AIX installation notes

Support for AIX Capabilities attribute

Support has been added for the AIX Capabilities user attribute, a feature that is only available on AIX 5.3 and later. To enable the feature, edit /etc/centrifydc/centrifydc.conf to add the following line:

lam.method.version: 520

This allows using methods that are only available with AIX 5.3 and later, and these methods are required to support the Capabilities attribute.

Use adquery to view capabilities for an Active Directory user:

adquery user -X aix.capabilities <ADuser>

Use adupdate to set capabilities for an Active Directory user:

adupdate modify user -X +aix.capabilities=CAPABILITIES <ADuser>

Where CAPABILITIES is a comma-separated list of capabilities to add for the user. For example:

CAP_NUMA_ATTACH, CAP_BYPASS_RAC_VMM, CAP_PROPOGATE

Currently there is no group policy support for capabilities, this may be implemented in a future release of authentication service.

Users cannot log in via ftp if they have a restricted shell

On AIX 6.1, a user's login shell must appear in the shells attribute of the /etc/security/login.cfg file. Centrify Privilege Elevation Service does not add dzsh to this attribute so by default an ftp user who is using dzsh as their login shell cannot log in. To workaround this issue, add /usr/bin/dzsh to the shells attribute of /etc/security/login.cfg.

Starting and stopping DirectControl on AIX

Because the authentication service daemon, adclient, is defined as an AIX system resource, you use the following commands to start, stop, and check the status of the daemon:

startsrc -s centrifydc
stopsrc -s centrifydc
lssrc -s centrifydc

Using the Centrify Authentication Service LDAP Proxy on AIX

When using the LDAP Proxy on AIX you need the following line in the slapd configuration file at

/usr/share/centrifydc/etc/openldap/ldapproxy.slapd.conf 
moduleload /usr/share/centrifydc/libexec/openldap/libback_centrifydc.a(libback_centrifydc.so.0)

Note:   Note this should be entered as a single line into the configuration file. This line may already be in the configuration file, but commented out, in which case you can just remove the leading "#" to uncomment it.