Active Directory password attribute selection

AIX® supports two authentication mechanisms, unix_auth and ldap_auth.

With unix_auth, the password in Microsoft Active Directory (AD) is required to be stored in encrypted (hashed) format. During authentication, the encrypted password is retrieved from AD and compared to the encrypted form of the user-entered password; authentication succeeds if they match. In ldap_auth mode, AIX authenticates a user by performing an LDAP bind operation to the server with the user's identity and the supplied password; the user is authenticated if the bind succeeds. AD supports multiple user password attributes, and each AIX authentication mode requires a different AD user password attribute.

unix_auth mode

The following AD password attributes can be used for unix_auth mode:
  • userPassword
  • unixUserPassword
  • msSFU30Password

Password management on AIX can be difficult because AD has multiple password attributes, and it is not always obvious which of them the UNIX clients should use. The AIX LDAP attribute mapping capability lets you customize password management according to your needs.

By default, AIX uses the msSFU30Password attribute for AD running on Windows 2000 and 2003, and the userPassword attribute for AD running on Windows 2003 R2. If a different password attribute is used, you need to modify the /etc/security/ldap/sfu30user.map file (or the /etc/security/ldap/sfur2user.map file if AD is running on Windows 2003 R2). Find the line that starts with the word spassword and change the third field of the line to the desired AD password attribute name. For more information, see LDAP Attribute Mapping File Format. Run the mksecldap command to configure the AIX LDAP client after the change. If the AIX LDAP client is already configured, run the restart-secldapclntd command to restart the secldapclntd daemon so that it picks up the change.
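The following shell script is an added example, not part of the IBM page, showing the map-file edit described above: it reads and rewrites the third field of the spassword line and refuses attribute names that are not one of the three unix_auth attributes listed earlier. The sample map-file contents are constructed here, and the assumed column layout (AIX attribute, AIX type, LDAP attribute, value type) is only what the page implies by calling the LDAP attribute the third field; check it against your own sfu30user.map or sfur2user.map before using the script on a real system.

```shell
#!/bin/sh
# Added example (not from the IBM page): change the AD password attribute that
# unix_auth mode reads by rewriting the third field of the "spassword" line in
# an AIX LDAP attribute map file. Assumed layout per line:
#   <AIX attribute> <AIX type> <LDAP attribute> <value type>

# Print the LDAP attribute currently mapped to spassword in the given map file.
get_spassword_attr() {
    awk '$1 == "spassword" { print $3; exit }' "$1"
}

# Rewrite the third field of the spassword line to the requested attribute.
# Only the three attributes the page lists for unix_auth mode are accepted;
# unicodePwd is used for bind operations (ldap_auth) and cannot be compared
# as an encrypted password, so it is rejected here.
# Usage: set_spassword_attr <mapfile> <userPassword|unixUserPassword|msSFU30Password>
set_spassword_attr() {
    mapfile=$1
    attr=$2
    case "$attr" in
        userPassword|unixUserPassword|msSFU30Password) ;;
        *) echo "unsupported unix_auth password attribute: $attr" >&2; return 1 ;;
    esac
    tmp="${mapfile}.tmp.$$"
    # Comment lines and other attributes pass through unchanged.
    awk -v a="$attr" '$1 == "spassword" { $3 = a } { print }' "$mapfile" > "$tmp" \
        && mv "$tmp" "$mapfile"
    # On a live AIX client the change takes effect only after
    #   mksecldap ...            (initial client configuration), or
    #   restart-secldapclntd     (client already configured)
}

# Constructed sample standing in for /etc/security/ldap/sfur2user.map.
make_sample_map() {
    cat > "$1" <<'EOF'
# AIX attribute   type      LDAP attribute   value type
username          SEC_CHAR  sAMAccountName   s
spassword         SEC_CHAR  userPassword     s
id                SEC_INT   uidNumber        s
EOF
}
```

Run it as `. ./adpw_map.sh; set_spassword_attr /etc/security/ldap/sfur2user.map msSFU30Password` on the client, then restart secldapclntd as the page describes.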

In unix_auth mode, the password might get out of sync between Windows and UNIX, resulting in a different password on each system. This occurs when a password is changed on Windows, because Windows uses the unicodePwd attribute rather than the attribute that unix_auth reads. The AIX passwd command can reset the UNIX password to be the same as the Windows password, but AIX does not support automatically changing the Windows password when you change your UNIX password from AIX.

ldap_auth mode

Active Directory also has the unicodePwd password attribute. This attribute is used by Windows systems to authenticate Windows users. In a bind operation to AD, the unicodePwd password must be used; none of the password attributes listed under unix_auth mode works for a bind operation. If the ldap_auth option is specified on the command line, the mksecldap command maps the password attribute to AD's unicodePwd attribute at client configuration time, with no manual step required.

By mapping AIX passwords to the unicodePwd attribute, users defined in AD can log in to Windows and AIX systems with the same password. A password reset from either an AIX or a Windows system takes effect for both AIX and Windows systems.