

Install the pluggable authentication module (PAM) on AIX

Applies To: Windows Server 2003 R2

To install the pluggable authentication module (PAM) on AIX

  1. Copy pam_sso.aix from IDMU\Unix\Bins on the Windows Server 2003 R2 CD to /usr/lib/ on the UNIX computer, and change its name to pam_sso.aix.1.

  2. On the UNIX computer, log on as root, and then enter the following commands:

    chown root /usr/lib/pam_sso.aix.1
    chmod 555 /usr/lib/pam_sso.aix.1

  3. If necessary, create the /etc/pam.conf file according to your network requirements, setting the owner to root and the base permissions to 644. For more information about creating the pam.conf file, see "Pluggable Authentication Modules" in System Management Guides: Security Guide in your AIX documentation.

    Sample pam.conf file

     

    # Authentication management
    OTHER   auth     required       /usr/lib/security/pam_aix
    
    # Account management
    OTHER   account  required       /usr/lib/security/pam_aix
    
    # Session management
    OTHER   session  required       /usr/lib/security/pam_aix
    
  4. Open /etc/pam.conf with a text editor.

  5. In the Password management section, add the following line:

    passwd password required /usr/lib/security/pam_sso.aix.1

    Sample pam.conf file with this line added

     

    # Authentication management
    OTHER   auth     required       /usr/lib/security/pam_aix
    
    # Account management
    OTHER   account  required       /usr/lib/security/pam_aix
    
    # Session management
    OTHER   session  required       /usr/lib/security/pam_aix
    
    # Password management
    passwd   password required       /usr/lib/security/pam_sso.aix.1
    
  6. Open /usr/lib/security/methods.cfg with a text editor and add the following lines at the end of the file:

    PAM:
            program = /usr/lib/security/PAM

    PAMfiles:
            options = auth=PAM,db=BUILTIN

  7. Open /etc/security/user with a text editor and add authentication information for the specific users whose passwords you want to synchronize. For example:

    user1:
            admin = false
            SYSTEM = PAMfiles[*] AND "compat"
            registry = PAMfiles

Note

You can change the default section of /etc/security/user to allow all users to synchronize their passwords. In that case, you can use the SYNC_USERS attribute in the /etc/sso.conf file to restrict access to Password Synchronization. For more information, see "Using sso.conf to configure Password Synchronization on the UNIX computer." To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 5.
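A post-install check for the procedure above, as an added example that is not part of the original documentation: it confirms the module and pam.conf ownership and permissions, the `passwd password` entry from step 5, the methods.cfg stanzas from step 6, and the user's registry from step 7. The function names are hypothetical, and the script assumes only `ls` and `awk`; pass the module, pam.conf, methods.cfg and user file paths and the user name as arguments.

```shell
#!/bin/sh
# Added example: post-install checks for steps 1-7. Function names are
# hypothetical; every file path is supplied by the caller.

# perm_owner_is FILE PERMS UID: FILE has ls -l mode PERMS and numeric owner UID.
perm_owner_is() {
    ls -ldn "$1" 2>/dev/null | awk -v p="$2" -v u="$3" '
        { ok = (substr($1, 1, 10) == p && $3 == u) } END { exit !ok }'
}

# pam_has_entry FILE SERVICE TYPE MODULE: an uncommented pam.conf line has
# that service, module type and module path (fields 1, 2 and 4).
pam_has_entry() {
    awk -v s="$2" -v t="$3" -v m="$4" '
        /^[ \t]*#/ { next }
        $1 == s && $2 == t && $4 == m { found = 1 }
        END { exit !found }' "$1"
}

# stanza_attr FILE STANZA ATTR: print ATTR's value from "STANZA:" in an AIX
# stanza file (methods.cfg, /etc/security/user); "*" starts a comment.
stanza_attr() {
    awk -v st="$2:" -v at="$3" '
        /^[ \t]*\*/ { next }
        /^[^ \t=]+:[ \t]*$/ { cur = $1; next }
        cur == st && (i = index($0, "=")) {
            name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
            if (name == at) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }
        }' "$1"
}

# check_pam_sso MODULE PAMCONF METHODS USERFILE USER [UID]: print each failed
# check; non-zero status if any failed. UID defaults to 0 (root).
check_pam_sso() {
    rc=0; uid=${6:-0}
    perm_owner_is "$1" -r-xr-xr-x "$uid" || { echo "FAIL: $1 owner/mode (want root, 555)"; rc=1; }
    perm_owner_is "$2" -rw-r--r-- "$uid" || { echo "FAIL: $2 owner/mode (want root, 644)"; rc=1; }
    pam_has_entry "$2" passwd password /usr/lib/security/pam_sso.aix.1 ||
        { echo "FAIL: $2 has no passwd password entry for pam_sso.aix.1"; rc=1; }
    [ "$(stanza_attr "$3" PAM program)" = /usr/lib/security/PAM ] ||
        { echo "FAIL: $3 PAM stanza"; rc=1; }
    [ "$(stanza_attr "$3" PAMfiles options)" = "auth=PAM,db=BUILTIN" ] ||
        { echo "FAIL: $3 PAMfiles stanza"; rc=1; }
    [ "$(stanza_attr "$4" "$5" registry)" = PAMfiles ] ||
        { echo "FAIL: $4 $5 registry is not PAMfiles"; rc=1; }
    return $rc
}

if [ "$#" -ge 5 ]; then check_pam_sso "$@"; fi
```

A password-management module is handed new passwords when users change them, so a module or pam.conf that is writable by anyone other than root is worth flagging whenever this check is rerun.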

See Also

Concepts

Understanding Password Synchronization
Implementing Password Synchronization