IZ78246: CSAIX BACK-COMPATIBILITY DISABLE_PASSWORD_SUBSTITUTION NEEDS MORE VERSATILE AUTHENTICATION MECHANISM

Communications Server for AIX, Version 6.4 -- Latest PTFs

APAR status

• Closed as new function.

Error description

• Communications Server for AIX, Version 6.4
  ------------------------------------------
  The back-level compatibility feature to use the AIX password
  database instead of an internal CSAIX database for
  authenticating userid/password pairs on inbound conversations is
  only able to use the local /etc/password file and not any other
  authentication mechanism in AIX, such as LDAP.
  

Local fix

Problem summary

• USERS AFFECTED: All who use disable_password_substitution.
  
  PROBLEM DESCRIPTION:
  When using disable_password_substitution, userids that are
  authenticated to AIX through a method other than "compat"
  (such as LDAP) fail authentication in CSAIX.
  
  PROBLEM SUMMARY:
  CSAIX uses the getpwnam() call to obtain the encrypted
  password from the AIX password database (/etc/passwd),
  then compares that with the received password that CSAIX
  has encrypted. If they match, then the password is valid.
  However, getpwnam() can not obtain the encrypted password
  from other authentication methods.
  

Problem conclusion

• CSAIX has been modified to use the AIX authenticate() call
  and provide the received password. AIX will then authenticate
  the password and indicate if it is valid or invalid and return
  that result to CSAIX.
  
  Because this is a design modification / new function, this
  change is only being made in CSAIX 6.4. Earlier levels will
  retain the existing behavior.
  

Temporary fix

• snatpsrvd
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  CS AIX V6.X

• Fixed component ID

  5765E5100

Applicable component levels

• R640 PSY U838611

     UP10/11/12 I 1000