Considerations when using various authentication methods
Transparent LDAP-based authentication and group lookup support on AIX® extends to Kerberos authentication.
Additional work was done on AIX for using Kerberos authentication with Transparent LDAP. The following is what needs to be included in /usr/lib/security/methods.cfg and /etc/security/users when there is a need to manage accounts in different locations and use different authentication methods, such as Kerberos.
To support files, LDAP and Kerberos authentication, /usr/lib/security/methods.cfg must contain the following stanzas.
Note: KRB5A is for using Microsoft Active Directory as the Kerberos Key Distribution Center (KDC).
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = tgt_verify=no,authonly,is_kadmind_compat=no

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = kadmind=no

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

KRB5files:
        options = db=BUILTIN,auth=KRB5

KRB5ALDAP:
        options = db=LDAP,auth=KRB5A

KRB5LDAP:
        options = db=LDAP,auth=KRB5
Examples
The following examples show four accounts that are stored in different places and use different authentication methods.

If frank's account is stored in files and is authenticated using files, frank's stanza in /etc/security/users looks like this:

frank:
        SYSTEM = files
        registry = files

If karen's account is stored in files and is authenticated using Kerberos, karen's stanza in /etc/security/users looks like this:

karen:
        SYSTEM = KRB5files
        registry = KRB5files

If luke's account is stored on LDAP and is authenticated using Kerberos, luke's stanza in /etc/security/users looks like this:

luke:
        SYSTEM = KRB5LDAP
        registry = KRB5LDAP

If lucy's account is stored on LDAP and is authenticated using LDAP, lucy's stanza in /etc/security/users looks like this:

lucy:
        SYSTEM = LDAP
        registry = LDAP
To determine whether a user is defined on LDAP, query the user with the lsuser command:

$ lsuser -R LDAP lucy
lucy id=1234 pgrp=staff groups=staff home=/home/lucy shell=/bin/ksh registry=LDAP
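As an added example (not part of the AIX documentation), the following script parses stanza files in the format shown above and reports, for each account, where it is administered (its registry) and which loadable module checks its password (its SYSTEM), following the db= and auth= options of the compound KRB5files and KRB5LDAP methods. The two samples are constructed from the page's stanzas; the KRB5A variants and the files-only account frank are left out for space.

```python
# Constructed samples from the page's stanzas: methods.cfg (KRB5A variants left out) and /etc/security/users.
METHODS_CFG = """\
LDAP:
    program = /usr/lib/security/LDAP
KRB5:
    options = kadmind=no
KRB5files:
    options = db=BUILTIN,auth=KRB5
KRB5LDAP:
    options = db=LDAP,auth=KRB5
"""
USERS_CFG = """\
karen:
    SYSTEM = KRB5files
    registry = KRB5files
luke:
    SYSTEM = KRB5LDAP
    registry = KRB5LDAP
lucy:
    SYSTEM = LDAP
    registry = LDAP
"""

def parse_stanzas(text):
    """Parse AIX 'name:' stanzas with indented 'key = value' lines into nested dicts."""
    stanzas, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # skip blank and comment lines
            continue
        if line.endswith(":") and not raw[0].isspace():
            stanzas[(name := line[:-1])] = {}  # a new stanza starts at column 0
        elif name and "=" in line:
            key, _, value = line.partition("=")
            stanzas[name][key.strip()] = value.strip()
    return stanzas

def resolve(method, methods):
    """(db, auth) for a method: files/BUILTIN = local files; compound = its db=/auth=; a module is both."""
    if method in ("files", "BUILTIN"):
        return "files", "files"
    opts = dict(kv.split("=", 1) for kv in methods[method].get("options", "").split(",") if "=" in kv)
    if "db" in opts and "auth" in opts:
        return resolve(opts["db"], methods)[0], resolve(opts["auth"], methods)[1]
    return method, method

def audit_users(users, methods):
    # registry says where an account is administered, SYSTEM which module checks its password
    return {u: (resolve(a["registry"], methods)[0], resolve(a["SYSTEM"], methods)[1]) for u, a in users.items()}
```

Running audit_users over real copies of the two files gives a quick inventory of which accounts still authenticate locally or through LDAP rather than Kerberos.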