PAM_LDAP and NSS_LDAP


 
# 1  
Old 03-22-2011
PAM_LDAP and NSS_LDAP

Hi,

we have been using "LDAP for AIX" for about 1-2 years now with a Novell eDirectory as the LDAP server. The problem is that we need PAM authentication to have Informix DBs working together with LDAP, as Informix support told us.
This would require using a PAM module for LDAP, like PAM_LDAP from padl.com, together with NSS_LDAP.
I checked out different info I found via Google, but it seems that people are either not using it or not able to compile it. We tried it 3-4 years ago too and failed. I have also found some compilation documentation in an IBM Redbook about security in 5.2 (I don't remember if I had this back then).
From a comment on padl.com (documentation about how to compile NSS_LDAP), it seems that IBM will not support a solution using those modules.

So my questions are:
  • Is anybody of you using Informix on AIX together with LDAP? I.e. not using local accounts to supply credentials to Informix.
  • Is anybody using PAM_LDAP/NSS_LDAP on AIX 5.3 or higher, instead of or alongside IBM's "LDAP for AIX" (secldapclntd, ...)?

Thanks in advance.
# 2  
Old 03-23-2011
I don't fully understand the term "LDAP for AIX", as you mention the LDAP server being a Novell eDirectory server. I am guessing you mean you are using secldapclntd on the client side and the backend LDAP server is Novell. We are using IBM's flavor of LDAP on AIX 5.3 and AIX 6.1. The fileset is ldap.client.rte (secldapclntd) on the client side and idsldap.clt64bit61.rte on the server side, which I think is officially called Identity Directory Server, but I'm not sure.

Our database servers are running Informix 11.50. The Informix db servers are not using LDAP locally, as they use normal AIX security. So basically we have 8 application servers that are using LDAP to authenticate the users into the system. Then, when the users start running the application, which starts talking to the db servers, there is a trust set up (/etc/hosts.equiv) between the application servers and the Informix db servers. The users running the application are not real users on the db side; we have generic entries in the /etc/passwd and /etc/security/passwd file for each user. The user does not have a password or home dir on the db side. The only real users on the db side are the admin accounts and the db admin accounts.

Not sure my environment is anything like what you were looking for, but I wanted to respond in case I could be of any assistance. If not, sorry to have wasted the space.
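The setup in the previous post rests on two things a defender would want to keep an eye on: the /etc/hosts.equiv trust from the application servers to the Informix DB servers, and the generic, password-less entries in /etc/passwd and /etc/security/passwd on the DB side. The following is an added example, not code from the thread, from IBM or from padl.com: a small POSIX sh audit that flags the risky forms of both files. It assumes the classic hosts.equiv "host [user]" line format and the AIX stanza format for /etc/security/passwd ("user:" followed by indented "attribute = value" lines, comments starting with "*"); the hostnames, usernames and placeholder hash in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the two conventions that
# post #2 describes, hosts.equiv trust to the DB servers and generic accounts
# without a password on the DB side.
# Assumptions: hosts.equiv uses "host [user]" lines; /etc/security/passwd uses
# the AIX stanza format ("user:" then indented "attribute = value", comments "*").

# audit_hosts_equiv FILE
# Prints one finding per risky line; returns 1 if any were found, 0 if none.
audit_hosts_equiv() {
    file="$1"
    findings=0
    while read -r host user rest || [ -n "$host" ]; do
        case "$host" in
            ''|'#'*) continue ;;              # blank line or comment
            '+')
                printf 'RISK: %s: "+" trusts every host on the network\n' "$file"
                findings=$((findings + 1)) ;;
            '-'*) ;;                          # explicit deny entry, nothing to flag
            '+@'*|'@'*)
                printf 'INFO: %s: netgroup entry %s; check the netgroup membership\n' "$file" "$host" ;;
        esac
        if [ -n "$user" ]; then
            if [ "$user" = '+' ]; then
                printf 'RISK: %s: any user on %s may log in as any local user\n' "$file" "$host"
            else
                printf 'WARN: %s: user %s on %s may log in as any local non-root user\n' "$file" "$user" "$host"
            fi
            findings=$((findings + 1))
        fi
    done < "$file"
    [ "$findings" -eq 0 ]
}

# audit_security_passwd FILE
# Flags stanzas whose "password =" value is empty (no password at all) and
# notes those set to "*" (no usable password hash, the usual "locked" form).
audit_security_passwd() {
    file="$1"
    findings=0
    user='?'
    while read -r key eq value rest || [ -n "$key" ]; do
        case "$key" in
            ''|'*'*) continue ;;              # blank line or stanza-file comment
            *:) user="${key%:}" ;;            # stanza header, e.g. "appuser1:"
            password)
                [ "$eq" = '=' ] || continue
                case "$value" in
                    '')
                        printf 'RISK: %s: user %s has an empty password field\n' "$file" "$user"
                        findings=$((findings + 1)) ;;
                    '*')
                        printf 'INFO: %s: user %s has no password hash (password = *)\n' "$file" "$user" ;;
                esac ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Stand-alone demo on constructed sample files (not real configuration).
demo() {
    tmpdir=$(mktemp -d)
    printf 'appsrv1\nappsrv2 batchuser\n+ +\n' > "$tmpdir/hosts.equiv"
    printf 'root:\n\tpassword = {placeholder-hash}\n\tlastupdate = 1300000000\nappuser1:\n\tpassword = \nbatchuser:\n\tpassword = *\n' > "$tmpdir/security.passwd"
    audit_hosts_equiv "$tmpdir/hosts.equiv" || echo "hosts.equiv needs review"
    audit_security_passwd "$tmpdir/security.passwd" || echo "security/passwd needs review"
    rm -rf "$tmpdir"
}

demo
```

Run it against the real files as root on a DB server (`audit_hosts_equiv /etc/hosts.equiv; audit_security_passwd /etc/security/passwd`) and treat any RISK line as something to justify or remove; the WARN lines are the per-user trusts that the hosts.equiv scheme in the post relies on, so they are expected but worth listing.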
# 3  
Old 03-24-2011
Thanks for your answer.

Yes, "AIX for LDAP" is a term I tend to use when at least secldapclntd is involved on the client side. Sorry if I confused you. I use it that way to make a clear distinction between it and OpenLDAP, which is also used on Linux boxes in our environment.

For administrative accounts, we have a similar layout to the one in your environment. DBAs connect with ssh (your hosts.equiv/rlogin is not encrypted) to the DB box, authenticate against LDAP, and su to a local account, since these can be members of local groups according to the IBM Redbook "Integrating AIX into heterogenous LDAP Environment" (sg247165). They are also allowed to sudo su to informix.

Our problem is that normal users use a Windows application which connects to the database, and the database will check the credentials locally, which are just local. So this PAM_LDAP thing would have been a way to implement authentication via LDAP for every user.
Changing the users' application to authenticate against LDAP first is sadly not an option.