How to determine if a 3rd party application, which performs some form of user authentication, will work with Active Directory user accounts (through QAS)?
QAS supports applications which can authenticate through PAM (Pluggable Authentiction Modules), or LAM (Loadable Authentication Modules) on AIX. These security subsystems act as an abstraction layer for the application, so it does not need to be programmed to use only one authentication method.
To determine if an application supports PAM, you can check and see if its binary is linked against the PAM library using the ldd (List Dynamic Dependencies) command (please see local system ldd man pages for more information).
As an example: to check if SSH supports PAM:
# ldd /usr/lib/ssh/sshd | grep -i pam
libpam.so.1 => /lib/libpam.so.1
If the application performs a 'crypt and compare' authentication, based on libc NSS API calls for a user's password struct, this will not work with QAS. The reason is that QAS does not store a crypted hash of the users password in AD, to be returned in NSS calls, as both QAS and AD use Kerberos as the means for user authentication -- adding a user's password would significantly decrease the security of the network and defeat the primary goal of Kerberos: to ensure that a user's password does not travel over the network.
© 2020 One Identity LLC. ALL RIGHTS RESERVED. Feedback Conditions d’utilisation Confidentialité