2.2 Platform Provisioning Models

The model you use for provisioning will depend on your situation. Models include the following:

2.2.1 Local Provisioning, Redirected Authentication

Local Provisioning, Redirected Authentication is the traditional Fan-Out Driver provisioning model. It uses asamrcvr and the supplied scripts to provision users and groups locally into the UNIX /etc/passwd and /etc/group files, while authentication and password changes are redirected, through PAM, back to the Identity Vault. On AIX, the Fan-Out Driver's DCE LAM module can be used instead of PAM to redirect authentication and password changes back to the Identity Vault. Using PAM on AIX versions prior to 5.3 is not recommended.

Each operating system vendor ships its own set of PAM configuration files, and the default PAM configuration usually changes with each operating system release. There is no generic "one size fits all" PAM configuration that is correct for every organization. The Local Provisioning, Redirected Authentication model requires you to configure all PAM module types (auth, account, password, and session) correctly for every PAM-enabled application your organization needs; an application left on the vendor defaults will keep authenticating against the local files rather than the Identity Vault. When using PAM on AIX, make sure that auth_type is set to PAM_AUTH in /etc/security/login.cfg.

On AIX, the Fan-Out Driver DCE LAM module is used when SYSTEM and registry are both set to DCE in the default stanza of /etc/security/user, as shown in the Platform Services Quick Start Guide for AIX. To configure AIX 5.3 and later to use LAM instead of PAM, make sure that auth_type is set to STD_AUTH in /etc/security/login.cfg.

2.2.2 Local Provisioning, Local Authentication

Local Provisioning, Local Authentication uses asamrcvr and the supplied scripts to provision users and groups locally into /etc/passwd and /etc/group and to keep the local password store synchronized with the Identity Vault password, so authentication itself stays local. PAM is auto-configured so that local password changes are reflected in the Identity Vault. On AIX, this option is recommended only with AIX 5.3 or later and auth_type set to PAM_AUTH in /etc/security/login.cfg.

2.2.3 Name Service Switch (Account Redirection)

The Name Service Switch (Account Redirection) option uses the ascauth Name Service Switch module to provision users and groups virtually, without modifying /etc/passwd or /etc/group. PAM is auto-configured so that password changes are reflected back to the Identity Vault. User home directories must be supplied using NFS automounting or some other method of your choice. Identity Vault user and group objects must carry posix* attributes to be usable through the Name Service Switch, and those posix attributes must be present in the Subscriber channel of the Fan-Out Driver. When this option is chosen, /etc/nsswitch.conf is also auto-configured. The Name Service Switch is not supported on FreeBSD or AIX.

2.2.4 ASCAUTH LAM Module (Account Redirection)

To support Account Redirection on AIX, the Fan-Out Driver provides a special LAM module called ASCAUTH. The ASCAUTH LAM module provisions users and groups virtually, without modifying any local user or group files. To use it, change the default settings for SYSTEM and registry in /etc/security/user to ASCAUTH, and add a stanza for /usr/lib/security/ASCAUTH to /usr/lib/security/methods.cfg, as shown in the Platform Services Quick Start Guide for AIX. Any local users (root included) who depend on the previous default settings for SYSTEM and registry must have those settings added to their own stanzas in /etc/security/user, or they will be resolved through ASCAUTH as well. Password changes are reflected back to the Identity Vault. User home directories must be supplied using NFS automounting or some other method of your choice. Identity Vault user and group objects must carry posix* attributes to be usable through the ASCAUTH LAM module, and those posix attributes must be present in the Subscriber channel of the Fan-Out Driver. On AIX 5.3 and later, auth_type must be set to STD_AUTH in /etc/security/login.cfg.
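The auth_type, SYSTEM, registry, methods.cfg and nsswitch.conf settings required by the four models above differ per model and are easy to get half right (for example, switching the default stanza to ASCAUTH without carrying the old values into the stanzas of local users such as root). The POSIX shell script below is an added example, not part of the Fan-Out Driver or its documentation: it reads those files in AIX stanza format and reports whether they match the requirements stated for a chosen model in 2.2.1 through 2.2.4. Assumptions not taken from this page: auth_type is looked up in the usw stanza of login.cfg (where AIX keeps it); the Name Service Switch source appears as ascauth on the passwd and group lines of nsswitch.conf; the methods.cfg stanza is named ASCAUTH and sets program = /usr/lib/security/ASCAUTH; and the sample files written by make_samples are constructed for the example, not copied from a real host.

```shell
#!/bin/sh
# Added example: consistency check for the Fan-Out Driver provisioning models.
# Not part of the product or its documentation. Assumptions (not from the page):
# auth_type sits in the "usw:" stanza of login.cfg; the NSS source is spelled
# "ascauth" in nsswitch.conf; the methods.cfg stanza is "ASCAUTH:" with a
# "program =" attribute pointing at /usr/lib/security/ASCAUTH.

# stanza_attr STANZA KEY FILE
# Print the value of KEY inside STANZA of an AIX stanza-format file:
# "name:" lines open a stanza, "key = value" lines set attributes,
# lines starting with "*" are comments. Quotes around values are stripped.
stanza_attr() {
    [ -r "$3" ] || return 0
    awk -v st="$1" -v key="$2" '
        /^[ \t]*\*/ { next }
        /^[^ \t:]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        cur == st && $1 == key && $2 == "=" {
            v = $3; gsub(/"/, "", v); print v; exit
        }
    ' "$3"
}

# nss_has_source DATABASE SOURCE FILE
# True when nsswitch.conf lists SOURCE for DATABASE, e.g. "passwd: files ascauth".
nss_has_source() {
    [ -r "$3" ] || return 1
    awk -v db="$1" -v src="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit !found }
    ' "$3"
}

# check_model MODEL LOGIN_CFG USER_FILE NSSWITCH_CONF METHODS_CFG
# Returns 0 when the files satisfy the settings the guide states for MODEL:
#   local-redirected-pam  2.2.1 with PAM   : auth_type = PAM_AUTH
#   local-redirected-lam  2.2.1 with DCE LAM: auth_type = STD_AUTH, SYSTEM/registry = DCE
#   local-local           2.2.2            : auth_type = PAM_AUTH
#   nss                   2.2.3            : ascauth on passwd and group lines
#   ascauth-lam           2.2.4            : auth_type = STD_AUTH, SYSTEM/registry = ASCAUTH,
#                                            ASCAUTH stanza in methods.cfg
check_model() {
    model=$1; login_cfg=$2; user_file=$3; nsswitch=$4; methods=$5
    auth=$(stanza_attr usw auth_type "$login_cfg")
    system=$(stanza_attr default SYSTEM "$user_file")
    registry=$(stanza_attr default registry "$user_file")
    case $model in
        local-redirected-pam|local-local)
            [ "$auth" = PAM_AUTH ] ;;
        local-redirected-lam)
            [ "$auth" = STD_AUTH ] && [ "$system" = DCE ] && [ "$registry" = DCE ] ;;
        nss)
            nss_has_source passwd ascauth "$nsswitch" && nss_has_source group ascauth "$nsswitch" ;;
        ascauth-lam)
            [ "$auth" = STD_AUTH ] && [ "$system" = ASCAUTH ] && [ "$registry" = ASCAUTH ] &&
            [ "$(stanza_attr ASCAUTH program "$methods")" = /usr/lib/security/ASCAUTH ] ;;
        *)
            echo "unknown model: $model" >&2; return 2 ;;
    esac
    status=$?
    if [ "$status" -eq 0 ]; then
        echo "$model: settings consistent"
    else
        echo "$model: mismatch (auth_type=$auth SYSTEM=$system registry=$registry)"
    fi
    return "$status"
}

# make_samples DIR
# Write constructed sample files (not from any real host) for an AIX host that
# was switched to the ASCAUTH LAM model, with root kept on the local registry.
make_samples() {
    mkdir -p "$1"
    printf 'usw:\n\tshells = /bin/sh,/bin/ksh\n\tauth_type = STD_AUTH\n' > "$1/login.cfg"
    printf '* constructed sample\ndefault:\n\tadmin = false\n\tSYSTEM = "ASCAUTH"\n\tregistry = ASCAUTH\n\nroot:\n\tSYSTEM = "compat"\n\tregistry = files\n' > "$1/user"
    printf 'ASCAUTH:\n\tprogram = /usr/lib/security/ASCAUTH\n' > "$1/methods.cfg"
    printf 'passwd: files ascauth\ngroup:  files ascauth\nhosts:  files dns\n' > "$1/nsswitch.conf"
}

# Stand-alone use: check_model MODEL LOGIN_CFG USER_FILE NSSWITCH_CONF METHODS_CFG
if [ $# -eq 5 ]; then check_model "$@"; fi
```

Against a live AIX host the call is check_model ascauth-lam /etc/security/login.cfg /etc/security/user /etc/nsswitch.conf /usr/lib/security/methods.cfg; a non-zero exit means at least one setting disagrees with the model, and the printed auth_type, SYSTEM and registry values show which. The check covers only the local files; whether the Identity Vault objects carry the posix attributes that the Name Service Switch and ASCAUTH LAM models require has to be verified on the driver side.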