it if you don't know how to use it.
Fun fact number two, it's 14 years the major reliable server.
So somewhere here, the typo.
So it's really reliable. To bring it down, it's impossible.
So it just works. So it can work year long.
You can forget about it, it will work anyway.
So and I like this fun fact.
So this is about performance.
Let a P in power is performance.
So you see here IBM E-server P5.
So this is the fifth generation of power servers 2005.
Did an SIP benchmark, somehow 8000 something steps.
So eight years later Fujitsu's park could do almost the same.
Last year, the latest and greatest Intel Dell Power H
with the latest and greatest Intel CPU just outperformed by 1%.
So you know what is the most powerful server right now in this benchmark.
So the first three places are there.
Before going further, we had to talk a little bit about IX
and what we should understand.
What makes it so easy and so difficult working with IX.
So it's a real unique standard operating system.
It is everything is standardized and everything what is implemented in IX is standardized.
So implemented according to standards.
But you know standards can be a little bit different according to the developer.
So it depends on developer who develops or who implements their standard usually.
One of the most things is binary compatibility.
So if you ask any IX admin, they will say binary compatibility is the most important thing
because yes, I can run on my most modern IX server.
Binary is a program which were compiled 20 years ago.
I did it even more than 20 years ago.
Another case of this binary compatibility, so you don't innovate.
Because you have it, it works.
So why should you innovate?
Why should you do newer things?
It's not BSD based and not system 5B based.
So it's a usual, it's OSF-1 based if someone remembers OSF-1.
So it was end of the eighties, beginning of the nineties
when IBM, HP and digital united together to make a new standard in Unix world.
And they did OSF-1.
And of course, because not everything can be standardized, it has some unique features.
And let's go to authentication.
So PIME, everyone knows.
Everyone uses in Linux PIME.
IX has support for PIME.
Everything is good? No.
So it's originated in Solaris, yeah.
Can be used in IX.
But IX uses old Solaris implementation of PIME from the end of the nineties.
And it's really paining in the ass, sorry, to port some PIME module from Linux to IX.
I tried to port Azure AD authentication to IX.
And I failed and after one week I said no, I will not do it.
Because the differences between APIs in IX and old PIME interface and newer interface.
But IX has something different called load authentication module.
This is original IX idea, how to make almost the same.
So it was done even before PIME.
So five years I think before PIME, they did LAM.
Almost the same, but a little bit different.
IX only technology and very popular in IX world.
Again, not because it is the best technology.
Usually because system administrators don't know anything else.
So that's why they use LAM.
It is by default there.
So and the most big feature of it, there is almost no documentation how to use it and how to develop it.
So first time I developed my LAM module, I used Samba source code to understand how it works.
Because Samba had LAM module for IX and IBM didn't provide anything.
So it's not really versus, it's together.
They work together.
So we have PIME and LAM.
We can have application one using PIME and application two using LAM.
It's flexibility.
So we can have user one using PIME and user two using LAM on the same system.
We can do everything we want.
Every user has 50 attributes, different attributes we can configure.
So it's not like in Linux where you have home directory password, user ID and so on.
In IX you have 50 attributes.
You must not use every attribute, but you can use it.
And you can configure, you can have different password policy for different user based on different dictionaries and so on.
But even in wars you can configure PIME to use LAM for authentication and use LAM to configure LAM to use PIME for authentication.
So usually it's good that IX administrators don't know about this feature,
but you can get into real, I don't know how to say it.
So you will be waiting for authentication 20 years till it completes because LAM will consult PIME and PIME will consult LAM.
So now let's go a little bit into details.
So the first configuration we need to, we can choose, do we use standard authentication?
It is LAM, loadable authentication model, or we use PIME authentication.
So we configure it's just normal in config file and this is standard value, standard authentication.
And in our case we leave it as standard authentication.
So next in ETC security user we can configure different user attributes.
And this is one attribute system which is usually tells us which loadable authentication modules we should use to authenticate the user.
By default in IX there are two variants, files or compact, they are not very, really different,
but you can install additional authentication modules and add much more.
So it works with IX only functions authenticate, it is not POSIX, it's not single user specification, it's just IX.
And you just get username from user and send it to this function.
And functions read ETC security user, it somehow works with system which we configured and says,
okay, let's go use this prompt to the user.
So in this case it can be that user one uses LDAP and authenticate with free EPA for example.
And other user uses Kerber's and authenticate with Microsoft Active Directory,
the third user can use multi-factor authentication and authenticate through GitHub.
So all on the same system.
But it's not all because as I said sometimes documentation lacks some information.
There is another function authenticate X in the newer version of IX.
Yeah, IBM is like me in this case, so they have very big brain how to name functions.
So I also use the variables name, R, Y, J, K, L, M and so on.
But the difference is here with this state.
So what should be used, I don't know.
