AIX
  • 1.  LDAP authentication and failed logins

    Posted Tue May 16, 2006 03:37 PM

    Originally posted by: SystemAdmin


    I've configured four AIX servers to use IDS 5.2 for authentication. The LDAP schema is RFC2307AIX and AIX is version 5.2 ML 5. The authentication is working just fine but all unsuccessful login information is still being written to the local /etc/security/lastlog instead of the appropriate fields in LDAP. I'm not sure what I might have missed but I'd like the unsuccessful login information to be recorded into LDAP.

    Only the following fields in LDAP are currently being populated:

    cn, gidNumber, homeDirectory, objectClass, objectClass, uid, uidNumber, gecos, loginShell, userPassword

    Any information on why none of the other fields are used would be helpful.


  • 2.  Re: LDAP authentication and failed logins

    Posted Wed May 17, 2006 02:26 PM

    Originally posted by: SystemAdmin


    I don't have an AIX 5.2 system to test on, but checking on my AIX 5.3 system, I used the following commands to check for failed logins for ldaygray:

    ldapsearch -h localhost -D cn=admin -w ldappwd \
    -b "ou=People, cn=aixdata" "(uidnumber=**)"

    uid=ldaygray,ou=People,cn=aixdata
    gidnumber=1
    homedirectory=/home/ldaygray
    isadministrator=false
    loginshell=/usr/bin/ksh
    uidnumber=777
    uid=ldaygray
    cn=ldaygray
    objectclass=account
    objectclass=posixaccount
    objectclass=shadowaccount
    objectclass=aixauxaccount
    objectclass=ibm-securityIdentities
    objectclass=top
    shadowlastchange=13250
    userpassword={crypt}LRRjiIBZqqoYU
    passwordchar=!
    hostlastlogin=sig-9-65-5-212.mts.ibm.com
    ixtimelastlogin=1144877723
    terminallastlogin=/dev/pts/1
    unsuccessfullogincount=0

    root@fs3 / # who /etc/security/failedlogin | grep lady
    root@fs3 / #

    As you can see, neither returned a failed login, so then I tried to log in with the wrong password. Interestingly, both failedlogin and ldapsearch show values:

    root@fs3 / # who /etc/security/failedlogin | grep lday
    ldaygray pts/2 May 17 13:16 (sig-9-48-52-176.mts.ibm.com)
    ldaygray pts/2 May 17 13:17 (sig-9-48-52-176.mts.ibm.com)
    root@fs3 / # ldapsearch -h localhost -D cn=admin -w ldappwd -b "ou=People, cn>
    uid=ldaygray,ou=People,cn=aixdata
    gidnumber=1
    homedirectory=/home/ldaygray
    isadministrator=false
    loginshell=/usr/bin/ksh
    uidnumber=777
    uid=ldaygray
    cn=ldaygray
    objectclass=account
    objectclass=posixaccount
    objectclass=shadowaccount
    objectclass=aixauxaccount
    objectclass=ibm-securityIdentities
    objectclass=top
    shadowlastchange=13250
    userpassword={crypt}LRRjiIBZqqoYU
    passwordchar=!
    hostlastlogin=sig-9-65-5-212.mts.ibm.com
    ixtimelastlogin=1144877723
    terminallastlogin=/dev/pts/1
    hostlastunsuccessfullogin=sig-9-48-52-176.mts.ibm.com
    ixtimelastunsuccessfullogin=1147889868
    terminallastunsuccessfullogin=/dev/pts/2
    unsuccessfullogincount=2

    As did lsuser (note my spelling of lday for lady):
    root@fs3 / # lsuser -RLDAP ldaygray
    ldaygray id=777 pgrp=staff groups=staff home=/home/ldaygray shell=/usr/bin/ksh login=true su=true rlogin=true telnet=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=LDAP SYSTEM=LDAP logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=491519 stack=65536 core=-1 rss=-1 nofiles=2000 time_last_login=1144877723 time_last_unsuccessful_login=1147889868 tty_last_login=/dev/pts/1 tty_last_unsuccessful_login=/dev/pts/2 host_last_login=sig-9-65-5-212.mts.ibm.com host_last_unsuccessful_login=sig-9-48-52-176.mts.ibm.com unsuccessful_login_count=2 roles=

    Another, and I get:
    hostlastunsuccessfullogin=sig-9-48-52-176.mts.ibm.com
    ixtimelastunsuccessfullogin=1147890307
    terminallastunsuccessfullogin=/dev/pts/2
    unsuccessfullogincount=3

    ldaygray pts/2 May 17 13:25 (sig-9-48-52-176.mts.ibm.com)

    I'm not sure what your problem is, but this should work if you have the right schema:
    /etc/security/ldap/ldap.cfg
    /etc/security/user
    ldaygray:
    SYSTEM = "LDAP"
    registry = LDAP
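The reply above checks two records by hand: the per-user `unsuccessfullogincount` (plus host/time/terminal) attributes in LDAP, and the entries `who` reads out of the local `/etc/security/failedlogin`. The script below is an added example, not code from either post: it reconciles the two views per user so that the symptom in the first post (failedlogin filling up while the LDAP counter stays at 0) shows up as a MISMATCH line. Both inputs are constructed samples in the formats the reply shows; the user `jdoe`, its counts and hostnames are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the post): reconcile per-user failed-login counts
# recorded in LDAP (unsuccessfullogincount) with the records in the local
# /etc/security/failedlogin as listed by `who`. Both inputs below are
# constructed samples in the formats the reply shows, not real data.

# Constructed sample of ldapsearch output over ou=People: the DN line first,
# then attr=value lines, one blank line between entries.
LDAP_SAMPLE='uid=ldaygray,ou=People,cn=aixdata
uid=ldaygray
hostlastunsuccessfullogin=sig-9-48-52-176.mts.ibm.com
ixtimelastunsuccessfullogin=1147889868
unsuccessfullogincount=2

uid=jdoe,ou=People,cn=aixdata
uid=jdoe
unsuccessfullogincount=0
'

# Constructed sample of `who /etc/security/failedlogin` output (jdoe is
# hypothetical: one failed login that never reached LDAP).
FAILED_SAMPLE='ldaygray pts/2 May 17 13:16 (sig-9-48-52-176.mts.ibm.com)
ldaygray pts/2 May 17 13:17 (sig-9-48-52-176.mts.ibm.com)
jdoe     pts/3 May 17 13:20 (sig-9-48-52-176.mts.ibm.com)
'

# reconcile LDAP_OUTPUT FAILEDLOGIN_OUTPUT
# Prints one line per user: "<user> ldap=<n> failedlogin=<m> ok|MISMATCH".
# A user whose LDAP count stays at 0 (or has no count attribute at all)
# while failedlogin keeps growing is exactly the first post's symptom.
reconcile() {
    {
        # From the LDAP dump: remember the uid attribute (the value with no
        # comma, so the DN line is skipped) and emit "L user count".
        printf '%s\n' "$1" |
            awk -F= '/^uid=/ && $2 !~ /,/ { u = $2 }
                     /^unsuccessfullogincount=/ { print "L", u, $2 }'
        # From the failedlogin listing: count records per user name
        # (field 1) and emit "F user count".
        printf '%s\n' "$2" |
            awk '$1 != "" { c[$1]++ }
                 END { for (u in c) print "F", u, c[u] }'
    } |
    awk '$1 == "L" { l[$2] = $3; seen[$2] = 1 }
         $1 == "F" { f[$2] = $3; seen[$2] = 1 }
         END {
             for (u in seen) {
                 lc = (u in l) ? l[u] : "none"
                 fc = (u in f) ? f[u] : 0
                 st = (lc == fc) ? "ok" : "MISMATCH"
                 print u, "ldap=" lc, "failedlogin=" fc, st
             }
         }' | sort
}

reconcile "$LDAP_SAMPLE" "$FAILED_SAMPLE"
```

On a real system, feed `reconcile` the output of the reply's `ldapsearch` over `ou=People` and of `who /etc/security/failedlogin` instead of the samples; `lsuser -R LDAP <user>` shows the same counters through the AIX view. Note that the reply's `ldapsearch -D cn=admin -w ldappwd` puts the directory bind password on the command line, where other users can read it from the process list and from shell history; prefer a method that prompts for it or reads it from a protected file.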