Building nss_ldap on AIX 4.3.3

The latest release of nss_ldap, nss_ldap-198, has out-of-the-box support for user authentication, and user and group lookups on AIX. In this document, we detail a sample install and configuration of nss_ldap on AIX 4.3.3.

By using nss_ldap on AIX, you gain support for the industry-standard RFC 2307 schema, rather than being forced to use IBM's somewhat non-standard SecureWay schema.

Requirements:

• PADL's nss_ldap module
• AIX 4.3.3 or 5.2
• an LDAP client library: we'll use the Netscape client library here
• AIX development headers (package bos.adt.include)
• AIX libsys and libcsys (package bos.adt.syscalls)
• the IBM AIX Toolbox for Linux applications, which contains the GNU C compiler
• an LDAP server: we used an OpenLDAP server

We cannot offer any advice as to whether this will work on AIX 5L, Itanium, with xlC, other LDAP client libraries, etc.

Unpack and build nss_ldap

Use the following command to unpack nss_ldap:

$ tar xzvf nss_ldap.tar.gz
...
$ cd nss_ldap-198

Now, configure with the following flags (we assume that you have installed the LDAP client library in /usr/local/ldapsdk):

$ ./configure --with-ldap-dir=/usr/local/ldapsdk \
              --with-ldap-lib=auto \
              --with-ldap-conf-file=/etc/nss_ldap.conf

Then, type make:

$ make

All going well, you will have two resulting shared objects: nss_ldap.so and NSS_LDAP. The first, nss_ldap.so, provides support for hosts, networks, protocols and services lookups; they will be installed into /usr/lib/netsvc/dynload. The second, NSS_LDAP, provides support for user authentication, as well as user and group lookups. It is installed into /usr/lib/security. This document deals with the NSS_LDAP component; see irs.conf(5) for more information about configuring non-user and group related lookups. (Specify the "nss_ldap" mechanism in irs.conf to enable nss_ldap.)

Use the following command to install the modules:

$ su
Password:
# make install

Configuration

First, you must configure /etc/nss_ldap.conf. The configuration of this file is identical to the ldap.conf file in the Solaris and Linux versions of nss_ldap, and is not further documented here. We renamed it to nss_ldap.conf in the above configure script to avoid overwriting the /etc/ldap.conf used by IBM SecureWay.

Secondly, edit /usr/lib/security/methods.cfg. Comment out any existing references to LDAP, and add the following two lines. (You can also configure a new stanza, such as NSSLDAP, for nss_ldap; in order to make the installation experience as similar as possible to using SecureWay, we chose to use LDAP. This does not overwrite any SecureWay LDAP files.)

LDAP:
    program = /usr/lib/security/NSS_LDAP

Once this file has been edited, nss_ldap will be used for nameservice lookups. It will not, however, be configured for user authentication. (If you are running AIX version which is less than 4.3.3 you will also have to add this stanza to /etc/security/login.cfg.) To enable nss_ldap for user authentication, you will need edit /etc/security/user. You should use the chuser(8) command to do this. For example, to enable nss_ldap for authenticating all users:

# chuser SYSTEM="compat or LDAP" default

Alternatively, you can enable it on a per-user basis:

# chuser SYSTEM="compat or LDAP" username

Supporting LDAP authentication in nss_ldap is a subobtimal solution, which offers only a small subset of the account and credential management functionality available with the pam_ldap module. As with pam_ldap, you should ensure that transport security (SSL or TLS) is enabled to avoid passwords traversing the network in cleartext. We did not enable transport security for our tests.

The pam_ldap module compiles on AIX 5L, but we have not yet tested it.

Finally, using nss_ldap on AIX may make your system unsupported by IBM.

Acknowledgements

The initial port of nss_ldap to AIX was done by Gabor Gombas at Eötvös Loránd University. PADL also wishes to thank Kyle Chapman of Group 1 Software and Dejan Muhamedagic of IBM Austria.