IBM’s proprietary Loadable Authentication Module (LAM) interface is an alternative to PAM on AIX systems. In fact, the Identity Manager Fan-Out Driver fully supports PAM only on AIX 5.3 and later.
If you use LAM with the Fan-Out Driver, be sure to include the following considerations in your configuration.
The Fan-Out Driver’s LAM module is named DCE and located here on your AIX system:
/usr/lib/security/DCE
NOTE: IBM also has a deprecated LAM module named DCE, which is their implementation of the Distributed Computing Environment. IBM’s DCE LAM module is unrelated to the Fan-Out Driver’s DCE LAM module.
To enable the DCE LAM module as an available authentication mechanism, you must add it to the methods.cfg configuration file located here on your AIX system:
/usr/lib/security/methods.cfg
A sample methods.cfg file is included in /usr/local/ASAM/bin/PlatformServices.
The DCE LAM module can be made the default authentication method for all users, or it can be associated with particular users, via the user file located here on your AIX system:
/etc/security/user
Two sample user files are included in /usr/local/ASAM/bin/PlatformServices:
user.sample shows how to make DCE the default authentication mechanism.
user.sample2 shows how to make DCE the default authentication mechanism with fail-over to local authentication if DCE authentication is unavailable.
Alternatively, the DCE LAM module can be explicitly associated with Fan-Out Driver managed users by adding the SYSTEM and registry attributes to the mkuser command in the Fan-Out Driver’s adduser.sh script as follows:
COMMAND="/usr/bin/mkuser -R files SYSTEM=\"DCE\" registry=DCE "
To enable LAM on AIX 5.3 and later, you also need to modify the login.cfg file located here on your AIX system:
/etc/security/login.cfg
In this file, make sure that auth_type is set to STD_AUTH.
Finally, to use ssh with the DCE LAM module, you will need to check your sshd_config file located here on your AIX system:
/etc/ssh/sshd_config
In this file, it is important for PasswordAuthentication to have the default setting of yes.
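The settings described above can be verified together with a read-only check. The following script is an added example, not part of the Fan-Out Driver or its sample files; the function names are hypothetical, and it assumes the standard AIX stanza layout (a "name:" line followed by "attribute = value" lines, with "*" starting a comment) and inspects only the global section of sshd_config.

```shell
#!/bin/sh
# Added example (not from the product): read-only check of the LAM settings above.
# Assumes the standard AIX stanza layout ("name:" then "attr = value", "*" comments).

check_methods_cfg() {   # pass: a DCE: stanza with program = /usr/lib/security/DCE
    awk '{ line = $0; gsub(/[ \t]/, "", line) }
         line ~ /^\*/ || line == "" { next }
         line ~ /:$/ && line !~ /=/ { in_dce = (line == "DCE:"); next }
         in_dce && line == "program=/usr/lib/security/DCE" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

check_login_cfg() {     # pass: auth_type is set, and only ever to STD_AUTH
    awk '{ line = $0; gsub(/[ \t]/, "", line) }
         line ~ /^auth_type=/ { seen = 1; if (line != "auth_type=STD_AUTH") bad = 1 }
         END { exit (seen && !bad) ? 0 : 1 }' "$1"
}

check_sshd_config() {   # pass: global PasswordAuthentication is yes or unset (default yes)
    awk '/^[ \t]*#/ { next }
         { sub(/[ \t]*=[ \t]*/, " ") }                 # accept "Keyword=value" too
         tolower($1) == "match" { exit }               # only the global section is checked
         tolower($1) == "passwordauthentication" { val = tolower($2); exit }
         END { exit (val == "" || val == "yes") ? 0 : 1 }' "$1"
}

lam_check_all() {       # arguments override the default paths named on this page
    methods=${1:-/usr/lib/security/methods.cfg}
    login=${2:-/etc/security/login.cfg}
    sshd=${3:-/etc/ssh/sshd_config}
    fails=0
    check_methods_cfg "$methods" || { echo "FAIL: no DCE stanza in $methods"; fails=$((fails + 1)); }
    check_login_cfg "$login" || { echo "FAIL: auth_type is not STD_AUTH in $login"; fails=$((fails + 1)); }
    check_sshd_config "$sshd" || { echo "FAIL: PasswordAuthentication is not yes in $sshd"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: LAM settings match the documented values"
    return "$fails"
}

if [ "${1:-}" = "--check" ]; then lam_check_all; fi
```

Run the script with --check to test the default paths; the exit status of lam_check_all is the number of settings that do not match.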