Member "nss_ldap-265/doc/README.AIX" (6 Nov 2009, 5188 Bytes) of package /linux/privat/old/nss_ldap-265.tar.gz:

Quick notes for using nss_ldap on AIX
=====================================

1. Introduction
---------------

The C library on AIX includes the IRS library, which can also be found in the
BIND 8.x distribution. Of course, IBM did some things The Other Way(tm)...
You can also find related documentation at:
  <URI:http://www.padl.com/Articles/nss_ldaponAIX.html>
   11 
2. Compilation
--------------

I'm assuming you have successfully installed OpenLDAP 2.x or one of the
Netscape LDAP client libraries. I haven't tested it with IBM's LDAP
libraries.

I'm using AIX 4.3.3. It may work with 4.[12]. It won't work with 3.x.
It is going to work on 5.x.

You need to ensure that bos.adt.syscalls has been installed, since -lsys
and -lcsys only work if the /lib/syscalls.exp file is present (it is found
in the Kernel Extensions developer kit). [Kyle_Chapman@G1.com]
   25 
Run "configure" and "make" as usual. As of nss_ldap-196, it is no
longer necessary to specify --enable-proxy-auth if you want to use
the AIX authentication functionality; it is enabled by default.

The /etc/ldap.conf file is already used by the LDAP client from
IBM SecureWay, so use

  --with-ldap-conf-file=/etc/nss_ldap.conf

to avoid confusion.  If everything went OK, you will get two
objects: nss_ldap.so and NSS_LDAP.

Some notes on dynamic linking that apply to dependent libraries
(such as Cyrus SASL and OpenLDAP; the nss_ldap Makefile will
take care of these for you within nss_ldap itself):

   o You may find it useful to build a current libtool and
     use that rather than the version distributed with many
     third party packages.

   o The GNU linker cannot reliably build shared libraries
     on AIX and, even if newer versions can, libtool doesn't
     think it can.

   o You should ensure libtool is using the runtime linker
     (-brtl) -- this builds shared libraries that resolve
     their symbols at runtime rather than link time.

e.g. for configuring libtool:

   $ LD=/usr/ccs/bin/ld LDFLAGS=-Wl,-brtl ./configure
   57 
3. Installation
---------------

Copy nss_ldap.so to /usr/lib/netsvc/dynload (create the directory if it does
not exist), and copy NSS_LDAP to /usr/lib/security. ("make install" will
do this for you.)
   64 
4. Configuration
----------------

Edit /etc/irs.conf as you like (create it if it does not exist). "man
irs.conf" tells you everything you need. As you would guess, you have to use
the "nss_ldap" mechanism name to use nss_ldap. This lets you access host,
network, service, and protocol information using LDAP (well, you can also
configure netgroups here, but as I write this, nss_ldap does not have
netgroup support).

Due to the missing netgroup support, you will get lots of "dlsym of symbol:
ng_pvtinit failed: Function not implemented (ng_pvtinit)" messages in the
system logs. That's ugly, but harmless.

Now, the interesting part: users and groups. Have I said that IBM did it The
Other Way(tm)? Ok, add the following stanza to /lib/security/methods.cfg:

LDAP:
	program = /usr/lib/security/NSS_LDAP

If you are running an AIX version older than 4.3.3, you will have
to add the stanza to /etc/security/login.cfg instead. On version
4.3.3 you will have to add the same stanza to both files. Make sure
you comment out existing references to LDAP, which are for IBM's
SecureWay implementation.

Use chuser(8) to edit /etc/security/user. Change the "SYSTEM"
attribute of the "default" entry to "compat OR LDAP", i.e.:

# chuser SYSTEM="compat or LDAP" default

if you want to use LDAP authentication system wide.
Alternatively, you can enable it on a per-user basis:

# chuser SYSTEM="compat or LDAP" username
  100 
After that you should be able to use getpwnam() and friends to get the
information from the LDAP server.  If you want to allow users to
change their passwords using the standard passwd(1) command, you will
have to change the registry attribute as well:

# chuser registry=LDAP username

(This is pointless right now as there is no support for password
changing in nss_ldap.)

NB:  The registry attribute is also used to fetch/modify all the other
user attributes which are not supported by the LDAP registry.  In
particular, chuser(8) will then fail to operate properly.  However, it is
possible to use the "-R" option to specify the registry on which the
command should operate.  For example, to change back to the normal
files-based authentication and identification:

# chuser -R files SYSTEM=compat registry=files default

NB:  Users should exist in the /etc/passwd file.  That doesn't seem to
be necessary, but many strange things can happen depending on the AIX
version running.  YMMV.
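The steps in this section (the methods.cfg stanza, the irs.conf mechanism, the SYSTEM and registry attributes in /etc/security/user, and the separate /etc/nss_ldap.conf) are easy to get subtly wrong, so here is an audit script for the finished configuration. It is an added example written for this page, not code from nss_ldap or from the authors of this README. It parses the AIX stanza format ("name:" header, indented "attr = value" lines, "*" comments) to check that exactly one active LDAP stanza exists and points at /usr/lib/security/NSS_LDAP (an uncommented SecureWay stanza left behind is the mistake this README warns about), that the hosts map in irs.conf lists the nss_ldap mechanism, and whether a given user's SYSTEM attribute includes LDAP. It also refuses an nss_ldap.conf that carries a bindpw while being readable by other users; that check rests on nss_ldap's general ldap.conf keys (binddn, bindpw, rootbinddn), which this README does not discuss. The sample files it writes are constructed for the demonstration, and the function names, the DIR layout and the example hostnames are assumptions.

```shell
#!/bin/sh
# Audit an nss_ldap-on-AIX configuration. Added example, not part of nss_ldap.
# It reads copies of the files named in this README from DIR:
#   DIR/methods.cfg   (copy of /lib/security/methods.cfg)
#   DIR/irs.conf      (copy of /etc/irs.conf)
#   DIR/user          (copy of /etc/security/user)
#   DIR/nss_ldap.conf (copy of /etc/nss_ldap.conf)
# The sample files produced by write_samples are constructed for this demo.

# stanza_get FILE STANZA ATTR: print ATTR's value from STANZA in an AIX
# stanza file ("name:" header, indented "attr = value" lines, "*" comments).
stanza_get() {
    awk -v want="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                                  # comment line
        /^[^ \t].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == want && $0 ~ ("^[ \t]*" attr "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v)
            sub(/[ \t]*$/, "", v); print v; exit
        }' "$1"
}

# count_stanzas FILE NAME: number of active (uncommented) stanzas called NAME
count_stanzas() {
    awk -v want="$2" '
        /^[ \t]*\*/ { next }
        /^[^ \t].*:[ \t]*$/ { s = $0; sub(/:[ \t]*$/, "", s); if (s == want) n++ }
        END { print n + 0 }' "$1"
}

# check_methods_cfg FILE: exactly one active LDAP stanza, and it runs NSS_LDAP.
# Two active LDAP stanzas usually means the SecureWay one was never commented out.
check_methods_cfg() {
    n=$(count_stanzas "$1" LDAP)
    if [ "$n" -ne 1 ]; then
        echo "methods.cfg: expected one active LDAP stanza, found $n"; return 1
    fi
    prog=$(stanza_get "$1" LDAP program)
    if [ "$prog" != /usr/lib/security/NSS_LDAP ]; then
        echo "methods.cfg: LDAP stanza runs '$prog', not NSS_LDAP"; return 1
    fi
}

# irs_mechanisms FILE MAP: mechanisms configured for MAP (hosts, services, ...)
irs_mechanisms() {
    awk -v map="$2" '!/^[ \t]*#/ && $1 == map { print $2 }' "$1"
}

# user_uses_ldap FILE USER: true if USER's SYSTEM attribute names LDAP
user_uses_ldap() {
    sys=$(stanza_get "$1" "$2" SYSTEM)
    case " $sys " in *" LDAP "*) return 0 ;; *) return 1 ;; esac
}

# check_conf_perms FILE: a bindpw in a world-readable nss_ldap.conf hands the
# proxy credential to every local user. (Assumption: nss_ldap's ldap.conf keys;
# its rootbinddn plus root-only secret file is the usual alternative.)
check_conf_perms() {
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    if grep -q '^[[:space:]]*bindpw' "$1"; then
        case "$(ls -l "$1" | cut -c8-10)" in
            ---) ;;
            *) echo "$1: contains bindpw but is readable by others"; return 1 ;;
        esac
    fi
}

# audit DIR USER: run every check, print findings, return 0 only if all pass
audit() {
    rc=0
    check_methods_cfg "$1/methods.cfg" || rc=1
    irs_mechanisms "$1/irs.conf" hosts | grep -qx nss_ldap ||
        { echo "irs.conf: hosts map does not use the nss_ldap mechanism"; rc=1; }
    user_uses_ldap "$1/user" "$2" || { echo "user $2: SYSTEM does not include LDAP"; rc=1; }
    check_conf_perms "$1/nss_ldap.conf" || rc=1
    return $rc
}

# write_samples DIR: constructed sample files showing the intended end state
write_samples() {
    mkdir -p "$1"
    printf '* SecureWay stanza, commented out in favour of nss_ldap\n*LDAP:\n*\tprogram = /usr/lib/security/LDAP\n\nLDAP:\n\tprogram = /usr/lib/security/NSS_LDAP\n' > "$1/methods.cfg"
    printf '# map     mechanism  option\nhosts     nss_ldap   continue\nhosts     local\nservices  nss_ldap   continue\nservices  local\n' > "$1/irs.conf"
    printf 'default:\n\tSYSTEM = "compat or LDAP"\n\tregistry = files\n\nalice:\n\tSYSTEM = "compat or LDAP"\n\tregistry = LDAP\n\nsvcacct:\n\tSYSTEM = compat\n' > "$1/user"
    printf 'uri ldap://ldap.example.com/\nbase dc=example,dc=com\nldap_version 3\n' > "$1/nss_ldap.conf"
    chmod 644 "$1/nss_ldap.conf"
}

demo=${TMPDIR:-/tmp}/nss_ldap_audit.$$
write_samples "$demo"
audit "$demo" alice && echo "alice: served by nss_ldap, configuration looks sane"
audit "$demo" svcacct || echo "svcacct: stays on compat (files) only"
rm -rf "$demo"
```

On a real system, point the functions at the live files (or copies of them) instead of the constructed samples; `lsuser -a SYSTEM registry alice` shows the same two attributes the script reads from /etc/security/user, which is a quick way to confirm that chuser wrote what you expected.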
  123 
5. What's missing
-----------------

The provided NSS_LDAP authentication module supports the identification
and authentication interfaces. There is, however, no support for
modifying user/group attributes (which means you won't be able to use
the "chuser" command etc. to alter user/group attributes; you have to
make all modifications directly via LDAP).

Also, lsgroup does not support querying group membership, although
group membership will be evaluated correctly when a user logs on.

Enjoy.

Gabor Gombas <gombasg@inf.elte.hu>
Luke Howard <dev@padl.com>
Dejan Muhamedagic <dejan.muhamedagic@at.ibm.com>