
I need to integrate a couple of AIX servers into an existing LDAP directory for user authentication and authorization. Versions range from 5 to 7.1.

On some systems (I have so far failed to recognize a pattern) I need to finish '/etc/passwd' with a line containing a single '+' character for the commands id, login and automount to work. I took this procedure from the IBM Redbook "Integrating AIX into Heterogenous LDAP Environments", p. 125.

I'd be prepared to just accept that. However, I have systems which are integrated perfectly fine into the LDAP without that line in '/etc/passwd', i.e., which just work. I would like to understand exactly what that '+' does and what other files exist to configure the system to use LDAP for authentication and authorization. I have so far failed to grasp the difference between systems which require '+' and those that do not.

Frankly, I am kind of afraid to mess with a facility like '/etc/passwd' without understanding what that '+' does exactly and what other options I have to enable LDAP lookup (apparently, others must exist).

Grateful for any help, cheers, Christopher

  • You should read the man page for passwd; the plus is a compatibility rule that says to source entries from NIS/LDAP from here on. You also need to edit the /etc/netsvc.conf file to tell it to look in LDAP – Anya Shenanigans Jun 14 '14 at 20:27
  • I do not understand how netsvc.conf influences my problem: According to the comments in that file, it configures net resolution routines like gethostbyname, gethostbyname2, gethostbyaddr. However, we traced the problem down to the stanza KRB5LDAP which, when set _without_ options=netgroup allows user lookup _without_ the '+' entries in '/etc/passwd'. Anyways, thanks! – user3741094 Jun 17 '14 at 07:19
  • You've now discovered why it was needed in one vs the other. What the `+` accomplishes in the file, though, is that you can redirect to network-provided entries at that point, so you could have accounts that are both in the `/etc/passwd` file and in `LDAP`, but depending on where you placed the plus you would get different behaviour. Your solution is actually to fix the broken KRB5LDAP config. Evidently this specification is invalid configuration. A [tangentially related bug](http://www-01.ibm.com/support/docview.wss?uid=isg1IV55506) seems to mention this fact. – Anya Shenanigans Jun 17 '14 at 08:12
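
The resolution behaviour the comments describe (the `+` line splices the network-provided entries into the lookup at that point, and the position of the `+` decides whether a local entry or the directory's entry of the same name wins) is easy to see in a small simulation. The following is an added example written for this page; it is not AIX's resolver code, not taken from the post or the Redbook, and it does not cover AIX's own KRB5LDAP/netsvc.conf configuration. The account names, UIDs and the in-memory "directory" are constructed sample data, and the three passwd variants differ only in where (or whether) the `+` line appears.

```python
"""Simulate how a NIS-compatibility '+' line in /etc/passwd splices
network-provided (NIS/LDAP) entries into local user lookups.

Added illustration, not AIX's resolver. All names, UIDs and the
DIRECTORY map below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str
    source: str  # 'local' or 'directory': where the entry was found


# Constructed stand-in for the LDAP/NIS passwd map.
DIRECTORY: Dict[str, PasswdEntry] = {
    e.name: e for e in (
        PasswdEntry("cdavis", 5001, 500, "Christopher", "/home/cdavis", "/usr/bin/ksh", "directory"),
        PasswdEntry("ops", 5002, 500, "Ops (LDAP copy)", "/home/ops", "/usr/bin/ksh", "directory"),
    )
}

# Constructed /etc/passwd variants (AIX keeps the hash in /etc/security/passwd,
# hence the '!' password field). Note where the '+' sits in each.
PASSWD_PLUS_BEFORE_OPS = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
+
ops:!:300:300:Ops (local copy):/home/ops:/usr/bin/ksh
"""
PASSWD_PLUS_AFTER_OPS = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
ops:!:300:300:Ops (local copy):/home/ops:/usr/bin/ksh
+
"""
PASSWD_NO_PLUS = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
ops:!:300:300:Ops (local copy):/home/ops:/usr/bin/ksh
"""


def parse_passwd(text: str) -> List[Tuple[str, Optional[PasswdEntry]]]:
    """Parse passwd text into an ordered list of ('local', entry) and
    ('plus', None) items. The '+' line (bare, or with empty fields such
    as '+::::::') is a directive to the resolver, never an account, so it
    is deliberately not turned into an entry."""
    items: List[Tuple[str, Optional[PasswdEntry]]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "+" or line.startswith("+:"):
            items.append(("plus", None))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        items.append(("local", PasswdEntry(name, int(uid), int(gid), gecos, home, shell, "local")))
    return items


def getpwnam(name: str, passwd_text: str, directory: Dict[str, PasswdEntry]) -> Optional[PasswdEntry]:
    """Resolve `name` the way a compat-mode resolver does: walk the file
    top to bottom, return a local entry as soon as it matches, and at the
    '+' line ask the directory before reading further. With no '+' the
    directory is never consulted, which is the symptom in the question
    (id/login/automount not seeing directory users)."""
    for kind, entry in parse_passwd(passwd_text):
        if kind == "local":
            if entry is not None and entry.name == name:
                return entry
        elif name in directory:
            return directory[name]
    return None


def getpwent_all(passwd_text: str, directory: Dict[str, PasswdEntry]) -> List[PasswdEntry]:
    """Enumerate every entry in resolution order, as a getpwent() loop would
    see it: local lines in place, the whole directory spliced in at '+'."""
    out: List[PasswdEntry] = []
    for kind, entry in parse_passwd(passwd_text):
        if kind == "local" and entry is not None:
            out.append(entry)
        elif kind == "plus":
            out.extend(directory.values())
    return out


if __name__ == "__main__":
    for label, text in (("plus before ops", PASSWD_PLUS_BEFORE_OPS),
                        ("plus after ops", PASSWD_PLUS_AFTER_OPS),
                        ("no plus", PASSWD_NO_PLUS)):
        for user in ("cdavis", "ops"):
            hit = getpwnam(user, text, DIRECTORY)
            print(f"{label:16} {user:7} -> {hit.source + ' uid=' + str(hit.uid) if hit else 'not found'}")
```

Running it shows the three cases side by side: without a `+`, `cdavis` (directory only) is not found at all; with the `+` above the local `ops` line, the directory's `ops` (uid 5002) shadows the local one (uid 300); with the `+` below it, the local `ops` wins. That shadowing is the security-relevant consequence of placement: with the `+` placed early, whoever can write an entry into the directory can override the uid, home and shell of an account that also exists locally. The simulation also never treats the `+` line as an account record of its own, which is how a resolver should behave. As the comments note, on AIX the intended route is a correct KRB5LDAP stanza rather than a `+` line, and this example only models what the `+` does, not that configuration.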
