12.3 Authentication

Users associated with a connected Linux or UNIX platform managed by the Fan-Out Driver can authenticate in any of the following ways, depending on how you have installed Platform Services.

12.3.1 Local Authentication

With local authentication, password hashes are stored in /etc/shadow, and users who log on to the Linux or UNIX system are authenticated against that local copy. To keep these passwords synchronized with the Identity Vault, ensure that the following keyword is present in your asamplat.conf file:

UPDATEPASSWORD

The Platform Receiver (the asamrcvr program) must be running for passwords to stay synchronized with the Identity Vault; a password change in the Identity Vault reaches /etc/shadow only through it. For more information, see Starting the Platform Receiver.

12.3.2 Authentication Redirection

With authentication redirection, password hashes are not stored in /etc/shadow. Instead, when a user logs on to the Linux or UNIX system, the Fan-Out Driver's PAM module redirects the authentication request to the Identity Vault, where the password is checked and the eDirectory Password and Login rules are applied. Optionally, password policies can be enforced as well. To use the PAM module for authentication redirection, you must manually configure PAM for each application that is to be PAM-enabled. For details on manually configuring PAM, see Section B.1, PAM Configuration Notes.

The Platform Services Process (the asampsp program) must also be running; it provides the connection pool to the Identity Vault and driver load balancing. For more information, see Starting the Platform Services Process.

12.3.3 Authentication Redirection with Local Failover

Authentication redirection with local failover is a hybrid of local authentication and authentication redirection. Authentication is redirected to the Identity Vault unless the connection between Platform Services and the Identity Vault is unavailable, in which case the user is authenticated locally against the synchronized password in /etc/shadow. Unlike pure authentication redirection, this configuration therefore keeps password hashes on the connected system. It requires both the Platform Receiver, to keep the local passwords synchronized, and the Platform Services Process, to redirect authentication. For information about starting these two services, see Section 11.3.3, Starting Platform Services.
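The PAM stack fragment below is an added example and is not taken from the Fan-Out Driver documentation or from Section B.1. It shows, for the authentication redirection of Section 12.3.2 and the local failover of this section, how the PAM control field decides whether the local copy in /etc/shadow is consulted only when the Identity Vault is unreachable or also when the Identity Vault refuses the login. The module name pam_ascauth.so, its path under /lib/security, the use of the sshd service file, and the assumption that the module returns PAM_AUTHINFO_UNAVAIL when the Platform Services Process cannot reach the Identity Vault are all assumptions made for the example; take the real module name, path and return codes from Section B.1, PAM Configuration Notes.

```text
# /etc/pam.d/sshd, auth section only (Linux-PAM syntax)
#
# Weak failover. "sufficient" expands to
#   [success=done new_authtok_reqd=done default=ignore]
# so ANY failure from the redirect module, including a password the
# Identity Vault rejected or a login blocked by eDirectory login rules,
# is ignored and pam_unix is consulted. Because the Platform Receiver
# keeps /etc/shadow synchronized, the same password then succeeds
# locally and the Identity Vault's decision is bypassed.
#
#auth    sufficient    /lib/security/pam_ascauth.so
#auth    required      pam_unix.so try_first_pass

# Corrected failover. Fall through to the local copy only when the
# Identity Vault cannot be reached:
#   success=done             vault accepted the password: stop, authenticated
#   authinfo_unavail=ignore  vault unreachable (assumed return code): try local
#   default=die              vault answered "no": fail, no local retry
auth    [success=done authinfo_unavail=ignore default=die]    /lib/security/pam_ascauth.so
auth    required      pam_unix.so try_first_pass

# Pure authentication redirection (Section 12.3.2, no failover): use the
# module alone as "required" and omit pam_unix, so no local path exists.
#auth    required      /lib/security/pam_ascauth.so
```

The try_first_pass option makes pam_unix reuse the password already typed, so the user is not prompted twice when failover occurs. The bracketed control syntax is specific to Linux-PAM; the PAM implementations on other UNIX platforms offer only required, requisite, sufficient and optional, which cannot distinguish "vault unreachable" from "vault refused" in the control field, so confirm how the module behaves in each case on those platforms before enabling failover there.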

12.3.4 Name Service Switch Authentication

If you have chosen the virtual provisioning option (see Section 12.2, Provisioning), users authenticate to the Linux or UNIX system through the Name Service Switch (NSS) module supplied by Platform Services. Virtual users and their password information are kept in a protected local cache on the connected system, which gives the system a local copy and therefore the same advantages as local provisioning. The cache alone does not apply eDirectory rules: if you want to enforce eDirectory password and login rules, you must also manually configure PAM for authentication redirection (see Section 12.3.2, Authentication Redirection).