[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

Files Reference


/usr/lib/security/methods.cfg File

Purpose

Contains the information for loadable authentication module configuration.

Description

The /usr/lib/security/methods.cfg file is an ASCII file that contains stanzas with loadable authentication module information. Each stanza is identified by a module name followed by a colon (:) and contains attributes in the form Attribute=Value. Each attribute ends with a new-line character and each stanza ends with an additional new-line character.

Each stanza can have the following attributes:

domain Specifies a free-format ASCII text string that is used by the loadable authentication module to select a data repository. This attribute is optional.
program Names the load module containing the executable code that implements the loadable authentication method.
program_64 Names the load module containing the executable code that implements the loadable authentication method for 64-bit processes.
options Specifies an ASCII text string containing optional values that are passed to the loadable authentication module upon initialization. The supported values for each module are described by the product documentation for that loadable authentication module.

The options attribute takes the following pre-defined values:

auth=module
Specifies the module to be used to perform authentication functions for the current loadable authentication module

authonly
Indicates that the loadable authentication module only performs authentication operations. User and group information must be provided by a different module, specified by the db= option. If not by a module, then user and group information must be provided by the local files database.

db=module
Specifies the module to be used for providing user and group information for the current loadable authentication module

dbonly
Indicates that the loadable authentication module only provides user and group information and does not perform authentication functions. Authentication operations must be performed by a different load module, specified by the auth= option. If the auth= option is not specified, all authentication operations fail.

noprompt
The initial password prompt for authentication operations is suppressed. The loadable authentication module would then control all password prompting.

You can only use the auth=module and db=module value strings for complex loadable authentication modules, which may require or be used with another loadable authentication module to provide new functionality.

The authonly and dbonly values are invalid for complex modules.

You can use the noprompt value for any kind of module.

Security

Access Control: This file should grant read (r) and write (w) access to the root user only and read (r) access to the security group and all other users.

Examples

  1. To indicate that the loadable authentication module is located in the file /usr/lib/security/DCE, enter:

    program = /usr/lib/security/DCE
    
  2. To indicate that the loadable authentication module only should provide authentication functions, enter:

    options = authonly
    
  3. The following example contains configuration information for the LDAP simple loadable authentication module:

    LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64
    

    The "LDAP" stanza gives the name of the module, used by the SYSTEM and registry attributes for a user. The name does not have to be the same as the file name given for the program attribute.

  4. The following example contains configuration information for the KERBEROS complex loadable authentication module:

    KERBEROS:
        program = /usr/lib/security/KERBEROS
        program_64 = /usr/lib/security/KERBEROS64
        options = authonly,db=LDAP
    

    The "KERBEROS" stanza gives the name of the module as used by the SYSTEM and registry attributes for a user. This name does not have to be the same as the name of the file given for the program attribute. The options attribute indicates that the user and group information functions are to be performed by the module described by the "LDAP" stanza (in example 3).

Implementation Specifics

This file is part of Base Operating System (BOS) Runtime.

Files

/usr/lib/security/methods.cfg
Specifies the path to the file.

/etc/passwd
Contains basic user attributes.

/etc/security/user
Contains the extended attributes of users.

Related Information

The chuser command, login command, lsuser command, passwd command, su command.

The getauthdb subroutine, setauthdb subroutine.

Chapter 18. Loadable Authentication Module Programming Interface in AIX 5L Version 5.1 Kernel Extensions and Device Support Programming Concepts


[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]