Hi,
on AIX you don't need to retrieve the password from the LDAP server. You
can configure AIX to hand the authentication itself over to the LDAP server.
In the secldapclntd configuration file (/etc/security/ldap/ldap.cfg) you
have to set these directives (lines taken from my deployment):
# Authentication type. Valid values are unix_auth and ldap_auth.
# Default is unix_auth.
# unix_auth - Retrieve user password and authenticate user locally.
# ldap_auth - Bind to LDAP server to authenticate user remotely through LDAP.
authtype:ldap_auth
# AIX-LDAP attribute map path.
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
#idattrmappath:/etc/security/ldap/aixid.map
# LDAP class definitions.
userclasses:posixaccount,shadowaccount
#userclasses:aixaccount,ibm-securityidentities
#groupclasses:aixaccessgroup
# Search mode. Valid values are ALL and OS.
# Default is ALL.
# ALL - Returns all attributes of an entry.
# OS - Returns only the OS required attributes of an entry.
# Non-OS attributes like telephone number, binary images, etc.
# will not be returned.
#
# Note: Use OS only when user entry has many non-OS required attributes
# or attributes with large value, e.g. binary data, to reduce
# sorting effort by the LDAP server.
searchmode:OS
# Default user attribute entry location. Valid values are LDAP and local.
# The default is LDAP.
# LDAP - Use the default entry in LDAP.
# local - Use the default entry from /etc/security/user.
defaultentrylocation:local
You also have to make sure that in the file /etc/security/user these
properties are set for the users that exist only locally on the system:
SYSTEM = "files"
registry = files
Hope this helps
Marco
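The distinction Marco draws above, unix_auth (the client fetches userPassword and checks it locally) versus ldap_auth (the client binds to the server as the user and never sees the hash), decides whether the hash format of userPassword matters at all, which is the question Stef raises further down. The script below is an added example, not code from either post or from AIX: it parses an ldap.cfg fragment built from Marco's directives, reports the effective authtype, and classifies a userPassword value by its scheme prefix. The sample config and password values are constructed; the prefix table covers standard LDAP and crypt(3) schemes and says nothing about which ones a given AIX release accepts.

```python
"""Added example: does the userPassword hash format matter for this ldap.cfg?

Not code from the original posts. Assumes only the directive names quoted
by Marco and the standard {scheme} prefixes used in LDAP userPassword.
"""
import re

# Constructed sample, assembled from the directives quoted in the thread.
SAMPLE_LDAP_CFG = """\
# Authentication type. Valid values are unix_auth and ldap_auth.
authtype:ldap_auth
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
#idattrmappath:/etc/security/ldap/aixid.map
userclasses:posixaccount,shadowaccount
searchmode:OS
defaultentrylocation:local
"""


def parse_ldap_cfg(text):
    """Return {directive: value} for the active lines of an ldap.cfg.

    Lines are 'key:value'; '#' starts a comment. A later occurrence of a
    key overrides an earlier one, so a stray second 'authtype:' line lower
    in the file silently changes behaviour; this parser mirrors that.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        cfg[key.strip().lower()] = value.strip()
    return cfg


def effective_authtype(cfg):
    # The commented default in the file is unix_auth when the directive is absent.
    return cfg.get("authtype", "unix_auth")


def hash_format_matters(cfg):
    """unix_auth: secldapclntd retrieves userPassword and verifies it locally,
    so the stored hash must be one the client understands.
    ldap_auth: the client binds to the LDAP server with the user's password,
    so the server does the verification and the hash format is its concern."""
    return effective_authtype(cfg) == "unix_auth"


# 13 characters from the crypt(3) alphabet: traditional DES crypt.
_TRAD_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt prefixes (glibc/OpenBSD conventions).
_CRYPT_VARIANTS = {
    "$1$": "md5-crypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
}


def classify_userpassword(value):
    """Classify an LDAP userPassword value by its {scheme} prefix.

    No prefix means the attribute holds the cleartext password, which is
    what a user added with a plain 'userPassword: secret' LDIF line gets.
    """
    m = re.match(r"^\{([A-Za-z0-9]+)\}(.*)$", value, re.S)
    if not m:
        return {"scheme": "cleartext"}
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return {"scheme": scheme.lower()}
    for prefix, name in _CRYPT_VARIANTS.items():
        if body.startswith(prefix):
            return {"scheme": "crypt", "variant": name}
    if _TRAD_DES.match(body):
        return {"scheme": "crypt", "variant": "traditional-des"}
    return {"scheme": "crypt", "variant": "unknown"}


def diagnose(cfg_text, userpassword):
    """One-line verdict combining the config and the stored password value."""
    cfg = parse_ldap_cfg(cfg_text)
    info = classify_userpassword(userpassword)
    desc = info["scheme"] + ("/" + info["variant"] if "variant" in info else "")
    if hash_format_matters(cfg):
        return f"authtype={effective_authtype(cfg)}: client verifies {desc} locally; hash format matters"
    return f"authtype={effective_authtype(cfg)}: server verifies via bind; stored {desc} is the server's concern"


if __name__ == "__main__":
    # Constructed MD5-crypt value in the shape of Stef's '{crypt}$1$...' line.
    print(diagnose(SAMPLE_LDAP_CFG, "{crypt}$1$abcdefgh$0123456789abcdefghijkl"))
    print(diagnose("", "{crypt}$1$abcdefgh$0123456789abcdefghijkl"))
```

Run it against the real /etc/security/ldap/ldap.cfg by reading the file into `diagnose`; the empty-string call shows the unix_auth default that applies when the directive is missing or commented out.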
> > Oct 26 20:44:12 ldap1 slapd[28664]: Entry
> > (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not
> > allowed
> > Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute
> > 'shadowLastChange' not allowed
> >
> > Is this important?
>
> Yes, because either nis.schema or rfc2307bis.schema is missing.
I just reconfigured the openldap server and made sure nis and rfc2307bis are
loaded. I created a test user with
objectClass: aixAuxAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
I can log in to my test Linux server with this user but not on the AIX server.
When I telnet to the AIX server, I can enter the username, but before I
can enter the password, I get the error
3004-007 You entered an invalid login name or password.
As for the password, it is stored in plain text when I add the user. Before I
can log in to the Linux server, I have to change it with passwd, and after that
the password is encrypted with {crypt} and I can log in to the Linux client:
userPassword: {crypt}$1$.xxxxxxxxxxxxxxxxxxxxxxxx/
Can this be the problem? I don't know what encryption AIX expects.
Stef