Hi, on AIX you don't need to retrieve the password from the ldap server. You can configure AIX to delegate the authentication to the ldap server.
In the secldapclntd configuration file (/etc/security/ldap/ldap.cfg) you have to configure these directives (lines taken from my deployment):
    # Authentication type. Valid values are unix_auth and ldap_auth.
    # Default is unix_auth.
    # unix_auth - Retrieve user password and authenticate user locally.
    # ldap_auth - Bind to LDAP server to authenticate user remotely through LDAP.
    authtype:ldap_auth

    # AIX-LDAP attribute map path.
    userattrmappath:/etc/security/ldap/2307user.map
    groupattrmappath:/etc/security/ldap/2307group.map
    #idattrmappath:/etc/security/ldap/aixid.map

    # LDAP class definitions.
    userclasses:posixaccount,shadowaccount
    #userclasses:aixaccount,ibm-securityidentities
    #groupclasses:aixaccessgroup

    # Search mode. Valid values are ALL and OS.
    # Default is ALL.
    # ALL - Returns all attributes of an entry.
    # OS  - Returns only the OS required attributes of an entry.
    #       Non-OS attributes like telephone number, binary images, etc.
    #       will not be returned.
    #
    # Note: Use OS only when user entry has many non-OS required attributes
    #       or attributes with large value, e.g. binary data, to reduce
    #       sorting effort by the LDAP server.
    searchmode:OS

    # Default user attribute entry location. Valid values are LDAP and local.
    # The default is LDAP.
    # LDAP  - Use the default entry in LDAP.
    # local - Use the default entry from /etc/security/user.
    defaultentrylocation:local
You also have to make sure that in the file /etc/security/user you have set these properties for the users that are local to the system only:

    SYSTEM = "files"
    registry = files

Hope this helps
Marco
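Added here as a worked example, not Marco's own script: a POSIX sh check that reads the key:value directives out of ldap.cfg and compares them with the settings quoted above, so a mismatch (for instance authtype still at the unix_auth default) is caught before the first login attempt. The ldap.cfg path is passed as an argument, the function names are assumed, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not Marco's script: audit /etc/security/ldap/ldap.cfg against the
# directives quoted above. The file path is passed in so the check can run on a copy.

# Print the effective value of one "key:value" directive. Comment and blank lines are
# skipped; if a directive appears more than once the last occurrence wins.
ldapcfg_get() {
    # $1 = path to ldap.cfg, $2 = directive name
    awk -F: -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == key { sub(/^[^:]*:/, ""); val = $0 }
        END { print val }' "$1"
}

# Compare the directives from the reply with what the file actually says.
# Prints one line per directive; returns 1 if anything differs, 0 otherwise.
ldapcfg_audit() {
    cfg=$1; rc=0
    for pair in authtype=ldap_auth \
                searchmode=OS \
                defaultentrylocation=local \
                userclasses=posixaccount,shadowaccount \
                userattrmappath=/etc/security/ldap/2307user.map \
                groupattrmappath=/etc/security/ldap/2307group.map; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(ldapcfg_get "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok        $key:$got"
        else
            echo "MISMATCH  $key: found '${got:-<unset>}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: authtype was left at the unix_auth default (the commented-out
# line is ignored by the parser, as it is by secldapclntd); everything else as above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Authentication type. Valid values are unix_auth and ldap_auth.
#authtype:ldap_auth
authtype:unix_auth
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userclasses:posixaccount,shadowaccount
searchmode:OS
defaultentrylocation:local
EOF

ldapcfg_audit "$SAMPLE" || echo "ldap.cfg still authenticates against a local copy of the password"
```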
On Wed, Oct 27, 2010 at 10:37 AM, Stef Coene stef.coene@docum.org wrote:
    Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed
    Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed
Is this important?
Yes, because either nis.schema or rfc2307bis.schema are missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are loaded. I created a test user with

    objectClass: aixAuxAccount
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
I can login to my test linux server with this user but not on the AIX server. When I do a telnet to the AIX server, I can enter the username, but before I can enter the password, I get the error 3004-007 You entered an invalid login name or password.
For the password, this is stored in plain text when I add the user. Before I can login to the linux server, I have to change it with passwd and after that, the password is encrypted with {crypt} and I can login to the linux client:

    userPassword: {crypt}$1$.xxxxxxxxxxxxxxxxxxxxxxxx/

Can this be the problem? I don't know what encryption AIX expects.
Stef