As the conventional wisdom goes, in UNIX (AIX) “plain” users can (it is recommended they do) authenticate via some global methods like NIS, LDAP, Kerberos, and so forth. For the application (also known as the administrative) and the “system” accounts it is recommended that they authenticate locally – that they are defined on the host.
I do not argue that for the few “really” secured environments it is an excellent idea to authenticate administrative users with a token (so passwords are never the same) or to use the equivalent method of obtaining the password for a specific account from a specific location and then immediately changing it and recording the change in the same secure depository so the next time the password is needed it will be used and also immediately changed. Yes, some admins work like that and I say it again – I understand and do not dispute the need for extreme security measures.
But, “the shoes that fit John may not fit his little brother Johnny”…. So for some other organizations the describe above security requirements may not be appropriate.
There is already a number of organizations storing all login names and passwords in a central depository like LDAP or AD to name just a few.
Without diving into details, the reasoning follows this path – if users cannot login because our authentication mechanism is not functioning, why do I need to worry if an admin account can or cannot do the same?
You may also ask a UNIX administrator how often does he/she has to change the ORACLE administrative password if there are 30 or more Oracle servers and 6 DBAs? Well, sometimes often, sometimes not but always the source of the same pain for both – UNIX and DB administrators.
If the communications between the password depository and client are made secure (for example using SSL) and the repository is protected from the “outside” interference why not to authenticate even the administrative accounts centrally instead of locally?
I vote for the centralized authentication, what about you?
Still, I believe that it is (if possible) a splendid idea to allow an administrative account the opportunity to authenticate locally when the global authentication mechanism is not functional. Why not?
For example, isn’t it nice to be able to log-in as root or an application administrator to gracefully shut down the host or the application despite not being able to resolve their credentials by LDAP server?
As always, AIX comes through and delivers…. The rest of this post shows how to quickly allow a user to authenticate locally when IBM TDS (LDAP) service is not available.