Help with LDAP & PAM

 
Jonas Bygdén
Occasional Advisor

Help with LDAP & PAM

Hello!

I'm about to go completely crazy.

I'm trying to set up an 11.31 host to be an LDAP-client to our RedHat Enterprise Linux server running OpenLDAP.

LDAPUX 'REQUIRES' that the client configuration exists in the server's namespace to set it up even at the most basic level. And the instructions on how to create that configuration are ridiculously complex.

I did find a config that I managed to get to work (after modifying it heavily), but then I'm totally unable to use any schemas that aren't standard. We have made a schema for checking whether the user is authorized to log on to a system, but since that's not a standard schema LDAPUX refuses to deal with it.

I thought that I might be able to use OpenLDAP instead of LDAPUX - but boy was I wrong.

It seems totally impossible to get the included pam_ldap to use anything other than LDAPUX, and it seems equally impossible to compile an opensource pam_ldap on HP-UX 11.31.

Is there anyone out there that might be able to help me?
Claus Hoffmann
New Member

Re: Help with LDAP & PAM

Hi,

Do you have the configuration profile created on the LDAP server? I guess it's important that the P of ou=Profiles is uppercase.

Example:

dn: cn=profile1,ou=Profiles,o=nis_bonmp
preferredserverlist: 172.25.91.180:389
servicesearchdescriptor: passwd:o=nis_bonmp?sub?(objectclass=posixaccount)
servicesearchdescriptor: shadow:o=nis_bonmp?sub?(objectclass=shadowaccount)
servicesearchdescriptor: group:o=nis_bonmp?sub?(objectclass=posixgroup)
servicesearchdescriptor: pam:o=nis_bonmp?sub?(objectclass=posixaccount)
servicesearchdescriptor: rpc:o=nis_bonmp?sub?(objectclass=oncrpc)
servicesearchdescriptor: protocols:o=nis_bonmp?sub?(objectclass=ipprotocol)
servicesearchdescriptor: networks:o=nis_bonmp?sub?(objectclass=ipnetwork)
servicesearchdescriptor: hosts:o=nis_bonmp?sub?(objectclass=iphost)
servicesearchdescriptor: services:o=nis_bonmp?sub?(objectclass=ipservice)
servicesearchdescriptor: netgroup:o=nis_bonmp?sub?(objectclass=nisnetgroup)
credentiallevel: proxy
followreferrals: FALSE
authenticationmethod: simple
bindtimelimit: 5
defaultsearchbase: o=nis_bonmp
objectClass: top
objectClass: duaconfigprofile
cn: profile1


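The profile above is the piece LDAP-UX insists on finding in the directory, and two of its pitfalls are purely textual: the container must be spelled ou=Profiles, and an LDIF line that is wrapped without a leading space on the continuation (as the protocols descriptor was in the original paste) is read as a separate, unknown attribute. The following Python generator is an added example and is not code from the thread or from HP's ldapux tooling. It builds the entry from the values in the post (base o=nis_bonmp, server 172.25.91.180:389, the same descriptors), validates each serviceSearchDescriptor against the service:base?scope?filter form, folds long lines the RFC 2849 way, and warns when the proxy DN would do a simple bind over a port that is not LDAPS. All function names are mine.

```python
"""Generate the duaconfigprofile entry LDAP-UX reads from the directory.
Added example (not the thread's or HP's code): checks every
serviceSearchDescriptor, folds long LDIF lines per RFC 2849 and flags a
cleartext proxy bind.  Base, server and descriptors come from the post."""
import re

SCOPES = ("base", "one", "sub")
# single-descriptor form used in the post: service:base?scope?filter
# (';'-separated multi-descriptor lists are not handled here)
SSD_RE = re.compile(r"^([A-Za-z_]+):([^?]*)\?([a-z]*)\?(.*)$")

BASE = "o=nis_bonmp"
SERVERS = ["172.25.91.180:389"]          # host:port, space-separated in the entry
SSDS = [                                 # copied from the profile above
    "passwd:o=nis_bonmp?sub?(objectclass=posixaccount)",
    "shadow:o=nis_bonmp?sub?(objectclass=shadowaccount)",
    "group:o=nis_bonmp?sub?(objectclass=posixgroup)",
    "protocols:o=nis_bonmp?sub?(objectclass=ipprotocol)",
    "netgroup:o=nis_bonmp?sub?(objectclass=nisnetgroup)",
]


def parse_ssd(value):
    """Return (service, base, scope, filter); raise ValueError saying what is wrong."""
    m = SSD_RE.match(value)
    if not m:
        raise ValueError("want service:base?scope?filter, got %r" % value)
    service, base, scope, flt = m.groups()
    if scope and scope not in SCOPES:
        raise ValueError("scope must be one of %s, got %r" % (", ".join(SCOPES), scope))
    if flt and not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised, got %r" % flt)
    return service, base, scope, flt


def fold(line, width=76):
    """RFC 2849 line folding: each continuation line starts with one space,
    which an LDIF reader strips when joining (a wrapped line without that
    space is parsed as a new, unknown attribute)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return parts


def build_profile(name, base, servers, ssds, auth="simple", cred="proxy"):
    """Return (ldif_text, warnings).  The DN keeps the capital P of
    ou=Profiles that the post says LDAP-UX expects."""
    for s in ssds:
        parse_ssd(s)                     # fail before writing anything
    warnings = []
    if auth == "simple" and cred == "proxy" and not all(s.endswith(":636") for s in servers):
        warnings.append("proxy DN will simple-bind on a non-LDAPS port: its password "
                        "crosses the network in clear unless StartTLS is negotiated")
    attrs = [("dn", "cn=%s,ou=Profiles,%s" % (name, base)),
             ("objectClass", "top"), ("objectClass", "duaconfigprofile"),
             ("cn", name), ("defaultSearchBase", base),
             ("preferredServerList", " ".join(servers)),
             ("authenticationMethod", auth), ("credentialLevel", cred),
             ("followReferrals", "FALSE"), ("bindTimeLimit", "5")]
    attrs += [("serviceSearchDescriptor", s) for s in ssds]
    lines = [ln for k, v in attrs for ln in fold("%s: %s" % (k, v))]
    return "\n".join(lines) + "\n", warnings


if __name__ == "__main__":
    text, warns = build_profile("profile1", BASE, SERVERS, SSDS)
    print(text)
    for w in warns:
        print("WARNING:", w)
```

Pipe the printed LDIF into ldapadd against the server that holds o=nis_bonmp; the warning is the practitioner's reminder that credentiallevel proxy plus authenticationmethod simple means the proxy account's password is sent with every bind, so that link needs TLS or the password needs to be treated as public.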
Jonas Bygdén
Occasional Advisor

Re: Help with LDAP & PAM

As I said in my original post, I got it to work with "standard" schemas with LDAPUX.

But we have created our own schema, and I'm unable to find out how I can get LDAPUX to use it.

OpenLDAP will use any schema created, as long as its syntax is correct. But I can't get HP-UX to use OpenLDAP as a client.
Claus Hoffmann
New Member

Re: Help with LDAP & PAM

Hi,

To my knowledge, the HP-UX LDAP Client SW is limited to the services listed in nsswitch.conf. And it's best to follow the LDAP RFCs to avoid problems.

Could you post your own schema here?

Do you use the latest LDAP client version?

docs.hp.com/en/J4269-90075/J4269-90075.pdf
Jonas Bygdén
Occasional Advisor

Re: Help with LDAP & PAM

The latest version is 4.15 and I have 4.10.

I can try and download 4.15 but I seriously doubt that will make any major difference to my problem.

I would like to get OpenLDAP-client to work, but that requires a different pam_ldap. And the opensource pam_ldap that I've found seems to be impossible to compile under HP-UX.
Jonas Bygdén
Occasional Advisor

Re: Help with LDAP & PAM

We have put the sudoers file in ldap, and the schema looks like this:

attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )
Claus Hoffmann
New Member

Re: Help with LDAP & PAM

Hi,

As a workaround, I would install a cron job which downloads the sudoers file with ldapsearch.
Jonas Bygdén
Occasional Advisor

Re: Help with LDAP & PAM

Ok, so my wish to use OpenLDAP instead of LDAPUX is not an option?
Don Mallory
Trusted Contributor

Re: Help with LDAP & PAM

What is it that you are trying to do?

Is it just to provide users, groups, authentication against OpenLDAP, or are you trying to include authorization (limit user's ability to log into a particular host), etc?

In my case, I'm going against Windows AD 2k, so there are strange differences since they don't match the RFC2307 POSIX LDAP spec completely, but hey, it's just a guideline right?

If you are looking for authorization, why not use the built-in pam_authz module? There are references for using it around the LDAP-UX docs, but basically, add the pam_authz lines to the /etc/pam.conf, but ONLY in the account section, you aren't proving who they are, only that they are authorized to log in. Example:

# Account management
#
login account required /usr/lib/security/libpam_updbe.1
login account required /usr/lib/security/libpam_authz.1
login account sufficient /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1


You need to repeat this for su, dtlogin, dtaction, ftp, rcomds and sshd.

updbe is really cool: it enables pam_user.conf, which lets you disable using particular auth modules for particular accounts, such as root, operator, oracle, or other service accounts. KRB is obviously Kerberos; I need it for getting to the AD mostly.

The config of pam_authz is under /etc/opt/ldapux/pam_authz.policy.

It's pretty simple: there is a .template file with examples, but I was never able to get any of the ldap_group or ldap_filters to work, so I just used unix groups. Create a group in the directory (hostname_access), give it a GID and some users. If you are in, you log in; if not, too bad.

Example:
allow:unix_group:server2_access,server2_local

server2_local contains root, oracle, operator, etc. sort of accounts that are LOCAL to the host, so this group is in /etc/group.

server2_access is from the directory.

The biggest trouble with LDAP-UX is that you must have the profile schema in your directory, it must be right, and it must point to the right objects to translate. It's also a little finicky about the whole proxy user thing.

If you've got the host under support, give backline a call. It will take about 3 people, but there are some very good people in the team for LDAP-UX. I ended up on the phone with the guy that wrote most of the docs.

Oh, and I know, IT people don't read docs and all that, but in this case, read the docs. They're really good.
Jonas Bygdén
Occasional Advisor

Re: Help with LDAP & PAM

What I'm trying to do is to use LDAP as base for sudo, instead of having that in a local file.

But LDAP-UX doesn't support any schema that's not standard.

We also use the sudoers to check whether a user is allowed to login to a system. If the user can run sudo on that host then he's allowed to login.

This works great in RHEL, AIX and Solaris - but I'm completely unable to get it to work in HP-UX.

LDAP-UX doesn't want to know about our sudoers-schema, and I'm unable to compile an opensource pam_ldap to be able to use OpenLDAP.
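Claus's cron/ldapsearch workaround, Don's group-based pam_authz policy and the rule Jonas describes (if you can sudo on this host, you may log in on it) fit together in one script. The following Python is an added example, not code from the thread and not sudo's or LDAP-UX's own: it takes the LDIF that ldapsearch prints for sudoRole entries (using the schema posted earlier), renders the roles that apply to this host into a sudoers file, stages the file through `visudo -c -f` before renaming it into place, and returns the principals that may sudo here, which is the list you would put into the hostname_access group that pam_authz checks. The LDIF sample is constructed; the fail-closed handling of netgroup and address forms in sudoHost and the translation of per-role sudoOption values into `Defaults:User_List` lines are my simplifications, not sudo's exact semantics.

```python
"""Render LDAP sudoRole entries into a per-host sudoers file and list who may
sudo there (the thread's rule: can sudo on this host => may log in).  Added
example, not code from the thread, sudo or LDAP-UX; SAMPLE_LDIF is constructed."""
import base64
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample: the ops role carries a base64 ('::') value and the dba
# role a folded sudoCommand (continuation starts with one space).
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,o=nis_bonmp
objectClass: sudoRole
cn: defaults
sudoOption: requiretty

dn: cn=dba,ou=SUDOers,o=nis_bonmp
objectClass: sudoRole
cn: dba
sudoUser: %dba
sudoHost: server2
sudoRunAs: oracle
sudoCommand: /usr/local/bin/ora_stop
sudoCommand: /usr/local/bin/ora_sta
 rt

dn: cn=ops,ou=SUDOers,o=nis_bonmp
objectClass: sudoRole
cn: ops
sudoUser:: am9uYXM=
sudoUser: claus
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
"""


def parse_ldif(text):
    """LDIF -> [(dn, {attr_lower: [values]})]; unfolds, decodes '::', skips '#'."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = (base64.b64decode(value[1:].strip()).decode()
                     if value.startswith(":") else value.strip())
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def host_matches(sudo_hosts, hostname):
    """ALL or the exact hostname grants, '!hostname' revokes; netgroups (+name)
    and address/netmask forms are not resolved and never match (fail closed)."""
    if "!" + hostname in sudo_hosts:
        return False
    return any(h in ("ALL", hostname) for h in sudo_hosts)


def render(entries, hostname):
    """Return (sudoers_text, sorted principals) for one host.  cn=defaults holds
    global sudoOption values; a role's own sudoOption values become a
    'Defaults:User_List' line (approximation: applies to those users host-wide)."""
    out = ["# generated from LDAP sudoRole entries for %s; do not edit" % hostname]
    principals = set()
    for _dn, a in entries:
        if "sudorole" not in [c.lower() for c in a.get("objectclass", [])]:
            continue
        if a.get("cn", [""])[0].lower() == "defaults":
            out += ["Defaults %s" % o for o in a.get("sudooption", [])]
            continue
        users, cmds = a.get("sudouser", []), a.get("sudocommand", [])
        if not users or not cmds or not host_matches(a.get("sudohost", []), hostname):
            continue                     # grants nothing on this host
        runas = ",".join(a.get("sudorunas", [])) or "root"
        out += ["Defaults:%s %s" % (",".join(users), o) for o in a.get("sudooption", [])]
        out.append("%s %s = (%s) %s" % (",".join(users), hostname, runas, ", ".join(cmds)))
        principals.update(users)
    return "\n".join(out) + "\n", sorted(principals)


def install(sudoers_text, dest):
    """Stage beside dest, let `visudo -c -f` veto it when visudo exists, then rename."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)), prefix=".sudoers.")
    with os.fdopen(fd, "w") as f:
        f.write(sudoers_text)
    if shutil.which("visudo") and subprocess.call(["visudo", "-c", "-f", tmp]) != 0:
        os.unlink(tmp)
        raise RuntimeError("visudo rejected the generated file; old one kept")
    os.chmod(tmp, 0o440)
    os.replace(tmp, dest)
```

From cron, feed it the output of `ldapsearch -x -LLL -H ldap://<server> -b ou=SUDOers,o=nis_bonmp '(objectClass=sudoRole)'` in place of SAMPLE_LDIF, call `install(render(parse_ldif(text), hostname)[0], <path your sudo reads>)`, and push the returned principals into the hostname_access group from Don's pam_authz policy; entries in that list that are groups (%dba) or netgroups still have to be expanded before they become group members. The visudo step is what keeps a malformed directory entry from locking everyone out of sudo on the host.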