Date: Fri, 01 Nov 2002 15:27:46 +0500
From: linux <linux@javajobs.ru>
Newsgroups: ftn.ru.unix.aix
Subject: Running nss_ldap under AIX 4.3.3 [eng]
WM> Does anyone have nss_ldap.so and NSS_LDAP binaries for AIX 4.3.3? (http://padl.com)
WM> They say these modules can be built under AIX,
http://www.padl.com/Articles/nss_ldaponAIX.html
Building nss_ldap on AIX 4.3.3
The latest release of nss_ldap, nss_ldap-198, has out-of-the-box support for
user authentication, and user and group lookups on AIX. In this document, we
detail a sample install and configuration of nss_ldap on AIX 4.3.3.
By using nss_ldap on AIX, you gain support for the industry-standard RFC
2307 schema, rather than being forced to use IBM's somewhat non-standard
SecureWay schema.
Requirements:
PADL's nss_ldap module
AIX 4.3.3
an LDAP client library: we'll use the Netscape client library here
AIX development headers (package bos.adt.include)
AIX libsys and libcsys (package bos.adt.syscalls)
the IBM AIX Toolbox for Linux applications, which contains the GNU C
compiler
an LDAP server: we used an OpenLDAP server
We cannot offer any advice as to whether this will work on AIX 5L, Itanium,
with xlC, other LDAP client libraries, etc.
Unpack and build nss_ldap
Use the following command to unpack nss_ldap:
$ tar xzvf nss_ldap.tar.gz
...
$ cd nss_ldap-198
Now, configure with the following flags (we assume that you have installed
the LDAP client library in /usr/local/ldapsdk):
If all goes well, you will have two resulting shared objects: nss_ldap.so and
NSS_LDAP. The first, nss_ldap.so, provides hosts, networks, protocols and
services lookups and is installed into /usr/lib/netsvc/dynload. The second,
NSS_LDAP, provides user authentication as well as user and group lookups, and
is installed into /usr/lib/security. This document deals with the NSS_LDAP
component; see irs.conf(5) for more information about configuring the
lookups that are not user or group related. (Specify the "nss_ldap" mechanism
in irs.conf to enable nss_ldap.)
Use the following command to install the modules:
$ su
Password:
# make install
Configuration
First, you must configure /etc/nss_ldap.conf. The configuration of this file
is identical to the ldap.conf file in the Solaris and Linux versions of
nss_ldap, and is not further documented here. We renamed it to nss_ldap.conf
in the above configure script to avoid overwriting the /etc/ldap.conf used
by IBM SecureWay.
Second, edit /usr/lib/security/methods.cfg. Comment out any existing
references to LDAP and add the following two lines. (You can also configure
a new stanza, such as NSSLDAP, for nss_ldap; to make the installation
experience as similar as possible to using SecureWay, we chose to use LDAP.
This does not overwrite any SecureWay LDAP files.)
LDAP:
program = /usr/lib/security/NSS_LDAP
Once this file has been edited, nss_ldap will be used for nameservice
lookups. It will not, however, be configured for user authentication. (If
you are running an AIX version earlier than 4.3.3, you will also have to
add this stanza to /etc/security/login.cfg.) To enable nss_ldap for user
authentication, you will need to edit /etc/security/user. You should use the
chuser(8) command to do this. The value "compat or LDAP" tries the local
(compat) method first and falls back to LDAP only if that method fails. For
example, to enable nss_ldap for authenticating all users:
# chuser SYSTEM="compat or LDAP" default
Alternatively, you can enable it on a per-user basis:
# chuser SYSTEM="compat or LDAP" username
Comments
Supporting LDAP authentication in nss_ldap is a suboptimal solution: it
offers only a small subset of the account and credential management
functionality available with the pam_ldap module. As with pam_ldap, you
should ensure that transport security (SSL or TLS) is enabled so that
passwords do not traverse the network in cleartext. We did not enable
transport security for our tests.
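The two edits this procedure makes, the LDAP stanza in methods.cfg and the transport settings in nss_ldap.conf, are easy to get subtly wrong: a SecureWay LDAP stanza left uncommented competes with the NSS_LDAP one, and a configuration without an ssl directive sends every bind password in the clear. The script below is an added example, not part of the PADL article or of nss_ldap itself; it audits both files offline. The directive names host, uri, ssl and tls_checkpeer are the ones nss_ldap's ldap.conf uses and the stanza layout is AIX methods.cfg syntax; the function names, the sample files written by write_demo_confs, and the assumption that the last occurrence of a repeated directive wins are this example's own. tls_checkpeer is a setting of the OpenLDAP client library; a build against the Netscape SDK, as in the article, validates the server against the certificate database named by sslpath instead, so adapt the second check to whichever client library you built with.

```sh
#!/bin/sh
# Added example (not from the PADL article): audit the two files the
# procedure above edits before enabling LDAP authentication. Sample inputs
# are constructed here and are not real site data.

# nss_ldap_transport_ok FILE
# Return 0 if FILE configures encrypted transport AND server certificate
# checking; return 1 (with a reason on stderr) otherwise, 2 if unreadable.
nss_ldap_transport_ok() {
    conf="$1"
    [ -r "$conf" ] || { echo "$conf: cannot read" >&2; return 2; }

    # '#' starts a comment; we assume the last occurrence of a key wins.
    ssl=$(awk '{ sub(/#.*/, "") } NF && tolower($1) == "ssl" { v = tolower($2) } END { print v }' "$conf")
    uri=$(awk '{ sub(/#.*/, "") } NF && tolower($1) == "uri" { v = $2 } END { print v }' "$conf")
    peer=$(awk '{ sub(/#.*/, "") } NF && tolower($1) == "tls_checkpeer" { v = tolower($2) } END { print v }' "$conf")

    secure=no
    case "$ssl" in on|yes|true|start_tls) secure=yes ;; esac   # LDAPS or StartTLS
    case "$uri" in ldaps://*) secure=yes ;; esac                # LDAPS via URI

    if [ "$secure" = no ]; then
        echo "$conf: no 'ssl on', 'ssl start_tls' or ldaps:// URI; bind passwords would cross the network in cleartext" >&2
        return 1
    fi
    if [ "$peer" != yes ]; then
        echo "$conf: tls_checkpeer is not 'yes'; a forged server certificate could harvest passwords" >&2
        return 1
    fi
    return 0
}

# methods_cfg_program FILE STANZA
# Print the "program" attribute of STANZA in an AIX stanza file such as
# /usr/lib/security/methods.cfg. Return 1 if the stanza is missing or is
# defined more than once: a SecureWay "LDAP:" stanza that was not commented
# out would compete with the NSS_LDAP one.
methods_cfg_program() {
    awk -v want="$2" '
        { sub(/\*.*/, "") }                     # stanza-file comments start with *
        NF == 0 { next }
        /^[A-Za-z_][A-Za-z0-9_]*:[ \t]*$/ {     # stanza header, e.g. "LDAP:"
            cur = $1; sub(/:$/, "", cur)
            if (cur == want) count++
            next
        }
        cur == want && $0 ~ /^[ \t]*program[ \t]*=/ {
            sub(/^[ \t]*program[ \t]*=[ \t]*/, ""); prog = $1
        }
        END { if (count != 1) exit 1; print prog }
    ' "$1"
}

# write_demo_confs DIR: write constructed sample files (hypothetical host names).
write_demo_confs() {
    mkdir -p "$1"
    cat > "$1/weak.conf" <<'EOF'
# Cleartext LDAP, as in the article's own test setup.
host ldap.example.com
base dc=example,dc=com
EOF
    cat > "$1/hardened.conf" <<'EOF'
host ldap.example.com
base dc=example,dc=com
# LDAPS on port 636, and refuse servers whose certificate does not verify
port 636
ssl on
tls_checkpeer yes
tls_cacertfile /etc/security/ldap/example-ca.pem
EOF
    cat > "$1/methods.cfg" <<'EOF'
* Sample methods.cfg after the edit described in the article.
* LDAP:
*       program = /usr/lib/security/LDAP
LDAP:
        program = /usr/lib/security/NSS_LDAP
EOF
}

# Stand-alone demo: audit the constructed samples.
demo_dir=${TMPDIR:-/tmp}/nss_ldap_demo.$$
write_demo_confs "$demo_dir"
for f in "$demo_dir/weak.conf" "$demo_dir/hardened.conf"; do
    nss_ldap_transport_ok "$f" && echo "$f: transport security OK"
done
prog=$(methods_cfg_program "$demo_dir/methods.cfg" LDAP) &&
    echo "LDAP stanza program = $prog"
rm -rf "$demo_dir"
```

On a real system, source the file and run `nss_ldap_transport_ok /etc/nss_ldap.conf` and `methods_cfg_program /usr/lib/security/methods.cfg LDAP`; the first returns non-zero for the cleartext setup the article tested with, and the second fails if an old SecureWay LDAP stanza was left uncommented.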
If and when we have access to AIX 5L, we may look into porting our pam_ldap
module, as this latest version of AIX apparently supports PAM.
Finally, using nss_ldap on AIX may make your system unsupported by IBM.
Acknowledgements
The initial port of nss_ldap to AIX was done by Gabor Gombas at Eötvös
Loránd University. PADL also wishes to thank Kyle Chapman of Group 1
Software and Dejan Muhamedagic of IBM Austria.