But one of these two functions is used by login and it then goes to loadable authentication modules.
And we have a configuration for loadable authentication module in this file and this is standard way.
As you see we have one module for 32 bits programs and another module for 64 bit programs.
And this is again the problem for me personally because I like to use modern programming languages like Google Go or Rust.
And they are 64 bit only on IX.
But in this case you need also to have 32 bit program and it means you can use just C or that's it, nothing else.
And this is what comes by default as you see IX delivers carbers and LDAP as default modules.
They are just there, you need to configure them.
But there are some pieces missing of information here.
So if you want to use LDAP you must install IBM directory server LDAP file sets.
They are delivered with IX, so but they are not installed by default.
Similar if you want to use carbers you must install IBM network authentication service file sets.
They are also delivered but not installed by default.
In this particular case I use only LDAP but you can use also carbers for authentication and LDAP as directory service to list to users, to get directory for users.
So do I need to do something on free EPASite?
No, really no, no.
You just install and use free PSU.
Usually do.
So I have such installation at customer site and they just installed, they didn't do anything special for IX on there.
I usually do something, so in my test I usually do OK2oFS delegate too.
It's not for LDAP indeed, so it's more for carbers single sign on which I don't use here but so it works.
And I create separate IX for you because there are some gotchas with IX.
So BESH is not on every IX installed by default.
So just on newer versions of IX it is by default there.
On older IX version we use con shell 93 and on IX standard user group has JID 1 and not 100 SM Linux.
So that's why I do this using Vue.
So and yes, just small ansible snippet what I do, what I told about and again thank you very much for ansible modules.
So magnificent.
So IX site.
On IX site we just create second app configuration with this command and we specify here our IR server.
The name which we use to log into free EPO and password you see I use the long very long password and cryptical so and where we can start searching.
So it creates automatically configuration for loadable authentication module.
It creates automatically LDAP client configuration and starts LDAP client.
And if you see here it finds really finds where it can find users and groups on its own.
Nothing, no magic, no rocket science.
The only thing you can see here is RFC 2307.
As in Linux you use usually RFC 2307 BESH and here there is no BESH.
Why? Because as I told IX is a standard operating system.
So and RFC 2307 since 20 years is a draft of a standard but not a standard.
So sorry guys it will not be implemented.
So this is official answer from my BMI gut because it's not a standard.
So everything else looks good.
So there are some configuration changes I see they must be done.
So but in real life they should be done not must.
So you want to have home directors for your users to be created when they log in.
So I found so okay you say that by default all the users are in LDAP directory.
So and I found that on the new US-TIX these two parameters and password policy plays not very nicely together with LDAP.
Another feature the main list groups so by default IX use if user to IX comes from LDAP directory.
It can have only LDAP groups.
It can be in local groups and switching on these the main list groups I say okay the user can be also in a member in a local group.
So and one more if you use views in FreeEpa like me so just don't forget to adhere IX views and restart LDAP client that's it.
So everything is configured everything is working so it's not so interesting if something goes wrong you can use LDAP to check what FreeEpa brings to you or what IX sees on FreeEpa side.
And if something goes completely wrong you can switch on debugging with such magical variables nowhere documented almost nowhere documented.
So but be careful with them first of all they produce really a lot of output.
Second you can find even your passwords in clear text in this output.
So okay mapping sometimes you must change your mapping this is standard mapping what all IX uses but you may find situation I was for one bank another a little bit different mapping because they need some additional fields in their case.
So and you can change the mapping here and it's rather easy it's no rocket science so does it work yes but there is always some but some so there are some wishes first of all as I told standards are so how.
How developer implements the standard it's depends on developer and I extend that sees a little bit different password class change attribute as in FreeEpa so different formats of dates.
So it's on IX side and I development tries to fix the problem since I think one year something like so it's when you walk with closed source operating system so you can't fix it on your own sorry.
I don't I didn't find the way how to make HB a quacking.
So I have the answer thank you.
But I would like to have it working so yes free plays missing my favorite 50 IX use attributes and I would like to have them there it's really one of the things I love in our IX.
We have even more IX specific like role based access control and trusted execution so if you switch it on you cannot execute some some binary on IX without it will check the signage of the binary and everything can be stored in held up so that's why it would be nice to have it in free part to.
Yeah.
And yes I exist missing 23 but I would like to have a native free Epa client which is not there.
So and if you can help me feel free to ping and we will talk thank you very much for the time and.
And.
We have any.
One minute.
Yeah.
Not a question just a side note.
About stuff so.
Well it's sort of catch 22 until you.
Until RFC is implemented it can't become a standard for a proper standard.
It is implemented by numerous.
Yeah.
So probably.
Raise the issue to.
IETF is not interested in finishing this work.
The people who originally started this job not interested because everything is working for everyone.
That's that's.
Position.
Okay.