Hi, on AIX you don't need to retrieve the password from the ldap server. You can configure AIX to delegate the authentication process to the ldap server.

In the secldapclntd configuration file (/etc/security/ldap/ldap.cfg) you have to configure these directives (lines taken from my deployment):

# Authentication type. Valid values are unix_auth and ldap_auth.
# Default is unix_auth.
# unix_auth - Retrieve user password and authenticate user locally.
# ldap_auth - Bind to LDAP server to authenticate user remotely through LDAP.
authtype:ldap_auth

# AIX-LDAP attribute map path.
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
#idattrmappath:/etc/security/ldap/aixid.map

# LDAP class definitions.
userclasses:posixaccount,shadowaccount
#userclasses:aixaccount,ibm-securityidentities
#groupclasses:aixaccessgroup

# Search mode. Valid values are ALL and OS.
# Default is ALL.
# ALL - Returns all attributes of an entry.
# OS - Returns only the OS required attributes of an entry.
# Non-OS attributes like telephone number, binary images, etc.
# will not be returned.
#
# Note: Use OS only when user entry has many non-OS required attributes
# or attributes with large value, e.g. binary data, to reduce
# sorting effort by the LDAP server.
searchmode:OS

# Default user attribute entry location. Valid values are LDAP and local.
# The default is LDAP.
# LDAP - Use the default entry in LDAP.
# local - Use the default entry from /etc/security/user.
defaultentrylocation:local

You also have to make sure that in the file /etc/security/user you have set these properties for your users that are local only to the system:

SYSTEM = "files"
registry = files

Hope this helps
Marco

On Wed, Oct 27, 2010 at 10:37 AM, Stef Coene <[email protected]> wrote:
> > > Oct 26 20:44:12 ldap1 slapd[28664]: Entry
> > > (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not
> > > allowed
> > > Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute
> > > 'shadowLastChange' not allowed
> > >
> > > Is this important?
> >
> > Yes, because either nis.schema or rfc2307bis.schema are missing.
> I just reconfigured the openldap server and made sure nis and rfc2307bis are
> loaded. I created a test user with
> objectClass: aixAuxAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
>
> I can login to my test linux server with this user but not on the AIX server.
> When I do a telnet to the AIX server, I can enter the username, but before I
> can enter the password, I get the error
> 3004-007 You entered an invalid login name or password.
>
> For the password, this is stored in plain text when I add the user. Before I
> can login to the linux server, I have to change it with passwd and after that,
> the password is encrypted with {crypt} and I can login to the linux client:
> userPassword: {crypt}$1$.xxxxxxxxxxxxxxxxxxxxxxxx/
> Can this be the problem? I don't know what encryption AIX expects.
>
> Stef

--
_________________________________________
He who never falls is not strong; strong is he who, having fallen, has the strength to get up again.
Jim Morrison
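As an added example (not code from Marco's message or from IBM's AIX tooling), the following script parses the two files discussed above and flags the two settings the message calls out: an authtype that falls back to unix_auth (the client then pulls password hashes instead of binding), and a user stanza whose SYSTEM and registry disagree. The file contents and user names are constructed samples, and the tab-indented stanza layout of /etc/security/user is an assumption.

```python
"""Audit AIX secldapclntd (ldap.cfg) and /etc/security/user settings."""
import re

# Constructed sample, mirroring the directives quoted in the message.
SAMPLE_LDAP_CFG = """\
# Authentication type. Valid values are unix_auth and ldap_auth.
authtype:ldap_auth
userattrmappath:/etc/security/ldap/2307user.map
#idattrmappath:/etc/security/ldap/aixid.map
searchmode:OS
defaultentrylocation:local
"""

# Constructed /etc/security/user fragment (assumed stanza layout):
# one local-only user and one LDAP-backed user.
SAMPLE_SECURITY_USER = """\
default:
\tadmin = false

root:
\tSYSTEM = "files"
\tregistry = files

alice:
\tSYSTEM = "LDAP or compat"
\tregistry = LDAP
"""

def parse_ldap_cfg(text):
    """Return {directive: value} for uncommented key:value lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop '#' comments
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def parse_stanzas(text):
    """Parse 'name:' stanzas with indented 'attr = value' lines."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if re.match(r"^\S+:\s*$", line):
            current = line.strip()[:-1]
            stanzas[current] = {}
        elif current and "=" in line:
            attr, value = line.split("=", 1)
            stanzas[current][attr.strip()] = value.strip().strip('"')
    return stanzas

def audit(ldap_cfg_text, security_user_text):
    """Return a list of findings; an empty list means both files agree with the post."""
    findings = []
    cfg = parse_ldap_cfg(ldap_cfg_text)
    # ldap.cfg documents unix_auth as the default when authtype is absent.
    if cfg.get("authtype", "unix_auth") != "ldap_auth":
        findings.append("authtype is unix_auth: client pulls password hashes instead of binding")
    for user, attrs in parse_stanzas(security_user_text).items():
        system, registry = attrs.get("SYSTEM"), attrs.get("registry")
        if (system == "files") != (registry == "files"):
            findings.append(f"{user}: SYSTEM={system} and registry={registry} disagree")
    return findings
```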
