The latest release of nss_ldap, nss_ldap-198, has out-of-the-box support for user authentication, and user and group lookups on AIX. In this document, we detail a sample install and configuration of nss_ldap on AIX 4.3.3.
By using nss_ldap on AIX, you gain support for the industry-standard RFC 2307 schema, rather than being forced to use IBM's somewhat non-standard SecureWay schema.
All going well, you will have two resulting shared objects: nss_ldap.so and NSS_LDAP. The first, nss_ldap.so, provides support for hosts, networks, protocols and services lookups; they will be installed into /usr/lib/netsvc/dynload. The second, NSS_LDAP, provides support for user authentication, as well as user and group lookups. It is installed into /usr/lib/security. This document deals with the NSS_LDAP component; see irs.conf(5) for more information about configuring non-user and group related lookups. (Specify the "nss_ldap" mechanism in irs.conf to enable nss_ldap.)
Use the following command to install the modules:
# make install
First, you must configure /etc/nss_ldap.conf. The configuration of this file is identical to the ldap.conf file in the Solaris and Linux versions of nss_ldap, and is not further documented here. We renamed it to nss_ldap.conf in the above configure script to avoid overwriting the /etc/ldap.conf used by IBM SecureWay.
Secondly, edit /usr/lib/security/methods.cfg. Comment out any existing references to LDAP, and add the following two lines. (You can also configure a new stanza, such as NSSLDAP, for nss_ldap; in order to make the installation experience as similar as possible to using SecureWay, we chose to use LDAP. This does not overwrite any SecureWay LDAP files.)
program = /usr/lib/security/NSS_LDAP
Once this file has been edited, nss_ldap will be used for nameservice lookups. It will not, however, be configured for user authentication. (If you are running AIX version which is less than 4.3.3 you will also have to add this stanza to /etc/security/login.cfg.) To enable nss_ldap for user authentication, you will need edit /etc/security/user. You should use the chuser(8) command to do this. For example, to enable nss_ldap for authenticating all users:
# chuser SYSTEM="compat or LDAP" default
Alternatively, you can enable it on a per-user basis:
# chuser SYSTEM="compat or LDAP" username
Supporting LDAP authentication in nss_ldap is a subobtimal solution, which offers only a small subset of the account and credential management functionality available with the pam_ldap module. As with pam_ldap, you should ensure that transport security (SSL or TLS) is enabled to avoid passwords traversing the network in cleartext. We did not enable transport security for our tests.
The pam_ldap module compiles on AIX 5L, but we have not yet tested it.
Finally, using nss_ldap on AIX may make your system unsupported by IBM.