SecurID PAM agent for AIX 5.3 - unable to use LDAP groups
Originally Published: 2011-04-26
Article Number
000048378
Applies To
AIX 5.3

PAM SecurID agent for AIX

Issue
SecurID PAM agent for AIX - unable to use LDAP groups with the PAM agent on AIX

Cause
IBM has chosen a LAM model rather than a straight PAM model for LDAP. IBM has only recently documented the limitation of its system calls with PAM and LDAP; see the IBM APAR (bug report):

https://www-304.ibm.com/support/docview.wss?uid=isg1IZ89143

IZ89143: DOC DOES NOT SAY THAT GETGRENT AND GETPWENT DOES NOT SUPPORT LAM

Under the AIX LAM model, you cannot use the standard UNIX getgrent() and getpwent() calls to traverse groups and users when LDAP is used.
This differs from RHEL, Solaris, HP-UX and SUSE, the other platforms on which the RSA PAM agent can be used. This behavior was only recently documented by IBM.

Resolution
RSA has released a new PAM module that accommodates the newly documented limitations of the AIX LAM module. Please use AIX PAM kit 7.0.2 (to be officially released as a full kit beginning June 2011 and publicly available for download at http://www.rsa.com/node.aspx?id=1177).

Notes
Note that LAM support is available until AIX 5.3; therefore you cannot use LDAP groups with AIX 5.2. This is not an RSA PAM module limitation; it is a limitation of AIX.