The Password Synchronizer is installed using the IBM TDI installer wizard. After the installation is finished, follow the steps in this section, which describes the deployment steps required for the PAM Password Synchronizer.
To register the plug-in, edit the PAM configuration file. The table below shows the standard location of both PAM configuration files on various platforms. Your individual PAM configuration may cause the PAM password module configuration to be a different file. You should check with your system administrator if either of these files does not exist, or if the added Password Synchronization module is not being invoked.
Older versions of PAM on UNIX used the configuration file /etc/pam.conf. This file is now deprecated and all PAM configuration files should now be located in /etc/pam.d for modules that rely on PAM. The PAM configuration file for the password change module should be located in this directory.
The primary component of external system configuration is the PAM configuration file. Since the purpose of the plug-in is to intercept password events, a line similar to the following should be added to the PAM configuration file. If the PAM module is being stacked with other PAM modules, then the Tivoli module should usually be the last in the stack. That way, the module can be sure that previous "required" modules have returned a success status before PAM calls the Tivoli module.
Operating System | PAM Configuration File | PAM plug-in registration line |
---|---|---|
AIX 5.3 or greater | /etc/pam.conf | passwd password required TDI_Plugin_Root/pwd_plugins/pam/libpamtivoli.so use_first_pass TDI_Plugin_Root/pwd_plugins/pam/pwsync.props |
Solaris 9,10 | /etc/pam.conf or /etc/pam.d/system-auth | other password required TDI_Plugin_Root/pwd_plugins/pam/libpamtivoli.so use_first_pass TDI_Plugin_Root/pwd_plugins/pam/pwsync.props |
Linux | /etc/pam.conf or /etc/pam.d/system-auth (RHEL 4); /etc/pam.conf or /etc/pam.d/password (SLES 9); /etc/pam.conf or /etc/pam.d/common-password (SLES 10) | password required TDI_Plugin_Root/pwd_plugins/pam/libpamtivoli.so use_first_pass TDI_Plugin_Root/pwd_plugins/pam/pwsync.props |
If the system is 64-bit (and the applications that rely on PAM, such as "passwd", are also 64-bit), use "libpamtivoli_64" instead of "libpamtivoli".
The above table lists system-auth as the PAM configuration file in the /etc/pam.d directory. In actual fact, the configuration file /etc/pam.d/passwd is the main configuration file for password setting and changing. On most operating systems, the standard PAM install sets up /etc/pam.d/passwd to use /etc/pam.d/system-auth for defining the actual PAM modules used for password setting and changing. For example, on RHEL 4, the delegation in the /etc/pam.d/passwd file might look as follows.
password required pam_stack.so service=system-auth
If your PAM /etc/pam.d/passwd configuration file has delegated to system-auth, then you must add the configuration entry into /etc/pam.d/system-auth.
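One way to verify the registration after editing, as an added example that is not part of the IBM documentation or product: the script expands the pam_stack.so delegation described above and checks that the Tivoli line is in the effective password stack, last, marked required, and carries use_first_pass and a pwsync.props path. It assumes one-word control flags and files passed in as a name-to-text mapping; the function names and the sample contents are constructed for illustration.

```python
import os

# Constructed sample of /etc/pam.d contents (RHEL 4 style delegation).
SAMPLE = {
    "passwd": "password required pam_stack.so service=system-auth\n",
    "system-auth": (
        "# constructed sample, not a real system file\n"
        "password required pam_unix.so use_authtok\n"
        "password required TDI_Plugin_Root/pwd_plugins/pam/libpamtivoli.so "
        "use_first_pass TDI_Plugin_Root/pwd_plugins/pam/pwsync.props\n"
    ),
}

def password_stack(pam_d, service, seen=()):
    """Effective 'password' entries for a service as (control, module, args),
    expanding pam_stack.so service=NAME delegation in place."""
    if service in seen:
        raise ValueError("delegation loop at " + service)
    stack = []
    for raw in pam_d.get(service, "").splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 3 or fields[0] != "password":
            continue
        control, module, args = fields[1], fields[2], fields[3:]
        target = [a.split("=", 1)[1] for a in args if a.startswith("service=")]
        if os.path.basename(module) == "pam_stack.so" and target:
            stack += password_stack(pam_d, target[0], seen + (service,))
        else:
            stack.append((control, module, args))
    return stack

def check_tivoli(pam_d, service="passwd"):
    """Return findings for the Tivoli registration; an empty list means OK."""
    stack = password_stack(pam_d, service)
    # Prefix match covers both libpamtivoli and libpamtivoli_64.
    hits = [i for i, entry in enumerate(stack)
            if os.path.basename(entry[1]).startswith("libpamtivoli")]
    if not hits:
        return ["Tivoli module is not in the password stack for " + service]
    control, _, args = stack[hits[0]]
    findings = []
    if hits[0] != len(stack) - 1:
        findings.append("Tivoli module is not last in the stack")
    if control != "required":
        findings.append("control flag is '%s', not 'required'" % control)
    if "use_first_pass" not in args:
        findings.append("use_first_pass is missing")
    if not any(os.path.basename(a) == "pwsync.props" for a in args):
        findings.append("pwsync.props path is missing")  # assumes the table's file name
    return findings

if __name__ == "__main__":
    print(check_tivoli(SAMPLE) or "registration matches the documented line")
```

A "not last in the stack" finding is a prompt to review the placement rather than an error in every case, since the text says the module should usually be last.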
There are exceptions to the placement of the Tivoli module last in the stack:
The PAM pluggable architecture allows the modules to be stacked. This means that a custom solution can be created that allows several PAM Password Synchronizers to be installed on the same machine. Note that each PAM plug-in would require a separate Java Proxy process (each Java Proxy should listen on a separate port). It is also recommended to use different pwsync.props files (at least they should not be in the same folder, because that folder is where the authentication is taking place).